“If ‘ifs’ and ‘ands’ were pots and pans, the world would be a kitchen.”
For all of the enlightened academic material available from so many highly-qualified subject matter experts throughout the world of Risk Management, I thought I’d begin this segment with a piece of wisdom imparted to me over 30 years ago from my then-boss: US Army Command Sergeant Major Leo Manning.
“If only, if only…” There are many stories from our personal or business lives that begin with these words, and so many things that we would have done differently, looking back. Hindsight is always 20/20- it’s what we see in our rear-view mirror. It’s history.
We’ve all heard the famous quote from philosopher George Santayana- "Those who cannot remember the past are condemned to repeat it." Behind this declaration lies our rationale for the study of History, but it also builds a fundamental bridge to the science of Risk Management: using lessons from The Past to attempt to influence The Future.
And thus begins our (very brief) segment on the origins of Risk Management.
Let’s start with defining what “Risk” means. There are many definitions floating around, but I prefer the catch-all qualities of the Cambridge Dictionary’s interpretation:
· the possibility of something bad happening: “In this business, the risks and the rewards are high.”
· something bad that might happen: “His employers thought he was a security risk.”
In simple terms, then, “something bad happening” is key to the definition of Risk- while noting that this “something bad” lies in the future. Put simply: ‘Risk’ is the “bad thing” that can happen, and ‘Risk Management’ is our attempt to reduce the chances of “bad things” happening.
I’ll spare you the formal history on the origins of modern Risk Management because, if you’re like me, you may regard a history lesson in Risk Management a bit like you’d regard a history lesson in Dentistry. I don’t need the lesson to know what I want in a Dentist: I want to know that my Dentist is trained in the most modern methods of her craft; that she knows how to achieve the best outcomes, and that she will work conscientiously to spare me undue discomfort and cost- both now and in the future. The same principle applies in Risk Management- you don’t need a history lesson; you just need someone to help you manage your risks!
So let’s skim briefly across the “What” and “How” of Risk Management. What it attempts to achieve, and How the process unfolds.
What does Risk Management aspire to do? Regardless of industry or risk specialty, it is the following three things…
1. Determine the “bad things” that can happen (as related to your venture)
2. Assess the root causes of these “bad things” in order to try to prevent them from happening, and
3. Estimate the impact and likelihood of these “bad things” in order to assign probabilities, preventative measures, and responsive measures, to each.
Now let’s talk about the “How”. How does the process of managing risks actually work?
‘Risk Management’ sounds terribly technical to the practical-minded among us, and is viewed by many as a sort of ‘wizardry’. We think of high math and algorithms, and people in blue suits with lots of letters behind their names. And yes, it can be that. But in truth, at its core, Risk Management as applied to a business organization (formally known as ‘Enterprise Risk Management’, or ‘ERM’) is a very reasonable business discipline built on a foundation of basic Common Sense.
Enterprise Risk Management is a continual and ‘living’ process consisting of five basic steps, based on my experience as a corporate risk manager:
1. Define (or review) what you aim to achieve with your business or enterprise, and your strategy to achieve these aims
2. Understand what potential risks may hinder you on the road to meeting your objectives (this requires some serious out of the box thinking!)
3. Develop a framework to proactively manage your potential risks (this step often requires help of a subject matter expert)
4. Continually measure the effectiveness of your risk management framework (commitment is key)
5. Repeat. (on a regular basis; based on your risk profile)
Sounds easy, right? Let’s fly over the five steps to this process in five minutes or less!
The first crucial step is to define, or review, what you aim to achieve with your business. To the experienced executive this may sound self-evident and silly, but I would challenge you to take ten minutes to dust off the old business plan, and reflect on the reality between what’s written in it (e.g., your vision, mission, values, and strategy) and your current actions. Big corporations have scores of people that re-define their mission, strategy and objectives on a regular basis, but if you have your own company, maybe you haven’t done this in a while. Perhaps your objectives have changed? Perhaps you started your own business in a bid to be more independent, but now you find that you’re managing dozens of employees, or your objectives have turned to mergers and acquisitions, or expanding your business internationally, or keeping your business alive in the economic downturn. Maybe you’re even thinking of retiring and selling the business. You see where I’m going with this- it doesn’t hurt to take a few minutes and reflect on ‘why’ your enterprise exists in the first place, and ‘what’ you want to achieve with it.
Once you’ve re-confirmed your objectives, you can start to think of all of the ‘bad things’ that can get in the way of meeting those objectives. These are your ‘risks’. There are risks to delivering your sales targets, risks to the safety of your employees and assets, risks to financial stability, risks to the company’s reputation, risks of non-compliance with regulations, risk of counterparties not paying on time, and so on. You may also find that some of these risks run against one another. For example, if you run an oil refinery, you have a pre-established cash flow target on the one hand, and safety objectives that require costly investments on the other hand. They’re both important, but every dollar you spend ‘too much’ on safety puts your cash flow targets at risk. Understanding this relationship is critical- for reasons we’ll explore in subsequent sections.
Once you’ve identified your risks, the third step is to develop and structure a framework (aka ‘Risk Management Program’) for your company or your project. This is the part where you roll up your sleeves, gather your leadership team together, and ideally also leverage the expertise of subject matter experts in Risk Management (like AscentWorks).
A good starting point for ‘How’ you manage risks, once you’ve identified them, is to separate them into three basic categories:
1. The bad things you can PREVENT through actions you take
2. The bad things you cannot prevent, but that you can still PREPARE for somehow
3. The bad things that you ACCEPT (as a cost or risk of doing business)
All three categories require a different technical approach and assessment methodology, and this is where the ‘blue suits and algorithms’ come in, when you reach this point in your own ‘ERM’ journey.
You may have heard it said- “The best defense is a good offense.” So while some see Risk Management as a ‘defensive’ measure, I’d rather view it as having a good offense.
So far so good? We’ll jump feet-first into the practical bits over the next few sections…we’ll begin with “Preventable Risks” in the next piece- which will whisk us off to beautiful Paris, France.
- - -
Got Risk? Likely, I’d guess.
Got a Risk Manager? If you don’t, I hope your appetite has been whetted to find a great Risk Manager to partner with. But while you can ask your friends and family if they know of a good dentist, and get an honest answer, it’s unfortunately a bit harder to find a capable risk management partner for your company. That said, if you like what you hear on this website, I welcome you to give AscentWorks a call and we’ll be happy to provide a free consultation and listen to what’s on your mind.