4 steps to better risk identification and mitigation
As a direct result of the rigged emissions scandal, Volkswagen incurred over Euro 25 billion of costs, in addition to the loss of brand value and reputational damage. Banks have had to pay billions in fines for what was essentially a failure in operational risk management – in the same way as for inadvertent sanction breaches. Samsung took a USD 10 billion loss due to a failure in vendor risk management.
Although risk management has always been in force, it was the 2008 financial crisis and subsequent events which really spurred a rethink of how risks are managed. This crisis was the result of a rare “black swan” event and it called into question the practice of using historical data to predict the probability of future events. Corporate risk management has since undergone considerable change and here we take a very brief look into the resulting best practices to improve the process and structure.
Step 1: Risk identification
The process of risk identification varies significantly by sector, by type of organisation and even by project. In a mature industry, potential risks are generally well known, and failure is usually not the result of an unexpected risk but rather of not managing a known risk properly. For a company at the growth stage, however, there can be numerous unforeseen dangers, and this is where management experience is essential to identifying them in advance.
Step 2: Screening and impact analysis
Prioritising risks in order of severity and impact is undoubtedly the most important step, as it determines the level of resources dedicated to mitigating specific risks. Risks are usually ranked in order of their probability-weighted impact.
There are certain risks which are numerically quantifiable in terms of probabilities and expected losses. However, certain types of risk, such as reputational or political risk, require a more subjective analysis. Some organisations rely on weighted factors to calculate these risks, while others use historical data. None of these models is perfect, however, and this imperfection itself needs to be accounted for as model risk.
Step 3: Risk mitigation planning and strategies
The risk mitigation process aims to minimise the impact of an adverse event. The exact process varies depending on the type of industry and type of risk, but the broader strategy falls into one of these areas:
Avoidance – changing business strategy to avoid a high-risk event. For example, delaying the launch in a new country until local elections are over.
Controlling – putting thresholds or other controls in place and then monitoring them for any breaches. Risks are not avoided here but rather kept at an acceptable level.
Hedging – a simple example would be an airline buying future oil contracts to hedge against the risk of a future increase in oil prices.
Transfer – transferring risk to a third party, for example by buying insurance protection.
Maintaining flexibility – the ability to quickly change direction in the case of an adverse event.
Step 4: Monitoring and feedback
This is essentially the feedback loop. Whatever strategies have been put in place, these are monitored to assess their effectiveness. Internal or external risk management professionals may be tasked with stress testing and providing feedback. The result of this analysis is then fed back into the existing risk management structure.
In summary, the basic structure of risk management has not changed a great deal. What has changed, however, is how risks are weighted and prioritised.