4

Which Risks Do We Need to Be Concerned About?

“I feel like I am king of the world, or at least I am on top, and want to go out that way.” Allison P.

It was a 41° Celsius May morning when I next met with PJ Investment’s (PJI’s) management team. As I led them into our room they noticed numerous flipchart sheets taped to the left and right side walls, but the sheets were folded in half, so they could not see what was on them. Their curiosity was high, which is what I desired, but they would have to wait to satisfy their curiosity. I needed to ease them into what I knew would be an exhausting session.

There is a saying that goes, “It is not the same to talk of bulls as to be in the bullring.” Therefore, today, we will grab the bull by the horns and face the situation. This, in essence, is the first step in managing risk.

“The last time we were together I asked each of you to make a list of the possible risks or obstacles that both you and your employees felt this organisation faced. The 21 sheets on the left side of this room show what you came up with.” (My assistant opened the sheets, so that participants could see the data.) “There are 169 unique risks that employees in this organisation are concerned about.”

Selecting one of the newer additions to the management team, Sondra, I asked her, “What does this long list of risks tell you?”

She replied, “It tells me several things. My company faces a lot of issues each day, many that could undermine our success. It also helps me to understand why we are going through this training with you, but suddenly I’m worried about our future. Should I be?”

I said, “Before I answer your question, Sondra, would all of you please turn your attention to the information on this chart?” I pointed it out. “As you are aware we surveyed your employees and asked them to describe this company’s readiness to deal with surprises or unexpected challenges. We gave them six categories to choose from.”

I am confident that we are ready. 8%
I believe we can handle unexpected surprises. 11%
I think we can in some areas but not all areas. 27%
I do not have a lot of confidence that we can handle unexpected surprises. 44%
I believe we are not ready for surprises. 7%
I have no opinion or do not know. 3%

“We received 291 anonymous responses to the survey, which means 72% of your employees responded. Notice in the percentages that the rule of 80/20 applies. Only 20% of your employees have confidence that this organisation has the ability to handle risk, and 80% do not share this confidence. This tells me most employees are not sure that you are capable of dealing with these identified risks.

“Sondra, you asked if you should be worried. As an important decision maker in this company, based on the statistics, should you be concerned?”

Sondra answered, “I think I should be.”

Immediately Paul raised a hand, looked at me sternly and said, “Ron, I disagree with your conclusion to the survey. I concede there are certain parts of the organisation that employees perceive as not managed well.” I noticed that he glanced over at Justin as he said that. “But I know there are many business units that manage their risks well. Maybe the employees in those safe areas did not answer the survey.” I sensed that Paul was provoking a fight.

The normally relaxed Justin stirred in his seat, and before he could defend himself I said, “I agree with Paul that there is a difference in how risk is managed in this diverse organisation, but rather than trying to justify or dismiss your employees’ opinions, we will complete an exercise that explains the employees’ responses.”

Enterprise Risk Management Step One: Obtain Consensus on Allowable Risk

Risk Management Tool Two: Process for Gaining Consensus on What Risk Looks Like

These were my instructions to each small group:

  • Individually, write out the phrases or terminology you would use to define the word risk. In other words complete this sentence, “Risk is...”

  • Read your definition out loud to the other members of your group.

  • As a group please boil the essence of your individual responses into one combined definition you all can agree on. This will take time and patience. Your final product must be one that the six of you will support.

This exercise demonstrates that there is a wide variety of ways for people in your organisation to see and define risk. The outcome of your hard work will jump-start the process of gaining a consensus on a commonly acceptable definition of what is risky and what is the cost you cannot afford.

All humans want to be successful, but most do not take the risks that are necessary to achieve success. Why? The answer lies in how people view risk: something desirable or something to avoid.

When it comes to understanding how we humans look at risk in two very different ways, the “Uncertainty Domino” helps. If you have never played traditional dominos, I assure you it is a fun game. Every domino tile contains two numbers, either of which can be an option for play. Similarly people can look at risk in either of two ways: as a problem or an opportunity.

