
How to develop an effective business risk management plan


I am "CA" Atreya (PMP, MBA), the author of this blog. I help businesses in Atlantic Canada achieve their BHAG successfully. You may subscribe to this blog using a feed reader (RSS).

Let's get this straight. If a risk has already occurred in your business and you are looking at solutions (i.e., reacting to the risk), then it is an issue - a problem. It is no longer a risk. Let's go back to the definition of risk. Risk is the possibility that something good or bad is likely to happen in the future. So when a risk has occurred, there is no such thing as probability: the risk has turned into an event. The underlying premise of developing any risk management plan is that the risk has not yet occurred.

Risk management is a continuous and iterative process in which you are constantly evaluating your good and bad risks and their probability of occurring, and planning what you would do if a risk occurs. If you have not thought about a particular risk and it occurs, then you will immediately switch into a reactive mode and make decisions that you have not thought through. Risk management is all about being proactive.

Developing an appropriate risk management strategy takes considerable effort and planning. One approach is to look at each functional area of your business and plan your risk management strategy at a strategic, tactical, operational and execution level. However, before you get all excited and jump into the exercise of identifying risks, you need to define your business goals.

Risk - Business Strategy Fit


Your business strategy and goals should already be in place. Once you have broken your goals down into measurable units, it becomes easier to do the risk assessment exercise. Risk assessment and its management must always roll back to your goals. Be careful about what you decide are going to be your corporate goals. I find that putting things down in a matrix format helps me. If I cannot fit things into a box, then I have to give the strategy and goals more thought. Row headings outline each functional area and column headings outline the time-lines.

Tactical plan
The tactical plan is where you define how you are going to achieve your strategic objectives. For example, if your marketing and sales objective is to increase customer base to 300% in five years, then your tactical plan defines the accomplishments that need to happen in years four, three, two and one. If you think of a ladder, the topmost rung is your strategic objective, while the rungs that lead up to it are your tactical plans.

Operational plan
Your operational plan is where you define the accomplishments you need to do in the first year to meet your tactical objectives.

Execution plan
Your execution plan consists of your weekly, monthly and quarterly plans to meet your operational goals.

Does everything fit?


When you do your planning, make sure your financial, marketing and sales, HR and operations plans are all in sync, i.e., if you need to increase revenues by 300%, you need to hire more people and increase production capacity accordingly. Usually your corporate goals will be either financial or marketing & sales in nature, and your HR and operations goals will be a function of these two. You can't have a financial goal of increasing revenues by 300% and be cutting staff at the same time.

The risk management process


Once you have your goals defined, you need to figure out what risks will impact your goals. By this I mean what events could occur that will hamper your desire to meet your stated objectives. Undertaking a risk management exercise without having a clear idea of your objectives is an exercise in futility.

In one of my earlier posts, I have mentioned a few risk management tools to help you with this exercise. Developing a risk management strategy is a 3-step process:

Identify your risks,
Quantify your risks, and
Develop a risk response plan

Say you decide your business strategy is going to have just one goal: to increase revenue to 10 million in 5 years. It's usually hard to look out into the future for more than one year. The rapid descent into recession in the latter half of 2008 bears testimony to that. How many people would have access to the necessary data to make that call? In fact, how many would even know how to read the economic data to arrive at the right conclusions? Not many. Even the vast majority of those who had access to detailed economic indicators and data failed to see the speed of descent. So I would focus my risk management efforts starting from Execution to Operational to Tactical to Strategic. Remember: set goals by moving from strategic to execution and assess risks in the reverse order.

For each of the above risks, your risk management strategy needs to work through the following steps.

1. Identify the risk that could impact your goal


Remember that the impact could be positive or negative. A great place to start would be a SWOT analysis (Strengths, Weaknesses, Opportunities and Threats). Events that could increase your Weaknesses and Threats are good candidates for negative risks, and events that decrease them are good candidates for positive risks. Similarly, events that could increase your Strengths and Opportunities are good candidates for positive risks, and events that decrease them are good candidates for negative risks. Another tool you can use is PEST analysis (Political, Economical, Social and Technological factors). Use the goals framework to identify and associate each risk with its respective bucket.

You cannot do this exercise alone. You need to brainstorm with your colleagues, mentors, employees and, if you have never done this before, a risk management consultant.

Within each functional area of your organization, you can even look at each process and identify risks along each process. For example, the objective of the marketing and sales process is to make a sale: product development, pricing, promotions, lead generation, lead contact, moving the lead to sale, offering the product as a demo, gaining the prospect's trust and establishing a relationship, closing the sale. Of course, not all of the above may apply to your business and I may not have included all the tasks. But you understand what I am getting at. Once you have identified each step along the process, it becomes a bit easier to think, "What could go wrong in this step?" or "If I am flooded with orders, can my production team handle the volume?" The questions you ask are the risks. Document them. This document is your risk register.

2. Quantify the risks you have identified


Here is where we leave the realm of science and precision and enter the world of art. For each of the identified risks, figure out its probability of occurring. You could define the occurrence of each risk as a percentage or just as High, Medium and Low. It all boils down to your judgment and experience and, more importantly, your perception of the future.

Against each risk in the risk register, determine the impact if that risk were to occur. If two of your key employees quit, will it positively or negatively impact your goals? Write down details on how the risk will impact your business.

Arrive at a risk rating by combining the impact and the probability of occurrence. I prefer numbers so that I can rank them, but it's your choice what you use for a risk rating. Example of how to arrive at a risk rating: Suppose you determine that the impact of a certain key employee leaving your organization will cost you $40,000. You also determine that the probability of this risk occurring is 40%. The risk rating in this case would be 16000. Go through this exercise with each of your risks. I am guessing by the end of this, the risk with the highest rating will have the highest priority and the others will follow in decreasing order of ratings.

3. Plan a response to each identified risk


Now that you have rated each of your risks, you can then decide what to do if the risk were to occur. You can:

Mitigate the risk: This implies that you find ways to reduce the probability of the risk occurring or try to reduce its impact. Usually, it's the latter we can control.

Accept the risk: Sometimes you just have to accept the fact that there is nothing you can do if the risk occurs.

Transfer the risk: Think insurance. You are transferring your risk of something bad happening to another party, for which you typically pay a premium.

Avoid the risk: This typically would mean changing your goals and objectives entirely. The most radical form of risk avoidance would be to shut down your business.

Exploit the risk: If a positive risk were to occur, how would you exploit this opportunity to further your goals and objectives?

One final point. Do not let your initial plan gather dust. Frequently, considerable effort is expended to develop and document the initial plan, and then no one looks at it for the next year. Do yourself a favor: review and update your risks at least every quarter. You'll be surprised at how the risk priorities change in as little as three months. Ignore risk management planning at your own peril!
