GRC Tuesdays: Is Risk Management Only for Big Companies?
“Risk Management is only for big companies”. Now there’s a sentence I have heard many, many times! I believe this assumption comes from the association that risk management equals management of compliance risks, which applies mostly to regulated companies or public companies.
As we’ve already discussed many times in these GRC Tuesdays blogs, this is a misconception – compliance risks make up only one of the risk categories that deserve to be managed. That category certainly doesn’t define a complete risk management scope.
All companies manage risks since they’re inherent to any production or service delivery activity. For instance, small and medium enterprises (SMEs) might manage:
- Treasury risks: suppliers and employees aren’t paid on time
- Business interruption: products or services are no longer provided
- Recruitment and retention of key employees: knowledge and expertise aren’t kept within the company. This includes the very high-profile succession planning risk: a survey from the Canadian Federation of Independent Business found that only 8% of SME business owners have a formal plan to pass their business on to a new generation
- Loss of intellectual property: technological progress, literary, and artistic works are infringed
- Privacy breaches: loss or corruption of confidential information
Risk Management Can Help Large Corporations and SMEs
Your company, whatever its size, is most certainly facing at least a couple of the risks above… And probably many more as well. The good news is that risk management can help!
- Well, first of all, risk management can help in identifying the risks themselves; using pre-defined risk libraries by industry sector is a good start. Once these risks have been identified, risk management suggests detailing them and finding the root cause(s) for each event. These are the drivers that could trigger the risk.
- Then what?
- Then comes the analysis part: assessing what the impacts would be – not only financial impact, but also impacts such as operational disruptions, reputational damage, legal repercussions and so on – and also the likelihood that this risk could occur in the future. Going back to the succession planning example, if the founder is 60 today and plans to retire at 65 but no formal succession plan has been defined, then there is a 100% chance that this risk will be realized in the next 5 years.
- And the next step?
- The next step for all the high-profile risks is to define measures to reduce their likelihood or, if this isn’t possible, to reduce the magnitude of the impacts.
Risk management, therefore, is for all companies that intend to stay in business for a long time. It’s not only for the multinationals that need to comply with financial regulations.
But Wait, There’s More!
There’s another side of the coin: risk management is not just about managing negative outcomes, but it’s also about leveraging upsides. Launching a new product, starting a new project, investing in a new market… all inherently carry the risk of failure. But they should also represent significant opportunities like additional market share, increased revenues, and so on.
Performing a sound risk management exercise enables any company to weigh both the negative and positive aspects before making the appropriate decision. Should we move full steam ahead, limit activity to a reduced scope, or determine it’s a no-go?
What about you? How does risk management help you and your company perform better?
I’d be very interested in reading your examples either on this blog or on Twitter @TFrenehard
Originally published on the SAP Analytics Blog