Risk management strategy and tactics
There are two main risk management strategies: passive protection and active response.
Passive protection against risks does not make revolutionary changes in the nature of the enterprise’s activities, the volume and structure of its property. Its essence lies in the selection and use various types and insurance methods:
Insurance through insurance companies;
Use of hedging procedures;
Self-insurance.
Insurance through insurance companies allows you to insure:
‣‣‣ property from loss (destruction), shortage or damage;
‣‣‣ business or a separate transaction from losses due to violation of their obligations by the company’s counterparties, changes in operating conditions due to circumstances beyond the control of the company, non-receipt of expected income;
‣‣‣ liability of the enterprise to third parties for causing harm to them. For example, liability insurance of a transport company-carrier for damage caused to passengers, cargo owners, consignees; liability insurance for enterprises that are sources of increased danger, etc.
When advancing insured event the insurance company (insurer) fully or partially compensates the company (insured) for losses and damages.
Hedgingʼʼhedgeʼʼ translated from English as ʼʼfence, fenceʼʼ allows you to insure yourself against unfavorable price changes under contracts for the purchase (sale) of commodity resources, securities or currency values.
There are certain hedging instruments:
- futures contract(futures) is a standard document that indicates an obligation to sell (buy) a corresponding amount of an underlying asset (commodities, securities or currency) at a certain time in the future at a price fixed in the contract at the time of its conclusion;
- forward contract- this is a bilateral agreement in a standard form, indicating an obligation to purchase (sell) the corresponding quantity of the underlying asset (commodities, securities, currency) at a certain time and on certain conditions in the future with a price fixed at the time of concluding the contract;
- option- this is a standard document that secures the right (and not the obligation, as when concluding futures and forward contracts) of its owner to purchase (buy option) or sell (put option) within a specified period of time a certain amount of the corresponding asset at the price fixed in the option . The owner of the option may not exercise the right enshrined in the option, losing only the premium (the price paid for the option), which is usually a small fraction of the price of the underlying asset on which the option is issued.
1. Options, futures and forward contracts are derivative securities (derivatives) that can be traded on financial market, i.e. they themselves are a product, and not just a way to insure transactions.
2. Two types of hedging are used: a) long hedge - when a futures contract is purchased in anticipation of rising prices; b) short hedge - when a futures contract is purchased to protect against price declines.
Self-insurance - it is a way of protecting against risk by creating internal reserve funds for financing possible losses. This method is advisable to use when there is a high level of probability of losses or when the value of the insured property is relatively small compared to the company’s income. But the creation of insurance reserve funds diverts funds that could generate income; therefore, managers, on the one hand, strive to minimize them, and on the other, to reduce the risk of losses.
Actively responding to risks - this is a strategy for managing them through the implementation of various technical measures, diversification of the enterprise’s activities, which radically change the previous patterns of doing business, generate new economic ties of the enterprise, change the volume of its property and assets.
A proactive risk response strategy should be implemented in the following ways:
1) risk sharing As a rule, it is carried out by dispersing the property of the enterprise in order to reduce possible losses. Property can be distributed in two ways:
Separate physically (for example, open accounts in different banks to store funds);
Divide property between owners (for example, between the parent company and subsidiaries);
2) risk transfer involves the conclusion of contracts that stipulate what risks the other party assumes (for example, a construction contract, when the contractor assumes all the risks associated with construction; an agreement on the storage and transportation of goods, under which the transport company risks associated with damage or loss of goods are transferred);
3) risk diversification is based on the diversification of the enterprise's activities.
The most difficult thing is diversification financial activities for the following reasons:
- horizontal integration involves a merger (or acquisition) with an enterprise that produces the same (similar) products. In other words, it is a strategy to absorb competitors. This path, of course, can significantly reduce the risk of an individual enterprise, but it poses a risk of market monopolization. For this reason, it must be taken into account that the actions of managers in this direction in all countries are limited by antimonopoly legislation;
- vertical integration consists of establishing control over intermediary enterprises (or their acquisition), between the enterprise and the end consumer, or over intermediaries (or manufacturers) supplying the enterprise with raw materials, supplies, and components;
- organization of joint ventures with foreign partners can significantly reduce the risk of production and economic activity by choosing countries that are able to provide the necessary resources (financial, labor, material, raw materials) on favorable terms; combining the capabilities of partners from different countries allows you to reduce costs, increase income, and reduce the likelihood of losses;
- concentric diversification- this is penetration into a new area of activity, but with high compatibility with current activities, through the acquisition of enterprises whose products, markets, distribution channels, technologies and resource base are related, but not identical to their own;
- conglomerate diversification carried out through the acquisition of the most profitable, highly profitable enterprises, regardless of their types of activity. This direction requires significant financial investments and is available only to very large companies. Huge conglomerates created in this way become less vulnerable to almost all risks, since losses in one area of activity are offset by income in others.
Each enterprise approaches the choice of the optimal option for diversifying its activities with different criteria. It should be borne in mind that, while reducing some financial risks, diversification creates new risks, which are also extremely important to manage. At the same time, not all risks can be reduced through diversification. For example, risks caused by macroeconomic processes (economic crises, movements in bank interest rates, etc.) are non-diversifiable (or systematic).
In the economic literature, as part of risk management strategies, sometimes, along with a passive risk protection strategy and an active response strategy, a conservative strategy is called, which is not entirely correct. The fact is that a conservative strategy manifests itself after the occurrence of a risk event, when the enterprise has already suffered damage. In this case, the goal of the financial manager is not to manage the risk, but to localize it and minimize its negative consequences.
5. Regulation of business risks. Responsibility and risk
The need to take risks is one of the conditions for successful entrepreneurial activity. But risk can become a destabilizing factor if the management decision is made unreasonably and is of an adventurous nature.
Posted on ref.rf
The possibility of such a development of events indicates the extreme importance of creating a social, legal and economic system in society to protect entrepreneurs from the consequences of risks. If there are no such guarantees, the entrepreneur will have no incentive to carry out risky operations.
