When contributing to devising a risk management plan some years ago for a FTSE 100 company, I read many Corporate Governance articles encouraging me to do the expected. Categorise the key risks to the strategic plan and the budget so as to be sure to identify those relating to financial, operational, infrastructure, people, IT and legal and regulatory matters and give each a score by assessing their likelihood and their impact. Then came the most difficult part. How best to mitigate each risk?
At this stage I stopped reading the articles and used a simple acronym -TRAP or Terminate, Reduce, Accept or Pass on. These four are the prime levers a business can pull to address risks which are capable of causing it material damage. You may decide that the risk is so great that the only viable response is to terminate the activity by stopping the practice concerned. Alternatively, you can continue the operation concerned but identify actions to reduce one or both of its likelihood and impact or simply come to a conclusion that operating as you have always done is key to revenue and profit and thereby accept the risk. The final option is to seek to pass on all or a part of the risk either by means of insurance or by contractual obligation whereby a third party, perhaps a component supplier, assumes the relevant risk. However, when selecting which of these levers to pull each business must have a sound understanding of its “Risk Appetite”. It must ensure that its risk management plan is not just an academic exercise designed to satisfy regulators but is aligned properly with business success imperatives.
As we applied our risk management plans over the years and saw our risk mitigation plans begin to bear fruit in relation to the key risks identified, experience taught us to expect the unexpected as in all businesses there are risks, often unidentified, over which management has little or no control. These include natural disasters (tsunamis, volcanos and diseases) and political risks (state actions, riots etc). For instance, would a business compiling a risk management plan in 2015 have seen Brexit as a likely threat even though Grexit was a distinct possibility at the time? Also, in 2009 would an airline operating in the UK or, for that matter, anywhere in the world have realised that an ash cloud pouring out of a remote Icelandic volcano would cause European airspace to be closed between 15 and 23 April 2010 at a cost of $200M to the industry? Further, would a business in the last quarter of 2019 have on its radar the possibility of a pandemic that would cause many businesses to cease all or the majority of their operations for a period of months? These were the types of issues that caused the business with which I was involved to build in a substantial contingency fund to its annual business plan and to consider catastrophe insurance. We also learned to value excellent broking and risk management advice from an external source that came to thoroughly understand our business model.
However, when all is said and done, a prudent and robust approach to risk mitigation must be carefully balanced with a degree of flexibility so that the entrepreneurial spirit is not inhibited. We must not kill the goose that lays the golden egg!