5
WHEN Is It Appropriate to Plan for Risk?
“I wish we had taken the time to plan for the unexpected and the ridiculous.” Mark R.
Just when I did not think it could get any hotter, it was. Phoenix, Arizona, would reach 45° Celsius today! I would use the heat, which Arizona natives are used to, as another lesson in enterprise risk management (ERM).
Plan for Risk before It Happens
Standing in front of PJ Investment’s (PJI’s) management team, I asked them, “How do you plan for this intense heat?” I received many puzzled looks, which was my intent.
“Let me restate this question. Imagine that a cousin of yours, Vanessa, who lives in Reykjavik, Iceland, announces she is moving to Phoenix and wants you to advise her on how she should adapt to the summer weather, something Vanessa has never experienced. Think about this question as I relate a story about a client’s pitfall.”
Mark’s Failure to Anticipate Risk
Mark and Mary had a passion for helping others. Early in their marriage, even though they were living pay packet to pay packet, they committed to one day starting a foundation to help children afflicted with Apert syndrome.
Mark’s younger sister was born with this rare disease. Catherine, or Cat, as her family called her, was never treated for it because her parents could not afford the expensive test and surgeries. At that time there was no funding or other form of support for young victims of this random disease. Cat’s life, as Mark saw it, was one misery after the other. Due to her abnormally shaped head and fused fingers that resembled fins, Cat was frequently made fun of and spent most of her life indoors as a way to shield her from the embarrassment and unwanted attention.
When Mark and Mary made this pact to fund early medical intervention for infants born with Apert’s syndrome, they had no clue where the money would come from, but that did not deter them. Over their first 30 years of marriage, they saved what they could (approximately $750,000), which got the M&M Foundation started. Then three unrelated events took place that Mary considered a blessing and Mark called good timing. They could now afford to fund their dream.
First, Mary won the state lottery in which she collected $5m after taxes. Next, Mark patented one of his many ideas and sold it for $1m. The most surprising gift was from Mark’s aunt, Minnie. Upon Minnie’s death her family discovered she was a saver and died with over $2.3m in her savings account. She willed this money to the M&M Foundation because she also had witnessed the sad impact the syndrome had on Cat’s life.
On his fiftieth birthday Mark retired and devoted his full-time attention to running the foundation, which had accumulated $10.2m in cash resources. Mark, who is more of a dreamer and visionary than a planner, spent most of his time managing the investments and meeting with Apert syndrome research organisations. He also brainstormed with doctors and hospitals to determine the best ways to fulfil the numerous requests he received to pay for early detection and surgery. These came from anguished parents, similar to his Mom and Dad, who could not afford these costly procedures.
Once he took the CEO role full time, Mark was frequently reminded by Mary to write out a management plan to ensure that the foundation was properly managed and would continue to exist beyond their lifetime. Each time Mark promised her that he would, but he didn’t. Because he hated sitting behind the desk and writing out his thoughts, Mark procrastinated on this obligation.
In its fourth full year of operations, the M&M Foundation was hit by two unexpected lawsuits. One was from a family whose son died from complications of the surgery to correct his cervical spinal fusion. Their punitive damages claim for $10m was directed at the hospital, the surgeon and the foundation that funded the surgery. Seven months later an ambitious solicitor convinced a potentially unethical research organisation to sue the M&M Foundation for $5m. The reasoning, as stated in the lawsuit, was that “Mark’s decision to not fund their research was a capricious and badly researched decision.”
These lawsuits put Mark into a state of panic. He had never considered that the people and organisations he dealt with wouldn’t always take the high road.
For the next year Mark and Mary spent considerable time and personal and foundation money to defend their dream from the two lawsuits that their solicitors described as “frivolous yet winnable.”
Mark’s Pitfall
Mark assumed that the compassionate purpose of this foundation, its reputation and deep pockets could never be a magnet for people who want something for nothing. He was unprepared to deal with time-consuming and wasteful events, such as defending his foundation from these lawsuits.
Mark was correctly spending his time setting the vision for his foundation, but he also needed to spend time envisioning the best way to protect his organisation’s future. Both are vital leadership responsibilities that are done simultaneously.
Back to PJI
“Let’s return to my question. Walk through your thought process, on paper, of how you would prepare cousin Vanessa for a typical Phoenix summer. Remember she spent her life in Reykjavik, where the winters get down to -15° Celsius, and the summer temperatures rarely rise above 20° Celsius.”
I broke them into small groups and provided each with a flipchart, requesting they list a step-by-step process to help Vanessa prepare for a Phoenix summer. When they were finished we reviewed each team’s process and then condensed those into a comprehensive process. The major steps were
establish a new mind-set.
change her wardrobe.
relocate in fall or winter.
live in a house or an apartment with a good air-conditioning system.
drive a car with a working air conditioner and park it out of the sun.
adjust her diet, and tell her to drink a lot of water.
adjust her daily schedule (eg, do not go outside between 10.00 am and 5.00 pm).
never put herself in a situation where she is outside for long periods of time.
monitor her health (heat stroke usually is detected after it’s too late).
make the transition one step at a time (it will take several summers to fully acclimate herself).
After we reviewed the steps I pointed out, “Please notice that in your plans for Vanessa’s care and ability to deal with the extreme change in climates, she would need to prepare herself before she encounters the intensity of a Phoenix summer.”
