Risk Management Simplified

Risk management. Why make it difficult when you can make it easy? That is perhaps what Andy Osborne thought when he wrote his most recent book, Risk Management Simplified. The cover says that it is “A practical, step-by-step guide to identifying and addressing risks to your business”, and it doesn’t come much more practical than this. This is a handbook and a self-assessment tool that leaves practically no risk uncovered. It’s practical, well-illustrated, to the point, not academic at all, filled with case examples and easy to work with. In this post, I will take a closer look at the book, because despite its simplicity, it does hold a couple of hidden gems worth mentioning.

The risk management cycle

Chapter one dives straight into the matter and Andy Osborne comes up with a long and dismal list of all the things that can go wrong in business. At the core of the book, and introduced here, is the risk management cycle, which provides the outline for the individual chapters of the book. This cycle is similar to the risk management cycle used in ISO 31000 Risk Management and ISO 28002 Supply Chain Security, which I have posted about before, and it follows the traditional Plan-Do-Check-Act principle.

Identify risks > Quantify risks > Identify countermeasures > Implement countermeasures > Monitor and review > Identify (new/changed) risks > …

Each chapter deals with one of the above stages, and first off, Osborne illustrates how risk management pervades practically every business activity one can think of:



This is very similar to what can be seen in Hamilton’s circle of risk.

Identify risks

Chapter two takes a closer look at risks and Osborne separates risks into 8 categories, partially derived from the figure above:

  • Strategic risks
    • e.g. business growth and future direction
  • Operational risks
    • e.g. supply chain issues
  • Financial/commercial risks
    • e.g. cash flow problems
  • Regulatory/compliance risks
    • e.g. failure to meet legal or contractual requirements
  • Health and safety risks
    • e.g. workplace accidents
  • Personnel risks
    • e.g. loss or unavailability of key staff
  • Technology risks
    • e.g. IT failure
  • Project risks
    • e.g. failure to meet timescales

While this is a list that has to be adjusted to the individual business of course, I think that these categories fully capture the entire internal and external environment a business operates in. You may also want to look at Kiser and Cantrell (2006) or Manuj and Mentzer (2008) for comparison.

Quantify risks

In chapter three Osborne describes how to quantify risks. Here, Osborne applies the traditional risk matrix, with a 1 to 4 scale for likelihood and impact. Osborne prefers to keep it simple and argues that for most risk management purposes it is sufficient to rank likelihoods on a low-medium-high scale rather than using exact probability estimates. I would agree with that. When determining impact, Osborne advocates distinguishing between financial and non-financial impacts, as non-financial impacts, e.g. loss of credibility or damage to reputation, could be just as devastating as an economic loss. By the way, Garry Honey has written a whole book on reputation risk.

Identify countermeasures

After identifying the risks and the impacts the company is now left with four types of risks it needs to address:

  • Risks that must be mitigated
  • Risks that should be mitigated
  • Risks that could be mitigated
  • Risks that do not need any action

This is what the fourth chapter is about, namely applying the four responses below. Note that the “Avoid” category, as seen in Deloach (2003) “Enterprise-wide risk Management” is not seen here, and I am inclined to agree with Osborne. Reducing is better than avoiding.

  • Accept risks
  • Manage risk
  • Reduce/Transfer risks
  • Insure/Planning for risks

Accept risks: If the likelihood is low and the impact is low, it may be a perfectly reasonable decision to do nothing and to accept certain risks. There may also be occasions when, although there is a higher likelihood or impact, it is either uneconomic or even impossible to implement countermeasures, for instance where the cost of addressing the risk outweighs the potential loss.

Manage risks: For risks with a higher likelihood but a low impact (such as pilfering of low value items, minor operator errors or other “glitches” which cause inconvenience as opposed to significant problems), a sensible approach might be to manage and control them, for instance by improving and documenting processes, by providing adequate training and education and by implementing controls and procedures to regularly monitor and review the situation.

