What is Enterprise Risk Management? Risk is inevitable and sometimes desirable

Before you start throwing stones, here are the words of the master, Peter Drucker, in our defense:

There are two types of risk: one which we cannot afford to occur, and one which we cannot afford not to occur. - Peter Drucker

Of course, no one pursues risk and it’s clear that it’s not an objective, but – by definition – capitalism is only profitable if there is a risk.

And in the context we are going through today, with enterprise risk management crises still fresh in our memory, how can we manage this duality?

That is, how do we know if the degree of risk we are “accepting” to leverage our business is not a shot in the foot?

What’s more, what about the inevitable and inherent risks of any operation, how should you deal with enterprise risk management properly and assertively?

If you’re looking for answers to these questions, we’ve prepared a series of recommendations, concepts and even tips. Read them carefully and use them in your business.


Enterprise Risk Management: A Practical Guide

We say that, at times, a certain degree of risk is desirable. This is especially true of innovation processes.

But before we go into more detail on this perspective of enterprise risk management, let’s align some basic concepts:

What is Risk?

Risk, within the business scope, is nothing more than a probability, the probability of an event occurring that causes considerable impacts to the sustainability of your business.

It’s interesting to note that when people talk about risk, they immediately think of negative impacts. In fact, the impact of these random events on your company can be both positive and negative.

What is Enterprise Risk Management?

Enterprise risk management is a process that seeks to make the most of the upside of random events and, on the other hand, to take the necessary measures to minimize the undesired and negative consequences as much as possible.

To achieve this, the correct management of corporate risk involves planning, organization, and control of the company’s human and material resources, as well as an analysis of each risk’s probability of occurrence and the severity of its consequences.

To put all this into practice, a number of actions can be taken. But before we go into the details of these actions, let’s better understand the objectives of enterprise risk management.

How can enterprise risk management help your business?

From what we’ve talked about so far, it has become clear that enterprise risk management is not just about avoiding hazards and disasters.

In fact, if risk is inherent in any business, it’s necessary to define which of them are acceptable, which should be avoided at all costs and which are inevitable and even accepted by a company’s strategy, because by assuming them, profitability can even increase.

For example, imagine a company that operates a fleet of machines that are already technologically outdated but serves its portfolio of customers satisfactorily. If it decides to renovate its machinery, it will incur a number of risks and opportunities. This is what enterprise risk management should help manage.

Business Management Objectives Summary:

1- Align risk with the organization’s strategy

It’s necessary to evaluate the risk profile acceptable by the company in order to be able to make strategic decisions, like the example above.

2- Define what decisions to take in response to the occurrence of risks

It’s necessary to identify and make a selection of alternatives to respond to risks, such as avoiding, retaining, reducing, sharing and taking risks. We’ll provide more detail on this further on.

3- Reduce contingencies and losses in the operation

Corporate risk management should identify risk-bearing events and define responses to them.

4- Identify and manage diversified risks

Your company can have different areas and departments, branches, plants and even business lines. Each of these perspectives must be considered by corporate risk management, allowing an integrated response and identifying correlations between these risks.

5- Seize opportunities

Just as the company prepares for negative events, you should be aware of how to make the most of the opportunities that arise.

6- Potentiate the use of capital

By preventing negative events and preparing for opportunities, a company must plan how to allocate its capital in the best possible way.

But how do you achieve these goals?

Check out how to identify, classify, evaluate and measure risks to be able to take the necessary actions to achieve the objectives listed above.


Types of Risk

There are 4 main types of risk:

  1. External Risk: These are events outside the company’s environment that interfere with its management, such as the climate, the lack of infrastructure in a country’s transport and communication system, changes in the political scenario, economic conditions and many others.
  2. Personnel Risk: This occurs when the company’s human resources need to be changed, or there’s a shortage of qualified personnel, poor motivation, poor organizational climate, and so on.
  3. Process Risk: Every business needs to model its business processes according to its operation. When this doesn’t occur, its performance may suffer. There is also the inherent risk in specific processes, such as in hospitals, mining and the chemical industry, for example, when compared to the risk of food manufacturing or the marketing of consumer goods.
  4. Systemic Risk: Those that are inherent to systems, like interaction systems between agents and entities and their rules, such as company information systems, which may be inadequate, obsolete, flawed and even hacked.

As for the latter type of risk, the United States (US) still has a reasonable risk of data loss, according to the study Cost of Data Breach 2017:

Source: Cost of Data Breach 2017 – IBM

The United States has a 26.8% risk of having a leak, a worsening from its 22.9% average over the last 4 years.

Once you understand the 4 types of risk, you need to assess the risks and their likelihood of occurrence. To do this, you must create the so-called Risk Matrix.

Building Your Business Risk Matrix

The Risk Matrix is the main tool used in enterprise risk management.

It’s derived from two other matrices, the Event Frequency Classification Matrix and the Event Severity Matrix.

The objective of the Risk Matrix is to indicate 4 possible risk levels for each event, depending on its frequency and severity.

  • Low risk
  • Medium Risk
  • High risk
  • Extreme Risk

Let’s take a step-by-step look at how to build this matrix, starting with the other two that make it up.

Each of these two matrices (frequency and severity) will define a number that will be used as a weight later in the Risk Matrix.

1- Building the Frequency Risk Matrix

This table assigns each event a weight, to be used later in the Risk Matrix, according to the number of times the event is believed likely to occur. The estimate is based on historical data the company holds or on scenarios it constructs.

Here’s an example of this type of table:

Event Frequency Classification

| Classification | Description | Weight |
|---|---|---|
| Very Rare | Less than once a year | 1 |
| Rare | Once a year | 2 |
| Average | Twice a year | 3 |
| Frequent | Once a week | 4 |
| Very Frequent | More than once a week | 5 |

Source: Adapted from Scielo – Paulo, Fernandes, Rodrigues, and Eidt

Thus, if your company knows that power supply failure occurs once a year, this risk can be classified as rare. It receives a weight of 2.

2- Building the Risk Relevance Matrix

Risk relevance is defined by a range of monetary losses that the occurrence of the risk would cause the company.

See example:

Event Severity Classification

| Classification | Description (losses) | Weight |
|---|---|---|
| Very Low | $0.01 to $500.00 | 1 |
| Low | $500.01 to $5,000.00 | 2 |
| Average | $5,000.01 to $50,000.00 | 3 |
| High | $50,000.01 to $500,000.00 | 4 |
| Very High | $500,000.01 or more | 5 |

Source: Adapted from Scielo – Paulo, Fernandes, Rodrigues, and Eidt

Thus, if energy interruptions mean a loss of $10,000, they will be classified as medium relevance: the loss falls in the Average range, which carries a weight of 3.

3- Using the weights found in the Risk Matrix

The Risk Matrix, as we said, creates the relationship between frequency and relevance, using the following classification table.

[Risk Matrix classification table]

Source: Adapted from Scielo – Paulo, Fernandes, Rodrigues, and Eidt

In this case, for the interruption in power supply, frequency 2 x relevance 3 = 6, which is medium risk.
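The three steps above, applied to a small risk register, as an added example that is not part of the original article. The frequency and severity weights are the ones in the two tables; the score bands in `ASSUMED_BANDS` and all register entries except the power-supply one are constructed for illustration, because the text only confirms that a score of 6 is medium risk.

```python
from bisect import bisect_left

# Weights from the page's Event Frequency Classification table.
FREQUENCY_WEIGHT = {"Very Rare": 1, "Rare": 2, "Average": 3,
                    "Frequent": 4, "Very Frequent": 5}

# Upper bounds (USD) of the first four loss ranges in the page's severity
# table; a loss above the last bound is "Very High" (weight 5).
SEVERITY_UPPER_BOUNDS = [500.00, 5_000.00, 50_000.00, 500_000.00]

# ASSUMPTION: the page's Risk Matrix table is not reproduced in the text, so
# these score bands are constructed for illustration. The only value the page
# confirms is that a score of 6 is medium risk.
ASSUMED_BANDS = [(3, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]


def severity_weight(loss):
    """Map a monetary loss to its severity weight (1-5)."""
    if loss <= 0:
        raise ValueError("loss must be a positive amount")
    return bisect_left(SEVERITY_UPPER_BOUNDS, loss) + 1


def rate(frequency, loss, bands=ASSUMED_BANDS):
    """Return (score, level); score = frequency weight x severity weight."""
    score = FREQUENCY_WEIGHT[frequency] * severity_weight(loss)
    level = next(name for limit, name in bands if score <= limit)
    return score, level


def rank(register, bands=ASSUMED_BANDS):
    """Rate every (name, frequency, loss) entry, highest score first."""
    rated = [(name, *rate(freq, loss, bands)) for name, freq, loss in register]
    return sorted(rated, key=lambda row: row[1], reverse=True)


# Constructed sample register; only the power-supply entry is from the page.
REGISTER = [
    ("Power supply failure", "Rare", 10_000),
    ("Customer data leak", "Very Rare", 750_000),
    ("Malware cleanup on one workstation", "Frequent", 400),
    ("Obsolete information system outage", "Average", 60_000),
]

if __name__ == "__main__":
    for name, score, level in rank(REGISTER):
        print(f"{score:>2}  {level:<8} {name}")
```

With these weights the very rare $750,000 data leak scores 5, below the power failure's 6, so a frequency-times-severity product can place a rare, very costly event under a routine one. Reviewing the severity column on its own catches such entries.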

After that, enterprise risk management should define, for each level of risk, the level of readiness that the company should adopt. The greater the risk of an event, the stricter the controls.


How To Deal With Risk

When a risk event occurs, there are 5 attitudes that enterprise risk management should take:

Avoid the Risk: focus is on preventive measures, strict controls, and contingency plans, should they occur.

Retain the Risk: Even if you identify the risk, the company decides not to take the necessary avoidance steps. It assumes the risk as acceptable. For example: not renewing the vehicle fleet, for cost savings, knowing the risk of failure to supply customers.

Reduce the Risk: adopt a middle ground. If we can’t change the vehicle fleet, what about doing a general review on all of them?

Share the Risk: passing on process responsibility to a third party, such as outsourcing to a logistics company.

Explore the Risk: it’s about seizing an opportunity. The company could negotiate with the logistics company to transfer its vehicle fleet as part payment for delivery services.

6 Practical Tips for Enterprise Risk Management

Although we’ve given examples, shown surveys and presented practical tools for use in your day-to-day enterprise risk management, the informed opinion of those who deal with this every day is always worth hearing.

That’s why we’ve brought together these 6 tips outlined in a Harvard Business Review article:

Six mistakes that executives make in enterprise risk management

  1. Thinking that it’s enough to only predict extreme events in order to manage risks: Rather than just predicting the worst events, determine what to do if they happen.
  2. Believing that studying the past helps you control risks: Lessons from the past are important, but predicting the future by looking back will surely keep your company from seeing a disaster right in front of it.
  3. Ignoring advice about what not to do: Avoiding mistakes is always more effective than trying to reach the mark.
  4. Using standard deviation as a measure of risk: It’s not that this indicator is not important, but there are many more variables to analyze.
  5. Not understanding that psychology and mathematics are different: Cold mathematical data, depending on how they are presented, can mask or exaggerate actual risk.
  6. Avoiding redundancy to reduce costs: Having redundant processes, systems and controls is not always wasteful or inefficient; it’s a way to reduce risk. The human being, for example, has 2 lungs and 2 kidneys. If you lose one, the other keeps you alive.

Risk-Free Innovation Doesn’t Exist

We opened this article with a catch phrase from a master of the old guard, with always current ideas.

We find it interesting to close the text with another catch phrase, this time from a more recent genius of modern business management, Mark Zuckerberg.

His quote makes it clear that risk is part of business reality. If a company doesn’t have it, it’s impossible to evolve and prosper:

The biggest risk is not taking any chances. In a rapidly changing world, the only strategy that will surely fail is not taking risk. - Mark Zuckerberg
