These aren’t the old days. Business leaders have finally gotten serious about managing topline risk at their companies. Just in time, too. Risk storm clouds have been gathering for a while now.
Where are they coming from? Well, in their work, risk scholars Howard Kunreuther and Michael Useem highlight a number of important, cross-industry trends that are exacerbating business risk across advanced economies. Those trends include growing interdependency, shorter-term (management) thinking, increased regulation, greater geographical clustering, higher probability of systemic shock, and new calls for transparency, spurred on by advances in information and communications technology.
When it did a run-through of top business risks this year, global insurer Allianz came to similar conclusions. Its Risk Barometer included the following top ten:
- Business interruption (including supply chain disruptions)
- Cyber incidents
- Natural catastrophes
- Market developments
- Changes in legislation and regulation
- Fire, explosion
- New technologies
- Loss of reputation or brand value
- Political risks and violence
- Climate change and/or increasing volatility of weather
So, to stay ahead in this tricky business environment, businesses need to get serious about risk management, by developing proactive, forward-looking risk strategies to cope with any number of risk scenarios. But companies can’t just prop up a risk management function only to ignore it when the perceived risk tide ebbs.
Pardon my French, but risk management is a slog. Avoiding backsliding into risk complacency, in particular, requires having a firm grasp on the fundamentals of risk. For starters, risk has three basic components:
- Probability of occurring
- Exposure of people and equipment
Furthermore, risk can be divided into a few categories: identified and unidentified risk. The former is the risk you come across using your analytical tools. Unidentified risk is the risk you don’t find. When both types of risk are combined, they yield total risk; and you had better hope identified risk is higher.
Acceptable and unacceptable risk come out of the category of identified risk. Acceptable risk, as the name implies, is the risk you tolerate once you’ve applied controls to manage your risk profile. Unacceptable risk, on the other hand, is the portion of identified risk that you simply can’t accept; unacceptable risk must be eliminated or, at least, actively controlled.
So what are risk controls? Well, they are the strategies and tools you use to manage risk, either to mitigate risk or eliminate it altogether. You know a control is effective if it eliminates at least one of the risk components we highlighted earlier.
Embedded in the very idea of acceptable and unacceptable risk is the fundamental question of risk management: how much risk is too much risk? Veteran risk managers will tell you that it’s virtually impossible to control all risks; there are resource considerations to bear in mind, since allocating resources to risk management isn’t cost free.
So if you can’t run a business without some risk, how much is too much? Risk management is about identifying, evaluating, and determining the risks your company is exposed to and coming up with policies, processes, and procedures to manage those identified threats. Unfortunately, it’s not a simple calculation. To get the information you need to stand up a risk practice and make well-formed risk decisions for your business, download our introductory guide to risk management.
Howard Kunreuther and Michael Useem, Oxford University Press: Mastering Catastrophic Shock: How Companies Are Coping with Disruption
Allianz Global Corporate & Specialty: Allianz Risk Barometer: Top Business Risks for 2018
Federal Aviation Administration: FAA System Safety Handbook
Edward Cho, Exploring Barriers to Effective Risk Management Through a Proposed Risk Governance Framework