“Risk comes from not knowing what you’re doing.” –Warren Buffett
Managing organizational risk includes admitting that there is a high probability something could go wrong. It requires humility to accept that we do not and cannot know everything that could happen to our organization, employees, competitors, job market, or global economy.
Risk management also includes planning for, and mitigating, potential threats and opportunities. Although you cannot plan for all scenarios, you can learn and practice a time-tested, step-by-step approach to analyze and prepare for a variety of organizational risks. In this article we will review several types of risk and introduce a process for managing organizational risk.
Types of risk
These are some of the most important types of risk to consider when evaluating opportunities and threats:
- Systematic risk describes the impact the global economy (external) has on an organization, specifically its financial outlook.
- Unsystematic risk refers to company-specific (internal) financial uncertainties.
- Operational risk is also company-specific (internal), based on potential shifts in supply chain, product and service delivery, or other operational considerations.
- Management risk results from potential company decisions by a senior leader team, shareholders, or Board of Directors.
- Political or regulatory risk includes the organizational impacts of changes in regulation, legal requirements, compliance, or policies.
- Social risk is due to changes in social norms, disruption from movements, or the impact of cultural unrest.
- Environmental risk is uncertainty from liabilities or changes in the environment.
- Competition risk acknowledges that competitors’ choices have an impact on a company.
Which of these types of risk are front of mind for your organization right now? Which are potential blind spots worth a greater deal of focus?
A process for managing organizational risk
Approaches for managing organizational risk abound. They all include the same four basic steps: identifying, analyzing, responding, and monitoring. Let’s break them down.
First, choose whether you will go micro with a particular organizational program or macro with a broader assessment of company-wide risk. Then, assemble your risk management team. This group includes a variety of internal and external stakeholders such as senior leaders, frontline employees, customers, and even community members. Using the above categories of potential risk, spend time brainstorming all of the possible threats that exist. Helpful tools for risk identification include a SWOT analysis, Ishikawa diagram, or flowchart.
This stage involves estimating the likely impacts of identified risks. Use qualitative and quantitative analysis to make these determinations. Qualitative analysis filters and prioritizes risks per their importance and severity and is used for risks that are most critical. Quantitative analysis is more accurate, but also more complicated and time-consuming. It involves a comprehensive systems analysis using assistive tools such as SPSS or other mathematical software. Assigning an overall risk score is the final goal of this stage; this assessment is based on the significance of the risk as far as its impact on the organization, as well as the probability that the risk will occur.
Respond to risk.
Enter the action planning part of risk management. Depending on the results of analysis, responses could include mitigating the risk to reduce its possible impact, transferring the risk to an outside party, or dealing with the risk in its current state. This latter choice is perfectly valid if the risk management team decides the threat is beyond the agency’s scope of control. In this instance, however, it is important to also develop a contingency plan, so the organization is prepared to respond if and when the risk moves from probable to actual.
Controlling risk includes keeping a vigilant eye on possible threats. This final step is ongoing and includes regularly reviewing results of the first three steps and revising as needed. Managing risk involves agility, innovation, problem solving, critical thinking, and resilience. It also requires perseverance. Your organization will always face a multitude of risks, and your ability to spot and thwart them is only as good as your capacity to monitor.
Managing risks is a messy process, and some organizations find great value in working with an outside partner who can guide them through each step. Brighter Strategies provides risk management consulting through its systems-based philosophy, comprehensively assessing an organization’s people, planning, processes, and performance. Learn more today.
I’ll be giving a webinar on risk and change management on August 11th. You can register here.