Risk management is vital for virtually all businesses, especially given the precarity of the current global economy. But according to research from Ropes and Gray, 69% of executives have expressed a lack of confidence that their current risk management practices will be sufficient to mitigate future risks.
With the right tools and techniques though, risk can be identified and analysed on a more granular, nuanced level. Doing so will allow for a more robust future-proofing process, helping leaders better understand their projects and organisational health.
In this article, we’re going to explore exactly what those tools and techniques are. First though, we need to understand the basic process of risk management.
The four phases of risk management
While most businesses have their own variations and ‘best practices’, the risk management process generally involves four distinct ‘phases’:
1. Risk identification
Wherein intelligence and critical thinking are used to pinpoint specific pain points and challenges, as well as to identify unknown factors that must be tracked and understood.
2. Risk analysis
Once risks have been identified, two broad approaches are taken to analyse and generate useful information about those risks. Quantitative analysis uses statistical and mathematical methods to analyse risk factors and create projections that help to understand the levels of risk involved, while qualitative analysis uses subjective measures and expertise to make decisions about what to focus attention on.
3. Response measures
Various actions are taken to avoid or mitigate key risks, including drawing up contingency plans and transferring risks onto third parties – i.e. insurers.
4. Risk monitoring
Once a project is up and running, it must be carefully overseen to ensure new risks don’t appear and existing risks aren’t exacerbated.
Now that we understand how the risk management process works, let’s look at how the identification and analysis stages can be improved using simple-but-effective techniques.
Tools and techniques for risk identification
The Delphi technique
The Delphi Technique is designed to provide unbiased expert insights into the potential risks a specific project or action will create.
The process is simple: you take a line-up of professionals highly knowledgeable in a specific area and have them answer a questionnaire; by compiling and cross-referencing their answers, you should gain a more granular view of the challenges and risks you face.
The process is generally repeated at least twice, in order to probe at deeper insights and create a more robust perspective.
Benchmarking
Benchmarking leads off from the insight that risks are often hidden, siloed in specific areas where it is hard to gain visibility.
Simply put, you draw careful comparisons between periods of time or departments, searching for anomalies, incongruities or contradictions. The premise is that such comparisons might uncover otherwise undetected risks or weaknesses in performance.
SWOT analysis
SWOT stands for Strength, Weakness, Opportunity and Threat. By brainstorming in a rational way, the idea is to create a clear view of the potential gains, losses and risks involved in a particular action or project.
This not only helps identify risks – it also helps contextualise those risks and work towards a fuller overview of the assessment.
Root cause analysis
Risks are often interconnected, and this can make it difficult to gain real clarity on the situation.
In a Root Cause Analysis, you look closely at the causes of the problem, identifying the various causal relationships it has with other factors. This may then be mapped out using decision trees (see below) in order to achieve a clearer assessment.
By making sense of the root of a risk, you may find you can mitigate or remove it without actually incurring any losses or disrupting the project.
Tools and techniques for risk analysis
Failure Modes and Effects Analysis (FMEA)
Review as many components and subsystems as possible to identify potential points of failure in a system, and understand their causes and effects.
In many ways, this is similar to Root Cause analysis, except that FMEA looks at entire complex systems.
By analysing them, a more granular understanding of the workings of a specific risk factor will be gained. It can be undertaken either quantitatively (using statistical modelling) or qualitatively, using insights gained in the initial phase.
Sensitivity analysis
Experiment by introducing different variables to the pre-existing risk assumptions, measuring how much risk would fluctuate depending on the accuracy (or, more importantly, inaccuracy) of the initial forecasts.
What would happen, for example, if sales decreased by 5%, or operating costs ran over by 12%? This is what sensitivity analysis intends to find out.
The idea is to understand how assumptions or projections have shaped the risk management strategy, and to stress-test them so that hidden risks aren’t allowed to manifest beneath inaccurate assumptions.
Analyse all identified risks (either qualitatively or quantitatively, depending on the data available) and sort them into distinct categories. This will help manage the response to them, by decreasing complexity and helping to prioritise more immediate and intense risks.
A popular version of this is Red, Amber, Green (RAG), wherein all risks are divided into the categories of high, medium or low risk.
Decision trees
Draw up a diagram relating every decision within a project and its expected outcome. You should also include random (but plausible) events, in order to cope better with uncertainty, as well as financial and business-related factors which would be affected by the changes.
These decision trees will help you understand how individual decisions forge a larger pattern, closing off certain possibilities and creating others.
This tends to be a labour-intensive technique, which is best used in smaller scenarios, rather than as an overarching approach – the branches of a large project would be truly enormous.
Formulating a strategy
Of course, few businesses will use every one of these techniques. Instead, you must focus on formulating a strategy which helps you better understand your project; reduces the complexity of risks; and gives you maximum control over potential disruptions.
Here are three important factors to consider:
Embrace diverse perspectives
The greatest danger in the risk management process is the undetected bias; if a group of analysts share the same assumption or belief, they will never notice it in each other and potentially huge risks can be allowed to slip into the fray undetected.
This is exactly what the Coronavirus pandemic has shown us: the possibility for systematic failures of risk management, largely based on institutionalised assumptions and ideas about what is and is not a credible threat.
With growing complexity across the global economy and political instability, risks are only becoming more numerous and more difficult to detect. So embracing a risk management strategy which is as diverse as possible will help weed out dangerous assumptions and detect pre-existing blindspots.
Combine techniques effectively
Most organisations will benefit from several of the tools and techniques we’ve discussed, but the most effective way of using them is as supplements to each other.
By focusing not on individual techniques but the ways they interact, time and resources can be more effectively used. Equally, potential weaknesses in particular approaches can be fixed and reinforced by other approaches.
As with the team and perspective you instantiate, the actual techniques used should be as diverse and harmoniously combined as possible.
Make use of technology
Most risk management processes already involve using simple tech, like spreadsheets and number-crunching systems. But there are a heap of exciting new applications which will radically alter the playing field.
AI in particular offers a means of labour-efficient analysis and data gathering which is faster and more robust than anything humans could plausibly do. And the time-saving will allow the humans involved to focus on more creative, strategic factors.
At Contingent, we use AI to provide real-time supplier information, which can be visualised and analysed to create a far richer map of the supply chain, ultimately allowing organisations to understand their risks in far greater and more reliable detail.