Employers are confronted with having to regularly anticipate and measure emerging risks so they can mitigate those threats, which helps to reduce the chance of being blindsided by an unknown threat. Designing, implementing and maintaining risk management processes throughout an organization with a risk management plan offers employers a way to do a better job in identifying, measuring, and managing risks.
Creating a Plan
The International Organization of Standardization (ISO) defines risk management as the "effect of uncertainty on objectives" in the ISO 31000:2009 standard. To begin developing a risk management plan for your organization, you will need to identify, assess and evaluate factors that pose a potential risk to your organization. You may want to handle this internally, or think about engaging a risk management consultant to build a risk assessment, mitigation process and insurance plan.
Identifying Potential Risks
Risks come in many forms, but not all companies are vulnerable to the same risks. The risk management plan will help you determine risk that may threaten you company and to what degree. Examples of potential threats for companies of all sizes include:
- Major regulatory changes or reform (such as healthcare, energy, and/or financial)
- Data privacy, security and technology regulatory reform or mass data mining
- New disruptive technology erodes competitive positions or makes products obsolete
- Cyber-crime (such as cyber-espionage and cyber cyber-attacks)
- Organized crime
- Loss or theft of intellectual property
- Significant or prolonged IT systems failure
- Brand or reputation risks from social media
- Increased taxation
- Commodity price shocks
- Domestic and global financial shocks
- Banking crisis and limited lending
- Slowdown in key emergency markets
- Exit of countries from the Eurozone
- Natural hazards (e.g., hurricanes, tornados, floods)
- Civil disobedience
- Workplace violence
Assessing Impact of Risks
Risks could negatively impact the workplace in a variety of ways, including:
- Safety of employees and customers
- Economic performance
- Professional reputation
- Integrity of facilities
- Environmental and societal outcomes
Keep in mind that not all risks are bad. Examples of 'good' risks include buying another company or making an Initial Public Offering (IPO). Those are very exciting times. Hopefully, the reward will be well worth the risk.
One you have an idea of what risks your company faces and how they might impact your organization, you will need to evaluate them to determine which ones need to be included in your plan and how significant that might be. To evaluate the risks, you will need to:
- Assess how likely the risk will affect your project or the overall workplace. How probable is it that the risk will take place and how often?
- Identify what your company's risk threshold. How much is too much risk?
- Decide what should be done to mitigate or nurture those risks.
- Calculate what the aggregate cost of those risks would be.
- Identify an employee who will be in charge of implementing risk reduction measures and how success will be measured.
Strategies to Minimize Risk
As a result of identifying, assessing and evaluating risks, you will be able to develop strategies to minimize risk factors with the potential to affect your organization.
According to International Organization of Standardization's standard, ISO 31000:2009, the following strategies are options for managing risk:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Accepting or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision
Examples of Specific Mitigation Measures
Depending on your risks, specific workplace risk mitigation measures might include:
- Elect for an integrated, enterprise-wide risk management approach with the ability to effectively identify, assess and manage risk exposure rather than an impromptu and reactive risk management structure.
- Install sophisticated security monitoring systems.
- Protect your company's intellectual property through investment in cyber security personnel and software.
- Develop a Foreign Corrupt Practices Act (FCPA) compliance policy.
- Develop hard copy and electronic data control measures to ensure you can demonstrate regulatory compliance should the need arise.
- Conduct contract compliance reviews to check for issues such as third party controls, joint venture operating agreements, intellectual property and software licensing, and audit requirements.
- Use a web-based employee travel tracking system to help immediately in case of a perceived or real threat especially for international travelers.
- Offer and mandate employee FCPA, fire, OSHA training as appropriate.
- Develop and exercise emergency response plans.
- Recruit and retain a dedicated security team to monitor security risks, respond to threats / emergencies, and prevent the exploitation of vulnerabilities through robust security policies and standards, and automated dashboards and applications.
- Augment your insurance policies to be sure that you have sufficient coverage in place. Consider if you have just the right insurance type and amount or if you need more due to new risks. For example, decide if you need terrorism insurance.
When considering ways to improve your company's individual risks, you will find:
- Low and high cost risk mitigation options
- Risk mitigation measures that have to be addressed immediately
- Areas where mitigation measures are needed, but that you may be able to delay
Which risk management mitigation measures you select will be based on probability of risk, management support, resources allocated, and the risk management budget.
For many companies, risk management has become an executive level responsibility because of the importance of assessing risks, managing risks, and making sure risk information gets to the right people within the organization so that risk management becomes a company-wide effort. Businesses interested in adopting a robust risk governance structure work to guarantee that the following activities are well managed by a senior staff member:
- Link risk management to the corporate strategy and executive-level officers.
- Use cutting edge technology to capture risk data.
- Identify a clear line of reporting for risk-related information including escalation measures.
- Anticipate, collect, analyze, monitor, and disseminate accurate and timely risk management data.
- Allot sufficient executive level staff -and if applicable, board of directors- time is dedicated to risk management.
- Share risk management initiatives with investors, if applicable.
- Recruit and retain appropriate personnel with risk management expertise.
- Train all staff on risk awareness to instill a risk culture in the company.
- Manage regulatory compliance (e.g. Food and Drug Administration, Occupational Safety and Health Administration, Environmental Protection Agency, etc.).
Championing a Plan
Spearheading the development of a risk management plan will offer you the ability to be seen as someone who understands the company's big picture and one that is truly committed to the long-term growth and reputation of the company.
As part of developing you company's risk management plan, you may want to consider also developing a business continuity of operations plan, a disaster recovery plan and a crisis management plan to ensure a well-rounded risk management and emergency response program.
Remember that you know your business better than a risk management consultant knows your business. Get help when you need it, but don't give up the reins.
Business is full of uncertainty, which leads to expected - and sometimes not so expected - risks. Employees, investors, and insurers raise the stakes with small and large businesses in light of history-making, multi-million dollar liability settlements paid out as well as government fines for corruption. Companies that ignore risk can potentially fail when a single threat is exploited or risk is underestimated. However, improving your company's risk management capabilities will help to put your company on a path to resiliency.