The Spectrum Of Business Risk Management – Nicky Jardine
Risk in general terms exists on a scale of the chance or likelihood that things can and will go wrong.
Only when we appreciate the range of possibilities can we take varying measures to inoculate our business from the impact of these events.
A risk management process allows those within the business to identify, assess and treat risks that could potentially affect current and future operations.
For example, an audit of an IT or financial area within the business may capture poor security measures or financial leaks.
Risk management could be perceived as a spectrum, from the most obvious and easily resolved areas, with minor repercussions, through to those risks that are rare, unpredictable and with an extreme impact.
An Only White Swans Exist Attitude
The origins of a modern metaphor relating to risk and swans began back in the second century of Europe when the black swan was thought not to exist.
So confident were some people of this ‘fact’ that a Latin saying was developed as early as the second century to reflect that sentiment.
This common phrase used the logic that because only white swans had ever been seen, a black swan was an impossibility.
That was until the sixteenth century when this ‘fact’ was debunked by Dutch explorers who had travelled to Western Australia and observed black swans.
From that time forward the same term was then used to remind us that an idea that is currently perceived as impossible may later be disproven.
Black Swans Events At The Tip Of Risk Management
In recent years the term ‘Black Swan’ was coined by a book of the same name by Nassim Taleb as a metaphor for low probability but high impact events and is now a term often used in science or economics.
When looking at risk management, surely these extremely rare, catastrophic and unpredictable black swan events are beyond the risk management spectrum.
The recent pandemic lies at the far end of this risk spectrum and is sometimes erroneously referred to as a black swan event.
The pandemic was not a black swan event as there are plenty of examples documented in previous centuries. As such, there is some predictability regarding the possibility of pandemics in the future.
Even so, the imagining of events such as a pandemic can at least inspire other possibilities towards the black swan end of the risk spectrum, and from there, a point from which to work back toward those more common risks.
Although pandemics and other rarer eventualities are outside our expectations, the elements we use to manage those risks may derive from the systems we have refined for everyday operations.
So these systems already in place that benefit the daily running of a medical practice may only require minor adjustments to current technology and protocols to then utilise them for those rarer, high-risk events.
For example, remote rural Australian medical practices had been using Telemedicine well before the now common adaptation of TeleHealth by most medical clinics in a post-pandemic world.
Nicky Jardine had implemented such technology over the last decade through her general practice consulting services and kept up to date will all elements of remote practice management over those years.
As such, she was able to quickly and seamlessly transfer urban medical practices at the start of the pandemic across to Telemedicine as she had already developed and streamlined a secure and tested Virtual Practice Management process.
Those Risks Right Under Our Feet And Everything In-between
If a black swan is something we can neither predict, nor plan for, then every day, smaller-scaled and more easily identifiable risks lie at the other end of this risk management spectrum.
The risks at this other end of the spectrum lie at our feet in that they are common, in plain sight and individually are of seemingly little consequence. Often these simple missed tasks are due to a minor procedural error and as they are daily tasks will accrue over time.
An audit can catch these daily errors and provide an opportunity to alter staff behaviour and procedures. Through training and monitoring of the process in question, the cumulative effect of these daily tasks is halted. In turn, business efficiency is optimised and corrects the accumulation of unnecessary costs or missed income.
Keep in mind though, that even if your practice is currently running smoothly and at maximum profitability that risk is inevitable.
Managing any business has its risks and whether we act or not they will still be there on any given day. A risk management plan can allow us to seize the opportunity in facing those risks and the potential consequences.
But where to start when having never dealt with risk management?
Creating a basic risk management plan
The idea of creating a risk management plan may seem overwhelming, yet a basic risk management plan addresses three key steps: identifying the risk, assessing the risk and managing the risk.
Identifying the Risk
The first step in creating a Risk Management Plan is to identify the potential risks that are relevant to the type of business that you operate. Start by asking yourself “What are all of the possible things that can go wrong in my business?” This can be a daunting question in itself, especially if you have just started your business venture or are working in a new industry. To help ensure you cover all aspects of your business and to provide some structure to answering this first question, there are several ways to help categorise risk. It is useful to think of different types of risk falling into two broad categories: external and internal risk. External risks are possible threats to the business which are not within your control to prevent. Natural disasters such as storm damage or flooding would fall into the category of external risk. Pandemics and IT security attacks are further examples. Internal risks occur from within the business and can range from HR or compliance issues, WH&S or cash flow problems.
External and internal risks can be grouped into four categories to cover different aspects of your business: strategic risk, operational risk, financial risk and reputational risk.
