Almost anything worth doing is inherently risky, yet many businesses and individuals try to avoid risks and play it safe. This safety often leads to mediocrity, complacency, and stagnation, as seen in the cases of Blockbuster, Kodak, Xerox, Yahoo, Borders Bookstore, and many more. In today’s VUCA (volatility, uncertainty, complexity, and ambiguity) world, apart from forecasting the low-probability, high-impact “Black Swan” events with predictive analytics, business leaders can protect their enterprises with solid risk management practices, hedging their bets. In addition, in business, there is no innovation and growth without risk; the two are intrinsically tied. If you want bigger returns and rewards, you have to take on more risk. So how can modern enterprises effectively manage risks? Below are the 5 key enterprise risk management (ERM) steps.
Step 1: Identify Risk
The initial step in the risk management process is to define and identify the risks in the operating environment. Fundamentally, a risk is an event or condition that may or may not happen. Hence the risk should be clearly defined so that the concern is made real and can be responded to. These risks could be legal/compliance risks, environmental risks, political risks, market/economic risks, product risks, reputation risks, cybersecurity risks, regulatory risks, and more. So, how can a business enterprise identify risks? Diversity of perspectives is risk management’s best friend: involve stakeholders from different lines of business to identify risks effectively.
Step 2: Analyze Risk
Once a risk has been identified, the scope of the risk needs to be thoroughly analyzed from both positive and negative perspectives. Risk management is about assessing the business strategy and objectives, given that risk is often the effect of uncertainty on business objectives. Basically, risk analysis involves examining how the business objectives and outcomes might change due to the impact of the risk event. Effective assessment of risk involves applying techniques such as Monte Carlo analysis, scenario planning, sensitivity analysis, outlier analysis, and more to better understand the likelihood and consequences. In addition, at this step an owner should be identified for each risk item for accountability.
Step 3: Evaluate Risk
The third step is evaluating the risks by ranking and prioritizing them, because not all risks have the same consequence/impact and likelihood. Basically, each risk item should be assessed for Severity (S), Occurrence (O), and Detection (D).
- Severity is the potential effect of the failure.
- Occurrence rates the likelihood that the failure or loss will occur.
- Detection rates the likelihood that the problem will be detected before it reaches the end-user/customer.
The combination of the three scores produces a risk priority number (RPN), which can then be used to rank and prioritize the risks, i.e., RPN = S × O × D. For example, if the severity score is 6, the occurrence score is 5, and the detection score is 4, then the RPN score is 120. This can be further complemented with a risk heat map that presents the risks visually in a meaningful and concise way based on consequence/impact and likelihood. At the end of this step, you can choose the top risks to address immediately.
Step 4: Address Risk
This step is about execution, i.e., managing risks based on impact and likelihood of occurrence. While some risks are good and desired, some need to be eliminated or contained as much as possible. Overall, every risk can be addressed in one of four ways: avoidance, retention, transferring (or sharing), and reduction (or loss prevention).
4.1 Avoiding Risk
The surest way to prevent the potential loss arising from the risk is to completely avoid it. For example, if I want to avoid the possibility of having to pay for a stranger’s medical expenses due to an auto accident, I could stop driving my car. While this will avoid all risks, it affects my mobility, comfort, convenience, and so on. The problem is that whenever we completely avoid risk, we also miss out on the benefits we could have received from participating in the associated activity. At the same time, not all risks can be completely avoided. Unforeseeable circumstances or force majeure events like wars, epidemics, and natural disasters cannot be completely avoided.
4.2 Reducing Risk
If we are unable to avoid a risk item, we can take steps to reduce the probability and potential severity of loss associated with the risk. For example, when we choose to drive, we can reduce the risk of being involved in an accident by observing the speed limit, not texting while driving, wearing seat belts, and so on.
4.3 Transferring (or Sharing) Risk
Another way to deal with risks we are unable or unwilling to completely avoid is to transfer them to a third party. The most common instances are insurance, outsourcing with indemnification clauses in contracts, and more.
4.4 Retaining Risk
If none of the above options work, we have to retain the risk by taking full responsibility for the potential loss or impact. Retention is the most suitable approach when the potential severity of a loss is low, regardless of how frequently it is expected to occur.
Basically, the goal of this step, i.e., Step 4, is to reduce the inherent or initial risk to the desired target risk level.
Step 5: Monitor Risk
Not all risks can be eliminated or brought to target risk levels. Some risks will be present as residuals and can even come back in a different shape and form. Market risks and environmental risks, which are beyond one’s influence and control, need to be constantly monitored by maintaining a risk register and keeping a close watch on all risk variables using data and analytics.
Risks can be good and bad, but are often seen solely from a negative perspective. As opposed to focusing on what could go right, many enterprises tend to concentrate on all the things that can go wrong and run into analysis-paralysis mode. Risk analysis is part of every decision we make. Sometimes it is even good to take a risk when it pushes your business to go outside of your comfort zone and become more innovative and resilient. But you have to plan appropriately, leverage data and analytics to explore different scenarios, develop contingency plans, and so on to remain relevant in the marketplace. If you don’t have the appetite to take risks, someone else will capitalize on the opportunity and make you irrelevant. As Mark Zuckerberg, CEO of Facebook, once said, “The biggest risk is not taking any risk.”
Author Bio
Dr. Prashanth Southekal is the Managing Principal of DBP Institute (www.dbp-institute.com), a data and analytics consulting, research, and education firm. He is also an advisor at Astral Insights. He is a Consultant, Author, and Professor. He has consulted for over 80 organizations including P&G, GE, Shell, Apple, and SAP. Dr. Southekal is the author of two books — “Data for Business Performance” and “Analytics Best Practices” — and writes regularly on data, analytics, and machine learning in Forbes.com, FP&A Trends, and CFO.University. His second book, ANALYTICS BEST PRACTICES, was ranked the #1 analytics book of all time in May 2022 by BookAuthority. Apart from his consulting pursuits, he has trained over 3,000 professionals worldwide in Data and Analytics. Dr. Southekal is also an Adjunct Professor of Data and Analytics at IE Business School (Madrid, Spain). CDO Magazine included him in the top 75 global academic data leaders of 2022. He holds a PhD from ESC Lille (FR) and an MBA from Kellogg School of Management (U.S.). He lives in Calgary, Canada with his wife, two children, and a high-energy Goldendoodle dog. Outside work, he loves juggling and cricket.