An MBA student once asked me to give her a simple explanation of the "risk management function." After a few minutes of fumbling, I told her that risk management is the process of identifying, prioritizing, and mitigating the impact of unforeseen (and usually negative) events. In other words, it's a form of proactive contingency planning -- either to completely avoid difficult situations, or prepare for them so that any undesirable consequences are lessened.
Her question got me thinking about who is actually responsible for managing risk in an organization. There are many types of risk, and the official risk management function usually only addresses the most critical ones. For example, in a bank, risk management concentrates on financial risk; in a hospital, the focus is on patient and legal risk; in a manufacturing firm, the concern might be product or environmental liability; and in a utility the priority is outages.
Since these "big" risks are either integral to conducting business or threaten business continuity, it's appropriate that they receive special attention and resources. But on a day-to-day basis, managers face many other types of risk that are less visible and therefore receive less attention. But these risks also need to be managed -- and if you're in a position of leadership, the act of managing them is probably up to you.
Here are a few of those less obvious risks that come to mind:
- Project Risk: From the time a project is launched there are many factors -- or risks -- that might cause the project to be over budget, late, or unsuccessful in some other way. As a project leader you need to continually think through the risks that might endanger a project, focusing on how to get around them or limit their impact.
- Reputational Risk: Companies derive great value from their reputations both at a brand level and in terms of overall image, but reputations can be easily damaged. Take for example the reputational damage done to Goldman Sachs last year when a single manager arrogantly defended business decisions widely considered antithetical to the firm's stated concern for its customers. Similarly, managerial inattention to quality standards severely harmed J&J's reputation for product safety. As a manager you need to be mindful of the risks to your firm's reputation that stem from your actions.
- Customer Risk: Customers, both internal and external, are the lifeblood of an organization. If they don't want your product, service, or information, then you're out of business. Therefore you have a big stake in your customers' success and need to be aware of the risks that they face. This means doing more than just providing what's asked for -- but proactively looking for other ways to add value.
There are undoubtedly many other types of risk that every leader needs to manage -- staffing or skill gap risks (what happens if we lose some key people?); budgetary risks (how do we get our work done if the budget is cut?); supplier risks (how do I cover a shortage of key materials?); and many more. The often-unrecognized part of the manager's job is to identify these risks and prepare for them should they occur. And that goes for unanticipated positive developments as well, for example how to cope with a sudden surge in orders.
Yet at the same time, one of the recurring themes for managers these days is the need to learn how to take risks, which may seem contradictory to the notion of managing them. But in many ways the thought processes for each are the same. To take risks effectively you need to anticipate the possible impacts of your actions, and then make a conscious decision about whether to go forward or not, or to go forward in a way that will reduce negative consequences.
Perhaps one way of learning how to take risks is to be more conscious about the built-in risk management aspects of your job. If you improve your ability to identify and mitigate the ongoing business risks, it should give you more confidence in dealing with the personal risks required for innovation and working outside the box.
To what extent do you consider yourself a risk manager?
Cross-posted from Harvard Business Online