Some of your internal employees will see risk as a problem because they focus on the problem, know the dire implications of risk failure and let their fears come into play. Many employees see risk as a problem because that little voice in their brain says, “I don’t think I should be doing this.”

An equal number of people see risk taking as a great opportunity and would define the risky choice as a chance to try something new or a thrilling experience. For all employees to embrace risk with a common attitude, you need to learn this next truism:

Sixth Principle of Risk Management

Risk taking is in the eye of the beholder.

How to Create a Consensus About Risk

It took several hours for each group to finish writing their consensus-driven definition of risk. My assistant and I taped each handwritten sheet to one wall.

The next step is for everyone to walk around and study the various definitions that each group wrote down. Compare these definitions to your own group’s response. You will see some terminology or concepts that are similar and terminology that is different. Next go back to your tables and write down any similarities you noted.

“I would like you all to turn your attention to the flipchart pages on the right wall of this room.” (My assistant unfolded the sheets that were filled with words.) “Through our survey process we asked your employees to answer the same question that you addressed. You will notice that the range of descriptors they used for risk is similar to yours, going from pessimistic to optimistic. Remember in our survey we asked employees to think generally about their views before they responded.”

The following are the most common answers to how others define risk:

  • Doing something different

  • Going outside of my comfort zone

  • Scary

  • Worth the effort

  • Something that has an upside and a downside

  • Putting something valuable on the line that I could lose or that could be harmed

  • The unknown or X-factor

  • Where I could get hurt or harmed

  • A goal or destination that may not be achievable but is worth trying

  • A means to an end, hopefully rewarding or beneficial

  • A movement forward despite any downside

  • A gamble

  • Something to avoid at all costs

What You Will Discover in a Common Definition

Your primary objective is to craft a commonly accepted definition of risk that all employees will internalise and use in their daily decisions.

By going through this exercise of examining different employees’ views of risk, you will discover a diversity of definitions, with opinions ranging from the optimistic to the pessimistic. Some people will focus on the upside or payoff (worth the effort), and others will focus on the downside or pain (I could get hurt). Others will give you a balanced definition (something that has an upside and a downside). I am always amazed at how pessimistic some internal managers tend to be when discussing risk. Likewise I am never surprised when externally focused managers and executives see risk as something necessary, inevitable and rewarding.

When you compare all the various employees’ answers, you will discover several trends in similar responses. It is important not to get hung up on the specific wording but instead to focus on the message behind the words. Your goal in Step one is to get the leadership body to arrive at a consensus on a mutually acceptable definition for both risk and risk taking. Based upon my experience, a well-conceived consensus will almost always be a balanced view.

Why Defining Risk Is Necessary in Enterprise Risk Management

Murphy’s Law of Opportunity Blindness

The person who created the mess is clueless and always blames others for his or her mess.

Every organisation is striving to achieve a level of success that is uniquely and individually defined.

Because of recent changes in the world of corporate governance, boards of directors and other stakeholders of corporations are more wary of risk. Therefore, to ensure their job security, CEOs must become acutely aware of the need to develop more systemised means to measure and manage everyday business risks. Numerous experts agree that there is far less tolerance by stakeholders (especially in public organisations) for the executives who fail to prepare for a disaster of some sort. This leaves boards, shareholders and executives searching for broader and better ways to manage risk in order to achieve their goals and ensure strategy viability. Thus the entire organisation must focus on the causes of risk instead of the traditional method of treating only the symptoms or focusing on protection through insurance.

The recent economic crisis and nearly fatal events of 2008 and 2009 created a significant awareness of the need for risk management and the widespread consequences of undetected risk. Boards of directors are now focusing on risk management efforts within their organisations and are posing questions to CEOs about how their organisation identifies, assesses, monitors and manages those risks. This trend is especially evident in companies outside the financial services industries. This new focus and awareness has fostered activities such as improved governance, risk assessments, risk initiatives and enterprise risk management (ERM).

