Managing risks in business effectively can not only help organizations proactively deal with potential business failures and minimize exposures but also benefit effectively from the possible opportunities. Risk Management is therefore, the identification, evaluation, and prioritization of risks followed by optimal use of resources to minimize, monitor, and control the probability and impact of undesirable events or maximize the fulfillment of opportunities.
Traditionally Risk Management was limited to the banking, financial & insurance sectors to manage financial risks. However, with the increased focus on corporate governance due to various financial & operational failures; Risk Management assumed increased importance. The need for robust risk management practices became intensified and prescriptive across all sectors.
Although organizations started implementing risk management practices, the efficacy of the Risk Management system was often not to the desired levels due to one or more factors. A few of the critical factors for Risk Management to be effective in any organization are as follows:
- Risk-based culture/thinking: Leadership & commitment from Top Management and oversight bodies (where applicable) to ensure Risk management is an integral part of all organizational activities, including decision making
- A structured approach or process is followed
- Utilize the information available effectively
- Involve all stakeholders promptly
- Ensure the system is dynamic and responding quickly to changes
Risk management, therefore, becomes key to the creation and protection of value. This is true for large or medium organizations and equally relevant for small organizations, especially startups or entrepreneurs for whom the environment is filled with opportunities and fraught with risks.
II. Risk assessment:
Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.
a. Risk criteria:
Risk is the effect of uncertainty on the organization’s objectives. Therefore, an organization needs to specify its Risk appetite, i.e., the amount/ type of risk it may or may not take while pursuing its objectives before any action is taken to reduce the risk. Based on the risk appetite, criteria need to be defined to evaluate the significance of risk and support decision-making processes.
Some of the critical things that need to be factored while establishing risk criteria are:
-Nature & type of uncertainties that can affect the objectives.
-How consequences (positive & negative) & likelihood will be defined and measured
-Level of risk (e.g., High, medium, low, etc.)
b. Risk identification:
The purpose of risk identification is to determine and describe risks that might help or prevent an organization from achieving its objectives. The organization can use various techniques for identifying risks: e.g., SWOT analysis, brainstorming, Delphi technique, RCA, Checklists, etc. The organization should identify risks, whether its sources are under its control or not.
c. Risk analysis:
The purpose of risk analysis is to understand the nature of risk and the level of risk. It involves consideration of uncertainties, consequences, likelihood,events,controls & their effectiveness. The analysis can be quantitative, qualitative, or a combination of both. Risk analysis provides input to risk evaluation in making decisions on the most appropriate risk treatment strategy and methods.
d. Risk evaluation:
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the risk analysis results with the established risk criteria to determine where additional action is required. This can lead to a decision to “Do nothing further and maintain existing controls or consider various risk treatment options or undertake further analysis or reconsider objectives”. Decisions should take account of the broad organization context and the actual and perceived consequences to stakeholders.
III. Risk treatment:
The purpose of risk treatment is to select and implement options for addressing risk.
Options for treating risk may involve one or more of the following:
-Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
-Taking on or increasing the risk to pursue an opportunity
-Removing the risk source
-Changing the likelihood by introducing additional controls
-Changing the consequences by redefining the risk
-Sharing the risk (e.g., buying insurance, etc.)
-Retaining the risk by informed decision.
The selection of risk treatment options should be made in accordance with the organization’s values, objectives, risk criteria, and available resources.
IV. Implementing, monitoring & review of risk treatment plans:
The purpose of risk treatment plans is to specify how the various options identified will be implemented so that the same are understood by those involved, and progress against the plan can be monitored. The information provided in the treatment plan should include the expected benefits & constraints, responsibilities; the proposed actions; resources required; time frame, performance measures, the necessary monitoring, and reporting.
The purpose of periodic monitoring and review is to assure the effectiveness of the risk management process, including the design, implementation, and outcomes.
V. Risk reporting:
As part of the organization’s governance process, risk management outcomes should be periodically reported and communicated to all concerned stakeholders.
VI. Why Risk Management for Entrepreneurs:
Risk management is often seen as a luxury in the realm of large corporates that requires time and effort and does not add much value. However, every crisis is a grim reminder that risk management is relevant for all organizations: big or small and needs to be integrated into their processes from the beginning. By virtue of being new to the business, startups face several risks(e.g., lack of funding; competitors; constantly changing regulatory, health, safety, quality requirements; supply chain issues; inability to meet deadlines; attrition of key talent, etc.) that often threaten their very survival and hence the need for a robust risk management processes to manage these risks and provide confidence to the investors. Also, in the absence of a robust risk management process, the risk appetite for the organization is not clearly defined, and possible opportunities available are often not explored and go unaddressed. Therefore, establishing an effective Risk Management process is no longer a “good to have” feature for entrepreneurs but a critical component for effectively managing their business. However, this is possible only if entrepreneurs establish a risk-based culture in their organisation by implementing & integrating a risk management approach into and across all their processes, thereby inculcating risk-based thinking while making decisions.
-BS ISO 31000:2018: Risk Management guidelines
-ISO 14971:2019: Application of risk management to medical devices
Author: C.V.Murali is a Management Consultant, Lead Assessor & Mentor with more than three decades of experience in diverse industries: Automobile, Oil & Gas, Power, EPC, Health, Certification across various functions in Leadership roles. A Postgraduate in Metallurgical Engineering from IIT Bombay; his key areas of expertise are Operational and Business Excellence; Business Risk Management; Supply Chain Management; Manufacturing, Quality, Safety & Environment Management; Process & Management system Assessments & Certification. Widely travelled and having with worked with various functions and sectors across countries and work environment, he has been using his professional experience and personal skills to mentor start-ups over their entire product life cycle. He currently resides in Chennai, India.