SME guide: The knowns and unknowns of risk and opportunity - part one

We are all facing uncertain times, and not just the immediate future. Uncertainty can lead to a climate of economic hopelessness as we feel powerless to control how our business should respond to the current economic environment

Having been involved with business risk for longer than I care to remember, I realise there is a knowledge gap between large organisations, which can afford a specific risk management function, and the vast majority of businesses which can’t.

SME business owners and their senior management teams are, and always have been, the key risk managers. However, many lack the knowledge and understanding to be able to identify and manage their opportunities and the associated risks.

My aim is to provide those business owners and their senior management teams, with simple and easy guidance gleaned from many years of practical experience, observation and reading. It is an attempt to address the SME knowledge gap.

The basics

Risk can be defined as:

• The relationship between the likelihood of a hazardous event, and
• The impact if it did occur.

A hazard is anything with the potential to cause harm, (eg physical, mental, financial). The occurrence could also be a future event (eg a mesothelioma, silicosis, and many other threats to personal safety and health, property damage including data and reputational, or the liability for fines/prosecutions and other litigation).

Understanding the relationship between the likelihood of the hazardous event and the severity of the impact, if it occurs is fundamental to managing risk.

However, as an introduction to the concept to risk management, risk can also be defined as:

• The potential obstacles that could be encountered when converting an opportunity into a rewarding business.

Every business has identified at least one opportunity from which it expects a reward; but it must take risks to attain that reward.

For a business to succeed in a normal economic environment i it requires knowledge, (eg know your market, the competition, the supply chain, relevant regulations, to name but a few). Lack of, or misinterpreted knowledge, will have a negative impact on a business.

However, as explained so infamously by former US congressman Donald Rumsfeld, there are different types of knowledge. Knowing this and how easily it influences the management of the risks associated with an opportunity can be a competitive advantage to a business; especially during times of economic uncertainty.

From a business risk perspective, “Unknown knowns” are where the business receives information. It has access to/or control of the ‘known’, but for whatever reason, (eg failure in reporting structure, lack of understanding/recognition of its relevance, significance or value,) fails to communicate the “known” to those within the business who require it.

An example

By way of illustration, using a real life event – CPM, as a manufacturer of pre-cast concrete, was aware of the significant risks associated with its activities. It had established detailed procedures to ensure safe working, including permit to work protocols and isolation by captive safety key systems. These safety measures should have reduced the significant risk of injury.

Yet, in May 2018, it was fined £660,000 after an employee was fatally crushed when undertaking maintenance work on a conveyor belt*.

The risk of significant injury was clearly ‘known’ and thought to be mitigated by CPM. However, the HSE found evidence (ie information that should have been ‘known’) that employees were regularly circumventing the safety measures and the associated monitoring, training and supervision of the activity was deficient.

This example of an “unknown known” led to the death of a man, with the devastating consequences to his family, as well as the significant fine and disruption to the senior management, which an HSE investigation and any subsequent civil action might have brought.

Sadly, it is likely there will be more pertinent examples of unknown known risks as business respond to COVID-19 outcomes.

The “knowns & unknowns” risk management strategy

In essence Risk Management, (ie identifying and controlling risks and opportunities from available information) is a continuous journey.

No matter where you are on your journey, preparing to start out, or well ‘down the road’, the simple approach, explained below, could be the basis on which you can develop, or enhance, your current risk management strategy.

The “Known & Unknown” strategy consists of four elements:

1. The management control of “known knowns” is being aware of and controlling, during the normal course of business:

• The range and significance of the operational risks being taken against the reward for taking those risks, and
• The effectiveness of the procedures, protocols and countermeasures in place to mitigate those operational risks.

Identifying your “known knowns” is an important baseline on which to develop your COVID-19 risk response strategy. Having this baseline enables ‘what if’ comparisons and discussions to be structured, effective and constructive.

2. The identification of and reduction in “unknown knowns” is:

• Having systems and procedures in place to review, monitor and communicate current management controls,
• Developing and/or enhancing the risk/opportunity intervention reviews. For example, every project or production process has key stages, where current assumptions can be reviewed against future expectations. What impact has COVID-19 on these assumptions and expectations. By reviewing the key risk exposures associated to the current assumptions; ensuring they still align with the budgetary expectations; provides the platform to identify any “unknown knowns”,
• Considering existing data and information captured during current business activities, and/or any potential intellectual property of a business process that is an output of those activities – has it value both during and post COVID-19 ?
• Considering the current business processes and activities in relation to the advent of the ‘Internet of Things’ and the resulting quantum leap in commerce. The associated risks and opportunities throws commercial Darwinism into stark relief – if you don’t keep up, you could be the next Blockbuster!

3. The capability to respond to “known unknowns” is:

• Being aware of and preparing for the potential of a business disruption event, (eg fire, flood, cyber), and
• Having the foresight and support systems in place to monitor, influence and respond to emerging risks (eg post COVID-19, impact of Brexit).

4. As referenced above, “unknown unknowns” are a total lack of awareness of a potential future event. However, by having:

• Awareness and control of the “known knowns”,
• The review and support systems in place to identify and reduce potential “unknown knowns”,
• The capability and protocols in place to monitor and respond to the “known unknowns”,

should make businesses more:

• Resilient to a negative “unknown unknown” event, and
• Able to identify and take advantage of a positive “unknown unknown” opportunity.

In summary, risk can be defined as any potential obstacle that could be encountered when converting an opportunity into a rewarding business. In reality, COVID-19 is just another potential obstacle and/or opportunity.

Effective risk management is being able to identify, manage and monitor those potential obstacles thereby ensuring the opportunity is rewarding.

By using the above categories when identifying the obstacles, you can implement control measures and procedures to manage the “known knowns”, which must be monitored to reduce the risk of “unknown knowns”.

This strategy will also enable the monitoring for and identification of “known unknowns”; and respond more effectively to any “unknown unknowns” that could impact on your business.

Bill Freeman is a risk management consultant at Freeman Risk Solutions