Step one of an effective risk management programme is necessary to ensure that every decision maker in your organisation is on the same page about the costs you cannot afford. As you will discover in this activity, there are many different views of what is risky. Without a common or mutually accepted view of risk, some employees will behave like they have a blank cheque when it comes to being innovative or attempting new things.

Evaluating Risk

Murphy’s Law of Risk Ownership

Denial is the tool used most often to define the problem.

Now that your leadership has come to a consensus about risk, it is time to look at the risks your organisation faces and to classify these risks. Risk can be evaluated in a variety of ways, including immediacy, size, impact and scope.

Immediacy of Risk

Top risks, as identified by 168 senior finance executives in a survey conducted by CFO Research Services and Liberty Mutual Insurance Company in June 2010 and published in the July/August 2010 issue of CFO magazine, are as follows:

  • Financial exposure (an operational risk): 51%

  • Supply chain or logistics disruption (an operational risk): 37%

  • Legal liability or reputational harm (a strategic risk): 35%

  • Security breach (an operational risk): 23%

  • Technology failure (an operational risk): 33%

  • Natural and man-made disasters (an external risk): 21%

  • Physical asset failure (both strategic and operational risks): 8%

A common fallacy in risk management is the belief that the more imminent the risk, the more you must mitigate it, but this next truism defines reality.

Seventh Principle of Risk Management

The more time you give yourself to plan for any risk, the more options you have. The less time you provide for planning, the fewer options you have.

In ERM your risk portfolio is sorted into possible risks, probable perils, immediate threats and disastrous crises.

Right after I explained this to PJI’s management team, I received the inevitable question, “How can we tell the differences?”

I replied, “It is your risk management team who assesses each risk and its consequences by conducting a risk triage with specific tools. You will learn how to use these tools before you are done with this material. What I need you to remember is the importance of time. When you provide yourself with sufficient time, you can better manage, mitigate or reduce almost any risk.

“Let’s assume you face this risk. You are very concerned that a profitable line of business will be shut down because of a potential government regulation in the works. Think about ways that you could respond and protect yourself using the following time frames. Assume you have an advance notice of

  • 90 days.

  • nine months.

  • three years.”

Notice you could accomplish more in the three-year time frame than the 90-day one. This is why a systematic process for evaluating, sizing up and mitigating risk is the core of ERM and why you analyse all types of risk. How you face up to each one will vary depending on its size, impact and scope.

Size of Risk

In ERM, as your team assesses each risk using risk triage, each harmful or disastrous risk gets placed into a portfolio category. At times a risk can qualify for more than one category. Each organisation has its own definition for portfolios, but in general the sizes of risks will be sorted by the following portfolios:

  • global or universal.

  • specific.

  • immaterial or negligible.

  • emerging.

Eighth Principle of Risk Management

Formal risk management is getting in the habit of frequently and broadly asking, “What could undermine our mission and business model?”

Global or Universal Risk Portfolio

These perils are your strategic and external environment types of potholes, which makes it challenging to determine their size and impact, but you must do this because their cost can be expensive and their impact extensive.

Specific Risk Portfolio

These perils could possibly affect a specific area, such as turnover, operations, brand or intellectual capital. They are more tangible to size up and define, making your determination of the cost you cannot afford easier.

Immaterial or Negligible Risk Portfolio

These are everyday perils you face and believe will not be harmful or costly, yet it is crucial not to overlook them. Many companies make the mistake of believing that any risk in this category is unimportant and not worth the effort, which is equivalent to denying the existence of Murphy’s Law. Quite often a perfect storm occurs when several normally manageable risks “blow up” at the same time.

Emerging Risk Portfolio

This portfolio of risks is actually the scariest of all because they require the most attention, yet due to the numerous constraints on management’s time, they rarely get managed or monitored. These risks often start out as rumours or distant rumblings, and thus are ignored or discredited because there seems to be no visible substance to them until it’s too late.

