Thursday, November 10, 2016

RISK MANAGEMENT FOR SMALL TO MEDIUM ENTERPRISES


What is risk management?
As a small to medium business owner or manager, is risk management something you think about or do you even think it applies to your business? What is risk management anyway? In fact, what is risk?

Risk can be considered to be ‘the effect of uncertainty on your business objectives’ and it is an inherent part of being in business.  When you make investments in your business, the hope is that they will generate a positive return, but that return can be negative, positive or even far beyond your expectations.  It is that type of uncertainty that we would call risk.  The management of risk is concerned with reducing business uncertainty and the impacts arising when risk events do occur.

 “It seems to be a law of nature, inflexible and inexorable, that those who will not risk, cannot win.”
John Paul Jones

The greatest challenge for small and medium business owners is to find the proper balance between risk, peace of mind and profitability.  Trying to completely eliminate risk from your business is unrealistic and can be prohibitively expensive or cause you to institute policies that may be so risk averse that your business never grows.  Gauging the correct level of risk will position a company to grow and be robust enough to withstand adversity. 

So where do I start? - Identify & Assess

Risk management can be very complex, but it doesn’t have to be.  The first step is to take a very honest and thorough look at your company and then to identify and evaluate the risk events that could impact it.  Here are some of the questions that you should be asking:

  • Do I really know our business objectives beyond mere profitability? 
The strategic objectives in your business plan are a good starting point here, but you need to think about those business objectives that support your strategic plan.  Consider things like:
    • Your ability to attract and retain the right staff
    • Business processes
    • Workplace safety
    • The environmental impact of operations
    • IT Systems
    • Your relationship with suppliers and customers 
    • Regulatory compliance.

  • What types of risk events can impact our objectives?  
This involves identifying the risk events that can specifically affect your objectives and assessing both the likelihood of occurrence and the impact upon the organization.  This goes beyond looking at the downside, the catastrophe, or major issues that can hit your business. You also have to look at what new sales or growth opportunities are out there and the risk of not achieving them or the risks of not achieving them well.

  • How can I deal with our risks? 
We all deal with risk every day and the same strategies we use in our daily lives apply in the business context as well.  If we decide that a motor vehicle accident is a risk event that we wish to manage then we can control or treat that risk in a number of ways: We can decide to drive during a snow storm and ACCEPT the risk of an accident or AVOID the risk by staying at home.  We could put winter tires on our car to REDUCE the likelihood of an accident.  We buy cars with safety systems such as air bags to REDUCE the consequences of the accident.  We purchase insurance to REDUCE the financial impact of the accident or we could take public transit and TRANSFER the risk of having an accident.  

The same principles apply to risk in a business context.  The approaches of acceptance, avoidance, transfer, reducing the likelihood and reducing or mitigating the consequences form the basis of risk management policies and treatments, which can be used individually or in combination.  You should decide how to manage the identified risks to fit within your risk tolerance and the resources available.  Most often a combination of approaches is the most effective.

  • Peace of Mind vs Profitability?  
In the risk management world, this is often referred to as ‘risk tolerance’.  Remember you cannot eliminate all risk, so you must decide how much risk your business can accept.  Achieving the correct balance is at the heart of risk management.  

These questions are the basis of the complex ISO 31000 risk management standard used by large companies to manage ERM when dealing with complex and dynamic risks.  This simplified process should, however, provide the tools and insight not only to allow you to quantify your risks but also to position your strategic business plan to be more resilient.  

What’s next? – Monitor & Review

Now you understand your business objectives at a comprehensive level, you have identified the risk events that can affect the achievement of those objectives, you have decided how to manage those risks and now you can sit back and run your business?  Maybe not!  To be effective, risk management should be a dynamic and iterative process; your business doesn’t stand still and neither does the environment in which you operate.  To be truly resilient you must take it a little further.

