3 Types of Risks That Affect Your Company and How to Manage Them
Measuring and managing risk must be considered as an integral part of the company’s value-creating and strategy execution processes. Discover the different types of risk that affect your organization and how to strategically manage them to protect your company.
Failing to incorporate risk management into the company’s corporate governance and strategy execution processes may leave the company in danger, as was the case with the many companies that went bankrupt during the recent financial crisis. Their excessive exposure to risk and poor risk management, whether by not incorporating risk into their strategic planning or by failing to monitor the risks they took, left them particularly vulnerable to the strong market volatilities that ultimately caused their demise.
It is important to consider that companies face different degrees of risk. These can be classified into three categories depending on how predictable they are, how controllable they are and, most importantly, the magnitude of their consequences for the organization. The lowest degree of risk represents those that stem from compliance functions and standard operations; the second degree comprises the risks naturally created by the company’s chosen strategy; and lastly, the highest (or third) degree of risk comprises the unaccountable and unpredictable risks to which all companies are inevitably exposed.
First Degree Risks: Operational and Compliance Risks
This level encompasses the risks that may arise from errors in standardized, routine and predictable operations, which could cause the company substantial losses. These processes, while vital for the company’s operation, do not give the company a competitive advantage. They may include processes such as information management and protection, and compliance with mandatory regulations and taxation.
These risks can be identified and prevented through comprehensive training, internal auditing and the establishment of internal controls and standard operating procedures. This way, the company may aspire to have a zero defects rate and full compliance with the necessary protocols.
Second Degree Risks: Strategy-derived Risks
With the hope of achieving higher financial rewards, directors select the strategies that they believe can create a sustainable competitive advantage over their competitors. However, the tradeoff between risk and return states that, in order to offer shareholders a more attractive return, the company must undertake some risk.
Some of these risks are straightforward and can be easily accounted for, such as the risk of uncollectible accounts when extending credit to customers. Others, however, may be more speculative, such as entering new markets or developing new products. Therefore, leaders must identify the most likely and potentially most harmful risks to the company to try to counter them and mitigate their negative consequences as best as possible.
The best way to manage these risks is to consider them from a holistic perspective. Leaders may begin by visualizing and understanding the company’s strategy from these four perspectives: human resources and technology, internal processes, customers and shareholders.
The executive team should then define the objectives that should be achieved in each of these perspectives if the company is to execute its strategy successfully. They should also discuss how these objectives are interrelated to one another.
Afterwards, they should take the time to consider the biggest risks to each objective’s fulfillment. Each of these risks should be complemented with an indicator that serves as an early warning if the objective is in danger of not being reached.
Risk management should be preventive, rather than reactive. So rather than wait until the indicators point to an adverse condition, management needs to estimate which risks are the most likely and potentially harmful, and take a proactive stance against them.
When there is insufficient or inadequate historical data to calculate the risk exposure, management can use another tool, the heat map, as a framework to stimulate discussion on their estimates of risk events. Management must assign a value, on a scale of 1 to 5, to each identified risk based on the probability of its occurrence, and then again for the magnitude of its consequences. These two parameters should then be multiplied to yield a score between 1 and 25. Risks ranking higher than 15 are the most likely to occur and potentially most harmful, and should therefore be given a higher priority when allocating the resources available to prevent or mitigate risks.
By using this approach, leaders can ensure they are anticipating and preventing the most important operational and strategic risks. However, for risk management to be truly effective in all areas of the company, it should be an integral part of senior management’s quarterly Strategy Review Meetings.
Third Degree Risks: Inescapable Risks
This degree encompasses those unpredictable and unprecedented events to which all companies are inherently exposed. If we refer to the heat map, these risks would have a probability of less than 1 (very unlikely) and consequences higher than 5 (highly adverse).
To prepare for these risks, some companies choose to periodically discuss unlikely events and their consequences. Such events could include natural events (devastating hurricanes, tropical storms or earthquakes), global economic or social events (strong fluctuations in energy prices or exchange rates, civil unrest or wars) or important actions taken by competitors.
During such meetings, the executive team gathers to study the possible ramifications of these events and what can be done to prevent or mitigate their consequences. By doing so, management can estimate how sensitive the corporate strategy is to external events and concentrate on making it more robust. And, if any of these events were to occur, leaders can be sure to have mitigated its consequences beforehand, or at least have a pre-agreed action plan to quickly respond to the situation.
Risk comes in many ways and forms. First degree risks are known and can be avoided through robust processes, internal controls and auditing. Second degree risks come as part of the package the company accepts when choosing a strategy to pursue higher returns. Creating a risk indicator scorecard that contemplates the company’s strategy in a holistic way can help management identify strategic and operative risks in a systematic way. This scorecard may be complemented with a heat map that evaluates the risks’ probability and possible impact, and enables management to allocate resources accordingly. Last, but certainly not least, third degree risks are external and beyond the company’s control. While they are also the most difficult to predict, they have the potential of being the most devastating for the company. Tools such as scenario planning and risk assessment meetings can help leaders be alert to possible catastrophic events and develop contingency plans.
Corporate Governance and Risk Management
To date, in many organizations risk management is seen only as a requirement; something that is easily delegated to lower-level management risk professionals. However, if leaders intend to protect the value of the company, risk management should be incorporated into the roles and responsibilities of senior management and the Board of Directors.
It is important to consider that risk management requires leadership, especially in times of prosperity. Company executives and the Board of Directors should be able to identify, and have the courage to refuse, opportunities that, despite appearing to be very profitable, expose the company to excessive risk. At TRISSA we can help you establish the necessary mechanisms to closely monitor your company’s risk exposure and implement a system to ensure that it is managed along with the strategy.
Author: Trissa Strategy Consulting
Source: Kaplan, Robert S. "Risk Management and the Strategy Execution System." Balanced Scorecard Report, 2009: 1-6.