This is the fourth article in our series on Managing a Mature Business. If you haven’t caught up, the other articles in the series published so far are:
- Managing a Mature Business – Managing Cash Flow
- Managing a Mature Business – How to Keep Innovating
- Managing a Mature Business – Marketing for Continued Growth
In this article, we will deal with identifying, prioritising, and mitigating risk – Risk Management Planning in a mature business.
But first, a recap of what a “mature business” is. The business cycle starts with a new business, then rapidly moves into a growing business, then eventually morphs into a “mature business” and ultimately – unless you do something at maturity – goes into decline. Each stage of this business cycle has different challenges.
In a “new” business, those challenges are all about establishing the business – proving the product, finding customers, poor cash flow. In a growth business, the issues are around retiring debt, satisfying demand, larger customer bases and proportionately larger debt-collection problems, control over organisation and business systems.
In maturity, it is about fading demand, older products, reducing customer bases, reduced cash flow. If this is recognised, businesses can “kick-off” a new growth phase by innovating and finding new products and markets through expansion or change. In this way, they can stave off the ultimate slide into decline.
Risk Management Planning is important at every stage of the business, but why is it especially important in maturity?
The characteristics of a mature business – reductions in sales activity, customer bases, markets and cash flow – mean that the implications of any risk actually materialising are large. Where a growing business may be able to withstand a risk event such as a fire thanks to its growing sales and cash flow, a mature business could be seriously affected by having to close and remodel for a few months. Will you have the cash reserves to stay closed? Will the customers return?
The COVID-19 pandemic is a good example of how a well-prepared business with disaster-management strategies in place may have been better placed to deal with it than a business that did not prepare and had to improvise as the situation developed.
Nobody could have predicted how COVID-19 developed and what it led to, from travel restrictions to social distancing and shutdowns, and the potentially fatal consequences of transmission of the virus amongst staff or customers.
However, businesses that had prepared Risk Management Plans with strategies to deal with major disasters would have been able to adapt those strategies to deal with COVID-19. They would have put into place existing plans to stand down workers, arranged work-from-home procedures, and implemented their prepared communications protocols. These Risk Management Plans may not have predicted a worldwide pandemic, and probably did not, but they may have identified a serious event with similar consequences, with prepared strategies that could be adapted to deal with the situation.
So what is a Risk Management Plan?
Risk Management Planning is the process of:
- Identifying all the possible risks that your business faces,
- Analysing and assessing those risks,
- And then developing strategies to manage those risks.
A Risk Management Plan helps to support operational continuity when events threaten your business. By understanding what these risks are, and what the risk events mean to your business, you can either find ways to reduce the likelihood of them taking place, or reduce their impact if they do happen.
While the risks can vary from business to business and even within the different parts of a business, the process of preparing a Risk Management Plan is an easy logical step-by-step process that anyone can follow.
There are six steps in the Risk Management Planning process:
Step 1: Identify the risks
Step 2: Assess the risks as to their likelihood and their potential consequences
Step 3: Map the risks into a matrix that categorises the risks into critical, moderate and minor risks
Step 4: Create appropriate strategies to manage the risks by either reducing their likelihood or by reducing the potential impact
Step 5: Ensure the Risk Management Plan itself is properly managed and implemented
Step 6: Consistently and regularly monitor and evaluate the plan
Identify the risks
The first step in preparing your Risk Management Plan is to identify your business’ potential risks.
It is important not only to identify the cause of the risk (for example, “Change in tax law”) but also the actual risk to your business resulting from the cause (for example, “Change in tax law leading to a change in how we pay our employees, leading to a loss of good staff”).
As you can see in the above example, having identified the real risk you can better understand the scope of the cause of the risk and therefore prepare a strategy aimed at managing a loss of good staff rather than simply trying to manage a change in tax law.
It is important to include all the types of risks that might affect your business. Think broadly: rather than just identifying the more obvious or pressing concerns like fire, theft or work health and safety, think of hidden risks that may not seem relevant or likely but could be catastrophic (like, say, a global pandemic)!
There is a process to follow when you identify risk, such as first reviewing your business systems and internal capacity, then reviewing any external social, economic and legislative trends.
Assessing both your business model and the world around your business will help you think about:
- What you cannot do without in order to provide your services and do your work?
- What would happen to these critical resources or activities if something bad happened?
- What work procedures (checklists, processes etc.) or organisational arrangements are open to risk?
Then, use the following risk categories to develop a list of risks that could negatively affect your operational model:
- Strategic Risks – big-picture risks such as those caused by the state of the economy or your industry/services, epidemics, natural disasters, and so on;
- Compliance Risks – risks around your legislative and statutory compliance such as audit requirements, lodgement of statutory and tax returns, and so on;
- Operational Risks – risks affecting operations like health and safety, computer maintenance, record-keeping, service delivery, human resources issues;
- Financial Risks – risks around your finances such as poor internal controls and fraud, theft, poor cash management, insolvency;
- Reputational Risks – risks that affect your reputation and credibility such as customer disputes, poor product quality control, and so on.
Assess the Risks
You need to assess your identified risks to see how critical they are (the “level of risk”). The level of risk is a function of the likelihood of that risk happening and the consequence of that risk happening.