In ERM you must examine risk where it starts. If you consistently do this, you quickly will have the capability to prevent, avoid or minimise costly perils. Then as you drive down the road, any inevitable potholes you encounter will be less detrimental to your journey because, like Vanessa, you will face them with a sense of confidence and preparedness.
Murphy’s Law of Risk Timing
Disaster seems to occur on Friday afternoons, weekends, holidays, vacations and when you are away from your desk.
Risk management is not a programme, but it is an attitude and awareness. It is not enough to have a risk management structure in place, you must practise risk management. According to conventional wisdom the pessimist sees the worst, the optimist sees the best but the realist sees the best of both, which is the attitude you want to instil in your own risk management programme. If employees believe the sky is falling, they will pick apart every action and decision while looking for the pothole. If employees think nothing can go wrong, they will miss or ignore the potholes. Your goal is to propagate the attitude that we will take risks and be on the lookout for the potholes along the way because they exist. The confidence to act with realism is built by seeking out the true sources of risk.
ERM Step Two-Seek Out the Global Sources of Risk
ERM is a broad set of processes that apply across the entire organisation. It enables the achievement of the entity’s objectives in four realms:
Strategic objectives
Operational objectives
Reporting objectives
Compliance objectives
The first two objectives are covered in this chapter, and the latter two will be covered in later chapters.
ERM is the best practice for overall risk management in highly successful organisations and is quickly becoming the standard as an integrated approach to managing a broad spectrum of risks called a risk portfolio. It is a strategy for overcoming the preferred and dangerous “silo” approach to risk management in which different groups or teams within the company focus on different sorts of risks, with little or no interaction between them: “siloed” risk management.
Risk portfolio is a view of risk in an aggregate manner. In ERM, risk is viewed from an organisation-wide perspective, known as a holistic, an integrated or an aggregate approach. Risk is addressed in a portfolio manner to create a consistency of approach and communications. In most companies informal risk mitigation is more likely to be performed on an ad hoc basis and done separately, described as a “silo” approach. This is where managers are responsible for managing only the specific risks of their individual functions. For example, the purchasing department is responsible for managing the commodity price risk, and the treasury department takes ownership of foreign exchange and interest rate risk. This approach lends itself to certain risks going unnoticed because no single employee is uniquely accountable.
If an organisation adopts the integrated approach to risk management, it must evaluate the entire portfolio of risks that it faces globally and locally.
ERM offers you a holistic methodology for identifying, assessing, quantifying and addressing strategic, operational, market, financial and human risks in order to optimise your organisation’s risk-reward profile.
Organisational value in ERM refers to the ongoing worth of your organisation. In a public company this is measured by its market capitalisation. In a privately held company it can be measured by tangible net worth. A non-profit making company’s value could represent the nonprofit’s fiscal health or viability. In formal risk management you are attempting to protect this predefined value from being harmed or diminished by unwarranted risks.
Strategic Objectives and ERM
Just as a river has a source, all your highest-level risks have one too: the way you define your organisation in your mission or purpose and business model. A company’s business model is made up of two components:
The organisational structure and processes
The impact from opportunities faced and decisions made
If your organisation is unable to perform or execute its strategy, you risk execution failure. To prevent this you need to focus on the results generated from the structure of your marketplace and business model. Three specific global risks reside within the theory of your business model:
Strategic risk
Operational risk
Innovation risk (this topic was covered in chapter 3, “WHY Is Risk Management Important to Us?")
Strategic objectives are 10,000-metre goals aligned with your organisation’s mission. Any internal and external events and scenarios that can inhibit your organisation’s ability to achieve its intended objectives are named as strategic risks. Strategic risk management is a critical part of the organisation’s overall ERM process. Strategic risk starts the moment you create a business model from a mission.
Today’s leader needs this high-level view of his or her road to success because it is easy and dangerous to lose sight of the big picture. As you fly over to see things like detours, avalanches and washed-out roads, you are looking far ahead, so that your journey is safe and prosperous. Traditionally, senior leaders do some of this work as they conduct strategic planning that generates a budget.
Relationship of Strategic Planning and Risk Management
Strategic planning is managing change and overcoming risks and must become a process in which global risk can be identified and dealt with. The standard flow of strategic planning is shown in Figure 5-1:
Strategic planning starts with your mission statement because it sets your organisation on a course and instigates change from today’s status quo to where you want to be in the future.
A basic outcome when you engage in strategic forecasting is your actual strategic plan: the measurement of your mission. In this document you identify specific metrics and methods of measuring whether you are accomplishing your mission over the next 18-24 months. Specific global risks can be measured, so you can monitor them.
Information from the strategic forecasting flows into the second product—your operating plan—that identifies the bricks, mortar and people you need to achieve each specific objective in your strategic plan. The annual operating plan defines where you are heading and what you will commit to accomplishing in the next 12 months.
Out of your operating plan comes the third product: your financing plan. In this document you highlight the methods of payment for the bricks, mortar and people required to fulfil your operating plan. These are the questions that get answered in the financing plan:
How much of the money will come from internal sources and profits?
Will some of the funds come from outside investors?
Will additional funding be required from our banks or other lenders?
Finally, after the financing plan, you produce three more products detailing your fiscal plans: the operating budget, capital budget and balance sheet budget. These three documents become your control and feedback systems over the risks and changes you instigated with your mission and strategy.