The spring uprisings that occurred in the Middle East in 2010 and 2011 are examples of emerging risks that quickly became global ones. Later you will discover a tool that aids you in better assessing the size of a risk.

Impact of Risk

As your risk management team conducts its ongoing assessments of particular risks and determines their immediacy or size, they also attempt to define their impact. The common categories of risk impact are

  • disastrous.

  • disruptive.

  • painful.

  • negligible.

The key measure of impact is how much and how likely the risk will affect your organisation’s viability. Your team must seek out answers to the question, Could this particular risk affect our

  • business model?

  • revenue stream?

  • operational capabilities?

  • reputation or brand?

  • physical plant?

  • financial condition or cash flow?

  • intellectual capital?

  • employees?

  • other stakeholders?

Scope of Risk

As your risk management team attempts to get a handle on the size and impact of a particular risk, they should also analyse its scope. Scope in risk management is defined as the impact zone. This analysis is simultaneously done when assessing impact. A major risk to a key area will also most likely affect your profits, business model and one or more stakeholders. For example an earthquake similar in size to Japan’s in 2011 that damages your building could also displace employees, lower earnings and distress certain physical assets.

Back to PJI

I could tell that the managers were somewhat overwhelmed by all the different ways they would have to slice and dice risk. After a long break I paused and solicited questions.

Q: Why does ERM put risks in so many different classifications?

A: You manage all risks as a combined package instead of individually. The approach you take to deal with the risk depends on its classification. A high-level danger that the whole organisation faces is managed one way, but the daily pitfalls inherent in an employee’s job are managed another way.

Q: It feels like the management team will spend a majority of its time hunting for risks. Is that true?

A: If you look at risk management from the standpoint of it being rarely done, it may seem that the executives and others will spend an inordinate amount of time looking for dangers. The reality is that, with a systematic approach to risk, doing this becomes a normal part of everyone’s job. Before e-mail became the accepted way for business communications, it was normal for the nonuser to believe he or she would spend a whole day addressing all the e-mails in his or her inbox. Now that we have all learned how to use e-mail, it is an ordinary responsibility of your job.

Q: Who gets to decide the classification of the risk? What happens if there is disagreement on the portfolio, size, impact or all of these?

A: It is the risk management team, sponsored and supported by the senior executives, who decide the classification of a specific risk. There will be disagreement because of the “Uncertainty Domino” I explained earlier. Some employees on this team may view a risk to be minor, but others may believe it is major. It is in the discussion about the risk’s assumptions where the primary work of risk management gets accomplished.

Murphy’s Law of Risk Catalyst

Denial is the greatest contributor to the existence of Murphy’s Law.

How to Make an Internal Strategic Risk Assessment

When it comes to evaluating risk, leaders need to take a view that involves focusing more attention on truly understanding the risks inherent in the organisation’s strategy and tactics. A risk management process must also reflect and support the organisation’s culture, so the concept gets embedded and then owned by your organisation’s management. If both risk assessment and risk management processes are excluded from the firm’s DNA, leaders will never own or treat them as an integral part of their day-to-day management.

Risk Management Tool Three: Strategic Risk Assessment

The Institute of Internal Auditors (IIA) is a great resource for information and tools to deal with the downsides of risk. Although its primary mission is to support the internal audit community, internal auditors are valuable contributors to ERM. In large companies the internal auditor regularly examines operational areas where potholes are likely to exist.

One of the IIA’s tools is the self-assessment presented in Exhibit 4-1 and designed for senior managers, executives and board members to create a global awareness regarding risk. As you go through it, see how many of these you can honestly answer “Yes” to. Each “No” answer indicates an aspect of ERM that you need to be more concerned about.

Exhibit 4-1 Strategic Risk Assessment

Is there a process within the organisation responsible for assessing and monitoring risk?

