Risky Business isn’t Good Business

April 13, 2016

By T.H.L. Gordon, Missouri Enterprise Project Manager

In simplest terms, “risk” can be defined as “the effect of uncertainty on objectives.”  The hard reality of business is that there is no such thing as “the future” in the singular sense.  There are only multiple, unforeseeable futures, which will never lose their capacity to take us by surprise!  The developing history of risk management is simply an attempt to minimize the dangers and accentuate the positives, preparing an organization in advance for risks that could become reality in the future.

Perhaps the most mundanely recognized risks are the uncontrollable forces of nature or accidents, so called “acts of God” including natural disasters such as tornadoes, floods, storms, lightning and earthquakes and so on.  Many insure their companies against such events, yet they don’t develop and implement effective plans to deal with such catastrophic events should they occur.  Having insurance is misinterpreted as having a plan.  There are of course other risks which loom even more heavily and can have devastating impact on a business; logic dictates a company should be especially prepared to deal with them simply because of their greater likelihood of occurrence.  Few do so effectively.

Take for example the potential impact of another economic downturn on your business. The Economist Leader Column of June 3th, 2015 stated that, “It is only a matter of time before the next recession strikes,” and points to potential hazards that could cause a downturn, such as the Greek debt saga and China’s shaky markets.  What better time to prepare for the worst by reshoring and strengthening the domestic supplier base?  With such a large part of manufacturing success based on a healthy supply chain, it simply makes sense to continuously strengthen your network of suppliers and minimize risk exposure to unpredictable foreign markets.

Health and Safety issues in the workplace also factor heavily into a company’s risk.  Companies who are dependent upon the skillsets of one or two key employees face incredible risk if a serious injury (or worse!) should happen.  Without adequate redundancy in critical skills, the plant can literally stop production or lose efficiency at an incredible rate, causing serious loss in profitability or even closure.  Operate at diminished efficiency for too long, and the results can be disastrous. 

The modern risk of information security has become incredibly real, and no company can afford to ignore it.  According to an article in the June edition of National Defense cyber-attacks are becoming the “new normal of enterprises.”  Weak user names or passwords are the culprits in the vast majority of information security breaches, and even though relatively simple protection protocols can be implemented at very little expense, very few companies commit to the effort, and they do so at their peril. (ISO 27001 is one of the relatively straightforward ways to address this issue).  The message about passwords has been repeatedly delivered by clarion call to the public, yet one only needs to tune in the daily news to understand that companies are failing to act.  Imagine losing critical proprietary operational information to a competitor, or finding your company vilified in the local, national or international press as a laggard more interested in profits than protecting customer information.  Even mega-corporations fall against such onslaughts.  The risk to small to medium sized manufacturers is daunting.

About half of the manufacturers in Missouri are closely held or family owned companies, typically in that small to medium size range, and they are extremely susceptible to risk when they fail to plan effectively for leadership transition.  Statistics show approximately 50% of Missouri manufacturers will attempt a transfer of ownership in the next five years, and projections indicate less than 40% of those companies will make a successful transfer!  This sobering reality can change if companies better plan for succession, managing the risks that come with leadership transition and ensuring effective knowledge transfer as key leaders or team members age out or leave the company.  Ideally, transition of leadership is managed with foresight over a period of years to minimize the risks and maximize the value and continued vitality of the company into the future.  But a practical succession plan can also mean the difference between success or failure in the event of catastrophic changes due to the serious injury, disability or even the untimely death of a key leader. 

These are just a very few of the countless risks and very real possibilities an organization may face.  How companies prepare for such risks varies wildly, from the very risky “do-nothing,” reactive approach to the forward-looking and proactive management of seen and unforeseen change.  The do-nothing folks are most susceptible to disaster of course, keeping their “heads in the sand” and letting events dictate their future.  The forward lookers understand the concepts of risk appetite and risk tolerance; they know how much risk they are willing to take to achieve their strategic objectives, and they understand their tolerance and ability to handle swings in financial fortunes of the company.

Too many businesses just allow things to happen, then react when risks become realities.  Successful companies are resilient because they plan strategically against risk in advance, minimizing the impact of risk when problems occur, and measuring their steps forward with a real understanding of risk potentials.  The approach to risk should be made in the context of what an organization wishes to achieve.  For this reason, risk management must be closely linked to the management of change and decision making in the organization.

ISO 31000:2009 has defined a systematic process for managing all forms of risk, and integrating risk management into the organization’s overall management system.  By tying everything together under a dedicated commitment from top management on down, a company can attain a state of constant vigilance and focus on their strategic objectives.

In the final analysis, Risk Management is an exercise in sound judgment, based upon data.  It is an invaluable exercise to consider how many businesses fail.  Research has shown that 10% is the average extinction rate of businesses every year, while 30% of businesses fail after 3 years.  There are valid reasons for this high level of failure and they all appear to be centered upon the approach to risk. 

Risk is inherent in virtually all activities, but careful planning can ensure that an organization is prepared for foreseeable eventualities and is, therefore, in a position to protect itself from harm or to accentuate a positive result: a negative event to one organization might mean a positive opportunity to another.  The one thing no organization can afford to do is to ignore the risks inherent in doing business today.  The “head in the sand” approach can only lead to disaster, generally sooner than later.

But one cannot commence with a successful Risk Management strategy without first conducting a genuinely comprehensive and unbiased assessment of the myriad risks their organization may face.  Although a few corporations might have the in-house expertise required to conduct a proper Risk Assessment, it’s a highly specialized skillset.  Most companies will benefit greatly by engaging outside expertise with the knowledge and experience to guide them through the processes of Risk Assessment and Risk Management planning.  But it doesn’t stop there.  To prevent the wasted expense of time and money creating a manual to sit on the electronic shelf, the key is to fully and effectively implement the strategic plan so it permeates every level of the organization. 

There’s a time-worn old adage that seems to have lost its depth of meaning through repetition, but it truly applies to risk management:  If you fail to plan, you plan to fail.