After our last post on the benefits of risk mitigation and liability management for you and your organization, we now discuss the steps involved in the minimisation of risk.
In a business enterprise, risks may arise from uncertainty in financial markets, the possibility of project failures, accidents, natural causes and disasters, legal liabilities, danger to the creditworthiness of borrowers, as well as deliberate attacks from an adversary.
Systematic minimisation of such risks involves a three-step process. The first step requires the identification and analysis of all risks that may be applicable to an organization or a particular project. The second step involves the allocation of those risks among the parties. The principle that the person who is most capable of sustaining the consequences of the risk can bear it at the least cost may be useful in allocating the risk. The third and final step involves the creation of mechanisms to manage the risks.
1. Recognition of Risks
Recognition or identification of all risks is the first step in risk management. For example, some of the risks relevant to an organisation could be financial risk (implying the possibility of a fall in the value of its investments), business risk (the risk specifically applicable to your company), country risk, and exchange rate risk (which is relevant if you are concerned about forex rates, say, if you are in the export or import business). Organizations should regularly undertake a comprehensive, focused assessment of potential risks. There are several categories of risk. Further, risk may have to be looked at on a project-to-project basis. At the first stage, risk has to be identified at two levels:
2. Risk Allocation
Once the risks are identified, an attempt should diligently be made to minimize them. This could be done in various ways:
- Avoid the risk – this could be done by replacing the source of risk; that is, if the risk is from the vendor, try replacing the vendor. Alternatively, go for a different type of contract that will do away with the risk in the first place.
- Transfer the risk – If the risk cannot be avoided outright, steps should be taken to mitigate it. At the same time, other avenues should be identified through which the risks could be shed completely (such as subcontracting where it is warranted). This could also be possible by allocating the risk to someone else who is more capable of bearing it (such as an insurer). Legally, such solutions are achieved largely through deploying contractual mechanisms.
- Acceptance of Risk – the third way is to accept the risk and plan the other processes of business within the organization to prevent it from materializing at all, and then to accommodate it if it arises despite precautions. Being caught by surprise is the worst that can happen to a business. For instance, you realize that a situation might arise where you might have to pay damages. You could then plan your finances in such a way that you can pay the damages if required without a crippling effect on your vision and plans for your organization.
3. Risk Management
Risks must also be managed in order to minimise the possibility of their occurrence, and to minimize their consequences if the event does occur.
Organizations should ensure that they are better informed about riskier events, and that they have greater control over the situation, in the form of preventive or backup measures.
For risks created out of human activities (that is, not forces of nature) between parties, or prospective parties to a transaction (not third parties), creating in-house policies is key to managing a risk that has to be absorbed. Defining the role of employees at various levels (junior, intermediate and senior) and specifying their duties in different kinds of possible circumstances can ensure a few simple things toward minimizing risk:
1. If there is a lawsuit filed by a client, customer, business or third party, the existence of the policy can indicate that the organisation has exercised due care and shield it from certain kinds of legal liability.
2. By authorising specific people to communicate, the possibility of miscommunication by different employees of the organisation and its other business parties is minimized. If there is still a miscommunication, it also helps in pinning responsibility on the defaulting employee, minimizing contractual risks.
The manner in which such policies are drafted goes a long way towards addressing concerns about various risks. They should ideally specify two things:
1. The acts the employees are authorised to do, and the way in which they should deal with sensitive information (sensitive for the client or the employer). Anything that they are not authorised to do may be forbidden, and
2. What employees should do in the event that they come to know of something untoward that is happening in the organization. It should specify what measures employees can take to bring the event to the notice of the appropriate concerned authorities, so that the occurrence of something your organisation does not want does not go unreported merely because the employee who knew about it had no compelling reason or duty to inform you about it. The policy should oblige (and if possible, even incentivize) employees to report unexpected and undesirable outcomes to the concerned management.