METHODS FOR IDENTIFYING RISKS

In this chapter we consider:

 Why should we bother thinking about risk to our business?

 The benefit of effective business risk management
 What do we mean by risk?
 Some of the risks that our business might face.
 Balancing opportunities and threats.
 Some possible uses for risk management.
 A simple but effective risk management process.

INTRODUCTION

Risk is unavoidable. Like the proverbial death and taxes, it’s one of the few things in life that’s
inevitable. All businesses, whatever their size and shape, whatever markets they operate in, and
whatever products or services they provide, are constantly faced with a multitude of risks, large and
small. Indeed, businesses can only prosper by successful risk-taking.

In our businesses we need to strike the correct balance between risk and potential reward; to
maximize our upside risk and minimize our downside risk. To succeed we need to manage risk
appropriately, not to try to eliminate or avoid it, as, in any case, that simply isn’t possible. It’s
therefore essential that we understand the major risks to our business operations to enable us to
manage them to our advantage.

Some risks are so minor as to be insignificant, whereas others have the potential to seriously
affect our business’s continued well-being. So it’s important to understand the likelihood and the
potential consequences of our particular risks, and to take sensible, cost-effective mitigation
measures for the more significant ones.

This module will help you to do just that; leading you through the process in a straightforward,
no-nonsense way.

It will help you to identify and manage your risks in several areas, such as strategy, day-to-day
business operations, financial control, capitalizing on potential business opportunities, launching
new products or services, expanding or changing the shape of your business, and managing projects,
to name just a few.

It will guide you through the various stages of assessing and mitigating your risks without
blinding you with pseudoscience, techno-speak, or jargon.

It will provide you - the business owner, director, departmental manager, or project manager,
who presumably doesn’t have the time or inclination to be a full-time risk manager - with a simple,
 straightforward, and effective risk management system. One that deals with the basics and avoids
some of the complexity and non-essential ‘padding’ that comes with many risk management
systems.

The result is a very simple, but above all usable, process that can be applied to the real world
that the vast majority of business managers inhabit.

THE BENEFITS OF EFFECTIVE RISK MANAGEMENT

“ WHILE ‘RISK’ IS COMMONLY REGARDED AS NEGATIVE, RISK

MANAGEMENT IS AS MUCH ABOUT EXPLOITING POTENTIAL
OPPORTUNITIES AS PREVENTING POTENTIAL PROBLEMS’’
BS31100:2008 RISK MANAGEMENT CODE OF PRACTICE, BRISTISH STANDARD INSTITUTION

There are many benefits to managing our risks effectively, including :

• Informed decision making
• A more resilient business
• Increased likelihood of successful risk taking (capitalising on opportunities)
• Protection of revenue, profits or market share
• Protection of reputation/goodwill
• Improved product or service quality and reliability
• Protection of valuable assets
• Increased likelihood of achieving strategic goals or objectives
• Reduced costs and/or increased profits
• Less failures and downtime
• Competitive advantage
• Fewer nasty surprises

Many risks are seen as having purely negative consequences and for this reason it’s not
uncommon for those involved in risk management to take a pessimistic view of risk. But we
shouldn’t forget that many risks also have positive consequences. Effective risk management
can help us to reduce the negative and increase the positive consequences of risk, thus helping
our business to grow and flourish.

Risk management has a part to play in your decision making, whether it’s with regard to
business start-up, strategy, exploiting opportunities, managing your various projects or in your
day-to-day business operations.

Risk management can help you to justify your decisions - to your management team, your
employees, your business partners, investors, creditors or customers. And it should mean that
you go into things with your eyes open; that you make informed decisions rather than just
acting on gut feel or on a hunch.
 There are many benefits to managing our risks effectively.
Effective risk management can help us to reduce the negative and
increase the positive consequences of risk and to make informed
What is a risk? decisions.

