Just as for an individual, "a risk" to a company represents a future uncertain event with a probable negative consequence. People see, or notice, those risks that have a negative impact on their physical health and can result in death (such as cancer, stroke or a traffic accident). For companies, the equivalent events are all risks that negatively impact the company's financial health and could cause its financial death. Remember: people need blood the same way companies need money to survive.

The key mistake we usually identify with those who attend our workshops is how employees perceive the key risks for their company. This is mainly due to a general misunderstanding of which risks companies actually have to deal with.

In general, we divide risks into four large categories along two dimensions: firstly, the size of the negative impact, and secondly, the likelihood of occurrence. Looking at them, we can conclude that from the company's point of view, the biggest exposure is in categories C and D, which carry a potentially high or extreme negative financial impact. Group D covers the risks that occur frequently, and group C those that are rare.

It is only natural that companies concentrate on category D, since it covers risks with a high negative impact and a high likelihood of occurrence. However, such risks rarely, if ever, exist.

A) low financial impact – low likelihood of the occurrence
B) low financial impact – high likelihood of the occurrence
C) high financial impact – low likelihood of the occurrence
D) high financial impact – high likelihood of the occurrence

[Figure: ERM risk matrix]

The reason is simple: those companies that were exposed to such risks no longer exist. Why? Statistically, risks with a frequent high impact are deadly to all companies, no matter their general financial health. It is similar with people: we survive several colds or strokes, but rarely cancer.

This is why companies need to focus on the risks that might result in a high loss (the value of "high loss" varies, but for Slovenian companies this means 1 million EUR or more), even if such risks are less probable.

This starting point is also a good basis for analyzing the other two risk categories. Usually, companies and employees don't even notice the risks that occur rarely and have a low financial impact, as they disrupt neither the workflow nor the financial health of the company. Broken windows or broken computers don't represent a serious threat.

On the other hand, employees usually pay the most attention to risk category B: low financial impact, high likelihood of occurrence. This includes frequent personnel changes in non-key jobs, deterioration of non-key hardware and software, etc. An example of this type of risk would be the frequent change of a tenant or a business secretary. From the company's perspective, the event is undoubtedly not crucial; however, it disturbs the working process of the employees. This is the reason such events represent the core of risk management for the majority of companies, even though they are not crucial. In other words, we deal with colds while letting cancer spread.

Regardless of the likelihood of occurrence, the risks that are crucial for a company are those that can cause a serious financial loss. This is the reason we recommend making an exposure test part of your regular yearly assessment of new and potential risks, and marking the risks that could cause a large loss of operating profit or a big hole in the balance sheet.

***

Contact our team if you want to identify risks adequately.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Before starting any systematic risk management effort, it is crucial to identify the risks that the company is exposed to.
The aim of the risk identification process is to establish a catalogue of risks, or a so-called "risk register". While this process is usually relatively intuitive, there are a few pitfalls that should be taken into consideration.

What constitutes a risk?

The first step in identifying a risk is to agree on a common definition of what a risk is.

ISO 31000:2018 defines risk as the "effect of uncertainty on objectives". The standard goes on to specify that "An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats."

While this definition is theoretically sound, we feel that it is too vague for practical use in many companies. Therefore, we generally advocate using two conditions that determine whether something can be called a risk or not:


1. Uncertainty: Risk exists if there is uncertainty about future events or developments.

2. Financial damage: Risk exists if this uncertainty may cause a significant financial loss or otherwise cause the firm's financial performance to fall below the planned level.

Effectively, this definition assumes that the company's primary objective is financial gain, so any uncertainty that might lead to financial loss is a risk.

Having defined what a risk is, we can also give examples of what does not constitute a risk.

Risk is not a foreseen/expected adverse development
For instance, if the sales of a given product group are expected to decline, this does not constitute a risk. On the other hand, the possibility that sales turn out unexpectedly lower than planned does.

Risk is not a difficulty or challenge
A difficulty or a challenge is not unexpected if the situation already exists. The risk would be the "possibility that the new market entry fails" rather than the "challenging market situation".

Getting the terminology straight

There is an unfortunate confusion about risk terminology that should be rectified sooner or later. Below are some common terms and an explanation of how they relate to each other.

Threat – the source or the trigger of the risk event that causes the uncertainty. A threat without any risk exposure is not problematic.

