When business is booming, and the company is running on optimism and excitement, it’s not easy to maintain ongoing conversations about what might go wrong. But the truth is, not having a plan for unforeseen incidents and circumstances are probably the biggest risks of all.
Identifying risks and guarding against them is at the heart of risk management. The goal is ensuring that the company takes action in time to prevent an emergency or minimize losses. At the same time, risk management helps companies understand which risks are worth taking to help ensure their success. In other words, if you can see the bumps in the road ahead, you have time to decide whether to slow down or drive around them.
Why risk management matters
When companies take the time to consider and plan for all the potential dangers that face them, they can work to prevent them—or, at least, protect themselves. They can also make more informed business decisions with a clear vision about the amount of risk they’re willing to assume, with a roadmap to help avoid pitfalls and creates additional workplace security, safety, and compliance. Risk management also:
Decreases legal liabilities. If a plan is in place and the right people know how to activate it, you’ll avoid collateral damage and losses.
Demonstrates corporate social responsibility. In an event that could be environmentally hazardous, implementing a well-thought-out mitigation plan shows regard for the planet and minimizes damage.
Protects people and assets from potential harm. Lowering additional costs, avoiding negative news, and helping others understand how to avoid the risk in the first place
Ensures the company is appropriately insured. Knowing which threats are more likely to occur provides a better picture of the corporate insurance landscape.
Risky business: Types of risks companies face
Assessing risk is both an art and a science. Risk managers use their knowledge of different types of risk, understanding of the company’s tolerance for risk, and ongoing assessments, along with workplace technology to root out issues that could spell trouble for the company. They also help company leaders to understand which risks might be worth taking. Business risks are divided into four categories:
Hazards: These are risks that could hurt people or cause physical damage to property. Chemicals, electricity, machines, fires, and other natural disasters that aren’t within the control of the workplace environment fall into this category.
Financial risk: All companies take financial risks every day. Decisions about suppliers, distributors, mergers, pricing changes, and more are all financial risks.
Operational risk: People make mistakes, computer systems fail, and the threat of cyberattacks is a daily reality. Risk managers look for ways to minimize losses, alert company leaders, and try to prevent these events from happening.
Strategic risks: Changes to the economy or business environment, poor business decisions, inaccurate forecasts, and inadequate cash flow are all examples of strategic risks for which managers need to be on the lookout.
So, how do you identify risks before they happen?
Conducting a risk assessment isn’t a guessing game. Some risks are apparent. For example: if your company stores private customer data, what is the chance that the information can get out? How many ways can the data be leaked? That’s called risk identification. It’s the first step in creating a risk management plan.
In the oil and gas industry, for example, risk assessments are a crucial part of every offshore rigging project. Companies need to identify potential physical, political, and environmental dangers, supply chain bottlenecks, understand the integrity of emergency services in the area, and understanding the suitability of planned evacuation and escape routes. They need to optimize workplace technology for offshore workers who rely on it to communicate with the outside world. Having a clear idea of these risks gives the company a better roadmap to a safe and successful project.
Making sure you’ve planned appropriately
Benjamin Franklin’s saying, "An ounce of prevention is worth a pound of cure," is still good advice, but there is more you can do. Risk management teams can look at several strategies and approaches, depending on the situation and the type of risk involved:
Risk avoidance. We can’t control everything. But if there is a way to avoid danger altogether, taking that step is a legitimate form of risk management. Choosing not to make a strategic investment or preventive repairs or updates are ways to avoid risk. But sometimes, avoiding one risk will cause another. Not investing could keep a company from growing, and unnecessary updates run the risk of overspending. That’s why avoidance might not always be the right choice.
Reducing risk. Reducing exposure to dangers is everybody’s job. On the simplest level, think about signs warning people about wet floors as a metaphor for all risk reduction. If we’re aware of a problem, alerting others can help ensure nobody gets hurt. The same principle applies to financial and operational decisions: awareness triggers better outcomes.
Sharing risk. Risk-sharing appears, for the most part, in the form of strategic partnerships. Think: signing in to third-party apps using Google or Facebook, or aerospace companies who outsource airplane parts to a multitude of vendors. In the event of an emergency, all the companies involved share the consequences.
Retaining risk. If you’ve ever heard the phrase "put your money where your mouth is," you might know that it’s about willingness to take a risk on something you believe in. Silicon Valley was built on those who took enormous risks and who were ready to lose everything. Companies will often gladly take on some risk if they firmly believe the profit will be higher than the cost of a potential failure.
Translate your risk management strategy into a concrete plan
Once you’ve pinpointed serious risks and determined them to be realistic threats, writing a concrete plan for response comes next. For example, for a company whose risk is data loss or theft, the team should recommend risk management solutions ranging from increased workplace security, anti-phishing training, and drills, to redundant cloud storage and more robust encryption.
You may have heard a recent story on the news about a popular fast-food chain and a series of incidents with contaminated food. Though the chain made its name on providing fresh and sustainable ingredients, it had failed to conduct the right risk management procedures to cover food quality from its vendors. Had they put such a plan in place, they could have avoided the situation entirely, or been able to more quickly identify its source and keep the bad product out of the supply chain.
Risk management is a guide for making decisions in the event of an emergency and can be the "cooler head" that prevails during stressful times.
Compliance and risk management: two sides of the same coin
Even though risk managers help ensure that companies stay in compliance with state, federal, and global laws, risk management is not the same thing as compliance management. Risk managers’ interest is in protecting the company as it undergoes regular strategic planning. Yet risk and compliance management often intersect. In the wake of privacy laws like GDPR, SOC 2, HIPAA, and CCPA, being out of compliance itself is a considerable risk.
One of the most tightly-regulated industries in the world is biotech. In this environment, not only is compliance management tied to risk, but it’s also highly integrated with workplace security.
At one biotech firm, the risk team at a processing facility decided to take on all three. To stay in compliance, they needed to have an accurate record of every person who visited the facility. But the sensitive nature of the business requires the additional security of ID checking, photography, and block lists to protect employees. Their solution was a visitor management system that was SOC 2-compliant itself. In one fell swoop, they were able to avoid, reduce, and share risk—while retaining the right amount of risk necessary for innovation.
The biggest risk of all: managing expectations and bias
All of this sounds like wins for everyone. So why do people dislike discussing risk? Forbes tackled that question recently by speculating that it’s just human nature. "Managing the risks that come with any business is not something that anyone particularly enjoys," author Mary Juetten said. "We’d rather be rid of them entirely, free to focus all of our energies on more productive efforts rather than preventative."
Many studies on the subject have reached the same conclusion. We tend to believe we have more control over events than we do, so we’re overconfident assessing risk. Why? Because we put too much faith in information that supports our original beliefs—a confirmation bias that also leads us to dismiss data that suggests we could be wrong.
Feeling squirmy? It’s an uncomfortable topic, but it’s necessary to face it head-on with effective risk management teams that prevent such biases. When we’re open and receptive to the idea that there are multiple dangers in the business world, that’s when we’re ready to prevent them.
For more insights on risk management and how it relates to keeping your business in compliance, get the ebook, "The essential guide to workplace compliance."