Business is inherently risky. And many of us thrive on risks associated with starting, running and growing a business; new staff, new customers and new products are all inherently risky and risks we openly seek and may indeed revel in.
However, there are risks that we don’t seek, risks we need to plan for, and to positively avoid… and, to complicate matters further there are also what have been called.
- Acts of commission and
- Acts of omission
Acts of commission are about things we’ve done that perhaps we shouldn’t have done, and acts of omission are about things that we have haven’t done but perhaps we should have done. And usually, it’s a hell of a lot easier to see, probe and prod acts of commission. Each of which will of course have risks associated with them.
In thinking about any risk, we are peeking into the unknown, we are trying to glimpse the future, it’s obviously also impossible to eliminate all risk but entirely possible to significantly reduce most of it. And in order to properly consider risk we really need to account for its three moving components:
- The probability of the risk occurring
- The cost or impact of the risk materialising
- And the ability to control the risk should it occur
In our view, ambitious managers and leaders wanting to drive their businesses forward should obviously have a three-to-five-year business plan, an annual plan, and quarterly plans or 90 day sprints and these quarterly plans should be revisited, reviewed and revised monthly. And as part of this monthly review sequence the risks to plans should be regularly re-assessed because when you think systematically about what could go wrong, you dramatically increase the chance of creating something that might actually go right!
So, what’s the process?
There are various stages to implementing a robust risk assessment process and we’re going to use a six step process that includes a table showing; the risk probability, cost and control-ability of the risk and then once we have this information, we’re going to place each risk on a chart to view it.
Step #1 – risk identification – aka “productive paranoia”
The first step in the process is to brainstorm all of the things that possibly could go wrong.
This is what we like to term “productive paranoia”. You need to turn yourself into Doctor Doom for a few hours. (Hopefully not too long).
This might be done as a formal brainstorming session with the top team or it might simply be done with your business partner and a pint in a pub; there is no right and wrong answer, it will largely depend on the size of your business, its complexity and the hostility of your external environment. Essentially, you just need to come up with your list of risks.
You want to concentrate on the big stuff, most of us are not nuclear power stations where we would actually need to think about, and plan for, the 0.0001% chance of a jumbo jet crashing into your facility.
But it does make sense to think about:
- A rogue salesperson defecting with your client list
- A complete telecoms or IT failure
- Your weekly cash burn and how long you could survive with no payments
- The loss of a major customer or indeed a critical supplier
- Over reliance on a single member of staff
- The list is long so includes any other business risk pertinent to your individual situation!
When going through this process and thinking about the often hostile external environment it is useful to apply tools like PESTLE analysis and Porter analysis the results from which can feed into the opportunities and threats component of a SWOT analysis, where your internal strengths and weaknesses are also assessed.
As part of this first stage, questions you might ask yourself include:
- What assumptions have we made about our plans and our risks that are simply wishful thinking?
- Where are we being over optimistic?
- How strong is our defence and what can we do to improve it?
- Are there any second or third order consequences to our current plans and initiatives?
- Where have we let greed and optimism infect our assumptions?
Step #2 – chance of occurrence (probability assignment)
Having identified the risks, take each one and simply apply the idea of a “best guess” about the chances of each one occurring. Is absolutely NOT about being precise… it’s about understanding the scale of the issue; an educated guess is what we’re looking for. It might also be, as you begin to assign numbers to particular risks, you go round the process a couple of times before you’re happy the numbers are “there or thereabouts”.
As a general rule, it’s probably not useful to be interested in risks that have a less than 5% probability of occurrence. As the saying goes “don’t sweat the small stuff”.
Depending on the size and complexity of your business, if you’ve done this properly a small company might have anywhere from half a dozen to a dozen risks, up to maybe 20 to 30 for larger more complex organisations.
Step #3 – impact assessment
For each of the risks we now need to estimate the impact of that risk should it materialise.
There are various ways to do this, for instance, to assign a number between 1 to 10. We like the numbered approach because it provides a greater level of granularity, but equally you could use High, Medium, Low or Red, Amber, Green. Alternatively, you could you use money, say less than £500, £500 to £5k, £5k to £50k. The method employed is really one of preference.
However, to put things into a context, it might be useful to think about risk from an individual health perspective, taking the numbered approach:
- Low risk, let’s say, from one to three is a bit like having a pebble in your shoe. It’s irritating not much fun but you can still pretty much function at full capacity
- Medium risk, say 3 to 7 is a, bit like having a broken arm. It’s difficult to operate a keyboard, mouse or machine but you are still mobile and can function, you won’t work nearly as efficiently, you’ll be in pain and you’ll need to apply much greater effort, but you can still get stuff done.
- High risk is the game changer and scores 8 to 10. This incapacitation or even death. At the very least we are looking at recuperation and physio taking months. If this risk materialises there is a catastrophic impact on the business.
