The Complete Idiot’s Guides

Browse Quick Guides by Subject

• Art & Photography
• Automotive
• Business & Personal Finance
• Computer & Technology
• Education
• Family & Relationships
• Food & Entertainment
• Foreign Language
• Games
• Health, Fitness & Diet
• History
• Hobbies & Crafts
• Home & Garden
• Literature & Philosophy
• Math
• Music & Performing Arts
• New Age
• Pets
• Political Science & Law
• Reference
• Religion & Spirituality
• Science & Nature
• Self-Help
• Sports & Recreation
• Travel

Risk management can minimize the chances and effects of bad outcomes and can accelerate an organization’s recovery from disasters. But it doesn’t mean avoiding all risks. In this guide we’ll look at the ins and outs of risk management—what it is and how it works.

What Is Risk and Risk Management?

Risk management calls for understanding business risks in general, as well as the specific types of risk an organization faces based on its industry, goals, strategies, and activities. Before looking at specific types of risk, here are a few general points about risk in business.

• Risk in general. Risk is the possibility that the organization or one of its business units or activities will fail to achieve its objectives, or will create or encounter an unintended negative outcome.
• Risk cannot be eliminated, so it must be managed. Many organizations try to avoid risk by sticking with what they do best and repeating the strategies that made them successful in the past. These companies are invariably outflanked by those willing to take risks.
• Risk can be managed. The risk of investing in financial instruments can usually be quantified, particularly if the issuing company has a track record. The amount of property at risk, say, in case of a fire, is usually limited to its historical or replacement value. Other risks can be harder to quantify, but they can be analyzed, measured, and managed.
• People in business take on risk in anticipation of rewards. Usually, those rewards are monetary, but they come as a result of, for example, launching successful new products, increasing market share, and acquiring other businesses. Those activities have potential rewards associated with them, as well as risks.
• Risk is broken into categories. Although the major risk is the risk of failure, that is too general to be managed. Therefore, executives and risk managers break risk down into discrete types, which enables them to manage risk more effectively.

How Risk Is Managed

The practice of risk management includes the following key activities:

• Identifying the risks the organization faces
• Assessing the size and likelihood of those risks
• Having the right risk-management tools and the skills needed to apply them
• Developing a culture in which everyone feels responsible for risk management

Top 10 Types of Risk

The number of risks that an organization faces can appear overwhelming. However, classifying risks makes them less overwhelming. Doing so also helps people develop, choose, and use the right risk-management tools.

Organizations face these key types of risk:

• Financial risk: Money invested in a project could be lost, or returns could be less than expected or less than another investment would offer.
• Currency (or foreign exchange) risk: An investment or stream of payments may lose value due to currency fluctuations.
• Credit risk: A company or lender might not be paid for goods sold on credit or for money loaned to a customer.
• Security risk: The company faces threat of fraud, theft, embezzlement, or misdirection of funds, goods, or other company assets.
• Property risk: Company property could be destroyed due to fire, flood, earthquake, storms, war, terrorism, or similar causes.
• Regulatory risk: A domestic or foreign government agency could find the company to be in noncompliance with requirements or regulations.
• Legal risk: Customers, suppliers, employees, competitors, investors, or other parties could launch lawsuits, or the company could break the law.
• Information technology (IT) risk: The company’s IT systems could be breached or misused.
• Country (or political) risk: A foreign government could appropriate or nationalize a business or its assets, or otherwise create losses.
• Reputational risk: Statements or actions of employees or the company’s agents or spokespeople could harm an organization’s brands or reputation.

Identifying Risks

You identify risks by considering the organization’s strategies and activities and asking these questions: What can go wrong? What types of failures or events could negatively affect this strategy, initiative, activity, or product?

Potential answers may include these:

• Human errors or failures, such as inattention or confusion
• Hostile human action, such as theft, embezzlement, or other crimes
• Process or product failure, or failure of materials or systems
• Market and cultural forces, such as bad publicity or changing styles
• Government or regulatory actions, such as changes to laws or to tax, trade, or economic policy
• Natural or manmade disasters, such as earthquakes, storms, fires, terrorism, and war

To identify risks, you look for the possibility of these events within each strategy, initiative, process, and activity. The more familiar you are with the types of risk in the previous section, the more precisely you can identify risk. For example, if your company plans to introduce a new product, you can see how a specific failure, such as a botched advertising campaign, could generate various risks. A botched advertisement might, for instance, lead to financial risk, because of money invested in the product; regulatory risk, because of laws regarding product claims; legal risk, because of product-liability suits; and reputational risk, because the company’s brands may be harmed.

Measuring the Size of Risk

Measuring the size of a risk means assessing the potential effect on your company. This can include direct monetary losses due to property destroyed (which is what insurance companies pay for) and from the effects on your customers, suppliers, employees, and other stakeholders (which might not be insurable).

You have to ask questions such as these:

• What if our largest customer shut down its operations? What would be our lost revenue and profits?
• In a terrorist attack or hurricane scenario in which one or two of our locations were partly destroyed, what would be the time for repair and the potential costs of repairs and lost business?
• If interest rates were to rise by 50 percent in a two-year period, how would our borrowing costs be affected?
• If a new technology were to supercede our technology in three years, what losses might we incur?

In measuring the size of a risk, you often develop a range rather than a single number. This range might be a percentage, say, of revenue or profits, rather than a monetary amount. However, percentages can usually be converted to amounts. If you are a $10 million company and the loss of a major customer would be 20 percent of your revenue, you know that is $2 million.

Once you have gauged the magnitude of a potential risk, you then turn to the likelihood of the risk occurring.

Measuring Likelihood

Measuring the likelihood of a risk can be straightforward or difficult. It is fairly straightforward for routine risks for which the company has experience and data. One good example is credit risk. Banks and companies have a good idea of the delinquency and default rates that their credit policies will generate. A bank knows that when it lends money to someone with a certain credit score, income, and employment history, in a certain percentage of cases, the money will not be repaid. A company selling on credit can obtain a credit rating from an agency, such as Dun & Bradstreet, and have a good idea of the probability of being repaid.

The likelihood of other risks, such as the risk of an economic downturn, are far more difficult to measure. Most difficult to measure is the likelihood of the extraordinarily bad but relatively rare situation such as natural disasters, financial crises, industrial accidents, and terrorist attacks.

In cases for which there is little data and thus little chance of predicting likelihood, many managers dismiss the risk as highly unlikely. However, “highly unlikely” does not mean impossible. Responsible managers prepare for highly unlikely risks when those risks could result in huge losses for the company.

This means that you must do some scenario planning and develop contingency plans as part of your risk management.

Managing risk is never a simple thing, but it is an important aspect if you want your business to be successful. For more information on risk management, be sure to check out our quick guide, Finance 101: The Tools for Managing Risk. Good luck!

From The Complete Idiot’s Guide to MBA Basics, Third Edition, by Tom Gorman