Core Risk Management
A Business Continuity Plan involves defining any and all risks that can affect the company’s operations, making it an important part of the organization’s risk management strategy. Risks may include everything from natural disasters to cyber-attacks. Once the risks are identified, the plan should include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure the plan works
- Reviewing the process to make sure that it is up to date
The great unfortunate truth for the Risk Management profession is that it is only ever acknowledged or valued in hindsight.
What is Risk Management?
Traditionally, Risk Management has been defined as the process of identifying, controlling and mitigating threats to the company’s earnings or survival. At its most fundamental, Risk Management theory is summed up in one simple formula: PD x LGD = EL (probability of default times loss given default equals expected loss). It is, quite simply, the manner in which a company manages potential future losses in certain events.
Risk Management professionals often get a bum rap. While a few poor ones disproportionately tarnish the reputation of the whole, the paradigm is that they are set up to fail: they must predict the unpredictable and create a mitigation plan whose effectiveness, if it is successful, nobody will ever know.
4 Risk Management Rules
Don't fear the Boogeyman
The Risk Manager of an automotive leasing company (who is already risk averse by nature), intent on justifying his professional existence, creates statistical models to prove that, based on historical data, the residual value losses of the returning leased vehicles will be so great that entering the market becomes cost-prohibitive.
Not only does the above scenario lead to internal conflict because of poor goal setting, it is a reflection of a company that does not understand how to manage risk. Risk Management is not the fear of the unknown threats conjured in one's mind at night. It is the practice of mitigating losses as accurately as possible, while placing controls and plans to reduce volatility in the business. The Risk Manager whose sole focus is to eliminate risk is like the financial professional whose only advice or solution is to cut investments to the point where there is never a return on investment.
Actually manage risks
In an effort to ensure no risks of fraud exist, the CEO of a $100 million company with a highly competent CFO and Finance team insists on signing off on each cheque manually and hand-delivering them to the vendors personally.
The practice of Risk Management includes analyzing the riskiest and most sensitive areas of threats and applying the appropriate controls and mitigants to support those areas. It is in no way applying the most critical controls to all areas. That isn’t managing risk at all and such a tactic is not only inefficient, but prohibitive to business.
Treat Risk Management as Opportunity Management
Putting aside the impact of recent events, had you invested in the stock market at the low point of 2009, you could have, up until the end of 2019, taken advantage of a 300% return on investment over a 10-year period.
But in order to be able to maximize the opportunity as it arises in crisis, the company must not only survive but maximize opportunity by leveraging past preparation. Although the saying that the Chinese word for “crisis” is the same as “opportunity” is a common mistranslation, it does not change the fact that adaptability is the key success attribute in evolution.
“Be fearful when others are greedy and be greedy when others are fearful.” – Warren Buffett
Accept that threats exist and will impact the business
Nassim Taleb, the author of the famous book The Black Swan, does not consider the COVID-19 epidemic to be a Black Swan event. Despite the fact that there were numerous warnings and reasons to believe that a global epidemic was not only possible but inevitable, many people in the world chose to ignore it and treat it as another manageable threat.
Before the global COVID-19 Recession, there was the Great Recession (2007), the Dot-Com Bubble (2001), the Oil Price Shock (1990), the Energy Crisis (1979). Economic downturns are inevitable and while many financial “experts” claim to be able to predict or time the market, the fact is that these recessions occurred because they are by nature unpredictable.
Business Continuity Plans should not be built exclusively around past disruption experiences. If they were, then most BCPs would contain nothing at all. Instead, plans and controls are put in place to take into account unknown threats, and robust systems are built around them to ensure not only continuity but preparation to maximize the next opportunity.
Leading Through Risk
Companies that focus on cutting costs and penny-pinching employee compensation are doomed to become their own worst enemy, focusing on the turbulence of the “unknown unknowns”. On the other hand, a Leadership team that weaves strategic thinking cross-functionally in its focus works to build a company that will thrive in any storm:
- Loyal and collaborative company culture
- A strong balance sheet and banking relationships that allow for cash flow flexibility
- Solid business relationships that are supportive for mutual growth
Leadership that continuously works towards a solid operational infrastructure, cash flow flexibility, fact-based intelligence processes and a strong team culture sees the potential of today in the future.