The basic risk response strategies can be summarised as the “4Ts” – Terminate, Transfer, Treat and Tolerate
This is the third in the series of articles primarily aimed at providing risk management support and guidance for Small & Medium-sized Enterprises (SME) business owners and their senior management teams through these unprecedented times.
As explained in ‘The Knowns & Unknowns of Business Risks & Opportunities’, risk and opportunity are two sides of the same coin when it comes to identification. Therefore, by identifying and understanding the risks, one can also identify and realise the opportunities.
In ‘Identifying Risks & Opportunities’, we considered how for risk management to be effective there needs to be:
- Competent and trusted personnel, whether an internal employee or department, and/or external consultants; with
- Access to relevant information, from which the team is responsible for identifying useful data and material (ie advantageous knowledge) and interpreting the potential implications; thereby
- Enabling an informed and knowledgeable decision to implement a risk strategy or exploit an opportunity.
This article attempts to address ‘the how’ to manage different types of risk and thereby realise opportunities. As a recap, risk is defined as:
- The relationship between the likelihood of a hazardous event, and
- The impact if it did occur.
A hazard is anything with the potential to cause harm, (eg physical, mental, financial etc). The event could also be in the future, (eg mesothelioma, silicosis and many other threats to personal safety and health; property damage including data and reputational; or the liability for fines/prosecutions and other litigation).
Understanding the relationship between the likelihood of the hazardous event and the severity of the impact should it occur, ie its risk rating, is fundamental to managing risk.
The simplest way to illustrate this relationship is by using a Risk Matrix, upon which risks can be rated and thereafter mapped.
Mapping the risk ratings for a selected range of business activities on a Risk Matrix, using the ‘risk category’ (ie low through to high), will establish a ‘risk profile’, which is a schedule of the risk ratings by risk category. To get a real idea of a business risk profile it is best to map each risk before any mitigation or control measures are implemented (ie the inherent risk) and then compare the same risk when the mitigation or control measure is in place (ie the residual risk).
This may seem a bit pointless, because if one has implemented a control measure then the risk has been mitigated. However, whilst it is mitigated, it is still a risk. Consider, for example, the all-pervading exposure to cybercrime. With the ever-increasing reliance on the internet, for both business and consumers, the inherent risk of being a victim of cybercrime is High (ie using the illustrative Risk Matrix: likelihood – ‘Likely’ to ‘Very Likely’; impact – ‘Major’ to ‘Severe’). By implementing anti-virus/anti-malware products and system security protocols, the likelihood of an incident occurring could be mitigated to ‘Unlikely’ or even ‘Very Unlikely’.
However, due to the nature of the risk, there could still be a ‘Major’ to ‘Severe’ impact if a very unlikely incident does occur. That is, despite implementing countermeasures to respond to the incident, and having insurance in place, there is a residual risk with a significant impact due to the potential business disruption, interventions and fines from the regulator, together with the resources and time needed to reinstate lost or damaged data, and the potential reputational damage.
Therefore, mapping the inherent risks and comparing them with their residual ratings provides an assessment of the overall risk exposure for the selected range of business activities (ie how many risks have been mapped within the differing categories). This risk mapping exercise enables a business to decide the level of risk it wishes to take (ie its risk appetite) and the strategies that can be adopted to manage the risks and, again, realise opportunities. By simply recording these details one has started to establish a risk register.
Risk Management Strategies
The Risk Matrix includes a column ‘Risk Management Strategy’, which references the “4Ts” – Terminate, Transfer, Treat and Tolerate. These are the basic risk response strategies:
- Terminate – unless one can reduce or mitigate the inherent risk to a more acceptable level (as in the example of cybercrime risk), the risk associated with the activity is too great. Therefore, do not take the risk, and do not waste resources pursuing the opportunity.
- Transfer – is a risk mitigation strategy whereby a proportion of the risk is transferred, or isolated, from the business’s activities. Examples range from insurance (ie transferring the risk of a potentially significant expense (a claim) for a lower fixed cost (the premium)), through joint venture partnerships (which share the risks between the two parties), to the appointment of third-party specialist contractors or consultants to provide a specialist resource (eg skill, experience, knowledge and capacity). The appointment transfers the risk and capital outlay of acquiring, maintaining and retaining a specialist resource to a third-party specialist, whilst also transferring a degree of liability (eg lawyers, tax advisers, insurance brokers and health & safety advisors).
- Treat – the range of risks that fall within the ‘Treat’ category will depend on the business’s risk profile and its risk appetite. Every business has a different risk appetite, even in the same business sector.
- Tolerate – one accepts the risk, either by accepting the residual risk (ie after transferring and/or treating) or by taking no action. For example, actively focusing on a niche market based on premium revenue (ie Higher Risk = Higher Reward), taking the risk that the market will remain niche and that competition will not impact on premium revenue.
‘Tolerate’ also includes ‘regulatory intervention’. These are the rules and regulations imposed by the state supervisor and the relevant organisations with which a business is associated, and they are ‘the unavoidable cost of doing business’.
For example, a fire risk assessor was shocked to be told that, because it was “highly unlikely that there would be a fire in their council offices” and “… anyway they didn’t have staff with wheelchairs”, it had been decided to remove the emergency evacuation equipment, thereby making a budgetary saving on maintenance and training. When do austerity measures go too far? Presumably the budget covering the prosecution costs, the fine and, heaven forbid, deaths and injuries in the highly unlikely event of a fire will come out of someone else’s budget!
If one decides to undertake the activity then one must Tolerate, and potentially Treat, compliance; there is no Terminate or Transfer without fundamentally compromising the anticipated reward derived from the opportunity. Failing to comply with ‘regulatory intervention’, whether through being unaware, misunderstanding, unintentional error or blatant disregard, is a huge risk. There are no excuses for noncompliance, only a possible reduction in fines or sanctions.
Managing your Risk Profile is a blended approach
It is the type and number of risks that fall within the Transfer and Treat categories, together with their inter-relationships, that is the key to understanding one’s ‘Risk Profile’.
How one chooses to control, manage and tolerate these risks informs one’s ‘Risk Appetite’. That is, how much risk to accept for the anticipated budget/revenue/turnover: the business’s Operational Risk.
On a salutary note – tolerating risk by taking no action must not be confused with ignoring the risk and doing nothing. Taking no action must be a positive decision after assessing the risk.
In reality Risk Management is a blended approach. For example:
- Treat a significant risk (one that has the potential for a significant reward);
- If the residual risk has the potential for a significant liability, then Transfer a proportion to insurers; and
- Retain an appropriate excess on the insurance policy to potentially maximise the reward without significant impact should the risk event occur, ie Tolerate.
Taking no risk is as unsustainable as taking high risks for minimal return. A business must assess its risks to establish its risk profile. Once its risk profile is established it can understand and develop its risk appetite. Managing its risk appetite is recognising the balance and the relationship between the risks and opportunities and how to blend the 4Ts to maximise the rewards from that relationship.