This holistic view of your planning process serves to remind you that you really need to plan your journey carefully because there will be potholes on the road to success.
Because of the necessary holistic approach, your ERM programme consists of your operating plan, financing plan and the three budgets. What goes terribly wrong in most organisations is that your leaders perceive risk management as a function of insurance. From this flawed view the job of risk mitigation is delegated to the CFO or risk manager, if the company even has a formal position for a risk manager; many do not. Yet, CFOs and risk managers are rarely included in the leader’s strategic planning process. This means that your executives embark on a global plan, ignoring risks or underestimating the risks’ costs, and then turn the risk analysis over to the employees, ultimately dropping the hot potato in the risk manager’s lap and asking, “Do we have adequate insurance coverage for this journey?”
As you can see from Figure 5-2, making this fatal blunder will not really protect the firm from potholes. Your ERM programme needs to be a key agenda item at all strategic thinking sessions when the leaders are devising their plans for next year. This is when they must define risk, as we did in Step one.
Assessing Your Strategic Risk
Strategic risk is defined as the inability to prepare your organisation for competitive pressures and customer satisfaction. Three threats may compromise your strategy:
Integrity risks, including ethical lapses, that harm your reputation and brand
Reputation risks that harm your reputation and brand
Intellectual capital risks that harm collective wisdom and trade secrets.
The executive team should focus on the identification and management of strategic risks, which are those risks that are most consequential to your organisation’s ability to carry out its strategy, achieve its business objectives and protect or build value. The 10,000-metre level focus of strategic risk management is not intended to identify every risk that you face but only to identify those that are most significant and can harm your organisation’s ability to achieve its core business strategy. A focus on strategic risk reinforces the direct relationship and critical linkage that connects your strategy to the execution and then to your risk management structure, as shown in Figure 5-3:
The entry point of a strategic risk assessment is designed to identify your organisation’s strategic risks and action plans that will address those risks. The strategic risk assessment tool is described later in this chapter. Your strategic risk assessment is a systematic and continual process for assessing significant risks that an organisation faces and will provide valuable insight to both your executives and board. A key responsibility for a board of directors is to deeply understand the organisation’s strategies and associated risks and to verify that the management team practises proper risk management.
These steps you go through define a basic high-level critical process that allows for tailoring and customising the plan’s execution to reflect the maturity and capabilities of your organisation. The steps also show that your strategic risk assessment is an ongoing process, not just a singular event. It is a process designed to reflect the dynamic and ongoing nature of risk and to become a circular process that should be ongoing while continually improving as learning takes place.
The National Association of Corporate Directors published the article Key Agreed Principles to Strengthen Corporate Governance for US Publicly Traded Companies in September 2011, which states the following:
“For most companies, the priority focus of board attention and time will be understanding and providing guidance on strategy and associated risks . . . and monitoring senior management’s performance in both carrying out the strategy and managing risk.”
Source: www.nacdonline.org/Resources/Article.cfm?ItemNumber=2686.
Increased expectations from shareholders, regulators, rating agencies, employees and the general public directed at both directors and executives demand that they understand and manage risks and have a formal risk management process in place. Your leaders must also ensure that there is transparency in the risk management process. Strategic risk management is focused on the most consequential and significant risks to organisational value.
Operational Objectives and ERM
As your firm travels on its road to success, operational tasks and activities in the form of action items must get accomplished on time and on budget, and you want to know about the potholes that will prevent this. In ERM these are called operational risks.
Operational Risk
Operational risk is defined as the losses resulting from inadequate internal control, poor processes, deficient people and broken systems. Managing this potential meltdown requires examining your business from the inner working’s perspective. Sadly most existing financial feedback is inadequate to gauge your firm’s operational risk for these specific perils:
Execution risk, which is the failure to fulfil your strategy and goals
Financial risk, which is the lack of adequate monetary resources
Hazard risk, which is the loss of tools, equipment and facilities
E-commerce and technology risks, which grow each day
The value of managing operational risk is only now gaining recognition. All firms incur operational risk simply when choosing their marketplace and customer base. Business complexity and revenue volatility increase operational risk and so do technology, regulations, your consumer and the global economy. Because they all affect risk, these must be factored into the assessment of your operational risks.
Operational risk management is managing the potential hazards resulting from
inadequate or failed processes or systems,
human factors and
external events
and it requires clearly defined authority and accountability for each sort of identified risk.
Mitigating Operational Risk
Managing operational risk requires a systematic framework that assesses all the non-financial variables that could contribute to your risk portfolio. Timely, accurate and unbiased information is the underlying support system for these next solutions.
The starting point to managing operational risk is to make sure you are collecting the right data. This requires a complete and balanced view of your key business metrics and must include a mix of leading and lagging indicators. Your operational feedback data must be able to describe how all key operations are conducted. By tracking operational indicators and metrics, you will identify opportunities and threats before they affect the company’s finances.
Your risk management programme requires a reporting mechanism for it to work as designed. Here are four solutions that will lower your operational risk while increasing transparency and decreasing rash or unwarranted risk taking:
To minimise any inability to execute, such as insufficient internal capability to deliver as promised, your executives must develop acute foresight and conduct regular in-depth self-assessments on the ability to bring their plans to fruition.