Do I have assurance that controls are operating as planned?

Is there a thorough and an appropriate reporting mechanism within the organisation that allows for adequate checks and balances for fraud prevention and risk management?

Do I have assurance that financial and other information is correctly reported?

Are risk management, control and governance processes being evaluated and reviewed for efficiency and effectiveness on an ongoing basis?

Do I have a clear understanding of enterprisewide risk and the organisation’s key areas of vulnerability?

Does the organisation have an operational system for managing risk?

Is there an internal process within the organisation for adding value to and improving operations?

Are the organisation’s stakeholders provided with reliable assurances that their investments are protected?

If I were not a part of management or the board, would I be comfortable with the assurances provided to me as a stakeholder?

Am I able to sleep at night without worrying about risk in the organisation? Am I comfortable that all risks have been appropriately addressed?

Source: The Institute of Internal Auditors. Altamonte Springs, Florida. www.itaudit.org.

At the May session I asked PJI’s managers and executives to complete this assessment. They discovered to their horror that the firm as a whole was not very sensitive to risk. This was not surprising because a majority of large and small organisations fail to consistently practise formal risk management.

What Strategic Risk Management Is

Now that I had their (and your) undivided attention, I presented the seven facets of a global assessment of risk. Strategic risk management is

  1. a process for identifying, assessing and managing both internal and external events and risks that could impede the implementation of strategy and reaching strategic objectives.

  2. a formal structure with the ultimate goal of creating and protecting value for the owners and all other stakeholders.

  3. a primary component of the organisation’s overall ERM structure.

  4. effected by the board of directors, management and others as a component of the firm’s overall ERM programme.

  5. something that requires a strategic view of risk and a consideration of how external and internal scenarios will affect the ability of the organisation to achieve its objectives.

  6. a continual leadership-level process that must be embedded in firm strategy by setting, executing and managing it.

  7. viewed as a core competency at both management and board levels.

Three Examples of Tools to Assess Risk

Later in this session I demonstrated specific tools we could immediately apply to three specific risks that PJI currently faces.

Risk Management Tool Four: Risk Tolerance Questionnaire

This tool, shown in Exhibit 4-2, is a series of layered probing questions that will aid you in determining your tolerance level or the cost you can afford. Determine, before you undertake your next urgent strategic initiative or action plan, the full consequences of the failure to achieve the desired outcome. Compare the potential losses, including the softer, hard-to-measure ones, to the alleged or expected payoffs.

Exhibit 4-2 Risk Tolerance Questionnaire

Name the goal __________________

Why are we undertaking this goal?

What is the designed impact?

How is this goal connected to our mission?

What is the specific risk in this goal that we can afford to take?

What is the risk that we cannot afford to take?

At what point will the cost of completing this goal be considered too much to bear?

Risk Management Tool Five: Critical Risk Questionnaire

This tool can be used to identify the scope of a potential risk and consists of specific questions that will help you look at risk differently. Exhibit 4-3 shows six very important questions that need to be asked before the risk is undertaken:

Exhibit 4-3 Critical Risk Questionnaire

Specific risk or vulnerability ______________________

What is the worst that can happen?

What is the best that can happen?

What is the most likely outcome?

What are the negative effects of the likely outcome?

How can we handle the negative effects?

How will we minimise or protect ourselves against the negative effects?

Risk Management Tool Six: Critical Risk Path

This tool can be used to identify the implications of the decision to be made about an opportunity and a risk known as the critical risk path. Figure 4-2 shows the tool. Walking through this step-by-step process before the organisation takes a major risk will help you and others make smarter decisions. Please do not assume this tool is simplistic, because its value lies in what comes after your initial decision.