Well-known rules of doing business, dictated by sound logic, can also be considered as a kind of regulation.
Rule one. You cannot take more risks than the company's own capital can allow. Before investing, the investor must determine the maximum possible amount of loss for a given project, compare it with the amount of capital invested and with all the enterprise’s own financial resources. As a result of such comparisons, the answer is given to the question: will the loss of this capital lead to bankruptcy of the investor?
The amount of loss from capital investment must be equal to the amount of the given capital, be less or more than it. In direct investments, the amount of loss is usually equal to the amount of venture capital. For example, an investor invested 10 thousand rubles. into a risky business. The case failed. The investor lost 10 thousand, rubles. Moreover, taking into account the decrease in the purchasing power of money, especially in conditions of inflation, the volume of losses should be greater than the amount of money invested.
In this case, the amount of possible loss should be determined taking into account the inflation index.
Rule two. We need to think about the consequences of risk. The implementation of this rule requires that an investor, when starting any transaction, calculate the maximum possible amount of loss, the degree of risk, the likelihood of its occurrence and provide in advance ways to prevent or neutralize it.
Rule three. You can't risk a lot for a little. The effect of this rule is especially pronounced when transferring financial risk. The investor should not accept the risk if the loss is large in comparison with the savings on insurance premiums and in comparison with the sum insured.
However, the effective functioning of an enterprise in a market economy requires constant monitoring of the risk environment in order to manage them, which makes this direction of the manager’s activity inevitable.
Risk management strategy and tactics - concept and types. Classification and features of the category "Risk Management Strategy and Tactics" 2017, 2018.
- Why is it especially important to systematically manage risks today?
- Risk classification for practical application
- How to structure risk management work
- Which of your managers is responsible for which risks?
The crisis has brought issues to the agenda risk management strategies: This is something that the senior management of almost all companies planning to survive should think about. Until the fall, risk management in a formalized form existed only in large Russian companies and financial institutions, and companies located lower in business success ratings (by turnover or capital) generally considered risk management to be something like another foreign fashion, nicely named, but absolutely useless. At the same time, there is no doubt about the fact that companies that continue to conduct operations and invest in their future in the current unfavorable environment have, albeit not formalized, albeit fragmented, but at the same time successful risk management. It’s just that managers call this activity not risk management, but labor protection, implementation of quality standards, environmental management, verification of personnel loyalty, economic, physical or information security, insurance,” hedging, reserving and stockpiling, and so on.
At the same time, few of these “involuntarily risk managers” imagine to what extent he has the right to take risks in his position, what the company’s general level of sensitivity to losses and financial losses is, and what is the threshold of unprofitability, beyond which the company will face ruin or a change of ownership . I recommend that any company today evaluate its operations taking into account risk management, even if the company does not have the opportunity to have a risk manager on staff. The tips below will help you organize your risk assessment work.
Every time we make a mistake, we are obliged to draw certain conclusions in order to turn it into our advantage. So, your colleague from St. Petersburg formulated a personal rule after he spent 2 million rubles on a business that did not work. Thanks to his rule, over the next two years he was able to found three new businesses and abandoned a dozen ideas in time.
In the article you will find 4 more stories from your colleagues that will benefit your business.
Risk classification
Risks are classified according to the levels of possible consequences in descending order of catastrophicity (vertical classification), as well as by the nature of their origin (horizontal classification).
The vertical classification of risks is directly related to the determination of those who are able to manage risks.
| Type of risk | Description |
| Supranational (global) | Climate change (for example, global warming), pandemic, epizootic (for example, bird flu), global financial crisis, etc. - that is, situations that no country or company can influence. The risk managers (regulators) in this case (despite the fact that there is no global legislation) are government associations (UN, G20, etc.) |
| Country (sovereign) | This is the level of risks of an individual state: man-made and transport disasters, military operations, “brain drain”, alcoholism, drug addiction, population aging, demographic problems, etc. At this level of risk manager there are top officials of the state, government, central bank, etc. |
| Corporate | This is the level at which risk management historically appeared. This includes all classic risks - defaults, investment risks, project, operational, etc. Risk managers are the owners and top officials of the enterprise ( General manager and key top managers). |
| Personal | This is the level at which each of us is a risk manager. And the risks are corresponding - the risks of the city in which we live; the routes we take to get to work; medical institutions where we receive treatment; risk of losing your job, etc. |
There are more than 20 classifications of corporate-level risks. I consider the following classification to be the most oriented towards the real sector, the simplest and most logical.
- Strategic risks that interfere with the achievement of the company's long-term goals. As a rule, they are associated with global projects that require large investments - the implementation of an ERP system, the construction of a new production facility, etc. If such a risk materializes, the company may be on the verge of default in quite a while. short term.
- Financial risks are dangers associated with money: insufficient liquidity, fluctuations in exchange rates, stock indices, changes in interest rates, etc. The lists of these risks are similar for everyone: both large oil and gas companies and the grocery store located across the street from Your home.
- Operational risks associated with daily work: production process, technology, IT, errors or disloyalty of personnel, transportation of goods, finished products etc.
- Risks of dangers and threats. These risks are mainly external - floods, fires, explosions, corporate raids, lawsuits, etc.
- Legal risks associated with compliance of your activities with legal norms, industry standards, labor protection standards, general and information security rules, environmental standards, etc.
- Evolving risks (re-emerging). This category includes, for example, genetically modified products, mobile communications (we are the first generation to use mobile communications, and it is unclear what will happen to our children and their children because of this), nanotechnology, etc.
In fact, risks can be classified in any way that is convenient and understandable to the owners and management of the company - even based on the organizational structure of your company (for example, risks of the sales department, risks of financial management) or on the distribution of powers between managers (for example, risks of shareholders, risks of the financial director) . The main thing is that in the end everyone clearly understands what risks we are talking about. Classification is needed only for the convenience of grouping identified risks and assigning responsibility - the so-called risk owners.
- Risk management system: the essence of risk management in a nutshell
Glossary
Risk is the threat that an event or action will adversely affect the ability to achieve the desired business result, achieve goals and (or) strategic plans (COSO ERM and AS/NZS 4360:2004 standards).
