All firms, regardless of size, face risks in their
activities. There are a few steps one must take to ensure these risks do not
result in bad outcomes. And following through on these should not be deemed a cost, but rather
an investment in more effective and profitable growth for your firm.
Identifying the risks is the first step in the risk
management process. One needs to take care to ensure that all of the risks are
identified. Whether you plan to manage the risks, offload some risks by using
an insurance arrangement or outsourcing the activity, or simply decide the
probability of a bad outcome is sufficiently low that you can safely ignore the
risk, you need to identify all
of the risks facing your business.
possible. If you have been successful and not missed
anything, the pat on your back will be well-deserved. But that is very unlikely.
And don’t beat yourself up over having missed a few things.
To ensure training conforms to current
activities, the documentation has to be current. Only then can you “pass the
bus test” and the back-up person filling in for an absentee can perform the
task correctly and in a timely manner.
A useful way to think about risk management is
applying the old adage that the chain is only as strong as its weakest link. In
this context that means every staff member has to “get it.” Getting it means
they have been trained and understand their job and are able to carry
out their tasks properly. This includes highly skilled and experienced individuals as
well as new staff.
I’m reminded of my former London-based firm’s
policy of hiring disadvantaged school leavers to give them an opportunity they
wouldn’t otherwise have. One was a 17-year-old woman who had never worked
before, and I was tasked with providing an induction to risk management. This
was part of the process the firm employed with all new employees so that early
on they would be introduced to all activities of the firm and be better able to
perform their role. I have to admit that initially I was at a loss in this case.
Then I asked her what tasks she had been told that she would perform. Her reply
gave me what I needed to bring her to the point where she “got it.”
She said that one task she would be responsible for was
sending out monthly reports to clients. This meant she would be printing and
binding the reports, placing them in FedEx envelopes and passing them to the
FedEx driver the first few days of each month. I pointed out that this was a
very important task as each client needed to receive their report in a timely
way each month. And I also noted that this meant that the reports had to be
placed in the correct envelope with the client’s address on it. If there was a
mix-up, that would mean we had disclosed confidential information of a client
to an unauthorized third party, which is a breach of contract, and this might
result in being fired by the client resulting in the loss of many thousands in
revenue each month.
When I explained this she was very worried that she would
not be able to perform this task as there was such a large associated risk. I
continued our conversation by saying there is a straightforward way to nearly
eliminate the risk of a mistake. She could prepare all of the reports for
shipping, place them in their respective envelopes and before sealing the
envelopes, go back and check that the account codename corresponded with the
client’s address on the envelope. Then she could seal the envelope knowing the
correct report was going to the addressee.
She agreed that following this procedure would substantially
mitigate the risk of sending a client the wrong report. So I asked her to draft
the procedure, I reviewed it confirming it was appropriate, and incorporated it
into the firm’s overall procedures manual for future reference by any person
responsible for sending out monthly reports. I should also say that for the
next three years that reports were sent this way, all reports were sent to the
correct client.
I should also point out that the overall procedures manual
was a key element of developing and implementing an effective risk management
framework.
We’ll take a simple example of a firm that
produces items that other firms use to create things to be sold to end users.
That is, your firm is a member of the supply chains of your customers’
businesses. Your customers have selected you because you provide a quality
product that they rely on to create the products they sell to their customers.
So what do you need to worry about?
This list could be quite long. Your business
almost surely also relies on a supply chain. Most if not all of the following are concerns for any business.
- Are all members of your supply chain reliable providers of the input you need?
- Have you assessed this attribute across your entire supply chain?
- What contractual arrangements are in place with these firms?
- Do you have recourse should one or more of them experience a business disruption?
- Do you hold input inventories to guard against such a disruption impacting your ability to deliver to your customers?
- How long will your inventory allow you to meet your obligations to your customers?
- Is this time sufficient to source an alternative supplier to meet your needs going forward?
- Do you maintain current lists of alternative suppliers to make supplier replacement a straightforward activity?
Now let’s look downstream toward your customers. How is your
output delivered to each of them? Do you have a fleet of delivery vehicles that
you manage? If so you probably see the many levels of complexity associated
with this aspect of your business. Alternatively, you may outsource this by
contracting with a logistics firm such as UPS, FedEx or the Postal Service.
Each of these businesses has a reputation for reliability and it may be well
worth outsourcing deliveries. This may even result in improved margins as your
cost of shipping falls. Also there are obvious alternatives should a local
office of one of these suppliers be hit by a fire, say. But you still need to
be aware of the options and be ready to shift gears to keep your production reliably
arriving at your customers’ locations.
These last two sets of risks are all associated with
activities upstream and downstream from your firm. Regardless of the specifics
of your firm and its clientele, these external risks likely are very important
to the success of your firm, and therefore need to be managed.
Of course your own firm’s internal activities are exposed to
risks and these will be highly specific to your production processes. All risks
to which your processes are exposed need to be identified and assessed. Once
the impacts of risk events have been assessed you will be in a position to
determine whether the risks are manageable, whether in some instances the
downside is too great and sufficiently likely that an insurance arrangement may
be appropriate to offload the risk, and for some activities whether outsourcing
may be a more cost-effective option.
Of course in all cases your processes should be documented
for the usual reasons:
- training of new staff,
- increasing the reliability of production activities, and
- ensuring that absenteeism does not impact production.
And this internal documentation should be viewed as an investment in the
firm’s business reliability. It also eases the burden of any regulatory
inspection or due diligence by a potential acquirer of the firm, as well as making
standard audits less time consuming. These returns are rarely accounted for but
are benefits from devising and maintaining comprehensive and up-to-date
documentation.
The final step, monitoring your firm’s activities, is
extremely important as only by doing this will you know things are going well
or if something unexpected or untoward has taken place. Also, you will have the
best chance to correct the issue – whether it’s a supply chain issue, a staff
training lapse, a customer service issue, whatever it may be – before it gets
out of control.
This discussion has been at a high level, in part because
many of the risks associated with any firm’s business will be very specific.
The initial example discussed above was for an investment firm and
non-financial firms are unlikely to have a directly analogous activity in their
business as few firms report confidential information to clients in the same
way. The types of questions that one should ask when identifying a firm’s risks
naturally begin at a high level and would include those discussed above about
the supply chain. Of course, the internal activities of the firm need to be
considered and the risk associated with each of these must be assessed as to
their likelihood and potential impact. With this set of information senior
management can determine which risks are best managed internally, which
activities may best be outsourced, and if appropriate, where insurance
arrangements should be made. And there will be some risks that the firm
self-insures as such risk events almost never occur.