It seems like it never ends, right?
Between deciding what to do for lunch, when to fit that meeting in and what you’re going to wear to the upcoming conference, there are other decisions that you and risk owners will need to make regarding risks you’ve identified and assessed. What are we going to do now?
Deciding which of the following 4 risk response strategies to choose will depend on a variety of factors internal to your organization, but the chief measuring stick should be how the particular risk aligns with your risk appetite. If you want to know more about risk appetite, check out my previous article on ERM governance, which includes setting risk appetite and risk tolerance.
If your company has zero appetite for a particular risk, it will be wise to avoid it. Risks that could jeopardize employee safety or that knowingly violate a law or regulation are two common examples. If the risk is greater than the identified risk appetite, you can reduce or mitigate the risk to bring it within acceptable limits.
Keep in mind, a risk response strategy can change over time, which is why consistent monitoring of known and emerging risks is important to ensure you are taking the right route.
Continue reading to learn more about the 4 possible risk response strategies to handling strategic, operational, legal or any other risks you identify in your organization.
Risk response strategy #1 – Avoid
As the name implies, quitting a particular action or opting not to start it at all is one option for responding to risk. When you choose the avoidance option, you’re closing off any possibility that the risk will pose a threat to your enterprise. As explained above, companies will often choose this option if the risk will impact employee safety, violates the law or poses a threat to the company’s existence.
Examples of risk avoidance can include halting production of a product line, selling a part of the company or deciding against some sort of expansion.
While this may seem like an attractive option, it’s not always practical. Companies that exercise the avoidance option too much can end up operating well below their risk appetite. According to a report from McKinsey and Company, companies that rely on the avoidance option too much “…can actually squander reasonable opportunities to grow and achieve enterprise objectives.”
However, if there is absolutely zero tolerance for the risk in question, then avoidance is the proper risk response strategy.
Risk response strategy #2 – Reduce
Reduction or mitigation is the second risk response strategy you can consider. What this means in ERM speak is to take action to reduce the likelihood or impact of a loss. If the risk in question currently sits slightly higher than the appetite, reduction is a reasonable strategy to employ to bring it within your tolerance level.
Whether you know it or not, all of us employ some sort of risk reduction in our everyday lives. When you get in a car, you put on your seatbelt; this action will not reduce the risk of an accident, but it can reduce the negative impact of one.
To reduce the risk of unauthorized entry into your company building, you could install a badge system. However, this doesn’t completely eliminate the risk of unauthorized entry, since employees can (and most likely will) “piggy-back” or hold the door for others.
On the financial side, a common risk reduction strategy is to require two signatures for checks over a certain amount. Having one person write the checks and another person balance the books is another commonly used risk mitigation strategy in organizations ranging from neighborhood associations to large companies.
When thinking about reducing the risk, the actions could be as simple as making a tweak to a process flow or as complex as introducing new software to automate a process so that fewer people touch the transaction. Or the organization could choose to hire additional resources to create a new function.
For example, suppose you have a structured process to procure services or products but an informal process to manage those contracts and vendors going forward. This situation means big risks to the company: are vendors in compliance with their contracts? Who is responsible for monitoring the viability of the vendor? Do the vendors’ actions introduce risk to the company? So the company decides to create a vendor management program. That’s a great decision…and a commitment from the leadership to hire the right people to do the job and to work with the business people to develop a process that fits the company culture. Leadership decided to reduce the risk, even though this strategy will take time before the results show up in the risks to the company.
Risk response strategy #3 – Transfer
Another option for responding to risk is to transfer the risk. When doing so, you don’t eliminate or reduce the risk as you do with options #1 and #2, but rather delegate or transfer it to a third party.
The two most common methods for transferring risk are purchasing insurance or including specific language in a contractual arrangement. Many manufacturing firms also “hedge” source material prices to protect themselves from higher raw material costs down the road.
In the case of an insurance policy, the risk is transferred to the insurance company in exchange for a price, or premium. For example, purchasing insurance for a building doesn’t reduce the risk of a fire, but instead provides a financial safety net in the event one occurs.
Herein lies an important point – transferring the risk only kicks in post-event. The purpose of insurance or indemnification provisions in other types of contracts is to make you whole again after the covered event. Indemnification provisions are common in construction and service job contracts, rental contracts, purchase order agreements, lease agreements, consulting agreements and more.
In the context of managing risks to the enterprise, the goal with risk transfer is to ultimately reduce the impact should something materialize. You, as the company, are willing to take a gamble on the risk occurring.
Risk response strategy #4 – Accept
The last, but certainly not least, option is to just accept the risk as-is and do nothing. This risk response strategy is often used for risks with a low probability of occurring or that would have a low impact if they did happen. Many companies will have budget reserves set aside to deal with situations like this.
Emerging risks, or ones that may pose some sort of threat in the distant future, are also ones commonly placed in the “accept” category.
If you want to get really technical, all risks except ones you completely avoid can fall into the accept category.
For risks you reduce, you’re still accepting the part that is within your risk appetite. If you transfer the risk via an insurance policy, you still accept part of the risk as it relates to your monthly premiums and deductible. Once a covered event exceeds this amount, the insurance will take over to compensate you for the losses.
In essence – unless you’re avoiding the risk altogether, you are by default using a combination of the reduce (mitigate), transfer and/or accept risk response strategy.
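To make that last point concrete, here is a small added example (my illustration for this post, not a method from the book or report quoted above) that puts numbers on “reduce, transfer and/or accept.” It scores a risk as annual likelihood times impact, lets a control scale one or both (reduce), splits each loss event between the company and an insurer using a deductible and a policy limit (transfer), and reports what the company still carries each year against its appetite (accept). The risk, the appetite figure, the control effectiveness and the policy terms are all constructed for the illustration.

```python
"""Residual-risk accounting for the four response strategies.

Added illustration: a risk is scored as annual likelihood x impact,
a control scales one or both factors, an insurance policy splits each
loss event between the insured and the insurer, and whatever remains
is accepted. All figures below are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # probability the loss event happens in a year (0..1)
    impact: float      # loss if it happens, in currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Policy:
    deductible: float  # paid by the insured on every event
    limit: float       # maximum the insurer pays per event
    premium: float     # fixed annual cost of holding the policy


def reduce_risk(risk: Risk, likelihood_factor: float = 1.0,
                impact_factor: float = 1.0) -> Risk:
    """Strategy #2: a control scales likelihood (e.g. badge system)
    and/or impact (e.g. backups). Factor 1.0 means no change."""
    return replace(risk,
                   likelihood=risk.likelihood * likelihood_factor,
                   impact=risk.impact * impact_factor)


def split_loss(loss: float, policy: Policy) -> Tuple[float, float]:
    """Strategy #3: for one loss event return (retained, transferred).

    The insured keeps the deductible and anything above the policy
    limit; the insurer covers the band in between.
    """
    above_deductible = max(loss - policy.deductible, 0.0)
    transferred = min(above_deductible, policy.limit)
    return loss - transferred, transferred


def retained_annual_cost(risk: Risk, policy: Optional[Policy]) -> float:
    """Strategy #4 in numbers: the expected loss the company still
    carries each year, plus the premium if a policy is in place."""
    if policy is None:
        return risk.expected_loss()
    retained_per_event, _ = split_loss(risk.impact, policy)
    return risk.likelihood * retained_per_event + policy.premium


def response_plan(risk: Risk, appetite: float, zero_tolerance: bool = False,
                  reduction: Optional[dict] = None,
                  policy: Optional[Policy] = None) -> dict:
    """Walk the decision in the post's order: avoid, then reduce and
    transfer only as far as needed, and accept whatever is left."""
    if zero_tolerance:
        return {"strategy": "avoid", "retained_annual_cost": 0.0,
                "within_appetite": True}
    steps = []
    residual = risk
    if residual.expected_loss() > appetite and reduction:
        residual = reduce_risk(residual, **reduction)
        steps.append("reduce")
    cost = residual.expected_loss()
    if cost > appetite and policy:
        cost = retained_annual_cost(residual, policy)
        steps.append("transfer")
    steps.append("accept")  # the untransferred remainder is always accepted
    return {"strategy": "+".join(steps), "retained_annual_cost": cost,
            "within_appetite": cost <= appetite}


if __name__ == "__main__":
    # Constructed scenario: a 20% annual chance of a 500,000 loss,
    # against an appetite of 25,000 expected annual loss.
    ransomware = Risk("ransomware on file server", 0.2, 500_000)
    cyber_policy = Policy(deductible=50_000, limit=1_000_000, premium=12_000)
    plan = response_plan(ransomware, appetite=25_000,
                         reduction={"impact_factor": 0.4},  # tested backups
                         policy=cyber_policy)
    print(plan)
```

Run as a script, the scenario comes out as reduce+transfer+accept: backups bring the impact down to 200,000 (expected loss 40,000, still above appetite), the policy then caps the company’s share of each event at the 50,000 deductible, and the retained annual cost is 0.2 × 50,000 plus the 12,000 premium, or 22,000, which sits inside the appetite. Drop the policy argument and the plan still ends in “accept,” but with `within_appetite` false, which is the monitoring signal the next section is about.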
Regardless of the risk response strategy you choose, monitoring will be a key part to ensuring you stay on the right track…
As explained in the intro, a risk response strategy can change over time. If risk reduction was your initial strategy but the risk suddenly becomes a bigger problem, you can look at either avoiding it, if possible, or transferring it. According to author Norman Marks in his book World Class Risk Management, risks “…need to be monitored so that management can act promptly if and when the nature, potential impact, or the likelihood of the risk goes outside acceptable limits.”
This is not to say that you and risk owners (i.e., managers and subject-matter experts) have to monitor each and every risk equally – that would not only be a daunting task, it would be very annoying to the department heads, directors and managers who “own” that risk.
The frequency at which you monitor or “check-in” on a particular risk will depend on assessment variables like velocity, impact and/or probability.
If a particular risk is low impact and has a low probability of occurring, you won’t need to monitor it as frequently. Likewise, if the speed or velocity at which the risk will occur or move outside acceptable limits is slow, then you don’t need to worry about monitoring it as frequently.
On the other hand, risks that are prone to change quickly or ones requiring a longer response time will need more frequent monitoring so management can take the necessary action before the issue becomes a real problem.
We’ll explore the topic of risk monitoring more in a future article…
To reiterate one key point, the risk appetite is the measuring stick you and the risk owner(s) use to determine the right response strategy.
Risks that are well below your appetite can typically be accepted and monitored periodically. However, if there is absolutely no tolerance for a particular risk, it’s best to take steps to avoid it altogether.
If your organization is seeking clarity on what course to take after identifying risks to the enterprise or to develop ideas into risk strategies, please don’t hesitate to contact me to discuss possible risk response scenarios.
And as always, please feel free to continue browsing ERMInsightsbyCarol.com to learn more about developing a risk appetite, identifying risks, how enterprise risk management is different and much more. You can always subscribe to my blog by entering your email on the right, or connect with me on LinkedIn.
Image #1 courtesy of “iosphere” via FreeDigitalPhotos.net
Image #2 courtesy of “koko-tewan” via FreeDigitalPhotos.net