Show Me Your Risk Assessment
Thursday, 21 May 2009 08:09
What can go wrong with your business? If you plan and prepare for the worst, you will be better able to overcome those obstacles if/when they come your way. Drafting a Risk Management Plan is your vehicle for bolstering your business:
Brainstorm
Identify all threats and vulnerabilities relating to inventory, staffing, location, customers, weather, etc. Group the problems into categories on a spreadsheet or database.
Impact and Likelihood
Assign the impact of each problem in a spreadsheet column or database field. For each problem, assign a number for the damage that problem would inflict on your operation, should it occur. In a second column or database field, record the probability that the problem would occur in your business. I use a rating system of 1-5, 1 being the least severe/likely, 5 being most severe/likely. You can derive impact numbers from a number of factors, such as the monetary impact the problem would have on your business or the calculated loss of productivity. Probability estimates can come from past experience and/or monitoring industry trends, particularly ones that your competitors have endured.
Prioritize
Multiply the Impact rating by the Likelihood rating for each item and record the result in your spreadsheet or database. This number is the severity factor. Sort the rows by the severity factor. If you are using the 1-5 rating as mentioned in "Impact and Likelihood", the severity factor will range between 1 and 25, with 25 marking the items that carry the greatest risk.
Contingency and Mitigation
You probably will not have the budget or the time to address every problem on the list. If you do, your risk assessment is likely too short. To focus on the most problematic possibilities, identify the first few most severe items in your list. It does not have to be a round number, like "10"; you can eye the list to see a convenient breaking point for your first pass. For each problem, come up with ways to prevent the event or lessen its impact.
A contingency plan will cover ways to react to an event if it occurs. For example, if your credit card processing unit goes down, your contingency plan could be to call in each transaction to the merchant account.
A mitigation plan will lessen the damage should a disastrous event occur. Building codes have many mitigation strategies, like installing the necessary number of sprinklers to put out a small fire or slow the spread of a larger fire.
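The scoring, sorting and first-pass selection described above can be scripted once the register outgrows a spreadsheet. This is an added example, not part of the original article: the register rows are constructed, and the tie-break on impact and the "largest drop in severity" rule standing in for eyeing the list are assumptions.

```python
import csv
import io

# Constructed sample register (not from the article); ratings use its 1-5 scale.
SAMPLE_REGISTER = """category,problem,impact,likelihood
Payments,Credit card processing unit goes down,4,3
Location,Fire in the stockroom,5,2
Staffing,Key employee leaves without notice,3,3
Weather,Storm closes the shop for a day,2,4
Inventory,Supplier delivers late,2,3
Customers,Largest customer moves to a competitor,4,1
"""

def load_register(text):
    """Parse the register, reject ratings outside 1-5, add the severity factor."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        impact, likelihood = int(row["impact"]), int(row["likelihood"])
        for name, value in (("impact", impact), ("likelihood", likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{row['problem']}: {name} {value} is outside 1-5")
        rows.append({**row, "impact": impact, "likelihood": likelihood,
                     "severity": impact * likelihood})
    return rows

def prioritize(rows):
    """Sort by severity factor, highest first; ties go to the higher impact (assumption)."""
    return sorted(rows, key=lambda r: (r["severity"], r["impact"]), reverse=True)

def first_pass(ranked, min_items=2):
    """Return the rows above the break point for the first pass."""
    if len(ranked) <= min_items:
        return ranked
    # Assumption: the break point is the largest drop in severity between
    # neighbouring rows, after at least min_items rows; the earliest drop wins ties.
    cut = max(range(min_items, len(ranked)),
              key=lambda i: (ranked[i - 1]["severity"] - ranked[i]["severity"], -i))
    return ranked[:cut]

if __name__ == "__main__":
    ranked = prioritize(load_register(SAMPLE_REGISTER))
    keep = len(first_pass(ranked))
    for n, r in enumerate(ranked):
        marker = "first pass" if n < keep else "later"
        print(f"{r['severity']:>2}  {r['category']:<10} {r['problem']}  [{marker}]")
```
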
Cost Analysis
The contingency and mitigation plans are not free. They cost time and money to prepare and, if necessary, to use. The cost analysis compares the time and money needed to prevent a vulnerability from occurring with the time and money needed for damage control.
Cost analysis is a cold, hard truth of how some companies run a business. The dollar is the bottom line, regardless of the potential threat a product may pose to consumers. Product recalls are expensive, and companies take a hit in the PR arena. Sometimes it is cheaper to release a product with a defect in the hopes that it will not affect x number of consumers than to fix the defect. Do not underestimate the rising trend of corporate responsibility when performing your cost analysis.
Presenting the Results
Now you are ready to present your risk management plan to your stakeholders for approval. Take time to explain the results to your audience. Some stakeholders will want just the bottom line. Others are more interested in the process that took you through your risk assessment. A Risk Management Plan is not a "wet finger in the air" activity. Always be prepared to substantiate your calculations and assumptions.