Risk is a random event that has two characteristics: the probability of the event occurring and damage (benefit) as a consequence of the occurrence of this event.
Risk management is the process of identifying critical risks, assessing their impact, developing and implementing comprehensive solution to manage them, integrating strategy, people, processes and technology.
Risk management – in impact on risk, leading to a change in risk characteristics - a change in probability and (or) a change in consequences
10 main risks
Ernst & Young's annual study (Business Risk Research) is based on a survey of company executives. Here are the risks they believe are most important today:
- Crisis in the lending market (+1).
- Non-compliance with legal requirements (–1).
- Deepening recession ( new look risks).
- Radical greening (+5).
- Increased competition from non-traditional participants in industries (+11).
- Cost reduction (+1).
- Fight for talented specialists (+4).
- Concluding alliances and deals (–1).
- Obsolescence of business models (a new type of risk).
- Reputational risks (+12).
Risk management strategy
Risk identification
At this stage, you can use classical techniques, such as questionnaires and surveys of key employees and top managers of the company, meetings and brainstorming sessions to identify risks, risk benchmarking (adaptation for your enterprise of risks inherent in the industry). The main thing is to identify which events of any nature could be catastrophic or dangerous for the company. As a result, you will be able to compile a list of risks for your company.
Risk assessment and prioritization
Risks included in the preliminary register need to be grouped thematically. Next, you need to determine unified risk assessment scales based on two main parameters - damage and its probability in the period of interest to you. The time horizon is usually chosen in accordance with the budget or strategic planning cycle. A single scale is determined in a currency convenient for you (the one in which the company maintains management accounting and reporting or in which it is denominated greatest number contractual obligations). It is important that all risks, regardless of their type, are assessed in the same units.
Risk prioritization should be carried out by the same experts who compiled the initial list of risks. It is carried out by voting (secret or open - depends on the assessment of what degree of frankness you need). As a result, you will receive estimates of the possible damage from the risk and the likelihood of its occurrence.
- Currency risk management: how to protect your business from rising dollar and euro rates
For example, in your production there is a risk of an explosion in the oxygen workshop. The production director has an approximate (most likely, with a very small error) idea of how much it will cost to clear the rubble, build a new workshop, and purchase equipment. Let’s assume that the risk is expertly estimated at a million US dollars. This million-dollar risk, multiplied by a 10% probability, costs 100 thousand dollars, and if the probability of an explosion is 50%, then the cost of the risk is 500 thousand dollars. But when assessing such a risk, it is necessary to take into account the fact that the downtime will depend on time , which will be required for all activities preceding the launch of the workshop. You also need to estimate how long the company will be able to pay wages to idle employees, what penalties will be charged for outstanding loans, and how quickly the company will be able to repay them.
The result of this stage of work will be a corporate risk register. In it, the risks will be arranged in the form of a kind of hit parade - in descending order of a balanced assessment of damage. To better perceive the resulting picture, you can build a two-dimensional risk map: on one coordinate axis the probability of risk occurrence will be displayed, on the other - financial damage, and on the map itself the risks will be given in the form of points (you will receive the coordinates of these points from the results of assessment and prioritization) ( cm. rice.).
Without proper risk assessment using common units of measurement for prioritization, you may become hostage to the most charismatic, most persuasive or most educated department head, the “risk owner”, who can eloquently and convincingly argue that his risks (for example, worn-out core funds from the director of capital construction, “nonsense” and terrorists from the head of the security service, the inability to raise funds from the financial director) - all risks, risks and measures to manage them need to be financed first of all, in in full and with the highest possible budget.
Comparison of risks with the company’s “sensitivity level”
The resulting register of risks must be compared with the “level of sensitivity” of your company to risks. This level is also determined by experts based on the possible size of the loss: what the company can withstand and what it cannot. Comparison will help to identify which risks on the time horizon you have chosen are small (in the classification of risk managers - “up to the level of tolerance”), which are significant (between tolerance and the “pain threshold”), and which are catastrophic and can lead to the collapse of the business (above the “pain threshold”). Risk management depends on this: it is important to understand which of them should not be paid attention to, which should be dealt with by the company's management, and which fall within the competence of business owners.
The first risk management cycle, of course, will not identify absolutely all the risks and threats that accompany the activities of your company. But each subsequent cycle will provide more and more reliable information. Understanding the main risks and setting priorities is definitely a help for managers and company owners in times of crisis that will inevitably end.
Doctor of Economic Sciences, Professor St. Petersburg branch of National Research University State University " graduate School economics"
In their business activities, non-financial companies are exposed to various types of risks. At the same time, they strive to eliminate (exclude) risk factors that negatively affect their value.
In this study, Risk Response Planning is understood as a set of strategies, methods and tools (methods) for minimizing the negative consequences of risks in a company.
In the process of eliminating risks, the company develops strategies (methods, tools) to reduce the negative impact of risks on its key economic indicators (KEP). At the same time, the company is looking for management solutions that provide a certain compromise between achieving the EPI and the threat of potential damages (losses). Finding an acceptable risk allows you to assess the impact of risks, concentrate and distribute resources, and develop an appropriate risk elimination program aimed at preventive and subsequent impact on the risk.
The main goal of eliminating risks in a company is to bring identified and assessed risks to an acceptable level. The concept of acceptable risk replaces the approach to defining “absolute safety”, which is usually used in various branches of engineering and technology. In accordance with the “absolute safety” approach, it is considered practically possible to exclude any possibility of the occurrence of negative impacts of risks for engineering, technical systems, hazardous industries, etc. In this case, the company focuses on a zero probability of risk occurrence. However, in practice, in the course of business activities, a company will not be able to completely eliminate potential risk factors that could lead to an undesirable scenario for the development of individual business processes - a deviation from the selected strategic business goals. In these conditions, risk elimination is an important component of the company's integrated risk management system.
In highly competitive markets, companies are forced to optimize the acceptable level of risk exposure. This allows it to consistently receive income that exceeds the market average (for example, by balancing risk elimination strategies that do not allow it to exceed a “critical mass” of risks).