Once you have determined the likelihood, you move to the choices you have to deal with the risk. One option is to accept it (knowing the cost cannot hurt you). Another option is to minimise the risk. There are plenty of actions to take before undertaking the risk to keep its impact or cost low. A third option is to insure, but that does not mean that insurance is your only option. Sharing the risk by partnering with another firm or putting a stop-loss through a limited investment of both time and money are ways to insure the risk. Best of all, your three options are not mutually exclusive. For example, you could accept part of the risk, insure part of it and closely manage it, so that you minimise the potential downsides.

Three Case Studies

Case Study: The Risk in Giving Incentives to Certain Employees

Using Risk Management Tool Four to Gauge Risk Tolerance

Karl is the vice president of human resources for PJI. Weeks before, we had discussed a programme he was about to implement that would offer administrative employees a bonus if they met certain goals. At my suggestion Karl held off on rolling out the programme until we could test for pitfalls.

“Karl, please answer the questions in this tool.”

What is your goal? “We need our administrative employees to work smarter. If they do we become more profitable, and I think we should share the saving with them. The incentive will be a carrot for them to be more productive and efficient.”

Why is PJI undertaking this goal? “We want to increase the productivity of our support people, so that as we grow, we do not need to hire more people.”

“So you are assuming that PJI will grow and that people are underutilised, correct?”

“Yes,” he said.

What is the designed impact of this goal? “Our payroll costs will go up, which will be offset by an increase in productivity and less head-count.”

How is this goal connected to PJI’s mission? “PJI’s mission is to convert problems into opportunities. I see this goal as taking the problem of underutilised people and converting it into work products that are more in line with employees’ skills and talents.”

“From this do you feel your admin employees have the talents but are not performing at a level equal to their skills?” Karl nodded in the affirmative.

What is the specific risk in this goal that PJI can afford to take? “Both Tracy (the CFO) and I believe that paying more money out in compensation will pay for itself in having a better revenue-per-employee ratio. We also agree that when employees can handle higher-level problems, the investment managers will have more time to manage their business units.”

What is the risk that you cannot afford to take? “I won’t tolerate our compensation, which includes the incentive pay, going up, but we still have to hire more people to get the work done. Another risk is that we lose some of our best employees from overloading them with work because other employees are not stepping up.”

At what point will the cost of completing this goal be considered too much to bear? “Currently our employee-per-revenue ratio is at $600,000. From past experience we hire five employees every time we acquire a new investment. If, after a year of offering the incentives, this metric does not improve, and we increase support personnel by the same amount, I will deem this programme a failure.”

I asked Karl to take his seat and turned my attention to the entire group.

“At this point in the tool you start a dialogue on the potential pitfalls and things that have not been considered. In your small groups I would like you to discuss these five questions:

  1. How can we deal with the productivity issue without incentives?

  2. How do we strive to retain our best employees without the incentives?

  3. What would employees think if we offered them an incentive programme and then, a year later, take it away?

  4. How could employees obtain the incentive yet not be more productive or valuable?

  5. Based on your interactions what is the likelihood that the incentives alone will induce a majority of the administrative employees to be more productive and valuable?”

The Result

After the groups reported in and presented their conclusions to Karl, he told us, “I can see I did not think this through very well. The likelihood of this getting the behaviours we desire is small. My team and I will go back to the drawing board.”

I thanked Karl and asked, “Aren’t you glad you found out the pitfalls in your initiative before you implemented it, rather than finding them out 12 months from now?”

Karl had a relieved look on his face as he said he was glad.

Case Study: The Risk of Doing Business in a Third-World Country

Using Risk Management Tool Five to Identify the Scope of Risk

I selected an investment executive to demonstrate the power of the second tool. “Juanita, you are leading the effort to acquire a company with mineral rights in Mozambique, Africa. Would you say that this could be a major risk?”

She replied, “Yes. It is risky because we do not have experience doing business there, and I hear stories about the poverty and corruption that currently exist in that part of Africa.”

“Why does PJI want to make this investment?” I inquired.

“Our opportunity is that there is a growing demand for black tourmaline in electronics. If we do not act swiftly, someone else could beat us to this company.”

