How to manage strategic risk
Following a full-blown crisis people, naturally, take steps to avoid a recurrence. “Those who cannot remember the past are condemned to repeat it” as the often-misquoted George Santayana said. But there is a problem in managing risks retrospectively and that is the tendency to overreact and be driven by fear rather than opportunity.
The current crisis we are all experiencing will no doubt lead to an examination of our collective preparedness and a renewed focus on the whole process of dealing with uncertainty. If the 2008 financial crisis is anything to go by this reflection will include businesses tightening up their risk management, scenario planning, disaster recovery and business continuity disciplines. (At least until the mists of time and selective memory work their magic).
What this means for some organizations is a temporary shift in their approach to risk from one of blissful ignorance to one of zero tolerance. A rapid policy reversal that bypasses the most effective position which, as is often the case, sits somewhere in the middle.
Risks shouldn’t be ignored and can’t always be eliminated. They need to be acknowledged and managed because, in the majority of cases, risk doesn’t travel alone. It usually rides out with its trusty sidekick, opportunity, by its side.
Identifying Risks – the basics
There are all sorts of risks out there and they vary hugely in impact. Some risks are a minor inconvenience while others are able to completely ruin your day. So, the first step, once you have a project or initiative scoped out, or are just looking at the robustness of your current strategy, is to capture as many risks as you can think of that may impact your success. Use a ‘brainstorm’ approach and have your team think of as many things that can go wrong as possible.
This is usually an easy brainstorm, people seem to have no problem imagining disasters, in fact they often enjoy it. Although this enthusiasm can create a problem when less dramatic risks get overlooked. It is no use having a list including asteroid strike, zombie apocalypse and the reawakening of Godzilla if you miss, say, loss of production capacity, disruptive technology, or raw material price increases.
You will want to have a starter list of topics to steer the brainstorm to include a range of risks by focusing them on technical risks, supply chain risks, environmental risks, demand side risks, competitor risks, regulatory and compliance risks, and so on. Once you have terrified/depressed yourself with this doom-laden list it’s time to prioritise.
In its simplest form, prioritisation requires two dimensions. What is the probability the risk will happen, within the time frame under consideration, and what would be the impact on your business/project if it did happen? You score these two dimensions on a ten-point scale. The higher the number the higher the impact and the higher the probability. So, a risk that scores a ten on both dimensions is both a near certainty to happen and a major catastrophe when it does. A risk that scores one on each dimension is almost certainly not going to happen, and even if it does it will have little impact. Most risks, of course, exist between these extremes.
When you have finished your impact/probability assessment you plot each risk in a chart as shown below. You will need to prioritise the top right box but don’t ignore the bottom right or the top left, these will need some thought also. Once you have identified the principle risks you need to think about how you intend to handle them, should the need arise.
Prioritising risks is obviously an important step but it is of little use if that was all you did. You need to decide what actions you are going to take. Specific actions will depend on the nature of the risk and the resources at your disposal. But there are four general approaches to managing risks. You can avoid the risk, you can mitigate/reduce the risk, transfer/share the risk, or you can accept the risk.
Some risks can be side stepped by not taking the action that will create the risk. You can avoid the risk of rejection by never asking for what you want, for example. Which of course replaces the risk of not getting what you want with the certainty that you won’t get what you want. Which is the problem of risk avoidance; you often throw out the baby of opportunity with the bathwater of risk. Which is not to say that you should never avoid risk.
If you were on safari and are thinking about approaching a sleeping lion, on foot, to get a really great photo you may well consider the opportunity to get a few instagram likes is insufficient to justify the risk of becoming Leo’s afternoon snack.
Before you decide to avoid a risk, you need to quantify the potential reward as well as the risk. Can you afford to take the risk? (can you afford not to?) Have you considered alternatives (telephoto lens?) Recklessness has no place in business, but neither does timidity. Faint heart never won fair maiden, as the old, gender specific, saying goes.
Risk avoidance is as much art as science, but the general rule is to only avoid those risks where the probability and scale of reward is insufficient to justify the probability and scale of the risk.
A problem shared is a problem halved and the same sentiment goes with some risks. If you can get others to take a share of the risk, or sometimes all of the risk, you can relax a little. Of course, there is a cost to this, either in the form of an insurance premium or in sharing the potential rewards.
Take an example of a client golf day where you want to offer a ‘nearest the pin’ competition on a par three hole, in which the prize is $1000, and you want to spice it up by offering $100,000 for a hole in one. You are doing this to attract a higher number of prospective clients to your event and create a ‘buzz’ but clearly there is a risk it could turn out very expensive.
Luckily, you can buy insurance from a third party who will assume the risk for a fixed fee of say $4000. You have traded an uncertain future where the cost could be zero or $100,000 to a certain future where the cost is fixed at $4,000. Given the odds of an amateur golfer hitting a hole in one is about 12,500:1 you might decide to take the risk yourself. It’s all about the depth of your pockets and the size of your appetite (and your ability to quantify risk accurately).
Non-insurance examples could be a joint venture with a software company who will design and develop a new app for you but for a share in future revenues. Or a manufacturing partner in a foreign country who is better suited to managing local economic and political risks.
The essence of transfer/sharing is to trade some of the potential reward for a portion of the potential risk. It will always cost you, but it might help you sleep a little better.
If you don’t avoid or transfer the risk, you will probably want to mitigate it to some extent. For example, some companies don’t allow the chairperson and chief executive to travel on the same plane. And professional sports teams often place contractual obligations on their star athletes that prevent them from taking part in risky activities such as riding a motorcycle or rock climbing.
All this is aimed to reduce the odds in the favour of the entity bearing the risk. Mitigation often includes modelling future scenarios to find the right balance between risk and reward. These can get pretty complicated. Take the case of an airline.
An airline has to decide a seating configuration for a plane. It has to match supply and demand, too many business class seats and they might fly with these expensive seats empty, too few and they are leaving money on the table. They also need to decide on pricing both for advance tickets and for last minute travellers and assess the effect this will have on demand. They also need to consider what level of overbooking they allow to ensure full planes.
These sort of optimisation problems are a subset of risk/reward management and are solved with various approaches from decision trees and pay-off matrixes to linear programming, Monte Carlo simulations, Bayesian networks, etc. Some similar problems are approached with A/B testing and experimentation.
Mitigation is really about thinking like a bookmaker rather than a gambler. You accept risk but seek to optimize the balance between risk and reward.
Sometimes the best approach is to accept the risk. Which is not the same as ignoring the risk. Accepting means you have evaluated the risk reward equation and have reached an informed decision to undertake the risk. This would be the sensible approach if the downside is known, limited and acceptable. And the upside is sufficient to justify the risk.
Think about buying a lottery ticket. You accept that the money you spend for the ticket will almost certainly be lost. But you also know there is a very small chance you might win big. You accept the near certainty of a small loss for the near impossible chance of winning millions.
Risks are an essential part of life. They can prevent us from behaving recklessly and they can help us put a context for the rewards we are seeking. They should not be ignored, and they cannot always be eliminated. They hold some people back and drive others to seek their fortune.
Muhammed Ali said “He who is not courageous enough to take risks will accomplish nothing in life” which is true, if a little simplistic. If it isn’t too heretical, I would suggest a slight modification.
“People who are not courageous enough to take risks, and smart enough to know which risks to take, will accomplish nothing in life.”