Step #4 – manageability assessment
The final stage assesses the manageability or control-ability of the risks. Again, there are various ways to do this, assign a number from 1 to 10, use High, Medium, Low or Red, Amber, Green. And again, the method employed is really one of preference. We’re going to use numbers again.
- Controllable risks, say 1 to 3, are usually pretty rare simply because there’s very little we can totally control especially if it’s a risk! You can’t totally control whether you get run over by the proverbial bus. But you can control the fact that you look both ways when you cross the road and you’re not texting when you do so.
- Manageable risks, say 4 to 7, are those that you don’t have complete control over, but you can influence or manage the probability of them occurring or indeed the costs associated with them. You might not be able to determine when your invoices get paid, but you can send them out on time, you can have a robust credit chasing process and you can control when your suppliers get paid.
- Uncontrollable risks, say 8-10, are things like interest rates, general economic growth rates, sector growth rates and your competition.
Step #5 – overall assessment??
The overall assessment of risk then is about managing both probability and impact and as per the hopefully amusing adjacent diagram.
However, we need something slightly more constructive than an amusing diagram and we now have all the information we need to create a simple and effective pictorial assessment of your risks. We now need a graph where along the bottom (X) axis will plot the degree of controllability of the risk and on the side (Y) axis we are going to plot the financial impact in pound notes.
Each of the individual key risks will be represented by a circle, a small circle for the smaller risks and a big circle for the big risks. Let’s look at an example.
Suppose you identified the following risks as part of your assessment:
- A 95% chance that corporation tax was likely to increase from 19% to 25% within the next four years (as if!).
- A 70% risk that a large but indirect cash rich competitor is about to take over a small but direct competitor who is selling the business because the senior team is approaching retirement age.
- A 60% chance that a critical member of staff wants to take early retirement in the next 2 years.
- A 60% chance that the already long lead times from a key supplier will lengthen further.
- A 70% chance that there will be a significant overrun to your latest (increasingly expensive) IT project (again…as if!)
|Step #3Cost £ or 1-10
|Step #4Controllable 1-10
|Concentration of competition
|Critical staff member retirement
|Supply chain problems
We can now take the data from the above table and plotted on a chart which reveals the following:
Step #6 – Managing risk
One of the primary jobs of ambitious leaders is to manage risk on an ongoing basis.
Its now time to break out the thinking caps. Some will be easier to manage than others and you have more control over something than others, but now you have pictorial representation of your risk it becomes much easier to see and much easier to manage. Risk management can be undertaken by:
- Shrinking the circle – looking for ways in which probability of occurrence can be reduced
- The project overrun issue could be resolved by re allocating staff or getting in external resources to bring it back on track.
- Moving the circle down – by thinking about ways to mitigate the cost or impact of the risk should it occur.
- The supply chain problem could possibly be mitigated by investigating, vetting and bringing on new suppliers.
- Moving the circle left – by thinking about the different ways in which the risk can be managed and controlled.
- The staff retirement problem could be addressed with a combination of succession planning, training and bringing in new people.
The above are just ideas, but hopefully you get the picture. Your problems, and the associated solutions will obviously be different.
How does this fit with our management systems?
The latest versions of the ISO suite of standards (Health and Safety – ISO 45000 Information security – ISO 27000, Environmental – ISO 14000, the ubiquitous Quality standard – ISO 9000 and many others) seek to ensure your business will survive and thrive over the longer term. Essentially, all of these standards seeks to provide a framework to ensure your business is “sustainable” in the widest sense of the word. As a result, each of these standards asks you to investigate, prepare for, mitigate and exploit both the risks and opportunities available to you.
It has been said that progress is not always measured by the ground gained, progress can also be measured by losses avoided. Managing risks is about employing “productive paranoia”, peeking into the future thinking about what could go wrong and then attempting to reduce the risk in order to improve your chances of longer-term success.
I suspect, if you were to stop and think about the losses you have endured in the past are likely to have arisen as a result of:
- Excessively optimistic assumptions
- Inadequate scepticism or
- Failure to consider what could go wrong.
Developing and growing companies is clearly about going on the offensive, more marketing, more sales, more customers. Managing risk is about playing defence. Regardless of your chosen sport there are not many that are entirely focused on the offensive, in business, as in sport, you need a complementary blend of offensive and defensive strategies.
Related tools and ideas
- PESTEL Analysis
- Porter Analysis
- SWOT Analysis
- Is your business balanced?
- The Cycle of business
- Acts of commission and omission
- The Road Less Stupid by Keith Cunningham
- Against the gods the remarkable Storey of risk – Peter Bernstein
To find out how Statius can help you deliver:
• Better strategies
• Better systems
• Better measurement and
• Engaged people delivering
• Better results
Call us now on 0208 460 3345 or email firstname.lastname@example.org