Risk management is a structured business process that identifies, assesses and manages the risks associated with firms to ensure they remain in good health and able to operate successfully. When done well, risk management therefore helps businesses to achieve their goals.
In recent years, the traditional, narrow view of risk management, where risk was seen as something external to the company, uncontrollable and purely negative, has gradually been abandoned. The modern meaning of risk management is more extensive: it considers the consequences of risks both in the negative sense of a threat and in the positive sense of an opportunity stemming from an unexpected event (for example taking a financial risk).
Risk management is therefore increasingly closely tied to business strategy and culture.
Risk management: some examples of business risk
So what are the potential sources of business risk that need to be managed through risk management? Here are some types of risk, along with some specific examples:
- Accidents, natural disasters and human or technical error. These types of risk are known as operational risks and involve internal or external factors that disrupt the operational continuity of the business.
- Financial uncertainty and large or small financial events such as market fluctuations, financial crises or economic cycles. These economic and financial risks can lead to a loss of capital.
- Legal obligations and failure to comply with rules: these compliance-related risks could mean the company having to pay sanctions and fines.
- Cyber risks. Cyber security is increasingly important, and failures in this area, such as data theft, can lead to economic consequences, disruption to operations and damage to the company’s reputation.
- Reputational risks – negative coverage in the media or bad reviews have always been a potential risk, but social media has amplified this threat in recent years.
- Errors in a business’ strategy can jeopardise the firm and its ability to remain competitive on the market: these are known as strategic risks.
- Plus many more!
These are just some of the types of risk you may come across: a lot depends on the company’s objectives and the sector in which it operates.
How risk management works
So what precisely is risk management? It is a process launched by a company’s managers, a single expert or a dedicated team that considers the impact of various risks on the health of a business: on its services, operations, assets and profit.
The risk management process involves several stages. Put simply, these can be summarised as:
- Risk identification and analysis: identifying the potential risks that could have a negative (or positive) effect on the health of your business and on whether you reach your targets. These risks need to be analysed, assessing the probability of them occurring and what the impact on your business would be.
- Risk assessment. Once you’ve mapped out the risks, you can move on to the assessment. A risk’s value is the probability of it occurring multiplied by its impact: a risk with a catastrophic impact but an extremely low probability of occurring will have a lower value than a more likely risk with a lower impact. This assessment allows the business to recognise and be aware of the risks it faces.
- Risk management. Once you have established the potential risks and their impact, you need to implement strategies to manage them. Some risks can be mitigated, prevented and reduced by lowering the chance of them occurring or reducing the scale of their impact. For example, frequent software updates can make computer hacks more difficult, while frequent backups reduce their impact. Some risks can be transferred – to an insurance company, for example, or a partner – and others can be consciously accepted, either in full or in part.
- Risk monitoring: it goes without saying that risks and business objectives change over time. The evolution of risks and the risk management process itself should therefore be monitored constantly.
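As an added example (not part of the original article), the following Python risk register works through the assessment and management steps above: risk value = probability × impact, ranking the register, and the effect of mitigation, transfer and acceptance on residual value. All risk names, probabilities, impacts and treatments are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance of occurring in the planning period, 0..1
    impact: float       # estimated loss if it occurs (constructed currency units)

    def value(self) -> float:
        """Risk value = probability x impact, as in the assessment step."""
        return self.probability * self.impact


def mitigate(risk: Risk, probability_factor: float = 1.0, impact_factor: float = 1.0) -> Risk:
    """Mitigation lowers the chance of occurrence and/or the scale of the impact."""
    return Risk(risk.name, risk.probability * probability_factor, risk.impact * impact_factor)


def transfer(risk: Risk, share_transferred: float) -> Risk:
    """Transfer (e.g. insurance) moves part of the impact to a third party."""
    return Risk(risk.name, risk.probability, risk.impact * (1.0 - share_transferred))


def rank(risks) -> list:
    """Highest-value risks first, so the management step can prioritise them."""
    return sorted(risks, key=lambda r: r.value(), reverse=True)


def total_value(risks) -> float:
    """Sum of risk values: inherent before treatment, residual after."""
    return sum(r.value() for r in risks)


# Constructed register: the two cases the article contrasts, plus a cyber risk.
REGISTER = [
    Risk("Data centre destroyed by flood", probability=0.001, impact=5_000_000),
    Risk("Key supplier misses delivery", probability=0.30, impact=50_000),
    Risk("Ransomware on file servers", probability=0.10, impact=400_000),
]

# Treatments chosen in the management step (constructed assumptions):
# insure the flood, accept the supplier risk, patch and back up against ransomware.
TREATED = {
    "Data centre destroyed by flood": transfer(REGISTER[0], share_transferred=0.9),
    "Key supplier misses delivery": REGISTER[1],
    "Ransomware on file servers": mitigate(REGISTER[2], probability_factor=0.5, impact_factor=0.25),
}

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:32} inherent {r.value():>10,.0f} residual {TREATED[r.name].value():>10,.0f}")
    print(f"total inherent {total_value(REGISTER):,.0f} -> residual {total_value(TREATED.values()):,.0f}")
```

The catastrophic flood (value 5,000) ranks below the likelier supplier failure (15,000), matching the article’s point; mitigation of the ransomware risk halves its probability and quarters its impact, cutting its value from 40,000 to 5,000.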
Risk management: advantages for businesses
All businesses practise some sort of risk management in their own way. Larger, more structured firms have dedicated teams and staff members for the process, while smaller companies tend to manage risks in a more informal manner, often unknowingly, with little integration with the rest of the business’ dynamics.
Why should businesses consciously carry out risk management in a structured way? Because risk management ultimately protects and improves the value of the business. In particular:
- It helps firms to meet their targets.
- It improves performance by reducing variability.
- It increases investors’ trust in the business.
- It makes the business more competitive on the market by allowing it to respond to changes better and more quickly.
Risk management should therefore form part of any business’ culture, and should be integrated into every firm’s strategy. Where necessary, a business’ structure and processes should be changed to account for it.
The role and responsibilities of the Chief Risk Officer
Risk management is a process decided upon by the board of directors and management and instigated both by them and by other figures at the company, chief among them the Chief Risk Officer (CRO).
Essentially, the CRO is the manager in charge of assessing and mitigating all the operational, economic, legal, technological and reputational risks they deem significant for the health of the business, its capital and its profit.
The responsibilities of the CRO vary depending on the type of business, the sector and the size of the company. In all cases, however, they include:
- Developing a risk management plan and implementing it.
- Ensuring that the various stages of risk management are completed: risk identification, assessment, management and monitoring.
- Allocating the appropriate financial resources to the various risk management activities.
- Communicating the risk assessments to the board of directors and all interested parties at the business.
Creating the right environment for business risk management
Risk management is a valuable tool to help companies start managing risks in an organised way, thereby ensuring greater stability and continuity. Appointing a CRO is not enough to guarantee effective risk management, however. You also need to:
- Ensure the directors of the company are committed to risk management.
- Allocate enough resources to the risk management process.
- Integrate risk management into the business culture through training events.
Finally, managers must assign risk management responsibilities to people within the organisation. But how do you go about choosing the right person to be Chief Risk Officer?
The CRO undoubtedly requires a wide range of skills: of course, they must understand the principles of risk management and be acquainted with risk analysis and assessment tools. But that’s not enough: they also need a deep knowledge of the sector in which the business operates, the company structure and the processes already in place within the firm. Finally, the CRO must have excellent interpersonal skills, must be able to talk to the various people involved and must have some knowledge of insurance and business management.
Useful risk management resources
FERMA (the Federation of European Risk Management Associations) offers useful tools both for businesses and risk management professionals. These include training events, some of which are held online, reports and updates on the regulatory framework in Europe and certification for professionals in the sector.
The main UK risk management association is Airmic, the Association of Insurance & Risk Managers. Their website contains useful information on training, events and various useful materials.
ISO 31000 and ISO 31010 are both standards offering principles and guidelines for risk management and assessment. They are not specific to any sector, and can therefore be used by any business or public body. They can be applied to any type of risk faced by businesses or organisations (with either positive or negative consequences), and cover various areas. ISO 31000 can be read online free of charge, and ISO 31010 is also available online.