Why Risk Management is Important for Your Business

by Krish Kapani

Why is risk management so important for your business? According to a study done by FEMA (Federal Emergency Management Agency), 40% of businesses fail to reopen after a disaster. Risks are categorized differently by every firm, but some consistent categories are technology, financial, legal, strategic, and security risks. A risk management program is designed to help an organization properly evaluate its risks and their potential impacts.

Risk assessment, or risk analysis, is the foundation of any organizational risk management program. According to the National Institute of Standards and Technology (NIST), risk assessment is the process of identifying risks to organizational operations, organizational assets, individuals, and other stakeholders[i]. When performing a risk assessment, the potential severity of an impact and the likelihood of its occurring are the key factors in prioritizing remediation and avoiding catastrophic business disruption in the future.

Risk management is often overlooked within many organizations; however, as more firms increase their reliance on technology and information systems and geopolitical instability continues to rise, risk management is quickly becoming a strategic imperative.

Topic 1: Why Political and Geopolitical Change Necessitates a Consistent Approach to Risk Management

Political and geopolitical change is constant throughout history, and that remains true today. However, the impact of this ongoing change on organizational risk is perhaps greater than ever. Why is that?

In the modern age, political narratives can be transmitted at a moment’s notice thanks to the internet. That means the fallout from political/geopolitical change and natural disasters can be more severe because of the pace at which information spreads and the interconnectedness of the global economy. Soon enough, that fallout begins to affect businesses. Two recent examples are COVID-19 and the Russia-Ukraine War.

The arrival of the pandemic in 2020 and the subsequent lockdowns resulted in a global economic fallout. Most companies had to navigate business closures, a spike in unemployment, growing debt, and shrinking revenue—all at once. Although nobody could have predicted a global pandemic, having a risk management process in place could have helped many firms minimize damage to their business in multiple ways. Perhaps most critically, such a process would have stipulated a financial risk evaluation; the risk assessment for financial risk would have pointed out all the possible impacts from scenarios like the closure of customer or partner firms or sudden revenue depletion. Examples of such impacts include the timeline until bankruptcy or changes to payments on loans or accounts payable.

Similarly, the Russia-Ukraine War led to multiple sanctions that disrupted direct and indirect supply chains involving Russia and Ukraine. This disruption caused a spike in the prices of raw materials and energy and affected the entire electric vehicle (EV) industry by limiting access to lithium and iron. An operational risk assessment, which is inherent in a robust risk management program, would have surfaced this supply chain risk in advance and prescribed appropriate action in the case of a supply shortage. The war also led multiple companies to pull operations out of Russia to avoid political scrutiny and to show that they do not support Russia. For example, Equinor, a Norwegian oil and gas company that had operated in Russia for over 30 years and reported $1.2 billion in long-term investments there at the end of 2021, announced that it was pulling out of Russia, a major setback for the firm.

Although events like COVID-19 and the Russia-Ukraine War seem like anomalies, there are multiple ongoing or recurring events, such as climate change and natural disasters, that can similarly impact businesses. Climate change affects virtually every economic sector—with agriculture being the most impacted—and natural disasters such as forest fires, floods, and tornadoes threaten all businesses to varying degrees. All of these events can potentially damage or destroy buildings, utilities, data, and other critical infrastructure and assets. A risk management program enables a firm not only to evaluate the likelihood and impact of such destruction, but also to prepare for it adequately. For example, if a company is data heavy and has local servers in an area susceptible to natural disasters, a risk management program would reveal the need to migrate data to the cloud, take backups of the servers in multiple regions across the country, and periodically confirm that those backups can actually be restored. A company that takes such action is far less exposed to losing its data when infrastructure damage takes out a data center.

Political and geopolitical changes, global crises, and natural disasters often result in sudden economic change. These changes can directly or indirectly impact businesses in unexpected ways. Risk management enables firms to better prepare for and face those unforeseen situations.

Topic 2: FI Practices for Risk Management

All institutions, companies, and agencies need to emphasize risk management and aim to continuously improve their practices. Depending on the industry and type of client, each firm’s risk management process will look different, but all should ultimately share the same goal of identifying, assessing, and controlling any risks that could affect capital and earnings. A risk assessment should be conducted firm-wide as well as at the project level. The firm-wide risk assessment should be conducted annually, on a consistent timeline, so that the firm is aware of potential risks and able to prepare for them adequately; yearly goals can then be aligned in a way that mitigates potential negative impacts. Project-level risk assessments should either follow the firm-wide timeline and be conducted on a yearly schedule, or follow client-specific protocol, in which case they may be conducted annually, semi-annually, or even quarterly. However, external circumstances (such as those described above) or changes in internal operations may warrant an immediate or more frequent risk assessment.

FI Consulting evaluates risk by following some of the guidelines established by SOC 2 (Service Organization Control 2) and NIST, while adding criteria specific to the business we conduct. We have categorized risks into five major segments: operational risk, project risk, client relation risk, legal risk, and financial risk. The chart below provides a glimpse of how we think about each segment.

Once we have identified risks at a categorical level, the next step is to conduct an impact assessment. This includes examining a particular risk in terms of frequency and potential effect.

We classify risks with respect to effect and frequency in accordance with pre-determined metrics. The chart above illustrates a similar approach, where effects could be assessed using the following criteria:

Frequency could be indicated as follows:

Combining the two factors, we could infer impact using a heuristically based but consistent classification scheme for risks. The scheme to assess corporate impact we use at FI Consulting is generally as follows:

Using this methodology, FI Consulting will document existing risks, assess potential impacts for a given time period, and help clients align objectives and initiatives accordingly. In our experience, most firms have at least some flavor of risk management (and any consistent practice can provide a solid foundation to build upon). The key to developing a truly resilient business is to understand that risk management is a process that can never be perfected, for the sole reason that risks are unavoidable and can be unpredictable. However, by continually re-evaluating your risk management approach and aiming for iterative improvement, you can equip your organization to thrive in the face of virtually any adverse circumstances.
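To make the impact assessment described above concrete, here is an added illustration in Python (not FI Consulting's tooling, and not the charts from this article). It assumes five-level frequency and effect scales and score thresholds of its own invention, where FI's actual pre-determined metrics would be substituted; the sample register is constructed. It scores each risk as frequency times effect, maps the product onto an impact class, orders the register for remediation with potential severity breaking ties, and rejects entries that use a label outside the agreed scales, so that every assessment is classified consistently.

```python
from dataclasses import dataclass

# Assumed five-level ordinal scales (1 = lowest). The article's charts hold
# FI Consulting's own criteria; these labels are stand-ins for them.
FREQUENCY_LEVELS = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
EFFECT_LEVELS = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed class thresholds on the frequency x effect product (range 1..25),
# checked from the highest floor down.
IMPACT_THRESHOLDS = (("critical", 15), ("high", 8), ("medium", 4), ("low", 1))
CLASS_RANK = {label: i for i, (label, _) in enumerate(IMPACT_THRESHOLDS)}  # 0 = worst


@dataclass(frozen=True)
class Risk:
    name: str
    category: str   # operational, project, client relation, legal, financial
    frequency: str  # a key of FREQUENCY_LEVELS
    effect: str     # a key of EFFECT_LEVELS


def validate(risk):
    """Return the ways a risk entry departs from the pre-determined scales.
    An empty list means the entry can be scored consistently with the rest."""
    problems = []
    if risk.frequency not in FREQUENCY_LEVELS:
        problems.append(f"unknown frequency level {risk.frequency!r}")
    if risk.effect not in EFFECT_LEVELS:
        problems.append(f"unknown effect level {risk.effect!r}")
    return problems


def impact_score(risk):
    """Combine frequency and effect into one numeric score (1..25)."""
    problems = validate(risk)
    if problems:
        raise ValueError(f"{risk.name}: " + "; ".join(problems))
    return FREQUENCY_LEVELS[risk.frequency] * EFFECT_LEVELS[risk.effect]


def impact_class(score):
    """Map a score onto the heuristic impact class."""
    for label, floor in IMPACT_THRESHOLDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest threshold")


def assess(risks):
    """Score the whole register and order it for remediation: highest impact
    first; at equal scores the more severe effect wins, so a rare-but-severe
    event outranks a frequent-but-minor one; names break remaining ties."""
    rows = []
    for risk in risks:
        score = impact_score(risk)
        rows.append({
            "name": risk.name,
            "category": risk.category,
            "score": score,
            "impact": impact_class(score),
            "effect_level": EFFECT_LEVELS[risk.effect],
        })
    rows.sort(key=lambda row: (-row["score"], -row["effect_level"], row["name"]))
    return rows


def worst_by_category(rows):
    """Highest impact class recorded in each risk segment, for the firm-wide view."""
    worst = {}
    for row in rows:
        current = worst.get(row["category"])
        if current is None or CLASS_RANK[row["impact"]] < CLASS_RANK[current]:
            worst[row["category"]] = row["impact"]
    return worst


# Constructed sample register; names, levels and categories are illustrative.
SAMPLE_RISKS = [
    Risk("Tier-2 supplier sits in a sanctioned region", "operational", "possible", "major"),
    Risk("Largest client defers payment past 90 days", "financial", "likely", "moderate"),
    Risk("On-premises servers in a flood-prone area", "operational", "unlikely", "severe"),
    Risk("Project scope creep without change orders", "project", "frequent", "minor"),
    Risk("Ambiguous liability clause in a master agreement", "legal", "possible", "minor"),
    Risk("Account lead departs mid-engagement", "client relation", "rare", "moderate"),
]


if __name__ == "__main__":
    ranked = assess(SAMPLE_RISKS)
    for row in ranked:
        print(f"{row['impact']:<9} {row['score']:>2}  {row['category']:<15} {row['name']}")
    print(worst_by_category(ranked))
```

The tie-break is the design choice worth noting: the two "high" risks at score 10 are a flood-prone data center (unlikely but severe) and routine scope creep (frequent but minor), and the ordering places the severe one first because a single occurrence of it is what actually threatens continuity. The thresholds and scales are the part a firm would replace with its own chart; the consistency check in `validate` is what keeps project-level and firm-wide assessments comparable.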

[i] https://csrc.nist.gov/glossary/term/risk_assessment