Risk Management in Business

Kaplan and Garrick (1981, p. 12) provide a simple equation for risk, which is “risk = uncertainty + damage”. They believe that the context in which risk exists is irrelevant, and that the same equation can always be used to identify and manage risk. However, risk can still be categorized differently depending on what facet of the organization it is affecting.

Before a risk management strategy can be decided upon, the risk event must first be identified. An organization should conduct three steps before deciding on the best risk management strategy to use. As risk management can use a substantial amount of resources, clarification and direction should be decided upon before conducting risk management. The three steps are:

  1. Identification of the risk: The organization should first review all of the possible risk sources. Furthermore, they could use a risk assessment tool to identify the risk event that may occur.
  2. Assessment of the possible risk event: Once the organization has identified the risk, they must assess the potential damage that the risk event could cause. As previously stated, the severity of the risk is an extremely important factor for an organization to consider, as it will help shape and design any relevant risk management strategies.
  3. Develop an educated response to the risk event: After the risk has been successfully identified and assessed, the organization can begin to decide what resources may be needed to limit or completely negate the potential risk event.

Once an organization has identified any unexpected risk events that may occur, they must focus all their resources on deciding which risk event should be tackled first. Most organizations will have a limited amount of resources, and will only be able to tackle one or two risk events at a time. If a plethora of risk events are likely to occur, this means prioritizing which ones to minimize. Companies therefore have to assess the impact that a risk event can have on an organization's financial and market performance, and focus all their resources on eliminating the most dangerous risks first.

Risk management is imperative, and executing it unsuccessfully can have a severe impact on an organization. The extent of the consequence of not managing risk will depend on the risk event, but can include impacts such as financial loss, employee injury, business interruption, damaged reputation or failing to achieve corporate objectives. There are a plethora of other potential consequences of not managing risk, all unique to the particular risk event, but none will offer anything positive to business performance. This highlights how significant it is for an organization to conduct risk management successfully.

There are a few different frameworks and ideas that exist to help an organization prioritize which risk event they should focus on minimizing. One of the most comprehensive frameworks for prioritizing risk is the probability and impact framework. This framework depicts independent, variability and ambiguity risks, and measures the probability that these risk events may occur and the severity they may have for the organization if they were to ever occur. These findings can be summarized in a probability-impact matrix, in which the probability and impact of each risk are assessed against defined scales and plotted on a two-dimensional grid.

Furthermore, there are a few other methods for prioritizing which risk event to tackle. Risk events can also be ranked using multi-attribute techniques. For companies that want to adopt a more adaptable risk priority technique, the multi-attribute method would be preferred. This is because the attributes of interest can be selected based on the interests and prioritization of the organization and any relevant stakeholders. This has many similarities to a probability-impact matrix, but offers a more creative and free way to define variables that will be used to prioritize risk. There are variations of this technique, including a bubble chart, risk prioritization chart, uncertainty-importance matrix and high level risk model.

The final technique that will be covered for prioritizing risk is the use of quantitative models and techniques. These methods are not as rigorous as the previous methods; however, they do still offer a few benefits for a company. The main reason a company will use a quantitative risk priority method is because it is an incredibly cheap method that requires little to no preparation and planning. This means that a quantitative risk priority method will be preferred for companies that want to prioritize risks efficiently, at a cheap cost, and using the least amount of resources possible.

Once the risk has been successfully prioritized, it must also be thoroughly assessed. There exist a few different methods of assessing risks, with two prominent methods of risk assessment being quantitative risk assessment and comparative risk assessment. Quantitative risk assessment relates to an activity or substance and attempts to quantify the probability of adverse effects due to exposure. In contrast, comparative risk assessment is a procedure used for ranking risk issues by their severity in order to prioritize and justify resource allocation.

Furthermore, comparative risk assessment is becoming the preferred method of risk assessment for many companies across the world. This is because a comparative risk assessment has been found to be more thorough and rigorous in pinpointing the details and severity of a risk event. Furthermore, a comparative risk assessment aims to identify the more serious risk event, before moving onto tackling any other risk events.

