The Business of Risk

Risk in business is inevitable – in fact it is essential. A business which does not take commercial risks will not grow and a business which does not grow is doomed to decline.


Yet, by and large, people in business, as in life, are risk averse, seeking, where possible, to follow the path which provides the lowest perceived risk.

That is not to say that business leaders should behave recklessly, taking unnecessary risks with little regard to the consequences – rather, they should take managed risks and it is the job of the board to ensure that the risks are managed robustly and rigorously.

Businesses need to identify the risks that they face, think of ways in which they might reduce the impact of each risk on the operation of the business, and focus first on the risks with the highest likelihood of occurrence and the greatest impact on the business.

In so doing, it is useful to group the risks into a number of categories. The following is a list of frequently used categories of risk:

  • Strategic
  • Operational
  • Financial
  • People
  • Regulatory
  • Governance
  • Reputational

Strategic Risks are the overarching risks the business takes when it sets or modifies its direction of travel. These risks can be external, when the business is affected by changes in the environment in which it operates, or internal, arising from the adoption of an inappropriate strategy or the setting of unrealistic objectives.

Operational Risks arise from the delivery of the goods or services which the business undertakes.

Financial Risks are to do with the management and flow of the business's finances.

People Risks are associated with both the employment of staff and, for a charity, the involvement of volunteers.

Regulatory Risks are concerned with the legislative framework within which the business operates.

Governance Risks are to do with the way the business is organised and run.

Reputational Risks are any aspects of the activities of the business which would affect its reputation.

Identifying Risks

A good place to start with identifying risks is the Business Plan or overall strategy document for the business.

SWOT analysis

A useful tool to help identify risks is an analysis of the strengths and weaknesses of the business, the opportunities available to it, and any potential threats to its success.

This analysis can be done at a strategic or operational level within the business to produce a number of items within each quadrant. Sometimes items will appear in more than one quadrant, as a strength can also be a weakness. For example, the involvement of a large number of staff in running a social enterprise is a strength, as they are more likely to be engaged with the business. It can also mean that the decision-making process is longer and less effective than in an organisation with a leaner management structure, so it may also be seen as a weakness.

Although people thinking of risks usually focus on the negative aspects (what can go wrong), it is also useful to think of the ‘positive’ risks presented by opportunities.

Once risks have been identified they can be entered into the risk register so that they can be prioritised and managed.

The Risk Register

The risk register is a list of the identified risks faced by the association prioritised in order of likelihood and impact.

It is a tool to enable the board to satisfy itself that the business's risks are being managed effectively and should be viewed on an exception basis, for example always reviewing the top five risks plus those risks which have either increased or decreased in likelihood or impact since the previous review.

Each operating unit or department of the business will also have its own risk register, which will feed into the overall risk register for the company.

The format of a typical risk register is likely to consist of a table with the following headings:

  1. Risk Category
  2. Risk Description
  3. Risk Mitigation
  4. Likelihood
  5. Impact
  6. Ranking

The most important elements of the risk register are (2) the description and (3) the mitigation.

Risk Description

A clear description of the risk including, where possible, examples to illustrate the nature of the risk, for example:

Risk: Lack of a clear understanding of the market for high-precision widgets

Example: The research department develops a new product which sells in very low numbers and fails to make a return

Risk Mitigation

A description of the actions the business is taking and the controls that are in place to minimise or remove the risk, for example:

Mitigation: Regular review of high-precision widget market

Controls: Monitoring of product sales to identify buying trends

From SWOT to Strategic Risks

For each item in the SWOT table it should be possible to identify one or more risks which are represented by the Strengths, Weaknesses, Opportunities or Threats.


Strengths

Risks in this category are generally those that would reduce the identified strength, making it less of an asset to the organisation. Strengths will provide the organisation with commercial advantages or differentiators to existing competitors or act as barriers to entry to new market entrants.

Organisations never exist in a vacuum and there is always competition, either for the customers or for the customers’ funds, which will seek to erode the advantages and dilute the differentiation.

For each risk there should be one or more measures that will predict the likelihood of the risk becoming a reality and it should also be possible to identify controls which can be put in place or actions which can be taken to mitigate, reduce or remove the risk.

Weaknesses

Having identified the organisation’s weaknesses, the most logical step is to make plans to strengthen or remove them or reduce the impact that they might have on the business if they continue to remain as weaknesses.

Risks in this category are associated with not making those plans or taking actions to address the weaknesses, or with any factor which might make the weaknesses worse or increase the negative impact that they might have.

Opportunities

Risks associated with opportunities are mostly those of missed opportunities – not being able to capitalise on the organisation’s strengths or market position to take opportunities which would advance the achievement of the strategic vision or strengthen the ability to match competitors.

Threats

Threats are those things which might have a negative impact on the performance of the organisation and the risks are to do with failing to mitigate, minimise or remove the threats.


