While entrepreneurs and business leaders are still adjusting to the “new normal” brought about by Covid-19, a new extraneous event has come as a shock — the Russia-Ukraine conflict.
We are already feeling its impact in terms of high fuel prices and the escalating costs of food and commodities. Interest and inflation rates will most likely surge and global economic growth will slow down.
Coupled with the forthcoming national elections, which have been described as turbulent due to the divisions between political camps and supporters, the external landscape is fraught with risks.
But not all risks are external to an organization. There are risks related to operations and people, like the Covid-19 infections, that may disrupt operations, or those related to internally instigated cybersecurity breaches. These are easier to manage with the establishment of policies and procedures.
Rule-based risk management, however, will not lessen the impact of external factors such as a pandemic, disasters, calamities, financial crises, and the impact of wars.
A framework I use in understanding and managing risks is from Robert Kaplan and Anette Mikes who, in the article “Managing Risks: A New Framework” in the June 2012 issue of the Harvard Business Review, presented a new risk categorization that allows executives to tell which can be managed through a rules-based model and which require alternative approaches.
According to the authors, the first step in creating an effective risk management system is to understand the qualitative distinctions among the types of risks that organizations face. Based on their research, risks fall into three categories.
Category 1 comprises preventable risks. These are internal to the organization, are controllable and need to be eliminated or avoided. They are mostly due to breakdowns in routine operational processes such as unauthorized, illegal, unethical, incorrect or inappropriate actions by personnel.
Organizations should have a zone of tolerance for oversights, defects or errors that will not result in severe damage to the organization and for which achieving complete avoidance is too costly.
Generally, they should seek to reduce, if not eliminate, these risks since they don’t derive any strategic benefit from taking them on. A rogue trader or a salesman bribing a government official may produce some short-term profit, but over time, such actions will be damaging to the company’s value.
This type of risk is best managed through active prevention such as closely monitoring operational processes and constantly guiding employee behaviors and decisions toward desired norms. There is considerable literature already existing on rules-based compliance approaches.
Category 2, meanwhile, is that of strategy risks. An organization consciously takes on some risk in order to generate superior returns from a strategy. For example, a bank assumes credit risks when it lends money or many companies take on risks through research and development activities.
Risks arising from strategy formulation and implementation are quite different from preventable risks because they are not inherently undesirable. A strategy that expects high returns generally requires the company to accept significant risks and managing these is a key driver in capturing potential gains.
To manage strategy risks, the organization needs a risk management system instead of a rules-based control model. This is to reduce the probability of the assumed risks materializing and to improve the organization’s ability to manage or contain the risk events should these occur. The system should enable companies to take on higher-risk, higher-reward ventures instead of stopping them from trying risky activities or investments.
Category 3, lastly, involves external risks. These arise from events outside the organization and are beyond its influence or control. These include natural disasters and political/major macroeconomic shifts. Because organizations cannot prevent such from happening, management must focus on identification and impact mitigation. Executives can deal with external risks by using tools such as scenario planning, long-range analysis, and war gaming.
It pays to understand the categories of risks that your organization is facing and correspondingly apply the appropriate tools to manage the risks. As it appears, we will be facing more risks in the near and medium-term.
The author is the founder and CEO of Hungry Workhorse, a digital and culture transformation consulting firm. He is a fellow at the US-based Institute for Digital Transformation and teaches strategic management in the MBA program of De La Salle University. The author may be emailed at firstname.lastname@example.org.