If the popularity of my article from early 2017 outlining risk response strategies is any indication, organizations spend a lot of time thinking about the best way to address a particular risk.
When I previously wrote about transferring risk, the focus was different approaches for transferring strategic, talent, and other enterprise risks.
In this piece, I’ll be going into a little more detail on risk reduction or risk mitigation.
COSO explains that risk reduction:
…involves any of myriad everyday business decisions that reduces risk to an amount of severity aligned with the target residual risk profile and risk appetite.
An excellent definition I think, but one you will not want to use when explaining risk reduction to executives and other non-risk people in your organization. In order to explain this concept in a way that people understand, you need to use terminology that fits your organization’s culture.
That being said, a better working definition of risk reduction is:
Decision or action taken to either reduce how bad the end result of a risk will be or the chances of it occurring in the first place.
The best lay-persons’ example that comes to mind for explaining risk reduction is wearing a seatbelt – putting a seatbelt on before driving doesn’t reduce the chance of an accident occurring. However, what it does do is reduce the negative effects of an accident should one occur.
Before getting into examples of risk reduction in action, there’s one point I want to reiterate that COSO references in their definition, and that is…
The proper response cannot be determined until the risk has been analyzed to see how it compares to the organization’s risk tolerance.
Because…if a risk falls within acceptable tolerance levels, nothing has to be done. This is great – no additional people, time, or money needed!
But if it doesn’t fall within acceptable tolerance levels, a decision will need to be made on how to proceed.
Risk reduction or mitigation is one such choice that can be as complex as a process overhaul or cultural change or as simple as a decision to stop doing something.
Some business examples of risk reduction can include the following:
- Pulling out of a market – This example comes directly from one of my clients. They are currently evaluating their presence in the Asia market. Being in Asia opens up all sorts of risks relating to culture and the stability of the workforce. And the recent tariff increases in China are significantly cutting into the profit margin. While a final decision hasn’t been made yet, the organization is strongly considering the option of pulling their operations out of Asia altogether.
- Process change – While this example may be interpreted as traditional risk management, it also blends with enterprise risks like reputation. Any business with delivery or service vehicles has huge risks around their drivers they must address. To prevent drivers from speeding, the business may opt to put a governor, or a speed-limiting device, on all of its vehicles. This not only reduces the risk of speeding fines and accidents, it also reduces any reputation risks borne out of careless driving on the part of employees.
- Culture change – If the organization is experiencing a higher than normal rate of talent loss, there may be a cultural issue at play that’s prompting people to leave and seek opportunities elsewhere. In this case, exit interviews can be examined to see what this trigger may be…perhaps people are leaving because they don’t get fulfillment out of their jobs. A change in culture could reduce talent and other risks like this, but it should be noted that any risk reduction activities regarding culture can’t be done in the short-term. Setting realistic expectations with management is crucial to culture change being successful.
- Discontinuing a product – While risks remain for products that were already sold, discontinuing the product definitely reduces the potential impact in a variety of areas. For example, due to reports of adverse side effects and orders by the FDA to add warnings on product packaging, Bayer announced in mid-2018 that it will no longer be offering its Essure permanent birth control device in the U.S. Besides the health risks to women, continuing to offer the product could have led to a host of legal and reputational risks to the pharmaceutical giant.
Although it is very helpful to see examples, exactly how you go about reducing a risk depends on many factors like impact, likelihood, velocity, culture, and others specific to your organization. And when analyzing the risks for prioritization, consider an action or decision that would reduce multiple risks simultaneously, as this is a better way to use available resources.
CAUTION: Don’t manage risks so much that you end up managing yourself out of business!
One word of caution I want to mention in relation to risk reduction is something I have encountered many times over in my years as a risk management professional.
A standard practice in ERM is to use heat maps and color coding to organize risks. Color coding can be designated using the RAG approach (Red, Amber, Green).
The problem comes in when people within the organization say “we need to get this risk to green.” While this could be true for some risks, it certainly doesn’t apply to all. One of the most common mistakes I see when evaluating an organization’s risk program is how many cross a line and end up over-mitigating risks.
Why does this matter and how does it apply to the statement above?
It all boils down to resources…By over-emphasizing the need to have every risk in the “green” level, the organization ends up spending resources on risks that really don’t need much attention in the grand scheme of things.
There is an opportunity cost when committing resources to mitigate or reduce a risk. This opportunity cost of course means that you are not using resources to achieve objectives…
If a line is crossed and the organization ends up over-mitigating risks, the consequences can include not just a failure to achieve objectives, but missed opportunities as well.
Therefore, it’s important to keep this in mind when exploring options for reducing risk…you don’t want to manage risks so much that you end up managing your organization out of existence.
How does your management decide which risk reduction strategies to use to get risks within your organization’s tolerance? Have you encountered a situation where risks were being over-mitigated and therefore creating new risks to the organization?
I’m interested to learn more about how your organization approaches risk reduction. Share your thoughts by leaving a comment below or joining the conversation on LinkedIn.
And to review strategies on how your organization can reduce the impacts of risk, please reach out to me to discuss your specific situation today.