Starting a Dialog on Risk Management
By: Brian Newton
Risk Management is a topic of deep concern for financial services companies. Assuming it is of less import for other companies, I believe, completely misses the boat. In fact, Risk and Crisis Management are critical for all companies dealing with the public, especially in our litigious society and the absolute dollar cost of a failed event.
Firms are in business to make money and as everyone knows, returns only go to those that take risks. (The risk-free returns currently available in short term Treasury securities – measured in small numbers of basis points – tend not to attract most firms.) So firms take risks. The question is, how should these risks be managed? And what tools can be used to manage risk?
We first must identify the risks to which the firm is exposed. There are risks in all functional areas. Does your firm rely on a wide ranging supply chain? If so, have you identified alternative suppliers from which you could source the required inputs in reasonable time, of sufficient quality and at a competitive price? Do you have a relationship with alternative suppliers? Could you open a new supply link in a timely way and still meet your deliver obligations? What would be the downside of having to delay deliveries to your clients? Would this result in lost customers, and thereby impact your expected revenues? What about developing a new to the world product? Does the financial and business risk potentially outweigh the reward of success? These are a few of the many questions to answer.
Identifying the risk is non-trivial. We must evaluate the risks in terms of both impact (positive and negative) and likelihood. A risk with little downside likely does not warrant direct management. However, awareness of such an occurrence may be well worth knowing as it may indicate the business environment is changing. And this may require a reassessment of all risks to which the firm is exposed as well as the firm’s overall business strategy. Best to know this as early as possible!
Here’s a framework we, at C-Level Partners, use to help companies define and manage business and functional risk.
Those risks with sufficient downside and potential knock-on impacts will require management of some type. This could entail allocation of resources to do precisely this, manage the risk. It could also entail laying off the risk via an insurance arrangement. Clearly this entails a cost, but depending on the nature of the risk, it may well be worth the cost. Oh yes, those resources to manage the risk aren’t free!
Other types of risk to which any firm is exposed include business disruption risk. It’s easy to contemplate this in the context of a natural disaster. Here in Southern California earthquakes are rare but highly disruptive events. Do you know what your firm needs to do to maintain its business activities should such an event occur? For this to be the case a firm must have a business continuity / disaster recovery plan in place. If so, this is a good indicator of awareness. However, is this plan current (reflective of current business activities) and has the plan been tested recently? A sports analogy is useful here: The best game plan in the world fails almost certainly when there has not been sufficient practice. There has never been a winning sports team that talked about what they were going to do but did not practice actually doing it. The same is true for disaster recovery plans.
One key element of managing unexpected events is communication. Depending on the nature of the event this could simply be internal communication. What happens when the delivery of a necessary input is delayed? The actions required should be known to those responsible for that production area. Ideally, these action plans are written down as the responsible people themselves may be out and their replacements need to have quick access to these instructions so as to prevent a negative outcome for the firm.
Another internal form of communication that is key and might be required and practiced is the Calling Tree. When something unexpected happens, the person first finding this out should know who in the management chain needs to be informed. This initial call in most cases will prompt by that manager a cascade of calls across the parts of the firm affected by the event. By doing this, all who need to know and need to adjust their activities will be informed in a timely manner, which itself should reduce the impact of the event. This calling tree puts into action people and resources to tackle the issue and manage the negative effects.
When external communication is required, with clients and possibly the public, it is very important to have a single person control the communication. The message for clients should be delivered by relationship managers that have received the approved message for their use. For general public announcements, ideally the senior manager responsible for all communication makes these announcements. Clarity and consistency of message are critical attributes of this communication.
We’ve just taken a quick look at risk management issues … and we’ve begun to see the complexities involved. Every firm’s business will be exposed to a variety of business risks to greater or lesser degrees. And the degree of exposure, i.e. risk impact, is a factor when devising the plan and when testing it. The test results themselves are useful information to be used in updating the plan as well as training the staff with business responsibilities.
To give you one perspective, the consulting side of one of the Big 4 accounting firms has a rule of thumb that firms should be spending about 2% of their revenues on managing risks. So if yours is a $50MM company, then $1MM is an approximate budget for risk management activities. Recall, this includes insurance premia, continuity planning and testing, and staff costs for those focused on these activities.
Whether business risk management requires this level of expenditure depends on the firm. In many cases, good contingency plans, laid out when the risks are identified, might suffice to manage and control many business risks (realizing that the budget for this contingency planning is part of this 2% estimate). For example, a product manager working to commercialize a new to the world product may see that channel risk is very high. Therefore, his/her plans should include contingencies that may, in fact, include having multiple distribution channels from the start, even if it is less efficient.
If you have a different view, please let me know as I’m always interested in other’s views. Contact me at firstname.lastname@example.org or on (949) 445-1080 x301.