SME guide: Identifying risks and opportunities

This article focuses on the ability to identify and communicate risks and opportunities, ie risk management.

Effective risk management relies on information.

However, information of itself is just another raw material. Only by understanding its latent worth with the ability to process it to your needs, (ie derive advantageous knowledge), does it truly have value.

Liken it to wind, another valuable but ethereal resource. We know its latent energy, but it has limited worth until it is ‘processed’ via a wind turbine.

Risk management is an iterative process requiring the ability to:

• Access relevant information;
• Interpret that information, as to:

1. initial accuracy,
2. ‘shelf-life’, (ie will its accuracy deteriorate gradually or ‘drop off a cliff’),
3. exclusivity and/or confidentiality,
4. scope and limitations,
5. the potential implications – both direct & indirect and risk & reward;

• Effectively communicate those interpretations, (ie the knowledge);
• Understand the knowledge and validate the implications;
• Consider the potential applications and relationship within current business activities, (ie the implementation strategy):

1. Risk - rating analysis, whether it changes the risk appetite, and the resulting impact on the business’s risk profile, controls and countermeasures, and
2. Opportunity – marketability, utilisation/ROI analysis, budget and production forecasting, deployment or re-deployment of required resources and on-going production management;

• Implement the strategy, including scheduling the monitoring, testing and intervention reviews, to ensure the outcomes are meeting expectations;
• Repeat – ie access relevant information.

The above sequencing of information gathering, evaluating and planning, implementing and reviewing is not some novel construct. It is a derivation of the continuous improvement cycle, based on the Deming Cycle* (Plan-Do-Check-Act).

It’s all about establishing a team you can trust.

The stages within the above sequence requires a team of trusted and competent personnel with differing skill sets, roles and responsibilities, working together.

Each member of the team must have responsibility that comes from being empowered and sufficiently competent to be delegated the requisite authority to undertake a defined role within a team, department or organisation, (or a task within a project); and be accountable for its delivery.

The trusted team is scalable depending on the size and complexity of the organisation or project, and as outlined briefly above, team members can be employees, departments or external consultants.

However, no matter how the team is structured, to be effective, each member’s respective responsibilities, (no matter how limited or extensive in scope those responsibilities are), must be real, understood, and trusted by all other members of the team.

Regulatory Intervention – the unavoidable risk

The rules and regulations imposed by the state (eg HMRC, health & safety and equality, competition, FCA), and relevant organisation with whom a business is associated, (eg Banks, BSI, ISO, trade associations and institutions) are ‘the unavoidable risks of doing business’.

If you wants to convert an identified opportunity into a rewarding business, then you must comply with associated rules and regulations. Failing to comply with rules and regulations, whether due to being unaware, misunderstanding, unintentional or blatant disregard, is a huge risk.

There are no excuses for noncompliance, only the reduction in fines or sanctions.

To summarise, for risk management to be effective, access to relevant information is required, from which advantageous knowledge is derived by a competent and trusted team, who are responsible for enabling a decision to implement a risk strategy or exploit an opportunity.

How the implemented risk strategy or the exploited opportunity is managed is the subject of the next article.

Bill Freeman is a risk management consultant at Freeman Risk Solutions