Risk is a part of business, but if managed, doesn’t need to keep you awake at night
By Ed Marchak
As a business leader, one of your key responsibilities is identifying, assessing, and mitigating risks. Climate change and its impacts are a risk to businesses around the world, and you need to ensure you can manage or treat the risks to reduce them to acceptable levels that will allow your operations and activities to continue.
Risk can be defined as the possibility of suffering harm, loss, injury, or danger. It’s impossible to completely eliminate all risk, but most can be managed or reduced to acceptable levels through proper assessment and planning.
Types of risk
There are commonly five categories of risks that can be identified for your business. Examples of each are included below:
– Safety and security
- Property crime – burglary or theft of office equipment, materials, or finished product
- Illness and injury – COVID-19 or a natural disaster
- Vandalism – broken windows, graffiti, or damaged vehicles, equipment, or product
- Harassment – unwanted or annoying words (e.g., racial slurs or offensive jokes) or actions (e.g., unwanted advances), including threats and demands
- Fraud – creating fake invoices
- Theft – taking supplies or equipment from the facility or customer’s site
- Diversion of funds – using funds from a project account to pay for non-project purchases
- Financial mismanagement – not paying your bills or writing organizational cheques to yourself
- Contractual – Violation of the terms and conditions of contracts
- Litigation – the risk of being sued by an employee (e.g., for discrimination or workplace harassment) or a customer (e.g. product liability)
- Workplace health and safety – non-compliance OH&S standards)
- Environmental impact – improper disposal of toxic or harmful materials
- Process risks – not adhering to machinery maintenance requirements
- Denial of service attacks – your IT system is locked down until you pay a “ransom”
- System intrusion – unauthorized access to your IT system
- Data breaches – unauthorized access to confidential data, like personnel files, contract details, or customer information
- Compromise of sensitive business or personal data – like credit card numbers or bank account details
With the possible exception of digital risk, environmental- or climate-related risk can be a part of the other four categories.
This can appear as a lack of compliance with environmental standards or employees working in increasingly hazardous environments, which can lead to legal risks for the company and its officers and significant financial risk.
Many risk management efforts involve a mix of the following treatment methods:
- Avoid the risk by modifying operations or eliminating certain activities or locations altogether
- Mitigate the risk through plans, procedures, and resources to lower the chance it will occur or reduce the impact if it does occur
- Transfer or share the risk with another organization by using contract indemnification language or through risk financing (insurance)
- Accept the risk, typically after some level of mitigation or other treatment has occurred
The first step in effective risk management is risk identification. Consider these key questions to help identify potential risks:
- Who could be harmed? This could include staff, customers, community members or other businesses.
- What might be the impact? Determine the impact on those immediately involved and how it will impact the ability to continue your business operations.
- How might the risk occur? Some risks are immediately apparent, while others may be discovered after the initial occurrence.
An effective way to assess risks and plan mitigation measures is to use a risk treatment table, shown above.
To complete the Risk Treatment Table, ask and answer the following questions:
- What is the potential risk? Describe the risk clearly as a source of potential harm.
- Who (or what) is impacted if this risk occurs (staff, customers, organizations, individuals)?
- Determine the risk rating. This rating is based on the combination of two factors:
- What is the likelihood the risk could occur?
- What is the impact if the risk should occur?
- What are measures or actions to prevent or mitigate the risk?
- What is the revised rating of the risk if the mitigation measures are taken?
There are five descriptions you can use to assess the likelihood of a risk occurring:
- Almost Certain – the risk occurs often or on a regular basis
- Likely – the risk occurs periodically with reoccurrence
- Possible – the risk has occurred but not often or without reoccurrence
- Unlikely – the risk has not yet occurred or may only occur under extraordinary circumstances
- Rare – the risk could conceivably occur based on a change in conditions
There are five descriptions we can use to assess the impact of the risk:
- Severe – the potential impact (financial, legal, or environmental) on the organization is extremely high
- Major – the potential impact on the organization is significant
- Moderate – the potential impact on the organization is high
- Minor – the potential impact on the organization is modest
- Insignificant – the potential impact on the organization is low
Once you have determined the risk rating (or risk level), you can assess the acceptability of the risk and recommended actions to mitigate the risk.
- Low Risk is considered ‘Acceptable.’ Based on this, no additional risk mitigation may be necessary.
- Medium Risk is considered ‘Tolerable.’ Based on this, interim risk mitigation measures may be implemented while long-term measures are being established.
- High Risk is considered ‘Not acceptable’ or ‘Tolerated,’ but only under specific conditions. Based on this, focus on reducing the high-risk level to at least a medium risk level before proceeding.
In many cases the risks can be mitigated through plans, procedures, and resources. Mitigation modifies the risk by lowering the likelihood that the risk will occur and/or reducing the impact or consequence if it does occur.
Consider these questions when exploring effective mitigation measures:
- Are the resources in place and/or available to mitigate the risk?
- Does the mitigation measure substantially impact the ability to conduct your work?
- Are staff trained to make the mitigation measure effective?
Consider these key questions to help determine mitigation measures:
- Is there time to implement the measure?
- Does the mitigation measure introduce additional risk?
Once mitigation measures are determined, reassess the risk rating to evaluate how the likelihood of occurrence or impact has been reduced.
Managing risk is about:
- Identifying the risk
- Identifying who is impacted if the risk occurs
- Determining the risk rating
- Determining mitigation measures
- Reassessing the risk rating
- Implementing mitigation strategies
Following these steps will allow you to proactively manage potential risks, rather than reacting to them if or when they occur.
Ed Marchak is an Edmonton-based independent management consultant who has been working with and advising clients for over 35 years. Ed works with both public and private sector clients in strategic planning, operational effectiveness, performance measurement and evaluation, and project management. Ed holds a Lean Six Sigma Green Belt and has worked with manufacturers large and small on productivity improvement and technology implementation.