Risk Management is when a manager tries to organize his company (or business unit) to prepare in case of, and try to prevent, something going wrong. Risk management is one of the most complicated branches of management, as it requires managers to be able to assess unknown situations and try to be prepared for anything. It is the technique of distinguishing, investigating, and acknowledging uncertainty and speculation management choices. Essentially, risk management occurs whenever a financial specialist or fund manager analyzes and tries to determine the potential for loss in any given situation, and later makes the appropriate action to try to minimize that risk.
Internal versus External Controls
Tools for Risk Management are usually divided between Internal Controls, meaning tools to prevent problems coming from inside the organization, and External Controls, which means preparing to face threats and problems coming from somewhere else.
Internal Controls are the procedures and processes in place at an organization to make sure everything operates smoothly and mistakes stay rare. This includes things like building Standard Operating Procedures (SOPs), Quality Assurance (QA), and Auditing. It also includes checks and investigations to make sure those SOPs and QA processes are being followed properly, not just unused documents. Most of the examples in this article will focus on internal risk management.
External Controls are in place to protect an organization from damage done from some outside force. This includes things like assessing how likely a new product might fail to sell, how much damage would be sustained in case of an accident, and making sure the organization is properly insured in case of disasters. External Controls include relatively minor things like building security (to make sure industry secrets are kept safe) through currency hedging to make sure the organization is not overly damaged if exchange rates start fluctuating.
Nature of Internal Risk Control
Internal Risk Control is what a manager and organization put in place to minimize risks coming from inside the organization. These controls fall into 4 broad categories:
- Monitoring: These are controls put in place to keep an eye on operations and identify problems before they escalate
- Control Environment: This means organizing the workplace to minimize risk. This can be anything from a factory installing safety equipment to the IT department putting up firewalls to protect against viruses.
- Information and Communication: This is the establishment of regular reports and communication channels between departments, workers, and managers. Sometimes workers and managers believe they have a problem “under control”, but it could be on the verge of spiraling into disaster – good communication and reporting helps prevent this from happening.
- Risk Valuation: This is the method that an organization uses to put a dollar amount on how much risk each aspect of operations is adding to the whole.
Risk valuation is the most tricky, but also the most important. Each organization has finite resources that it needs to spread to minimize risk as a whole, and this valuation process helps guide those efforts. At the same time, every time a company adds more monitoring, controls, and reporting duties to its staff, the staff spend more time focusing on risk management, and less on what generates revenue. Every time a new internal control is imposed, it must be balanced with the cost it imposes on the team it is trying to protect.
Internal risk control is done at every level of management. The lowest-level managers are trying to minimize the risks inherent to their team in meeting their objectives, while higher levels of management examine risks running throughout the organization as a whole. Effective controls are also bottom-up as well as top-down, by adding direct avenues of communication from rank-and-file workers to report any time they believe internal controls are being disregarded, or if new controls may be necessary to address new risks.
Contrast with External Risk Control
External risk control is more free-form, since the risks from outside an organization cannot be quantified quite as easily. This usually starts with a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats), and focuses on addressing the Threats identified. External Risk Control is usually addressed by the higher level managers, who then issue directives to the lower levels of management to address these risks.
While internal controls are put in place to ensure the organization continues to operate smoothly, external risk controls try to address threats to the business itself. For example, airlines are always at risk for the price of oil going up, which causes a huge spike in their operating expenses. One major form of external risk control they exercise is purchasing oil futures, which locks in a set price for several months in the future, removing some uncertainty. External risk controls try to look at everything from input prices changing to new laws and regulations being passed, and everything in between.
Ways to assess risk
Risk evaluation has no settled guidelines on how it ought to be done. However, there are a couple of general rules that are followed. There are five stages to risk evaluation that can be taken after to guarantee that risk appraisal is completed accurately. These five stages are:
Stage 1: Detecting the hazards
Before a risk can be assessed, the first step is identifying what exactly that risk is. The goal of Step 1 is to have a clear and concise definition of what exactly the potential problems are and what kinds of damage might be caused. For example, dangerous machines in a workplace have a defined risk of harming workers, which both loses productivity and results in lawsuits.
Many hazards are initially very vague, but effective controls cannot be put in place until the managers identify what exactly they are trying to control. Hazards can be recognized by utilizing various diverse procedures, for example, strolling around the work environment or asking the workers. A few hazards might be anything but difficult to distinguish and others may require some help from different experts outside of one’s business.
Stage 2: Identifying the stakeholders
This stage builds on the hazards and risks found in stage one. A problem in the workplace has a few different levels of stakeholders. For example, with dangerous machinery, the workers at risk of being injured are obvious stakeholders. Additional stakeholders would be the other units of that business who will be put behind schedule if there is an incident earlier in the production chain. It will also impact the families of those who might be injured, as well as the stockholders of the company who may pull their investment in light of the bad press following an injury.
Stage 3: Evaluating the dangers and choosing control measures
Evaluating the dangers means trying to assign some probability of how likely the hazard is to occur. No hazard can be completely eliminated – only minimized. This means businesses first identify how likely a problem will arise from that hazard, and how much potential control measures will lower that possibility.
Potential controls are evaluated by balancing their cost to implement (both in dollar value and how much time/effort of the staff it will take to enforce the control) with how much risk is actually reduced. Once several alternatives are compared, new controls can be introduced.
Stage 4: Record the findings
Effective controls are implemented on a trial basis. This means the team has a training session to outline what the hazards are and the new controls being implemented to address them. While the trial progresses, the entire team (from rank-and-file workers through the management involved) record how the implementation impacts their work, both in terms of actually addressing the risks the controls are addressing and the realized cost of implementing them.
Step 5: Review the assessment and refresh
Risk controls need to be continually reviewed for effectiveness and refreshed, with corresponding communication to all the stakeholders involved. This is usually done by the management team, with a specific “Assessor” tasked with conducting a review or audit of the control and how it evolves over time. Changes need to be implemented to every type of control over time to address new risks and changing business environments.
Importance of auditing risk control
Audits are larger reviews of the internal risk controls that a company has implemented. Audits are separate from the normal risk assessment procedures, but do follow a similar road map for how they are conducted.
Regular audits of internal risk controls are essential to keep an organization running smoothly. Their two major benefits are making sure that the internal controls are being implemented as designed, while also getting a “bird’s eye view” of the overall controls in an organization. This bird’s eye view can help identify redundancies with the internal controls, and streamline the processes, making them cheaper, easier, and more effective.
Risk Identification and Assessment
This is the same as Step 1 through Step 3 in the normal Risk Assessment, but looks at the business operations as a whole, rather than individual business units. The purpose is to identify what risks are present, and what controls already exist to address those risks. If adequate controls are not present, the auditing team will make recommendations to the relevant stakeholders to fix it.
Enhanced Process Efficiency and Effectiveness
This is the process of trying to harmonize the internal risk controls already implemented across an organization. The main goal of these exercises is to try to make it easier for business units to maintain effective controls. This usually means merging SOPs from different business units, enhancing communication channels, and getting more input from managers about what types of controls are eating the most of their time. Effective internal control audits mean workers need to spend less effort on compliance, and more effort building value for the business, without sacrificing protection against risk.