    The huge catastrophe caused by the BP oil spill in the Gulf of Mexico can teach medium-sized businesses about risk management. BP clearly did not adequately assess the risk and failed to put in place procedures for managing potential risk and the results of a risk being realized. In a column in The Globe and Mail, Ian Brown quoted an unnamed person who admitted: “This is what I don’t understand. If BP doesn’t know how to cut off the well, why are they drilling at the bottom of the ocean in the first place?”

    Despite the fact that BP probably has an “army” of risk managers, they have not succeeded. Does that mean that risk management is a waste of time? Not in my opinion. In fact, most medium-sized businesses neglect to do any conscious risk management beyond covering those risks that are commonly insured. I submit that there are numerous very simple, cost-effective steps that most businesses could implement that would be well worth the time and the small amount of resources involved.

    Consider the recent global fiscal crisis, during which Canadian banks have been called by some the best in the world. This belief was essentially based on the relatively conservative regulation and risk management in Canadian banks. If this worked for them, do you not have at least as large an interest in the long-term viability and profitability of your business? I am not suggesting that you engage in the sophisticated risk management appropriate for a global financial institution, but that you should consider investing proportionately considerable resources. Accept that “stuff happens” and that if you consider the implications you can often manage your risks.

    As I started to write this article, I realized I was focusing more on the tactics, rather than the need to provide readers with a strategic framework for risk management. A Wikipedia article I came across provided much of the content (to which I give all due credit here).

    The key steps in risk management consist of the following elements:

      1. identify, characterize, and assess threats;
      2. assess the vulnerability of critical assets (tangible and intangible) to specific threats;
      3. determine the risk (i.e. the expected consequences of specific types of attacks on specific assets);
      4. identify ways to reduce those risks; and
      5. prioritize risk reduction measures, based on a strategy.

    Risk management should:

      • create value;
      • be an integral part of organizational processes;
      • be part of decision making;
      • explicitly address uncertainty;
      • be systematic and structured;
      • be based on the best available information;
      • be tailored;
      • take into account human factors;
      • be transparent and inclusive;
      • be dynamic, iterative and responsive to change; and
      • be capable of continual improvement and enhancement.

    The first step in a risk management process is to identify all risks and then to prioritize the list by estimating the size of each risk (often the maximum anticipatable cost) and the likelihood of the event occurring.

    A fundamental difficulty in risk assessment is determining the rate of occurrence, since statistical information is not available on all kinds of incidents. Furthermore, evaluating the severity of the consequences (impact) is often difficult. The difficulty in obtaining accurate data should not prevent one from engaging in the assessment process. Where no data is available, estimates will usually result in valuable information that can provide a basis for management. Risk assessment should produce information for the organization’s management such that the primary risks are easy to understand and risk management decisions can be prioritized.

    There have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:

    Risk = Rate of occurrence × Impact of the event

    The above formula can be expressed in terms of a Composite Risk Index. The impact of the risk event is assessed on a scale of 0 to 5, where 0 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses). The probability of occurrence is likewise assessed on a scale from 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence. The Composite Risk Index, the product of the two scores, thus can take values ranging from 0 through 25, and this range is usually arbitrarily divided into three sub-ranges. Further, both of the above factors can change in magnitude depending on the adequacy of the risk avoidance and prevention measures taken and on changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify or relax mitigation measures as necessary.
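As an added example (not from the article or its Wikipedia source), the following small Python risk register scores each entry with the Composite Risk Index described above, orders the list for prioritization, and re-scores a risk after mitigation; the three tier cut-offs and the sample risks are assumptions, since the article says the division of the 0–25 range is arbitrary.

```python
# Added example: a minimal risk register using the Composite Risk Index
# (likelihood 0..5 multiplied by impact 0..5, giving an index of 0..25).
from dataclasses import dataclass

SCALE_MAX = 5  # both factors are scored on a 0..5 scale

# The article says the 0..25 range is "usually arbitrarily divided into three
# sub-ranges"; the upper bounds below are an assumption for this example.
TIERS = ((9, "low"), (16, "medium"), (25, "high"))


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 0 = cannot occur, 5 = certain to occur
    impact: int      # 0 = negligible loss, 5 = maximum loss

    def __post_init__(self):
        # Reject scores outside the 0..5 scale so the index stays within 0..25.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be between 0 and {SCALE_MAX}, got {value}")

    def index(self) -> int:
        # Risk = rate of occurrence x impact of the event
        return self.likelihood * self.impact

    def tier(self) -> str:
        for upper, label in TIERS:
            if self.index() <= upper:
                return label
        return "high"  # not reachable once the scale has been validated


def prioritize(register):
    """Return the register sorted so the largest composite index comes first."""
    return sorted(register, key=lambda r: r.index(), reverse=True)


def reassess(risk, likelihood=None, impact=None):
    """Re-score a risk after mitigation or a change in the external environment."""
    return Risk(risk.name,
                risk.likelihood if likelihood is None else likelihood,
                risk.impact if impact is None else impact)


# Constructed sample register for a medium-sized business (illustrative only).
REGISTER = [
    Risk("server room fire", likelihood=1, impact=5),
    Risk("key supplier insolvency", likelihood=3, impact=4),
    Risk("staff laptop theft", likelihood=4, impact=2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:25s} index={r.index():2d} tier={r.tier()}")
```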

    Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

      • Avoidance – eliminate, withdraw from, or not become involved;
      • Reduction – optimize processes and mitigate;
      • Sharing – transfer risks to others, e.g., outsource or insure; and
      • Retention – accept and budget.

    Risk avoidance includes not performing an activity that could carry risk. An example would be not buying a business in order to avoid taking on the liability that comes with it. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential profits and benefits that accepting the risk may have allowed.

    Risk management also faces difficulties in allocating resources, as there is an opportunity cost to utilizing resources on risk management. Resources spent on risk management could sometimes be spent on more profitable activities. Ideal risk management minimizes both spending and the negative effects of risks, or at least strives for a balance between taking risks and striving for perfection and absolute, risk-free certainty.

    Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage of hazard prevention is the elimination of hazards. The second stage is mitigation.

    Risk reduction or “optimization” involves reducing the severity of the loss or the likelihood of the loss occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. Optimizing risks recognizes that risks can be positive or negative and therefore involves finding a balance between negative risk and the benefit of the operation or activity, and between risk reduction and the resources committed to risk management.

    Risk retention involves accepting the loss, or the benefit of gain, from a risk when it occurs. Risk retention is a viable strategy for smaller risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is a common example, since most property and risks are not insured against war, so the loss attributable to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is a retained risk.

    Create a risk management plan and select appropriate controls or counter-measures for each risk. One advantage of a written risk plan is that it is often a good way to ensure that the many different perspectives on each risk are considered. Without the disciplined, structured approach that a comprehensive plan brings, it is too easy to forget about some of the stakeholders affected by a risk. Examples include the community surrounding a facility, the families of staff, governmental agencies, and so on.

    Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organization should have a top-management decision behind it, whereas IT management would have the authority to decide on computer virus risks.

    Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that are to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity’s goals, reduce or share the others, and retain the rest.

    Whereas risk management tends to be pre-emptive, business continuity planning (BCP) deals with the consequences of realized residual risks. The necessity of having a BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. Risk management also proposes applicable controls for the observed risks, and therefore covers several areas that are vital to the BCP process. However, the BCP process goes beyond risk management’s pre-emptive approach and assumes that the disaster will happen at some point.

    In next month’s article I will describe some specific tactics with low cost and resource requirements that I have seen implemented at small and medium-sized businesses.

    About the Author
    James Phillipson is a Chartered Accountant and a Principal of Mastermind Solutions Inc. with over twenty years’ experience in large and small businesses. He has provided financial counselling to his clients since 1996, often in the role of a Controller or Chief Financial Officer. James has experience in financial roles in a wide variety of businesses and industries.

