If the popularity of my article from early 2017 outlining risk response strategies is any indication, organizations spend a lot of time thinking about the best way to address a particular risk.
When I previously wrote about transferring risk, the focus was on different approaches for transferring strategic, talent, and other enterprise risks.
In this piece, I’ll be going into a little more detail on risk reduction or risk mitigation.
COSO explains that risk reduction:
…involves any of myriad everyday business decisions that reduces risk to an amount of severity aligned with the target residual risk profile and risk appetite.
An excellent definition, I think, but one you will not want to use when explaining risk reduction to executives and other non-risk people in your organization. To explain this concept in a way that people understand, you need to use terminology that fits your organization’s culture.
That being said, a better working definition of risk reduction could be:
Decision or action taken to either reduce how bad the end result of a risk will be or the chances of it occurring in the first place.
The best layperson’s example that comes to mind for explaining risk reduction is wearing a seatbelt – putting a seatbelt on before driving doesn’t reduce the chance of an accident occurring. What it does do is reduce the negative effects of an accident should one occur.
Before getting into examples of risk reduction in action, there’s one point I want to reiterate that COSO references in their definition, and that is…
The proper response cannot be determined until the risk has been analyzed to see how it compares to the organization’s risk tolerance.
Because…if a risk falls within acceptable tolerance levels, nothing has to be done. This is great – no additional people, time, or money needed!
But if it doesn’t fall within acceptable tolerance levels, a decision will need to be made on how to proceed.
Risk reduction or mitigation is one such choice that can be as complex as a process overhaul or cultural change or as simple as a decision to stop doing something.
Some business examples of risk reduction can include the following:
- Pulling out of a market – This example comes directly from one of my clients. They are currently evaluating their presence in the Asia market. Being in Asia opens up all sorts of risks relating to culture and the stability of the workforce. And the recent tariff increases in China are significantly cutting into the profit margin. While a final decision hasn’t been made yet, the organization is strongly considering the option of pulling their operations out of Asia altogether.
- Process change – While this example may be interpreted as traditional risk management, it also blends with enterprise risks like reputation. Any business with delivery or service vehicles has huge risks around their drivers they must address. To prevent drivers from speeding, the business may opt to put a governor, or a speed-limiting device, on all of its vehicles. This not only reduces the risk of speeding fines and accidents, it also reduces any reputation risks borne out of careless driving on the part of employees.
- Culture change – If the organization is experiencing a higher than normal rate of talent loss, there may be a cultural issue at play that’s prompting people to leave and seek opportunities elsewhere. In this case, exit interviews can be examined to see what this trigger may be…perhaps people are leaving because they don’t get fulfillment out of their jobs. A change in culture could reduce talent and other risks like this, but it should be noted that any risk reduction activities regarding culture can’t be done in the short-term. Setting realistic expectations with management is crucial to culture change being successful.
- Discontinuing a product – While risks remain for products that were already sold, discontinuing the product definitely reduces the potential impact in a variety of areas. For example, due to reports of adverse side effects and orders by the FDA to add warnings on product packaging, Bayer announced in mid-2018 that it would no longer offer its Essure permanent birth control device in the U.S. Besides the health risks to women, continuing to offer the product could have led to a host of legal and reputational risks to the pharmaceutical giant.
Although it is very helpful to see examples, exactly how you go about reducing a risk depends on many factors like impact, likelihood, velocity, culture, and others specific to your organization. And when analyzing the risks for prioritization, consider an action or decision that would reduce multiple risks simultaneously, as this is a better way to use available resources.
CAUTION: Don’t manage risks so much that you end up managing yourself out of business!
One word of caution I want to mention in relation to risk reduction is something I have encountered many times over in my years as a risk management professional.
A standard practice in ERM is to use heat maps and color coding to organize risks. Color coding can be designated using the RAG approach (Red, Amber, Green).
The problem comes in when people within the organization say “we need to get this risk to green.” While this could be true for some risks, it certainly doesn’t apply to all. One of the most common mistakes I see when evaluating an organization’s risk program is how many cross a line and end up over-mitigating risks.
Why does this matter and how does it apply to the statement above?
It all boils down to resources…By over-emphasizing the need to have every risk in the “green” level, the organization ends up spending resources on risks that really don’t need much attention in the grand scheme of things.
There is an opportunity cost when committing resources to mitigate or reduce a risk. This opportunity cost of course means that you are not using resources to achieve objectives…
If a line is crossed and the organization ends up over-mitigating risks, the consequences can include not just a failure to achieve objectives, but missed opportunities as well.
Therefore, it’s important to keep this in mind when exploring options for reducing risk…you don’t want to manage risks so much that you end up managing your organization out of existence.
How does your management decide which risk reduction strategies to use to get risks within your organization’s tolerance? Have you encountered a situation where risks were being over-mitigated and therefore creating new risks to the organization?