Defining Risk


Let’s face it any venture is faced with risk.  We’ve all heard “No Risk, No Reward” and no one would disagree with Earl Nightingale comment “wherever there is danger, there is opportunity, wherever there is opportunity there is danger, the two are inseparable, they go together”.  These comments support how we have previously defined risk (see what is risk). 

Understanding that all things worth doing contain an element of risk is the first step in developing and implementing a risk management program, heck it’s the first word in RISK management.  In order to manage risk, the various risks need to be identified, and assessed for the probability of the event occurring and the impact the event would have on the business

When developing a risk assessment, an organization should create a list of all the risks that it faces, and drilling down, the reason these risks are listed.  Hopefully the list will be generated by a number of individuals within the organization who have different perspectives of risk.  A customer service manager will have a different view of the risks that he/she face as compared to the CFO of the company, or the VP of Sales.  I believe identifying all risks is important.

As the risk list is being developed, the individual risks will be dropping into several broad categories.  These categories identify not only the major focus of the risks, but also provide a road-map on defining the risk and suggested ways to address them.

Typically all the risks will fall into three categories:

  • Strategic- the risks that are associated with the environment the business operates in including marketplace or industry, regulatory issues, competition, reputation, stakeholders, and technology/obsolescence.
  • Financial – The risks to a companies financial strength including cash flow, profit margins, debt and credit management, interest rate fluctuation, and reserve requirements.
  • Operational – The risks involved in the functional operation of the organization like supply chain, fraud, security, human resources, projects, natural and man made disasters, systems and equipment.

Naturally each of these broad risk categories contain sub categories, and the sub categories break down further into additional sub categories that help to clarify and legitimize the concerns these risks pose.

In the next segment of Risk Management 101 we will look at some of the ways to develop the “Risk List”.

REPUTATION – while a company is known for the products and services it provides, one of the major reasons a purchase is made is based on the reputation of a company.   A company’s reputation is a wispy thing.  It’s made up of various bits and pieces, the quality of the product, the professionalism of the staff and management team, the contributions to the community, the handling of problems and issues that arise, the “trueness” of the company actions to the marketing image created.    A small mis-step can cause a stock price to fluctuate, and a large one, or several combined can cause a business to cease operations.

The oil situation in the Gulf of Mexico is a prime example of how perceived mishandling of a disaster affects the reputation of a company and the adverse effects it has on that organization.  In April of this year, BP stock was trading near the 52 week high of $62.50 per share.  This morning, the stock was trading below $32.00 and trending downward.  The disaster in the gulf and the subsequent handling of this catastrophic incident is a primary cause for the nearly 50% drop in stock pricing.

When the oil spill first happened,  I viewed it as a “Black Swan” event, an event that is unpredictable, carries a massive impact and after the fact (and in this case, once we get to after the fact) can be explained in a way that makes it less random and more predictable.  However, when I put this thought to a recent meeting of Business Continuity Professionals, an expert in the profession explained that oil company’s and those businesses associated in the industry are well aware of the hazards and risks related to deep oil exploration and would/should have plans in place for these types of events.  From my experience in building continuity programs, plans for irregular events and catastrophic issues are tested and improved through testing and tweaking.  These exercises are designed to help reduce the impact of the situation, and maintain a positive light on the reputation of the organization by showing:

  1. We have designed the process/program/product to be as safe as possible.
  2. In the event of an incident, we understand what is wrong and how to fix it.
  3. We are in control of the situation and are doing everything to return to normal as soon as possible.

A major part of the continuity event is communicating a common message for the organization and making sure all parties of the organization are in line with that message, in other words say what you are going to do, then do it.  If you make a promise, you need to be sure it is kept.  It’s not only important to manage the message and deliverables, but make sure the perception of what is happening is in line with what is actually occurring.

BP has made many positive commitments to the clean up and economic recovery to the individuals and companies that are being affected.  They have promised to promptly pay all authentic claims associated with the oil spill, they have promised to donate the net profits from the recovered oil to wildlife resuce organization, they have promised to pay for all the authentic claims associated with the spill and not be capped by the Government established level of responsibility.  These are all very positive things that would go a long way towards rebuilding the brand and reputation of the company.

It’s important for companies to remember that just saying something doesn’t make it happen.  People remember what was said (or what they thought they heard) and then measure a company against that point. 

Unfortunately it appears that there may be issues in the promise made and the actual delivery.  In a Bnet article posted on June 11th, Kristen Korosec, highlighted an issue with the oil spill claims that have been filed with BP and outsourced to a third party “BP Risk Management Firm is Really Good at Screwing OverOil Spill Claimants“.  The perception among claimants is that the comments Tony Hayward made concerning the claims process and appropriate payment (See Bnet posting) are not being met. 

From a disaster recovery perspective, it is important to monitor these issues and make the course corrections to keep from further eroding the reputation of the organization.  Additionally, I believe BP needs to get ahead of the curve to make sure these continual mis steps (be they perceived or real) stop happening.  Prompt positive action is needed to stop the downward spiral.

How many cliche’s are there that talks about identifying something after the event occurs.

  • Hindsight is 20/20
  • We couldn’t see the forest for the trees
  • If you didn’t want to go to Chicago, why did you get on the train?

I believe a lot of the reasons the risks were not identified up front was based on how the issue/event/process (known as a “concept” for the rest of the posting)  was framed at presentation. 

Paul Slovic, a professor of Psychology at the University of Oregon indicates that studies show two ways we perceive risk:

  1. An automatic, intuitive system
  2. A more thoughtful analysis system

According to Slovic “our perception of risk lives largely in our feelings, so most of the time we are operating on system number 1.”

SO, if the ”concept” is offered showing all the positive with either no or a minimal down side, we are more likely to accept all the positives and ignore the negatives of the undertaking.   

Another reason may be that the perception is the person presenting the idea has already identified all the things that could possibly go wrong and has prepared contingencies for them. 

A third reason is that we just don’t want to consider something going wrong , if we don’t acknowledge it, it doesn’t exist.

Unfortunately none of these reasons can actually make any negative impact go away.  

It is important for an organization to consider both the up and down sides and that’s where Risk Management comes in.

« Previous PageNext Page »