Manage Risk Systematically

Posted by Oscar Combs in Risk Watch 17 Nov 2014

With companies being asked to produce more with fewer resources, managing risk within any organization is more critical than ever. Whether your industry is oil & gas, manufacturing, construction, laboratories or education, business risks are becoming greater for both large and small businesses. Many businesses face regulatory, economic, supplier, occupational, environmental, inclement weather, product quality and security risks, as well as the challenge of protecting proprietary information. Sometimes organizations become so accustomed to navigating their inherent risks that they become complacent in identifying and managing them, until something catastrophic happens and they think to themselves, “How could this happen? We’ve done this a thousand times before without having a problem.” This is why it’s important for businesses to systematically perform a risk assessment of their business operations and activities and implement proactive measures to mitigate the risks they find.

The Risk Management Cycle

To manage risk effectively, one must first understand the risk management cycle.  The risk management cycle consists of 6 steps:

1. Define your risk profile

2. Identify potential risk

3. Assess and analyze risk

4. Develop risk mitigation controls

5. Decide and implement

6. Evaluate and monitor. 

 

Defining Risk Profile

Defining your company’s risk profile simply means identifying the core activities your company performs as its daily mission and means of generating revenue.  The risk profile will be different from organization to organization, but all businesses have risks; therefore, they have a risk profile.  This should be a relatively easy step, if your company has an established mission statement.  

The mission statement should provide the purpose of the company and provide the framework from which decisions are made. For example, here is the mission statement of one of the largest oil and gas companies in the world: “XYZ Corporation is committed to being the world’s premier petroleum and petrochemical company.  To that end, we must continuously achieve superior financial and operating results while simultaneously adhering to high ethical standards.  These principles guide our relationships with our shareholders, customers, employees and communities.”

Looking closer at XYZ’s mission statement, it’s clear that they face several inherent risks in executing their mission. Here are some key risks:

 

• Legal & Regulatory risks associated with the petroleum and petrochemical industry

• Operational risks associated with the petroleum and petrochemical industry,

• Financial risks of the company and its shareholders,

• Environmental risks associated with their daily operations,

• Occupational risks associated with employees executing the mission,

• Transportation risks associated with moving and storing petroleum and petrochemicals,

• Public Relations risks associated with managing the perception of the community, and

• Supplier risk associated with the production and refinement of its petroleum and petrochemicals

 

You can see that I simply broke down their mission statement, which allowed me to quickly define a basic risk profile. This is just an example for the sake of understanding, but XYZ’s risk profile is most likely more comprehensive.

The size of your company’s risk profile will be based upon how complex your company’s operations are. A small manufacturing company will have a smaller profile than a large oil and gas corporation, but the principles are the same. When you tie your risk profile directly to the company’s mission statement, the company is on a good path to systematic risk management. Once the risk profile is defined, the organization must now identify its potential risks.

 

Identifying Potential Risks

In the risk profile, the goal is to identify broad categories of risks the company may have exposure to. The next step, identifying potential risks, involves drilling down further into each category. This process should be very intuitive, as the company simply identifies risks they face each and every day. Who would know these better than the employees of the company?

Sometimes companies become blind to risk, because they have become accustomed to working around the risk. In many cases they become accustomed to working around it without being aware they are even doing it. For example, I’ve had a Toyota Sequoia for some time, and each time I have to step up on my running board to get into my vehicle. Without realizing it, over the years, I had developed the habit of ducking my head just enough to miss hitting my head on the door frame.

This habit was made painfully clear to me when I forgot to duck one day because I was trying to get into my car quickly. I never realized the risk of bumping my head existed. I bumped my head so hard that it caused me to have surgery to remove the calcium build-up that formed on my head. This is exactly how many companies work around risks that they have become accustomed to. They only recognize the risk once they bump their heads. Identifying the risks proactively can prevent the pain and cost of suffering an incident that could have been avoided.

Here is a simple way to identify potential risks within your risk profile categories. Let’s take the operational risk category and drill down further. Just thinking about the process of pumping petroleum from the core of the earth, collecting it, storing it, transporting it, refining it and selling it, I can think of many things that can go wrong in the process, many of which have been very well documented over the past couple of years. These things that can go wrong are the potential risks. These potential risks should be identified prior to executing this part of the company’s mission. For this example, here are a few potential risks associated with the operational risk category:

 

• Risk of not having the proper equipment to successfully perform drilling operations,

• Risk of equipment failure during the drilling operation,

• Risk of human error,

• Risk of encountering unanticipated subsurface earth formations,

• Risk of losing circulation of the well,

• Risk of blow-out of the well,

• Risk of employee injuries and fatalities,

• Risk of exposure to gases, such as Hydrogen Sulfide

• Risk of an oil spill, and

• Risk of the environment and employees being exposed to harmful drilling chemicals, to name a few.

 

You can see that the process of identifying potential risks may be very enlightening and may expose risks that the company should address immediately. Again, drilling an oil well is very complex, so keep in mind that identifying your company’s potential risks may not be as complex as this, but the principle is the same. This process would most likely be done by having several brainstorming sessions with key personnel within the company. Alternatively, the company may prefer to hire an outside consultant to assist in the process. This may be beneficial, since the company may be blinded to its risks after becoming accustomed to working around them. Once the potential risks have been identified, they must be assessed and analyzed.

 

Assess and Analyze Risks

During this step, the company is looking closer at each identified potential risk and further analyzing the probability that the risk will occur and what the impact may be.  This is typically done by assigning a risk criticality rating to each risk.  Again, this step should be relatively intuitive and should be quite simple with the right knowledge and experience applied during the process.  Figure 2 demonstrates a simple and intuitive method of rating the probability and impact severity of each identified risk.

The probability of the risk occurring is rated along the left side of the table and the severity of its impact is across the top.  The probability rating and severity rating are then multiplied to provide the risk criticality rating.  Keep in mind that a risk may have a high probability and a low impact, which may still make it a low risk.  The color coding gives companies a quick way to identify low, medium and high potential risks: green indicates a low risk, yellow indicates a medium risk and red indicates a high risk.  As resources are limited, this gives your company a method to prioritize and allocate resources accordingly.

Once you’ve identified your potential risks, you will want to place the data into an Excel spreadsheet or table.  I recommend Excel, because it will allow for better sorting and manipulation of your analysis once it’s completed.  Figure 3 provides an example of how the identified potential risks may be rated.  You may have a different opinion, but this is simply to provide a practical example of how the tool could be utilized.  You will see that each risk associated with the operational risks category has been assigned a probability and impact rating, which were multiplied to provide the overall risk criticality rating.

 

The biggest challenge in assigning probability and severity ratings is being objective.  A company that has become accustomed to working around its risks may always assign a probability rating of 1 – 2, when the probability should be closer to 4 – 5.  This is why, in some cases, it’s best to have an objective party walk the organization through this process.  By assigning a high probability, the company is not saying that the risk will happen, but it gives the company an opportunity to implement the appropriate risk mitigation measures to lessen the probability when executing the company’s mission on a daily basis.

Once the company has come up with a risk criticality rating for each potential risk, the risks can now be prioritized.  The company now has the ability to focus its energies and resources according to the probability and impact of the risks.  The next step in the process is to define the risk mitigation controls.
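
The rating and prioritization step described above, written out as an added example that is not part of the original article: it multiplies probability by severity, bands the result, sorts the register, and flags risks the internal team rated 1 – 2 that an objective party rated 4 – 5. The band cut-offs, the `outside_probability` field and every rating in `REGISTER` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed cut-offs on the 1-25 scale; the article's color-coded table is not shown.
BANDS = ((15, "red"), (6, "yellow"), (1, "green"))

def band(score: int) -> str:
    """Map a criticality score to a color band using the assumed cut-offs."""
    return next(color for floor, color in BANDS if score >= floor)

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int                           # 1-5, rated by the internal team
    severity: int                              # 1-5
    outside_probability: Optional[int] = None  # 1-5, rated by an objective party

    def __post_init__(self):
        ratings = [self.probability, self.severity]
        if self.outside_probability is not None:
            ratings.append(self.outside_probability)
        if not all(1 <= r <= 5 for r in ratings):
            raise ValueError(f"{self.name}: ratings must be 1-5")

    @property
    def criticality(self) -> int:
        return self.probability * self.severity

def prioritize(risks):
    """Highest criticality first; ties broken by the more severe impact."""
    return sorted(risks, key=lambda r: (r.criticality, r.severity), reverse=True)

def underrated(risks):
    """Risks rated 1-2 internally that the objective party rates 4-5."""
    return [(r.name, r.criticality, r.outside_probability * r.severity)
            for r in risks
            if r.outside_probability is not None
            and r.probability <= 2 and r.outside_probability >= 4]

# Constructed ratings for four operational risks named in the article.
REGISTER = [
    Risk("Equipment failure during drilling", 4, 4),
    Risk("Human error", 2, 4, outside_probability=5),
    Risk("Blow-out of the well", 2, 5, outside_probability=2),
    Risk("Not having the proper equipment", 5, 1),
]
```

With these constructed ratings, the high-probability, low-impact equipment risk lands in the green band, while "Human error" moves from yellow to red once the objective party's probability is used.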

 

Define Risk Mitigation Controls

Defining risk mitigation controls is where the company must put on its preventive action or proactive thinking cap.  This is where companies can save a lot of time and money and drastically improve the efficiency and profitability of their operations.  We all know that most failures within organizations can be attributed to the lack of planning or execution.  This is where we can at least address the planning part.  I recommend this step be carried out in a brainstorming session with the right people, maybe even including a representative from the actual employees, so that risks are mitigated from the employee’s perspective.  Figure 4 demonstrates how the risk of human error can possibly be mitigated, so that the likelihood of it occurring is lessened.

Once the risk mitigation controls have been identified, which ones will the organization actually select to implement?  It may be all of them, but most likely the organization will select from the brainstorming session those that it feels will most likely prevent the potential risks from being realized.  One suggestion is to further prioritize the risk mitigation controls based upon their potential effectiveness in preventing the identified potential risks.  Figure 5 provides an example of how this may be done.

 

Now the organization must decide which risk mitigation strategies will be selected. Most organizations have methods for selecting where the company’s resources are invested. When it comes to selecting which resources will be invested to prevent risks, the process is no different. How much will the risk mitigation control cost in time and money? What is the probability and severity of the risk? What will be the return on the company’s risk mitigation investment? How will the company measure return on investment? Successful projects that run smoothly, without injury, without incident, completed on time and on budget would all be great measures of successful risk mitigation. After completing the risk management cycle and having proven success, the organization may also be in a position to renegotiate lower insurance premiums and deductibles with their insurance carriers. These are just some measures that can be used in deciding which risk mitigation controls to select and the order in which to implement them. Prioritizing and establishing a budget will assist in the selection process.

These risk mitigation controls would most likely then be delegated to the appropriate Department(s) within the organization. In this example, this may be the Human Resources Department. The Risk Management Cycle doesn’t stop, which is why it’s called a cycle. Organizations must continually evaluate and monitor the effectiveness of their risk mitigation controls to ensure they are still effective.

Evaluate and Monitor

How many times have we done something and, once we’ve completed it, taken a collective sigh of relief? We sit back and think that because we’ve implemented something, it’s sure to always work. We forget that there are many variables that may make a solution to a potential risk implemented 3 months ago no longer effective today. In my scenario of preventing the occurrence of human error, many changes may have occurred that would impact the effectiveness of the risk mitigation controls that were put in place. What if the previous HR Manager was no longer with the company and the new HR Manager was not properly oriented on these risk mitigation controls? What if there was a lot of turnover at the job site? What if the client changes the scope of work during the middle of the project?

These are just some reasons why it’s important to continually evaluate and monitor the effectiveness of the risk mitigation controls, to determine if adjustments are necessary.  Upon evaluating and monitoring, it may be determined that a risk mitigation control is no longer effective; it may need to be slightly tweaked or it may need to be replaced.  Evaluation and monitoring are typically done through scheduled audits or site visits.  Controls can also be evaluated and monitored by establishing performance scorecards to monitor key performance indicators, such as:

• injury rates,

• insurance claims,

• insurance costs,

• customer complaints,

• budget overages,

• operational incidents,

• training compliance,

• and any indicators that the company can directly relate to the effective implementation of the risk mitigation controls.

 

In Conclusion

Risk Management is a cycle that must continually be monitored to effectively mitigate an organization’s potential risks.  The time and money spent in risk mitigation will always be lower than the actual time and cost if the risk occurs.  Organizations must be careful not to become blinded to their risks, because they have become accustomed to working around them and only realize they are there when they bump their heads.  Follow the risk management cycle properly and your organization will manage its risks, improve its operations and increase its profitability.
