Starting
a Dialog on Risk Management
By: Brian Newton
Risk
Management is a topic of deep concern for financial services companies. Assuming
it is of less import for other companies, I believe, completely misses the
boat. In fact, Risk and Crisis Management
are critical for all companies dealing with the public, especially in our
litigious society and the absolute dollar cost of a failed event.
Firms are
in business to make money and as everyone knows, returns only go to those that
take risks. (The risk-free returns currently available in short term Treasury
securities – measured in small numbers of basis points – tend not to attract
most firms.) So firms take risks. The question is, how should these risks be
managed? And what tools can be used to manage risk?
We first must
identify the risks to which the firm is exposed. There are risks in all
functional areas. Does your firm rely on
a wide ranging supply chain? If so, have you identified alternative suppliers
from which you could source the required inputs in reasonable time, of
sufficient quality and at a competitive price? Do you have a relationship with
alternative suppliers? Could you open a new supply link in a timely way and
still meet your deliver obligations? What would be the downside of having to
delay deliveries to your clients? Would this result in lost customers, and
thereby impact your expected revenues? What about developing a new to the world
product? Does the financial and business risk potentially outweigh the reward
of success? These are a few of the many questions to answer.
Identifying
the risk is non-trivial. We must evaluate the risks in terms of both impact
(positive and negative) and likelihood. A risk with little downside likely does
not warrant direct management. However, awareness of such an occurrence may be
well worth knowing as it may indicate the business environment is changing. And
this may require a reassessment of all risks to which the firm is exposed as
well as the firm’s overall business strategy. Best to know this as early as
possible!
Here’s a
framework we, at C-Level Partners, use to help companies define and manage
business and functional risk.
Those risks
with sufficient downside and potential knock-on impacts will require management
of some type. This could entail allocation of resources to do precisely this,
manage the risk. It could also entail laying off the risk via an insurance
arrangement. Clearly this entails a cost, but depending on the nature of the
risk, it may well be worth the cost. Oh yes, those resources to manage the risk
aren’t free!
Other types
of risk to which any firm is exposed include business disruption risk. It’s
easy to contemplate this in the context of a natural disaster. Here in Southern
California earthquakes are rare but highly disruptive events. Do you know what
your firm needs to do to maintain its business activities should such an event
occur? For this to be the case a firm must have a business continuity /
disaster recovery plan in place. If so, this is a good indicator of awareness.
However, is this plan current (reflective of current business activities) and
has the plan been tested recently? A sports analogy is useful here: The best
game plan in the world fails almost certainly when there has not been
sufficient practice. There has never been a winning sports team that talked
about what they were going to do but did not practice actually doing it. The
same is true for disaster recovery plans.
One key
element of managing unexpected events is communication. Depending on the nature
of the event this could simply be internal communication. What happens when the
delivery of a necessary input is delayed? The actions required should be known
to those responsible for that production area. Ideally, these action plans are
written down as the responsible people themselves may be out and their
replacements need to have quick access to these instructions so as to prevent a
negative outcome for the firm.
Another
internal form of communication that is key and
might be required and practiced is the Calling Tree. When something unexpected
happens, the person first finding this out should know who in the management
chain needs to be informed. This initial call in most cases will prompt by that
manager a cascade of calls across the parts of the firm affected by the event.
By doing this, all who need to know and need to adjust their activities will be
informed in a timely manner, which itself should reduce the impact of the
event. This calling tree puts into action people and resources to tackle the
issue and manage the negative effects.
When
external communication is required, with clients and possibly the public, it is
very important to have a single person control the communication. The message
for clients should be delivered by relationship managers that have received the
approved message for their use. For general public announcements, ideally the
senior manager responsible for all communication makes these announcements.
Clarity and consistency of message are critical attributes of this
communication.
We’ve just
taken a quick look at risk management issues … and we’ve begun to see the
complexities involved. Every firm’s business will be exposed to a variety of
business risks to greater or lesser degrees. And the degree of exposure, i.e.
risk impact, is a factor when devising the plan and when testing it. The test
results themselves are useful information to be used in updating the plan as
well as training the staff with business responsibilities.
To give you
one perspective, the consulting side of one of the Big 4 accounting firms has a
rule of thumb that firms should be spending about 2% of their revenues on
managing risks. So if yours is a $50MM company, then $1MM is an approximate
budget for risk management activities. Recall, this includes insurance premia,
continuity planning and testing, and staff costs for those focused on these
activities.
Whether
business risk management requires this level of expenditure depends on the firm.
In many cases, good contingency plans, laid out when the risks are identified,
might suffice to manage and control many business risks (realizing that the
budget for this contingency planning is part of this 2% estimate). For example,
a product manager working to commercialize a new to the world product may see
that channel risk is very high. Therefore, his/her plans should include contingencies
that may, in fact, include having multiple distribution channels from the start,
even if it is less efficient.
If you have
a different view, please let me know as I’m always interested in other’s views.
Contact me at bnewton@clevelpartners.net or on (949) 445-1080 x301.