The Why
Every organization has objectives and works to achieve them. Risks are events that can prevent organizations from reaching these objectives, whilst opportunities are the opposite: they can help to surpass objectives. In this article we focus on the former.
Risks are inherent to reality; no progress can be made without incurring risks. However, we should not be blind to them; there are many examples of organizational failure as a result of mismanaging risk. That is why we need to become good risk managers; in the remainder of this article we share our thoughts on a novel and pragmatic way to do so.
The What
What does management of risk mean in practice? It boils down to three essential components: identification, analysis and mitigation. Identification is self-evident; analysis is about assessing the probability and the impact of the identified risks. A common misperception is that mitigation equates to “having to do something about the risk”. This is not the case; sometimes the right thing to do is to just accept the risk, sometimes it is better to actively mitigate it.
The How
This is where it becomes slightly more complicated. The number of risks that a typical organization faces is huge, if not infinite. The challenge is to operate a risk management process that captures the complexity out there yet is intuitive and helps to make sense of it all. This is far from easy; issues we have seen in practice include:
- excessive bureaucracy and over-processing
- the activity is not considered value adding by many in the organization
- an inconsistent use and understanding of definitions and methodology, leading to inefficiency and ineffectiveness
In our view, the first and second are primarily leadership challenges. They are key but not the focus of this article. For the third one, we believe in a simple approach that can be applied in every organization. We make use of concepts outlined in an excellent HBR paper, “Managing Risks: A New Framework”, written by Robert Kaplan and Anette Mikes, to which we have added our own ideas.
Three types, two timescales
Kaplan and Mikes recognize three generic types of risks: preventable, strategic and external risks. To these three types we add the dimension of time and distinguish between slow and fast risks. This gives us six categories in total, each requiring a different approach.
Preventable risks are those risks that (in theory) we can remove from the equation. Examples are: misreporting measurements to the authorities, loss of skills in our workforce, unacceptable downtime of a production facility, or a fire or explosion in a plant. Certain of these risks are what we classify as slow. For example, operational availability of a facility is not going to dramatically deteriorate from one day to the next. Others are fast; explosions or fires usually do not announce themselves a week in advance.
The different timescale for these two types of preventable risks implies a different way of managing them. For slow preventable risks, a system of clear business processes needs to be defined which must be implemented with discipline. This includes a set of Key Performance Indicators (KPIs) that is monitored carefully to indicate whether the system is working; these KPIs should be leading and lagging. Finally, the tolerance level for these risks needs to be defined. In the language of professional risk practitioners this is often referred to as risk appetite. What this means is that management must define what level of performance is acceptable. The availability of a plant will never be 100% unless excessive effort is put in to achieve this. Alternatively, a tolerance for 5% downtime may be defined, indicating that processes are considered to be working adequately as long as plant availability stays above 95%.
For fast preventable risks, the situation is different. Again, clear processes and control points need to be defined. For fast risks, leading indicators are even more important. What type of early signals indicate that a process safety incident is becoming more likely? Think about near misses and/or growing backlogs of maintenance activity. Finally, for fast preventable risks, a lot of emphasis should be placed on defining and testing recovery plans.
Strategic risks are of a different nature altogether. They are risks that are deliberately taken because potential reward outweighs the level of risk. For example, an oil company may decide to enter into a new country, where political, economic and reputational risk is relatively high. A technology company may dedicate massive resources to the development of a new product where competition is fierce; think of all the organizations now working on coming up with the first effective COVID-19 vaccine. Whilst the first of these is slow, the latter is fast. Again, both types of risk require different approaches as outlined in the schematic below.
Finally, external risks are those ones that are uncontrollable for organizations as they are the result of activities and events outside their areas of influence. Examples of slow external risks are a “No Deal Brexit” or climate change. Fast external risks are terrorist attacks or the outbreak of a pandemic. For slow external risks (as for slow strategic risks), stress testing and scenario planning are important approaches to deal with them.
The entire scheme is shown below; for each of the six different categories we present appropriate strategies to deal with them.
Conclusion
We have presented an approach to structure risk management, recognizing the fundamentally different types of risk and the uniquely required ways of dealing with them. This classification is not fully unambiguous; there is definitely potential overlap between the six classes. Yet we trust the ideas presented will help organizations to think more clearly about their own risk management process and potential ways of making it more effective.
What we have shared is only one lens to examine risk management; there are many more aspects that are important. Assessing probability and impact, differentiating between gross and net risks, organizational culture and defining practical mitigation strategies are a few prominent ones.
At ValVestris we have developed our own methodology to help organizations understand where they are and what they can do to take the next steps. It is based on our extensive business experience combined with insights from many leading thinkers and scholars in this field.
We can help with assessment as well as with identification and implementation of the most effective areas for improvement. We know that in real life it is impossible to implement a world-class, fully functioning risk management process in a short time. However, small and pragmatic steps can already make a real difference. We will tailor our offering according to your individual needs. If you would like to find out more, please get in touch through LinkedIn or via info@valvestris.com.
This paper was co-written by Johan Pieters and Daniel Fobelets with support of our ValVestris colleagues.
The image is credited to Business photo created by jigsawstocker – www.freepik.com.