The Importance of Managing Risk
A variety of academics have provided numerous definitions of risk, with some being centred around a specific business environment and others being a more generic definition of risk. A comprehensive risk definition that is tailored around the business environment can be defined as an event that will likely lead to substantial losses for an organisation, which could also be made more dangerous by the likelihood of the risk event occurring (Harland, et al., 2003). Furthermore, the English Oxford Dictionary defines risk as "A situation involving exposure to danger" or "The possibility that something unpleasant or unwelcome will happen" (Oxford Dictionary, 2015).
Kaplan and Garrick (1981, p. 12) provide a simple equation for risk, which is "risk = uncertainty + damage". They believe that it is irrelevant as to what context risk exists in, and that the same equation can always be used to identify and manage risk. However, risk can still be categorised differently depending on what facet of the organisation it is affecting. For example, supply chain risk can be defined as "the variation in the distribution of possible supply chain outcomes, their likelihood, and their subjective values" (March & Shapira, 1987, p. 1404). This is quite different to other, more generalised definitions of risk.
Before a risk management strategy can be decided upon, the risk event must first be identified. An organisation should conduct three steps before deciding on the best risk management strategy to use. As risk management can use a substantial amount of resources, clarification and direction should be decided upon before conducting risk management. The three steps are (Stanleigh, 2015):
- Identification of the risk: The organisation should first review all of the possible risk sources. Furthermore, they could use a risk assessment tool to identify the risk event that may occur.
- Assessment of the possible risk event: Once the organisation has identified the risk, they must assess the potential damage that the risk event could cause. As previously stated, the severity of the risk is an extremely important factor for an organisation to consider, as it will help shape and design any relevant risk management strategies.
- Develop an educated response to the risk event: After the risk has been successfully identified and assessed, the organisation can begin to decide what resources may be needed to limit or completely negate the potential risk event.
Once an organisation has identified any unexpected risk events that may occur, they must focus all their resources on deciding which risk event should be tackled first. Most organisations will have a limited amount of resources, and will only be able to tackle one or two risk events at a time. If a plethora of risk events are likely to occur, this means prioritising which ones to minimise. Companies therefore have to assess the impact that a risk event can have on an organisation's financial and market performance, and focus all their resources on eliminating the most dangerous risks first.
Risk management is imperative, and executing it unsuccessfully can have a severe impact on an organisation. The extent of the consequence for not managing risk will be dependent on the risk event, but can have impacts such as financial loss, employee injury, business interruption, damaged reputation or failing to achieve corporate objectives (SCU, 2015). There is a plethora of other potential consequences for not managing risk, all unique to the particular risk event, but none will offer anything positive to business performance. This highlights how significant it is for an organisation to conduct risk management successfully.
There are a few different frameworks and ideas that exist to help an organisation prioritise which risk event they should focus on minimising. One of the most comprehensive frameworks for prioritising risk is the probability and impact framework. This framework depicts independent, variability and ambiguity risks, and measures the probability that these risk events may occur and the severity they may have for the organisation if they were to ever occur. These findings can be summarised in a probability-impact matrix which is where "the probability and impacts of each risk are assessed against defined scales, and plotted on a two dimensional grid" (Hillson, 2001, p. 237).
Furthermore, there are a few other methods for prioritising which risk event to tackle. Risk events can also be ranked using multi-attribute techniques. For companies that want to adopt a more adaptable risk priority technique, the multi-attribute method would be preferred. This is because the attributes of interest can be selected based on the interests and prioritisation of the organisation and any relevant stakeholders. This has many similarities to a probability impact matrix, but offers a more creative and free way to define variables that will be used to prioritise risk. There are variations of this technique, including a bubble chart, risk prioritisation chart, uncertainty-importance matrix and high level risk model (Hopkinson, et al., 2008).
The final technique that will be covered for prioritising risk is the use of quantitative models and techniques. These methods are not as rigorous as the previous methods, however they do still offer a few benefits for a company. The main reason a company will use a quantitative risk priority method is because it is an incredibly cheap method that requires little to no preparation and planning (Hopkinson, et al., 2008). This means that a quantitative risk priority method will be preferred for companies that want to prioritise risks efficiently, at a cheap cost, and using as few resources as possible.
