Identifying, Evaluating, Recording and Responding to Your Risks (IERR)

The first step to managing risk is to identify the risks to your business and then evaluate them. You then record and report on them and finally respond by developing appropriate strategies to address the threats they pose in a structured way. Using this ‘IERR’ process, you can judge how risks impact on your business.

As you may have spotted, the process of risk assessment is closely linked to the Business Impact Analysis (BIA) that we discuss in Chapter 4, which is where we also help you identify your critical activities and assess the maximum period for which they can potentially be disrupted before the disruption proves threatening to your entire business.

A risk strategy is simply deciding how you’re going to address a risk or a group of risks. You may decide that for specific risks you need insurance. For others you may choose to invest to reduce the risk. For still others, you may choose to do very little or even nothing because of a low impact or slight chance. You can blend risk strategies to optimise the benefits, reduce costs or create more effective solutions.

This process may seem like a lot of work initially, but it’s all manageable. And when the systems are in place and you’ve trawled the risk-infested waters in which your organisation swims and assessed what you’ve found, ongoing maintenance is fairly plain sailing. The stormy waters that catch businesses unawares are the problem.

In the rest of this section, we show you how to build a risk register you can use as a basis for your business to make decisions and as a useful way to monitor risks.

IERR Stage 1: Identifying your business’s risks

Risks to your organisation abound far beyond your own building or systems, and also lie in services you depend on – telephones, power supplies, water, technology, suppliers and transport systems – out in the wider environment. Failures in these areas are common and have a domino effect that means your business can be seriously affected even though the event didn’t happen to you directly.

Risk environment

When you think of risks, you need to consider not only your organisation, but also the environments in which it operates. In this section we split the risk environment into three areas (see Figure 5-1):

- Wider environment: Risks over which you have little control but can mitigate, such as major transport disruptions.

- Immediate environment: Risks that you have more control over, such as not having a contract with one of your key suppliers.

- Internal business environment: Risks on your doorstep that you can control the most.

Figure 5-1: The risk environment.


This way of thinking about your risk environment provides you with an overview of all the types of risk that your business faces.

Your organisation has resources and uses processes that it depends on to operate. For a one-person plumbing business, say, these may be tools, a mobile phone and a van, but don’t forget all the materials you use, the insurance and licences to operate and a whole host of other things that you need for your business to work. Even with the smallest business, the risks of disruption exist and can have a serious impact pretty quickly.

You may find that identifying risks arising from the wider environment is easier than detecting those right under your nose. This is because most of the wider risks are the sort of things that you read about in the newspapers or see on the evening news: flooding, flu pandemics, extreme weather, terrorist atrocities and so on.

Despite this, you (or an appropriately experienced person within your company) are best equipped to identify the internal business environment risks to your organisation. You know it better than anyone else and probably have seen some near-misses that you need to bring onto your risk radar. Or if you’ve been unlucky, you may have been involved in some real-life disruptions that themselves offer lessons and information for making sure that they don’t occur again. Or, if they do, that you can at least continue trading.

As you work through this section, draw up a table similar to the one in Figure 5-2, which allows you to jot down the risks as you think of them. The columns to fill in here are:

- Brief description for the risk.

- Where you identified it – that is, as part of your wider, immediate or internal business environment.

- Which grouping it seems to fall under – for example, staff, premises and so on.

Use a spreadsheet package if possible so that the information is easier to group and read later on.

Figure 5-2: An example of a risk register.


The detail is unimportant here and so don’t spend loads of time thinking about the likelihood or severity of the risks that you identify; you do that in the later section ‘Looking at a scoring system’, which is also where you complete the ‘Owner’ and ‘Dependency linked risks’ columns.

Wider environment

This area includes all elements of the environment that impact on your organisation’s critical activities but with which your business doesn’t have direct contact. A good, effective and simple starting place is to look at the National Risk Register (NRR; check out the nearby sidebar ‘Consulting the National Risk Register’ for more details). This government publication sets out a range of risks that the UK faces and that may have a major impact on all or significant parts of it. The NRR is freely available and updated on a regular basis. It tells you which risks are relevant nationally and gives you an indication of their potential likelihood and national impact. Take a look at www.cabinetoffice.gov.uk/resource-library/national-risk-register.

You may be thinking that this information is all about civil emergencies and isn’t likely to affect your plumbing business in Kettering. However, these situations are precisely where considering the wider environment is so important, because although a flood may affect everything within, say, Cambridge, your suppliers may be caught up, leaving you unable to carry on and so cost you money.

Figure 5-3 shows the 2012 NRR risk matrix and gives an idea of the likelihood and impact for each risk along with its relationship to other identified risks.

Figure 5-3: The 2012 National Risk Register: An illustration of the high-consequence risks facing the UK.


Immediate environment

This area covers the risks contained within the running of your business, such as ones connected to partners, competitors, suppliers, distributors, customers and other entities that have direct contact with your organisation. If they come to pass, these risks are likely to impact your critical activities, including the production and sale of products, the preparation and delivery of services, or a number of other things depending on the type of business you have.

Factors to consider here are:

- What happened to your business in the past?

- Have you had any near-misses?

- Have other similar companies to yours sustained a disruption or crisis?

- Have other businesses within your geographical area been subjected to any problems that may affect you?

- Do your staff know of anything within their areas that’s causing them concern, such as something that they keep sticking a plaster over to get by?

A good starting point when looking at your immediate environment is to get hold of a copy of your local Community Risk Register (CRR; see Figure 5-4 for an example). These registers are in the same family as the NRR from the preceding section, but look only at risks and hazards within a specific area. Risks vary in different geographic locations and for areas with different demographics. The CRR gives you a good idea of any larger risks to your critical activities that you need to be aware of; for example, being situated near to a hazardous site.

You can find more information on community resilience on the Cabinet Office website: www.cabinetoffice.gov.uk/content/community-resilience.

To demonstrate this risk area, we use the example of a business selling products to supermarkets (the principles are the same for all businesses).

Your business Shine Cleaning Co. sells four products that you produce in a number of different ways as follows, including the percentage of revenue generation for each product:

- Oven cleaner: Outsourced to a manufacturing firm in Coventry. Accounts for 80 per cent of revenue.

- Disinfectant: Outsourced to a small firm outside London. Accounts for 5 per cent of revenue.

- Hand soap: Outsourced to a firm in China. Accounts for 12 per cent of revenue.

- Sponge cleaner: Produced in-house from components ordered in. Accounts for 3 per cent of revenue.

Figure 5-4: An example of a Community Risk Register.


Based on the revenue percentage, you identify your critical activities to be those associated with the production and sale of your key product – the oven cleaner. If a disruption hit your own business, it would cause problems, but any sustained failure by your supplier to produce the oven cleaner threatens closure of your company.

Setting aside the other products, you can break down the activities into the following categories:

- Partners: The risks in this category include the following: a partner with your business not having sufficient components to make up orders; machinery defects resulting in loss of production capacity; labelling not meeting your customers’ standards; quality of product falling below the standard your customers accept; and delivery unable to take place.

In the example, although an outside firm produces the oven cleaner, you view the firm as your partner because it purchases components for the product on your behalf. Your business relies on this manufacturing firm to order in the components and be able to produce the products, pack them and ship them to your warehouse.

- Competitors: The threats that arise from your competitors include things such as the threat of substitution, the ease with which a new competitor can enter your market and the release of a rival product onto the market.

You’re already in the cleaning industry, so you have a good idea of the level of competitive rivalry within it and the bargaining power that suppliers and customers have. These factors combined give you a good idea of the risks from competitors and the things that are at the back of your mind as worries. You now need to bring them out and record them as not just worries but risks to address.

- Suppliers: The obvious risk here is that your suppliers can’t supply you with your product – in this example, the oven cleaner. But other risks apply as well, such as under-delivery of quantities needed or delivering poor-quality products. Here you see clear links with the wider environment risks (check out the preceding section) in such areas as transport disruption from extreme weather or major accidents.

- Distributors: The risks here are interwoven with other areas but worth making plain. We are, of course, talking about transport and warehousing. These are integral parts of the supply chain because everything else going without a hitch is all for nothing if the goods don’t reach the customer due to transport or road problems.

- Customers: The risks that arise from your customers are generally centred around them no longer using your firm for their products and services; in this case, oven cleaner. You need to record this risk because failure to address it may leave your business lost when a significant customer that you rely on stops ordering. Nobody wants to consider losing customers, but you’re more likely to survive if you think about it and are prepared.

- Others with direct contact with your organisation: You look at all other aspects that you haven’t captured in the preceding categories. In the oven cleaner example, you need to be aware of a couple of additional players: regulatory bodies; in this case trading standards and the health and safety executive. Your oven cleaner is corrosive, and so you need to produce and register a medical safety datasheet with the relevant authorities. Failure to have a safety datasheet means that you can’t sell the product.

Ask yourself whether any regulatory obligations are associated with your business.

Figure 5-5 illustrates that this process doesn’t need to be complicated or a beautifully crafted piece of work; it’s simply about looking at the risks that you face by breaking down your key products and services. In Figure 5-5, we show the product at the centre with the suggested risk areas coming from it, spreading into risks that may materialise. In the figure, we stop there, but for your business, you may want to go a step further in breaking these risks down.

Internal business environment

This area covers the aspects within your business, the ones you know the most: staff, premises, IT systems, machinery, equipment, held stock and vehicles.

Examine these areas through the lens of your critical activities. To get you thinking, we stick with the Shine Cleaning Co. example from the preceding section and work through each of the elements:

- Staff: Your aim is to continue producing and selling your key product, here the oven cleaner. Although you rely heavily on outside parties such as suppliers and haulers, your staff need to manage these contacts. The risks include not having the staff available to invoice customers or send over dispatch paperwork to the transport company.

Look at staff members you know contribute to your critical activities and identify the associated risks such as illness; being unable to get into work through bad weather or school closures; leaving your organisation after winning the lottery; or getting stuck in a foreign country after a holiday because a volcano is blowing ash over the continent.

- Premises: Risks to your premises are likely to be that you can’t get access to it, perhaps because it’s flooded, and yet you store essential equipment and information there. Start to look at how you’d handle this situation. So, if you think, ‘We don’t really need an office, just a broadband connection,’ hold that thought because it may form part of your response strategy.

Know your local area and building so that you can recognise when something begins to go wrong. You can easily discover some things for yourself if you take a bit of time. For example, walk around the outside of your building and look out for any frayed wires, a slight leak, a pipe that you don’t know the purpose of and all the things you don’t notice as you hurry past every day.

- IT and other systems: We could write pages here, but you know the risks – so scribble them down. Threats include viruses, denial of access attacks, hackers, the air-conditioning units in the ceiling leaking all over your server and causing a power failure – and that’s just the beginning.

- Machinery and equipment: Equipment can be anything from the forklift for getting the pallets onto the truck to the printer ink cartridges for printing off your invoices. If you have equipment, you also have risks in that it can stop working (or stop working effectively). In the oven cleaner example, you outsource your manufacturing, but this doesn’t mean that you outsource the risk. Just because you aren’t carrying out preventative maintenance yourself doesn’t mean that you don’t need to see the schedules from your supplier.

- Held stock: If you hold stock and it’s part of your critical functions, look at the risks to it. Damage, theft and too little to meet immediate orders are the obvious risks, but plenty of others apply too, if this is an important area to you.

- Vehicles: Having identified the vehicles that you use when carrying out your critical activities, now is the time to look at the associated risks. These can range from failure to start, to being written off in an accident or not having suitable staff around to drive them.

Write down the risks that you’re aware of, because they’re the sort that become reality just at the wrong moment. Urgent deliveries seem to attract road closures and tyre blowouts. You’ve seen the shredded rubber from tyres on the side of the motorway; likely as not, that happened on an urgent delivery to a customer.

If you find yourself thinking, ‘But what about such and such . . .’ put it in; our example is just to give you an idea.

Figure 5-5: Breaking down the risks.


Completing your risk register

The activities that you carry out to produce your risk register give you a structured way of identifying a large number of the risks facing your business. How you write them down precisely is less important than physically recording them. Your aim is to have a risk-management process in place that you can build upon as you think of and discover new risks. Nothing stays the same, including your risk environment, which means that your risk register can’t either.

IERR Stage 2: Evaluating your business’s risks

From IERR Stage 1 (in the preceding section) you have your risks, at least the ones that you’ve identified anyway. The next step is to take these rough jottings, now bursting at the seams, and evaluate them and turn them into something that you can present as a risk register. In a lot of ways, Stage 2 is the most tricky because you have to assess the likelihood and impact of these things occurring. At times, you may have to make a best guess, though at others you may have a fairly clear idea, certainly on the impact factor.

As we work through the chapter we build towards providing a clear visual representation of the risks you’ve identified on a grid. We plot these on the grid using your assessment of the likelihood of these risks occurring and your judgement of the impact they’d have on your business.

The methodology of the NRR (from the ‘Wider environment’ section, earlier in the chapter) is worth remembering because we use an adapted version to guide you through the next stages.

Creating a risk matrix

The risk picture that you’ve started to build up can be difficult to absorb, because single pieces of the puzzle aren’t enough to enable you to rely on them in making decisions. For this reason, you need a risk matrix that puts these pieces together to form your organisation’s all-important risk picture. This picture is the overall view that allows prioritisation: where to act and provide support in rationalising why you aren’t spending money in certain areas. The risk picture also enables you to communicate this information clearly to colleagues, owners, shareholders and, if required, customers and suppliers.

After you’ve evaluated your identified risks, you can see which ones are more likely to happen than others. And then which of these are going to have the most impact on your business. But before you can do this, you need to calculate these ratings. So to evaluate the risks that you’ve identified, you need to work out a scoring system based on factors that make sense to you. Of course, the system needn’t and can’t be perfect.

You’re looking for an idea of the risks that are going to have an impact on your critical activities, how much of a problem they may cause and whether they’re worth worrying about or are never likely to happen. So forget, say, about the 1-in-every-200-years flooding event – you really want to know about the likelihood of your premises being flooded (again) by that faulty dishwasher hose that you’ve never put right and how to stop it happening. Or the likelihood that the whole accounts department is going to be off at the same time with flu and you can’t get your invoices out.

Looking at a scoring system

We present a simple 1–5 scale that you can use for both risk impact and likelihood, with 1 being the most minor and 5 being red alert; you get the picture, we’re sure.

Here’s the risk-impact scoring scale:

1 = Limited

2 = Minor

3 = Moderate

4 = Significant

5 = Company crushing

Table 5-1 shows the risk-likelihood scoring scale.


This scoring system is just a very simple example. But to get you started in this area, the simpler the better. For each risk that you identify on your risk register, you need to allocate a score for its impact on your business and the likelihood of it occurring.

These scores are only ever going to be a best guess because not even the largest organisations can accurately rate each risk; even with the most expensive systems. The likelihood columns just give you an idea of the chance ratings that may be associated with your scoring system, but if you find them confusing then ignore them.

The key to this exercise is that at the end you can relationally compare your risks.

When you begin attributing scores to your risks, you may need to return to some and have a re-think; this is the benefit of considering all your risks as they crop up and not just one in isolation. Also, examine the risks that are linked and put the risk number in the ‘dependency linked risks’ column of your risk register from Figure 5-2, which then looks something like Figure 5-6. Doing so enables you to put strategies in place for dealing with multiple events that relate to each other.

Figure 5-6: Risk register with impact and likelihood columns.


Of course, you can describe the risks that your business faces to staff using words that give a flavour for the severity or likelihood. A staff member who doesn’t frequently deal with risk may respond better to being told that something is ‘highly likely’ rather than ‘a 5 on the scale’. Use whatever works best for you, but being consistent throughout your workforce makes communication easier in a stressful situation.

This evaluation stage is about starting to look at your risks in relation to each other and leads you nicely on to the next section, which covers plotting your risks onto a relational matrix. Contain your excitement!

IERR Stage 3: Recording what you discover

After you’ve identified and evaluated the risks facing your business to help protect your critical activities, you arrive at the recording and reporting stage. The initial questions that you need to ask here are:

- Do you have any regulatory needs in terms of reporting?

- What information should you be reporting to the board on risk?

- What do your other stakeholders, such as shareholders, need to know about risk?

For the last two questions in this list, such risk reporting enables people to make strategic decisions up to and including ceasing ventures and projects or investing in them in ways that reduce the risks.

Knowing and understanding your risks isn’t going to take them away, but it is going to help you deal with them. Clear reporting provides a sound footing on which to do so and good risk information can be pure gold to your organisation.

Creating your relational matrix

One of the most common ways to show clearly your risks is to plot them on a relational matrix. This matrix has the benefit of easily showing the following:

- Impact scorings

- Likelihood scorings

- Relationship of these factors to other risks

The scorings that you have on your risk register (from the preceding section) are all you need to create a relational risk matrix. Figure 5-7 shows a grid with the vertical axis representing impact and the horizontal one representing likelihood.

The grid is split in the same 1-to-5 way as the scoring system in the earlier section ‘Looking at a scoring system’. Now you’re going to create a similar grid, using a spreadsheet package, to plot the risks using the numbers that you allocated in the risk register; in the example diagram we label our risks R1, R2, R3 and so on for simplicity. You can do this, or if you have different types of risk, prefix them with a letter, such as O1 (for operations risk 1) and A1 (for administrative risk 1); whatever makes sense to you and your business.

Figure 5-7: Example of a relational risk matrix.


Your completed grid then provides a clear visual aid to spotting those risks that you need to tackle and deal with now (the darkest shading in Figure 5-7 indicates the most serious and likely risk combinations), those that you can begin to prepare for (medium shading) and those that you simply ignore at this time and monitor (lightest shading).
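If you keep your register as data instead of a spreadsheet, the plotting step can be automated. The following is an added example, not taken from the book: it builds a small register from the Shine Cleaning Co. risks, places each risk on the 5-by-5 grid and ranks them. The scores in the sample register are constructed, and the rule that decides the three bands (multiplying impact by likelihood, with cut-offs at 15 and 6) is an assumption, because the chapter shows the shading only in Figure 5-7.

```python
from dataclasses import dataclass, field

ENVIRONMENTS = ("wider", "immediate", "internal")


@dataclass
class Risk:
    ref: str            # R1, R2 ... the label plotted on the matrix
    description: str
    environment: str    # where the risk was identified
    grouping: str       # staff, premises, suppliers and so on
    impact: int         # 1 (limited) to 5 (company crushing)
    likelihood: int     # 1 to 5
    linked: list = field(default_factory=list)  # dependency linked risks

    def __post_init__(self):
        # Reject entries that would fall off the grid or the three environments.
        if self.environment not in ENVIRONMENTS:
            raise ValueError(f"{self.ref}: unknown environment {self.environment!r}")
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{self.ref}: {name} must be a whole number from 1 to 5")


def band(impact, likelihood):
    """Assumed shading rule (not from the chapter): product of the two scores."""
    score = impact * likelihood
    if score >= 15:
        return "act now"    # darkest shading
    if score >= 6:
        return "prepare"    # medium shading
    return "monitor"        # lightest shading


def build_matrix(register):
    """Map every (impact, likelihood) cell of the grid to the risk refs in it."""
    grid = {(i, l): [] for i in range(1, 6) for l in range(1, 6)}
    for risk in register:
        grid[(risk.impact, risk.likelihood)].append(risk.ref)
    return grid


def render(grid):
    """Text grid: impact on the vertical axis (5 at the top), likelihood horizontal."""
    rows = []
    for i in range(5, 0, -1):
        cells = [",".join(grid[(i, l)]) or "." for l in range(1, 6)]
        rows.append(f"impact {i} | " + " ".join(f"{c:<6}" for c in cells))
    rows.append(" " * 9 + "| " + " ".join(f"{l:<6}" for l in range(1, 6)) + "(likelihood)")
    return "\n".join(rows)


def priorities(register):
    """Risks ordered most serious first, with their band and linked risks."""
    ranked = sorted(register, key=lambda r: (-r.impact * r.likelihood, r.ref))
    return [(r.ref, band(r.impact, r.likelihood), r.linked) for r in ranked]


def unresolved_links(register):
    """Refs named in a 'dependency linked risks' column but missing from the register."""
    known = {r.ref for r in register}
    return sorted({ref for r in register for ref in r.linked if ref not in known})


# Constructed sample register; the scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Coventry supplier cannot produce oven cleaner", "immediate", "Suppliers", 5, 2, ["R2"]),
    Risk("R2", "Transport disruption from extreme weather", "wider", "Distributors", 3, 3, ["R1"]),
    Risk("R3", "Accounts staff off with flu, invoices not sent", "internal", "Staff", 3, 2),
    Risk("R4", "Premises flooded by faulty dishwasher hose", "internal", "Premises", 4, 4),
    Risk("R5", "Delivery vehicle fails to start", "internal", "Vehicles", 2, 2),
]

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_REGISTER)))
    for ref, rating, linked in priorities(SAMPLE_REGISTER):
        print(ref, rating, "linked to: " + ", ".join(linked) if linked else "")
    print("Unresolved links:", unresolved_links(SAMPLE_REGISTER))
```

Run `unresolved_links` each time you update the register: a reference to a risk that has been removed or renumbered means a linked strategy may no longer cover the events it was meant to.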

IERR Stage 4: Responding

After you’ve produced your risk register and displayed your findings in a risk matrix, you immediately have a better understanding of the ones that you ought to be looking at soonest. The question now is what to do. A lot depends on how much resource your business has at its disposal and the attitude that your board or senior management has regarding risk (we explain risk appetite a little further on). Although your business’s spare cash may be low and its appetite for risk high, you may have highlighted that some risks exist that you can’t afford not to do anything about. This section looks at some of the broad options that you have in dealing with risks, and also provides some guidance on other things that you can do to ensure that you keep on top of new and emerging risks.

Strategies for dealing with risk

Your organisation’s risk appetite is the amount of risk that you’re prepared to tolerate before you consider action is necessary to reduce or remove the threat. For each risk to your critical activities, you need to draw up a strategy to bring it within your business’s risk appetite. Unless, of course, it’s already within it. We show five strategic types of response in Table 5-2 to start you thinking.

Table 5-2 Five Strategic Types of Response

Strategic Type: Response Description

Prevention: Terminate the risk by doing things differently and removing the risk. Put measures in place that stop the threat or problem from occurring or prevent it having any impact on your critical activities.

Reduction: Treat the risk by taking action to control it in some way that reduces the likelihood of the risk developing or limits the impact on your critical activities to an acceptable level.

Transference: This is a form of risk reduction where the management of that risk is passed to a third party via, for instance, an insurance policy or penalty clause. Nonetheless, if your critical activities come to a halt and your insurance is unable to help you recover, the risk is still yours and your critical activities have still come to a halt. The same applies if your supplier fails to deliver; you may get paid later but you’re still at a standstill for now. And you remain the business that fails to supply your customer.

Acceptance: Tolerate the risk, perhaps because you can’t do anything at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring are at an acceptable level.

Contingency: These are actions planned and organised to come into force as and when the risk occurs.

© OGC

You can select many different ways to respond to the risks that you’ve identified, and listing all the options here would be almost impossible. The response very much depends on the type of business you have.

Residual risk

The level of risk remaining after you employ your strategies is the exposure in respect of that risk. This residual risk needs to be acceptable and justifiable; essentially, it should be within your business’s agreed risk appetite.
