Monday, March 26, 2018

Risk Management Strategy


Congratulations!  You have successfully navigated the process of identifying your risk appetite and tolerance; you have identified the potential risk that can have an impact on your business, and you have analyzed and prioritized these risks. 

Now what?  Do you:
  • Avoid the risk?
  • Accept the risk?
  • Mitigate the risk?
  • Transfer the risk?

But before we get into the post, I want to give you a little explanation about the photograph I chose.  It is a picture of the board game Risk.  Probably my most favorite board game growing up.  I would analyze and rank the different scenarios to my conquering the world and would plan my different strategies for success.   I loved it and was excited about this week so I could use this photo. 

OK, on to the task at hand, in this post we will review each of the strategies mentioned above and weigh the benefits.  How do you determine which is the right course?  The right course will depend on your risk appetite, your analysis and prioritization of the risk you have identified.  You will use these tools to determine your risk management strategy.

All too often, we see one or more of the following methods used as a risk management strategy:

  • Pretend the risk does not exist.
  • Pray the risk will sort itself out so you will not have to deal with it.
  • Acknowledge the risk, but deny that it will have any impact on operations.

These approaches are not risk management or good strategies.  First, acting as if a risk does not exist is not a realistic approach; it only forces you to deal with the risk once it becomes a crisis.  Second, I cannot recall a situation where a risk has sorted itself out.  And finally, in my experience, though you can control the impact the risk will have, I have not come across a situation where simply denying that a risk will impact operations has been a successful strategy.

The following methods are risk management strategies for addressing risk:

Risk Avoidance

The first strategy is to avoid the risk altogether.  The benefit is that by doing so your business is not exposed.  The downside is that by avoiding the risk, you may not achieve the goal or accomplishment it is associated with.  For example, you might not gain the profits associated with the business venture you choose to avoid.  When considering risk avoidance as a strategy, you need to really understand the full impact of the decision.  Usually, this approach is considered for a risk that has a low impact on operations or if the organization’s goals can still be achieved without confronting the risk.

Risk Acceptance

By accepting the risk, you determine that the risk will not have a significant impact to operations, the benefit of the goal is greater than the risk, or the risk is infrequent enough that it is worth the gamble to accept it in order to achieve the goal.

Risk Mitigation

Even though you have made the decision to accept the risk where a program or activity has a high-risk impact,  there are steps or actions that you can take to reduce the exposure or to mitigate the possible financial risk or impact to operations.  You’ll want to explore detective and preventative actions before you introduce the activity on a larger scale.

  • Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur.
  • Preventative action involves aiming to prevent a situation from happening. It includes activities such as health and safety training and firewall protection on corporate servers.

Risk Transfer

The last strategy is to transfer identified risk to another party.  The two main mechanisms for this approach include:

  • Contractual risk transfer (transfer the risk to another party through a contract).  With this method, we can transfer the liability for damages caused by a subcontractor’s work, or by the goods and services purchased from a vendor.
  • Risk financing. This is otherwise known as insurance.  By purchasing an insurance policy, we are effectively transferring our risk to an insurance company.  They, in turn, accept the risk for a price.

With any strategy or combination of strategies, you must continuously monitor your strategies, measure their effectiveness, and adjust as necessary.  During the 1990s, I attended several workshops by a scholar and management consultant by the name of Dr. W. Edwards Deming (https://en.wikipedia.org/wiki/W._Edwards_Deming).  His teachings in continuous process improvement resonated, and I began to apply them regularly.  Plan-Do-Check-Act is a four-stage approach for continually improving processes, and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing any changes to the process to continue toward the goal.

The four phases are:
  • Plan: identify and analyze the problem and decide a strategy (or combination of strategies) to implement.
  • Do: test the potential solution, ideally on a small scale, and measure the results.
  • Check/Study: study the result, measure effectiveness, and decide whether the strategy is effective or not.
  • Act: if the strategy is successful, implement it.  Continue to monitor the performance for any changes.

Risk management strategies are like any other business strategy and involve monitoring key performance indicators and adjusting the strategy as necessary to ensure the greatest success. 

We now have the basic tools for developing and implementing a more formalized risk management process which can be as simple or complex as you have the time to manage.  As I said in an earlier post, you are probably doing some of these activities already but perhaps now you can better see your activities as part of an overall risk management strategy for your firm where you can embrace risk and use it to your advantage.

Until next time, stay safe and be kind to one another.

Monday, March 19, 2018

Risk Analysis


In a previous post, we discussed Risk Identification.  We discussed seven areas in an operation where foreseeable risk can exist, and we outlined four methodologies that can be used to identify foreseeable risk.  Next, we need to determine the probability that each risk event will occur and a measurement of the impact the event will have on operations.

In this post, we will look at:
  • the probability of an event occurring.
  • the measured impact the event could have on operations.
  • an assessment to determine if the level of risk is acceptable based on appetite and tolerance.
  • finally, prioritization based on the level of impact to operations.

Probability

Oh no, here comes that nervous twitch and the flashbacks to college statistics!  Not to worry, we are not about to start calculating the standard deviation from the mean of anything.

For the purposes of this post, we are going to define probability as the likelihood that an event will occur. In its basic form, probability assumes that all possibilities must be equally likely to occur. Since we know this is not likely, we factor in a frequency variable which means that over time, a risk event has the likelihood of occurring x number of times (where x is the frequency of the event).  This is based on the collection of historic data and experience and is not an absolute. Although you cannot know the exact value of a probability, you can estimate it by observing how often similar events have occurred in the past. A common example that uses frequency interpretation is weather forecasting. If the forecast calls for a 60 percent chance of rain, it means that under the same weather conditions, it will rain in 60 percent of cases. This approach can be difficult and requires some individual judgment and credible historic data.

If credible historic data is not available, we can determine probability through subjective interpretation.  This approach is often used in situations where there is very little direct evidence. There may only be indirect information, educated guesses, or intuition, to consider. The probability of an event occurring is based on what an individual believes about the likelihood of occurrence. Different people assess probabilities differently, based on opinion or evaluation. One disadvantage of this approach is that it is often hard for people to estimate the probability, and the same person can end up estimating different probabilities for the same event using different techniques.  If this occurs, review the steps in each of the techniques and try to determine what caused the differences.  If you are unable to, in my opinion, take an average of the probabilities and use that.

Measured Impact

After determining the probability of a risk event, we need to assign a value to the impact this will have on operations.  Knowing the probability of the event occurring, we multiply this by the amount it will cost operations if it happens.  With historical data, the probability and cost projections are easier to determine. Without historical information, the estimates must be based on experience.

This gives you a value for the risk:

Risk Value = Probability of Event x Cost of Event

As a simple example, imagine that you've identified a risk that when the water in a nearby retention pond rises to five feet, the basement of your business floods.
You think that there's an 80 percent chance of this happening because it has been an unusually wet winter and in past winters with similar amounts of rain and snow, you have experienced the flooding nearly every time. If this happens, it will cost your business an extra $25,000 in clean-up costs and lost income.
So the risk value of the flooded basement is:
0.80 (Probability of Event) x $25,000 (Cost of Event) = $20,000 (Risk Value)

Applying this analysis to each event allows you to rank the risk based on a value.  If the value data is not available, another option is to use an impact/probability chart. 

A risk probability/impact chart is a tool I have used often as it is a quick and easy way to visually plot the probability of an event occurring and the impact that event will have on operations.  This chart is most useful when subjectively determining the probability and impact of risk. 




To most effectively use this chart:
  1. Assess the probability of each risk occurring and assign it a rating from 1-10. Assign a score of 1 when a risk is extremely unlikely to occur and use a score of 10 when the risk is extremely likely to occur. In the example above, there is an 80% probability of flooding occurring, therefore you would assign a value of 8 to the risk.
  2. Estimate the impact of the risk occurring. Again, using a 1-10 scale, assign it a 1 for little impact and a 10 for a huge, catastrophic impact. In the above case maybe a flooded basement is a nuisance, but it does not significantly impact operations, so you assign it a “5”.
  3. Map out the ratings on the Risk Impact/Probability Chart.
  4. Develop a response to each risk, according to its position in the chart. Remember, risks in the bottom left corner can often be ignored, while you will want to focus your attention on the risks in the upper right quadrant.

Assessment of the risk

Recalling the post about Risk Appetite and tolerance, we now evaluate the identified risk as falling inside or outside of tolerance based on your risk appetite statement.  This will allow you to determine a target risk value or, on the Risk Impact/Probability chart, a point above which you will review and rank the risk.

Using the flooded basement example again, assume your company’s risk tolerance statement was something to the effect of “XYZ Company cannot afford the cost associated with a single flooded basement event.”  Since you estimated an 80% probability of a flood event occurring based on the weather patterns this winter, this would rank pretty high for risk to review.
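
As an added example (not part of the original post), the following Python code applies the Risk Value formula, the 1-10 chart ratings, and a target risk value to a small risk register. The flooded basement figures come from the post; the other two entries, the $10,000 target, and the rule that a rating of 6 or more counts as "high" are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float  # likelihood of the event, 0.0 to 1.0
    cost: float         # cost to operations if the event happens, in dollars
    impact: int         # subjective impact rating, 1 (little) to 10 (catastrophic)

    @property
    def risk_value(self) -> float:
        # Risk Value = Probability of Event x Cost of Event
        return self.probability * self.cost

    @property
    def probability_rating(self) -> int:
        # Chart step 1: express the likelihood on the 1-10 scale (80% -> 8).
        return max(1, min(10, round(self.probability * 10)))

def quadrant(risk: Risk, high_from: int = 6) -> str:
    # Assumption: a rating of 6 or more counts as "high" on either axis.
    p = "high" if risk.probability_rating >= high_from else "low"
    i = "high" if risk.impact >= high_from else "low"
    return f"{p} probability / {i} impact"

def review_list(risks, target_value: float):
    # Keep the risks whose value exceeds the target, largest value first.
    flagged = [r for r in risks if r.risk_value > target_value]
    return sorted(flagged, key=lambda r: r.risk_value, reverse=True)

# The flooded basement figures come from the post; the other two entries
# and the $10,000 target are constructed for illustration.
REGISTER = [
    Risk("Supplier delay (constructed)", 0.10, 5_000, 2),
    Risk("Flooded basement", 0.80, 25_000, 5),
    Risk("Key equipment failure (constructed)", 0.30, 40_000, 8),
]
TARGET_VALUE = 10_000

if __name__ == "__main__":
    for r in review_list(REGISTER, TARGET_VALUE):
        print(f"{r.name}: ${r.risk_value:,.0f}, {quadrant(r)}")
```
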

Prioritization of risk

Finally, you will want to prioritize the list.  This can be done based on the importance of the risk to operations, or (if you can determine at this point) you can prioritize the list based on the amount of resources it will take to manage risk.  In either event, this allows you to break down the list into manageable pieces.  This will also help to determine a strategy for how you will manage each of the risks. Here is an example of three risks identified by XYZ Company:
  1. There is a proposal from an engineer that says in order to solve for the flooded basement, you need to enlarge the retention pond and redirect the run-off.  The cost of this project is $60,000 but will potentially save $20,000+ if there is a wet winter. Additionally, the flooded basement impacts production as some of the production equipment has to be shut down every time the basement floods to protect the equipment.
  2. You have a proposal from a web-design firm to expand and enhance your online presence.  The cost of the project is $25,000. This new design will not only allow you to interact with customers through a customer service portal and social media, you will now have the ability for online retail sales.  This webpage can really broaden your market presence and potentially boost sales and revenue significantly.  You will need to hire a full-time employee to manage the webpage, and if sales go as projected, you will need to expand your production and shipping capabilities.
  3. The equipment used in your production process is getting old and showing signs of wear.  You have a proposal to update your equipment. It is a two-year upgrade process that will allow you to continue current production pace, but there is no room for increased production until after the updates are completed. The cost of the upgrades is $40,000 each year for a total of $80,000. 

So here are three risk scenarios.  How would you prioritize them?

While we can't avoid risk altogether, there are often steps we can take to better cope with risk.  Risk analysis helps us determine the right steps to take, in the right order. 

Until next time, stay safe and be kind to one another.