Each of us, as individuals and business owners, faces risks all day, every day. There are risks to our health and safety. For example, advancing age is a risk factor for everything from arthritis to a heart attack to Alzheimer’s Disease. Statistically speaking, you’re more likely to land in the hospital (or the morgue) when you’re 80 than when you’re 25, everything else being equal. Of course, there’s no such thing as “equal” in nature, or in behavior. Heredity and personal habits are among the factors that increase or decrease our risk, as is risk awareness.
There are forever risks to our financial well-being. Whether we save any of our income, where we put our savings, what those banking and financial institutions do with our savings, the uncertainty of the stock and job markets – all of these and more are risks we take or ones that are forced on us. But, what do we mean by “risk”, what kinds of risk do we face in business, and – most importantly – how do we deal with risk?
What Is Risk?
Risk is loosely defined as either the possibility of loss or injury or as someone or something that creates or poses a hazard. In business, risk is the combination of (a) the likelihood we’ll encounter an adverse event and (b) the severity of that event’s consequences. The risk matrix (below) is probably the best-known method of describing and analyzing risk.
Some organizations use a 3×3 matrix, while others use 7×7 or larger matrices. Some have the “consequence” axis going down instead of up. All have the same purpose, though. They’re easy to understand, which makes them an excellent tool for communicating with management. They also help us prioritize – which risks we need to address first, second, and so on.
What Kinds of Risk Do We Typically Encounter in Business?
Rather than try to provide an encyclopedic view of business risk, I’ll provide a few examples. There are four general categories of risk we encounter, which are:
- Financial risk
- Strategic risk
- Operational risk, and
- Hazard risk.
Financial risks include cash flow, credit, and interest rates. (Obviously, we’re at risk of negative cash flow when we don’t sell enough product.) Strategic risks include changes in our line of business, the level of competition, changing customer demands, and (increasingly) intellectual capital. Our intellectual capital is at serious risk due to the ubiquity of the Internet and globalization.
Operational risks include our own information systems and technologies (i.e., Is IT helping or hindering our strategy?), regulatory changes, and the effectiveness of our supply chain. The fluctuating price of fuel is an operational risk for everyone in business, no matter how large or small. Hazard risks include our employees (absenteeism, performance, skills, training, etc.), our products (e.g., quality is declining, don’t have features the public wants), and natural disasters (e.g., March, 2011, Japan earthquake/tsunami), ongoing drought in Texas).
How Do We Generally Deal with Risks?
There are four general risk management categories:
- AVOIDING risk – For example, we stop developing a product because the risks outweigh the expected benefits, we postpone a merger because the cost of borrowing has increased, or we sell a product because it would cost too much to keep it competitive;
- MITIGATING, or REDUCING, risk – We act to reduce the likelihood and impact of a given threat (e.g., we install failure detection technology and auxiliary power sources to reduce the risk of down time on our websites, we get flu shots);
- TRANSFERRING (or SHARING) the risk – To reduce the impact of a threat (e.g., a prolonged power outage), we’ll buy insurance or join a risk pool; and
- ACCEPTING the risk – This means we do nothing to affect the likelihood or impact of an event. The cost of managing the risk to an asset may exceed the cost of repairing or replacing it. (For instance, how many of you are willing to buy a seller’s $39 extended warranty on a toaster that cost you $49?)
How Should We Address Specific Risks?
There are many ways small businesses can address particular risks, not all of them good (re, “the law of unintended consequences”). In our next post, we’ll delve further into risk awareness, risk management planning, and risk management systems. Until then, take care.
- “Risk Management Standard, A”, Institute of Risk Management, London (2002) – http://www.theirm.org/publications/documents/ARMS_2002_IRM.pdf.
- ISO 31000:2009, “Risk Management Principles and Guidelines”, Institute for Organization and Standardization (ISO), 2009 – http://www.iso.org/iso/catalogue_detail?csnumber=43170.