“The question you face therefore is, Do we go through with the purchase: yes or no?”

For everyone’s benefit and to show the effectiveness of the tool, I walked Juanita through the tool step by step.

What is the risk? “We have a golden opportunity to bring a rare mineral to market just as demand for it is growing.”

What is the impact of doing this? “If our geological studies are accurate, and we manage this properly, our initial $3m investment could grow to $10m within four years. However we are investing in a third-world country where the government is unstable, and there is little in the way of infrastructure. A big unknown is the potential need for a security force to protect the mine’s employees and operations.”

What is the worst that could happen? “We could lose all of our initial investment plus the additional money we put into the company.”

What is the best that could happen? “We could generate a greater than average return of our $3m-$4m outlay within four years, plus we have an asset that we could sell.”

What is the most likely outcome? “After a learning curve of six to ten months, the income stream and cash flows would become stable and then grow. Before our opportunity window closes, a company already doing business in that area might buy us out.”

What are the negative impacts of the most likely outcome? “I can think of three:

  1. We would be hard-pressed to find another opportunity like this one of investing in a rare precious mineral for the booming American electronics market.

  2. We would not generate our desired return on investment (ROI) of three.

  3. We might be induced to sell our stake in the company at less than full value due to the political instability in that region.”

How would you handle the negative impacts? “Right now I predict we could:

  • position the company for sale from the start.

  • get a regular appraisal of the unrecovered minerals every six months.

  • lower our ROI threshold from 300% to 200%.

  • strive to maximise the amount of profits and cash flows in the first two years of operation.

  • induce the mine’s customers to sign long-term contracts.”

How would you minimise these negative impacts? “We could:

  • hire an experienced geologist/mining manager to oversee the operations.

  • look for a strong financially secure partner located in Africa.

  • seek out the latest mining best practices and use them.”

“Using this tool, Juanita, you now have the outline of a strategic action plan on ways to mitigate the risk while protecting your investment. Do you see that?”

“I do. That was not painful at all.” She said this with a big smile.

Case Study: The Risk of New Technology

Using Risk Management Tool Six for Acting or not Acting

For the next example I selected Tracy, PJI’s CFO. “Justin told me that you are in charge of making the ‘Yes’ or ‘No’ decision on investing in a cloud-based information system for the entire company. Have you made your decision yet?”

“No,” she said.

“Let’s walk through the critical path tool on the information that you have already gathered.”

How would you define the opportunity? “We want to become a virtual company, so that project managers and portfolio executives can work wherever the company they manage is located. We spend nearly $1m dollars annually on airfare. Because many employees are visiting our investments, we don’t need a desk for every employee. I feel we have more office space than we need. By having a company-wide database that uses cloud computing, we could be more responsive and flexible by giving employees access to information wherever they are in the world.”

“Tracy, assume you say ‘No’ to this opportunity.”

What are the impacts or negative results of saying “No”? “So far I thought of three:

  1. Our managers will continue to travel back and forth.

  2. We will continue to rely on paper reports sent out via e-mail.

  3. Our current information system is rapidly becoming obsolete, so we will still spend a large amount of money upgrading it yet not get the cost savings I want.”

What is the likelihood that these negative results will take place if you say “No”?

This question is very important because you now have to quantify the risk.

Tracy said, “I estimate a 50% probability that we would not acquire a cloud-based database system because not all the executives are sold on it. Plus I estimate there is a 90% probability we will have to invest nearly $500,000 to upgrade our current system.”

How would you ensure that these effects will not be too costly or detrimental? “I would invest in a database that would allow us to use cloud computing later instead of now, but as rapidly as technology changes, I estimate there is a 40% probability this would be a bandage and not a solution.”

How would you accept this risk? “I and others would explore other ways that allow our managers and executives to not have to travel to Phoenix.”

How would you minimise this risk? “I would launch a study on alternative ways for us to end our reliance on stand-alone workstations and desktops. If we decide not to move to the cloud for our data and communications management, there must be other alternatives.”

