
Defining and Managing Risk

As published in the July 2010 issue of The Greater Lansing Business Monthly.

Every day we face risks in our personal lives that we routinely identify, analyze and mitigate without much thought or energy. This process is actually a risk assessment. A simple example would be taking an evening stroll around your neighborhood. As you approach a cross street, you identify a risk (traffic flow), analyze the risk (look both ways), then mitigate the risk (wait to cross until traffic has cleared).

As we build our organizations to perform in a dynamic and complex environment, the ability to accurately assess risks is a desired skill set. Wikipedia defines risk as “…the expected value of one or more results of one or more future events. Technically, the value of those results may be positive or negative. However, general usage tends to focus only on potential harm that may arise from a future event…” Although no one can predict the future, a properly constructed business risk assessment is beneficial to the continued growth and prosperity of any enterprise.

As the following approach to risk assessment is described, please keep in mind that most organizations are comprised of a multitude of “systems” including specific people, processes and tools (software, hardware, equipment and so on). Each system has a purpose and related risks associated with its operation.

Since risks run across an entire organization, one approach during the identification phase is to place responsibility for identification of risks on specific functions such as:

• Sales
• Operations
• Customer service
• Human resources
• Finance
• Marketing
• Legal

At the functional level of risk identification, it’s recommended that a cross section of talent and skill sets be selected to document potential risks. For example, operations may include a group of six to eight people (employees, managers and senior leadership), whereas human resources may be comprised of only one person. The number isn’t as important as the knowledge the individuals bring to the table based on their particular functional area and expertise. This phase should include the people engaged with the system(s) on a daily basis who can identify the system weaknesses such as potential human errors, process breakdowns or equipment failures. Senior leadership should guide the cross-functional group to achieve the objectives in the allotted time period.

Although the identification phase is important to understanding both your internal and external risks, the analysis phase will define the scope of the risks and assist management in determining which risks should have resources devoted to their mitigation. Normally, you will need your subject matter expert (SME) to complete the risk analysis since this person is most familiar with the particular system. Once quantified, senior leadership/management will need to determine which risks they are willing to accept without any mitigation and which will receive attention. If several risks are identified and limited resources are available, senior leadership/management must prioritize the risks and develop a mitigation strategy.

In the final phase of the risk assessment, attention first should be paid to the risks with the highest priority. Mitigation will happen on many different fronts and could possibly involve each function listed above. Mitigation tactics may include establishing or changing policies to impact human behaviors (e.g., policies for conflicts of interest, gifts, computer usage, brand management, regulatory compliance and more). In addition, processes may need to be modified to mitigate certain operational risks, such as what transpired in the healthcare industry when dealing with the Health Insurance Portability and Accountability Act (HIPAA) regulations. Finally, specific tools may require upgrade or replacement if the risk centers on that piece of the system.

A well-organized and documented risk assessment will assist your enterprise in identifying and alleviating the various risks associated with conducting business in today’s environment. Fortunately, a little advance planning can help you and your organization safely make it to the other side of the street.