Risk assessment is a tricky business. By definition, risk is somewhat unforeseeable; you can predict what risks exist, but how exactly they’ll play out is outside of your hands. A much maligned Donald Rumsfeld quote about risk comes to mind. To paraphrase, in risk management there are known risks, there are unknown risks, there are risks with known consequences, and unknown risks with unknown consequences. Identifying risks is the key to mitigating their potential to cause problems – making the unknowns known, so to speak.
While it’s tempting to categorize risk into known knowns, known unknowns, and unknown unknowns, simply to keep with the Rumsfeld quote, we can expand on this categorization in some useful ways:
Let’s call our “known knowns” preventable risks. These are the risks that you’re aware of – they’re in your control and you can reasonably establish what the consequences of those risks might be. Internal losses caused by employee misconduct are one kind of preventable risk. You can easily mitigate the risk by employing internal loss prevention strategies. Wear and tear of equipment is another preventable risk; you know you can lessen it through maintenance strategies.
Our “known unknowns” might be called “strategic risks” – these are risks that are harder to predict, but that you take in order to expand your business. The simplest example of a strategic risk is a loan. There are a lot of unknown variables involved, and you’re banking on business growth to ensure the loan (plus interest) is worth your while. Strategic risks are the lifeblood of most business growth.
“Unknown unknowns” can be called external risks; they’re outside of your control, and to a certain extent, impossible to know. Take, for example, the strategic decisions of your competitors; while you might guess at what they will do, their choices are, for the most part, outside of your control. The importance of insurance for your business is, more often than not, to lessen external risk.
Categorizing risk is essential to identifying risk, because it enables you to conduct research specific to the type of risk you’re trying to avoid.
You can conduct research into all the types of risk we identified above. You already conduct research into strategic risks – market research, for example, is used to make sure you’re positioning yourself properly, and enables you to correctly evaluate whether or not financing a particular venture will pay dividends.
Researching cutting-edge methods of internal risk management, from new loss prevention techniques to weighing maintenance-to-replacement costs, can help you reduce your preventable risks in very predictable ways.
External risks are much harder to research, though competitor research and SWOT analyses might help you in this category. We’ll address external risks in a more detailed manner in the “Play Games” section.
Insurance companies, like Paradigm Insurance, employ research as the core of their risk analysis model. Without continuous research into market trends and internal controls, you are more likely to fall prey to risks; a pessimistic attitude is helpful in these matters.
You’ve certainly experienced losses in the past. These losses don’t have to be viewed through an entirely negative lens – by asking why your business lost market share, profits, or anything else, you can shed light on which risks can negatively affect your ventures.
Asking “why?” on its own is a somewhat effective tool for risk analysis, but you can expand upon this thinking in a number of novel ways. An excellent method of asking why is the fishbone diagram, which helps illustrate the multifaceted possible causes of a problem. The 5 Whys are another good way of going about things; ask yourself “why” a minimum of five times to try to approach the root of a problem. When a problem’s roots are addressed, you can successfully shrink risk in a number of areas.
Feedback from a wide variety of stakeholders, be they customers or shareholders, can help you assess your risks. Customers are most valuable for assessing strategic risks – they can help you determine whether or not a potential product or service will be worth the cost of loans, research, development, and roll-out.
People are not pessimistic enough. This may come as a surprise, especially in the world of business. Too much pessimism can stop you from taking worthwhile risks. Nonetheless, it’s best, when evaluating risks, to establish worst-case scenarios. When it comes to risk, we tend to be overconfident in our assessments, and too prone to linear extrapolations on data. This is problematic, because risks carry unknowns, so there will be, by definition, data that you’re lacking.
Do research into cognitive biases, logical fallacies, and other methods of rationality. Finding out where the blind spots in your own thinking are is essential to being able to properly identify risks posed to your company.
Risk management is not a one-person process. In order to truly identify and manage all the risks your company is exposed to, you need to develop the risk analysis skills of every member of your organization.
This can be expedited by employing facilitators who can run seminars on risk management. What’s more, when a perceived risk appears, these facilitators can be points of contact for employees who want to report the risk. The facilitator can then help assess the severity of the risk and come up with strategies to mitigate it.
We’ve looked at a few methods of identifying preventable and strategic risks. External risks are much harder to approach because they can only be thought of hypothetically, and not easily controlled. In order to bring these hypothetical risks to light, it can be useful to play games.
War games are a concept you’ve undoubtedly heard of; they’re just as useful in the boardroom as the war room. Each team can roleplay as a competitor, taking into account their assets, liabilities, market position, and more. From that point, establish a number of different avenues those competitors might pursue, then develop strategies your company could use if your competitors do in fact pursue those avenues.
Scenario planning is another game, but it’s more useful for rather large multinationals. In scenario planning, you take the role of various countries and other non-business entities, and create scenarios which would be to your business’s detriment (or boon). A business whose scenario planning included a pandemic, for example, would be particularly adept at managing the problems that have come about as a result of our present circumstances with COVID-19.
Evaluate Risk Interplay
A particularly tricky thing about risks is that they don’t exist in a vacuum. Say, for example, an external risk causes you to lose a substantial amount of cash flow. You may then find it difficult to pay back lenders, causing problems for your strategic risks. Furthermore, you may find yourself unable to pay for maintenance for some equipment, exposing your business to preventable risks. This is why it’s important to always adjust your planning, and to consider how one risk may affect other risks.