To overcome any information deficiencies, your organisation must combine operational and financial data in order to gain a complete and timely picture of operational risk. This means your managers must decrease their reliance on historical financial data. You need to assemble a list of possible and predictive metrics for your business and then test them to ensure that they correlate the activity to a particular financial impact.
To overcome the danger of not succeeding, your leaders and employees must grow in their ability to both spot and manage risks and convert them into opportunities. By understanding and then assessing your risk profile via regular updates, your tough resource allocation decisions benefit everyone, including your shareholders, customers and suppliers.
To ensure your success is multidimensional, the leaders must routinely access many non-financial factors, such as the quality of corporate governance, employee morale, customer satisfaction, implementation and execution of goals, and applications and deployment of new technology. In ERM a firm cannot afford a singular approach to measuring its operational risk; therefore, you must update your existing accounting system and reporting technology. As you implement ERM you employ numerous tools that enable you to easily measure your operational risk, such as the balanced scorecard, activity-based costing or driver-based forecasting.
No one likes to be in a vehicle in which the person at the wheel drives with his or her eyes closed. Yet most companies rely on accounting and budgeting processes and historical reporting techniques created in the 1930s. The ultimate payoff of relying on multiple and varied operational metrics to predict risks is the strengthening of your overall budgeting process.
When to Apply Risk Management
Murphy’s Law of Foolproof Risks
The failure of only one system will never happen. Instead you will experience the failure of numerous systems that were failure proof.
Once you have established a risk management programme, you will notice numerous everyday activities where you can apply the principles and tools. This next section will define several areas where you can begin to impact and reduce the risk of doing business by applying ERM:
When setting goals
When implementing strategic initiatives
When making everyday business decisions
When identifying opportunities
When tackling threats to your business
When conducting scenario planning
When practising governance
Daily, Monthly and Annual Goals
Operational objectives are the goals and targets established in the conduct of normal business operations. Executives set goals for themselves and their employees as indicators of achievement. These targets or milestones could be related to sales, production, customers or members, or expenses. An organisation fails whenever these goals go unmet; therefore, a huge risk exists if there is no way to determine if operationally oriented goals are not being met. If the goals are unrealistic, and employees waste time working on them, failure is also inevitable.
Managing operational risk is then simply managing the goals and objectives to ensure they are supported, realistic and achievable and then consistently making sure they get accomplished. In every organisation execution of goals related to the operation of the business is priority number one.
New Initiatives
Risk management becomes a way of operating so any time your organisation decides to take on a new project, a major activity or an initiative, the group of people who are making the decision automatically will do a risk analysis. By maintaining an awareness and a global mandate, potholes and perils will need to be addressed. The advantage of ERM is that this becomes a standard way of thinking, and over time people will soon forget they are doing a risk assessment. Analysing how Murphy’s Law can affect your future becomes part of your daily work routine.
Everyday Business Decisions
Similar to how risk assessment enters into your big long-term decisions, the act of sizing up potential perils in your everyday business decisions also becomes a standard protocol. It can be difficult for those who have never been through a risk management process to understand that in every key business decision, there could be a potential pitfall.
In ERM, because you have embedded in your organisation’s cultural awareness that risk could be costly and must be addressed up front, people will adopt the habit of reflecting on the potential downside of their decisions. ERM does not prevent decisions nor slow them down. It does help decisions to be comprehensive, and it makes employees, especially key decision makers, aware that their decisions have repercussions beyond the present moment.
Opportunities and Threats
Practising ERM, as it is designed, means your firm is alert to opportunities. Each day your employees miss out on lucrative opportunities. Do you recall a time when you saw an opportunity, missed it and later found out that someone else grabbed it? Frustrating, isn’t it? This regularly occurs because of a natural tendency known as confirmation bias. We tend to notice data that confirms our existing belief system and ignore or discredit information that challenges that bias.
Being able to capitalise on the opportunities in your strengths, limitations, opportunities and threats (SLOT) analysis starts with paying attention to subtle clues, such as contradictions, incongruities or anomalies, which are all information that does not agree with conventional wisdom or what everybody else believes to be true.
Every day your employees encounter opportunities, but because they are not paying attention, they go to waste. Recall that in risk management, awareness is a fundamental way to uncover risk.
An article written by Donald Sull, professor of strategic and international management at the London Business School, in the autumn 2011 issue of strategy+business magazine names ten opportunities that organisations frequently miss:
A product should exist but does not.
The customer experience is time-consuming or annoying.
The product, service or resource is underpriced.
An innovative idea has not gained traction.
A product or service should be everywhere but is not.
Your customers have adapted a product or service in ways you did not plan for.
Customers (members) should not want a product or service, but they do.
Customers (members) are excited about a product or service you do not offer.
A product or service is in demand elsewhere but not locally.
A product or service, on paper, should not make money but does.
Awareness of information that goes against conventional wisdom is a critical clue that your organisational assumptions need updating. Any situation in which conventional thinking differs from reality is a huge indicator of risk. Leaders who consistently notice and explore anomalies usually are able to capture emerging opportunities before everyone else. Similarly they have less risk exposure.
In Chapter 6, “WHERE Do Our Efforts Need to Be?”, you will be introduced to the SLOT analysis in which two components are your opportunities and threats. In ERM, each time that you go through a SLOT analysis, you are conducting an aspect of risk management by being aware of major threats to your business.
