Managing Business Risk

IF THERE IS one positive to be taken from the 2008 global financial crisis, it is the reminder that the world of business offers no guarantees. Just two years earlier, when markets were soaring and profits seemed all but certain, executives tended to think any new product or service would be a surefire hit and that steady long-term growth was a given. 

They underestimated or, in some cases, appeared to ignore the element of risk. Bullish sentiment and the push for profits caused them to approve strategies and forge ahead with projects that now seem to defy belief. 

What key individuals chose to forget is how easily things can go wrong. Markets turn, new products fail to wow the customer, and established companies find themselves struggling to cope with a changing environment. One of the first principles every executive should remember is that, however well their organisation is doing today, risk is always lurking in the shadows. As a business gets bigger, rather than diminishing, the range of risks will multiply and take on new forms that can include everything from financial and economic to environmental, societal, and geopolitical factors.

To develop greater business acumen, the smart thing for managers to do is to not allow justifiable confidence or blind optimism to obscure the need for a regular assessment of what could go wrong. Their ability to innovate should, at times, be used specifically to come up with various worst-case scenarios and plan how to deal with them. Doing this obliges executives to set aside standard assumptions. It also drives home the message that, in most businesses, the only real certainty is uncertainty, and success depends on detecting and coping effectively with the inherent risks. 

Some of these are internal to a business and largely manageable. Others may be completely outside our direct control, but astute anticipation and well thought out reactions can go a long way in mitigating the consequences. 

Like supply and demand, monthly accounts and the annual budget, managing risk is an integral part of any business. Leaders can't eliminate it, but the more they understand the potential sources and possible ramifications, the better the chance of putting in safeguards and "defensive" measures. At different levels, these may be needed to protect the continuing business in terms of markets, finances and competitive advantage, and also to protect the rights and interests of employees, suppliers, customers and the general public.

It helps to divide the types of risk into three broad categories. The first are "known" in the sense that they tend to repeat or can be identified easily by someone with even limited experience or expertise. For example, if you use sub-standard materials in a manufacturing process or play fast and loose with the accounts, it is pretty clear that sooner or later something will go wrong. 

The second category covers "predictable" risks, which can be anticipated if particular circumstances follow a likely trajectory. So, when credit card companies allow consumers to run up a high balance relative to their income, or when banks grant 100 per cent mortgages without adequate background checks, one can foresee that the chance of default is increasing. 

The third category is for "unpredictable" risks, which arrive out of the blue and whatever steps are taken certain things always remain beyond our control. An act of terror, a natural disaster, or a flu pandemic might strike at any time. But while the element of unpredictability obviously exists, people often forget that by envisaging possible scenarios, applying the experience of others, and preparing an outline plan of action, they can move risks into the "predictable" category. 

The intention is not to restrict business initiatives or postpone investment through fear of what could happen. It is to identify and manage the risk by being in a position to exercise as much control as possible and take the appropriate actions.

Doing that requires an approach that combines the methodical and the imaginative. By analysing the operations, contacts, regulations and plans that govern the workings of each department, it should be possible to compile a summary of major and minor risks under a series of headings. One might be financial, relating to turnover, the capital position, or outstanding liabilities. A second could centre on customers in order to assess, for example, the dependence on individual accounts and the effect of losing them would have on total revenue. Others could focus on information technology related issues, environmental risks, or spiraling costs. 

Depending on the organisation and industry, the categories of risk to consider could run from technology, corporate culture, foreign exchange and information security to corporate governance, health and safety, brand reputation, facilities or human resources. There is no reason to impose a limit, especially since companies continually evolve and new areas of risk may emerge. The objective, though, is not simply to identify each risk, but to gauge the likelihood of its occurring, determine how to prevent it and make an informed decision. This can also form the basis of an internal corporate scheme to grade or colour code potential risks based on their chance of happening and the seriousness of their perceived impact. 

Once this is done, it becomes easier to decide on ways to manage each risk. The preferred option may be to eliminate it completely. That could mean closing down factories that failed to meet proper safety guidelines, forbidding travel to known danger zones, or recalling a product that had drawn customer complaints. Even though eliminating the risk by such measures may seem like the logical course of action, it may still result in increased expenses and damage to reputation, which can create heated discussion in the boardroom.

A viable alternative is to consider transferring the risk to another party by taking out insurance. The multibillion-dollar insurance industry can write policies to provide cover for anything from accident and injury to product or professional liability, the interruption of business, or even errors and omissions. This helps to spread the risk. 

Another option, taken by more companies than might choose to admit it, is to identify a risk and then decide to do nothing. Sometimes, this is exactly the right call. Predicted events may never happen, once-in-a-lifetime occurrences may be exactly that, and new factors can quickly supersede old concerns. 

Every business will have to deal with risk in multiple forms. The likelihood in some instances may be low, but each area should receive due consideration to maximise the upside, minimise the downside, and allow the managers and leaders to have a clear understanding of what may impede the company's progress.