According to Elroy Dimson at the London Business School, risk means more things can happen than will happen. This means no one truly knows the limits of what can possibly happen, but that’s okay as not all of it will happen. It also does not mean that bad things will happen; results may even turn out better than expected.
So we have to address risk by first defining it, and then managing it. Risk in business can be in the form of:
· Income or cash flow interruption
· Liquid and highly liquid assets (cash, inventory, etc.)
· Physical property
· Other, such as cyber or market dynamics
Managing risk has both a cost and a benefit which need to be balanced. Risk can be managed by being:
· Insured over
· Limited via contracts
· Purely accepted
· Entirely eliminated
Mitigating risk is what most organization focus on, and where AuditLabs has the biggest impact. Mitigation refers to the things an organization can do on a day-to-day basis to reduce risk, and can consist of enhanced policies and procedures, improved internal controls and segregations of duties, etc.
Insuring over risks is an approach for very focused risks, and one that every organization should consider taking. Think of professional liability or product liability insurance, D&O coverage, fidelity bonds, worker’s comp and property/casualty insurance, etc.
Limiting risk via contracts is a great way to reduce very specific risks, such as changes in commodity prices, currency exchange rates or interest rates. Hedging and similar transactions focus on these types of risks. Outsourcing to a contractor is also a way of reducing certain risks by shifting them to the contractor.
Purely accepting the risk is to simply not address it. There are many instances where the cost of any mitigation outweighs the potential benefit. There are other instances where it is inherent to the business – such as the risk of your workforce not showing up when you need them most.
Eliminating the risk is on the opposite end of the spectrum, but not necessarily the last resort. Elimination could be by exiting a business, selling an asset or terminating an employee.
We help our clients manage risk through mitigation- improving policies & procedures, testing adherence to policies & procedures and other internal controls, segregating duties, conducting internal audits, trainings, etc.
In our next post we talk about one of the most cost effective means to address risk; changing attitudes at your organization.