“There are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that we now know we don’t know. But there are also unknown unknowns – there are things we do not know we don’t know.”
In my businesses I have seen and experienced many disasters. In the early days of running my own businesses, some I was responsible for. If I had implemented any structured risk management, many of them would not have occurred. I learnt from these mistakes. I hope you can learn from mine and this is what this post is about.
What is risk? ISO 31000 (2009) / ISO Guide 73:2002, Risk management – Principles and guidelines, defines risk as the ‘effect of uncertainty on objectives’. If you are interested, Wikipedia has a number of great articles on many aspects of risk. There are many inconsistent and ambiguous meanings attached to “risk”, with varying approaches to risk management in different fields, and this can often lead to confusion. Risk is a fascinating and complex subject with many books written on the topic. One of the best I have ever read is Against The Gods – The Remarkable Story of Risk by Peter L. Bernstein.
Risk can impact your business in many ways. Risk to and in your business can come from anywhere and it is difficult to predict occurrences. So what options do we have? The best way to minimise risk is to plan for possible scenarios. This is where a risk management plan is used to identify, evaluate and determine responses to possible events. These risk events can cover a broad range of possibilities from things like a change in government policy, work injuries, new product introductions and events such as natural or manmade disasters or terrorist acts, just to name a few.
Every business, no matter how big or small, needs a risk management plan. It doesn’t have to be complex and it’s not rocket science; you don’t need an MBA to manage risk. That said, there are also many people who practice risk management as their profession. This post is a guide to get you started on managing risks in your business.
Risk management is about expecting the unexpected and deciding what you plan to do about it if and when it eventuates. There are many examples of disasters that could have been avoided with a little forethought and planning. Think of it this way: a risk management plan can be considered as your additional insurance policy. It will cover you with preparation for any risk event that you have identified and analysed. When something does happen, you should immediately know what action to take, whilst limiting any damage to your business.
Implementing a simple risk management plan
Before risks to and in your business can be managed, we need a plan. This is a two-stage process: first, the creation of a “Risk Matrix”, and second, the development of the “Mitigation Plans” for the risks identified in the matrix.
Building the risk matrix is a three-step process and forms the basis of our risk management plan. This is where you invest time and look for issues, problems and potential stumbling blocks: basically anything that can possibly go wrong and have a negative impact on your business. To get this right we need to spend some time to:
- Identify possible risks that may occur and impact our business
- Determine the probability of the risk event occurring
- Evaluate the severity of the impact to our business if a risk event occurs
1. Identify Risks
The easiest way to start identifying possible risks is by asking questions and documenting the results. For all areas of your business ask “what can or could go wrong?” Examples of this are things like:
- Computer crash
- Backup failure
- Earthquake disruption
- Power failure short term or extended
- Loss of smartphone or laptop
- Staff injury or accident
- Resignation of key staff member
- Loss of major client
- New competitors
- Change of government
- Litigation, etc.
Try and be specific and cover all areas of your business operations. The more detail you capture the better your risk matrix will be and in turn, management and mitigation of risks will be easier to undertake.
Here are some more examples of the sort of risks you may identify in your business…
- Associate loses smartphone with all client content details and a number of sensitive and confidential documents on it.
- The computer server has crashed, all your data is corrupted, and the backup is old and out of date.
- There is a public transport strike and many of the staff are unable to come in for a key client presentation.
2. Determine Probability
Once we have identified all the possible risks, we analyse them and determine the probability of each risk event occurring by rating each identified risk with a simple “Low”, “Medium” or “High” (L, M or H) ranking.
3. Evaluate Severity
We do the same for evaluating the severity of the impact to our business if the risk event occurs (L, M or H). Yes, it sounds simple, and it is. You have just developed a risk matrix for your business. My suggestion is to set up a simple spreadsheet or a table in a document. If you prefer, you can use a number rating system instead, with 1 being the lowest probability or severity and 10 the highest. This would provide you with better granularity if you need it.
Example of a Risk Matrix.
Remember this is a working document and risks change just like your business and opportunities change, so it is important to regularly review your plan. It’s always a good idea to set a review timeline. This of course depends on the type of business you run. If your business operates in a very volatile trading environment like foreign exchange you would analyze some risks more frequently than others.
Once the risk matrix is developed we can establish risk mitigation plans to minimise the impact or remove the risk fully. Depending on the type of risk you have identified, mitigation can be simple or complex. It may involve anything from modifying systems and processes of how you do things to getting additional insurance cover.
Let’s take a hypothetical example of risk management. I’ll assume you have identified the risk of “Earthquake disruption” as your office is located in an earthquake zone. When you do your research you find earthquakes rarely occur in your area, so you could say the probability for this risk is “Low”. However, although rare, when they do occur in your area they are always of a destructive magnitude. That would in this case give the severity of the impact a “High” ranking.
If this hypothetical risk eventuated it could have a severe impact on your business but the possibility of it occurring is fairly slim. How would you mitigate or reduce this risk? Do you need to? What do you need to do so the disruption is at a minimum to your business? What about others in your community who are affected by the same event? How would this impact on your revenue stream? Would additional insurance suffice? These and more are all questions you need to ask and answer to enable you to manage your risks effectively.
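The matrix from steps 1 to 3 as a small Python register, using the earthquake rating from the example above; this is an added example, not part of the original post. The 1-10 banding, the review ordering and every rating except the earthquake one are assumptions made for illustration.

```python
from dataclasses import dataclass
LEVELS = ("L", "M", "H")  # the post's Low / Medium / High scale

def to_level(rating):
    """Map 'L'/'M'/'H' or a 1-10 score to a level (1-3/4-7/8-10 banding is assumed)."""
    if isinstance(rating, str) and rating.strip().upper() in LEVELS:
        return rating.strip().upper()
    if isinstance(rating, int) and not isinstance(rating, bool) and 1 <= rating <= 10:
        return "L" if rating <= 3 else "M" if rating <= 7 else "H"
    raise ValueError(f"rating must be L, M, H or 1-10, got {rating!r}")

@dataclass(frozen=True)
class Risk:
    name: str
    probability: object  # 'L'/'M'/'H' or an integer 1-10
    severity: object     # same scale as probability

def build_matrix(risks):
    """Place each risk in a 3x3 grid keyed by (probability, severity)."""
    grid = {(p, s): [] for p in LEVELS for s in LEVELS}
    for r in risks:
        grid[(to_level(r.probability), to_level(r.severity))].append(r.name)
    return grid

def review_order(risks):
    """Highest severity first, then highest probability (an assumed ordering)."""
    rank = LEVELS.index
    return sorted(risks, key=lambda r: (-rank(to_level(r.severity)),
                                        -rank(to_level(r.probability)), r.name))

def render(grid):
    """Return the matrix as text: rows are probability, columns are severity."""
    lines = ["prob\\sev | " + " | ".join(LEVELS)]
    for p in reversed(LEVELS):
        cells = [",".join(grid[(p, s)]) or "-" for s in LEVELS]
        lines.append(f"{p:8} | " + " | ".join(cells))
    return "\n".join(lines)

# Constructed sample register. Only the earthquake rating (L probability,
# H severity) comes from the post; the other ratings are made up.
REGISTER = [
    Risk("Earthquake disruption", "L", "H"),
    Risk("Backup failure", 5, 9),
    Risk("Loss of smartphone or laptop", "h", "M"),
    Risk("Public transport strike", 2, 4),
]

if __name__ == "__main__":
    print(render(build_matrix(REGISTER)))
```

Ratings outside the two scales raise `ValueError`, so a typo in the register is caught when the matrix is built rather than silently dropped from it.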
There are benefits to all this work. They may not be immediate or apparent whilst you are developing your risk management matrix and the mitigation plans, but from all the exercises you carry out you will be able to determine where your business may be exposed and in turn have the opportunity to strengthen the weaker areas of the business.
In addition to this, you will have planned and be able to act appropriately if anything occurs. More importantly, this risk management plan and metrics will provide you with a basis for developing a disaster recovery plan (DRP), but this is for another post at a later date.
If you are in business for yourself, this business is your livelihood; therefore it’s imperative that you set yourself up to succeed. By setting up a firm foundation for your business you improve your chances of surviving and thriving. Planning for managing the unforeseen future is an essential part of this process. So now that you have a solid framework for a risk management plan…
What are you waiting for? Get to work.