Risk is inherent in every business: Without risk, there is no reward. But that doesn’t mean you should simply accept every risk that comes along.
Quite the opposite: By systematically cataloging the risks your company faces in every area, you can establish a plan to respond to each according to strategic priorities. The risk response process begins with identifying your company’s appetite for risk.
“Your risk appetite is a broad statement about the overall types and levels of risk that the organization wishes to assume in pursuit of its strategic objectives,” says Joe Underwood, principal at Albert Risk Management Consulting. “It’s closely tied to your mission statement.” Risk appetite is a descriptive benchmark against which you can establish a tolerance level for each specific risk.
After you’ve identified risks, you need a risk response process to establish priorities, usually by assessing impact and likelihood. “I feel it is critical for an early-stage risk management program to demonstrate value quickly, so I also like to include the practical opportunity for improvement within the assessment,” Underwood says. “Start with the low-hanging fruit: What risks can be addressed quickly and inexpensively while maximizing results?”
But address how? There are four possible ways to respond to risk: accept, because it falls within your tolerance level; avoid, because the risk-reward trade-off is not favorable; reduce, because there are practical means to do so; or transfer to another party when economically feasible. “For each risk, various and often multiple responses may apply,” says Underwood, adding, “There are no free lunches—each has its advantages and disadvantages.”
Here’s a closer look at each type of risk response:
- Accept. You may choose to accept the risk either because its potential impact or probability is low, or because the cost and effort of taking a different action are out of proportion to the risk itself. Accepted risks should still be documented, and may require ongoing observation to ensure that acceptance is still the best response. The downside? “Acceptance can run you into an unfortunate streak of bad luck,” Underwood says.
- Avoid. Some risks are simply not worth taking, often because they violate or imperil the organization’s fundamental imperatives. Obvious examples would be illegal or unethical activities or unsafe manufacturing processes, but there are many other reasons to sidestep a risk entirely, particularly if a less risky alternative is available. “Often these decisions are guided by the broad statement of risk appetite,” Underwood explains, “though avoidance usually means missed opportunity for reward as well.”
- Reduce. This response requires taking action to reduce the probability or impact (or both) of a risk to bring it within tolerance. An example would be to implement firewalls, passwords and other protocols to protect sensitive data. “Reduction usually means added cost or lost productivity,” Underwood cautions. “For example: physical safeguards cost money; policies and procedures require time to develop, implement and monitor.”
- Transfer. Here, the risk is transferred to a third party so that they are responsible for its management and impact. Examples include insurance policies, financial hedging instruments, and contractual agreements. “Transfer usually means added cost,” Underwood explains, “but it can mean opportunity for those who take it on, if they develop processes and check to make sure it’s not an unwise decision.”
Risk management is an ongoing process, and the result of each assessment should be carefully documented—including who is responsible for monitoring, reporting, and responding to each risk. The key is communication and organization-wide awareness. “Senior leaders need to develop eyes and ears on the ground,” Underwood says. “They need their people thinking and talking about risk in conjunction with reward, as well as reliable communications to parties who are in a position to take appropriate action when warranted.”