Don’t get caught with your pants down!

Transport Fail

“There are known knowns. There are things we know that we know. There are known unknowns; that is to say there are things that we now know we don’t know. But there are also unknown unknowns – there are things we do not know we don’t know.”

Former US Secretary of Defense, Donald Rumsfeld.

In my businesses I have seen and experienced many disasters. In the early days of running my own businesses, some I was responsible for. If I had implemented any structured risk management, many of them would not have occurred. I learnt from these mistakes. I hope you can learn from mine and this is what this post is about.

What is risk? The ISO 31000 (2009) / ISO Guide 73:2002 Risk management – Principles and guidelines defines risk as the effect of uncertainty on objectives. If you are interested, Wikipedia has a number of great articles on many aspects of risk. There are many inconsistent and ambiguous meanings attached to “risk”, with varying approaches to risk management in different fields, and this can often lead to confusion. Risk is a fascinating and complex subject with many books written on the topic. One of the best I have ever read is Against The Gods – The Remarkable Story of Risk by Peter L. Bernstein.

Risk can impact your business in many ways. Risk to and in your business can come from anywhere and it is difficult to predict occurrences. So what options do we have? The best way to minimise risk is to plan for possible scenarios. This is where a risk management plan is used to identify, evaluate and determine responses to possible events. These risk events can cover a broad range of possibilities from things like a change in government policy, work injuries, new product introductions and events such as natural or manmade disasters or terrorist acts, just to name a few.

Every business, no matter how big or small, needs a risk management plan. It doesn’t have to be complex and it’s not rocket science; you don’t need an MBA to manage risk. That said, there are also many people who practice risk management as their profession. This post is a guide to get you started on managing risks in your business.

Risk management is about expecting the unexpected and what you plan to do about it if and when it eventuates. There are many examples of disasters that could have been avoided with a little forethought and planning. Think of it this way, a risk management plan can be considered as your additional insurance policy. It will cover you with preparation for any risk event that you have identified and analysed. When something does happen, you should immediately know what action to take, whilst limiting any damage to your business.

Implementing a simple risk management plan

Before risks to and in your business can be managed, we need a plan. This is a two-stage process: first, the creation of a “Risk Matrix”, and second, the development of the “Mitigation Plans” for the risks identified in the matrix.

Risk Matrix

The risk matrix is a three-step process and forms the basis of our risk management plan. This is where you invest time and look for issues, problems and potential stumbling blocks: basically anything that can possibly go wrong and have a negative impact on your business. To get this right we need to spend some time to:

  1. Identify possible risks that may occur and impact our business
  2. Determine the probability of the risk event occurring
  3. Evaluate the severity of the impact to our business if a risk event occurs

1. Identify Risks

The easiest way to start identifying possible risks is by asking questions and documenting the results. For all areas of your business ask “what can or could go wrong?” Examples of this are things like:

  • Computer crash
  • Backup failure
  • Earthquake disruption
  • Power failure short term or extended
  • Loss of smartphone or laptop
  • Staff injury or accident
  • Resignation of key staff member
  • Loss of major client
  • New competitors
  • Change of government
  • Litigation, etc.

Try and be specific and cover all areas of your business operations. The more detail you capture the better your risk matrix will be and in turn, management and mitigation of risks will be easier to undertake.

Here are some more examples of the sort of risks you may identify in your business…

  • Associate loses smartphone with all client content details and a number of sensitive and confidential documents on it.
  • The computer server has crashed and all your data is corrupted and the backup is old and out of date.
  • There is a public transport strike and many of the staff are unable to come in for a key client presentation.

2. Determine Probability

Once we have identified all the possible risks, we analyse them and determine the probability of each risk event occurring by rating each identified risk with a simple “Low”, “Medium” or “High” (L, M or H) ranking.

3. Evaluate Severity

We do the same for evaluating the severity of the impact to our business if the risk event occurs (L, M or H). Yes, it sounds simple and it is. You have just developed a risk matrix for your business. My suggestion is to set up a simple spreadsheet or a table in a document. If you prefer, you can use a number rating system for finer clarity, with 1 being the lowest risk or severity and 10 the highest. This would provide you with better granularity if you need it.

Example of a Risk Matrix.
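An added example, not part of the original post: the three steps above as a small Python risk register that places each risk in a 3×3 matrix and ranks it. Only the earthquake ratings come from the post's own example; the other ratings, the multiply-the-levels scoring and the tie-break on severity are assumptions made for illustration.

```python
# Added example: a minimal risk matrix built from Low/Medium/High ratings.
from collections import defaultdict

LEVELS = {"L": 1, "M": 2, "H": 3}

# (risk, probability, severity) -- constructed sample register.
REGISTER = [
    ("Earthquake disruption", "L", "H"),      # ratings from the post's example
    ("Backup failure", "M", "H"),             # constructed rating
    ("Loss of smartphone or laptop", "H", "M"),     # constructed rating
    ("Power failure, short term", "M", "L"),        # constructed rating
    ("Resignation of key staff member", "L", "M"),  # constructed rating
]

def validate(register):
    """Reject ratings outside L/M/H so a typo is never silently ranked."""
    for name, prob, sev in register:
        if prob not in LEVELS or sev not in LEVELS:
            raise ValueError(f"{name!r}: ratings must be L, M or H")
    return register

def prioritise(register):
    """Order by probability x severity (assumed scoring), ties broken on severity."""
    return sorted(validate(register),
                  key=lambda r: (LEVELS[r[1]] * LEVELS[r[2]], LEVELS[r[2]]),
                  reverse=True)

def matrix(register):
    """Group risk names into (probability, severity) cells of the 3x3 grid."""
    cells = defaultdict(list)
    for name, prob, sev in validate(register):
        cells[(prob, sev)].append(name)
    return dict(cells)

def render(register):
    """Plain-text matrix: one row per probability, columns are severity L|M|H."""
    cells = matrix(register)
    lines = ["Probability \\ Severity: L | M | H"]
    for prob in "HML":
        row = [", ".join(cells.get((prob, sev), [])) or "-" for sev in "LMH"]
        lines.append(f"{prob}: " + " | ".join(row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(REGISTER))
    for name, prob, sev in prioritise(REGISTER):
        print(f"{LEVELS[prob] * LEVELS[sev]}  {name} (P={prob}, S={sev})")
```

Risks at the top of the ranked list are the ones to write mitigation plans for first.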

Remember this is a working document and risks change just like your business and opportunities change, so it is important to regularly review your plan. It’s always a good idea to set a review timeline. This of course depends on the type of business you run. If your business operates in a very volatile trading environment like foreign exchange you would analyze some risks more frequently than others.

Mitigation Plans

Once the risk matrix is developed we can establish risk mitigation plans to minimise the impact or remove the risk fully. Depending on the type of risk you have identified, mitigation can be simple or complex. It may involve anything from modifying systems and processes of how you do things to getting additional insurance cover.

Let’s take a hypothetical example of risk management. I’ll assume you have identified the risk of “Earthquake disruption” as your office is located in an earthquake zone. When you do your research you find earthquakes rarely occur in your area, so you could say the probability for this risk is “Low”. However, although rare, when they do occur in your area they are always of a destructive magnitude. That would in this case give the severity of the impact a “High” ranking.

If this hypothetical risk eventuated it could have a severe impact on your business but the possibility of it occurring is fairly slim. How would you mitigate or reduce this risk? Do you need to? What do you need to do so the disruption is at a minimum to your business? What about others in your community who are affected by the same event? How would this impact on your revenue stream? Would additional insurance suffice? These and more are all questions you need to ask and answer to enable you to manage your risks effectively.

There are benefits to all this work. They may not be immediate or apparent whilst you are developing your risk management matrix and the mitigation plans, but from all the exercises you carry out you will be able to determine where your business may be exposed and in turn have the opportunity to strengthen the weaker areas of the business.

In addition to this, you will have planned and be able to appropriately act if anything occurs and more importantly, this risk management plan and metrics will provide you with a basis for developing a disaster recovery plan (DRP) but this is for another post at a later date.

If you are in business for yourself, this business is your livelihood, so it’s imperative that you set yourself up to succeed. By setting up a firm foundation for your business you improve your chances of surviving and thriving. Planning for managing the unforeseen future is an essential part of this process. So now that you have a solid framework for a risk management plan…

What are you waiting for? Get to work.


10 thoughts on “Don’t get caught with your pants down!”

  1. Gee, you make it all seem so sensible, but I guess in the heat of the arena we sometimes forget basic underpinnings like, ‘effect of uncertainty on objectives‘. Not sure I understand it all, and certainly wish I had done a better job of managing risk on my marital paths (yes, plural…ha ha). Anyway, looking forward to more of yours, as a way to stretch my thinking.

    1. Thanks for taking the time to check the post out and reply. Yes all the textbooks and experts make it sound intricate, but as you see, a simple plan doesn’t require a rocket science degree to put together. The hardest thing about it is taking the time out to determine what the risks could be and what impact they could have on your business… or life. If you know the risk and impact, you normally have a good idea of how to fix it. Cheers

      1. Totally agree and I like your simple plan. I try to incorporate something very similar myself. The only thing I do a little differently is try to state the impact (i.e. severity) in financial terms and the probability as a percentage. That way I can simply multiply the probability by the impact to come up with “risk exposure”.

        For example, the risk of a computer crash may have an impact of $5000 (replacement, data recovery, etc.), but the probability is roughly 10%, therefore the exposure is $500 to my business/project. My mitigation plan may reduce the 10% probability to 5% (i.e. a mitigation plan that includes updating hardware) or it may reduce the impact to $2500 (i.e. using backup/restore services) … in each case reducing my exposure by half.

        Often in client engagements I’ll suggest that we only actively manage the Top 10 risks by exposure of a given project in detail (i.e. with detailed mitigation and contingency plans), whereas the other risk items continue to be identified, but not a distraction overall.

        I don’t find many people that have a passion for this Don. I find too many people are uncomfortable with discussing risk (perhaps because it is too ‘negative’), but risk should be easy (as you state) and can even be positive (there IS such a thing as uncertainty that can POSITIVELY affect your business/project).

        Thanks again … I enjoyed this.

      2. Jame, excellent points you raise. Yes and in taking the effort to set a monetary value to a risk, you inherently reduce that risk because it is so much easier to evaluate the impact on the business. I totally agree with the concepts you present. And the idea of “Positive Risk” is one that is hardly considered by anyone because when you are evaluating risk you are looking for the negatives.
        Thank you for the positive feedback.

  2. Reblogged this on Orlando Bootstrapper and commented:
    Computer won’t boot up? Mobile phone breaks? Loss of power from Mother Nature’s fury? Is your business – even partially – ready for most any emergency? This is pretty important. Make it a habit.

  3. Reblogged this on ProtectMyBusiness and commented:
    A significant part of being a small business owner is often overlooked – or at the least, not planned out. Here is a great blog that goes through the risks of running a business and how to take some preventative steps to stay in business!
