The Basics of Risk Analysis in the Enterprise
Risky business – bad news? Not necessarily. While the word risk has a negative connotation for some, it’s a source of business opportunity for others. Good risk analysis and follow-on enterprise risk management (ERM) consider both the upside and the downside of risk. While unfavorable currency exchange rates, supply chain disruption or natural disasters can all contribute to losses, competitive opportunities or sudden availability of prime business real estate may be the way to increased profit. Risk analysis can and should show an enterprise both sides of the coin.
What are the Risks?
Practically everything can be characterized in terms of risk. However, some risks will be more important than others to any given enterprise. There is also the likelihood that some risks will be interrelated: for example, changing currency exchange rates and national business economies. Risks can be assessed for their importance (impact on the enterprise should they materialize) and their probability of occurring. Depending on the complexity of the analysis being done, software modeling of risks allows identification of the key risks and a measure of the importance of individual risks in affecting projected outcomes. Tools that can help enterprises better get to grips with their risk analysis include the ISO 31000 International Risk Management Standard.
Risks that may affect an enterprise include:
- Hazard risk: legal liability, damage to physical assets, natural disaster
- Financial risk: pricing, financial assets, currency rates, corporate liquidity
- Operational risk: customer satisfaction, product success/failure, reputation enhancement/degradation
- Strategic risk: competitors, market trends, investment funding
Is Every Enterprise Affected by Risk?
Yes, although not every enterprise takes the precautions to analyze or manage risk. The notion of enterprise also extends to non-profit organizations, educational structures and countries: risks for all of these can be modeled and analyzed in the same way as for a commercial company. Insurance companies are in a unique position in terms of risk analysis: not only do they do this for themselves, but by the very nature of their business, they are continually involved in identifying and assessing (negative) risks for other companies. And while banks have also traditionally been held up as paragons of risk analysis and management, events of the last few years such as the sub-prime mortgage crisis have shown that they too need to continually revise and update their risk analysis. Credit rating companies are also taking a closer look at how financial services organizations assess and manage their risks.
First Steps towards Risk Analysis
Risk analysis itself requires planning with clear definitions of the objectives. Input comes from people who can provide useful insights into risks affecting the enterprise and from available information, for example on the past outcomes of different situations. The ‘appetite for risk’ of the enterprise is also defined, before the probability and impact. Business modeling can be done at various points in this process, including SWOT (strengths, weaknesses, opportunities and threats) analysis in the objectives definition step.
What Can Go Wrong?
Doing a risk analysis can be a risk in itself! Quality risk analysis can be achieved by ensuring that data inputs are renewed and updated appropriately, the modeling process yields clear and meaningful results, and that those results are acted upon by the enterprise – meaning that enterprises must also guard against ‘paralysis by analysis’, where the process never finishes and no useful end-result is achieved.» Back