Risk Management Strategy

Congratulations!  You have successfully navigated the process of identifying your risk appetite and tolerance; you have identified the potential risk that can have an impact on your business, and you have analyzed and prioritized these risks. 

Now what?  Do you:

• Avoid the risk?
• Accept the risk?
• Mitigate the risk?
• Transfer the risk?

But before we get into the post, I want to give you a little explanation about the photograph I chose.  It is a picture of the board game Risk.  Probably my most favorite board game growing up.  I would analyze and rank the different scenarios to my conquering the world and would plan my different strategies for success.   I loved it and was excited about this week so I could use this photo. 

OK, on to the task at hand, in this post we will review each of the strategies mentioned above and weigh the benefits.  How do you determine which is the right course?  The right course will depend on your risk appetite, your analysis and prioritization of the risk you have identified.  You will use these tools to determine your risk management strategy.

All too often, we see one or more of the following methods used as a risk management strategy:

• Pretend the risk does not exist.
• Pray the risk will sort itself out so you will not have to deal with it.
• Acknowledge the risk, but deny that it will have any impact on operations. 

These approaches are not risk management or good strategies.  In the first case, if a risk is not acknowledged, acting as if the risk does not exist is not a realistic approach, and only forces one to deal with the risk once it becomes a crisis.  Second, I cannot recall a situation where a risk has sorted itself out.  And finally, in my experience, though you can control the impact the risk will have, I have not come across a situation where simply denying that a risk will impact operations has been a successful strategy.

The following methods are risk management strategies for addressing risk:

Risk Avoidance

The first strategy is to avoid the risk altogether.  The benefit is by doing so your business is not exposed.  The downside is that by avoiding, you may not achieve the goal or accomplishment this potential risk is associated with.  For example, you might not gain the profits associated with the business venture you choose to avoid.  When considering risk avoidance as a strategy, you need to really understand the full impact of the decision.  Usually, this approach is considered for a risk that has a low impact on operations or if the organization’s goals can still be achieved without confronting the risk.   

Risk Acceptance

By accepting the risk, you determine that the risk will not have a significant impact to operations, the benefit of the goal is greater than the risk, or the risk is infrequent enough that it is worth the gamble to accept it in order to achieve the goal.

Risk Mitigation

Even though you have made the decision to accept the risk where a program or activity has a high-risk impact,  there are steps or actions that you can take to reduce the exposure or to mitigate the possible financial risk or impact to operations.  You’ll want to explore detective and preventative actions before you introduce the activity on a larger scale.

• Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur.
• Preventative action involves aiming to prevent a situation from happening. It includes activities such as health and safety training and firewall protection on corporate servers.

Risk Transfer

The last strategy is to transfer identified risk to another party.  The two main mechanisms for this approach include:

• Contractual risk transfer (transfer the risk to another party through a contract).  With this method, we can transfer the liability for damages caused by a subcontractor’s work, or by the goods and services purchased from a vendor.
• Risk financing. This is otherwise known as insurance.  By purchasing an insurance policy, we are effectively transferring our risk to an insurance company.  They, in turn, accept the risk for a price.

With any strategy or combination of strategies, you must continuously monitor your strategies, measure their effectiveness, and adjust as necessary.  During the 1990s, I attended several workshops by a scholar and management consultant by the name of Dr. Edward Deming (https://en.wikipedia.org/wiki/W._Edwards_Deming)  his teachings in continuous process improvement resonated and I began to apply them regularly.  Plan-Do-Check-Act is a four-stage approach for continually improving processes, and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing any changes to the process to continue toward the goal.

The four phases are:

Plan: identify and analyze the problem and decide a strategy (or combination of strategies) to implement.

Do: test the potential solution, ideally on a small scale, and measure the results.

Check/Study: study the result, measure effectiveness, and decide whether the strategy is effective or not.

Act: if the strategy is successful, implement it.  Continue to monitor the performance for any changes.

Risk management strategies are like any other business strategy and involve monitoring key performance indicators and adjusting the strategy as necessary to ensure the greatest success. 

We now have the basic tools for developing and implementing a more formalized risk management process which can be as simple or complex as you have the time to manage.  As I said in an earlier post, you are probably doing some of these activities already but perhaps now you can better see your activities as part of an overall risk management strategy for your firm where you can embrace risk and use it to your advantage.

Until next time, stay safe and be kind to one another.