A risk that will almost certainly occur, and if it occurs will have a catastrophic effect, is at an “extreme” level of risk. On the other hand, a risk event that is very unlikely to happen and will only have a marginal effect on your business is at a “low” level of risk. Identifying the level of risk allows you to prioritise and allocate your resources accordingly.
The process to assess the risks you have identified is therefore two-fold:
- First, you assess the likelihood of it happening; then
- You assess what the impact of it on your business could be.
There are a number of different ways you can rank your assessment of likelihood and consequence but a simple ranking system is to ask yourself if the likelihood of something is:
- Rare, or
- Unlikely, or
- Possible, or
- Likely, or
- Certain.
To rank the consequences of it happening, ask yourself if it would be:
- Negligible, or
- Marginal, or
- Critical, or
- Catastrophic.
Map the risks into a Risk Matrix
Step 3 of the Risk Management Planning process is to map all the assessed risks into the Risk Matrix. It is at this stage that you prioritise all the risks by analysing their likelihood (how likely is it to happen?) and their consequence (what will be the impact if it does happen?).
The Risk Matrix is made up of intersecting squares with the Likelihood Ranking on the left and the Consequence Ranking at the bottom.
Here is an example of a Risk Matrix:
If a risk that you have identified is rated “Certain” and its impact is rated “Catastrophic”, then it is placed in the upper-most right square. If a risk is categorised as “Rare” and “Negligible” it is placed in the lowest left square, and so on.
Once you map the individual risks into the Risk Matrix:
- you have a one-page picture of all the risks you have identified
- you can quickly see which are your most critical risks (those with a high likelihood of happening and a high consequence if they happen – the ones grouped into the upper right squares)
- it allows you to set priorities according to the level of risk that each risk identified represents – risks to the upper right are critical, those in the lower left are “low” and those in between are “moderate” to “high”.
- it allows you to identify the appropriate type of strategy to employ.
Create appropriate risk management strategies
There are four types of strategies that you can employ depending on the level of risk:
- If the level of risk is critical, you can employ “Immediate Action” strategies
- If the level of risk is high, you can employ “Rigorous Management” strategies
- If the level of risk is moderate, you can employ “Manage and Monitor” strategies
- If the level of risk is low, you can employ “Accept But Monitor” strategies.
Not every risk has to be managed immediately. Some risks you can simply accept and monitor, for example those in the bottom square of the Risk Matrix, “Rare” and “Negligible”, which are expected to be rare and whose effect, if they did take place, would be negligible. We prioritise strategy and action depending on the level of risk because we do not have sufficient resources to do everything at the same time – a fact of life!
In creating risk management strategies, you first take the most critical risks – those at the top right-hand squares of the Risk Matrix, deal with them urgently, and then move to the bottom left with less urgent strategies. For example, we have already written about some basic strategies to adopt in relation to COVID.
Management of risk relies on two principles. First, you want to try to reduce the likelihood of it happening, and second, if it does happen anyway, you want to reduce the consequences of it happening:
- You can take action to reduce the likelihood of the risk, for example by increasing quality control or checking;
- You can take action to reduce the consequences of the risk, for example by ensuring you have backup systems or having contingency plans;
- You can remove or avoid the risk – for example by stopping the activity where the risk might occur;
- You can transfer the risk – for example by taking insurance or sub-contracting the activity;
- You can accept the risk as a low-level risk, but even then, it would be good practice to develop an incident response plan if the effect could be large (think global pandemic).
Steps 5 and 6 are about the management and implementation of the plan.
You need to ensure that the Risk Management Plan is acted on and not just left on a shelf. That means naming somebody responsible for carrying out the actions in the plan and reporting on the completion of tasks. At the very least, this means including a timed schedule of rollout tasks in the plan.
Management of the plan may also include preparing supplementary plans such as disaster recovery plans or office shutdown plans. It may even include rehearsals for critical events such as evacuation in a fire.
Ultimately, a plan is only as good as its effectiveness, so you should monitor and evaluate the implementation of the plan.
From time to time, test the circumstances to see if you are prepared, and evaluate how you might need to change your plan. The feedback and communication loop is important to keep your Risk Management Plan relevant and up to date. You should ensure that sufficiently regular reviews are scheduled to review changes to risks, changes to levels of risk, and the effect of strategies carried out so far (which hopefully have reduced the level of risks identified).
The aim is to continually improve the Plan and its strategies.
The above steps may seem like a lot of work, but consider what could happen to your mature business if something catastrophic happens? Under your current financial situation and level of sales and customer engagement, could you withstand an event that shuts down your business for several weeks? Could you withstand the loss of a key person who has been working in your business for the past 20 years? Could you withstand the loss of a customer that represents 10% of your business?
As a young and fresh business startup, you may have had the energy and determination to deal with these risks manifesting. You may have had the cash reserves or financing available to withstand these issues. You may have been new enough not to feel the loss of experienced staff.
But in a mature business, all these risks are leveraged by your situation.
You need to ensure that you have mitigated as much of the risk as possible, and you need to have contingency plans in place.
In the next article in the series of Managing a Mature Business, we are going to review all the moving parts of the business to see if they can be made more efficient, or changed to become more productive. This may provide more thought about additional risks.