Risk management: The essentials
Why smaller companies need to pay closer attention than ever to their risk management processes
Thanks to the blue-chips making a hash of their risk management, smaller companies need to pay closer attention than ever to their own processes.
Why are we in such a mess? As hindsight sheds light on the origins of the global financial crash, it’s obvious that large corporations such as AIG, Citibank, RBS and Goldman Sachs failed to assess their exposure to predictable outcomes of the extended credit management. In short, their risk management strategies were either inadequate, overlooked, or non-existent.
Risk management is common sense, says the chief executive of the Institute of Risk Management (IRM), Steve Fowler. IRM’s definition of risk management places it at the centre of any organisation’s strategic management. “It’s the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities,” it states.
Why small businesses need to manage risk
A large company can ride events in ways a small company can’t. “Risk management is a survival issue for small and medium-sized companies,” says professor Patrick Gougeon of ESCP-EAS management school.
“Globalisation, outsourcing, new technologies and increasing competition have all made the business environment more complex, and, therefore, riskier. At the same time, there has been pressure on companies to improve their financial performance.”
Gougeon identifies three types of risk medium-sized businesses tend to neglect:
- Business interaction risk: “If you have a fire at your factory, the insurance may pay for it to be rebuilt, but can you recover from being unable to trade for six months?”
- Crisis management: “When events happen, small companies often focus on fixing them, neglecting other areas that then become new crises.”
- Intangible assets: “Many small and medium-sized companies are not aware of the value of intangibles they have – brands, reputation, human resources and the like.”
More immediately, for smaller businesses the establishment of a risk management system is essential, since it affects their ability to continue to receive credit from banks, according to Dr Thomas Henschel of Napier University in Edinburgh.
“When rating a medium-sized business, the lending bank will always assess the proper implementation of a risk management system,” he points out.
You should frame risk management around your business’ objectives and strategies, says Fowler. “Prioritise, but keep a broad view of what is going on elsewhere in your industry, what is happening in countries you trade with, and what is happening in parallel industries that might affect your own business,” he advises.
Your risk assessment will reveal which, out of property, engineering theft, money, credit, goods in transit, business interruption, vehicles, legal, public liability, life, pensions and so on, you might need. Major insurance brokers cover all risk angles, but it may be worth retaining an adviser who knows your business well for tailor-made advice.
About 70% of uninsured or under-insured small businesses that suffer a big loss fail within 12 months, according to brokers Southall Harries. They need a contingency plan to help minimise exposure to severe interruption in the event of a major crisis, such as fire, flooding or systems failure.
Another business benefit from having a risk management plan is that companies can be rewarded with lower insurance premiums while still being adequately covered for a major catastrophe and loss of trading.
‘Engineers, not actuaries’
Insurance relies on a tried and tested model of balancing probabilities and premiums. Mike Wilkinson, a risk specialist at insurance consultancy EMB, understands that risk is a business tool. “Entrepreneurs place a premium on risk,” he says.
“Risk management is about taking that balanced view between how much risk I take, how I understand the risks, and how I keep these within the bounds of the risk I want to accept. Also, how do I manage the bit that I don’t want to accept?”
Consequential risks that you may not fully understand are a danger area, according to Wilkinson.
“Good risk management is about spreading the risk, but that makes life difficult for an entrepreneurial business – there is little you can do about the recession, so it may be time to look at diversification,” he says. “Alternatively, how do you make your business model flexible enough to be able to weather downturns of the sort we’re currently experiencing?”
Other insurance consultancies take a slightly different approach. Stuart Selden, of insurance firm FM European, puts risk management above purely actuarial considerations, because he believes that the majority of losses can be prevented. “We don’t employ actuaries, we employ engineers,” he says.
It all comes down to how good your risk analysis is. Craig Ferri, managing director of risk analysis business Palisade Europe, believes much uncertainty can be removed from the process given the right tools.
“A lot of current decision-making is based on best-case and worst-case scenarios, whereas a mathematical and logical process, that also acts as an ‘audit trail’, is needed to track complex variables,” he says.
Nothing’s harder to pin down than data. At a time when you can get a terabyte on a USB hard drive, any employee could walk out with the entire company database – its crown jewels – in a briefcase or on a laptop.
