Sunday, 22 November 2009

Responding to risks

Responding to risks - the actions you can take once you've identified a risk and understood its probability and impact.

There are usually risks that cannot be avoided in business, no matter what alternative we choose.  Our decisions therefore focus on how we will respond to them, rather than trying to avoid them.   Responses to risk will vary from business to business and from risk to risk, but they tend to fall into one of these categories:
  • eliminating
  • tolerating
  • minimising
  • diversifying
  • concentrating
  • hedging
  • transferring
  • insuring
Deciding which of these responses is appropriate in any given situation requires careful analysis of the risk in terms of probability, impact and potential outcomes (expected values).

Getting it right

Whatever approach you choose to the risks you face, there are central themes to risk management that have to be in place for it to be successful.

Effective decision making and risk management are based on understanding, information and consistency.  It is vital that everyone involved is working from a shared idea of the significance of the risks facing the business, the probability of them occurring and the actions that they need to take in order to minimise downsides (or maximise upsides).

Here are some questions to ask in key areas to assess your risk management capabilities:

understanding operational risk:
  • are the risks that can arise in key business processes understood?
  • are the implications of choosing or creating particular new processes understood?
  • are the impacts of operational risk understood, in terms of their immediate impact and also any potential impacts at higher levels?

understanding strategic risk:
  • are decision makers aware of the strategic risks facing the business?
  • are the implications of 'doing nothing' or continuing along the present course understood?
  • has 'business as usual' been examined in the same way as a 'risky' new direction would be?
  • have the risks implied simply by entering or remaining in a particular market been examined?

understanding probability:
  • have probabilities been quantified in a consistent way, that allows for comparison?
  • what evidence is there to support estimates of probability?
  • where there is uncertainty, has this been understood and acknowledged by decision makers?
  • is there shared understanding of the subjectivity involved in probability calculations?

understanding impact:
  • have impacts been quantified wherever possible, to allow for comparison?
  • is it clear where risks might impact on more than one area of the business?
  • is there the potential for risks to have interdependencies, making the occurrence of two or more risks together more significant?
  • are the different levels of impact understood (operations, strategy, financial, cultural)?

information:
  • documenting:  how will risks, responses and results be documented?  what procedures will be used for recording the actions taken to manage risks and their results?
  • sharing:  how will information on risks and the success (or otherwise) of particular responses be disseminated throughout the business, to avoid duplication of effort?
  • communicating:  who owns key information? who does it need to reach in order to support decisions on risk? what are the best media, formats and techniques for communicating?

clear roles and responsibilities:
  • whose responsibility is each risk? who 'owns' it by default?
  • who has enough authority and/or information to take a decision on how risks will be managed?
  • who will take action to manage the risk?  who will become its new 'owner'?

reporting and monitoring:
  • who needs to know what, and when?
  • what is the best medium or channel to provide information on risks, such that those who need to take decisions have the information they need in a format they will find conducive?

consistency of approach:
  • if similar risks occur in different parts of the business, is the response the same?
  • could risks easily be aggregated across the business if this kind of concentration brought benefits?

consistency of analysis:
  • where possible, are risks assessed using standard, objective criteria, or at least those that are agreed by all within the business?

consistency of tools and techniques:
  • where decision-making tools are used, are they used in a consistent way across departments and teams?
  • is there a genuine shared perspective on risks that affect different groups?

consistency of terminology:
  • are risks described in terms that allow meaningful comparison and evaluation across the business?
  • are common terms used with the same sense throughout the business?
  • are there any aspects that need to be quantified, or made less subjective, to allow for more focused discussion between those involved?
