November 2022
by Michael Herrera, CEO, MHA Consulting
[originally published on mha-it.com; written by Colin Garrison based on an interview with Michael Herrera]
For the past few years the news has been a drumbeat of threatening events—and the beat seems to be growing louder. In such times, the best thing an organization can do is get serious about risk management.
An Unstable Global Environment
Not since the height of the Cold War has the global environment felt as shaky as it does now. The world is being rocked by overlapping crises and conflicts including the pandemic, economic uncertainty, the rise in extreme weather, the war in Ukraine, and rising tensions between the West and Russia and China, to name a few.
It’s enough to make an organization leader or business continuity professional feel unwell.
Organizations are worrying about what might happen if there’s a recession, the war in Europe widens, or tension with China makes our current reliance on them as a supplier untenable.
These days risk is at the forefront of everybody’s mind. It’s certainly on mine, not only in my role as a business continuity consultant but also as a business owner and CEO.
There’s one factor in all this that’s brand new. In the past, many organizations could paddle along just fine no matter what happened in the wider environment. They felt safe in their own little world. Nobody lives in their own little world any more.
The Best Response to Rising Turmoil
What’s an organization to do in an environment of rising global turmoil? I’ll start by listing a few things they shouldn’t do, in my opinion:
- Carry on as if everything’s fine
- Panic
- Freeze
- Hunker down
- Worry themselves sick
What should they do? I think they should take a good, stiff dose of risk management. In other words, they should begin, with high energy and commitment, working through the risk management cycle.
Breaking Down the Risk Management Cycle
The risk management cycle is the process of carefully analyzing the risks an organization faces, determining which pose the greatest threat to its ability to carry out its mission-critical operations, and managing those risks down by implementing some combination of the four risk mitigation strategies: risk acceptance, risk avoidance, risk limitation, and risk transfer.
I included MHA’s definitions of the strategies last time in my post on enterprise risk management. In case you missed it, here they are again:
- Risk acceptance is a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis.
- Risk avoidance is when an organization alters its behavior to eliminate a given risk.
- Risk limitation is a strategy involving a combination of risk avoidance and risk acceptance, in order to reduce risk without completely eliminating it.
- Risk transfer is when an organization passes risk on to another organization, such as by hiring a third-party vendor to perform a given function.
By applying some combination of these strategies to its greatest risks, an organization can go from being at the mercy of events to being the captain of its own fate.
Learning to Maneuver in a Risky World
The companies that are doing risk management well are doing it from the senior management level on down. The relevant policies and standards are integral to the culture of the organization.
I alluded to it above, but it’s worth repeating: successfully navigating risk in uncertain times does not mean going in your room, closing the door, and hiding under the bed. If you inform yourself about the risks inherent in various courses of actions, and take steps to mitigate them, you can still maneuver. You can still make acquisitions or add new products or services.
There are always people making money no matter what the economic environment is. Generally speaking, the people or organizations that thrive in adverse circumstances are ones who have learned how to use risk to their advantage.
What’s that old saying? “Keep your friends and your enemies closer”? Risk might be the enemy, but it’s an enemy you should get on close terms with. By becoming intimately acquainted with the risks your organization faces—and the measures you have implemented to mitigate them—you can act with confidence even in an unstable environment.
Making Risk Management Part of the Company Culture
I’ve been talking about risk management as though it’s a one-time treatment for a tough condition. Ideally, it should be more than that.
If the current situation spooks organizations into getting serious about risk management, then great. That’s just about the most productive thing they could do in response to today’s conditions.
But organizations should make risk management a routine part of their activities, no matter how the headlines are tending. It should become a part of the company culture. Regular review is necessary because conditions and organizations change. Ongoing mitigation is necessary because if you don’t take action, you remain vulnerable.
The bottom line is, if you don’t currently have a sound risk mitigation program, get started as soon as you can. And then keep it going.
Acting with Confidence in Uncertain Times
The world is presently experiencing a great deal of turmoil. Leaders and business continuity professionals are justified in feeling uneasy about what the future might hold. The best response to unstable conditions is not ignoring the potential for trouble or worrying too much. It’s engaging in active, mindful risk mitigation.
This kind of risk mitigation involves thoroughly assessing the risks and managing them down by using some combination of the four main mitigation strategies: risk acceptance, avoidance, limitation, or transfer. By becoming adept at risk mitigation, organizations can maneuver with confidence even in uncertain times.