You've now analysed and evaluated the risks to the organisation, division, department or project. You should now have a pretty clear picture of the priorities of these risks and, importantly, those that require a judgement to be made on treatment options.
There are seemingly a myriad of ways to treat risks - reducing the likelihood of a threat or increasing the impact of an opportunity, or getting rid of the risk altogether. Generally you'll find that the options fall into one of four categories:
Avoid the risk
Reduce the risk
Transfer the risk
Accept the risk
So let's look at each option in a bit more detail.
Avoiding the risk is pretty straightforward. You avoid processes, systems or arrangements that give rise to the risk.
Say the organisation was looking to expand its operations to a new country. The opportunity is attractive as there is a large population and a demand for your product or service. However, corruption is rife and getting required permissions to establish a presence in the country will require frequent dealings with a variety of government departments and private entities.
For an organisation with zero tolerance for bribes, corruption or any form of illicit payments, this opportunity would not be worth the risk to their reputation so they would avoid the risk.
The above is a fairly complex case - frequently the avoid decision will be more straightforward. For example, if a task is unsafe for staff members, then eliminate the task or find another way to get it done.
Reducing the risk is the choice made where the threat (or opportunity) is one that is vital for the organisation to stay in business, and therefore can't be avoided.
So the challenge for the organisation is to mitigate these risks to minimise the likelihood of the threat eventuating or maximise the chance of the opportunity being realised.
Efforts can also be focussed on minimising the impact should the threat materialise or maximising the benefit in the case of an opportunity.
Say for example our business operates in an area prone to earthquakes. Alternative sites are not an option and for the business to thrive and survive it needs to be located in this region.
To reduce the risk, we build using earthquake-resistant material and techniques (remember, the hazard is the earthquake; the risk is the building collapsing as a result of an earthquake), thereby lessening the likelihood of the risk eventuating.
Organisations will also have strategies in place to minimise the impact of a risk should it eventuate. Often known by the term Business Resilience, the elements are:
Emergency response plans
Business Continuity plans
IT Disaster Recovery plans
Crisis Management plans
Transferring the risk means moving the impact of the risk, in part or fully, to a third party. There are a few different ways to accomplish this.
Insurance is the most well-known and common form of risk transfer. For the payment of a premium, the insurer will assume the consequences of the risk occurring. Usually there is also a deductible or excess payable in the event of a claim.
Hedging is a financial instrument used to transfer risk. For example, if the organisation buys goods from overseas, a significant movement in the exchange rate could seriously affect the business. To avoid this, organisations can buy a 'hedge' which locks in the exchange rate at the agreed amount.
Outsourcing or co-sourcing also enables risk transfer. Access to specialist skills, additional resources or just capability to do 'non-core' work reduces the risk to your firm of carrying out those activities itself.
Finally, joint ventures or partnerships are also ways of transferring risk, or specifically sharing risk. Bringing on board another party provides additional finances, people and skills, systems, etc. to improve the likelihood of the opportunity being realised. While sharing the benefits, any downside is also spread amongst the venturers.
When transferring risks, it's worth remembering that there is no such thing as a free lunch! There will be a financial impact on the organisation to transfer risks - the question is whether the cost is less than the impact of a risk being realised.
Accepting the risk means just that. There are some risks that the organisation will be able to do very little about. For others, the cost to treat the risk may be prohibitive (especially when compared to the potential impact).
In these cases, an organisation accepts that an uncertain outcome may occur. But this doesn't mean do nothing - at the very least, response plans should be thought through in the event that the risk eventuates.
Funding may need to be put aside to address potential losses and to recover the organisation back to 'business as usual'.
Whether a risk is accepted because it is not feasible to treat it, or because it is considered a low risk, it should still be monitored on an ongoing basis in case the situation changes.
It is also worth having in place a process that determines who is allowed to accept a risk on behalf of the organisation - 'low' risks may be a functional manager's call, whereas 'very high' or 'extreme' risks should require CEO and Board approval.
Treating risks may seem like the culmination of all of your risk work and in some ways it is. But it is not the end! How do you know the treatment is working? Or if the situation has changed? We'll review the next step, Monitor and Review, in the next post.