Protecting your business

Risk2

Protecting your business  

Business is inherently risky.   And many of us thrive on risks associated with starting, running and growing a business; new staff, new customers and new products are all inherently risky and risks we openly seek and may indeed revel in. 

However, there are risks that we don’t seek, risks we need to plan for, and to positively avoid… and, to complicate matters further there are also what have been called. 

  • Acts of commission and
  • Acts of omission

 Acts of commission are about things we've done that perhaps we shouldn't have done, and acts of omission are about things that we have haven't done but perhaps we should have done. And usually, it's a hell of a lot easier to see, probe and prod acts of commission.  Each of which will of course have risks associated with them. 

In thinking about any risk, we are peeking into the unknown, we are trying to glimpse the future, it's obviously also impossible to eliminate all risk but entirely possible to significantly reduce most of it.  And in order to properly consider risk we really need to account for its three moving components: 

  • The probability of the risk occurring
  • The cost or impact of the risk materialising
  • And the ability to control the risk should it occur   

In our view, ambitious managers and leaders wanting to drive their businesses forward should obviously have a three-to-five-year business plan, an annual plan, and quarterly plans or 90 day sprints and these quarterly plans should be revisited, reviewed and revised monthly.  And as part of this monthly review sequence the risks to plans should be regularly re-assessed because when you think systematically about what could go wrong, you dramatically increase the chance of creating something that might actually go right!

 So, what’s the process?  

There are various stages to implementing a robust risk assessment process and we're going to use a six step process that includes a table showing; the risk probability, cost and control-ability of the risk and then once we have this information, we’re going to place each risk on a chart to view it. 

Step #1 – risk identification - aka “productive paranoia”  

The first step in the process is to brainstorm all of the things that possibly could go wrong.  

This is what we like to term “productive paranoia”.  You need to turn yourself into Doctor Doom for a few hours. (Hopefully not too long).  

This might be done as a formal brainstorming session with the top team or it might simply be done with your business partner and a pint in a pub; there is no right and wrong answer, it will largely depend on the size of your business, its complexity and the hostility of your external environment.  Essentially, you just need to come up with your list of risks. 

You want to concentrate on the big stuff, most of us are not nuclear power stations where we would actually need to think about, and plan for, the 0.0001% chance of a jumbo jet crashing into your facility. 

But it does make sense to think about: 

  • A rogue salesperson defecting with your client list
  • A complete telecoms or IT failure
  • Your weekly cash burn and how long you could survive with no payments
  • The loss of a major customer or indeed a critical supplier
  • Over reliance on a single member of staff
  • The list is long so includes any other business risk pertinent to your individual situation! 

When going through this process and thinking about the often hostile external environment it is useful to apply tools like PESTLE analysis and Porter analysis the results from which can feed into the opportunities and threats component of a SWOT analysis, where your internal strengths and weaknesses are also assessed.    

As part of this first stage, questions you might ask yourself include: 

  • What assumptions have we made about our plans and our risks that are simply wishful thinking?
  • Where are we being over optimistic?
  • How strong is our defence and what can we do to improve it?
  • Are there any second or third order consequences to our current plans and initiatives?
  • Where have we let greed and optimism infect our assumptions? 

Step #2 – chance of occurrence (probability assignment)  

Having identified the risks, take each one and simply apply the idea of a “best guess” about the chances of each one occurring.  Is absolutely NOT about being precise… it's about understanding the scale of the issue; an educated guess is what we're looking for.  It might also be, as you begin to assign numbers to particular risks, you go round the process a couple of times before you're happy the numbers are “there or thereabouts”. 

As a general rule, it's probably not useful to be interested in risks that have a less than 5% probability of occurrence.  As the saying goes “don't sweat the small stuff”.   

Depending on the size and complexity of your business, if you've done this properly a small company might have anywhere from half a dozen to a dozen risks, up to maybe 20 to 30 for larger more complex organisations. 

Step #3 – impact assessment  

For each of the risks we now need to estimate the impact of that risk should it materialise. 

There are various ways to do this, for instance, to assign a number between 1 to 10.  We like the numbered approach because it provides a greater level of granularity, but equally you could use High, Medium, Low or Red, Amber, Green.  Alternatively, you could you use money, say less than £500, £500 to £5k, £5k to £50k.  The method employed is really one of preference. 

However, to put things into a context, it might be useful to think about risk from an individual health perspective, taking the numbered approach: 

  • Low risk, let's say, from one to three is a bit like having a pebble in your shoe.  It's irritating not much fun but you can still pretty much function at full capacity
  • Medium risk, say 3 to 7 is a, bit like having a broken arm.  It's difficult to operate a keyboard, mouse or machine but you are still mobile and can function, you won't work nearly as efficiently, you’ll be in pain and you'll need to apply much greater effort, but you can still get stuff done. 
  • High risk is the game changer and scores 8 to 10. This incapacitation or even death. At the very least we are looking at recuperation and physio taking months.  If this risk materialises there is a catastrophic impact on the business.     

Step #4 – manageability assessment  

The final stage assesses the manageability or control-ability of the risks.  Again, there are various ways to do this, assign a number from 1 to 10, use High, Medium, Low or Red, Amber, Green.  And again, the method employed is really one of preference.  We're going to use numbers again. 

