Last week I spoke at a Performance Reporting and Business Improvement conference on the topic of KPIs – Putting the K back in KPIs.
However, what I’d like to talk to you about here is the subject of Risk Management.
One of my fellow speakers was talking about Risk Management, and one of the things he mentioned really stuck with me. He said that “in 30% of projects, key risks were first identified after the contract was signed.”
I find this remarkable. This strikes me as a massive fail in project scope and due diligence, and quite frankly, depending on the size of the project and consequently the potential cost of the risks, rather careless.
The formulas, spreadsheets and models that this expert spoke about for managing risk on a large scale are detailed and not something that I will attempt to go into here. It’s certainly not my area of expertise at that level, but risk management needs to be taken seriously in a business or job of any size.
“Risks are uncertain future events that could impact on the organisation’s ability to achieve its objectives.” – Getting on Board, A governance resource guide for arts organisations, prepared by Graeme Nahkies for Creative New Zealand, Revised Edition, 2014.
Identifying risks is a significant part of the scoping process for any job, project or business plan.
Identifying the potential pitfalls of the business, their underlying causes, and their potential impact is the first step towards managing and controlling such events, and lessening their impact should they occur.
So where to start if you’re a small to medium sized business?
Identifying risks should be part of your business’ SWOT analysis (Threats & Weaknesses). I would suggest taking the time to brainstorm any factors – events or resources – that have the potential to impact the business’ operations and/or cashflow.
These could be internal or external factors and you need to be very honest about this. It can also help to talk to others who may recognise things that you haven’t thought of.
Some examples are customers who go into liquidation and don’t pay, employee fraud, an electrical or IT issue creating downtime, natural events, or even potential changes to legislation.
Determine how risky they are (it can help to give them a weighting), and determine what can be implemented to manage the risks, whether by avoiding, transferring, or minimising them, and at what cost.
The cost of managing the risk should be weighed against the cost of not managing the risk. For example, if fraud is a risk, you can implement a policy of separation of duties for any person in a position of risk. This means that more than one person is involved in the process, and you create verifiable systems, thereby lessening the risk. This is a relatively inexpensive solution to what could potentially be seriously damaging to the business.
(Side note: I know of at least 2 businesses who have been victims of fraud to the tune of approximately $500,000 each over a period of some years. The impact of this was enormous and far-reaching. If you want any help to implement processes to minimise this risk please contact me).
Next, monitor and review. This is not a one-off thing to do. You don’t tick the box and then file it away in a drawer and never look at it again. It should be reviewed and monitored on a regular basis. Business changes and business risks change as well.
Several years ago a significant business risk was losing data stored on an in-house server, and IT professionals implemented backup plans to minimise any disruption to business that this had the potential to create. These days much is stored in the cloud with relevant safety protocols attached to the service. Losing data and systems is still a risk and one with a high impact, but perhaps the risk is lower than it used to be, and the impact and the steps to manage it are easier to deal with.
This story illustrates that things change, but in two different ways. For the business with the server, the risk was losing crucial information and critical systems. But for the IT company, changes to their industry with the increased uptake of cloud-based services have meant that they have had to fundamentally change the way they do business. This would have been seen as a business risk by forward-thinking business owners back then. Managing that risk has meant that their business has had to change with the times and implement additional training and employment criteria. Not managing that risk would likely have seen a business go out of business.
Risk Management is potentially a very big topic, but at the very least each business should be aware of the risks to their business and have plans for them should they occur.
For more detailed info on small business risk management I found the following resources useful:
Cover Image by Andrew Toos.