I like to think that effective risk management helps the managers of an organization, at all levels, make the informed and intelligent decisions necessary for success – reliably achieving enterprise objectives considering all the things that might happen, both positive and negative.
It’s not about managing the possibility of harmful events or situations.
It’s about managing the likelihood and extent of success.
The likelihood and effect of harmful events and situations, including the consequences of decisions, have to be weighed against the positive outcomes that may arise, and the right risks taken for success.
Let’s consider the things that might flow from a decision.
Imagine we are thinking of raising the sales price of our flagship product. A number of things might happen:
- Revenue is likely to increase in the short term, especially until customers are willing to change suppliers because our competitors have not increased their price.
- The additional revenue could fund further investment in our product line, with positive longer-term revenue increases.
- But, customers might also be unwilling to pay the higher price, impacting revenue. The change might be immediate but it could also be longer-term.
- There might be an impact on our reputation, with both short and, especially, longer-term consequences. Perhaps we are no longer seen as a low-cost provider. Perhaps we are seen as a company that takes advantage of its customers. The likelihood is greater that this will harm our reputation than benefit it. Revenue could be impaired, particularly in the longer-term.
- On the other hand, our competitors might increase their prices right away. Any negative effect would likely disappear, leaving only the positive revenue and cash flow impacts.
- But, they might seek to take advantage, perhaps with an aggressive marketing campaign, seeking to steal customers and revenue.
Multiple things might happen if we increase our prices.
The effects are not all immediate, with some potential longer-term and even permanent impacts on our business.
We can change their effect if the price increase is lower, raise them if the increase is greater.
But we need to look further and deeper.
Each of the scenarios that can be envisaged leaves us in a changed situation. Before we can decide whether and by how much to change our prices, we need to consider whether those situations would be acceptable. If not, what can and should we do?
The options facing us to treat unacceptable situations flowing from our initial price decision will themselves have a range of effects, often a combination of potential and negative consequences. They will lead to another set of situations where we might have to make decisions and act.
For example, a price change now might change our perception in the marketplace as a low-cost supplier of quality products. If that will have a negative effect on revenue, what are we going to do about it? Can we modify our own marketing campaigns? Can we justify it based on quality or other factors like customer service or warranty periods? Can we take advantage of it to reach premium customers?
Let’s say we decide to increase our marketing budget to counter any reputation impact. That money has to come from somewhere. Perhaps our budget for marketing our other products and services will be impaired.
Where am I going with this?
A so-called risk assessment that only focuses on shorter-term effects (even if it includes both positive and negative effects) is limited in its value. Some effects occur later. We may need to act either to address those negative effects or take advantage of opportunities. All of that needs to be considered before an intelligent and fully informed business decision can be made.
There’s a domino sequence of situations that flow from any potential decision. Making a decision now without considering longer-term consequences can have disastrous results.
Consider the US invasion of Iraq. If we were to use all the benefits of hindsight to see what might happen, a series of situations and responses to them, we would probably question the initial decision.
A gives rise to B (after consideration of options), which gives rise to C (again, after considering options), which gives rise to D – and so on.
Are decision-makers thinking through the full range of potential consequences, including those over time and the responses and effects of the responses to them – and so on, for a long period of time?
Is the risk manager helping people make these considered decisions, not only with information and analyses but with quality decision-making processes?
If there is a lack of quality in decision-making, shouldn’t internal audit be drawing attention to it?
Which is the greater risk or threat to an organization, a data breach by outsiders or an inability to make quality decisions?
I welcome your thoughts.