“Tracy, we now will switch gears and assume you say ‘Yes’ to this opportunity.”

What are the impacts or negative results of saying “Yes”? “We will need to

  • invest in expensive laptops for managers to use.

  • beef up security.

  • train everyone in the organisation on how to use the system, so we obtain a maximum benefit quickly.

  • allow adequate time to integrate this new system into our operations and then change our existing processes.

  • decide how best to utilise about 70,000 square feet of office space that could be freed up.”

What could be the negative results of saying “Yes”?

  • “If we fail to train properly to use the new system we will never obtain full value for our huge investment.

  • We will face some resistance from employees who will be uncomfortable using this new system.

  • If we fail to address security, relying on the cloud makes us more vulnerable than we are today.

  • Of course with any undertaking like this, if we don’t manage it well, it could take longer.

  • If our current system ‘dies’ before the new one is ready, we would have a big problem.”

What is the likelihood that these negative results will take place if you say “Yes”? “I like to estimate the odds:

  • Not doing adequate employee training: 90%

  • Not overcoming employee resistance: 20%

  • Increasing system vulnerability: 30%

  • Conversion failure due to improper management: 40%”

How would you ensure that these effects will not be too costly or detrimental? “Starting from the moment that the decision is made to acquire the software, we must begin training everyone on how to use it properly.”

How would you accept this risk? “Recognise that there will be resistance in whatever system we switch to. Therefore we must work closely with all the managers and executives to ensure adoption through ongoing training and daily usage. In addition we must accept that by relying on the cloud, technology vulnerability increases.”

How would you minimise this risk? “I think we would need to

  • strengthen our security procedures.

  • find ways to generate income from the extra office space, such as moving some of our smaller investment companies into that space. This will also help our cash flows.

  • hire an experienced project manager to run the conversion and make sure the project gets funded and staffed and receives a top priority status.”

The Result

“Tracy, what do you think of your ability to make a quick decision now?”

She said, “I can see our risks and mitigation strategies much more clearly. I am eager to spend more time on this analysis, so I can make a decision sooner.” Employees who were in favour of the cloud system applauded Tracy as she sat down.

Onward

Room for Improvement

Ernst and Young surveyed senior executives across all industries about their risk management efforts. The findings:

Ninety-six per cent of executives say their company’s risk management processes leave room for improvement.

Only 6% of organisations planned to significantly expand risk management resources over the next 12-24 months.

Thirty-two per cent of organisations anticipate a slight increase in investing in risk management.

Source: http://www.cfo.com/article.cfm/14457815?f=search

Steps one and two of your risk management programme require leaders and key decision makers to annually sit down and examine risk. At this meeting you should dispassionately define what is considered risk taking and the costs you cannot afford. Over the life of the organisation this definition will dramatically change.

If your organisation fails to take the first two critical steps in implementing a risk management programme, you will find employees who take on more or fewer risks than they should. Employees will focus solely on either the upside or the downside of a risk, depending on their personal frame of reference. Some employees will ignore or overlook activities or decisions that contain risk, but others will overdramatise the odds of failure. None of these is a good outcome because you will end up in PJI’s situation: unprepared for the risks that are inherent in running an organisation.

I closed the session with the advice of another expert.

“The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning.” Charles Tremper

Your Action Plan

Step One

Complete the strategic risk assessment for your organisation. Even if you cannot answer a question, think about its implication for your company or firm. Describe, in general, what this says about those you work with and for.

Step Two

Think of an important personal or business opportunity, risk or challenge that you currently face. Use the critical risk questions on it. How did the questions help you? Is the challenge as big as you thought before going through the questions?

Step Three

Use the same important opportunity, risk or challenge as before, or select a new one. Walk your decision through the steps of “should I or shouldn’t I?” using the critical risk path. How did the map help you? Is the challenge of saying “Yes” or “No” as frightening as you thought before using this tool?