There is also one other method for assessing risk events. This is through the use of the comprehensive outsource risk evaluation (CORE) system. This is a tool developed by Microsoft and Arthur Andersen to aid a company in identifying, assessing and preventing any risk events. The tool identifies a total of 19 risk factors and categorizes them into four different sub-categories: infrastructure, business controls, business values and relationships. This gives organizations a lot of freedom, as each individual company can decide on the importance of each factor, dependent on the significance it has for the day-to-day activities of the organization's operations. Furthermore, after the risk has been successfully assessed through the use of CORE, it is analyzed objectively through the organization's financial data and subjectively through the measurement of relationships and integration within the firm.

It becomes quickly apparent that the majority of risk assessment methods and techniques share a common theme, predominantly the measurement of the probability and impact of potential risk events that could occur and affect an organization's daily operations. This highlights the importance of risk assessment, and why it is an imperative skill that a risk manager should become adept at utilizing.

There is also one other factor that may be taken into consideration when deciding on a risk management strategy: the character and personality of the manager. Certain managers will follow traditional methods and not take advice from others, which also means they will not be willing to adapt to a risk management strategy they are unaware of, even if it proves to be more successful.

After a company successfully completes the three steps mentioned above, identification, assessment and development of a response, they will be able to proceed with the fourth step. The final stage is deciding and implementing the preferred risk strategy, which has been decided through the aforementioned three steps, to best limit or negate the potential risk event.

A risk management strategy is focused on identifying and assessing the probabilities and consequences of risks, and selecting appropriate risk strategies to reduce the probability of, or losses associated with, adverse events. Risk mitigation focuses on reducing the consequences if an adverse event is realized. Although there exist a plethora of risk management strategies, with some being more beneficial dependent on the situation, three key risk management strategies are:

  1. The Avoidance Strategy: There are two main types of avoidance strategy. The first type is where an organization will attempt to drive the probability of a risk event occurring down to zero, or as close to zero as possible. Furthermore, the second type of avoidance strategy is where an organization is attempting to predict the risk event. This will allow them to set in place any contingency plans to try and limit the impact to zero or as close to zero as possible. Both of these strategies have a considerable amount of uncertainty about them, as it can be very hard for an organization to predict the details of a risk event, or the implications that one might hold for the company.
  2. The Security Strategy: A risk management security strategy seeks to minimize the risk of any event occurring. This is very similar to the avoidance strategy; however, it acknowledges the fact that a risk event is going to occur, and merely tries to protect the organization as much as possible from any effects the risk event may cause. Implementing a security strategy can be achieved in a number of ways, including working closely with any local governments, proactively complying with regulations or ensuring internal security over the organization and its resources.
  3. Control/share/transfer: This strategy can take the form of vertical integration. This furthers the ability of a manager within an organization to control more processes, systems, methods and decisions. Having greater control of the day-to-day operations of a company can help minimize the probability and impact of risk. This is because it can help spread the risk over many operations, thus reducing the severity of the risk event. However, the need for greater control can also cause the need for greater side integration, which can be difficult for companies to achieve.

If the risk event will cause significant issues for an organization, and is considered a ‘high risk’, then a company should aim to utilize an avoidance strategy. This would be best because it would minimize or completely eliminate the probability of that risk event occurring. However, this can come at a huge expense to the organization, and consume a substantial amount of resources. On the other hand, if the risk event will have a limited impact on a company’s performance, and is considered a ‘low risk’ event, then a security strategy may be more suitable as it will protect the company’s operations and resources from the risk event.

Deciding on the optimal risk management strategy to use can be an incredibly difficult job for any manager to accomplish. If the manager chooses the wrong risk management strategy then the risk event could cause substantial problems for the organization's financial and market performance. One of the most significant factors that can affect the decision of which risk strategy to pursue is the severity of the risk.

To conclude, there are a variety of steps that a risk manager should go through in order to successfully implement a risk management strategy. One of the most important stages of this process is to spend ample time identifying and assessing the risk, so that a clear and concise strategy can be decided upon. If the risk manager acts without knowledge, then they could implement the wrong risk management strategy, thus wasting resources and still allowing the risk event to occur.

Furthermore, the risk manager should attempt to utilize an avoidance strategy in most instances, by predicting any likely risk events that may occur and putting in place any relevant contingency plans to handle these events. However, due to a number of factors including limited resources, it is not always possible for a company to do this, in which case they should focus on a risk management strategy that limits the effects of the risk event, instead of avoiding it completely. The majority of risk events can be spotted with careful planning and analysis, and some sort of action can be put in motion to at least limit the effects of the risk event that will occur.