For leaders who are optimistic, the opportunities outcome of the SLOT analysis is where they put their attention. If your organisation has a viable business model, there will always be opportunities to sell more products, provide more services or lower your expenses. In the thoughtful process that goes into a SLOT analysis, as you identify each opportunity and decide when to pursue it, it is natural to do a risk assessment to determine what could undermine the opportunity or prevent you from capitalising on it.
Risk Assessing When Scenario Planning
Running through risk scenarios is one sure-fire method to help you understand risk and its likelihood at the 10,000-metre level. This helps you establish a clear high-to-low internal metric that represents the acceptable and unacceptable costs for the organisation. The more your leadership team runs through scenarios, the better it will understand the causes and forces of risk. Great information will be found in these scenario discussions. Of course leaders need to include not only financial implications of risks (earnings and cash flow) but also operational implications, such as brand, reputation, employment, and oversight of regulators and government agencies.
Scenario planning traditionally has been used by organisations in their budgeting, forecasting and financial planning processes. Today, however, scenario planning is being widely used by both large and small organisations that operate in uncertain or volatile markets.
Two driving forces behind the increased popularity and use of scenario planning are the
rapid and global impact of totally unpredictable events, such as September 11, the Japanese earthquake and resultant nuclear plant meltdown, and the global credit crisis.
accelerating pace at which new trends have an impact.
This scenario planning is focused on finding reasonable and viable answers for three critical questions:
What could happen (define the event)?
How would the event affect us beyond our strategies, plans and budgets?
How should we respond to the event?
Scenario planning is often used as an evaluation tool for an overall risk management process and can aid in the areas of risk appetite determination; capital planning; and credit quality, cash flow forecasting, hedging strategies and insurance coverage selection.
Finance professionals are vital to a scenario planning programme because they help managers better understand the current and future threats and opportunities and convert them into the potential financial impact. Your CFO’s team (or accounting firm) can effectively support a scenario planning effort with these vital tasks:
Analysing the financial implications of alternative strategies under different future scenarios
Testing the sensitivity of key assumptions, financial measures and variables under different scenarios
Developing alternative financial plans and forecasts using different selected scenarios
Defining key performance indicators (KPIs) and leading indicators to track potential triggers
Defining, measuring and monitoring key risk indicators (KRIs) to serve as early warning signals
Monitoring and reporting on internal performance and external indicators likely to impact the current strategy.
As your organisation struggles to deal with an increasingly uncertain world, you can use scenario planning to help you understand your risks and then layout your choices for each one.
We recommend a simple step-by-step process for conducting a scenario analysis on a selected issue that concerns you. Each step describes the outcomes and tasks. Steps two and three can be simultaneously accomplished. The most important step is the first one because everything you do after this one is based upon consensus on the basic principles or assumptions.
Step One: Define Your Objective and Scope. Write out the issues, decisions and key variables to be evaluated. Set the scope of the study and the time horizon to be considered. Obtain consensus on the approach, select the team members and seek senior management’s commitment if they will not be intimately involved. Finally select the tools you will use to test the scenarios.
You can address four broad types of scenarios in your scenario planning exercise:
Social conditions
Economic conditions
Political conditions
Technological conditions and changes
After you have agreed on the issue(s) to be studied and defined the scope and time horizon, these key information bits should be documented, confirmed and communicated to everyone involved in the scenario planning process.
Before conducting a scenario planning exercise, be clear about the issue that you want to address, and define the appropriate scope and time horizon for the scenarios you will construct. Be sure to answer these four questions that will help you determine if scenario planning makes sense and assist you in defining both the scope and objectives:
What decisions are we trying to make?
Is there a high degree of uncertainty about the future?
Is there is high uncertainty?
What is the time horizon for making decisions and executing them?
Step Two: Define Your Key Drivers. Identify the key external drivers that are likely to influence the scenarios. Define the major internal variables that need to be addressed. Establish critical relationships between the drivers, looking for relationships of cause and effect.
Scenario planning is a projection of things that will shape your organisation’s future and a tangible way of understanding the driving forces or causal factors that affect your desired future, such as
changing demographics.
war, conflict or hostilities.
weather conditions.
political pendulum swings.
globalisation.
technology changes.
environmental sustainability efforts.
Step Three: Collect and Analyse Data. Collect both quantitative and qualitative data, as well as expert opinions. Assess the predictability and impact of the selected key drivers. Define the appropriate measures to keep track of your key drivers.
Step Four: Develop Scenarios. Construct different scenarios and develop a narrative description for each one. Test these scenarios using the data you collected. Update each scenario as necessary, and set the criteria for evaluating both the strategies and tactics. You will likely need to use a technology tool that allows you to easily and quickly conduct sensitivity analysis.
Step Five: Apply Scenarios. Test the sensitivity of the strategies and tactics under each scenario. Formulate contingency plans, and establish risk mitigation strategies. Communicate these plans and strategies to all stakeholders.
The scenario plan you produced from these activities allows your organisation to make fast, confident decisions by providing a sound basis for evaluating the impact of changing conditions.
Step Six: M aintain and Update. Integrate the KPIs and KRIs into your regular management reports. Refresh the data, and update scenarios as needed over the selected time horizon. Repeat as needed.
Tool for Measuring Risk
It was time for the managers to learn another risk management tool.
Risk Management Tool Seven-Risk and Opportunity Measurement and Management Strategy Grid
A risk measurement and strategy grid is a common matrix that is often used to assist decision makers in fostering smarter decisions. It also applies to effective risk management.
