8/3/2019 How to Develop an Effective Business Risk Management Plan

1/4

How to develop an effective business riskmanagement planCA

I am"CA" Atreya(PMP, MBA), the author of this blog. I help businesses in Atlantic Canada achieve

theirBHAGsuccessfully. You may subscribe to this blog using afeed reader (RSS).

Lets get this straight. If a risk has already occurred in your business and you are looking

at solutions (i.e.; reacting to the risk), then it is an issue - a problem. It is no longer a risk. Lets go back to the

definition of risk. Risk is the possibility that something good or bad is likely to happen in the future. So when a risk has

occurred, there is no such thing as probability then the risk has turned into an event. The underlying premise of

developing any risk management plan is that the risk has not yet occurred.

Risk management is a continuous and iterative process in which you are constantly evaluating your good and bad

risks, its probability of occurring and plan what you would do if the risk occurs. If you have not thought about a

particular risk and it occurs, then you will immediately switch into a reactive mode and take decisions that you have

not thought through. Risk management is all about being proactive.

Developing an appropriate risk management strategy takes considerable effort and planning. One approach might be

a good idea to look at each functional area of your business and plan your risk management strategy at a strategic,

tactical operational and execution level. However, before you get all excited and jump into the exercise of identifying

risks, you need to define your business goals.

Risk - Business Strategy Fit

Your business strategy and goals should already be in place. Once you have identified your goals into measurable

units, it becomes easier to do the risk assessment exercise. Risk assessment and its management must always roll

back to your goals. Be careful on what you decide are going to be your corporate goals. I find the putting things down

into a matrix format helps me. If I cannot fit things into a box, then I have to give the strategy and goals more thought.

Row headings outline each functional area and column headings outline the time-lines.

http://www.atlanticcanadabusinessblog.com/index.php/author/admin/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/whats-bhag/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/whats-bhag/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/whats-bhag/http://www.atlanticcanadabusinessblog.com/index.php/feed/http://www.atlanticcanadabusinessblog.com/index.php/feed/http://www.atlanticcanadabusinessblog.com/index.php/feed/http://www.atlanticcanadabusinessblog.com/index.php/feed/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/whats-bhag/http://www.atlanticcanadabusinessblog.com/index.php/about-atlantic-canada-small-business-blog/http://www.atlanticcanadabusinessblog.com/index.php/author/admin/

8/3/2019 How to Develop an Effective Business Risk Management Plan

2/4

Tactical plan

Tactical plan is where you define how you are going to achieve your strategic objectives. For example if your

marketing and sales objective is to increase customer base to 300% in five years, then your tactical plan defines the

accomplishments that need to happen in years four, three, two and one. If you think of a ladder, the topmost step is

strategic objective while the rungs that lead to the top rung is your tactical plans.

Operational plan

Your operational plan is where you define the accomplishments you need to do in the first year to meet your tactical

objectives.

Execution plan

Your execution plan is weekly, monthly and quarterly plans to meet your operational goals.

Does everything fit

When you do your planning, make sure your financial, marketing and sales, HR and operations plan are all in sync,

i.e.; if you need to increase revenues by 300%, you need to hire more people, you need to increase production

capacity accordingly. Usually your corporate goals would either be financial or marketing &sales in nature and your

HR and operations goals will be a function of these two. You cant have a financial goal of increase revenues by

300% and cutting staff at all.

The risk management process

Undertaking a risk management exercise without having a clear idea of your objectives is an

exercise in futility.

Once you have your goals defined, you need to figure out what risks will impact your goals. By this I mean what

events could occur that will hamper you desire to meet stated objectives. Undertaking a risk management exercise

without having a clear idea of your objectives is an exercise in futility.

8/3/2019 How to Develop an Effective Business Risk Management Plan

3/4

In one of my earlier posts, I have mentioned a fewrisk managementtools to help you with this exercise. Developing a

risk management strategy is a 3-step process:

Identify your risks

Quantify your risks, and

Develop a risk response plan

Say you decide your business strategy is going to be to just one: and that is to increase revenue to 10 million in 5

years. Its usually hard to look out into the future for more than one year. The rapid descent into recession in the latter

half of 2008 bears testimony to that. How many people would have access to the necessary data to make that call? In

fact how many would even know how to read the economic data to arrive at the right conclusions? Not many. Even

the vast majority of those who had access to detailed economic indicates and data failed to see the speed of descent.