Strategic risks are threats to the ability of your business to both generate revenue and maintain payment of expenses. An obvious example of strategic risk is when a new competitor moves into either your geographic location or online presence and as a result, threatens your customer base. If you sell a product, a strategic risk will recognise the possibility of increasing the prices of your raw materials. To identify strategic risk within your business, ask yourself the following questions ‘What can take revenue away from the business?” “What can increase my expenses to a degree that it will affect my profitability?” Strategic risks identify risks that are threats to your business model and which ultimately affects your bottom line.
Operational risk refers to potential problems which can affect the daily operations of your business. It covers all aspects of how business functions and captures both external and internal risks. An example of an external operational risk is a power outage that might occur as a result of a storm. It is not a risk within your control to prevent, but when it occurs it impacts the ability of your business to operate and can result in a loss of revenue. Operational risks can be caused by place, processes or people.
Financial Risk identifies scenarios that may result in significant financial loss to the business. It looks at how money enters and leaves a business and covers situations such as cash flow problems, serviceability of debt and revenue being generated from a small number of clients.
Reputational Risk acknowledges the importance of reputation and goodwill in any business. With the advent of social media and the internet, it has never been easier for a customer or client to provide feedback on the service or product they have received. Threats to the reputation of a business can include potential lawsuits from staff or clients and negative online reviews about your staff or product. A business with a damaged reputation has difficulty in attracting new customers and keeping its current client base. It also has difficulty in recruiting and maintaining staff. It can lead to a loss of revenue and affect the potential value of your business if you choose to sell down the track.
With the above knowledge in hand, it is now time to identify the potential risks to your business. An example is provided below and whilst is by no means exhaustive of all possible threats to your specific industry, use it as a guideline or framework.
| CATEGORY | SUB CATEGORY | RISK IDENTIFIED |
|---|---|---|
| STRATEGIC RISK | Revenue Loss | New competitor sets up down the road |
| New competitor online | ||
| Key salesperson leaves | ||
| Loss of a business partner | ||
| Changes to third party funding agreements | ||
| Poor performance of individual salesperson | ||
| Absence of property lease agreement | ||
| Increased Expenses | Increased cost of raw materials | |
| Increased wage costs to attract staff |
| CATEGORY | SUB CATEGORY | RISK IDENTIFIED |
|---|---|---|
| OPERATIONAL RISK | Place | Loss of power |
| Building or property damage | ||
| Injury to clients or staff | ||
| Lack of sufficient security | ||
| People | Unable to attract staff | |
| Unable to keep staff | ||
| Theft of intellectual property | ||
| Processes | Unsafe work procedures | |
| Lack of documented processes | ||
| No Induction Procedure | ||
| Privacy breach | ||
| Legal & Compliance | Changes to employment law | |
| Changes to accreditation procedures | ||
| Inadequate or absent contracts | ||
| No approval for current signage | ||
| Technological | Server Outage | |
| Cyber attack or data breach | ||
| Website hosting disruption | ||
| Hardware failure |
| CATEGORY | SUB CATEGORY | RISK IDENTIFIED |
|---|---|---|
| FINANCIAL RISK | Theft of goods or cash | |
| Increasing debt | ||
| Poor cash flow | ||
| Reliance on one revenue source | ||
| Increasing interest rates |
| CATEGORY | SUB CATEGORY | RISK IDENTIFIED |
|---|---|---|
| REPUTATIONAL RISK | Negative reviews online | |
| Complaints made to the business | ||
| Lawsuit from client or staff |
Assess the Risk
Once you have listed as many risks as possible which are relevant to your particular business, it is time to have a closer look at your table and rank your risks in order of importance. When assessing each risk the first question you need to ask yourself is “how likely is it to happen?” Rate each risk as having either a ‘high’, ‘medium’ or ‘low’ likelihood of occurring. As you are evaluating each risk, try to also identify the potential contributing factors that make that risk possible.
The second question you need to assess each risk against is the potential impact on your business if that risk becomes a reality. Will the consequences be minimal and easily addressed or will they impact the livelihood of your business and cause major disruptions? Some risks will have a larger impact on your business than others and will require your attention sooner.
The impact can be measured in many ways but from a business perspective, the often critical measure is how much will it cost you? The cost comes from two directions: how much revenue you will lose as a result of the risk eventuating and also the cost of fixing the problem or event. To help prioritise your risks, assign a rank of impact – from high impact to medium impact to low impact.
