Risk management for many organisations, and specifically small and medium enterprises (SMEs), is an almost forgotten element and function within the spectrum of management responsibility. Whilst there is an acceptance that risk is associated with business, the reality of engaging with, and actively seeking to treat areas that pose potential risk, seems alien to many senior managers and leaders, and is often dismissed on the grounds that is in not affecting operational performance.
SMEs and their management teams need to seriously examine risk from a business perspective, as a fuller understanding of this area of management is essential. Risk management in this context is defined as a:
‘Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.’
(ISO Guide 73:2009: Risk Management)
Risk management ensues that a business is able to operate at all times, and reduces the likelihood of potential events that may impact upon operations. From a business perspective we can contextualise the notion of risk as:
‘A condition in which managers have a high knowledge of alternatives; know the probability of these being available; can calculate the cost and know the benefits of each alternative; and have a medium predictability of outcomes.’
(Buchanan and Huczynsk. Organizational Behaviour, 2004: 877)
The Buchanan and Huczynski concept of risk indicates the importance of this area of management. It is critical to note that risk is not merely the uncertainty of future events, but also the forethought of the uncertainty of the effect of specific events, which in turn could have an impact on the achievement of the objectives of an organisation.
Further consideration is also needed in respect to the benefits of operating risk management as a function, and embedding it into organisational culture. However, the benefits to an organisation are subjective and will depend upon a number of factors e.g. the thoroughness of the initial evaluation, the regularity of review and follow up, and the communication and embedding of the risk management process throughout the organisation. A set of generic benefits of utilizing risk management as part of organisational operational practice includes:
- Decision making process based upon systematic well informed methods
- Reduced financial surprises and unforeseen costs
- Increased decision making speed
- Greater income streams due to predictable and secure information
- Increased reassurance from stakeholders
- Reduced likelihood of reputation damage
- Access to greater opportunities that the organisation would not have been aware of, and increased ability to react to said opportunities
- Greater protection of organisation’s image and reputation
- A better basis for the allocation of resources
- Increased likelihood of achieving organisational objectives
For organisations to take advantage of these benefits a straightforward risk management process can be undertaken, which includes the following aspects:
- Understand the organisational context
- Distinguish between different types of risk
- Identify risks and potential causes
- Analyse and evaluate risks
- Decide how to respond to risk
- Take appropriate action to mitigate or eliminate risk
- Ensure compliance with regulatory requirements
- Encourage a culture of personal responsibility
- Monitor, review and report
The undertaking of such activities will create a risk management cycle, and through this process the organisation will be able to operate more effectively moving forward. The following diagram illustrates this process:
This process enables risk to be identified and categorised in order of priority based upon the impact of an event and the likelihood of an event. As such the priority of the risk is indicated in regard to: immediate action; contingency plan; action to be considered; or lesser concern with periodic review. The following diagram outlines a basic model:
(CMI Risk Management – Guidance for Managers, 2010:5)
Therefore, if risk management is embedded into an organisation and its culture, the potential for predicting issues that may affect the business are increased, and the organisation is able to speculate on possible opportunities. As such, the probability of organisational growth, cost savings and profitability is increased, and the organisation can move forward with greater confidence.