Risk is as inevitable for business as taxes. And businesses generally approach it somewhere between two broad extremes:
- They see risk as an enormous, inevitable and insoluble problem, just hope for the best, and crack on; or
- They see risk as such an enormous, inevitable and intractable problem, they become paralysed in thinking about it, so don’t, and fail to control it at all.
All businesses have to deal with risk, some of which can be life-threatening, every day, in everything they do. But the best businesses find ways of living with it, and limiting uncertainty. How, in our experience, do the best businesses deal with risk, but stay functional?
Above all, they take time to think, realistically and practically, about the risks they confront, and how to approach them. There needs to be real commitment from the very top of a business that this thinking is fundamentally important. The best businesses make sure that everyone, to an appropriate level, “walks the talk”: that risk is constantly thought about and engaged with.
The best businesses also all have a thorough understanding of where their risk lies. Their core thinking on risk is that it:
- is inevitable
- needs to be thought through in every decision, strategic and operational
- needs to be accepted always, and limited where possible.
It is entirely trite, but true, to say that people are fundamental to every business. It’s people that run a business, not systems, but the best businesses make sure their people have systems to help them manage risk. Having systems means that someone at the centre has thought the relevant risks through.
In general terms, risk falls into four main categories – strategic, operational, financial, and compliance.
Different people in the business need to focus on the different categories; clearly it is not necessary for everyone to evaluate every risk across the entire organisation. But there does need to be a broad statement of policy around how risk is managed generally, which people can turn to when trying to work out how to evaluate and manage specific risks.
So, there need to be policies for each category of risk. For instance, it’s fundamental to have health and safety and cyber security risk strategies. Highly acquisitive businesses will usually have (though, surprisingly often, they don’t) statements of the risks that an M&A process can throw up – for instance around integration – and how best to deal with them.
Those responsible for specific projects in a business need to know that relevant policies exist and how to use them. They need to know that the business takes these risks seriously – and that, while risk is part of business life, a carefully considered and managed risk which goes against you is not a sign of failure. But, above all, they need to know that risks have to be faced up to.
There is a great deal of available knowledge around risk management systems, processes, and checklists, all of which play a vital part in risk management. Our firm does loads of good and proper work helping clients put these systems and processes in place.
But, in our experience, all of this is utterly pointless unless the corporate state of mind, at every level, acknowledges that risk is inevitable, and that it must be carefully thought about every time – but that the mere existence of risk never paralyses action.