frameworks have to be customized for each business
Small businesses have to develop
When I beat up all the business leaders in my articles, I heard from a whole bunch of them. Some common themes: "I am suggesting a risky approach. We are too small. We can't take risks. We lack resources."
Yes, I agree that size matters in business too. Large corporations with a vast resource pool to leverage can afford to have bigger risk appetites. This does not mean, however, that small businesses cannot take risks. First of all, you need to understand that, whether you admit it or not, there is risk all around you and every day you take risks. However, you can either be reactive and deal with risks as they come (and expose yourself to risk) or proactively manage risks. Remember that "Risk arises as much from missed opportunities as it does from possible threats" (Angela Darlington, Simon Grout & John Whitworth in their paper "How safe is safe enough?"). What this means is that when you have a well-structured risk management framework to monitor, evaluate, and mitigate risk, you can maximize positive impact from opportunities and minimize negative impact from threats.
I have developed a relatively simple framework for risk management for small enterprises. The idea is that risk management starts at the very top. Involving everyone in the enterprise with risk management is a good idea (yes, the guy that shuts the valves of tanks with nasty chemicals, when one of them is about to explode) but accountability has to be at the top. However, tasks should be distributed at different levels in the organization.
Risk diagnostic: Almost every employee of the firm (and to the extent possible, customers/suppliers/advisors/others) should be engaged in identification of risks and how these fit into the overall context of your business.
Risk analysis: This should be conducted by a smart group of individuals working directly with senior business leaders. The goal is to determine high-impact risks, assess their likely impact, and then prioritize them by probability and degree of impact so that the management/board can make the right decisions. (Related link: The value of
Risk management strategy development: Again, this has to be a top-management-driven exercise. Risk management strategy has to be intimately tied to the overall corporate strategy and should include all such components as financial, organizational, cultural, etc.
I am also a big supporter of feedback loops. The risk environment facing almost any enterprise is very dynamic, and feedback loops allow the management team to consistently refine their strategy.
Where to get help?
There isn't much out there. Most risk management experts do not deal with small enterprises and there is hardly any published literature on the subject. Three books that I have found to be useful in developing an understanding of risk mitigation are very interesting to read, but you will still need to learn to apply it to your business since the examples and research are directed at large corporations.
"Risk From the CEO and Board Perspective: What All Managers Need to Know About Growth in a Turbulent World" By McCarthy and Flynn
A good book for CEOs/board members and high-level executives emphasizing the importance of understanding the risks within a company and how to deal with them. Not a lot of frameworks or other complex suggestions. More of a fast-read book while the CEO is on the corporate jet and wants to really know 'what the heck is risk'. I think it is a good read if you want to get some more insights into risk management from a CEO's perspective, but it does not answer complex implementation-type questions that CFOs and other VP-level folks need to deal with.
"Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management" By Barton, Shenkir, and Walker
This book takes a case study approach and has picked five large companies. I think this is a good read if you learn better from 'stories'. The stuff in this book is more real and you can borrow some ideas as you develop and refine your own framework.
"Enterprise Risk Management: From Incentives to Controls" By Lam
Lots of concepts discussed here (e.g. enterprise risk management, portfolio management approach, risk analytics, and then all the risk categories that businesses typically face). Examples are given but mostly of banks and financial institutions (the author worked for Fidelity). I think this will be a good resource when you are ready to develop your ERM framework.