This tool comes in three parts. The first, represented by Figure 5-4, is to help you determine the significance or impact of a particular risk. Each risk you analyse is defined by its probability or likelihood of occurring and its impact on your business or future. If a particular risk is both impactful and highly probable, it will be a high risk. If the risk is impactful but has a low probability of occurring, that it is a medium risk, as is a risk in which the likelihood is high, but its impact is low. Finally a low risk has a low probability and impact. Even small risks need to be analysed because they could grow, worsen or be underestimated.
Part One-How to Use the Risk and Opportunity Measurement Grid
Step One: Identify the risk and/or opportunity. At times, they can be one and the same.
Example: Your organisation is seeking to obtain a long-term contract with a government agency for your products. You are one of two suppliers that submitted sealed bids. However, your competition is more experienced in this arena. The future of your company depends on winning this business. If you do not get the order, you will need to lay off employees and significantly cut spending.
Step Two: Estimate the upside for an opportunity or the downside for a risk.
Example: If you win this contract, it could mean about $50 million in new business.
Example: If you do not get awarded this contract, you will have to cut the operating budget by 20%.
Step Three(A): Determine the likelihood of the upside as a probability.
Your marketing director estimates that you have a 65% chance of being awarded the entire contract. However, the agency has the right to split the overall contract between your firm and the competition. The marketing director has no idea how much business you could get if the split happens.
Step Three(B): Determine the likelihood of the downside as a probability.
If you do not get any part of the order, there is a 90% chance you will need to cut spending immediately.
Step Four: Determine where the upside and downside risks will have their biggest impacts to your organisation. If there is more than one, you can apply this step to each area. The impact could be to something tangible such as sales (turnover), profits or cash. And it could impact things such as your brand, reputation, or viability.
Example: If you are awarded the full order, it will significantly improve the viability of your organisation. If you do not get any part of the order your cash balances will take a big hit.
Step Five: Use the grid to determine the size of your opportunity.
Example: Regarding winning the business, you think the probability is high (left side) and the impact will be high as well. Your opportunity falls into the “high risk” category, as shown in the upper right-hand quadrant.
Step Six: Use the grid to determine the size of your risk.
Example: Of course, if you do not win the business, you will be in dire straits. That can be slightly tempered in that you might be awarded part of it. Based upon thoughtful analysis, you think the probability of running out of cash is low and the impact on your business, should it happen, is high. Therefore, this risk falls into the “medium risk” category, as shown in the lower right-hand quadrant.
Step Seven: Next you turn to the second grid for your approach to managing the risk.
Part Two-How to Use the Risk and Opportunity Management Grid
The second part of this tool, in Figure 5-5, assigns each quadrant a number, which indicates a management strategy to use. This tool focuses mostly on the negative impact of both opportunities and risk. Remember, even upsides and windfalls have a cost attached to them that you may not be able to afford.
Step Eight: As before, go through the same thoughtful process for the opportunity. Focus on the potential negative impact of it.
Example: If you are awarded the entire contract, you will have to ramp up production quickly. Since there has been a hiring freeze for some time, getting your production facility up to speed will requiring hiring expensive temporaries, buying large quantities of materials and depleting your cash balances (and tapping lines of credit) until you get paid by the agency.
Step Nine: As before, go through the same thoughtful process for the risk.
Example: You are feeling some pessimism that you will get the full order and assume that your firm will be awarded about 20% or $10 million in new orders. This will mean no further layoffs but you will need to carefully watch cash balances and expenses carefully for the next year.
Step Ten(A): Use the risk management grid tool to determine how you will manage the risk inherent in this opportunity
Example: Since you believe you have a 65% chance of being awarded the entire order you think that the likelihood of the drain on your cash will be high. You also think that the negative impact on your liquidity will be high as well. This means this opportunity falls in Quadrant IV (upper right hand quarter).
Step Eleven(A): Next, you turn to the Risk and Opportunity Management Strategies Matrix, in Table 5-1 to determine how to best manage the “cost” of your opportunity.
Table 5-1 Risk and Opportunity Management Strategies Matrix
| Quadrant | Risk Level | Meaning | Management Strategy |
|---|---|---|---|
| I | Low | This is a small pothole. | Acceptance: Accept this as a normal operating reality. |
| II | Medium | This is a large pothole that could hurt you. | Awareness and Monitoring: Stay aware of this, conduct regular monitoring, and consider reassessing in the near future. |
| III | Medium | This is a large pothole that could hurt you. | Awareness, Monitoring and Planning: Increase awareness of this, conduct ongoing monitoring and develop a contingency plan. |
| IV | High | This is a major pothole that could seriously undermine your success. | Managing, Insuring and Exiting: Appoint a manager to manage it, “insure” it by partnering, sharing or purchasing insurance coverage, and develop an exit plan. |
Example: The downside of your opportunity falls in Quadrant IV. Therefore your strategy for managing it becomes “Managing, Insuring and Exiting.” This means you appoint a responsible senior executive as the point person of this risk, you consider ways to insure yourself as well as develop an exit plan should Mr. Murphy make his appearance in the form of an employee strike, fire in your production facility, the inability to obtain a much needed raw material, etc.
