All businesses are exposed to a multitude of risks daily. These risks can be the result of uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary.
Manie Whisgary, executive head of technical and risk management at Centriq Insurance, explains that while large corporations usually have comprehensive systems and processes in place to manage and mitigate any risk, it’s the small and medium enterprises (SMME’s) that are often left exposed. This, he says, is due to a lack of understanding of the importance of risk management and having the appropriate mechanisms in place to prevent and manage risk.
Whisgary makes mention of the fact that because risk management was closely linked to an insurance package in the past, it was not taken very seriously. Today however, the role of risk management in businesses has changed dramatically, especially with the increased rules and regulations and reliance on key resources. “It is due to these business elements, among others, that risk management has evolved to become a management practice that is every bit as important as financial or facilities management,” he says.
The basic principle of risk management is attempting to identify and then manage threats that could severely impact on an organisation. “This involves reviewing operations of the organisation, identifying potential threats to the organisation and the likelihood of their occurrence, and then taking appropriate actions to address the most likely threats,” he says.
Simply defined, risk management is the identification, assessment, and prioritisation of risks followed by co-ordinated and economical application of resources to minimise, monitor, and control the probability and impact of these events. For this to be achieved effectively, a risk management framework needs to be established.
Whisgary explains that a risk management framework is an all encompassing process where the root cause of a risk is identified and rated in terms of its impact and likelihood. “The current status of the risk should then be measured against what existing procedures are in place to mitigate it. Any gaps between existing processors and procedures and what needs to be put in place must be identified,” he says. “Thereafter a detailed action plan needs to be put into place to mitigate the risk which must be linked to a timeframe.”
In addition, a risk owner must be appointed for each risk. “The risk owner must ensure that the detailed action plan is implemented and must provide regular reports on the status of the risk to management. The residual risk that remains after implementation of the action plan must be within management’s risk appetite, in other words, must be risks that management is comfortable to retain/accept,” comments Whisgary.
It is important to note that it is impossible for an SMME to focus on all the risks that it may be exposed to. “The identification process should therefore focus on the key risks that could threaten the sustainability of the organisation or that could have a significant financial and/or reputational impact on the business.”
The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
Whisgary says that the objective of the risk management process is to summarise the key principles that drive behaviour in the implementation of the risk management process. He emphasises that this process should be common knowledge within the organisation.
“If a business does not have a clear understanding of the risk, how can they be sure that they are getting the right return in terms of pricing?” Whisgary asks. “Risk management is all about protecting the organisation against uncertainty and threats which will prevent it from achieving its objectives. It’s about business sustainability and providing understanding to key individuals around critical risk exposures and the opportunities these create for enhancing the business and balancing performance expectations.”
While larger corporations will have substantial processes in place in terms of their risk management strategy which includes an IT system, these lengths and expense are not necessary for smaller businesses. Whisgary says effective risk management principles are easily adapted on a smaller scale.
For example, many businesses, whether large or small, have strategy sessions at least once a year to determine business growth, future initiatives and the like. “Risk management is often overlooked in these strategy sessions, where it should in fact be linked to proactive and manageable action plans from a strategy perspective,” says Whisgary.
Whisgary also notes that risks need not always be viewed as negative. He says the benefit of a risk management framework is balancing the risk and reward. “It is through effective risk management programmes that optimum value is generated for stakeholders of a business,” he says.
Whisgary concludes by saying that to this end, organisations should undertake comprehensive and focused assessments of their potential risks at least twice a year. He says this assessment should be undertaken by a team of staff members representing all the major functions of the organisation and should be carefully planned, documented and methodically carried out to ensure the successful minimisation and mitigation of risk.