Understand the Meaning of Risk
Risks can be difficult to identify because they are hypothetical. A risk is not an incident or event, but rather the possibility that one will occur. Enterprise risks involve both potential rewards, such as increased business or profits, and potential problems—theoretical events that could cause financial or other losses or jeopardize the business’s ability to function.
TYPES OF ENTERPRISE RISK
- FINANCIAL RISK This includes bad debt, the interest rate on money borrowed by the business, credit extended to customers, and a drop in the organization’s stock value.
- COMPLIANCE RISK Failure to maintain compliance with government or industry standards can incur hefty fines and reputational damage.
- STRATEGIC RISK A shift in demand for an organization’s products or services is one example; being undercut or outsold by competitors is another.
- SECURITY RISK Data and systems breaches, building break-ins, and theft of proprietorial information by employees are all types of security risk.
- OPERATIONAL RISK What if a major piece of machinery breaks down? Any potential event that could affect business operations is a risk to consider and mitigate.
Not all risks are negative. What if a surge in demand depletes your stock, or too many visitors crash your website? These are the kinds of problems every business wishes it had. But you need to be prepared to mitigate positive risks, too. Otherwise, your enterprise could miss valuable opportunities to increase sales and grow business.
Risk is not what happens after an incident or event. It’s not declaring bankruptcy after your stocks plummet. It’s not calling the tow truck after a car accident. It’s not even the mitigation plan launched when a problem strikes. And it’s not going away, no matter how hard you ignore it.
FOUR WAYS TO HANDLE RISK
Conventional wisdom says there are four ways to deal with business risk: accept it, avoid it, manage the accepted risk by transferring it, or, once risk materializes, mitigate it. But this rule of thumb neglects the most effective risk-management strategy of all.
- ACCEPT Do you drive to and from work? You’re taking a risk— quite a sizeable one, according to the National Highway Traffic Safety Administration. By getting behind the wheel instead of taking a train or bus, you’re accepting that risk. We also accept risks when we fly and when we invest in the stock market.
- AVOID You can also choose to avoid some risks altogether. You can ride a train or bus to avoid the risks incurred by driving. You can choose not to invest in the stock market. Often, though, avoiding risk means foregoing expected rewards: the flexibility of having your car at work, the opportunity to make money on the stock market, and the added convenience and profits from taking your business online.
- MITIGATE For every risk your enterprise accepts, it’s important to have a mitigation plan. Mitigation, however, does nothing to prevent risks from becoming reality. It merely controls loss or damage should the risk materialize and become an incident. What would your organization do if a competitor started taking your business? If your enterprise’s system were breached, how would it protect its data, clients, and customers?
- TRANSFER We may protect ourselves against loss or damage by transferring risk elsewhere. Purchasing motor vehicle insurance transfers the financial risk of driving to an insurer. At work, your enterprise might have cybersecurity insurance or catastrophic coverage.
This four-point framework for risk management is widely used. But it doesn’t go far enough. To manage enterprise risk effectively, enterprises must employ a fifth, proactive alternative, one that we as individuals use every day, but that too many businesses overlook:
- CONTROLLING VULNERABILITIES We enter into risk with the hope of reward—that, rather than lose money or suffer harm, we will gain something. To make our odds more favorable, we must protect ourselves where we are most vulnerable. This strategy helps avoid the negative consequences, such as financial loss or reputational damage, that would occur if our risks materialized.