Step Ten(B): Next you turn to the risk of getting only part of the order. After careful study, you think that the likelihood of the strain on your working capital will be high and the negative impact will be low. (Your organisation has been on an austerity budget for 16 months, so what is another 12?). Therefore the risk falls into Quadrant II.
Step Eleven(B): Using the Risk and Opportunity Management Strategies Matrix again you determine the best management tool for the “cost” of your opportunity is “Awareness and Monitoring.”
Step Twelve: This last step is to move ahead with your plans. Should any conditions change significantly up or down, go through these steps again.
Example: The downside of your opportunity falls in Quadrant IV. Therefore your strategy for managing it becomes “Managing, Insuring and Exiting.” This means you appoint a responsible senior executive as the point person of this risk, you consider ways to insure yourself as well as develop an exit plan should Mr. Murphy make his appearance in the form of an employee strike, fire in your production facility, the inability to obtain a much needed raw material, etc.
Part Three-How to Use the Matrix Values and Impact Zones Tables
Some organisation’s leaders want a more statistical method for measuring their risk before deciding what to do. That is where the rest of this tool comes into play.
The third aspect of this tool, Tables 5-2, 5-3, and 5-4 are used to assign numerical rankings and management responsibility to particular risks and opportunities.
Step One: Define the risk or opportunity in as much detail as possible.
Step Two: Use the Risk and Opportunity Measurement Grid (Figure 5-4) to decide the level. First select the probability as either high or low. Be clear about how you define each of these terms. Then do the same for the impact or significance, as either high or low. Be clear about how you define those because you want to use consistent definitions as you examine a portfolio of similar risks.
Step Three: Use the Matrix Values from the Criteria Ranking Table (5-2) to assign your risk or peril a relational number from 1 to 9 with nine being the highest.
If you believe your risk is a level 10, then it needs to be treated as a crisis, eg, the explosion at the Japanese nuclear power station.
Table 5-2 Criteria Ranking Table
| Area of Significance | Probability | Priorities | Ranking |
|---|---|---|---|
| Global or strategic or cultural (10,000 metres) | High | High | 9 |
| Global or strategic or cultural (10,000 metres) | Medium | High | 8 |
| Operational or capability or marketing (10,000 metres) | High | High | 7 |
| Global or strategic or cultural (10,000 metres) | Low | Medium | 6 |
| Operational or capability or marketing (10,000 metres) | Medium | Medium | 5 |
| Administrative or activity (100 metres) | High | Medium | 4 |
| Operational or capability or marketing (10,000 metres) | Low | Low | 3 |
| Administrative or activity (100 metres) | Medium | Low | 2 |
| Administrative or activity (100 metres) | Low | Low | 1 |
The second table (5-3) is the Alternative Matrix Criteria Ranking Table. They both show the same numerical rankings. The first is more linear than the second. Use the one that is easier to explain to people.
Table 5-3 Alternative Matrix Criteria Ranking Table
| Probability is... | Numerical Ranking | ||
|---|---|---|---|
| High | 6 | 8 | 9 |
| Medium | 3 | 5 | 7 |
| Low | 1 | 2 | 4 |
| Significance | Low | Medium | High |
Step Four: Define where the greatest impact of the risk or opportunity will be. You have three choices: 1) the Global or Strategic or Cultural (10,000 meter) level; 2) the Operational or Capability or Marketing (3,000 meter) level, and 3) the Activity or Administrative (100 meter) level.
Examples: A natural disaster will be detrimental to all three levels so it has global impact. A limited general strike could be detrimental to making or delivering your products so it is classified as having an operational or capability impact. A fatal car accident involving a key non-executive employee will likely have the lowest level impact, so you classify it as activity or administrative.
Step Five: Use the Risk or Opportunity Management Responsibilities Matrix (5-4) to define who would be responsible and accountable for both monitoring and managing the specific risk.
Table 5-4 Risk or Opportunity Management Responsibilities Matrix
| Matrix Value | A rea of Impact | Opportunity or Risk Managed by | |||
|---|---|---|---|---|---|
| Global | Operational | Activity | Primarily | Secondarily | |
| 7–9 | ✓ | Senior executive | Manager or Director | ||
| 4–6 | ✓ | Manager or Director | Informed employee | ||
| 1–3 | ✓ | Informed employee | Informed employee | ||
| 7–9 | ✓ | Manager or Director | Informed employee | ||
| 4–6 | ✓ | Manager or Director | Senior executive | ||
| 1–3 | ✓ | Informed employee | Informed employee | ||
| 7–9 | ✓ | Manager or Director | Informed employee | ||
| 4–6 | ✓ | Informed employee | Informed employee | ||
| 1–3 | ✓ | Informed employee | Informed employee | ||
Step Six: To communicate what your analysis looks like and support why you chose a specific way to handle it, use the next two views of this comprehensive tool, shown in Tables 5-5 and 5-6.
For an effective risk management programme it is wise to appoint a primary manager over the risk that is supported by a second employee. Here is what your final product or report will look like.
