Risk is something we manage every day. Whether we are crossing the road, riding a bike or simply eating, we manage short and long term risks.
We do so in the context of what is important to us. Elements we consider include internal contextual elements such as our:
- Health
- Fitness
- Stress
- Prosperity
- Reputation
- Willingness to take on the consequences of a risk being triggered
We also take into account external contextual elements such as:
- Our friend’s and families health
- Commitments to our employer
- Commitments to our family
- The rules and regulations of our community
- The norms of our social circle
From that analysis which may be intuitive or an overt process on our part, we arrive at a set of criteria upon which we manage risk.
In a work context, managing risk must be an overt process. It requires rigorous thinking. It also requires forward thinking.
Forward thinking is not difficult to do. However, it is difficult to do with great accuracy. We have to become good at estimating not only the likely consequence of a risk, but the probability too.
Managing risks requires us to be able to have balanced thinking as well. We must balance the costs of mitigating the consequence and the likelihood of a risk being triggered against the benefits of doing so.
The benefits of managing risk are several:
- Fewer surprises – great for our relationship with stakeholders and for our ability to plan well
- Efficient allocation of resources
- High reputation – we appear to always be in control
- High quality information for decision making
- High levels of accountability, assurance and governance
- Personal well being
Components of a risk:
There are six components of a risk:
- A source of risk or hazard.
- An event or incident that could trigger the risk.
- A consequence, outcome or impact on stakeholders.
- A cause for the presence of the hazard or the event occurring.
- Controls and their level of effectiveness in limiting the occurrence or consequence of the event occurring.
- When and where the risk event could occur.
Identifying risk
In identifying risks, we should ask a series of questions pertaining to the six components.
To demonstrate, let us assume we run an hotel business which has 200 rooms, a restaurant and a bar, a Day Spa and a workforce of 70 permanent employees and 70 part-time and casual staff. The questions we should ask and some examples of the answers we may come up with are:
- What is the source of the risk?
- Competitors.
- Government regulation.
- Food borne bacteria and other harmful organisms.
- Staff morale.
- Customer preferences and changes in fashion.
- Corporate memory.
- Recruitment.
- What event might happen that could improve or decrease our ability to achieve our objectives?
- A new 200 room hotel opens up within a 2km radius.
- A $25 room tax is levied by government.
- Our staff neglects to wash their hands properly and do not segregate raw and prepared foods.
- Staff love our new food and beverage manager’s style and appreciate the wealth of knowledge she brings (not all risks are negative!)
- Going to large scale hotels is out; boutique is in.
- A large number of our permanent employees are poached by a new competitor.
- We lapse into a practice of not checking references.
- What would the effect on our objectives be?
- We lose customers to the new hotel.
- Business people travel less, preferring to go back and forth on the one day instead of staying overnight.
- A customer contracts food poisoning.
- Staff morale improves boosting customer satisfaction and reducing staff churn.
- We lose customers.
- We have to train a large number of new people at high cost and our customer satisfaction levels decrease.
- We hire some people who are not really suitable and we have to hire again.
- When, where, why and how are these risk events likely to occur?
- Within a three year horizon if demand is high and we are not able to dominate from a supply side.
- At or after election time if lobbying is not convincing enough.
- Any time we tolerate poor hygiene, do not train our staff adequately, test their knowledge and audit their practise.
- When we recruit well having a well defined job role including desired competencies and a selection process that discriminates those who have those competencies from those who have not.
- When we are unable to remain relevant with our public image.
- Any time we do not provide the right remuneration, challenge and career progression.
- Any time we do not audit our processes to see what we do rather than what we think we do.
- Who might be involved or impacted?
- Shareholders and staff.
- Shareholders and staff.
- Customers, shareholders, government regulators, the community and staff.
- Staff, customers and shareholders.
- Shareholders and staff.
- Staff, customers and shareholders
- Staff, customers and shareholders.
- What controls currently exist?
- Market awareness, strategic planning, zoning laws.
- Hotel industry lobby group.
- HACCP practices and audits.
- Recruitment processes.
- Marketing and public relations processes.
- Performance management, rewards and recognition and succession planning processes.
- Recruitment processes and process audits.
- What would cause the control not to have the desired effect on the risk event and its consequences?
- Poor information, poor planning, internal view.
- Change in government, or a change in public perception.
- New management staff, complacency.
- New management staff use poor recruitment practices, a sudden resignation pressures us to crisis recruit.
- New staff lose sight of the importance of keeping abreast of market developments.
- Complacency with regard to staff loyalty, ineffective succession planning.
- New staff, complacency.
In addition we should consider the reliability and completeness of our information and whether any further research or involvement of other people is necessary.
There are several processes which can be used to identify risks. In our Hotel example we may choose:
- Brainstorming involving a representative from front desk, kitchen, restaurant, the bar, Day Spa, HR, and sales, making sure we get a vertical slice of the organisation too.
- Structured techniques such as flow charting processes impacting on each of the major stakeholders.
- Scenario based analysis e.g. What if a new hotel opened up? What if we had poor hygiene practices?
- Use of industry checklists of known risks.
The end result of risk identification is the beginning of a risk register with the following headings as a minimum:
- Reference number.
- The risk – what can happen and how it can happen.
- The consequence of the risk happening.
- The likelihood of the risk event occurring.
- The adequacy of existing controls.
A complete risk register will, upon completion of risk analysis and risk assessment, the topic of another article, also include as headings:
- A consequence rating.
- A likelihood rating.
- The rated level of risk.
- The risk priority.
Risks in any organisation must be overtly managed. The starting point is to identify risks in the context of your organisation, its objectives and those of its stakeholders.