In the commercial environment, businesses make decisions daily, irrespective of whether they are operating in a boom or a recession. Each decision has an associated level of risk: where to invest, what product to produce, what quantity, which vendor to use, what price to charge, what marketing activity to pursue. The list is endless. Although these decisions have potentially business-critical consequences, many organisations do not take a strategic approach to decision-making.
The concept of risk analysis and management has been around for many years, but is still not well executed within many industries. However, given the current state of the global economy, there has been a lot of talk recently about the need for ‘proper risk analysis.’
Today, organisations are focusing on methodologies that can help them assess risks more accurately. By exploring the full space of possible outcomes for a given situation, effective risk analysis can both identify pitfalls and uncover new opportunities. Instead of taking a siloed approach to managing risk, organisations should address risk holistically. All risks are interrelated, so an organisation’s risk modelling must follow this pattern. A key concept is the necessity to model correlations – or dependent relationships – between risks. For example, it is unrealistic to assume that what goes on in the legal risk department is not going to affect what happens in R&D risk.
Increased use of risk analysis in the form of quantitative risk management (QRM) and decision-making under uncertainty (DMUU) is helping organisations to be prepared for unforeseen risk. Simply put, QRM and DMUU mean thinking more quantitatively, with numbers and probabilities. It means recognising that uncertainty exists in nearly every decision, and accounting for it in a quantitative way. One good example of this is the use of Monte Carlo simulation, which is an analytical technique that evaluates and measures the risk associated with any given venture or project. A computerised mathematical process, it allows users to define uncertain variables in their models and see, as a result, a range of possible outcomes and the probability that each will occur.
Monte Carlo simulation is a highly flexible tool used extensively in risk management to gain insight into what could happen so that resources can be allocated more effectively, better strategies designed, mitigation plans developed, and better decisions made. The technology is simple to use and available on any desktop computer, even as an add-in to the common spreadsheet. Combined with greater public awareness, risk managers are currently in an ideal position to progress a cultural change towards making risk analysis an integral part of corporate operations.
There are many benefits of conducting risk analysis, with key advantages including:
- Identifying pitfalls and uncovering previously unidentified opportunities
- Understanding the risk factors that are the most important and have the biggest impact on the bottom line
- Targeting specific variables to avoid wasting resources on low-impact or extremely unlikely events
- Improving credibility, making the case more persuasively to upper management, corporate, investment banks or other stakeholders when funding is needed or advancing a project
- Getting buy-in from those on the team when implementing a project
The downfalls of not conducting risk analysis can be significant. Not to over-simplify, but it can be argued that the recent financial crises had roots in improper or nonexistent risk analysis. Risks were ignored for the sake of short-term profitability. Not employing risk analysis strategies means ignoring what could happen and allowing an organisation’s business model to be disrupted by the surprise of unexpected – yet inevitable – emergencies and disasters.
With the increased focus on organisational risk analysis, it is worth considering the following guidelines for implementing a strategy:
Embrace risk management
Risk management is not an optional extra. It is a business critical tool that is an asset and an integral part of the project. Company culture – not just an isolated department – must be developed to embrace QRM and DMUU in order that everyone understands their benefits and the need for them.
Business tools cost money, but managing risk is an investment, not an overhead. Allocating resources and making it a formal business process should be seen as an insurance policy that, by identifying potential risks, can protect the organisation against unexpected costs in the future.
As with any organisational change, it is essential that everyone is clear on the new processes. Create a common risk language – using numbers, not fuzzy ‘what-ifs’ – which everyone can understand to avoid confusion and ensure a consistent approach to risk and decision analysis.
Illustrate with numbers
Qualitative assessment is essential, but numbers are more powerful. For example, talking about the percentage chance of meeting a deadline or budget is much clearer than discussing how it ‘probably’ will or won’t happen. This is critical for avoiding miscommunication regarding assumptions. Monte Carlo simulation provides the actual probabilities of various scenarios occurring, and is a good way to illustrate the consequences of different courses of action.
Create the right organisational structure. Individuals and groups need clearly defined roles, and must take responsibility for their own area of expertise.
No enterprise operates in isolation, so other external variables must be included in the decision-making model and process. For example, even a small rise in fuel costs could have a major effect on revenues if raw materials need to be transported across long distances.
View the complete picture
Political, cultural and social risk factors can be explored by involving all stakeholders. Investing time and money in consultation and research ensures that businesses have a clear idea of the complete environment in which they operate, and therefore minimise the chances of products and services failing.
Report, review and learn new tricks
Risks, and their management, must be reviewed regularly – and the programme amended if necessary. Instigate a reporting process in which risks are clearly identified and prioritized. Businesses should be careful to avoid ‘the way we’ve always done it’ approach, instead keeping up-to-date, learning new tricks and being prepared to be bold.
Back up the commitment to a thorough QRM and DMUU programme with documentation on why it works. This validates the budget and buy-in requested at the start. And it’s good for business – organisations this thorough are guaranteed a competitive edge.
It must also be remembered that paying close attention to the way risk models are constructed is the key to ensuring an accurate outcome, along with re-examining the assumptions underlying the models. Ask questions such as ‘Which probability distribution do I use?’, ‘How do I properly model my situation?’ and ‘What is the worthwhile analysis to do?’ before embarking on a risk analysis project. Ensuring that the model is accurate is the most important step – after that the simulation is easy.
Image courtesy of Damian Gadal @Flickr, re-used with permission