Risk Management

Risks are the possibility that a threat event/activity will occur that can affect the achievement of an individual’s or organization’s objectives, whether security (physical), reputational, or financial.

Risk management is the process of identifying, assessing, and controlling these risks and making decisions that balance risk costs with mitigation benefits. Risk management mitigates these threats by anticipating them: plans are established in advance to minimize the potential impact if and when the anticipated events occur.

Uncertainty is the key component of risk: impact and probabilities may be calculated, but ultimately, it is not known if, when, or how often an event will occur. Nevertheless, the uncertainty must be calculated and addressed.

Types of Threats

Risks stem from threats. Threats may be to an individual, a group of people, an organization, or a brand. The examples given below for each type of threat are not a complete list. A complete list of threats should be developed for each client, scenario, and/or event. Additionally, a risk event/scenario may overlap with multiple types of threats. For example, a service or product failure may have financial and reputational impacts, and reputational/brand damage tends to lead to financial loss.

Security: Burglary, robbery, theft, kidnapping, assault/battery, harassment, murder, car accident, carjacking, and vandalism.

Financial: Interest rate fluctuations, stock market losses, unplanned expenses (home/office repair, maintenance), loss of income (job loss, client loss, business failure), inflation, increased cost of materials/commodities, natural disaster damage, employee misconduct leading to loss, and lawsuits.

Reputational: Personal/employee conduct, brand smearing, and/or product/service failures.

Types of Risks

Risks are caused by controllable circumstances such as human error or system failures. They may also be caused by uncontrollable external circumstances such as natural disasters, regional or global crises, major political or economic shifts, or technological developments. Consequences occur when risks are not adequately managed. Tailor risk management processes to these different risk categories.

Preventable risks are those activities that can be controlled and should be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions. These actions may have security, financial, and/or reputational risks.

Strategy risks are those that a company voluntarily assumes to generate superior returns from a strategy or plan. For example, a client may decide to make a risky financial investment when the possible payoff is very high.

External risks are those that are beyond influence or control. This may include natural disasters, major political changes, or major economic shifts. These types of risks can inflict serious damage.

Rules can be implemented for preventable risks, but rules cannot mitigate external or strategy risks. These types of risks require open discussion, scenario analysis, and scenario wargaming to develop strategies for handling them.

Why Risk Management Matters

Individuals and organizations tend to underestimate risks and overestimate their abilities to influence and control events. Positive thinking will not reduce risk. Overconfidence can have serious consequences. Risk management can be tedious. Discussing weaknesses and vulnerabilities is not a natural act. It is important to be rational and unemotional when conducting risk management.

Risk Management Process

Risk management can be simplified and accomplished at all levels of an organization, as well as by individuals, through simple steps.

  1. Identify Threats: Identify potential sources of harm such as injury, illness, property damage, reputational damage, or financial damage.
  2. Analyze the Threat: Determine the likelihood that the event will occur as well as the impact the event can have on the individual, business, or brand.
  3. Make a Risk Decision: Balance the cost of mitigating the risk against the benefit of doing so.
  4. Develop Mitigation Plans: Mitigation plans should include risk indicators, the warning signs that an event is about to occur.
  5. Monitor and Reassess: Monitor the indicators that an event may be occurring. Reassess risks and plans on a defined schedule.

A risk event matrix or heat map is used to present the analysis conducted in the risk management process. A heat map is a means of communicating analysis; it should not be a means of doing the analysis. The vertical axis indicates the impact a threat event may have, ranging from very low to very high impact. The horizontal axis indicates the probability or likelihood that an event may occur, ranging from very unlikely to very likely. Color ranges should be assigned to the matrix following analysis to provide a visual representation of the risk. Green represents a low risk. As the risk increases, the color changes from yellow to orange, and finally to red, indicating a very high risk. In general, events that fall into the yellow, orange, and red areas should have mitigation activities or plans assigned and implemented.

Risk Mitigation Activities

Risk acceptance means accepting the consequences of a risk and managing events if they occur. Risk acceptance often occurs when mitigation is not feasible or when mitigation costs outweigh the projected costs of managing the event if it occurs. Acceptance may also occur when the probability of occurrence is considered very low. For example, hardening office space against a terrorist attack may cost millions of dollars; if the probability of occurrence is assessed as very low, decision-makers often decide to accept the risk and not put money toward hardening a facility. Wishing away a risk or hoping that it does not occur is akin to accepting a risk without acting.

Risk avoidance means not participating in the activity that carries the risk: declining an investment or new product line; not traveling to a high-threat area; not hiring a seemingly competent applicant with a spotty resume.

Risk reduction accepts that the risk exists but focuses on limiting the loss if and when the event occurs. Examples include increasing physical security for a person, house, or business location, and providing employees with preventive care incentives. For employees, risk reduction may also be implemented through rules and by making sure that all employees follow them.

Risk sharing involves transferring some or all of the risk to another party. A legal corporation is a good example of risk sharing: several investors pool their capital, and each bears only a portion of the risk that the enterprise will fail. For an individual, establishing a limited liability company (LLC) limits the risk borne by the individual or partner(s).

Risk transfer involves contracting a third party to absorb the risk. For example, this method might include purchasing insurance to cover possible property damage or personal injury.