‘’WHATEVER CAN GO WRONG WILL GO WRONG’’

MURPHY’S LAW

Look in any dictionary and you’ll find a definition of risk. Here’s one :

risk n the possibility of incurring misfortune or loss; hazard at risk vulnerable

What we’re really talking about is a potential future problem - or, indeed, opportunity - or the
potential future effect of a decision or an action that we take now. And every decision we make or
action we take contains some element of risk.

Risk is essentially a potential future problem (or opportunity). Every

decision we make or action we take contains some elements of risks.

Risks come about when the vulnerabilities in our systems, processes, facilities or resources are
exploited by threats. Examples might include the burglar or hacker who exploits the vulnerabilities
in our physical or IT security system, a fire that starts due to an electrical fault and spreads because
of weaknesses in our fire detection and suppression systems, errors made by inexperienced or
insufficiently trained staff, or a whole host of other things.

The following are examples, in no particular order, of some of the possible risks to businesses.
It’s by no means a definitive or exhaustive list - rather it’s intended to give a flavor of the types of
risks that businesses may face. We only have to read or watch the news or think of our own
experiences to realize that, unfortunately, these events do happen - in some cases all too
frequently.
 Risks can arise as a result of our own business’s activities or as a result of external factors such
as legislation, market forces, interest or exchange rate fluctuations, the activities of others or even
the weather. They can be a product of the business environment, the natural environment, the
political or economic climate or of human inadequacies, failings or errors.

The bottom line is that risk may impact on our ability to meet our business objectives or even
threaten the business itself.

Risk can arise as a result of our business’s activities or as a

result of external factors

IT’S NEVER HAPPENED/WILL NEVER HAPPEN TO US

We might be tempted to think that risks like those listed on the previous page will never happen
to us, particularly if we’re one of the fortunate few who have never experienced anything particularly
bad or disruptive in our business. We may feel that the likelihood of us suffering from events like these
is just too low to worry about; that the odds are stacked in our favor.

It’s an interesting thought, though, that many of us who take the ‘it’ll never happen to us’
approach to risk in this context, where the odds might be hundreds or thousands to one, will
nevertheless gamble on the national lottery, where, despite the fact that the odds of winning, at many
millions to one, are stacked massively against us, we consider it a gamble worth taking.

Unfortunately, the past isn’t necessarily that useful or reliable in helping us to predict the
future. Just because a particular risk hasn’t yet come to fruition doesn’t necessarily mean that the risk
isn’t there. And on the other hand it doesn’t mean that it’s imminent.

The thing about unexpected events is that, by definition, they’re unexpected. The reality is that
only we, as business managers, can decide whether a particular risk is acceptable to our business.

Sadly, things do go horribly wrong from time to time. And the reality is that bad things don’t just
happen to other people. History is littered with the casualties (large and small businesses alike) of events
that they thought couldn’t possibly happen to them.

In reality, almost every business is likely to suffer some sort of disruptive or damaging event or
situation during its lifetime. And whilst the consequences of many of these events will, though painful,
be manageable or at least survivable, for the unlucky or unprepared some of them will have the
potential to seriously damage the business. These more serious events will range from the headline
grabbing fires, floods and explosions, through product and environmental contamination, fraud and
theft, to the less news-worthy but equally debilitating power or technology failures and supply chain or
cash flow problems.

Almost every business is likely to suffer some sort of disruptive or damaging

event or situation during its lifetime.
 Some of the risks in the list in paragraph 1.3 are largely beyond our control, because they are
due to external forces, such as nature or changes to the political or economic environment. Whilst that
may be true, it’s interesting to note that many of the risks listed are down to the actions of people, with
very few ‘natural’ events and relatively few external influences over which we have absolutely no
control. It’s a sad fact that when we introduce people into the equation things often go wrong. Because,
people being people, they sometimes do unexpected, dangerous or even stupid things; they don’t
follow processes; they cut corners; they make mistakes.

