What is Risk Management?
Life is in no certain terms certain. Simply put it means, Life is Uncertain. This is primarily because of the fact that we cannot anticipate or predict the future. For all I know I may come across a huge stash of gold while digging in the fields tomorrow. But what we as humans can possibly do is presume what would happen with the information and knowledge that we presently have. For instance, if a thief stashed the gold in my field while evading the police, he can presume that when I work in my field there is a fair possibility that the gold gets unearthed. This is a valid presumption. Such presumptions and action taken on the basis of such presumptions lie at the basis of certain tasks involved in management and especially planning. One such task of management that relies on this is Risk Management.
Risk Management is “the systematic application of management policies, procedures, and practices to the tasks of establishing the context, identifying, analyzing, assessing, treating, monitoring and communicating”. Risk management is an essential for all businesses irrespective of their size, location, and nature.
Risk management in a business involves identifying, evaluating and prioritizing risk and thereby on the basis of such evaluation and prioritization using coordinated economical application of the resources for the purpose of minimizing, monitoring and controlling the probability or impact of such risks. It is the process of identifying potential risks in advance, analyzing them and taking precautionary steps to prevent them. Risk management is prominently done when a business makes a financial investment so as to identify the economic risks and their impacts and to tackle them.
According to Wikipedia,
“Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.”
Five Steps of Risk Management Process
Risk management as a process involves the following broad steps:
1. Identify the Circumstances
It is essential to recognize the circumstances in which a risk arises before it can be clearly assessed and mitigated. Firstly, defining the relationship between your organization and the environment in which the risk exists, this helps in identifying the boundaries to which risk is limited. For instance in the strategic context, consider the environment within which the organization operates or in the organizational context, consider the objectives, competencies, employees and goals.
2. Risk Identification
Risk identification is the process of identifying the specific risks associated with the identified hazards. For instance, the presence of inflammable substances is an hazard and it catching fire is a specific risk. The identification of risk does not imply a situation where the management has to factor in distant possibilities. For instance, a management cannot identify a serial killer coming over to the factory at night and taking the flammable liquid to burn his victims as a risk to the hazard. They can but in the next step such a remote risk will be discounted.
Risks may be categorized into legal, physical, financial, or ethical.
Legal risks constitute liabilities to other stakeholders in the business including shareholders, clients, suppliers, staff, or any other concerned party, revoked by a certain event, not in line with federal, state or local government laws.
Physical risks involve injuries, physical assets of the organization such as real estate, plant, vehicles, inventory, lands etc.
Financial risks involve financial assets of the organization including loans, fees receivable, attendances, other fees, insurance costs, lease payments, damage claims and penalties or fines.
Ethical risks involve real or possible damage to the repute or principles of your organization.
3. Risk Assessment or Risk Evaluation
Risk assessment or evaluation involves understanding the various risks identified and determining how dangerous and how likely that particular risk is. The above serial killer example is a very dangerous however insanely unlikely risk and will be categorized so. And a person slipping due to a leaky pipe is a High Risk and a employee stationed under a machine that will fall any moment is a critical risk. The assessment takes two factors into account Severity and Likelihood. A highly severe and a very likely risk will be critical and a highly severe and not very likely risk will be moderate and so on.
This step involves evaluating the probability of occurrence and resulting impact of each identified risk factor and shortlisting over the risks that possibly have the highest impact and should be therefore managed first. The priority of the risk can be evaluated by combining effects of likelihood (probability) and impact of consequences.
The probability of occurrence or likelihood can be based on the 5 scale framework: 1-Rare, 2-Unlikely, 3-Possible, 4-Likely, 5-Almost certain. Similarly, the impact of consequences can be scaled on: 1-Negligible, 2-Minor, 3-Moderate, 4-Major, 5-Catastrophic. Greater the combined score of the parameters, higher the risk factor should be prioritized for mitigation.
If the risk is small or acceptable, they can be continued with minor adjustments/ treatments. However, they should be continually monitored going forward. If the risk is big, it should be mitigated at priority before executing the original plan.
4. Risk Control
Once the risk is evaluated, it has to be controlled. In the case of the worker working under the machine that will fall any moment on top of him, risk control implies primarily moving the worker from under there and then fixing the machine so as it does not fall on anyone. Thus the steps involved are immediate directions preventing the risk and isolating or better removing the hazard to eliminate the risk. The risk control hierarchy includes the following in order of their importance, Elimination of hazard, Substitution of hazard, Isolation of hazard, Exercising restrictive control, Providing equipment etc
Following listed are the standard risk treatment options. These options provide different solutions for different levels of risks which were identified in the previous steps:
Accepting the risk – for instance participating in a sporting event has an inherent risk of witnessing minor injuries.
Avoiding the risk is the decision of either proceeding in the planned direction or opt for an alternate route which has less risk and is in line with the final objective. For example, an NGO aiming to raise funds may decide that rather holding a sporting event, a cultural event is a safer way of raising funds.
Reducing the risk occurrence probability or impact of its consequences or both can be considered while facing a risk, for instance, utilization of complete safety kit for players in a particular sporting event.
Transferring the risk is another option, mostly done through buying insurances. Nowadays, even re-insurance is even getting popular, which can further be treated as a backup of a backup. Other ways include lease agreements, waivers, disclaimers, tickets, and warning signs.
Retaining the risk can be another strategy where one knows that it is an inherent part of the event. For instance, consider a sports betting club, if the risk is not the part of their game, the business would not work. The inherited risk brings in the participant and underlying motivation basis of betting business.
Financing the risk means allocating financial allowances to absorb the consequences of the risk in case it happens. This is a scenario where risk impact is manageable and is not as big as to cause bankruptcy or the like situations for any organization.
After the control measures are implemented it has to be documented. This has multiple benefits such as understanding what was done to tackle a risk thereby allowing similar risks to be tackled in that fashion, to prove that sufficient measures were taken to minimize and eliminate risks and due diligence were exercised etc. It is a appreciated practice
5. Monitor and Review
Monitoring and Review as the final step involves understanding the impact of the control mechanisms developed on the hazard and the risk it poses. If the hazard does not pose the same risk which was intended to be controlled then the control mechanism will be evaluated as successful and if not it will be evaluated unsuccessful and a better solution will have to be developed. This follow up is essential to ensure that no mistake was made and that the risk does not perpetuate
There are risks that do not change and are static in nature. However, other dynamic risks if not continually monitored and reviewed may grow like a bubble and their financial, legal and ethical impacts soon get out of control.