Once the risk has been successfully prioritised, it must also be thoroughly assessed. There exist a few different methods of assessing risks, with two prominent methods of risk assessment being quantitative risk assessment and comparative risk assessment. Quantitative risk assessment "relates to an activity or substance and attempts to quantify the probability of adverse effects due to exposure". In contrast, comparative risk assessment "is a procedure used for ranking risk issues by their severity in order to prioritize and justify resource allocation" (Hester & Harrison, 1998, p. 2).
Furthermore, comparative risk assessment is becoming the preferred method of risk assessment for many companies across the world. This is because a comparative risk assessment has been found to be more thorough and rigorous at pinpointing the details and severity of a risk event. Furthermore, a comparative risk assessment aims to identify the more serious risk event, before moving on to tackling any other risk events (Finkel, 1994, p. 337).
There is also one other method for assessing risk events. This is through the use of the comprehensive outsource risk evaluation (CORE) system. This is a tool developed by Microsoft and Arthur Andersen to aid a company in identifying, assessing and preventing any risk events (Michalski, 2000). The tool identifies a total of 19 risk factors and categorises them into four different sub-categories: infrastructure, business controls, business values and relationships. This gives organisations a lot of freedom, as each individual company can decide on the importance of each factor, dependent on the significance it has towards the day-to-day activities of the organisation's operations. Furthermore, after the risk has been successfully assessed through the use of CORE, it is analysed objectively through the organisation's financial data and subjectively through the measurement of relationships and integration within the firm.
It becomes quickly apparent that the majority of risk assessment methods and techniques share a common theme, predominantly the measurement of the probability and impact of potential risk events that could occur and affect an organisation's daily operations (Yates & Stone, 1992; Hallikas, et al., 2002). This highlights the importance of risk assessment, and why it is an imperative skill that a risk manager should become adept at utilising.
There is also one other factor that may be taken into consideration when deciding on a risk management strategy, that is the character and personality of the manager. Certain managers will follow traditional methods and not take advice from others, which also means they will not be willing to adapt to a risk management strategy they are unaware of, even if it proves to be more successful.
After a company successfully completes the three steps mentioned above, identification, assessment and development of a response, they will be able to proceed with the fourth step. The final stage is deciding and implementing the preferred risk strategy, which has been decided through the aforementioned three steps, to best limit or negate the potential risk event.
A risk management strategy is "focused on identifying and assessing the probabilities and consequences of risks, and selecting appropriate risk strategies to reduce the probability of, or losses associated with, adverse events. Risk mitigation focuses on reducing the consequences if an adverse event is realised" (Manuj & Mentzer, 2008, p. 141). Although there exist a plethora of risk management strategies, with some being more beneficial dependent on the situation, three key risk management strategies are (Norman & Jansson, 2004; Juttner, et al., 2003):
- The Avoidance Strategy: There are two main types of avoidance strategy. The first type is where an organisation will attempt to drive the probability of a risk event occurring down to zero, or as close to zero as possible. The second type of avoidance strategy is where an organisation is attempting to predict the risk event. This will allow them to set in place any contingency plans to try and limit the impact to zero or as close to zero as possible. Both of these strategies have a considerable amount of uncertainty about them, as it can be very hard for an organisation to predict the details of a risk event, or the implications that one might hold for the company.
- The Security Strategy: A risk management security strategy seeks to minimise the risk of any event occurring. This is very similar to the avoidance strategy, however it acknowledges the fact that a risk event is going to occur, and merely tries to protect the organisation as much as possible from any effects the risk event may cause. Implementing a security strategy can be achieved in a number of ways, including working closely with any local governments, proactively complying with regulations or ensuring internal security over the organisation and its resources.
- Control/share/transfer: This strategy can take the form of vertical integration. This furthers the ability of a manager within an organisation to control more processes, systems, methods and decisions. Having greater control of the day-to-day operations of a company can help minimise the probability and impact of risk. This is because it can help spread the risk over many operations, thus reducing the severity of the risk event. However, the need for greater control can also cause the need for greater side integration (Anderson & Gatignon, 1986), which can be difficult for companies to achieve.
If the risk event will cause significant issues for an organisation, and is considered a 'high risk', then a company should aim to utilise an avoidance strategy. This would be best because it would minimise or completely deplete the probability of that risk event occurring. However, this can come at a huge expense to the organisation, and consume a substantial amount of resources. On the other hand, if the risk event will have a limited impact on a company's performance, and is considered a 'low risk' event, then a security strategy may be more suitable as it will protect the company's operations and resources from the risk event.