However, in many ways this is good news. Clearly we normally have little or no influence over
natural events, the political or economic climate or the legal or regulatory environment and can only
really take steps to mitigate their effects (for instance we can’t prevent severe weather from happening,
although we can choose not to locate our business premises in a flood plain). However, in many cases, it
is possible to do something to prevent or reduce the likelihood of manmade risks occurring in the first
place.

Investing some time and effort in managing our risks is a worthwhile investment and makes
good business sense. Ultimately, effective risk management could be the difference between the
survival and failure of the business.

ME, A RISK MANAGER?

The good news is that every one of us is an intuitive risk manager!

Being in business may be risky, but life is a risky business and we’re constantly faced with
countless risks that we have to assess and make decisions about. Most of the time we don’t even realise
we’re doing it - we just do it naturally. Which is just as well really, as if we had to stop and think about it
we’d spend all of our time assessing risks and never actually get anything done

For instance, every time we cross the road or drive our cars or play sport, or carry out many
other day-to-day activities, we have to assess and manage risks, identifying and assessing the threats
that we face and working out appropriate mitigation measures. But we do this almost subconsciously.

So, if we’re all risk managers already, what’s the point of this book? Well, the difference is that
here we’re more concerned with assessing and mitigating business risks. The process is pretty much the
same as for our intuitive method, it’s just that we probably have a bit more time to think about things.
And in business we really need a slightly more structured system than the instinctive approach, to
enable us to identify and quantify our risks a bit better before we make our decisions.

When we evaluate risks to our business we need to have a clear and reasoned method of doing
so. We may have to justify our thinking to others. We may need to persuade others to do something as a
result. Perhaps more importantly, the potential downside if we get it wrong may be extremely serious -
for ourselves, for our employees, for our customers, or for our business as a whole.

THE BALANCED VIEW

 Almost every business opportunity has a potential downside. But some of the risks that we take
also have a potential upside – that’s why we take them. Indeed, a business may consciously decide, as
part of its strategy, to take a high level of risk because of the potential rewards.

We need to balance the opportunities (to make a profit, grow the business, move into new
markets, launch new products and services, etc) against the potential downside (such as over
commitment, the impact of interest or exchange rate fluctuations, inability to sell our wonderful product
or service, inability to pay our staff, and so on).

It’s not possible to create a completely risk-free environment. But what we can do is manage
risk more effectively. We can identify risks, quantify them, and once we understand what we’re up
against we can make informed, considered decisions regarding what (if anything) to do about them.

RISK MANAGEMENT HAS ITS USES

Risk management has many uses. It can be used to:

 Ensure the safety and well-being of employees, visitors, customers, etc

 Make your business more resilient
 Support your decision-making process
 Increase the likelihood of successfully exploiting opportunities
 Perform ‘‘what if’’ assessments
 Ensure legal or regulatory compliance
 Protect your cash flow
 Increase the likelihood of success in your projects
 Support requests for action or expenditure
 Improve the strategic and day-to-day management of your business
 Improve operational processes and reduce failures and problems

THE RISK MANAGEMENT PROCESS

The risk management process described in this section is simple but effective. More to the point,
it has been proven to work in businesses of all types and sizes. There are five very straightforward stages
to the suggested process, which are shown in the following diagram, outlined below:
Stage 1 : Before we can take any meaningful action to address our risks we need to know what we’re up
against. So we need to identify the risks that we face.

Stage 2 : Once we’ve identified our risks we need to quantify them. Because the risks that we’re really
interested in are those we consider to be significant enough to do something about. So we need a way
to sort the wheat from the chaff. We do this by assessing the likelihood of the risk occurring and the
impact if it does.

Stage 3 : Once we know which risks are the most serious we can start to deal with them, by identifying
and implementing possible countermeasures or mitigation measures - methods of removing, reducing,
controlling or recovering from adverse events.

Stage 4 : Having determined which countermeasures we feel are sensible and cost-effective and decided
which ones we want to invest in, we can go ahead and implement them.

Stage 5 : To complete the process we must monitor the effectiveness, or otherwise, of the controls we
put in place.