How to prepare a plan and analyse the impact
Risk is a necessary part of any endeavour, and it is impossible to run a risk-free business. You can, however, reduce the risk of risk.
What do we mean? Well, the probability and impact of any risk are variable factors. So, by facing up to and strategising around the biggest risks for your business, you can reduce the probability that they will occur.
Creating a business risk management plan helps to clarify what is and is not an acceptable risk for the company on ethical, legal, and financial bases. Not only that, but it also enables you to put plans in place to minimise the impact if the worst does happen.
Here, we’ll run through what you need to think about when preparing a business risk management plan:
Business risk management plans – the basics.
Overall, you need to consider four main things: Possibility, Probability, Impact, and Mitigation.
- Possibility. What could happen? What are the possible risks associated with any given operation? Cover as many bases as you can with this one – think of technical, legal, logistical, physical, emotional, criminal, natural, and any other kind of risk which may apply, including those which are out of your control.
- Probability. Having identified as many possible risks as you can, now consider the probability of each of these occurring. Some may be out of your control, but it is still really important that you assess the likelihood of them happening.
- Impact. Then, for each risk identified, assess the impact that it would have on your business. Would there be legal penalties? Could you recover from a significant loss of resources? What about brand damage? Get really catastrophic with your thinking – what is the absolute worst that could happen in each of your scenarios?
Now that you have a list of risks, rank them according to the probability and scale of the impact you believe they could have. Having done this (and perhaps scared yourself silly in the process!) it’s time to move on to the more positive side of the process: mitigation.
So, you should by now have some idea of which risks are most likely to happen and which risks will be the most damaging should they occur. Now start matching the ‘probability’ and ‘impact’ lists up. This will give you an idea of the risks most in need of attention.
For example, a risk with both a high probability of occurring and a high impact is one that needs serious consideration. A risk with a potentially high impact but a low probability of occurring is less worrying, but still needs thought. A risk with a low impact and a low probability of occurring needs no more than a quick discussion. And so on.
Once you’ve got an idea of the risks most urgently in need of mitigating, you can start bringing in plans to do so. There are two types of mitigation to think about: contingency, and impact reduction.
- Contingency. A contingency plan is a plan designed to reduce the probability of a risk occurring. For example, if you have identified cybercrime as a risk, a contingency plan to mitigate that risk might involve staff training, the installation of new software, more security protocols and so on.
- Impact reduction. As the name suggests, impact reduction strategies are all about reducing the fall-out from a risk should it occur. So, if you have identified legal penalties as something that could occur as a result of your business activities, an impact mitigation strategy may involve finding a legal expert to call for advice should things head south – or taking out the relevant insurance.
So far, so simple. There is, however, another element to consider in all of this: the cost/benefit equation.
If the potential risk is high but the cost of a contingency plan is prohibitive, you may be better off concentrating on an impact reduction strategy rather than investing in the contingency plan. For example, if you have identified one transport route as riskier than another, the obvious contingency plan would be to take the latter route. However, if the latter route would cause significant delays (resulting perhaps in loss of sales, revenue, or customer satisfaction), then the lesser risk for your business is actually to keep using the faster route.
Cost/benefit analyses can be tricky calls at times. Sometimes, cost, benefit, and potential impact get into a Mexican standoff which can be very hard to figure out. This is when you really need to think hard about what your business can stomach and what storms it can weather. Is the potential profit really worth it if the job may pose a danger to your workers? Can you afford to install the necessary security software to carry out the processes you need for a risky operation? And what about the ethical angle – does this job tally with your company values?
All in all, business risk management is never a clear-cut thing, but it is still infinitely preferable to the ‘head in the sand’ approach preferred by many businesses. Forewarned is forearmed, so make sure you have a full picture of what could go wrong - however scary it might be to think about - so you know you have the best chance of tackling whatever lies around the corner.