Table 5-5 Tool Report Part 1
| Risk Examples | Probability | Significance | Matrix Value |
|---|---|---|---|
| 1) Earthquake or other natural disaster | Low | High | 7 |
| 2) Unauthorised entry into company database | Medium | High | 8 |
| 3) Unexpected loss of CEO | Low | Medium | 4 |
| 4) Vehicle accident | Medium | Low | 2 |
| 5) Employee strike | Medium | Medium | 5 |
Table 5-6 Tool Report Part 2
| Risk Examples | Matrix Value | Managed by | Supported by |
|---|---|---|---|
| 1) Earthquake or other natural disaster | 7 | Senior executive | Manager/Director |
| 2) Unauthorised entry into company database | 8 | Senior executive | Manager/Director |
| 3) Unexpected loss of CEO | 4 | Manager/Director | Informed employee |
| 4) Vehicle accident | 2 | Informed employee | Informed employee |
| 5) Employee strike | 5 | Manager/Director | Informed employee |
This comprehensive tool provides several solutions. It is a tool that a key employee, supervisor and director can easily use and teach to others. It also quickly points out the optimal strategy to manage the opportunity or risk and then shows the most viable employee to take on that responsibility.
Regular use of this tool leads to quicker decision making once specific risks and opportunities are identified.
Case Study: The Opportunity to Invest
For our first case I selected Grace, the treasurer of PJI. Grace said, “I am concerned about temporarily placing $750,000 of our money in a fund that has a wildly fluctuating rate of return.”
I walked her through the tool. “Grace what is your average rate of return on the excess cash you invest?”
“On an annual basis we earn about 2.9%. This fund could provide a return of 7.9%, or we could earn nothing. That is how volatile this fund is.”
“And how much is that in terms of dollars?”
“Roughly $9,000 for the 90 days our money will be in the fund.”
“Grace, what is the likelihood that you would not gain that differential?”
“Based upon my research, the probability I would say is medium to low.”
“Before I ask about the impact, what could happen if you only earned 2.9% or less?”
“I might lose respect for my financial acumen.”
“Is this overall impact to you and the company high or low?”
“The dollars we do not earn would not be large, and when compared to our total earnings from our investments, I would describe this as low.”
“Therefore, Grace, what quadrant does your risk fall into?”
“This would make it a low risk.”
Case Study: The Risk of Losing Qualified Talent
For our second case I asked Mario to describe his concern.
“We own a clothing company that makes an extremely popular high-end hunting jacket. My concern is that sewing is a dying art in the United States, so we will have a hard time finding trained workers with the skills to make a high-quality product. Many of our skilled sewers are retiring in the next 18 months.”
“Mario, what is the probability or likelihood that you will be unable to find qualified employees?”
“In the short run the probability is high, in my opinion.”
“What and where is the impact?”
“Our jackets command a premium price due to their quality. If we are unable to find trained sewers, it could hurt both our profits and brand. Its impact is almost immeasurable because without quality products, we would no longer have the edge over the competition.”
“Therefore, Mario, based on this tool would you say that your risk is a high one?”
“Yes, I agree with you.”
Case Study: Avoiding Termination Blowback
The third case was offered by Letitia, an investment manager.
“I have a performance issue with the VP of operations of my technology company. She is a 65-year-old woman who clearly does not have the talent or interest to run a fully automated production plant. My concern is if we demote her, she would claim age discrimination.”
“Letitia, what is the likelihood that this employee would do this?”
“Very high.”
“And what is the likelihood that the Department of Labor would penalise your company if it believes her story that your decision was based on her age and sex, rather than her competency?”
“I would say that the probability is low because we have documented this issue well.”
“Assuming that the agency did rule in her favour, what is the impact on the company you manage?”
“I would say that the financial impact on us would be negligible.”
“Letitia, based on what you told us what is the size of your risk?”
“It would be a moderately low risk. I now understand how this tool works.”
Lessons from the Case Studies
I asked each manager to summarise for the rest of us how this tool could assist him or her in determining the approximate size of his or her risk.
Grace: “This great tool would help me isolate specific concerns regarding where I place our excess cash. I can use it before I make an investment and later to analyse if I should switch.”
Mario: “I can see that I need to address this now instead of later. This tool helps me to focus specifically by looking at it as two dimensions. This shows me that my risk is a major one, and I must make it a priority.”
Letitia: “I have been stressed about this coming termination but don’t need to be. Due to this analysis I do not need to be afraid of facing this issue, which I have been dreading.”
Onward
I explained today how risk starts with your business model, which is a primary source of strategic risk. Risk management is especially important in business turnaround situations and during turbulent and unstable times. ERM suggests that you use the team approach in assessing strategic and operational risk because proactive cross-functional risk management allows an organisation to deal with potential land mines with optimism.
I ended the day with another quote about risk taking.
“Progress always involves risk; you cant steal second base and keep your foot on first.” Frederick Wilcox
Action Plan
Step One
Does your organisation do the form of strategic planning as shown in the Strategic Planning Flowchart? If it does, how well does it prepare the organisation to deal with risks and opportunities?
Step Two
Think about where you and/or your organisation conduct scenario planning. Does the process generate a list of reasonable alternatives? Does the process consider the cost and size and impact of each option? What aspect of this scenario planning process needs improving?
Step Three
Think of an important opportunity, risk or challenge that you face currently—personal or business. (You can use one you used before.) List the significant impacts, good or bad, it could have on you or your company. Think about the probability of these impacts. Use the Risk Measurement Grid to determine which quadrant the risk falls into.
Step Four
Continuing with the opportunity, risk or challenge in the previous step, focus only on a bad outcome or negative impact. Again think about the likelihood of this occurring or coming to fruition. Using the Risk Strategy Grid, what are your “best” options for dealing with the unpleasantness of your risk or opportunity?