Recently, some neighbors invited us to come and pick some ripened citrus from their trees (before they all froze). At first, this was easy to do since much of the fruit (grapefruit, tangerines, satsumas, etc.) was lower down the tree and easily reachable from the ground, even for our son to reach.
What does this have to do with our topic for today?
Many people unfamiliar with “risk management” understandably think that it is solely about value protection, or otherwise managing the downside.
However, as you become more familiar with ERM, you learn that it is about so much more than this.
For an organization to thrive in today’s business environment, ERM needs to simultaneously be about value creation as well, which means finding and pursuing opportunities, or as Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives:
When you are running the business, you have to do both: avoid unnecessary loss and seize opportunities for gain.
Now this isn’t the first time I’m mentioning this by any stretch of the imagination, but not long ago, I realized there is little to no guidance out there on how to actually identify opportunities. One article on my blog takes a specific look at optimizing processes and how eliminating unnecessary steps can create opportunities to shift resources elsewhere…or in another example going back farther discusses how revamping risk assessment processes can free up ERM team resources.
Besides some brief mention of using ERM as a tool for pursuing opportunities, that’s about it.
We talk about the subject of opportunities, especially in the context of risk appetite, quite extensively, but what exactly goes into identifying opportunities in the first place?
Believe it or not, this is a pretty extensive subject, so I am breaking it into three different articles in the weeks to come. These three topics include:
- Over-managed risks related to operations (today’s article)
- Turning risks to strategy into an opportunity
- Seeking out opportunities all to themselves (all upside)
Today’s topic is really the “low-hanging fruit” of identifying opportunities since it is about freeing up resources from over-managing risks in the operational sphere. While this appears to be about value protection on the surface, it is actually about seeing which risks your company is spending too much attention on and re-allocating those resources (i.e., time, money, people) to other uses.
Like money in your bank account, knowing which risks your company is over-managing doesn’t just magically appear. You will need to complete a couple of the standard preparatory steps you would be doing anyway, namely:
- You need to understand where a risk currently stands, or in other words, to conduct a risk assessment at both an individual and category level. Don’t make this overly complicated by trying to understand “inherent” risk.
- You also need to have a good understanding of not only the amount of risk the company is willing to take, but also what it is able to withstand in the area(s) you’re looking at. The overarching term for describing this is “risk universe,” but you may be more familiar with the terms risk appetite, risk tolerance, and risk capacity. To learn more about these concepts, I highly recommend checking out one of my previous conversations with Hans Læssøe.
With these two steps complete, you can then compare the current state of the risk against the company’s tolerance for said risk(s).
This may seem simple, but it isn’t easy…
That is because, as many of its detractors point out, risk appetite isn’t necessarily the easiest thing to master. And I agree – IF your organization’s risk appetite statement(s) consist of 2-3 generic sentences, then you have nothing to compare assessment results to, which makes these statements close to useless. Without getting into too much detail here, risk appetite should be applied at the same level as your assessments for these comparisons to be effective, which is why I’m a big proponent of using performance metrics in the development of risk appetite, tolerance, etc.
With an actionable appetite and tolerance for risk(s) and business area(s), you are now ready to compare the two for the purpose of identifying opportunities.
How a risk stacks up against a company’s tolerance and capacity will fall into one of three different possibilities.
If the comparison shows the risk is still more than your risk capacity level, then either additional mitigation measures will need to be taken to bring the risk down to a more acceptable level or the company can choose to accept the risk as-is and determine ways to reduce the after-effects should the risk materialize.
Second, you may discover in your comparison that the risk aligns exactly with the risk capacity for that specific area. In this case, there really isn’t much to adjust. However, there is the possibility that adjustments can be made to how this particular risk is managed, thus freeing up resources that way.
The third and final possibility is where the real excitement is (yes, I am a risk geek at heart)…
If it’s determined that the current state of a risk is below the risk capacity, this shows that the risk is being over-managed. Perhaps there are more processes or personnel in place than what’s really needed, or maybe a specific process is more overbearing than is needed.
The difference between the current state and the risk capacity is what could be referred to as an opportunity gap.
Of course, this brings up all sorts of questions around the time and money, plus the people and systems needed for the risk to be that low. This won’t be true for all risks, but for certain ones, you may discover that new thresholds can be established around processes to eliminate the need for so many layers of effort.
We’re familiar with the issues around talent these days, so shifting people’s time from areas where a risk is being over-managed into more urgent areas represents an opportunity to relieve overburdened staff. Without doing this detailed comparison though, the company will not know where this is even an option.
Now, it may be tempting to think simple “automation” will address this, but unfortunately, many people jump to that option without thinking about the process itself. Instead of automating a bad process, first determine the benefit(s) of the process and understand why it’s even being performed. Perhaps it was relevant when it was established, but now the situation (whether the company, the risk capacity, or the external environment) has changed and made the process now obsolete.
As stated earlier, these types of opportunities are really the low-hanging fruit, and in my experience, the fruit basket can fill up pretty quickly. With an uncertain economy, organizations will need to find money- and time-saving opportunities where they can, and this is a good place to start.
Low-hanging fruit implies there is potential further up the tree, and in the context of our subject today, this means opportunities around strategic goals. We’ll get into this topic in a few weeks, so be on the lookout.
In the meantime…
What low-hanging fruit has your company been able to turn into opportunities for saving money, time, or other resources?
To share your experiences on this important yet under-covered topic, please feel free to leave a comment below or join the conversation on LinkedIn.
It can be difficult to pinpoint opportunities like this when you have so much else on your plate. If your company finds itself in this spot, and you would like some help in unearthing and implementing this type of low-hanging fruit, please don’t hesitate to contact me today to begin discussing your specific needs and goals.
Featured image courtesy of the Florida Department of Citrus