3 Types of Risk you Should be Managing!
We often meet managers who have a solid understanding of the concept of risk, and enterprise risk management, but who have a narrow view of what risk actually is.
For them, risks are bad. They represent things that could go wrong. Risks should be managed out of existence.
While that’s certainly one way of looking at risk (and a common way), those negative risks aren’t the only type of risk facing your company. And you don’t have to try to remove all risk to be a good risk manager.
Let’s look at the 3 types of risk your business is facing. The people in risk management roles in your business should be taking all of these into account for their planning.
1: Hazard Risk
Hazard risks are the kind your project managers will be very familiar with. These are risks that could stop you from achieving what you want to achieve. If something creates uncertainty on a journey to completing something else, and the outcome would be negative, then that’s a hazard.
For example:
- The cost of construction materials rising, making your contract less profitable
- Your key member of staff is taken sick
- The local government decides to build that theme park they’ve been thinking off right next to the wildlife reserve you run, with all the environmental impact that would have
- There’s a fire at the warehouse and all your stock is damaged
- You are hit by a cyber attack due to poor security patching on your IT network.
And you can, no doubt, come up with dozens of others from your own corporate risk registers.
Often organizations include compliance risks in this category, where failure to comply with regulation or governance requirements has a bad outcome. You might get fined, for example, for breach of regulatory standards.
You may choose to manage the risk aggressively, taking steps to make sure it could never happen, or if it did, it could never disrupt your business. For example, you could have a completely separate IT network running an identical system, so that if one system was hacked, the other could be switched on and run safely.
In reality, that solution would be technically difficult, expensive and hard to manage, and overkill for the likelihood that you’ll be hacked. There are some risks that would have a negative outcome for the business but that you would choose to manage with a lighter touch.
Treating everything as a negative is a pitfall of risk management, so watch out for that.
The next type of risk is precisely the opposite of bad things happening.
2: Opportunity Risk
Your more experienced project managers will be familiar with opportunity risks at a project level. This type of risk is also relevant at a company-wide level.
Opportunity risk is where something might happen and the outcome would be positive. Typically, you would take the risk, because you believe the outcome is worth it.
That could mean investing in new product development when the market is tough because you believe in the product. Hopefully, that new product will be worth the risk of the investment and generate a lot of customers for your business.
Opportunity risk doesn’t always have to be about money. It’s about all kinds of positive outcomes. The benefits could relate to staff morale, customer satisfaction, your reputation in the industry or your commitment to environmental sustainability.
All of these would present an upside for the organization but may involve taking a risk to get that return.
3: Other Risk
Yes, there is a catch-all bucket category of ‘other’!
In this category, your business will face risks that are about control. For example, buying car insurance. The act of buying insurance won’t stop your car breaking down, but it’s widely seen as a sensible option to manage the situation, should you find yourself by the side of the road with a vehicle that won’t go.
Control risks are sometimes created by law. There are things you absolutely must do because the state deems that the situation warrants it. However, some are just common sense good practice, such as having your car serviced regularly. You aren’t obligated to do take the car for servicing, but it’s a sensible thing for car owners to do.
You could bundle all of these risks into the Hazard category, if that better suits the way you manage your business risk. Ultimately, it doesn’t really matter how you put risk into groupings. The groups or categories are only there as a prompt to help you identify the risks facing the company so you can take active steps to manage them.
At an organizational level, you are typically only recording the significant and major risks affecting the business. Department leaders would have their own detailed risk registers, and project managers also have their own for the work they lead. Risk cascades up the organization to the top so the substantive risks end up being managed and monitored centrally. This information allows senior managers to take decisions based on the current and predicted risk profile of the organization.
Risk management training is one way to make sure your risk team are taking all these different types of risk into account. When your business is looking at risk on an enterprise scale, you can make better decisions and use your management information more intelligently.
So, do you have these 3 types of risk recorded on your enterprise risk management software? And if not, are you able to take steps to broaden your internal definition of risk to include other types of uncertainty and what you do about it?