Taking into account the noted provisions, the company is developing basic procedures for eliminating risks (Fig. 1).
Fig. 1 Enlarged block diagram of the main elimination process
risks in the company
Block 1. Determining a company's risk tolerance is carried out to determine the propensity of executives, managers, shareholders and stakeholders to risks and their consequences.
Block 2. The choice of risk elimination strategies is made taking into account market conditions, the financial position of the company, the accepted contracting system, the characteristics of industrial and technical products, as well as the specifics of business activities, etc. Companies, as a rule, use (sometimes simultaneously) the following types of risk elimination strategies: risk-free strategy, risk-taking strategy, preventive impact strategy and post-impact strategy.
Block 3. Selection (determination) of risk elimination methods. To implement one or another risk elimination strategy, a wide range of methods (approaches) is used. The choice of one of them (for example, insurance or self-insurance) is made on the basis of a comparative assessment of their effectiveness and impact on the value of the company.
Block 4. Analysis and use of risk elimination tools (mechanisms). At the stage of analysis of elimination tools (methods), the selected method is specified (brought to a clear algorithm), performers and the necessary resources are identified to implement the appropriate tools (for example, the use of futures and options is justified for the hedging method).
Block 5. Planning the main process of risk elimination involves the development of a set of control actions in the form of anti-risk measures and the volumes and sources of financing required for this.
Block 6. In the budgeting process, individual and consolidated budgets of the company (independent business units) are developed taking into account the approved limits.
Block 7. An assessment of the effectiveness (effectiveness) of risk elimination is carried out in order to compare the achievement of set goals (strategies) for risk elimination with the costs of certain resources that support the integrated risk management system at a given level.
In the process of eliminating risks, the company develops an action program to optimize risk exposure: what needs to be insured, where self-insurance is possible and how, based on a comparison of the benefits and costs of optimizing each type (class) of risk and taking into account the relationships between risks, a decision is made on their optimal level.
The main mechanism for achieving risk elimination goals in a company is risk management strategies.
In accordance with the concept of integrated risk management, the following risk management strategies in the company are distinguished:
· risk-free strategy;
· risk taking strategy;
· strategy for preventive impact on risk;
· strategy for subsequent impact on risk.
Risk-free strategy (risk avoidance) is an effective means of avoiding the negative consequences of a company’s business activities in cases where the likelihood of risk and the consequences of its impact have a significant impact on the company’s assets.
Risk Taking Strategy applies when the company does not provide for any special actions in relation to a certain type (class) of risk. In this case, the company's management consciously takes risks and develops the business until losses from the consequences of the risks that occur lead to irreparable losses. Such a strategy also does not seem optimal due to the fact that the likely end result - negative profit - does not correlate with the main goal of the business. The main miscalculations in this case are the lack of a systematic analysis of the market state and its dynamics, risk factors, as well as a flexible response to changing conditions.
Strategy for preventive impact on risks carried out with the aim of creating conditions that exclude the emergence of causes and risk factors. In the process of implementing the strategy, measures are developed aimed at reducing the likelihood of damages (losses), as well as minimizing their consequences.
Strategy for subsequent risk management is developed with the aim of creating conditions for reducing (minimizing) the impact of the consequences of a risk event on the company’s activities.
The choice of one or another strategy for eliminating risks is determined by the overall business strategy of the company. So, if a company is focused on conquering the market, then, as a rule, the second and third risk management strategies are used. If a company is focused on maintaining its current position in the market or ensuring its financial stability, then the first and second strategies are most often the choice.
In their business activities, companies are exposed, as already noted, to systematic and specific risks. Moreover, specific risks in the general list (catalog) of company risks are about 70-80%. In these conditions, companies strive to eliminate risk factors that affect their projected cash flows. In this regard, such cash flows will be significantly greater for companies that use elimination methods (tools). Their cost of debt financing will be significantly reduced, since the risk of default depends on both specific risks and market risk. The share of debt that a company can use to finance its production activities may increase due to a decrease in the impact of specific risks.
Eliminating risks primarily increases the value of relatively small companies whose share capital is concentrated in the hands of a small number of majority shareholders, as well as for companies with significant debt obligations and the ongoing costs of potential default.
In the process of eliminating risks, it is necessary to consider the potential costs and benefits of elimination (i.e., those risks are eliminated when the benefits of elimination exceed the possible costs).
Eliminating risks in a company has both explicit and implicit costs, which vary depending on the risk being eliminated and the method (tool) of elimination. It should be noted that some risk elimination procedures are integrated into standard investment and financial decisions that companies make under conditions of uncertainty. In this case, the degree of influence of integrated risk on the company’s business activity is determined by the assets in which investment is made and the financing schemes used.
Some of the integrated risk can be eliminated by the investment decisions that the company makes. Investment decisions can influence not only company-specific risks (for example, the type of technological equipment), but also systematic risks. In this case, the company diversifies its business into many areas in order to reduce the variability of earnings, which makes the company more resilient.
Companies can influence integrated risk through their financial decisions. In these conditions, companies strive to optimize financing schemes (for example, by borrowing and purchasing assets in a single monetary equivalent). Failure to provide this condition increases the risk of default and the cost of debt financing, which will ultimately increase the value of the company as a whole. Sometimes companies that believe that short-term rates are low compared to long-term rates may take cash for a short period to finance long-term investments with a view to later transitioning to long-term debt.
Explicit costs are costs that can be determined specifically for the forecast period (for example, costs of insurance protection, costs of options, etc.).
Implicit costs relate to costs that may or may not be incurred (for example, the use of forward or futures contracts). A company that buys a futures contract to lock in the price of its products may not face immediate payments, but it will have to give up potential profits if product prices rise.
The greatest efficiency of risk elimination systems is ensured in companies that have the following characteristics:
· high volatility of cash flows in the future;
· presence of high barriers to entry into the market (aerospace industry).
This is explained by the fact that risk elimination strategies are closely interrelated and determined by the company’s business strategies (i.e., when making risk decisions, strategic goals prevail over financial ones).
