All firms, regardless of size, face risks in their activities. There are a few steps one must take to ensure these risks do not result in bad outcomes. And following through on these should not be deemed a cost, but rather an investment in more effective and profitable growth for your firm.
Identifying the risks is the first step in the risk management process. One needs to take care to ensure that all of the risks are identified. Whether you plan to manage the risks, offload some risks by using an insurance arrangement or outsourcing the activity, or simply decide the probability of a bad outcome is sufficiently low that you can safely ignore the risk, you need to identify all of the risks facing your business.
possible. If you have been successful and not missed anything, the pat on your back will be well-deserved. But that is very unlikely. And don’t beat yourself up over having missed a few things.
To ensure training conforms to current activities, the documentation has to be current. Only then can you “pass the bus test” and the back-up person filling in for an absentee can perform the task correctly and in a timely manner.
A useful way to think about risk management is applying the old adage that the chain is only as strong as its weakest link. In this context that means every staff member has to “get it.” Getting it means they have been trained, understand their job and are able to carry out their tasks properly. This includes highly skilled and experienced individuals as well as new staff.
I’m reminded of my former London-based firm’s policy of hiring disadvantaged school leavers to give them an opportunity they wouldn’t otherwise have. One was a 17-year-old woman who had never worked before, and I was tasked with providing an induction to risk management. This was part of the process the firm employed with all new employees so that early on they would be introduced to all activities of the firm and be better able to perform their role. I have to admit that initially I was at a loss in this case. Then I asked her what tasks she had been told that she would perform. Her reply gave me what I needed to bring her to the point where she “got it.”
She said that one task she would be responsible for was sending out monthly reports to clients. This meant she would be printing and binding the reports, placing them in FedEx envelopes and passing them to the FedEx driver the first few days of each month. I pointed out that this was a very important task as each client needed to receive their report in a timely way each month. And I also noted that this meant that the reports had to be placed in the correct envelope with the client’s address on it. If there was a mix-up, that would mean we had disclosed confidential information of a client to an unauthorized third party, which is a breach of contract, and this might result in being fired by the client, resulting in the loss of many thousands in revenue each month.
When I explained this she was very worried that she would not be able to perform this task as there was such a large associated risk. I continued our conversation by saying there is a straightforward way to nearly eliminate the risk of a mistake. She could prepare all of the reports for shipping, place them in their respective envelopes and before sealing the envelopes, go back and check that the account codename corresponded with the client’s address on the envelope. Then she could seal the envelope knowing the correct report was going to the addressee.
She agreed that following this procedure would substantially mitigate the risk of sending a client the wrong report. So I asked her to draft the procedure, I reviewed it confirming it was appropriate, and incorporated it into the firm’s overall procedures manual for future reference by any person responsible for sending out monthly reports. I should also say that for the next three years that reports were sent this way, all reports were sent to the correct client.
I should also point out that the overall procedures manual was a key element of developing and implementing an effective risk management framework.
We’ll take a simple example of a firm that produces items that other firms use to create things to be sold to end users. That is, your firm is a member of the supply chains of your customers’ businesses. Your customers have selected you because you provide a quality product that they rely on to create the products they sell to their customers. So what do you need to worry about?
This list could be quite long. Your business almost surely also relies on a supply chain. Most if not all of the following are concerns for any business.
- Are all members of your supply chain reliable providers of the input you need?
- Have you assessed this attribute across your entire supply chain?
- What contractual arrangements are in place with these firms?
- Do you have recourse should one or more of them experience a business disruption?
- Do you hold input inventories to guard against such a disruption impacting your ability to deliver to your customers?
- How long will your inventory allow you to meet your obligations to your customers?
- Is this time sufficient to source an alternative supplier to meet your needs going forward?
- Do you maintain current lists of alternative suppliers to make supplier replacement a straightforward activity?
Now let’s look downstream toward your customers. How is your output delivered to each of them? Do you have a fleet of delivery vehicles that you manage? If so you probably see the many levels of complexity associated with this aspect of your business. Alternatively, you may outsource this by contracting with a logistics firm such as UPS, FedEx or the Postal Service. Each of these businesses has a reputation for reliability and it may be well worth outsourcing deliveries. This may even result in improved margins as your cost of shipping falls. Also there are obvious alternatives should a local office of one of these suppliers be hit by a fire, say. But you still need to be aware of the options and be ready to shift gears to keep your production reliably arriving at your customers’ locations.
These last two sets of risks are all associated with activities upstream and downstream from your firm. Regardless of the specifics of your firm and its clientele, these external risks likely are very important to the success of your firm, and therefore need to be managed.
Of course your own firm’s internal activities are exposed to risks and these will be highly specific to your production processes. All risks to which your processes are exposed need to be identified and assessed. Once the impacts of risk events have been assessed you will be in a position to determine whether the risks are manageable, whether in some instances the downside is too great and sufficiently likely that an insurance arrangement may be appropriate to offload the risk, and for some activities whether outsourcing may be a more cost-effective option.
Of course in all cases your processes should be documented for the usual reasons:
- training of new staff,
- increasing the reliability of production activities, and
- ensuring that absenteeism does not impact production.
And this internal documentation should be viewed as an investment in the firm’s business reliability. It also eases the burden of any regulatory inspection or due diligence by a potential acquirer of the firm, as well as making standard audits less time consuming. These returns are rarely accounted for but are benefits from devising and maintaining comprehensive and up-to-date documentation.
The final step, monitoring your firm’s activities, is extremely important as only by doing this will you know whether things are going well or if something unexpected or untoward has taken place. Also, you will have the best chance to correct the issue – whether it’s a supply chain issue, a staff training lapse, a customer service issue, whatever it may be – before it gets out of control.
This discussion has been at a high level, in part because many of the risks associated with any firm’s business will be very specific. The initial example discussed above was for an investment firm, and non-financial firms are unlikely to have a directly analogous activity in their business as few firms report confidential information to clients in the same way. The types of questions that one should ask when identifying a firm’s risks naturally begin at a high level and would include those discussed above about the supply chain. Of course, the internal activities of the firm need to be considered and the risks associated with each of these must be assessed as to their likelihood and potential impact. With this set of information senior management can determine which risks are best managed internally, which activities may best be outsourced, and if appropriate, where insurance arrangements should be made. And there will be some risks that the firm self-insures as such risk events almost never occur.