I’ve said it dozens of times here and have seen repeated elsewhere – trying to manage each and every risk can be mindboggling and, at best, lead to wasted resources in the form of time, people, and money. In the most extreme circumstances, attempting to manage every risk can lead to business failure, which is the exact opposite of what risk managers are there to do.
In my experience during assessments of risks and controls, many companies by default will jump on any risk without any control linked to it. Steps will not be taken to assess and truly understand risk…
Therefore, instead of ensuring that only the unacceptable risks receive the attention they deserve, companies end up creating a lot of busy work for risks that aren’t really a big deal, which is why I discourage my clients from the practice of attempting to manage all risks.
When used properly, analysis tools like risk appetite and tolerance help us understand where risks should fall on the “priority list” and therefore determine what to respond to first.
The meaning of risk appetite and tolerance will vary depending on who you ask, so it can be a really confusing topic for many. I have personally found Hans Læssøe’s description to be the most helpful at transforming this nebulous concept into something actionable and helpful for strategic decision-making.
As you know, Hans is the former head of strategic risk management at the LEGO Group and founder of AKTUS, which is the merger of two Danish words for “active uncertainty.” He provides a great summary of the topic of risk appetite and tolerance in his book Prepare to Dare, but I also had the pleasure of speaking with him in-depth about it.
In the beginning of our discussion, Hans explained how risk appetite, tolerance, and capacity represent a spectrum. How a company approaches a particular risk will depend on where it falls on this spectrum.
When framed this way, it’s easy to see how risks exceeding the company’s capacity should take the highest priority since these risks can put the company’s very survival in jeopardy.
But what about risks that fall at other points on the spectrum?
Below risk capacity, there are risks beyond what the company is willing to tolerate, so these will require attention.
But next, we have risks that fall between the risk tolerance and risk appetite. As Hans explains in the interview, these are risks you have accepted and prepared to take in pursuit of strategic objectives.
These risks don’t need to be “managed” per se…they don’t need any sort of controls to bring them down to an acceptable level.
However, this doesn’t mean you should just ignore them.
Hans then goes on to point out a distinction that I think is important – handling these “risks” is not risk management but rather should be called process optimization or improvement.
The concept of process optimization has been around for quite a long time. It can be defined as:
…a business practice of identifying, analyzing and improving existing business processes to optimize performance, meet best practice standards or simply improve quality and the user experience for customers and end-users.”
You’ve probably heard of different approaches a company can use for this purpose like Six Sigma, Lean Six Sigma, Kaizen, Total Quality Management (TQM), and more.
As an example, let’s say your company manually collects data from customers (like during a call with the customer), which comes with risks for typos, mistakes, and misstatements. To address this risk, your company can optimize this process by improving how different systems talk to each other. Instead of re-creating information with each customer interaction, you could possibly import it from another system where it already exists.
This is process improvement or optimization in a nutshell…
While this may sound simple, it is not easy.
After all, processes become ingrained in a company for different reasons, but two common ones include:
- Outdated systems – workarounds will be created to patch weak spots in existing systems. However, since the process itself is so ingrained, the company will not revisit it even if they purchase a new system. Rarely do companies take the time and effort to ask “what do we currently do?” and “why do we do it?”
- Regulatory requirements – this is especially true in my primary industry, insurance. Regulators at the state (or federal for publicly traded companies) level may require certain information be collected or reported a certain way. The process the company uses to fulfill this requirement will become so ingrained that they will neglect to ask if there’s a better way to do it.
In some instances, taking actions like process optimization can sometimes eliminate the risk. However, this is by no means the only reason to evaluate and optimize business processes…
Instead of focusing solely on preventing failure in the form of reducing risks, process optimization also creates opportunities and potential advantages for the company.
It’s important to remember that process optimization is not just about addressing risks in the negative sense, but also taking actions that ultimately create opportunities and a competitive advantage.
For example, improving, optimizing, and automating processes can free up people to focus on other things. Also, with many companies experiencing staffing issues, this sort of optimization can help a company realize more productive capacity from their existing staff without leading to burnout.
Process optimization also helps keep the focus on your customers.
Take our data collection example from earlier…
By connecting two systems and eliminating the need for such intensive data gathering, customers could save time when they call the company, which of course makes their experience smoother and improves the company’s reputation.
I can promise that if a company makes their phone support or communications simpler, they will earn many accolades from their customers.
Hans states in his book Prepare to Dare that companies create a distinct advantage by taking these steps, which will be how companies will ultimately survive and thrive in the years ahead.
As he and I discuss in our interview, this spectrum is ultimately the filter through which you determine which risks to focus on. Hans wraps up this portion of our discussion by explaining how anything below your risk appetite should be totally ignored. Worrying about these risks are certainly a waste of time.
While risks that fall between your appetite and tolerance may not be the most critical, addressing them through process optimization can ultimately create opportunities for further sustained growth.
Does your company try to establish controls for each risk? Or do you prioritize using methods like the one described above?
To share your thoughts and experiences on process optimization or another related topic, leave a comment below, join the conversation on LinkedIn, or to share your thoughts privately, email me directly at firstname.lastname@example.org.
And if your company is struggling with prioritizing risks so you can be sure you’re addressing the most impactful areas (both upside and downside), please don’t hesitate to contact me directly by email or schedule an appointment through my online calendar to discuss your specific needs today!