At the same time, reducing the level of risks leads to a decrease in the volatility of cash flows generated by the company, cost savings, and also increases the value of the company.
List of sources used
1. Damodaran A. Strategic risk management. Principles and techniques. Per. from English - M.: LLC “I.D. Williams", 2010
2. Prakash Shimpi. Integrating Corporate Risk Management. Texere, 2001
3. Shvets S.K. System of integrated risk management in the company. - St. Petersburg: Publishing house. St. Petersburg State University, 2009
Collection of scientific articles
“Problems of interaction between economic entities in the real sector of the Russian economy: financial, economic, socio-political, legal and humanitarian aspects,”
St. Petersburg: , 2011
The next logical step, of course, is to create a plan to address each risk you identify so that you can manage the risks on an ongoing basis. You will learn how to do this in this tutorial.
We'll start with what a risk management plan might look like and how you can put it together for your business. We'll then look at the options you have when considering each individual risk and how you can decide which strategy to use. And finally, we'll see how you can control risk in your business by on a regular basis and update your plan as needed.
Creating a strong risk management plan is one of the most important things you can do for your business. Companies fail all the time, sometimes blaming bad luck, "the economy" or other unforeseen circumstances. Risk management is about being prepared for as many of these adverse events as possible so you can weather the storms that force your competitors to quit.
Disaster may, of course, still strike best laid plans, But serious attitude to risk management will certainly increase your chances of long-term success. So let's begin.
1. Make a plan
Every business should have a clear risk management plan. Here's a guide to creating one.
The format can vary greatly depending on your company's needs. A risk management plan for a large, complex business can easily span hundreds of pages, while a small business may simply have a small spreadsheet focused on key metrics.
However, there are several important items that need to be included in your risk management plan. Here they are:
- List of individual risks
- Rating each risk based on likelihood and impact
- Assessment of current control
- Action plan
Let's look at each of them in turn. If you've been following the series, you'll notice that we've already covered the first two elements in . So we're already off to a good start with our plan. Here is a sample table that we compiled last time:
Of course, your complete plan will have much more elements, but this example at least illustrates the format. You can refer to another tutorial for additional information about what each score means.
So to complete our risk management plan, we just need to add two more columns to our table.
The first new column is the assessment of current control. For each risk identified, what are you currently doing to control that risk and how effective is it?
For example, let's look at the first element of our table: "Customer XYZ is late paying their bill." You may already be managing this risk by sending automatic reminders in the form of an invoice closer to its due date and having one of your employees responsible for individual work with phone calls and emails. You would list these as existing controls in your risk management plan.
Therefore, the next step is to consider the effectiveness of these actions. How well are things working right now? If your client almost always pays on time, for example, then your controls are effective. But if XYZ Corp is late with payments two or three times already this year, controls are inadequate. Again, you can use a simple five-point scale:
- Very inadequate or non-existent
- Inadequate
- Satisfactory
- Strong
- Very strong
The final element of your plan then describes the actions you plan to take to better manage the risk. What could you do to reduce the likelihood of this happening or minimize its impact when it happens?
This last point is a little more complicated, so we'll look at it in more detail in the next section of this tutorial.
2. Decide how to handle each risk.
In summary, at this point in the series, we have identified all of the major risks in our business, prioritized them based on likelihood and impact, and assessed the effectiveness of our current controls.
The next step is to decide what to do with each risk so that we can manage them better. There are four main strategies in the world of risk management:
- Avoid this.
- Cut it short.
- Pass it on.
- Accept it.
Each strategy has its advantages and disadvantages, and you'll probably end up using all four. Sometimes you need to avoid risk, and sometimes you need to reduce it, transfer it, or just accept it. Let's look at what these terms mean and how to choose the right usage classification for each of your own business risks.
Avoid risk
Sometimes the risk will be so severe that you simply want to eliminate it, such as by avoiding the activity entirely or taking a completely different approach. If a certain type of trade is very risky, you may decide that it is not worth the potential reward and abandon it.
The advantage of this strategy is that it is the most effective way dealing with risk. By stopping activities that are causing potential problems, you eliminate the possibility of incurring losses. But the downside is that you also lose any benefits. Taking risks can be very profitable or perhaps have other benefits for your company. Therefore, this strategy is best used as a last resort when you have tried other strategies and find that the risk level is still too high.
Reduce risk
Unless you want to give up the activity completely, the general approach is to reduce the risk associated with it. Take steps to make the negative outcome less likely to occur or to minimize its impact when it occurs.
With our previous case of “Key Client XYZ Corp is late in paying an invoice,” for example, we can reduce the likelihood by offering the client an incentive to pay their invoices on time. Maybe a 10% discount for early payment and a penalty for late payment. Dealing with non-paying clients can be challenging, and we've covered this in more detail in our textbook by , but here are a few options.
In the same example we could reduce influence by arranging access to a short-term credit line. This way, even if the client does pay late, we won't run out of money. For more information on short-term borrowing options such as factoring and lines of credit, see our primer on .
This is perhaps the most common strategy and is suitable for a wide range of different risks. This allows you to continue your work, but with measures to make it less dangerous. If done well, you have the best of both worlds. But the danger is that your control is ineffective and you end up still suffering the loss you feared.
Risk Transfer
We are all familiar with the concept of insurance from our everyday life, and the same applies to business. An insurance contract is basically a transfer of risk from one party to another with a payment in return.
When you own a home, for example, there is a high risk of loss from fire, theft, and other damage. So, you can buy a home insurance policy and transfer that risk to the insurance company. If something goes wrong, it's the insurance company that bears the loss, and in exchange for that peace of mind, you pay them a premium.
When you own a business, you have the opportunity to transfer many of your risks to an insurance company. You can insure your objects and vehicles, and obtain various types of liability insurance to protect yourself from lawsuits. We will talk about insurance in more detail in the next textbook in the series, but this good option to deal with risks that have a large potential impact if you can find an acceptable policy.
