It’s good when plans are executed close to ideal or even exceeded. But what if something goes wrong for reasons beyond your control? A supplier fails. A customer fails to pay. An inspection comes up and the head office is paralysed for a few days. Or your internet provider’s cable is accidentally cut during excavation work and you can’t use your business software and databases (CRM, ERP and other information systems).
There can be many variations of events. But the bigger the company and the more responsible the job, the more risks you need to anticipate and be prepared to deal with.
And to systematise the approach, you should implement a risk management system in your company. Read on to find out what it is and how to implement it.
What is a risk management system (basic definitions)
A company’s risk management system is a set of policies, guidelines, rules and other management decisions aimed at identifying major risks and developing measures to respond to them in order to minimise negative consequences.
The main objective of risk management is to maintain the stability of the company despite external and internal negative influences.
Who is involved in risk management
Depending on the size of the company, risk management may involve a different set of tools and organisational measures.
In a small company, for example, it may be enough to document the risks and communicate to employees the main algorithms for responding to certain critical situations. In this way, all employees in the company will react to changes in the situation.
If the company is large, appropriate superstructures appear: risk management departments, security services (including information security), internal control and others. They can actively cooperate on relevant issues with legal services, production departments, etc.
The need for such bodies should be justified. To this end, a clear qualitative and quantitative risk assessment must be established, as well as a system for evaluating the unit’s performance.
There are a number of risks that need to be described in every company. These include, for example, fire protection and occupational health and safety in the event of an emergency. Covering them involves a large number of organisational measures, including the development of instructions, the provision of personal protective equipment for personnel, the holding of training courses, and so on.
Some risks, particularly financial risks, can be covered by appropriate insurance programmes.
Industry standards for risk management
As risks will be common to many companies, they can be standardised. The following standards have been developed specifically to describe and manage risks:
- ISO 31000:2018 ‘Risk management — Guidelines’.
- COSO ERM (developed by the Committee of Sponsoring Organizations of the Treadway Commission).
- Risk Management Standard FERMA (Federation of European Risk Management Associations).
These standards have their own objectives, scope, tasks and characteristics. However, in many ways they are similar, as they all state that risks should be identified, systematised and appropriate responses developed for each of them.
Despite the availability of specific guidelines and a good theoretical basis, few companies implement risk management systems. This is partly due to the high start-up costs of implementing such systems in active and growing companies.
Why do you need risk management methods in your company?
It’s simple. All risk management methods and specific actions within the developed methodologies are aimed at reducing losses and other negative consequences when risks materialise.
The purpose of any business is to make a profit. And the ability to generate profit must be maintained throughout the lifecycle of any business, regardless of external or internal conditions.
What counts as a risk management method
The main methods of risk management are:
- Risk prevention — the avoidance of problematic situations. The best way to do this is to prevent risks from arising in the first place. For example, the company can refrain from entering into a controversial contract, check the reputation and reliability of the partner, reduce the amount of funding for innovative projects in order to reduce losses in the event of their unsuccessful completion, and so on. Caution never hurts. But the avoidance method has its own drawbacks. Excessive caution can hinder the development of the company, and it is impossible to foresee all risks anyway.
- Spreading (distributing) risks. Another effective method, referred to in some sources as ‘outsourcing’ or ‘transfer’. It works on the principle of ‘divide and conquer’. If the risks are known, well described and documented, you can consider the possibility of distributing the responsibility for them to different structural units within the company. If the risks are related to specific products, you can expand the product range, increase the geographical coverage (if the target region does not meet expectations), etc. in order to mitigate the risks.
- Risk localisation. This is the opposite of spreading risks. You can reduce the impact of a risk by isolating it in a controlled environment. For example, if you can’t predict demand for a new type of product, you can isolate experimental products in a separate product line or create a subsidiary and separate brand to mitigate potential reputational damage.
- Risk compensation. This method is similar to balancing on a scale. For every negative action, you must have countermeasures. Even if the risk cannot be fully compensated for, you must have a way to mitigate the negative consequences.
What are the steps in the risk management process?
Various sources, including the industry standards outlined above, summarise the stages of risk management in the same list. There is nothing new or miraculous here:
- Risks need to be identified, i.e. recognised.
- When there are a large number of risks, they need to be categorised into groups based on their likelihood of occurrence and potential loss. The risk matrix and ISO/IEC 31010-2011, which outlines more than three dozen risk analysis methods (including brainstorming, interviews, checklists, event tree analysis, ‘bow tie’ and others), will help in the compilation and assessment of risks.
- Selecting responses to risks (one of the risk management methods described above).
- Developing a list of specific risk strategy actions. These can be any actions, including setting aside reserves, taking out insurance, developing policies, job descriptions, etc., that can eliminate the risk or minimise its impact if it occurs.
- Carrying out the planned actions when a risk occurs.
- Analysing the results and, if necessary, adjusting risk management policies.
A continuous process that goes through all stages can be called monitoring the occurrence of risks.
How risks can be managed
All of this is already described in the management stages above. Going through the stages of identification, assessment, strategy development, implementation and analysis is the process of managing risk in a business or enterprise.
But it is important to realise that these are not just items on a plan. Behind each of them is a huge amount of work. And each item should be approached as responsibly as possible. If you don’t have the necessary experience, you can consult experts or even specialised agencies, hire specialists and create your own risk management department within the company.
And to automate the management process as much as possible, it is logical to implement a special organisation management system. It can be a BPM system or a simple task manager. However, it is better if the corresponding information system implements all the necessary management functionality: controlling and setting tasks, managing projects, employee calendars, planning the organisational structure, storing correspondence (dialogues, discussions) and task implementation statuses, organising a system of notifications about new events (assigned tasks, announcements), and much more.