6 Ways to React to a Risk

January 12, 2016

Many people assume that anytime an organization is faced with a risk, efforts must be made to mitigate the risk. While best-in-class organizations seek to mitigate and reduce risks, reality is more complex. There are many ways to react to a risk, including doing nothing. The ISO 31000 Risk Management standard mentions six ways of treating risks. Sometimes the differences between the risk treatment options are so subtle that they may go unnoticed. But each risk treatment option has different impacts on costs and processes. Let’s take a look at each of them, along with examples.

1) Avoid the Risk by Completely Eliminating a Process or Activity

This is known as “Risk Avoidance”, and is perhaps the most radical approach to treating a risk. Under this scenario, a process or activity is entirely eliminated because the costs of other risk treatment options are too high, or because the costs of treating the risk outweigh the business benefits. However, before choosing this option, it is important to consider the impacts on business objectives (e.g. loss of potential revenue, lower profit margins, increased operating costs, reduced worker productivity, etc.).

Example: A chemical manufacturer decides not to sell a product line in Japan, because there are too many local regulations to comply with, thus the costs of mitigating regulatory risks are too high. While this would avoid regulatory risks for Japan, the company must take into account impacts on its revenue (i.e. Japanese sales forecasts) and its competitive positioning (i.e. how competitors may benefit from the decision).

2) Remove the Risk by Removing the Source of the Risk

This is known as “Risk Removing”, and it resembles “Risk Avoidance”, but there are differences regarding costs and processes. Under this scenario, the risk is successfully mitigated by completely removing the hazard(s) that create the risk in the first place. Unlike “Risk Avoidance”, the process or activity is not eliminated. Rather, the risk of an incident or adverse event associated with a process is removed by getting rid of a hazard or hazardous condition.

Example: A coating (e.g. industrial paint, ink, varnish, etc.) is applied by a worker through spray painting. The coating contains chemicals that create an inhalation hazard, which can lead to respiratory problems for the worker applying the paint or for other workers in the same area. The risk of respiratory problems is removed by switching to an application technique other than spray painting, such as dipping, brushing or flow coating, and to a different coating. The new technique does not release chemical particles into the air, thus removing the hazard.

3) Reduce the Level of the Risk Through Controls

This is known as “Risk Changing”, and it’s the approach that most people are familiar with. Under this scenario, the level of a risk is reduced by introducing or modifying controls that reduce the likelihood of an incident, adverse event or unwanted consequence. In addition, the residual risk (what is left after the inherent risk is reduced) is assessed to determine if it is acceptable and if additional controls are required. When choosing this risk treatment option, the costs of implementing controls must be weighed against the costs of not reducing the risk or the costs of other risk treatment options.

Example: A consumer products manufacturer is concerned about the reputational risks that an actor in its supply chain may create. This can be the result of the social or environmental performance of the supplier, or because of the potential presence of toxic chemicals in materials purchased from the supplier. To reduce reputational risks associated with the supplier, the company decides to send an annual questionnaire to the supplier, and also proposes to conduct on-site annual audits of the supplier’s facility. In addition, the company takes steps to identify alternative suppliers, in case it needs to change suppliers.

4) Share the Risk Through Insurance or Outsourcing

This is known as “Risk Sharing”, and it involves transferring the risk to a third party, i.e. an insurer or a contractor. This risk treatment option becomes attractive if a company: 1) struggles to reduce the risk to an acceptable level, 2) lacks the expertise to manage the risk, or 3) considers that transferring the risk is more cost-effective. It is very important to note that sharing a risk does not mean sharing responsibility. A company will still be viewed as responsible for any incident resulting from a risk, even if contractors were involved.

Examples: 1) A construction company using vehicles takes an insurance policy to obtain compensation if a vehicle breaks down and impacts operations. The insurance policy can include providing a temporary replacement vehicle at no cost until the malfunctioning vehicle is repaired, or a claim payment to compensate for operating losses. 2) An automotive company uses laboratory testing services of another firm in order to make sure that automotive parts meet the company’s quality and safety standards.

5) Do Nothing and Accept the Risk

This is known as “Risk Retaining”, and it means taking no measures to address the risk and living with it. Under this scenario, the risk is tolerated for one of the following reasons: 1) it is seen as a “normal” part of doing business, 2) the consequences are not that severe and have limited impact, 3) other risks are of higher priority, 4) the level of the risk does not meet the criteria that would require risk mitigation, or 5) it is impossible to implement controls or to insure against the risk. While risk retention is acceptable, it is nevertheless important to document the decision to show stakeholders that the organization is aware of the risk being retained.

Example: A mining company has purchased a new model of excavator for an open-pit mine. The company is the first in the industry to use this new excavator model. Because the model is new to the market and has not been in use for long, its long-term track record and performance in the field are unknown. This creates a risk that the new excavators may break down and require maintenance more frequently than other, established models. Nevertheless, the company decides to accept the risk because the mine where the new excavators are used is responsible for only 8% of the firm’s global revenue, and the new model represents only 30% of all excavators used at that mine.

6) Increase the Risk to Increase an Opportunity

Some may think that this risk treatment option, “Risk Increase”, should not be on the list, but we included it because ISO 31000 talks about it. There are instances where exposure to a type of risk is the result of pursuing a new business opportunity or a process improvement opportunity. If the potential gains from the opportunity exceed the costs of the risk (e.g. the costs of implementing controls, or the costs brought about by the potential consequences of the risk), a decision could be made to increase the risk in order to increase the opportunity being pursued.

Example: A petroleum refining company implements a costly new technology to control air emissions at one of its refineries. The new technology creates a risk that profit margins may be negatively impacted. Anticipating new environmental regulations and increased pressure from stakeholders to improve environmental performance, the company expands the new technology to additional refineries, despite the costs, and pursues the following opportunities: 1) complying with potential new regulations more quickly than the competition and therefore gaining a competitive edge, 2) reducing potential regulatory compliance risks, and 3) improving its corporate reputation.

Finally, there are two key takeaways to remember. First, risk management involves tradeoffs. It requires human judgment that takes into account internal and external factors. Specifically, two types of tradeoffs must be managed: 1) the costs of controls versus the consequences of risks, and 2) the rewards or opportunities of taking on risks versus the consequences of those risks. Second, under no circumstances is the denial of a risk an option. Even if a risk is accepted, its presence must be acknowledged to provide stakeholders with an accurate assessment. This is a matter of effective risk management and also a matter of proper governance.