Risk is everywhere. Whether relative to cyber security, supplier viability, project failure points, or euro zone finances, discussions about risk have been all over business news recently. That’s understandable, since risk was a key contributor to the recent great recession and financial meltdown, and other prominent events and disasters have likewise been related to the concept. Risk has always been around us; it just seems to be in the news a lot more lately.
So, what is risk? It’s defined by dictionary.com as “exposure to the chance of injury or loss; a hazard or dangerous chance”. There are many ways to look at business risks. In a June 2012 article in the Harvard Business Review, Robert Kaplan and Anette Mikes propose looking at risks in three categories:
- Preventable risks. These are internal risks that are normally addressed by operating procedures, rules, company value statements, and controls. An example might be a requirement that employees use an ID card to access certain areas of a facility to prevent unauthorized access.
- Strategy risks. These risks are assumed by a company in order to make money and increase profitability. For instance, a company takes a risk to invest in inventory of a product for its catalog. These risks are usually addressed through monitoring via dashboards, balanced scorecards and the allocation of resources.
- External risks. These are the uncontrollable ones that usually grab all the headlines, such as hurricanes, earthquakes, and financial disasters. These are known sometimes as ‘black swan’ events to denote their rarity. Companies generally try to envision scenarios through war-games and other exercises.
Everybody manages risk a little differently, but the point is that it has to be done. Since the majority of our readers are supply chain or IT-EDI folks, let’s look at what’s been in the news recently relative to those areas.
Most supply chain risks we read about have been related to the strategy and external risk categories described above. A great example of the external risk type was the earthquake, tsunami, and nuclear reactor meltdown in Japan that affected the supply chains of tech and other companies. I doubt any one of them had a crystal ball that predicted the catastrophe, but those who recognized the risk of losing key product sources and had secondary suppliers elsewhere took less of a hit than those who didn’t.
Having a strategic supplier ‘go under’ due to financial difficulties can be just as debilitating to your supply chain. On the Spend Matters website, Jason Busch proposes strategies for early identification of cash flow problems for suppliers. He says there’s an opportunity “to collectively mine the history of payment information, discount requests/acceptance and the like to better drive proactive supply risk strategies going forward”. In other words, Jason feels the analysis of the financial transactions between companies can help pinpoint key suppliers who may be experiencing financial difficulties that could affect their ability to meet commitments. This proactive approach is a great example of a control instituted to address a strategic risk.
Those in the IT and EDI/eCommerce professions deal with risk routinely. Not only are they exposed to the risks inherent in processing data internally and connecting with the outside world for transactions and commerce (e.g. data theft, denial of service attacks, hackers, network reliability, cloud security), but they also implement safeguards in the applications used by the business to ensure that internal and external risks and legal requirements such as Sarbanes-Oxley are addressed.
Companies likewise depend upon IT to provide innovative solutions to all sorts of challenges and risks, such as those faced by companies that drill offshore for oil. In a CIO magazine article entitled “Risk Busters” (Aug. 1, 2012), Jim Noble, IT SVP at Talisman Energy, stated “In our business, we want people to go home at night safe and sound. You don’t have that if you’re working at a hedge fund or in retail”. His team developed systems and a dashboard to not only drill more precisely, but to also monitor and make adjustments much quicker and more efficiently. Although many consider the traditional purview of IT to be disaster recovery and data security, it’s even more valuable to the organization as a tool to eradicate and mitigate the myriad risks that companies face.
If your company manages risk well, is there a payoff? Obviously, there’s the avoidance of messy disasters and the resultant scrambling around when a problem occurs, but are there other benefits? In a recent study, Ernst and Young found “companies with more mature risk management practices outperform their peers financially.” Because they do a better job identifying, managing, and reacting to risks, they’re often able to turn that expertise into competitive advantage. That’s a powerful incentive to improve risk management. The report further stated “Organizations that embed risk management practices into business planning and performance management are more likely to achieve strategic and operational objectives.”
So, let’s cut to the chase. With all that’s been reviewed on the topic of risk, what have we gleaned that might be useful? I’d summarize the most relevant points as:
- Use a risk framework to help you assess risks and develop approaches to eliminate or mitigate them. The one identified in the HBR article discussed above seems pretty reasonable and easy to use.
- Discuss risk scenarios and potential approaches. Use scenario planning and look at examples of case studies to give you ideas.
- After identifying preventable risks, try to automate the prevention and identification of them to the extent possible.
- Make sure you’ve identified the relevant organizational strategies that may impact you. For example, your company may opt to increase its electronic commerce presence, so you should look at the ways that may affect your area from a technology, people, and process standpoint.
- Try to move away from a reactive model to one where you’re proactively recognizing risks and issues. The use of tools like visual management and operations dashboards is a good example.
- The best recommendation we encountered was to not waste time trying to identify ‘black swan’ events, but to put your efforts into projecting the effects a catastrophic event would have on your area and do your planning around that. In other words, don’t try to predict a tsunami, but put some thought into what would happen if your sole supplier of a critical part went off-line for an extended period of time.
Whether we realize it or not, much of what we do in our work and personal lives revolves around risk. Although it’s not a cuddly concept you want to metaphorically embrace, it’s critically important that you recognize its presence and plan around it.

Last modified on Saturday, 22 September 2012