Cyber crime is making all the headlines at the moment and it was recently reported[i] that cyber crime and fraud are now the UK’s most common offences. Any company that operates online is exposed to the risk of cyber crime and the bigger and more dependent the organisation is on the internet, the greater the damage that may be done. Note the use of the word ‘may’ because that is what a risk is: something that might happen. If and when it does happen it is no longer a risk but an issue…… that needs resolving.
So we can see that risk is the possibility of something (normally bad) happening with consequences that will damage the business. Damage or impact could be financial, reputational or on the people connected with the business. This concept of risk being two dimensional is important to recognise because people will sometimes focus too much on the impact forgetting or ignoring the probability. The fear of flying, for example, is irrational because the likelihood of an incident happening when you are flying is extremely small but the impact/consequences may, of course, be catastrophic.
Human beings have always managed risk: our ancestors use to live in caves to protect themselves from animal attacks; the Romans maintained a well-trained army in case of insurgency: the plimsoll line was created to help prevent ships from sinking when cargo was being loaded. Nothing has changed to this day save for the fact that most organisations nowadays have to actively demonstrate that they are managing risk. In other words, there has been a move has been from implicit/informal to explicit/formal risk management. This move from implicit/informal to explicit/formal risk management has manifested itself in businesses setting up risk registers, appointing Chief Risk Officers and supporting staff and even developing methods to quantify risk exposures as a basis for providing reserves should such risks manifest themselves.
So where do you start if you want to be more explicit with your risk management? The first thing to do is to understand the process of risk management which typically has four phases:
Identification – a subjective exercise in identifying all the risks that might affect the business. These are often grouped into areas such as financial, operations, IT, legal and so on. The aim is to develop a list of risks without ignoring any that are identified.
1. Assessment – a subjective evaluation of the likelihood of a the risk occurring and the impact that it would have if it were to manifest itself. There are various scales that can be sued for this process and the starting point is to consider these risks as if there were no controls in place (see next step) to mitigate the risk.
2. Selection – selecting a suitable way in which the likelihood or impact may be reduced. Mitigation techniques are often referred to as the four Ts:
Treat – techniques which implement or improve controls to prevent the risk from occurring;
Transfer – techniques which move the risk out of the business (insurance is the best example of transferring a risk);
Tolerate – accept the risk and choose to do take no further action, may be because the probability is too remote;
Terminate – avoid the risk completely by, for example, deciding not to move into a new business line.
3. Implementation – the final stage in the process involves re-assessing the likelihood/impact with the mitigation actions in place, implementing the agreed actions and then providing a follow-up/monitoring plan to ensure the risk remains ‘under control’
Risk identification is, by definition, an ongoing process as new risks emerge (such as cyber crime) but that doesn’t mean that the process needs to be done on a daily basis. In fact, once the process has been documented in a suitable risk register[ii] then it is just a question of reviewing the results every 3/6 months to make sure that nothing has changed. Of course, if there is an unexpected external event (such as a terror attack) which may affect your business then a review can take place immediately. In fact, scanning the external environment for new and emerging risks is part and parcel of the risk identification process.
An assessment of the risks facing a business should be broadly based and look at both internal and external risks. Typically the former are easier to control whilst the latter are harder. First aid is one area that should be included in your risk assessment as, not only is it a statutory requirement, it is also good business practice to prepare your business for the types of eventualities where well trained employees are able to react to an emergency in the workplace. More information on first aid risk assessments can be found on the Health and Safety Executive website[iii].
At this point, it is worth pointing out that the negative connotations of risk management thus far described need to be balanced against an organisations requirement to take risks. Any new business is taking risks when it first sets out. Any new venture for an existing business is risk-taking. The very simple message that comes from this is that an organisation has to manage risks to protect the business and take risks to grow the business. As always in business, there is a balance to be struck between the two and achieving that balance is down to the directors.
The litany of failures caused by poor management of risks is endless. The consequences of poor risk management can lead to huge financial losses (witness the global financial crisis) or even loss of life (witness the Mid Staff NHS enquiry). Many of these failures hit the Press with headlines that “this should never be allowed to happen again”…….but sadly they do. Such catastrophic events may be confined to larger organisations but smaller businesses are not immune and can protect themselves without creating too much bureaucracy and recognising that good risk management is a necessary part of doing business in today’s complex working environment.