Below is an example of assessing potential risks using a category from the table listed above.
| RISK CATEGORY | IDENTIFIED RISK | LIKELIHOOD | IMPACT |
|---|---|---|---|
| Reputational Risk | Negative reviews online | High | Low |
| Complaints made to the business | Medium | Medium | |
| Lawsuit from client or staff | Medium | High |
Depending on the industry you work in, you may assess the risks outlined above very differently.
In this situation the rationale for the above risks is outlined below:
- Negative reviews online. Nowadays with everyone having access to technology and with the relative ease of logging a review, there is a very high likelihood of a client or staff member leaving a negative review at some stage in the life of an ordinary business. However, the impact on the business is likely to be low if the review is managed well, if they do not occur frequently or if they are balanced with a greater number of positive reviews. However, if you are experiencing a large number of negative reviews, perhaps due to poor customer service, then you would rank the impact of this risk as High and address it sooner.
- Complaints are made to the business. Usually, these complaints are made over the phone or directly to your front desk/customer serving staff. They may occur less frequently than an online review but generally, the customer or staff member is very upset and the impact is likely to be greater as it will affect word of mouth referrals to the business. If not managed well, then it may also be followed up with a negative online review. The impact ranking for this risk has been determined as medium.
- A lawsuit from client or staff. The likelihood of this risk occurring varies across the different industries but perhaps occurs more often than is to be expected. It only needs to occur once to have a potentially significant impact on any business; hence the impact rating of high.
If we continue with the example above, we would then rank the importance of the identified Reputational Risks as follows:
- 1st – Lawsuit from client or staff
- 2nd – Complaints made to the business
- 3rd – Negative reviews online
Manage the Risk
The final step in your risk management plan is to now look at each of your risks and determine how to manage each risk. There are a variety of options in dealing with each category of risk. We can aim to transfer the risk, reduce the risk or accept the risk.
Insurance is the simplest way to transfer some risks from your business to a third party in exchange for taking out a policy. Insurance can certainly mitigate the impact once a risk has occurred and potentially prevents catastrophic business loss of property or income. Simple insurances that businesses should have in place include workers compensation, public liability insurance, building and contents insurance and professional indemnity insurance. It is beyond the scope of this article to delve into these specific insurances but we recommend you seek professional advice.
Sometimes it may be difficult to avoid risk from occurring in the first place, but there might be ways to reduce the likelihood of the risk from occurring and to minimise the impact on your business if it does.
As an example, let’s take the potential risk of a staff member sustaining an injury at work. Adequate workers’ compensation insurance will help cover the medical & wage costs of the injured worker and reduce the impact of the incident on the business. But have you done enough to prevent the injury from occurring in the first place? Do you have adequate induction processes for any new staff which cover the safe operation of any equipment or which teaches them the proper way to lift heavy items? Do you have a process in place to document and act on any identified hazards or incidents in the workplace? Do you have procedures in place to inspect equipment every 6 – 12 months? If you are employing staff for physically demanding jobs, do you have pre-employment medicals in place to ensure you hire staff capable of fulfilling the job requirements safely?
Sometimes risk cannot be eliminated, but there can be many ways to reduce the impact by creating processes to deal with risk when it occurs.
If we return to the example above of reputational risk to a business, we could look at how to manage the review process.
| RISK CATEGORY | IDENTIFIED RISK | LIKELIHOOD | IMPACT |
|---|---|---|---|
| Reputational Risk | Negative reviews online | High | Low |
| Complaints made to the business | Medium | Medium |
Do you have regular monitoring of social media platforms? Who is responsible for responding to both positive and negative feedback online? Is there a process in place that identifies when the review needs to be escalated to your attention? How do handle complaints made in person or over the phone? Do you document complaints? Do you regularly ask your staff for feedback and if you do, how do you respond to any complaints? Questions such as these may help guide solutions.
As a general rule, it’s wise to ensure current business policy and procedures are up to date and reviewed, along with your risk management plan, on an annual basis.
Finally, for those risks that have a low likelihood of occurring with minimum impact on the business, sometimes the best solution is to simply accept the risk.
Although we can monitor a business and look out for such signs, some risks would not be worth the time, energy or money involved to eliminate them.
“Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing.”
Denis Waitley
Conclusion
From what seems impossible to very obvious eventualities, management of risk should encompass a broad section of scenarios.
Perhaps for now seeking those risks that lie at our feet may better influence positive change within our business. We can at least work up from there.
Nicky Jardine has over a decade of experience in Telemanagement using both hands-on and virtual practice management to guide medical practices across Australia towards a refined and profitable structure.
She engages the best in the business to ensure that practice setup and reforming of existing medical centres run smoothly and is in line with the vision of key stakeholders.