Monitoring your competition, customers, suppliers, technology and changes in the law or regulations will provide early indications of changes in your risk profile.  Perhaps you may consider establishing some key risk indicators, such as commodity prices, competitor pricing or currency exchange rates.  When these indicators fall below or rise above your indicator levels, certain actions may be initiated.  For example, lower fuel prices may prompt a shipping company to consider highway transportation for longer hauls, but at what point does it become more economical to switch to the railways? Similarly, the fluctuations in the exchange rate for the Canadian currency may influence where a manufacturer sources raw materials or in which market to concentrate sales activity.

Taking a few days periodically to review and update your risk management plan is a wise investment.  The review should involve multiple levels of management from within your organization and (if warranted) a risk management consultant, to provide insights and perspectives that you may not have considered.  To identify new and emerging risks, ask questions like:
  • Will a change in operations, or the addition of new equipment, create new risks or change existing ones?  
  • Will a new supplier or customer change your supply chain risk? 
  • Does a fluctuating exchange rate present a commodity price risk or an export opportunity?  

Having recognized that change may be occurring, an evaluation of your risk management plan is recommended.  Are your policies and internal controls at the right level? Are you reaching your target market or have new markets become accessible and if so what new risks may arise? Do you have a plan A, B and even C if things change unexpectedly?  Do you have a business continuity plan if you are faced with a catastrophic event? And finally, is your insurance coverage appropriate for your business today? 

What about insurance? – An Essential Component

When many business owners think about “risk management” it’s usually limited to purchasing standard insurance protection without much consideration for other ways to protect the business. Insurance is an essential part of any risk management plan but you must understand its limitations.  Insurance can mitigate the financial consequences of a liability claim or of a loss event such as a fire, or windstorm or even a major operational loss if you have business interruption coverage. But insurance will not reduce the likelihood of a risk event occurring nor will it help manage risks that are uninsurable such as supply chain risks or strategic risks.  

The optimum level of insurance is attained when your insurance is structured to provide your desired level of coverage, specific to your risk profile, at the lowest possible cost.  This will raise the question of how much risk can I accept?  You may be able to lower your premiums by accepting a higher deductible or you may decide that you need a higher level of liability coverage to do business in the US.  This comes back to that question of peace of mind vs. profitability. 

The coverage and policy limits offered by your insurance should be reviewed at least annually as your business develops.  It is important to look at the detail of your policies to make sure that you are not paying for coverage you don’t need and to confirm that the policy limits are reflective of your business today.  If you merely renew your policy every year you run the risk of misalignment occurring between your expected level of compensation and your actual policy limits.  Factors that lead to misalignment include changes in the cost of building or equipment replacement, changes in the size of the entity insured, business development into new markets and new or emerging risks.


 “One thing that makes it possible to be an optimist is if you have a contingency plan for when all hell breaks loose.” 
-Randy Pausch

Insurance is often considered to be a risk transfer mechanism but this is only correct insofar as it transfers the financial impact of a risk event to the insurance provider.  Insurance is most effective when it is combined with activities that reduce the likelihood of occurrences and mitigate the impacts, and with business continuity planning that can provide for rapid recovery.  For example, in the event of a major fire at one of your facilities, your insurance will provide you with the financial resources to rebuild or restore operations, but a business continuity plan will give you the roadmap to business resumption, allowing you to recover quickly.

It’s up to you – manage the risks or accept them?

There is no ‘one size fits all’ strategy for risk management.  Every industry has its specific risks and every company within an industry has its own unique risks based on its culture, maturity, market position and so on.  The amount of risk management activity each company undertakes will be different as well.  It could be as little as an annual review of insurance coverage and consideration of key business risks for a sole proprietorship, or as comprehensive as a department with a large staff managing claims, insurance and daily monitoring of key risk indicators for a large financial enterprise.  

For you, however, taking these few simple steps can kick start your risk management program and help you define and align your risk appetite with your strategy and the way you operate your business.  The end result is that you should have a business that is positioned to take advantage of opportunities when they arise and one that is more resilient when adversity strikes.  

 “Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.”  
  - Dr. Michael Ong

Ivan R. McClelland LLB, MBA, P.Mgr. CRM