Deciding on the optimum risk management strategy to use can be an incredibly difficult job for any manager to accomplish. If the manager chooses the wrong risk management strategy then the risk event could cause substantial problems for the organisation's financial and market performance. One of the most significant factors that can affect the decision of which risk strategy to pursue is the severity of the risk (OSBIE, 2015).
There are a variety of steps that a risk manager should go through in order to successfully implement a risk management strategy. One of the most important stages of this process is to spend ample time identifying and assessing the risk, so that a clear and concise strategy can be decided upon. If the risk manager acts without knowledge, then they could implement the wrong risk management strategy, thus wasting resources and still allowing the risk event to occur.
Furthermore, the risk manager should attempt to utilise an avoidance strategy in most instances, by predicting any likely risk events that may occur and putting in place any relevant contingency plans to handle these events. However, due to a number of factors including limited resources, it is not always possible for a company to do this, in which case they should focus on a risk management strategy that limits the effects of the risk event, instead of avoiding it completely. The majority of risk events can be spotted with careful planning and analysis, and some sort of action can be put in motion to at least limit the effects of the risk event that will occur.
References
Anderson, E. & Gatignon, H., 1986. Models of foreign entry: a transaction cost analysis and propositions. Journal of International Business Studies, 17(3), pp. 1-26.
Finkel, A., 1994. Worst things first: The debate over risk-based national environmental priorities. 1st ed. Washington: Resources for the future.
Hallikas, J., Virolainen, V. & Tuominen, M., 2002. Risk analysis and assessment in network environments: a dyadic case study. International Journal of Production Economics, 78(1), pp. 45-55.
Harland, C., Brenchley, R. & Walker, H., 2003. Risk in supply networks. Journal of Purchasing & Supply Management, 9(2), pp. 51-62.
Hester, R. & Harrison, R., 1998. Risk assessment and risk management. 1st ed. Cambridge: Royal Society of Chemistry.
Hillson, D., 2001. Extending the risk process to manage opportunities. International Journal of Project Management, 20(3), pp. 235-240.
Hopkinson, M., Close, P., Hillson, D. & Ward, S., 2008. Prioritising Project Risks: A Short Guide to Useful Techniques, Buckinghamshire: Association for Project Management.
Juttner, U., Peck, H. & Christopher, M., 2003. Supply Chain Risk Management: Outlining an Agenda for Future Research. International Journal of Logistics: Research & Applications, 6(4), pp. 197-210.
Kaplan, S. & Garrick, J., 1981. On The Quantitative Definition of Risk. Risk Analysis, 1(1), pp. 11-27.
Manuj, I. & Mentzer, J. T., 2008. Global Supply Chain Risk Management. Journal of Business Logistics, 29(1), pp. 133-155.
March, J. & Shapira, Z., 1987. Managerial perspectives on risk and risk taking. Management Science, 33(11), pp. 1404-1418.
Michalski, L., 2000. How to identify vendor risk. Pharmaceutical Technology, 24(10), pp. 180-184.
Norman, A. & Jansson, U., 2004. Ericsson's proactive supply chain risk management approach after a serious sub-supplier accident. International Journal of Physical Distribution & Logistics Management, 34(5), pp. 434-456.
OSBIE, 2015. Select Appropriate Risk Management Strategies. [Online] Available at: http://osbie.on.ca/risk-management/manual/SelectStrategies.aspx
Oxford Dictionary, 2015. risk. [Online] Available at: http://www.oxforddictionaries.com/definition/english/risk
Rhee, S. J. & Ishii, K., 2003. Using cost based FMEA to enhance reliability and serviceability. Advanced Engineering Informatics, Volume 17, pp. 179-188.
SCU, 2015. Risk Likelihood and Consequence Descriptors. [Online] Available at: http://scu.edu.au/risk_management/index.php/4
Stanleigh, M., 2015. Risk Management...the What, Why, and How. [Online] Available at: https://www.bia.ca/articles/rm-risk-management.htm
Yates, J. & Stone, E., 1992. The Risk Construct. 1st ed. New York: Wiley and Sons.