“IT policies often look as if they have been lifted from someone else’s policy on the web,” laments Mike Warriner, head of technology at corporate finance lawyers White & Black Legal.
“When I review IT, data sharing or processing policies, there seems to be a one-size-fits-all approach. But different departments use that data very differently. You need to make sure that it’s being handled responsibly and that they don’t fall foul of any data protection issues.”
A customer relationship management (CRM) database may well contain private data caught by the Data Protection Act (DPA). But often companies don’t report all their data breaches to the Information Commissioner, says Warriner.
“The DPA says data has to be held securely,” he explains. “So they are risking prosecution, and also their reputation.”
Smaller businesses can be particularly vulnerable if they have external IT support warns Warriner. “Someone in the company gets a call, supposedly from the IT consultant, saying they’re ‘running some tests’,” he says.
“It has been shown to be quite easy to retrieve passwords from individuals in this way.”
The vital asset
In 2007/8, the Health & Safety Executive (HSE) and the local authorities issued 13,750 enforcement notices. Although that was down a little on the previous year, it led to more than 2,500 prosecutions. The average fine was £12,896. Not that the penalties matter compared with the damage to your reputation from a high lost-time accident rate.
Health and safety gets a bad press these days, because people think it’s an excuse for getting 10 people to do one man’s job. Meanwhile, entrepreneurs often bemoan the amount of time they have to dedicate to what they regard as ‘box-ticking’ initiatives. Like it or not, it’s a key part of any company’s risk strategy, not just in construction or the oil business.
You could even argue that we’re fortunate in the UK in having the HSE, which “believes in saving lives not stopping them” and offers help. “A risk assessment is an important step in protecting your workers and your business, as well as complying with the law,” it says. “That means simple, cheap and effective measures to ensure your most valuable asset – your workforce – is protected.” The law does not expect you to eliminate all risk, but you are required to protect people as far as “reasonably practicable”.
However, companies are now under obligation to prove that the correct procedures are in place, says Catherine Golds, head of the certification and training body NQA. The Corporate Manslaughter and Corporate Homicide Act 2007 that came into effect in April last year has put more pressure on companies to manage their risk and take responsibility for their processes, she points out.
“Companies that hold certification of an internationally recognised health and safety management system, such as OHSAS 18001, can be assured that they have taken all measures necessary to prevent accidents. That’s because the standard demands clear identification of potential incidents and the implementation of controls to effectively manage their health and safety risk,” she explains. “If there is an incident, companies will also be able to prove due diligence as a defence.”
While small business owners may feel working towards an accreditation is a step too far, many organisations will have elements required by OHSAS 18001 already in place. These can be supplemented to provide a more cohesive management system to meet the requirements of the standard.
Green issues have pushed their way up the business agenda – now no annual report is complete without a good story on environmental performance.
If you are husbanding resources well, investors will deduce that you are running a tight ship. More importantly, there’s more Eurpean Union legislation on everything from pollution and waste management to hazardous substances and noise.
For guidance, you can approach the Environmental Protection Agency or Defra, which publishes Guidelines for Environmental Risk Assessment and Management, or join the Smith Institute’s Special Interest Group in Environmental Risk Management. But environmental best practice should be codified, according to Golds.
“Managing your environmental footprint is a step in the right direction but, to ensure that an organisation is meeting legislation, taking the next step to certification is fundamental,” she says.
“ISO 14001, the International Standard for Environmental Management Systems, demands a thorough understanding of environmental processes and regulations,” Golds continues. “NQA assessors have broad experience in the field and use their knowledge to the advantage of any company that is looking to tighten up its environmental controls.
“Once these are in place, they can often deliver significant cost savings to businesses. In fact, the cost of certification should be seen as an investment in safeguarding your company against the current recession.”
The greatest risk of all
If you don’t take any risks, you’re unlikely to get very far in business. “Risk management should be about sensible approaches to risk taking, not about avoiding risk altogether,” says the IRM’s Fowler. “You could say that failure to innovate and to take notice of changes in the market is the greatest risk of all.”
Ultimately, managing risk effectively is all about knowledge, judgement, and the skill to be able to slant the odds in your favour, while also avoiding the bear traps.