Risk exposure – the amount that is theoretically at risk if the threat materializes. In financial risk management, the exposure is simply used to indicate how a relative (%) change in the value of the underlying variable (interest rate, exchange rate, etc.) translates into profits or losses.

Risk – the collection of threats/causes and exposures that is treated and managed as a single whole.

Risk level – the result of the risk assessment process, indicating how serious the risk is considering the probability of different loss amounts.

Issues to keep in mind when identifying risk

Identifying more risks does not mean better identification
While it is a natural urge to identify as many risks as possible, this approach often leads to so many risks that in the end none of them get properly managed.

The key aim is to first find the risks that have, in the worst-case scenario, the largest potential loss or financial impact. Try to avoid identifying risks that at worst have minor financial consequences. Such risks can be added once the risk management effort matures, but before that, it is crucial to find the "large" risks.

Another way to keep the number of risks manageable is to remember that there might be several causes and several outcomes for the same risk. For instance, instead of listing "shutdown of machine A", "shutdown of machine B", etc., we can simply identify one risk, "machine interruptions".

The key to grouping smaller "risks" together is to ensure that these smaller risks are either highly similar or that they can be effectively managed as a group. For instance, in the example above, a single person might be responsible for maintaining all the machines, and thus they would naturally be responsible for managing that risk.

Risks should not "overlap"
When identifying risks, we should ensure that we do not accidentally double or triple count the same risk. This can easily happen when many people identify risks separately and the risks are then collected into a joint catalogue.
For instance, consider a situation where the person responsible for IT and the person responsible for production have each identified the key risks in their respective departments.
The production side considers an interruption in the supply of semi-finished goods to be among the key risks. The IT department, on the other hand, sees the unavailability of the enterprise resource management system as a critical risk. The key point here is that many of the production interruptions might be due to IT failures, and thus such a risk is counted twice in the risk identification.
Counting the same risk multiple times places an additional burden on the risk management system and might lead to wrong results if risk estimates are later aggregated.

Avoid too vague risks
Another major issue that hinders the risk identification process is the tendency to identify risks that are too vague to be managed. Consider the "risk of decline in employee morale". For such a risk it is almost impossible to assign financial consequences. Likewise, it is hard to even know when the risk has materialized. In short, the risk is too vague to be managed. A good substitute for such a risk could be "an increase in employee sick days" or something similar, making the risk more tangible and manageable.

Lack of imagination
Most of the major disasters that happen to companies were once unimaginable and had never happened before. Therefore, when identifying risks, one needs to shift the mindset from what has happened to what is within the realm of possibility. In doing this we have to overcome the natural mechanism of not worrying about everything, which keeps us sane in everyday life.
For risks that are unlikely, human psychology has a natural tendency either to dismiss the possibility of something going wrong completely ("that cannot happen") or to get overly paranoid about very low-probability risks (flight accidents). At the risk identification stage, we want to lean toward being paranoid about everything, and only later, at the risk assessment stage, start thinking about the actual seriousness of the threat. If rigorous analysis shows that the risk is unrealistic, we can still dismiss it then.

Risk identification techniques

Risk identification can be done in two complementary ways:

– The first method is to ask the people with knowledge about the functioning of the organization what could go wrong. Within this class of techniques one can use a variety of specific approaches, such as risk workshops, brainstorming, questionnaires, self-reporting, etc. For an organization in the early part of its risk management effort, the group-based methods are more suitable, since they foster the risk culture. For a more mature risk organization, the individual approaches are more suitable, since newly identified risks are likely the ones that were missed initially and are therefore likely to be spotted during the normal course of work by a single individual.

– The second class consists of more analytical, engineering-style methods that are based on careful analysis of the company's or operation's value-creating process. These methods are better suited to finding hidden critical failure points that might be missed at the intuitive level. Methods in this class include structured what-if analysis, scenario analysis, fault tree analysis, bow-tie analysis, incident analysis and peer incident analysis.

Key points

Risk is the presence of uncertainty that can cause financial damage.

Common failures in risk management are:
– focusing on generating as many risks as possible,
– identifying overlapping risks or double counting the same risk,
– identifying risks that are too vague, and
– lack of imagination.

Risk identification can be done by asking people what could go wrong, or by analysing the company's processes and finding hidden failure points that might lead to major losses.

***

Contact our team if you want to manage risks systematically.