So I would focus my risk management efforts starting from Execution to Operational to Tactical to Strategic.

Remember: set goals by moving from strategic to execution and assess risks in the reverse order.

For each of the above risks, your risk management strategy needs to process the following steps.

1. Identify the risk that could impact your goal

Remember that the impact could be positive or negative. A great place to start would be a SWOT Strengths,

Weaknesses, Opportunities and Threats. Events that could increase your Weakness and Threats are good

candidates for negative risks and events that decrease them are good candidates for positive risks. Similarly, events

that could increase your Strengths and Opportunities are good candidates for positive risks and events that decrease

them are good candidates for negative risks.

Other tools you can use are PEST analysis (Political, Economical, Social and Technological factors). Use the goals

framework to identify and associate each risk into their respective buckets.

You cannot do this exercise alone. You need to brainstorm with your colleagues, mentors, employees and if you

have never done this before a risk management consultant. Within each functional area of your organization, you

can even look at each process and identify risks along each process.

For example; the objective of marketing and sales process is to make a sale product development, pricing,

promotions, lead generation, lead contact, moving the lead to sale, offering the product as a demo, gain prospects

trust and establish relationship, close the sale. Of course, not all of the above may apply to your business and I may

not have included all the tasks. But you understand what I am getting at. Once you have identified each step along

http://www.atlanticcanadabusinessblog.com/index.php/2007/06/17/strategy/small-business-risk-management-strategy/http://www.atlanticcanadabusinessblog.com/index.php/2007/06/17/strategy/small-business-risk-management-strategy/http://www.atlanticcanadabusinessblog.com/index.php/2007/06/17/strategy/small-business-risk-management-strategy/http://www.atlanticcanadabusinessblog.com/index.php/2007/06/17/strategy/small-business-risk-management-strategy/

8/3/2019 How to Develop an Effective Business Risk Management Plan

4/4

the process, then it become s bit easier to think, What could go wrong in this step? or If I am flooded with orders,

can my production team handle the volume?

The questions you ask are the risks. Document them. This document is your risk register.

2. Quantify the risks you have identifiedHere is where we leave the realm of science and precision and enter into the world or art. For each of the identified

risk, figure out its probability of occurring. You could define the occurrence of each risk as percentage or just as

High, Medium and Low. It all boils down to your judgment and experience; and more importantly, your perception

of the future.

Against each risk in the risk register, determine the impact if each risk were to occur. If you two of your key

employees quit, will it positively or negatively impact your goals? Write down details on how the risk will impact your

business.

Arrive at a risk rating by combining the impact and the probability of occurrence. I prefer numbers so that I can rankthem, but its your choice on what you use for a risk rating.

Example on how to arrive at a risk rating: Suppose you determine that the impact of a certain key employee leaving

your organization will cost you $40,000. You also determine that the probability of this risk occurring is 40%. The risk

rating in this case would be 16000. Go through this exercise with each of your risks. I am guessing by the end of this,

the risk with the highest rating will have the highest priority and the others will follow in decreasing order of ratings.

3. Plan a response to each identified risk

Now that you have rated each of your risk, you can then decide what to do if the risk were to occur. You can:

Mitigate the risk: This implies that you find ways to reduce the probability of the risk occurring or try to reduce its

impact. Usually, its the latter we can control.

Accept the risk: Sometimes we just have to accept the fact that there is nothing you can do i f the risk occurs.

Transfer the risk: Think insurance. You are transferring your risk of something bad happening to another party

for which you typically pay a premium.

Avoid the risk: This typically would mean changing your goals and objectives entirely. The most radical form of

risk avoidance would be to shut down your business.

Exploit the risk: If a positive risk were to occur how would you exploit this opportunity to further your goals and

objectives?

One final point. Do not let your initial plan gather dust. Frequently, considerable effort is expended to develop the

initial plan and is documented. No one ever looks at it for the next year. Do yourself a favor: review and update your

risks at least every quarter. Youll be surprised on how the risk priorities change in as little as three months.

Ignore risk management planning at your own peril!