Monday, February 8, 2010

Conducting a Simple Risk Assessment

If you have never put much thought into managing risk in your organization, a risk assessment is the place to start. It can be an eye-opener for a number of reasons. First, you'll quickly see that no risk management methodology is going to allow your organization to avoid all potential loss. Second, if you have never done an assessment before, you may be shocked to find just how many threats exist to your organization and how vulnerable you are. Third, you may be equally surprised to find that there are likely several actions you can take in the near term, with little or no cash investment, to mitigate some of that downside risk.

So what is risk? Generally, we think of risk as a threat or vulnerability that could lead to potential loss. However, especially from a business perspective, it is important to keep in mind that risk refers to variance from the plan. That variance can be bad and lead to loss, but can also be good and lead to something positive.

There are a few caveats before we get into the risk assessment. First, though this is a simple exercise that serves as a starting point, it is not a replacement for a comprehensive risk analysis or risk management program. This risk assessment method is purely qualitative, meaning we're not going to use any real budget numbers, loss estimates or historical statistics. Hence, your mileage may vary.

Second, this exercise will show you how easy it is to fall into "analysis paralysis". There is a point of diminishing returns when it comes to creating your first list of risks. Your list is ever-changing and growing. So keep in mind that, initially, we are going after the low-hanging fruit. Having an exhaustive list is unnecessary right now.

Step 1: Identifying Risks

Open a new Excel spreadsheet and start listing the threats to your organization. Don't worry about how big or small they are, nor how likely. We will get to that later. The first items you think of are probably going to be from the category I call "Natural Disasters/Man-Made Hazards". This would include things like fires, power outages, blizzards, tornadoes, hurricanes, floods, etc. In case you get hung up on these, you can visit this list of categories I use to get your mind thinking about other business risks. Make sure you're thinking not just about physical threats to your facilities, but also about threats that impact cash flow, your ability to make your product or perform your services, your ability to process and deposit receivables and pay bills on time, and those things that might expose your company to costly litigation.

Again, don't worry about building an exhaustive list. You can always add to it later.

Step 2: Impact Assessment

With your spreadsheet open to your list, add a second column. To keep it simple, using a scale of 1 to 5, enter an impact value for each threat. Let 1 be the least impact and 5 be the most. For now, consider the worst case. So if "tornado" is on your list, consider the impact a worst-case tornado will have on your business. Keep in mind that this is a relative scale. The impact value you assign for any threat is relative to the other threats on your list.

Step 3: Probability Assessment

Now, add a third column. Using a 1 to 5 scale, determine the probability of that threat occurring, where 1 is negligible and 5 is very likely. This is going to be subjective. Again, consider the threats relative to the others.

Step 4: Prioritize

This is the easy part. Just multiply the impact by the probability of occurrence to get a "risk factor". Then sort your list with the highest-impact, most-likely-to-occur threats at the top.

Step 5: Plan

From your prioritized list, take the top 5. For each of those, ask yourself, "What can I do to either reduce the impact or reduce the probability?" I'll give you a hint: for big events like natural disasters, you're looking at business continuity planning coupled with insurance. If all of your top 5 are natural disasters, go to the next 5. You might find things like "New competition entering the market" or "Critical supplier fails to deliver raw materials". If these are near the top of the list, you should start thinking about how your business is going to respond when that happens.
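Steps 2 through 5 as a small script, added here as an illustration and not part of the original post. The sample threats, their scores, the `category` column and the function names are constructed for the example, and reading "go to the next 5" as "add the next five rows to the planning list" is an assumption.

```python
import csv
import io

# Constructed sample register: threat, category, impact (1-5), probability (1-5).
SAMPLE_REGISTER = """threat,category,impact,probability
Tornado,natural,5,2
Fire,natural,5,2
Flood,natural,5,2
Blizzard,natural,3,3
Power outage,natural,3,3
Critical supplier fails to deliver raw materials,business,4,2
New competition entering the market,business,3,2
Slow paying customers,business,2,3
"""

def load_register(text):
    """Steps 2-3: parse the register and reject scores outside the 1-5 scale."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        impact, prob = int(row["impact"]), int(row["probability"])
        for name, value in (("impact", impact), ("probability", prob)):
            if not 1 <= value <= 5:
                raise ValueError(f"{row['threat']}: {name} {value} is not on the 1-5 scale")
        rows.append({"threat": row["threat"], "category": row["category"],
                     "impact": impact, "probability": prob,
                     "risk_factor": impact * prob})  # Step 4: impact x probability
    return rows

def prioritize(rows):
    """Step 4: highest risk factor first; ties broken by impact, then name."""
    return sorted(rows, key=lambda r: (-r["risk_factor"], -r["impact"], r["threat"]))

def plan_candidates(ranked, window=5):
    """Step 5: the top 5, plus the next 5 when the top 5 are all natural disasters."""
    top = ranked[:window]
    if top and all(r["category"] == "natural" for r in top):
        top = top + ranked[window:2 * window]  # assumption: extend, do not replace
    return top

if __name__ == "__main__":
    for r in plan_candidates(prioritize(load_register(SAMPLE_REGISTER))):
        print(f"{r['risk_factor']:>2}  {r['threat']}")
```

Because the scale is relative, tied risk factors are common; the tie-break on impact keeps the ordering stable between runs instead of depending on the order in which the rows were typed.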

Identifying Opportunities

Now to turn the tables just a bit, go back to your list of threats. For many items this likely won't make sense, but for those that do, consider the opposite of that threat. Go through the same process for each, identifying the positive impact the event might have on your business and the probability of the best case occurring. Prioritize the list, then go through each and ask yourself, "What can I do to either increase the positive impact or increase the probability?" So, for example, if "Slow paying customers" is a threat, "Customers paying early or on time" might be an opportunity that you can influence and take advantage of when it happens.

Summary & Next Steps

As I mentioned, this is a qualitative tool and not precise at all. After a few iterations, you will likely have dealt with the low-hanging fruit and this method won't be of much use as-is. At that point, you will want to throw in some actual dollar-value loss estimates to help you gauge whether mitigating that risk warrants spending any money. You will also likely dive a bit deeper into the scenarios and, instead of evaluating just the worst and best cases, look at the spectrum in the middle, taking into consideration just how much a specific risk-mitigation measure affects the threat impact or likelihood.

Finally, this exercise focused on external threats and opportunities. But it also proves valuable with respect to big decisions and subsequent changes within the organization. Prior to making the decision or implementing the change, run through your list of threats and opportunities to see how that decision may affect them.
