Risk management is a very important part of any business because it allows for the matching and identification of risk and the associated losses (loss exposures). Practically, this means managers put in place Risk Management Controls.
Most business operations are concentrating on maintaining a customer base and building growth. The Risk Management Controls are different – these are designed to protect assets and prevent problems from hurting other operations.
Managing Risk with Business Objectives
Business is surrounded by risks – if they are not properly managed, the business will shut down.
The first step in the risk management process will be to know what losses the business will be exposed to. Loss can come from property, such as the building structures, or something the business owns, such as financial records. Loss can also come from liability from poorly-made products or employee complaints. Loss can also occur when the business loses key sources of income. Loss can come from many areas, but once they are identified they can be assessed for the amount and likelihood of damages.
Afterward, the risk management team will be able to develop tools, techniques, and methods for company employees to use to manage risk and loss. The first step in putting in place risk management controls is defining the objectives – different stages of risk require different approaches.
Objectives Before Loss Happens
Before a loss occurs, the best thing any business can do is to make sure they have the plans and structures in place of mitigating risks. This usually means developing some controls to help prevent losses from being incurred to begin with. For example, a company should have code of ethics, business operations manual, and an employee handbook that covers what is appropriate and inappropriate in the workplace. This will prevent some ethical conflicts from damaging the business. Also, the organization should have a legal department, internal auditors, compliance officers, and a risk management division to regulate what happens inside the business and to offer insight and understanding of the complexities of functioning in the business and to clear up any confusions behind it all.
Objectives During Loss
When a loss happens, this means that the risk management program and process need to be reevaluated and adjusted to prevent future losses of a similar kind. First things first: the actual loss must be reduced before it spreads or gets worse. At this point, the risk of loss cannot be avoided or prevented because it is happening right now. For example, to reduce the loss of computer records because of hacking, you can use backup data stored in offsite servers while appropriate personnel works on destroying the computer virus. A company must accept what has happened and not be paralyzed by fear or indecisiveness when a loss does occur.
It helps to have contingency plans and decisive leadership, which helps a business to remain flexible even while losses change the game.
Objectives After Loss
Once the loss has been incurred and fixed, the company must contain the after effects of the loss and prevent it from ever happening again. In the case of an ethical breech causing the loss, the press and media will seek to diminish a firm’s reputation through negative stories. Failing to prevent something from happening or letting something bad happen will only make a business look bad in the eyes of the public. A company should ensure their continued survival by taking responsibility for what happened, confronting the threat, identifying the problems while avoiding blaming others, explaining how the problem is being handled, showing how the problem has been solved, and practicing social responsibility so that people and the environment will not be harmed (or further harmed).
Risk Control Systems
After identifying and assessing risks of loss, risk management techniques are selected and implemented. Risk control is the third and fourth step of the risk management process, because a risk control mechanism is selected and then implemented. A business is able to control risk and loss in three ways:
This is the easiest and least costly risk control system because all a business has to do is stay away from the person, thing, entity, activity, event, or whatever else that will put them at risk and will inevitably cause some sort of loss. For example, an organization should avoid endorsing a celebrity who is constantly portrayed in the media as a party animal, a junkie, a criminal, etc. because it can ruin the company’s brand. In operations, the clearest example is safety measures – making sure accidents do not happen in the first place. Avoid cost cutting, put safety and people first.
Having already experienced the loss, the business must defend against the spread and growth of the loss. This seen in a global business where factories, warehouses, and other infrastructures are located in many different places in different parts of the world. If a factory in Lima, Peru explodes and all the inventory and supplies are destroyed, there is still a factory in nearby Rio De Janeiro, Brazil to fulfill customer orders. Another example, by compensating workers for work-related injuries with wages that could have been earned, plus extra to cover expenses of the injury, adequate time to recover, and anything else the employee may require, which also involves changing work conditions, the company will reduce further losses from fines and penalties carried out by government, health, and safety agencies by doing right by those who are harmed and getting things right with the law. This is a case where spending extra money up front reduces the probability of a bigger loss down the line.
Redistributing risk means offloading onto a third party. The most common way to do this is by purchasing insurance to insure against risk. Other common ways to redistribute risk is by forming partnerships and joint-ventures with other companies, which shares both the risks and rewards.
Legal risks tend to be the most expensive risks. This means preventing internal fraud at your company, or breaking rules and regulations. Legal liability arises when an organization has failed to do their duty to serve the best interests of employees, customers, and the public in general by intentionally or unintentionally causing harm or damage mentally (towards a person) or physically (towards a person or property). In any case, a business must answer to the public, to the law, and to government and regulatory agencies. Legal violations are classified into three categories: crimes, contracts, and torts.
When a business commits a crime, the consequence can range from hefty fines to imprisonment (if specific individuals are definitively linked to the crime). For example, this happens when many people get sick or die when using a company’s product or service and management knowingly signed-off on the inclusion of life-threatening materials. More commonly this is accounting fraud, where the management of a business knowingly manipulates their financial statements.
A company breaches a contract, which can be implied (when there is a strong reliance on a company’s word) or written (on paper) when they do not do what they promised to do. Breaking promises amount to monetary reparations that depend on what was promised, when the promised should have been completed, and the size of the promise. As part of risk management, most companies retain a lawyer to review any contract before it is signed to make sure they are able to meet all obligations.
With torts, a person reserves that right to go after the company for wrongs they believed to have suffered at the hands of the organization responsible for proving that negligence took place. This also includes wrongful termination lawsuits, if a person feels they were fired because of discrimination or other protected reasons. Companies often conduct frequent Human Resources training sessions with management to help avoid torts. Risk management and the risk management programs in place should focus more on preventing or challenging torts because they are more costly (more than $200 billion) and time-consuming (from a few weeks to several years) concerning financial liabilities.
At the center of torts is negligence, any person suing a business needs to prove that they were owed some duty by the company to perform something that would protect them, show that they were owed that duty and how that business failed in performing those duties, and that there were damages and harm caused by the negligence. Unfortunately, there are not many strong defenses against alleged negligence if those three factors hold up in court and even if the business wins the case they still have to compensate the victim (the plaintiff) with money even if they prove contributory negligence (the injured person played a part in causing their injury) and comparative negligence (the injured person acknowledges they caused some part of their injury).
Put Risk Management in Everything
Every business requires a solid risk management program that addresses property, liability, customers, employment, products, services, and everything else in an organization. It should provide adequate internal control mechanisms for accessing, altering, and inputting data in computer systems, including environmental and human safe ingredients into products, following all laws and regulations in all aspects, maintaining a safe working environment free of harm and hazards, being socially responsible in everything, and a litany of other things. Many companies have specific managers or divisions that oversee a general risk management strategy. At the same time, it is essential for every level of management to constantly work to identify and address risks with proper controls.