For most organizations, success or failure is not exclusively determined by winning the thoroughbred trifecta of competitive advantage, sales volumes and profit margins. Of course, all of these are vital, and sustained dips in any of them eventually and invariably lead to a rather terrifying journey into the dustbin of history. However, there is another essential piece of the puzzle that plays a massive role in whether an organization’s best days are behind or ahead: risk management.
“For businesses of all sizes, risk in itself is not the enemy, and in many cases can reveal valuable and profitable opportunities,” commented Bill Scuorzo, President of BCG Advisors. “Rather, the danger is when risk is unanticipated, unidentified and uncontrolled. When that happens, businesses are forced to frantically react to events instead of strategically respond to them. In other words, instead of managing risk, they are managed by risk — and the impact can be anywhere from costly to catastrophic.”
Just as all products, services and customers don’t fall into the same category, there are multiple types of business risk that need to be part of a comprehensive, robust and regularly updated risk management plan. According to Bill Scuorzo, the main types include strategic risk, compliance risk, operational risk, financial risk, and reputational risk. Each type is briefly described below.
Strategic risk refers to the likely or inevitable threats that a business will face if its strategic plan does not unfold as anticipated. For example, a critical supply chain could be destabilized by tariffs or labor disruptions, the preferences and expectations of a key customer segment could change, aggressive competitors could enter the marketplace, disruptive technology could dramatically shift marketplace dynamics, and the list goes on.
Compliance risk refers to significant, large-scale management, administrative, investment or strategic changes that a business will be forced to make in light of new or changing laws and regulations. What makes managing compliance risk especially challenging is that there is often disagreement — and in some cases, heated debate — on how rules should be enforced, and how penalties for transgressions (including involuntary and accidental breaches) should be meted out. As a result, organizations in heavily regulated spaces such as nuclear power, petroleum and coal manufacturing, healthcare, financial services, and others allocate significant resources to managing compliance risk, typically under the direction of an experienced Chief Compliance Officer.
Operational risk refers to realistic hazards that can negatively impact (or in some cases outright halt) day-to-day operations. Operational risks can be triggered by either external or internal events. For example, an Internet Service Provider (ISP) may be victimized by a cyber-attack and forced to shut down, and therefore take a business’s website offline and prevent sending or receiving email. Or, an employee may order the wrong raw materials, which leads to a backlog of customer orders and multiple cancellations.
Obviously, all risks carry a significant price tag. As such, in a sense, all business risk is linked to potential financial loss. However, there is still a need to manage a separate, standalone category of financial risk, which refers to potential threats associated with a business’s financial structure, as it relates to transactions, cashflow, and working capital. For example, a small business discovers that one of its biggest customers that owes tens of thousands of dollars in overdue invoices has filed for bankruptcy.
Reputational risk has always been a piece of the overall business risk management puzzle. However, the explosive growth of the internet — combined with the fact that a growing number of customers, suppliers, vendors, advertisers, sponsors, strategic partners, and even employees are “checking out” a business on the web — has elevated reputational risk to a whole new level of importance and complexity. For example, a business needs to monitor, manage, mitigate and in some cases litigate reputation damage that is inflicted by rogue or negligent employees, angry customers, deceptive competitors, irresponsible (and sometimes blatantly biased) media outlets, third parties that behave in an inappropriate or illegal manner, and so on.
The Bottom Line
Risk management is not a static achievement, like reaching a milestone or launching a product. It is an ongoing commitment that is constantly changing based on everything from changing customer preferences to shifting regulatory frameworks.
Bill Scuorzo concludes: “A robust and effective risk management plan establishes the foundation, processes and protocols for responding to risks in an effective and controlled manner, which includes comprehensive documentation and analyzing past actions to improve future performance. In this sense, an effective risk management plan is just as important as an excellent business plan; and in some cases, even more important.”