Take the risk
As we have seen, risk management is related to price. Avoiding risk means narrowing your company's activities and missing out on potential benefits. Risk mitigation may involve expensive new systems or cumbersome processes and controls. And risk transfer also comes with costs, such as insurance premiums.
Therefore, in case of minor risks, it is best to simply accept them. There's no point in investing in a whole new package of expensive software only to mitigate a risk that would not have had much impact anyway. For risks that score low for impact and likelihood, find a simple, low-cost solution, and if you can't find one, it may be worth just accepting the risk and continuing business as usual.
The benefit of taking risks is pretty clear: there are no costs, and it frees up resources to focus on bigger risks. The downside is also pretty clear: you don't have any controls. If the impact and likelihood are negligible, that might be a good thing. But make sure you evaluate these things correctly so you don't end up with an unpleasant surprise.
3. Follow
It is not enough to introduce measures; You also need to check that they are working and regularly monitor your business to identify and deal with new risks.
The starting point is the plan you wrote. You should now have a list of all the risks in your business, an assessment of their likelihood and impact, an assessment of your current controls, and an action plan to address them. Here's an example of what it might look like when you put it all together (click the button "Risk Management Plan" and the “Register” button at the bottom of the page).
The danger with a document like this is that you spend a lot of time preparing it, but then never go back and update it later. A good risk management plan should be a living document, constantly reviewed and updated to reflect new situations, new risks and the effectiveness of your actions.
First of all, every activity you define must have an end date for completion, and a person who is primarily responsible for it. For example, with our customer client, we may decide that our salesperson Tina will be responsible for renegotiating payment terms with XYZ Corp. to create incentives for timely payment, and that this will be completed by March 1st.
When Tina is done doing this, you will move it from the "actions" column to the "current controls" column. Then, over the next months, you will evaluate how effective the new payment terms are in reducing risk. If they are still not effective, you may want to look into a short-term financing option to reduce the impact of late payments.
If none of these options work, you can look for other alternatives. If you've tried everything and the client is still late, then you can accept the risk if the client's business is truly important to you, or you can go the nuclear option of eliminating the risk altogether by avoiding doing business with that client.
Over time, the situation will constantly change as the risks change and your responses to them have their own effect. Some controls you put in place can make it less likely that a customer will pay too late, making it less important to the decision. Or you could take on so many other clients that XYZ Corp. takes into account a smaller share of your income, so the impact of a late payment will be less. All this must be taken into account.
There is no hard and fast rule about how often to update your risk management plan. Large companies have entire departments dedicated to risk management full-time, whereas in a smaller company the resources you can devote to it will likely be more limited. The key is to commit to updating your plan regularly, whether monthly, quarterly, or even annually.
One best approach is to make small changes to individual elements on an ongoing basis as changes occur, and then conduct a more comprehensive review of the document on less frequent, but still regular, schedules. Full review will involve going back to the steps outlined in previous parts of this series, brainstorming all the risks your business faces, adding new items to the list, and ranking them by importance. Then do the same with existing risks, noting any changes.
Next steps
If you take all the steps outlined in this tutorial and the previous parts of this series, you will be in a good position to protect your business from the many pitfalls that will come your way.
You now have a comprehensive risk management plan that lists all the risks your business faces and ranks them based on how likely they are to occur and how severe their impact will be.
You have assessed the effectiveness of the controls currently in place and developed an action plan to prevent, reduce, transfer or accept the risk.
Your action plan has a clear timeline and a person responsible for its implementation, and you have made a commitment to monitor the success of your actions and update the plan as necessary.
Congratulations! You are in a better position than many other business owners. Truly unexpected events may still arise and cause problems, but you have done your best to plan for possible risks and protect yourself as much as possible.
The final tutorial in this series will explore the risk transfer option in more detail. There are quite a few different types of business insurance, and the categories are different from what you might be used to in your personal life. So keep an eye on the essential types of insurance your business needs.
Practical content of the work of a risk manager.
Risk management, as an emerging new profession, was noted in scientific publications in the mid-50s. twentieth century. But the application of the risk management process itself in practice and the emergence of professional management managers financial risks were finally established only in the early 70s. Currently, risk management has gone far beyond financial management, being present in almost all sectors of economic activity and based primarily on the use of specially developed computer programs.
Risk management in practice - enough difficult task, since the manager makes most business decisions in conditions of uncertainty, rapid changes in external and internal circumstances of business life. In the ordinary understanding of risk management, a risk specialist constantly analyzes various information and then evaluates the situation taking into account personal experience. Often such an assessment is subjective and does not take into account the degree of uncertainty of the risk factor. As a result, an incomplete picture is created in understanding the market situation. Such an approach to risk management in the business conditions that emerged at the beginning of the 21st century is imperfect and of little relevance. The level of competition in many sectors of economic activity, which has increased to previously unimaginable limits, has confronted risk managers with the task of professional mastery of methods that allow, if not eliminating, then at least reducing the degree of risk in each specific situation, relying not on personal experience and, above all, on analytical information obtained during continuous monitoring of the external and internal environment of a business organization. The use of risk tools that allow for the assessment of risk factors helps the manager develop risk responses based on the most reliable information.
The set of practical actions of a risk manager can be depicted schematically (Fig. 3.3):
Rice. 3.3 Decision-making procedure through risk management
Currently, large financial and industrial corporations, trying to minimize, first of all, external economic risks, create target groups of risk managers. The tasks of such groups are to timely identify, and then measure and reliably assess the most dangerous risks for each business unit and then make proposals for timely changes to the overall corporate strategy. At the same time, the volume of risks taken must comply with the general corporate principles of the risk strategy.
Heads of large Belarusian enterprises and heads of industry departments should today actively adopt the best intellectual developments of foreign risk management. Being in the environment of the world market in the group of “catching up with the leader”, the pillars of the Belarusian economy have every chance in the long term to be among the leading companies of the European and even world level in their industries.
What principles should managers of large domestic businesses adhere to in the field of risk management?