  • Controllable risks, say 1 to 3, are usually pretty rare simply because there's very little we can totally control especially if it’s a risk!  You can't totally control whether you get run over by the proverbial bus.  But you can control the fact that you look both ways when you cross the road and you’re not texting when you do so.    
  • Manageable risks, say 4 to 7, are those that you don't have complete control over, but you can influence or manage the probability of them occurring or indeed the costs associated with them.  You might not be able to determine when your invoices get paid, but you can send them out on time, you can have a robust credit chasing process and you can control when your suppliers get paid.
  • Uncontrollable risks, say 8-10, are things like interest rates, general economic growth rates, sector growth rates and your competition.     

Step #5 – overall assessment??  

The overall assessment of risk then is about managing both probability and impact and as per the hopefully amusing adjacent diagram. 

 Risk Impact2

 

 However, we need something slightly more constructive than an amusing diagram and we now have all the information we need to create a simple and effective pictorial assessment of your risks.  We now need a graph where along the bottom (X) axis will plot the degree of controllability of the risk and on the side (Y) axis we are going to plot the financial impact in pound notes. 

Each of the individual key risks will be represented by a circle, a small circle for the smaller risks and a big circle for the big risks. Let's look at an example. 

Example 

Suppose you identified the following risks as part of your assessment: 

  • A 95% chance that corporation tax was likely to increase from 19% to 25% within the next four years (as if!). 
  • A 70% risk that a large but indirect cash rich competitor is about to take over a small but direct competitor who is selling the business because the senior team is approaching retirement age.
  • A 60% chance that a critical member of staff wants to take early retirement in the next 2 years.
  • A 60% chance that the already long lead times from a key supplier will lengthen further.
  • A 70% chance that there will be a significant overrun to your latest (increasingly expensive) IT project (again…as if!)

 

Step #1

Risk

Step #2

Probability

Step #3

Cost £ or 1-10

Step #4

Controllable 1-10

  1. Tax increase

95%

4

10

  1. Concentration of competition

70%

7

10

  1. Critical staff member retirement

60%

5

7

  1. Supply chain problems

60%

5

5

  1. Project overrun

70%

7

7

 

We can now take the data from the above table and plotted on a chart which reveals the following:

 Picture1

 

 Step #6 - Managing risk  

One of the primary jobs of ambitious leaders is to manage risk on an ongoing basis. 

Its now time to break out the thinking caps.  Some will be easier to manage than others and you have more control over something than others, but now you have pictorial representation of your risk it becomes much easier to see and much easier to manage.  Risk management can be undertaken by:

 

  • Shrinking the circle - looking for ways in which probability of occurrence can be reduced

                                    The project overrun issue could be resolved by re allocating staff or getting in external resources                                         to bring it back on track.

  • Moving the circle down - by thinking about ways to mitigate the cost or impact of the risk should it occur.

                                    The supply chain problem could possibly be mitigated by investigating, vetting and bringing on                                           new suppliers.

  • Moving the circle left - by thinking about the different ways in which the risk can be managed and controlled.

                                    The staff retirement problem could be addressed with a combination of succession planning,                                              training and bringing in new people.

The above are just ideas, but hopefully you get the picture.  Your problems, and the associated solutions will obviously be different. 

Conclusion  

It has been said that progress is not always measured by the ground gained, progress can also be measured by losses avoided.  Managing risks is about employing “productive paranoia”, peeking into the future thinking about what could go wrong and then attempting to reduce the risk in order to improve your chances of longer-term success.

I suspect, if you were to stop and think about the losses you have endured in the past are likely to have arisen as a result of:

  • Excessively optimistic assumptions
  • Inadequate scepticism or
  • Failure to consider what could go wrong.

Developing and growing companies is clearly about going on the offensive, more marketing, more sales, more customers.  Managing risk is about playing defence.  Regardless of your chosen sport there are not many that are entirely focused on the offensive, in business, as in sport, you need a complementary blend of offensive and defensive strategies.  

 


Related tools and ideas

Recommended references

Downloadable resources

  • None

 To find out how Statius can help you deliver:

• Better strategies
• Better systems
• Better measurement and 
• Engaged people delivering 
• Better results

Call us now on 0208 460 3345 or email sales@statius.co.uk

Our Clients Love Us

format_quote

The Easy Choice

“From the initial interview stage, through to a final selection process, it became an easy choice with Statius management being appointed as consultants for SERAPID ISO certification. Clint was integral to us achieving certification and made the whole process relaxed with a very professional approach!”
format_quote

Simply ISO9001

“Statius took time to understand us, then they made ISO9001 very simple whereas other consultants had made it impossibly complicated”
format_quote

Mindset management

“This (assignment) has confirmed some things I knew, and that was useful; some things I didn’t and that too was useful. However, most importantly, I guess we all felt a bit uncomfortable at times but now we have a real and robust improvement plan to go forward with.”
format_quote

Mindset management

“The (performance improvement) work you have undertaken has providing a real opportunity for us to break out of our mindset… I’m just afraid it will stop!”
format_quote

Streamline and simplify

“I have to say from a personal viewpoint, since you came on board you have helped streamline and simplify our systems brilliantly, and continue to do so, which makes my job much more straight forward, and I thank you very much for all your efforts...”
format_quote

Securing new business

“Without the help of Statius and the systems and processes developed we would not have secured £27m of framework agreements and term contracts.”
format_quote

Changing thinking

“Statius challenged and changed our thinking, without them we would never have changed the business model and we’d be far less prepared for sale.”
format_quote

Integrated management

“Statius’s hands on approach and genuine interest in the development of the Integrated Management System meant that we successfully achieved ISO 14001 certification (at the first attempt) and we shall rely on their future support as we develop our systems.”