In a time of crisis, it is normal to respond to the most urgent things to keep operations running and cash flowing. However, it is important to start thinking about risks, both short-term (1-3 month horizon) and longer term (3 months - year plus). Below are a few elements of risk management:
For any entity, have someone who is not the primary decision-maker run the risk process in order to provide an independent, unbiased, and objective view of the risks facing the firm.
It is helpful to think of risks broken down by categories. While each industry and firm may have unique risk categories, the typical categories are: financial, operational, legal, regulatory, market, organization, and strategic, etc. Some of these categories can be combined or broken out further as needed.
Step 1: Using surveys and interviews of internal stakeholders and external market research of the industry, identify risks in each of the buckets. Some risks will be obvious or intuitive and some may require looking into past indicators, data, and other sources.
Step 2: Once a preliminary list of risks is generated and categorized, the next step is to prioritize these risks. In order to prioritize risks, quantify the risks and quantification doesn’t have to entail a complicated model. Instead, use a survey to get input on magnitude and likelihood of each of the risks:
Risk = magnitude x likelihood.
Risk response could include any one of four options for managing risk. For each of the risks, determine how the risk should be managed:
Risk Acceptance: it is perfectly ok to accept a risk if the risk is fundamental to the business strategy. The key thing to remember is that the acceptance must be a deliberate process and made at the appropriate level of authority.
Risk Transfer: Some risks can be transferred to another entity. Some examples of risk transfer: insurance or reinsurance as the case maybe, SLAs with a vendor, performance based incentives or disincentives with third parties, hedging, etc.
Risk Avoidance: If the activity that is creating the risk is not central to the business mission, re-evaluate and avoid the activity.
Risk Mitigation: Determine if there activities or projects that can be undertaken in order to mitigate the risk. It is important to keep in mind the cost of mitigating the risk vis a vis the risk.
As a firm, to have a view on what risks (or risk categories) the firm wishes to take and what the risk appetite (how much risk to take for each of the risks would be helpful in determining the appropriate response.
Net Risk vs. Gross Risk
In the first pass of the risk assessment gross risk is determined. In the second pass, after the appropriate risk response is applied, risk assessed is the net risk. This process is iterative and can be applied periodically (quarterly or annually depending on the nature of the industry and size of the firm.)