Whether you're crossing the road, ordering rolls from a new location, buying stock in Netflix, or taking an unusual route to work, risks and dangers lurk everywhere. Business faces especially many dangers (it is also very sensitive to them). If you don’t believe (you never know), here are two random facts for you so that there is no doubt about it:
- more than 50% of affected companies cease to exist after natural disasters;
- 48% of SMBs are convinced that a major data breach will shut them down forever.
It is not always possible to avoid risks, but it is quite possible to reduce potential damage. Moreover, risk management does not necessarily have to be a specialized manager or consultant - you can do it yourself (or better, in a team), following the steps, which I will talk about a little later.
But before diving into the risk management process, let's take a step back and understand what risk is all about.
Types of risks
Risk is a potential danger, a random action or the inability to predict an event. With all the variety of risks, by analogy with restrictions, they can be divided into two groups:
- Internal risks that arise within a business. For example, when an employee of a company shares financial information with third parties, when, due to a poor IT security system, attackers can steal your data and the data of your customers, or when the company lacks qualified personnel.
- External risks that originate outside the business but affect how it operates. The clearest example of external risk is the COVID-19 pandemic. The probability of this event was low, no one expected it, but it affected all companies very strongly.
I will deliberately omit here the grouping according to the factors of occurrence (political, economic, production, etc.) - there are so many of them that it is just right to write a separate text for this.
Why you should manage risk
Risk management is the process of identifying and assessing risks, as well as planning and directly responding to threats. The main goal of risk management is to be prepared and have a plan for any emergency. I briefly explained at the beginning that if risks are not managed, it will be bad. But still, why is this?
By managing risks and studying their causes, the company:
- saves money and protects against losses;
- makes the working environment safe and reliable;
- protects team members, clients and partners from potential harm;
- can determine their insurance needs to save money on unnecessary insurance premiums, etc.
In short, when you and your company are ready for various potential challenges, you can grow and develop more confidently.
How to manage risk
The risk management process in any company (and in life too) consists of the same steps: first, risks must be identified; then evaluate; try to soften; monitor the implementation of the plan and the emergence of new risks; report on work to keep the right people in the loop.
Let's look at each stage in more detail.
1. Identify risks
First, write down all the potential events that could negatively affect individual processes or projects of the company. This can take a long time, because not everything will come to mind right away. To make the list of risks more complete, ask other leaders to do the same.
To build on something, it's helpful to ask yourself what events have taken the company by surprise in the past.
In order not to get stuck at the risk detection stage, I advise you to allocate a separate time box for it. Perhaps not just one - most likely, you will be adding risks to the list over time.
2. Assess the risks
Having a list of threats and risks in hand, you can determine the chances of occurrence of relevant events and the magnitude of the consequences. This will help prioritize risks so that resources can be allocated wisely.
For evaluation, you can use a simple matrix:
For each risk on the list, determine the likelihood of occurrence and the level of damage that it will cause, and write the risks in the appropriate boxes.
It is better that such a matrix is interactive so that the risks can be moved if something changes in relation to them. To do this, the matrix can be made either in the task manager with kanban boards, or in Google tables, or on a virtual board, such as Miro. By the way, all these options are possible in WEEEK.
3. Mitigate risk
This is the main stage of risk management. This is where you create a plan to mitigate them through concrete action. In addition to mitigation measures, the plan also includes measures to prevent risks, and actions for emergencies when the risk has materialized. You may not be able to come up with a plan for every risk, but you should at least try to determine what changes can be made to business processes to reduce potential damage.
Start with the risks in the red boxes. Assign a responsible person and write down for each risk an action (or several) that will help reduce the damage. That is, it does not have to be some kind of multi-stage plan - one idea may be enough. For example, if there was a problem with laid-off employees who, in order to spoil the companies, entered the cloud with their old password and deleted important files, you can set a rule to generate a new password after each employee leaves. Better yet, every month.
Risk Management Approaches
At this point, you might have the impression that risks are mostly avoided or mitigated, but in fact, there are several different tactics for dealing with risks:
Risk avoidance.. While it is impossible to completely eliminate all risks, you can try to get rid of as many threats as possible in order to avoid dire consequences.
Risk reduction.. Sometimes you can reduce the damage from risks by adjusting the overall plan or internal processes in the company.
Risk sharing.. You can also share the risk between team members or entire departments to reduce damage. Risks can even be transferred to a third party.
Saving risks.. Sometimes, a company decides that the reward associated with the risk is worth it, and it is better to leave the risk and deal with the consequences.
4. Watch out for risks
Now that you have a risk management plan, you need to monitor its effectiveness and the emergence of new risks. That is:
- see how things are with the existing risks;
- keep an eye on whether new ones have appeared;
- monitor how effectively your plan reduces damage;
- Discuss it all with interested team members.
And all this happens throughout the risk management process.
5. Report the risks
At first I did not understand why there were some reports here.
But then it dawned on me that risk reporting serves two important purposes:
- you have the opportunity to analyze, evaluate and improve the risk management plan;
- risk reduction progress becomes shared because the whole team can participate in this work. The common cause, "part of the ship - part of the team", that's all.
In general, the topic of risk management is very interestingly connected with the unity of the team. You cannot do this alone, and in order for colleagues to take part in risk management, you need to somehow motivate them. Alternatively, the same risk reporting can be integrated into the overall one to tell one big success story. People love such stories, especially when they are directly involved in them.
This is where our little dive into the world of risk management ends. We literally looked at the other side with one eye, but this is already enough to understand what this important process is. I will return to this topic in future articles, but for now, follow the five-step sequence that I described above, attach the team and do not take risks in vain.