First of all, this training of highly qualified risk managers and the creation in the medium term of corporate (industry) centers with the involvement of the most valuable intellectual resources there. With the help of such structures, preliminary development of solutions with innovative content should be carried out, allowing the risk to be minimized to a rationally justified level. It is necessary to attract successful young specialists here with the prospect of their further career growth.
Another, no less important principle of practical risk management is division of duties. It is necessary to specialize riskological activities, which will make it possible to highlight specific areas in ensuring the risk protection of an individual enterprise and the industry as a whole, to deepen the study of economic risks, and to apply computer software technologies for their accounting and control.
From the above-mentioned principle of separation of responsibilities follows the following, third principle - distribution job responsibilities . Its use makes it possible to develop regulations on risk management target groups, as well as sets job descriptions for each of the professional workers according to their specialization in this area management activities.
No less important is the fourth principle of practical risk management – distribution of responsibility for risks taken. Despite the personal assignment of risk protection areas to specific specialists, a certain share of responsibility for completing risk protection procedures and obtaining the planned result should be assigned to the relevant production structural units of the organization. Risk management specialists provide only the first level of enterprise protection from accepted risks.
At the end of this section, the author invites the reader to evaluate the complexity and versatility of modern practical risk management using the example of a (reduced!) set of services offered to their client organizations by specialists from the Russian company Areopag-Center, specializing in business risk management:
1. Diagnosis of socio-political risks in aspects of organizing regional business (analysis of social tension, level of criminalization of the region, political activity of the population, power of specific officials, decision-making algorithms, features of the regulatory framework, etc.).
2. Analysis of the features of investment policy in the regions (level of corruption of the administrative apparatus / according to open sources /, recorded violations of legislation, etc.).
3. Analysis of the features of local self-government (the powers of specific officials, decision-making algorithms, the level of corruption of the administrative apparatus (open sources), spheres of influence of financial and industrial groups, etc.).
4. Services to neutralize socio-political risks.
5. Representation of your interests before government, commercial and non-profit structures.
6. Services for diagnosing risk areas of the competitive environment.
7. Analysis of the features of the economic activities of competitors (assessment of the criminal aspects of the activity, features of commercial activities, etc.).
8. Diagnostics of methods of competition.
9. Analysis of zones of influence of financial and industrial groups.
10. Diagnosis of industrial and economic espionage.
11. Identification of technical devices for unauthorized retrieval of information
13. Identification of contractors and agents dangerous to the enterprise.
14. Services to neutralize risk areas of the competitive environment.
15. Countering unfair competition.
16. Trademark protection program.
17. Countering industrial and economic espionage
18. Formation of the structure of a trade secret.
19. Diagnostics of the organization to identify objective (potentially given) ways of committing crimes in the enterprise.
20. Identification of risk areas when expanding business.
21. Services for the protection of commercial databases, storage and destruction of commercial information in emergency situations.
22. Prevention (neutralization) of objective (potentially given) ways of committing crimes in an enterprise.
23. Independent monitoring of the activities of departments to identify discrepancies between the actual and declared activities of employees (in order to prevent fraud, theft, forgery, etc.).
24. Creation of tools for remote monitoring of departments’ activities for top managers and founders.
25. Programs aimed at creating systems of management accounting, planning, control, a unified technological cycle of the enterprise, etc.
26. Consultations with managers and founders on the issues of choosing optimal behavior in situations of blackmail by staff.
27. Identification and investigation of signs of theft, fraud, forgery by employees and personnel (non-procedural forms).
28. Risk assessment of the financial and economic activities of an enterprise
29. Consultations on the features of existing financial schemes.
30. Consulting services in the field of customs taxation.
31. Diagnostics of radioactive radiation of territories and premises .
From the above list it is clearly seen that the set of risk-related services offered functionally intersects with personnel management, investments, projects, finance, competitive environment, etc. It is impossible in the activities of a modern manager to completely separate the functioning of individual services and finally formalize the organizational and economic mechanism of economic activity . On the contrary, according to the modern management paradigm, the management team should have an interconnection of all services, which ensures an additional synergistic effect and allows for a deeper understanding of the maturing management situation in the medium and long term.
As a “finishing touch” on the issue under study, it is useful to cite the principles of a modern manager, in which the importance of risk management is clearly visible:
Realize that the only constant is change, although people resist change, even if it will benefit them;
Be able to convince people to take responsibility and not be afraid of risks, reward those who successfully overcome difficulties;
When improving tactics, never forget about the current strategy, i.e. constantly remember the end result;
To create an organization in which all employees would know what a grandiose goal is facing it and personally before them, and were ready to achieve it;
Pay attention not so much to solving problems as to preventing their occurrence;
Constantly improve your knowledge, understanding that success can become worst enemy training;
Anticipate, develop intuition;
Understand that what you expect actually happens;
Concentrate efforts on the main thing (it is necessary to identify 20% of actions that provide 80% of results);
Do not accept work that is not completed in the best possible way, otherwise in the future you will only be given work of this quality.
Today, everyone aspiring to the role of a leader must follow the practice-tested advice of foreign management specialist Yoji Berra: “Observe and you can understand a lot.”
When developing risk management tactics industrial enterprise its leader should first of all take into account the principle given earlier in this work: tactics are the current manifestation of one of the elements of a previously developed and currently implemented strategy. Of course, any approaches used in this case are advisable to comply with the main condition: the risk management process must be continuous. Regular repetition (monitoring) of risk analysis allows you to constantly increase the reliability of assessing the likelihood of negative phenomena occurring in business, and further compilation of regular reports on the most significant risks can significantly improve the quality of tactical decisions made by the top management of a business organization.
What tactical actions are most appropriate in the management activities of domestic risk managers?
According to the author, effective tactics in risk management should be based on the professional use of the entire operational set of risk reduction methods available in each specific case at a certain point in time. The faster the operational information received by the risk manager is processed on computers and then by specialist analysts, the more reliable and useful, and most importantly, the more timely are the options for his proposals to senior management for making final decisions of a tactical nature.
What are these methods?
