A framework for identifying risks

John Coulthard
4 min read · Jan 7, 2021

The primary challenge for any manager tasked with a risk audit is where to start.

You may have noticed that there is a great deal of discussion about risks these days: a double-dip recession, a Bitcoin collapse, interest rate rises, inflation. When the Bank of England published its “EU withdrawal scenarios and monetary and financial stability” report, it stated that less than 20% of UK businesses had a hard-Brexit plan (see para 2.2.5 of the report). You might imagine that business leaders and stakeholders should have asked for a review of Brexit risks, now that we are no longer part of the EU (we are still part of Europe!).

Finding a structured approach is an excellent place to begin. In 2012 the Harvard Business Review published “Managing Risks: A New Framework” by Robert S. Kaplan and Anette Mikes, which suggested a framework for structuring risks and identified three categories:

  • Preventable
  • Strategic
  • External

The HBR framework does provide a structure for reporting threats. However, it doesn’t help to identify the areas of risk. Unless you know where to look, how do you know you have not missed a whole group of risk types?

In 2014, Enterprise Risk Management (ERM) professionals developed the Enterprise Risk Management Integrated Framework (ISACA); it focuses on defining a language to describe identified risks. Again, it does not help the general manager to detect and diagnose hazards, but it does provide greater granularity in classifying risks. It’s a more structured way of reporting than the HBR article of two years earlier. Both start with risks and their classification, and this is not how general managers view company operations. What’s needed is a better way of identifying areas of risk in the first place, one that naturally fits the way business managers think.

Business management has, in its purest form, three distinct loci of business activities. These areas are:

  • Business Operations — all of the activities that make up the Business
  • People — employees, customers and the public
  • Intellectual Property — the IP that is the basis of the company; it might be a unique product or a standard service provided to local or specialist communities. It’s the knowledge of the Business.

Think of this as a business Venn Diagram: three overlapping pools of light covering all the subdivisions of business activity. The shaded areas provide a focus around which business activities happen, so where Business Operations overlap with People we find employees, and where all three join we find customers. The Venn Diagram (figure 1) identifies areas of business activity: operations, sales, marketing, people management, quality, IP management, etc.

Figure 1. Copyright John Coulthard

The diagram provides a key that can be used to identify business risks. While risks fall into the three main areas, less obviously they also lie in the subdivisions where activities overlap.

Business operations — these are the operational risks, and they include:

  • Manufacturing, sales and marketing practices (note this overlaps with IP)
  • Tradition and methods of the Business
  • Finance audit and control criteria
  • Information Technology
  • Manufacturing practice
  • Services
  • Physical and IT security

The audit must include formal and informal business practices; some risk will lie in the history and traditions passed down between employees. These are often hard to define but can be some of the most significant threats.

People — the People circle of the Venn Diagram includes everyone directly, indirectly or possibly affected by the Business. Members of the public can be Customers and/or Employees, but they can also be passers-by who may be placed at risk by the Business. Think of the Caribbean’s fishermen after the BP Deepwater Horizon disaster, or the citizens of Bhopal. These risks include:

  • Employees
  • Customers
  • Suppliers
  • Supply chains and logistics partners
  • Advisors
  • Contractors
  • Public — those that interact with the Business and those that may be unwittingly affected by it.

Intellectual Property — this circle includes the detail that defines the business’s way of doing things. Think of it as the paperwork that stitches everything together:

  • Finance, tax and banking rules
  • Loans
  • Customer lists
  • Manufacturing plans and processes
  • Registers
  • HR rules and Regulations
  • Customer and supplier CRM data
  • Security
  • Ownership
  • Leases
  • Contracts
  • Deeds and titles
  • Legal
  • Guarantees
  • Liability
  • International Standards and measurements

This diagram aims to identify areas of risk in a Business; the structure is flexible, and each subdivision can be changed to meet each industry’s needs. You may find that the HBR or ISACA frameworks are useful for reporting the risks you have identified, the latter being a much more comprehensive framework than the HBR one.

Of course, actively mitigating the most likely risks and threats is another long-term business activity, one that must reduce the likelihood, seriousness and outcomes of each identified risk.

Good Luck!
