A basic risk management framework and processes will add value to your business, protect you from surprises and support your business in building long-term sustainable competitive advantage.
Risk management is not overly complicated and all organisations have been doing this in one form or another for as long as they have existed. Sadly too many rules and regulations forced the focus of risk management to centralised controls and an over-emphasis on quantification as the keys to managing risk.
No information technology system, no amount of data analysis, and certainly no mathematical model, can mitigate risk; only people can.
During the recent economic downturn, a number of problems began to reveal themselves, some of which had been implemented without due consideration:
There was an over-reliance on the use of financial models, with the mistaken assumption that the “risk quantifications” (used as predictions) based solely on financial modelling were both reliable and sufficient tools to justify decisions to take risk in the pursuit of profit.
There was an over-reliance on compliance and controls to protect assets, with the mistaken assumption that historic controls and monitoring a few key metrics are enough to change human behaviour.
There was a failure to properly understand, define, articulate, communicate and monitor risk tolerances, with the mistaken assumption that everyone understands how much risk the organisation is willing to take.
There was a failure to embed enterprise risk management best practices from the top all the way down, with the assumption that there is only one way to view a particular risk.
(*“The 2008 Financial Crisis, A Wake-up call for ERM”)
Transform your approach
To mend economies it is important for the SME sector to change the way they look at risk management and transform their businesses to have better risk management capabilities. SMEs should have a more formal approach to risk management, but must be careful not to overdo it.
Do not build complicated structures that will just irritate your staff, but build a framework and process that will support everyone in the business to take better (risk-aware) decisions. Help them to control and optimise risks; and keep them motivated to build long-term sustainability for the business.
SME business leaders need to answer three questions:
What are the key risks in your business that will prevent you from achieving business goals?
How do you evaluate and control any large changes in the risk profile or any new risks your business might face?
How will you communicate these in your business?
Identify key risks
Do you actually know what the business goals are? Very often SME leaders think that this is not required for a business their size and that they are the only ones who should know where they are going. This is only true if your business is a one-man show.
All employees should know what the business objectives are and they will then be able to identify the risks associated with those business goals and focus on those that will prevent them from reaching those business goals. If a risk is not going to prevent you from reaching such targets, it is not a risk to worry about.
Once you have identified these risks, the next step is to plot them in a simple risk profile. It is of no use looking at any risk in one dimension only; all risks must be evaluated in two dimensions. First, how often can it happen (the frequency) and secondly, how bad is it if it does happen (the impact).
From this simple risk profile you can then identify the top five or top ten risks and proceed to formulate your action plans on how to mitigate, control or optimise these risks to the benefit of your business.
Risk treatment can also include the option of risk transfer; this is normally where you take out insurance for certain risks that you find too large to accept. It is important to discuss your risk profile and your business’ risk management culture with your insurance broker or underwriter so as to obtain the optimum insurance cover at the best price. If you practise good risk management principles within your business, you should be paying less in premiums than a comparable business with no risk management process.
Evaluate changes in risk
The risk profile is a snapshot in time and many internal and external factors will influence your risk profile. You have to adjust your risk management strategies accordingly.
Therefore, you need a process to assess the large changes internal to your business and for the same reason, you also need to be cognizant of external changes and the effect those will have on your business.
If any internal or external change will affect the way you do business, or the way you planned to achieve your business goals, you need to re-assess your risks and re-plot your risk profile. Doing this will help you to effectively implement new action plans to mitigate, control and optimise those risks to your advantage.
Communicate the risks
The quality of your risk management is not measured by the size of your risk register or the thickness of your risk report. In most SMEs there might not even be a need for any kind of formal risk report. The key to effectiveness is the efficiency and value of your risk nervous system running through your business; this is the accuracy and speed of risk communications flowing up and down in your business.
A risk nervous system is just clear pathways in your business that carry the flow of risk information in your business. Risk information needs to be shared at all levels within your business to enable everybody to take the right decisions to mitigate, control and optimise risks to the benefit of the business. A very important factor in your risk nervous system is that bad news must travel faster than good news – this is pivotal to the survival of any SME.
Where to begin
Implementation of risk management in your business can be achieved through five easy steps. The basic principles are to build on processes, systems and data that you already have and just place a risk-focus on them. You may not require all the aspects mentioned under each step as your risk management framework must be relevant to your business requirements and must be aligned to the corporate culture within your business.
A clear strategy and policy
The risk management strategy must set a clear direction to follow for all employees. It must also cover all business areas and a clear commitment to continuous improvement must underpin the risk strategy.
In addition, it must be a cost-effective approach: what is needed and relevant for your business in order to reduce and prevent financial losses.
Create structure and culture
Put in place an effective management structure to deliver the policy. All employees should be motivated and empowered to evaluate the risks associated with their jobs and take risk-informed decisions. All employees should also be committed to protecting the long-term success of the company.
The risk management policy acts as a guideline for operations and a filter for decisions. Effective communication will ensure full employee involvement and participation, and the sustained effective communication and promotion of competence will ensure success.
A positive risk management culture is fostered by the visible and active leadership of the owners and executives. Therefore, encourage all employees to freely share ideas and best practice.
Implement a plan
Have a formal planned and systematic approach. Decide priorities and set objectives to mitigate, control or optimise risks, with regular assessments of controls in terms of their design and effectiveness, but guard against costly over-controls.
Effectively arrange for the transfer of risks (insurance) where applicable and establish the overall risk profile—have a consolidated view of the business, establishing performance indicators and key risk indicators as required.
Set risk performance standards to measure against and introduce pro-active self monitoring of all internal and external risk factors. It is important to investigate why controls failed, which can be achieved through re-active monitoring and causal analysis.
Scrutinise internal and external risk events and their effect on the company’s risk profile and identify the underlying causes and the implications for the design and operation of the risk control system.
Audit and review
Use public information to do an external comparison with competitors and best practice – learning from all relevant experiences and events and then applying the lessons is paramount (it is better and cheaper to learn from the mistakes of others than from your own mistakes).
Also, revise policies, systems and techniques as your business grows and when external and internal factors force changes. Make a relevant risk disclosure in annual financial statements, whether required by regulation or not.
SMEs do not require complicated risk frameworks, detailed regulations or expensive software systems to drive real value from risk management; just the basics of risk management will go a long way in adding true value and building sustainable competitive advantage. The future of risk management and corporate survival lies in making every employee a risk manager.
Horst Simon is the Director of Operational Risk at Horwath MAK Risk Consulting in DIFC, Dubai. He is responsible for risk management consulting and training. He is also the Owner of the Risk Culture Builders – a group on LinkedIn and a regular speaker on People Risk and Risk Culture Building at International Conferences. He can be contacted at firstname.lastname@example.org