8 Steps to Simplify Your Risk Management Program

Figuring out how to manage the many risks your organization faces can be a difficult process. Issues range from natural disasters, such as tornados and hurricanes, to man-made issues, such as fraud, theft and cybercrime. Add in accidents, workplace violence and reputational risks, and it can all seem overwhelming. How do you protect your company from every possible risk you might face?

Pick and Choose Your Risks

The answer: You can’t, says EMC Loss Prevention Information Manager Jerry Loghry. It’s not cost effective or even desirable to protect your company from all potential dangers. The trick is to determine which risk could most negatively impact your business, calculate the odds of a particular event and pinpoint those severe enough to take action. To do this, Jerry recommends following these 8 steps:

1. Start by brainstorming possible threats (review Financial Education Curriculum from the Small Business Administration to jumpstart your thought process). Don’t worry if the list is daunting. You’ll eventually narrow it down.
2. Consider the probability of a particular event occurring. If you’re located in a flood plain or you store volatile chemicals in your warehouse, these are hazards you need to deal with. Your organizations's history is an important key to future risks, and your company culture may also give clues. In which arenas has the organization suffered setbacks? What is your loss history? Sources such as the National Weather Service and National Fire Protection Association can help you research the probability of a risk occurring in their areas of expertise.
3. For each threat you identify, determine the financial, reputational, moral, production or other impact an occurrence would have on your company. Would it be minor or could it cripple your organization?
4. Track details and sort the risks by building a matrix (an assessment tool) listing probability in one column and potential impact in the other. Add in risks and use your research to rank them. Color code the possible events to provide a clear visual.
5. Fine-tune the matrix by adjusting for threats important to management. These may not be in your top 10 most likely risks but if the possibility of an occurrence keeps company owners awake at night, they are worth elevating.
6. For each risk that lands on the matrix, examine how to address it. You can:
   • Avoid It―This works well if there is a specific hazardous activity you can quit performing entirely.
   • Accept It―You may acknowledge the problem as the cost of doing business or as an event not unreasonably costly in dollars, time or reputation.
   • Reduce It―Sometimes a minor switch moves a process out of the danger range. This might involve switching from a flammable paint to a water-based paint. Recognize that the switch might create a new risk—maybe the new paint isn’t as durable and your products won’t hold up as well.
   • Transfer It―Insurance is a common way to let someone else bear the burden. You can also hire subcontractors to handle tasks you don’t want to worry about.
7. Implement your strategy. Whether it’s buying insurance or modifying a piece of equipment, move forward with risk reduction recommendations and decisions. Use your high-probability/high-exposure items as a guide and if there are some areas of lower risk you can address easily and inexpensively, check those off the list. For example, if the company has a history of vehicle accidents, combine employee education, stricter distracted driving rules and crash avoidance technology in new vehicles. There is little effort and cost to implement this program.
8. Evaluate your progress and update the matrix annually. Make necessary updates if mitigation efforts didn’t pay off or had unintended consequences, you discover new vulnerabilities to add to the matrix or the company’s risk appetite changed.

Remember These Words of Wisdom

• Risk assessment is not a one-time project. You need to keep at it month after month and year after year. Once you have the plan in place, it’s easy to adjust.
• You won’t ever be 100% accurate in your predictions and implementation efforts. That’s why you’ll evaluate and fix things as you go.
• Take comfort knowing that working through the process in a logical way is better than guessing on what the future holds or doing nothing to prepare.
• No tool fits every organization. You must work through the process on your own and not rely on another organization’s matrix (even though it’s a good idea to review examples for inspiration).
• The pressure is on for organizations to manage risk due to a growing concern of threats. Large and publicly-traded businesses face more pressure to cover potential losses, but small businesses have to keep up with industry trends.