1. A method of eliminating risky decisions or developing backup plans for tactical interaction. Allows you to most quickly eliminate negative factors or reduce their impact. It is recommended to combine it with bonus motivation for the actions of employees who promptly pointed out realized risks or proposed the most effective measures to eliminate them.
2. Method of generating a list of risks separately: by business processes, functional management subsystems and the company’s management cycle. The introduction of a system for monitoring economic risks makes it possible to do this at a fairly high level.
3. Method of qualitative risk assessment with determination of the degree of their controllability. It is necessary to take into account the scope of manifestation of each of the risks under consideration and constantly systematize and process the resulting expert assessments using a modified concordance coefficient.
4. Quantitative risk assessment. The method most used in risk management tactics, currently based on computer processing of the received data with the establishment of mathematically optimal risk indicators and determination of the permissible range of changes in their values.
5. Method for constructing a risk tree (as well as a tree of management goals). Allows you to systematize and link the results obtained, taking into account the relationships and previous qualitative and quantitative characteristics of risks.
6. Development of risk standards: establishing limit values of risks acceptable for the business entity under study. Must be combined with a quantitative risk assessment method.
7. Method of system expert analysis. The most complex option for accounting and assessing business risks. Includes technologies such as economic and mathematical modeling, deductive analysis using the “cause-result” scheme, analysis in the form of data reconciliation across tables using generalizing coefficients, etc.
What tactical tasks are the basis of modern risk management of a business organization?
1. Organization of operational management of the risk protection system, which includes structures: internal control, personnel safety training, organization and training of interactions between company departments in the event of an emergency.
2. Conducting a current assessment of the likelihood of risks occurring and the possible consequences of their manifestation in the short term.
3. Organization of a system of corrective influences on elements of the external and internal environment of a business organization, including adjustments to the risk management system.
What should be the expected results from the tactical actions of a risk manager?
Firstly, a systematic list and quantitative parameters of the risks of a business organization will be created and then constantly updated.
Secondly, the enterprise (in the industry) will have a system for monitoring, forecasting, accounting and preventing economic risks.
Thirdly, a set of internal regulatory documents for the risk management and internal control system of a business organization will be developed.
Tactical actions in risk management include such organizational activities as preparing and holding operational meetings dedicated to strengthening the risk protection of the enterprise. It is best to conduct them in a creative environment, using the brainstorming method.
Considering the content of strategic activities in risk management, the following should be noted:
1) a strategic approach to risk management is its essence, since risk management is primarily an applied tool for developing strategies for a business entity;
2) the basis of strategic risk management is, first of all, medium- and long-term forecasting of risk situations in the economic activities of the enterprise;
3) the development of a risk protection strategy for an enterprise should always be based on the current mission of the organization, taking into account the philosophy of the business being developed;
4) the main strategic task of risk management is triune and consists of macro-settings for growth, protection and development economic organization.
Like any other, risk strategy is a multifaceted concept. According to G. Mintzberg (8;94), any strategy can be viewed through five “Ps”:
Strategy is plan, guidance, guideline or direction of development from the present to the future;
Strategy is principles behavior or behavior pattern;
Strategy is position;
Strategy is perspective;
Strategy is reception, a maneuver to outwit an opponent.
It must also be remembered that the correct choice of strategy is about 80% of the 100% probability of achieving or not achieving the goal.
Strategic management economic risks in practice, it is a continuous process of developing risk strategies for a business organization, taking into account the final and intermediate goals, the available ways to achieve them based on a systematic analysis of factors in the external and internal environment of the organization and the implementation of risk control (monitoring the progress of implementation of decisions made and the possibility of their timely adjustment) ( Auto.). The product of strategic risk management is management decisions, which should specifically state who, what, when And How will do within the scope of his job responsibilities to ensure the risk protection of the organization.
The process of strategic risk management at the enterprise level is associated with the sequential implementation of several stages (Fig. 3.4):
Fig. 3.4 Stages of organizing and implementing a strategic risk management system at the enterprise level
In the above diagram, on the right, the controlling process taking place in parallel at the enterprise is highlighted, without the use of which today
It is unthinkable to use risk management procedures in any large enterprise. The use of a significant amount of statistical and, above all, accounting information, which is present in the controlling system on electronic media, can significantly increase the efficiency of strategic risk management and accelerate the pace of making the necessary adjustments to the current risk strategy of a business entity.
To reliably ensure the risk protection of an enterprise, in addition to all of the above, it is also necessary efficient system ensuring public relations. Many enterprises of the Republic of Belarus are in quite difficult economic situation and are periodically forced to carry out certain anti-crisis measures aimed at eliminating or reducing existing risks. This can lead to increased psychological tension in the team, the emergence of unwanted speculation and various false rumors. In such a case, the role of the public relations department can hardly be overestimated; the burden of their professional responsibility for the organization’s successful recovery from the crisis becomes very obvious.
In practical risk management, especially in banking, the integration efforts of all management personnel aimed at increasing the risk protection of their organization are usually expressed by the following types of strategic interaction:
Development of the main trends in the implementation of risk strategies in the form of clearly defined decisions of senior management;
Projecting a risk strategy onto all divisions and services of a business organization that, by the nature of their activities, are associated with the implementation of risks;
Strategic planning of the parameters of identified risk positions, taking into account the economic interests of counterparties and the existing production potential of the enterprise;
Development, based on situational analysis, of corrective action plans to influence manageable risks within a strictly defined time frame, in order to effectively track the trajectory of risk positions;
Conducting scientifically based examinations and preliminary testing of risk management methods and tools, with further implementation in practice.
Questions to Study
1. Name the main methods of risk management.
2. What are the main features of industrial risk management?
3. Reveal the content of the risk protection mechanism for management personnel of a business organization?
4. Define the term “subjective risk action”?
5. How is the decision-making procedure carried out through risk management?
6. How does the “social recognition” factor manifest itself?
7. What is the essence of strategic risk management?
8. What are the five main conditions for the formation of a risk strategy according to Mintzberg?
9. Describe the stages of organizing and implementing a strategic risk management system at the enterprise level.
10. What are the main types of strategic interaction?