If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business. - Gary Cohn, American Business Leader IBM
2020 taught us two distinct things: organizations are capable of adapting to monumental change, and identifying and eliminating risks must be a central focus for survival. A risk management plan does not need to be extensive and complex. It does, however, need to be approached with a proactive mindset rather than a reactive one.
Most organizations already have risk management in their organization, even if they do not realize it. If you survived through 2020, your organization had to develop a plan and implement procedures for the pandemic, thus you identified, prioritized, implemented solutions, and most likely have a process of monitoring those risks. Now we need to take a proactive look at other existing risks. Allow yourself to be pessimistic when identifying risks. Ask yourself, what is the worst thing that can happen? How much do we risk losing if we do not act?
To identify risks, we start with looking at the bigger picture, not just the obvious of the main financial aspects such as loss of sales, customers, or suppliers. Expand your risk thinking to all areas of your organization. These can include Reputation of Brand, Human Resources, Logistics, Operations/ Production, Safety, Maintenance/Equipment, Workforce, Quality Systems, Information Systems/Cyber Security, Regulatory functions, and Infrastructure. Think about these areas of downstream customers within your organization and ask yourself what it takes to satisfy each of these customers.
Each organization has its risks. By following a systematic plan for identification, prioritizing, implementing solutions, and monitoring risks, we then can say we have a risk management plan. Let’s review the systematic approach to a risk management plan.
First, an organization needs to identify existing risks, and identify possible future risks. Remember to approach identification with proactive thinking. Some common approaches for risk identification are given below:
Get input from all members of an organization. We tend to get tunnel vision when we work only in silos. Some of the best risks are identified from those new eyes.
Strengths-Weaknesses-Opportunities-Threat (SWOT) is very simple and helpful for identifying risks within the organization and external threats. Using this tool while brainstorming can be very effective. Every department can use this tool to drill down the threats that are unique to them, then combine them to identify like threats.
After we identify risks in our organizations, we need to consider the frequency and severity of the risks. Simple tools, such as a risk assessment matrix, can assist in prioritizing your organization's risks by assigning a risk rating numeral system or color-coding. Organizations can make their own matrix, based on what works for them.
See the example below:
The matrix is a visual indicator of severity and the frequency of a given risk, thus allowing an organization to focus on the most detrimental risks identified.
After identifying and prioritizing risks, you must act on eliminating said risks within your organization by developing a Risk Action Plan. This plan should outline the risk, the action/ solution including any external resources needed, an owner of the action, and a timeline for implementation. Encourage cross-functional team members and communicate the progress often through the implementation process.
If possible, use measurables as indicators if risks are negated or eliminated. Example: Loss of business contracts may be at risk because of an organization’s weak Quality Management System (QMS). More and more customers and suppliers require a robust QMS and proof of ISO certification to conduct business with an organization. Measured positive data including results of internal audits, customer satisfaction, and decreased complaints are examples as evidence of a robust QMS system and will negate the risk of losing business.
Risks can be unique to an organization and are constantly changing and developing. The Risk Management system is never to be viewed as completed progress. A global pandemic reminds us that organizations need to adopt a mindset of “what if.” Proactively thinking about ever-evolving risks and understanding the path to risk reduction is key for an organization to be successful. Without a risk plan, your organization is a risk.
Disruption is a change from the normal – and 2020 is the epitome of change. Even as you work through the uncertainty of today, it’s essential to let past reactions inform your future risk plan.
This webinar highlight tools to guide you to craft a disruption plan that will limit the negative impacts of the next inevitable change.