Business Bites: A risky business

Nick Walsh FBDO MBA MCMI MIoL
ABDO head of corporate development

Investopedia definition of business risk: “Business risk is any exposure a company or organisation has to factor(s) that may lower its profits or cause it to go bankrupt”.

Business risks may be due to internal factors, external factors, or both, and will impact your bottom line. Internal factors may be driven by management and leadership decisions in search of business growth. They may also arise from leaked privileged information, or from missed opportunities due to an aversion to risk.

External factors are more challenging in that you have little or no control over them occurring. They may include (but are not limited to) technology changes, regulatory changes, compliance issues, changes in consumers’ tastes leading to a change in demand, the current and future states of the economy, failing suppliers, price increases from suppliers, new or renewed competition, etc. One of the most impactful external factors in recent memory is, of course, the Covid-19 pandemic, which had far-ranging impacts globally. Many businesses found themselves forced into a risk management situation due to these impacts, some being better prepared than others.

As risk is unavoidable, risk management is an important factor in running your business. If you have a thorough risk management plan in place, you are more likely to survive the impact of both internal and external risk by mitigating or managing the risks identified.

From the McKinsey article ‘What is business risk’, we see that: “Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analysed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimise the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost.”

But in order to develop appropriate risk controls, an organisation should first understand the potential risks.

Identifying risks

In an article for American Express, ‘Types of business risk and ideas for managing them’, Dina Gerdeman states: “There are a few key ways to identify business risks:
• Reviewing financial statements and performance indicators: This can help you identify risks related to cash flow, profitability, or solvency.
• Conducting a SWOT analysis: A SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) can also be a helpful tool for identifying risks and brainstorming ways to mitigate them.
• Identifying key dependencies: Key dependencies are things that your business relies on to function, and if they were to fail or be disrupted, it could have a serious impact on your business.
• Carrying out root cause analysis: Conducting root cause analysis can help you to identify what underlying factors could lead to a problem or issue.”

Figure 1

Assessing the level of risk

Once risks have been identified, they need to be recorded in a Risk Register. The Risk Register requires a severity rating for the level of risk for each item. Some may take a simple approach of stating a risk level of low, medium, or high. More common, however, is the use of a risk matrix in which the severity ‘score’ is calculated as the product of Probability x Impact. The matrix is sometimes a 3 x 3 and sometimes a 5 x 5, the difference being the level of granularity that can be achieved. Figure 1 shows a template for a 5 x 5 grid created by the author. A simple internet search may give you alternatives that you deem more appropriate.

The scores in the main body of the matrix in Figure 1 are calculated by first assessing where the probability is on the scale of Rare to Almost certain (1-5) and then assessing where the impact is on a scale of Insignificant to Severe (again 1-5). The score is calculated by multiplying the Probability by the Impact. For example, a Probability of Moderate (3) and an Impact of Severe (5) give a risk rating of 15 (Very High).

Figure 2

Risk Register

To decide the key factors in controlling the risk, it is advisable to produce a Risk Register. Again, there are a variety of templates available to you that you can find with a simple internet search. You may find the examples on stakeholdermap.com useful as a starting point, or a template as shown in Figure 2.

Once the register is created, it needs an Assess, Plan, Do, Review (APDR) approach to ensure that actions are taken in the appropriate manner and timeframe. It is also vital that successful actions are reviewed and recorded, as they may need to be used again in future should the same or similar risks arise. It is worth noting, however, that external factors may change over time, meaning new management and mitigation measures may be needed.

Risk management cycle

The full cycle for risk management can be seen as represented in Figure 3.

Figure 3

Competitive advantage through risk appetite

Everything that has been discussed thus far has implied that risk is unplanned and needs to be managed or mitigated. But what about planned risk that a business may take on in order to secure competitive advantage? This may be through groundbreaking technology, new product lines, new supply routes, etc.

Referring back to the McKinsey article, we are informed that there are three questions companies should consider:
1. How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviours, digital capabilities, competitive landscapes, and global trends.
2. Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depends on their particular business, industry, and levels of risk tolerance.
3. Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. But the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. But increased data breaches and privacy concerns can increase the risk of large-scale failures. Organisations, therefore, should evolve their risk profiles accordingly.

Risk aversion by a business may lead to missed opportunities, but obviously all risk must be identified, assessed and controlled – even if it is planned risk.