Reduce/transfer risks: For risks with a high likelihood and a high impact, risk reduction measures are absolutely essential. For instance, hazardous or dangerous procedures should be modified, stringently controlled and monitored or outsourced to someone more qualified or better equipped to carry them out safely.

Contingency planning: If the likelihood is low but the impact is high – such as loss of operational capability, serious damage to reputation, large financial losses or even failure of the business – contingency plans should be developed. These are often referred to as business continuity (or in some cases disaster recovery) plans.

Insurance: Insurance is a common, and extremely important, form of risk management. Insurance may provide a safety net for business if things go horribly wrong, but it should be borne in mind that insurance only addresses (some of) the financial impacts of some of the risks: It merely provides a pre-defined sum of money in the event that certain pre-defined risks occur. The appropriate use of insurance is an important weapon in your risk management armoury, but it’s a big mistake to view it as the only weapon.

Implementing countermeasures

Chapter five considers the implementation of countermeasures. A helpful tool that Osborne suggests and exemplifies is a risk register. A risk register is a document which summarises the risks identified, along with the likelihood, impact and resulting risk rating, the appropriate countermeasures for each, the actions decided on for each risk and their current status. This may perhaps seem like an overly simple tool, but it is definitely a technique that helps keep track of what should be done, what has been done and what has not been done.

Monitor and review

Chapter six looks at the final stage of the risk management process, ongoing monitoring and reviewing. Actually, monitoring and reviewing is not that difficult, Osborne says, because it is all about considering, for each countermeasure, whether

  • it does the job it’s intended to do?
  • it reduces the overall exposure to risk?
  • it improves efficiency?
  • it continues to be cost-effective?
  • the level of residual (remaining) risk is acceptable?
  • it is being adhered to?

“What gets measured gets done”, Osborne says, so in order to assess the above some metrics must be used, such as

  • financial measurements, such as cash flow
  • operational measurements, such as service delivery or downtime
  • commercial measurements, such as increased or lost sales
  • customer feedback, such as complaints and product returns

Osborne also spends some time discussing the necessity of building a culture of risk awareness and setting the appropriate level of risk appetite. After all, while many risks do have a downside loss, in most cases there could be a potential upside opportunity as well, and Osborne suggests that this level is set individually for all risk categories mentioned in chapter two above.

Tools and techniques

Chapter seven discusses some of the tools a company can apply to assess and manage risks, such as

  • Brainstorming
  • Dependency modelling
  • Process mapping
  • SWOT analysis

I guess there could have been a lot more, but as Osborne rightly says,

Because the purpose of this book is to simplify and demystify the risk management process and make it more relevant to those who feel it’s important but for whom it isn’t necessarily a full-time occupation, there’s no room for most of them here.

Nonetheless, for the small business owner, there’s still more than enough to read and ponder in this book.

Examples of risks and countermeasures

The best part of the book is perhaps the 10-page appendix, where Osborne systematically lists risks and countermeasures, according to what has been said above. Even if you do not read the whole book, these 10 pages should be required reading. Every day in fact, just to remind yourself of all that can go wrong, and what you can do about it, which in fact is quite a lot, so there is no reason to ignore risk, pretending to see no evil and hear no evil.

Conclusion

This is a book that is very easy to follow. Each chapter provides hints and tips highlighting particular issues, and a couple of case studies to illustrate the points that are made, including self-assessment worksheets. The back end of the book is made up of a step-by-step guide with risk examples and possible countermeasures. This makes the book perfect for small and medium sized firms who want to tackle their risk environment themselves rather than hiring some consultant to do the job for them. That said, in my opinion, risk assessments should always be carried out by the company and not the consultant, in any case. Even in all its simplicity, this book is far from superficial as far as risk management goes. Osborne has managed to scoop up the essentials and presents them in an elegant and completely non-academic approach, and therein lies its greatest value.

 

Reference

Osborne, A. (2010) Risk Management Simplified. Hothive Books.
