How to Build Risk Management Systems
Scott Williams
Everything a business does is risky to some extent. It’s one of the things business people have to live with on a continual basis, and the willingness to shoulder more risk is one of the things that separates business owners from employees. Learn how to build Risk Management Systems in this article.
You should develop a Risk Management Plan for your own protection. In fact, the way Health and Safety law is going, you may be legally obliged to.
If you don’t, you put your wealth, and possibly your freedom, at risk as you can be jailed for some types of business accidents and failures.
Risk Management is a never-ending, cyclical process. You should monitor your risks regularly and tune your Risk Management System, perhaps each year when you take out insurance against your risks.
A risk has two dimensions: the chance (likelihood) of it occurring and the impact if it does. Something might occur often but be of little impact (e.g. cuts and bruises) and so can safely be put on a low watch list. On the other hand, a computer crash might be rare but have a very large impact and so should be “managed” by your Risk Management System.
To help with prioritising the risks you face you can arrive at an “expected value” of a risk by positioning it somewhere in a risk matrix like the one below.
Along the top, we have the impact of the risk if it occurs. We give them a numeric score like the one below.
Down the side, we have the chance of it happening; also with a numeric score.
In the body of the table, each cell holds a score that is the chance multiplied by the cost for that cell. A very high cost (10) times a very high chance (10) scores 100 in this example.
The value of this is that you can see at a glance that the impact of some combination of cost and likelihood is more or less than the impact of some other combination. This way you can rapidly prioritise the various risks by their likely impact on your business.
| | Very High Cost (10) | High Cost (8) | Average Cost (6) | Low Cost (4) | Very Low Cost (2) |
|---|---|---|---|---|---|
| Very High Chance (10) | 100 | 80 | 60 | 40 | 20 |
| High Chance (8) | 80 | 64 | 48 | 32 | 16 |
| Average Chance (6) | 60 | 48 | 36 | 24 | 12 |
| Low Chance (4) | 40 | 32 | 24 | 16 | 8 |
| Very Low Chance (2) | 20 | 16 | 12 | 8 | 4 |
For example, a life-threatening situation might be ‘very high’ on the cost scale but ‘unlikely’ if you are an accounting office. For a company building high-rise buildings, though, the cost would be the same but the likelihood of it happening would be much higher.
Begin by identifying the risks your business is exposed to. Some will be Health and Safety and you might want to retain an expert to advise on this to be sure you have identified the legally required risks. Some will be financial and business operations, for example, a failure of a computer system because there are no data backups. Some might be ‘reputation’ meaning that you suffer a loss of credibility with your customers or community.
Once you have a list of risks and a score for each of them, you need to develop a method of mitigating or controlling each significant risk. These controlling methods are called “controls”.
Because of their potential impact, we start with the biggest scoring risks and work down the list in declining order of the risk attached to each event. It might be most convenient to list these risks in a spreadsheet along with their “score” from the matrix above. This will allow you to sort the spreadsheet by score and automatically rank the risks by significance. This document is usually called a “Risk Register”.
First, you want to focus mainly on the 20% of the risks causing 80% of the exposure.
Go to the Skills Module introduction: SM2.0 80/20 Sales Growth; Double Sales, Triple Profits to learn why you should use these ratios.
For each risk, try to work out a ‘control’ which, when applied, reduces the original risk to something more manageable. Let’s say there is a serious risk of falling off a balcony. The ‘control’ is to erect a balustrade to prevent people accidentally falling off the balcony. Put the control in a column in your spreadsheet.
With a computer system, the damage done from losing the Accounts Receivable information will have an economic impact on your business that you might scale as “high” risk, either because it is likely to happen and/or because, if it does, the economic loss to your business is high. The control might be regular (ideally automated) off-site backups to the ‘cloud’.
Once you have a ‘control’ you can apply, you can re-assess where that risk lies in the Risk Matrix above and give it a “Residual Risk Score”, which will be less. Calculate the Residual Risk by placing it in the new chance * cost cell in the matrix above. For example, a 10 chance * 10 cost = 100 initial risk might drop to 3 chance * 10 cost = 30 after installing the balustrades in the example above. Note that the likelihood is reduced but not the cost should it happen, because that will often stay the same. Put the Residual Risk score in a column in your spreadsheet.
Even after applying a control, the Residual Risk may still be high which means that it is a risk you need to continue to be very observant about as it can’t easily be reduced to a low level of risk.
Some of the risks will be so small that managing a ‘control’ for that risk might cost more than having the risk event happen. So, at some point (possibly based around the 80/20 ranking), you will not put in ‘controls’ other than common sense and a general safe workplace environment.
For a quick visual overview, the cells in your spreadsheet containing the Initial and Residual Risks can be coloured in red, yellow and green “traffic lights”. Red marks the high Initial and Residual Risks, and so on. This immediately draws your attention to the ones to be most concerned about. After a while, you get used to looking for the ‘red’ risks and hope they turn ‘yellow’ or ‘green’ after the control is applied.
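The Risk Register steps above (score, rank, pick the risks carrying most of the exposure, re-score after the control, colour the cells) can be carried through in a few lines of Python. This is an added example, not part of the original article: the register entries other than the balcony figures, the 80% cut-off rule as implemented here, and the red/yellow thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    chance: int                         # likelihood score on the matrix scale
    cost: int                           # impact score on the matrix scale
    control: str = ""                   # empty = no control applied
    chance_after: Optional[int] = None  # likelihood once the control is in place

    @property
    def initial(self) -> int:
        return self.chance * self.cost

    @property
    def residual(self) -> int:
        # A control usually lowers the chance; the cost if it happens stays.
        chance = self.chance if self.chance_after is None else self.chance_after
        return chance * self.cost

def rank(register):
    """Highest initial score first, as when sorting the spreadsheet."""
    return sorted(register, key=lambda r: r.initial, reverse=True)

def priority(register, share=0.8):
    """Smallest leading group of ranked risks covering `share` of total exposure."""
    total = sum(r.initial for r in register)
    picked, running = [], 0
    for r in rank(register):
        if running >= share * total:
            break
        picked.append(r)
        running += r.initial
    return picked

def light(score, red=60, yellow=24):
    """Traffic-light colour; the two thresholds are assumed, not from the article."""
    return "red" if score >= red else "yellow" if score >= yellow else "green"

# Constructed sample register; only the balcony figures come from the article.
REGISTER = [
    Risk("Cuts and bruises", 10, 2),
    Risk("Fall from balcony", 10, 10, "Erect a balustrade", 3),
    Risk("Loss of Accounts Receivable data", 4, 10, "Automated off-site backups", 2),
    Risk("Loss of reputation", 4, 6),
    Risk("Printer failure", 6, 2),
]

if __name__ == "__main__":
    focus = {r.name for r in priority(REGISTER)}
    for r in rank(REGISTER):
        print(f"{r.name:34} {r.initial:3} {light(r.initial):6} -> "
              f"{r.residual:3} {light(r.residual):6} {'FOCUS' if r.name in focus else ''}")
```

Run as a script, it prints the register ranked by initial score with both colours and marks the risks that together make up 80% of the total exposure.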
Having documented and measured risks and their controls, you need an active process of applying the controls and training staff on what the risks are and how to manage them.
Risks are not stationary. New work practices, changing laws and different staff will change your risk profile. Therefore, you should revisit the Risk Register with a frequency that reflects how quickly your risk environment might change.
Many risks cannot be entirely removed. For this reason, you usually take out insurance cover to minimise the cost impact on your business if a risk event occurs.
You should match your risks that remain high after the ‘control‘ is applied to your insurance cover to ensure you have that risk covered and for an adequate amount.
For example, if a high Residual Risk is a computer crash without an up-to-date backup leading to the loss of your accounts receivable data so that you can’t recover debts owed to you, you might take out insurance for loss of income equivalent to the normal value of your accounts receivable. Your insurance broker can advise on how to cover your risk profile.
Insurance will not be sufficient if you are deemed to be negligent when a serious event occurs. The impact of such events can be very heavy. A workplace death by accident could lead to manslaughter charges and jail time, for example.
If you are in a risky environment, a proper Risk Management Strategy can prove that you did your best to manage risk and might save you from prosecution or the insurance company denying you cover under your policy.
You also need to document your actions for external policing bodies so they can see you are on the ball. Your insurance company might be more supportive if they can see you have taken steps to manage risk.