The risk landscape has changed dramatically over the last two decades.
The risk landscape has changed dramatically over the last two decades and at an increasing velocity. Whereas risk assessments were once primarily concerned with financial and operational functions, businesses have learned that strategic risk has become equally, if not more critical, to any risk assessment. Most notably, strategic risk is a reflection of the external market forces and a company’s preparedness for them.
While a private company may have a risk strategy in place, once it goes public it is faced with having to consider the wants and demands of investors and other stakeholders, who regard risk at a much more complex level.
What is especially important when identifying risk factors within your organization is to avoid making it a mechanical process. It’s not enough to distribute questionnaires or circulate a generic list for ranking risk. Risk identification has to be a much deeper dive that requires significant time and effort. Otherwise, your entire baseline will be wrong, and your company will end up managing and addressing the wrong issues.
A simple definition of risk
Let’s begin by considering the basic definition of risk: Anything that prevents or impedes an organization from achieving its goals and objectives.
Businesses often take that too literally by focusing solely on operational and budget issues. To put this in perspective, missing a sales target by one per cent will likely not cause significant damage to the overall long-term health of a company.
Real but sometimes less glaring factors such as reputation, corporate culture, cybercrime, deception, corruption or quality (e.g., product recalls) can be far more harmful.
For instance, in the past, companies expanding into Asia considered primarily capital allocation, financing and supply chain risks. Over time, organizations learned that the more crucial issues were related to having the appropriate business partners, fostering good communication with the subsidiary operations and engaging appropriately with local governmental bodies.
Commonly overlooked risks
There are of course the obvious risks that make up every profile; for example, regulatory compliance, financial reporting and operational controls. Then there are risks that are specific to industries that may not be applicable to the broader population of public companies – such as climate change or supply chain risk. A great deal depends on the products you produce, the services you provide, your location in the world and myriad of additional factors.
But experience has also shown there are some “hidden” risks that are often unaccounted for and are relevant to a large percentage of public companies. A few examples are:
A continuous process
Once an organization goes through a baseline exercise, often the assumption is that the go forward job is maintenance. The reality is, risk identification should be a continuous process that must engage the organization at all levels, from the Board to the production floor. Some companies appoint “Risk Champions” in its various divisions, while others adopt a top-down approach to seeking out feedback on risks. As a company grows and enters new markets, risk prioritization needs to be reviewed, adjusted and discussed frequently to ensure you are well-positioned to meet potential challenges as they arise.