The Pragmatic Way to Risk Mitigation
Whilst in the middle of a heavy and unexpected crisis, company leaders are asked to keep looking far ahead and shape the future of their company by (re-)designing the strategy and how to implement it.
Current times are full of worries and threats; every day, more negative than positive news captures our attention. How can we concentrate on our business, sailing in calm waters and heading to a bright future? Yes, company leaders must keep this attitude! Nobody else can do this; it cannot be delegated. And recent research proves that CEOs like crafting strategy more than any other task they are responsible for!
Nevertheless, we are all prone to see risks everywhere now during the COVID-19 crisis. This was a risk that nobody was really ready to mitigate. Nobody actually ever thought it could ever become real!
In our lives as leaders, and in our companies, we may face many risks that need to be considered and need a mitigation plan. How do we identify and prioritize risks?
I apply a good pragmatic method derived from FMEA. FMEA stands for Failure Mode and Effects Analysis and was invented by the US military in the late 1940s. I am not going to describe in detail what that is (there is plenty of literature about it), but I want to describe how I use it to prioritize risks. The beauty of this approach is that it helps to put some objective criteria into an exercise that could otherwise be very theoretical and subjective. FMEA is a semi-quantitative evaluation.
The first step for all companies should be to define a risk catalog. This can be structured around three main areas: strategic risks, financial risks and operational risks. Many would probably ask now, “What type of risk is COVID-19?”. It affects all three areas! Our strategy is put in danger and is no longer valid, at least in the mid-term; the company’s cash flow and share value are depleting; employees and other resources (e.g. materials) are not available right now. The risk catalog is a good start but is also a dangerous tool: if all the risks were equally important, where should I start the mitigation from?
FMEA helps me here to prioritize by assessing each risk under 3 lenses: Severity, Occurrence, Detection. What does that mean? Let’s look at them one at a time.
- Severity. This is the impact that a certain risk could have on my company. Impact can be defined in many ways; it depends on which type of organization I am leading (e.g. privately owned company, NGO, etc.) and what its main business is. In general, I use a financial indicator to rate Severity, e.g. EBITDA decrease or cost increase. Severity (S) is given a numeric value in the range 10-1, where the highest value is the worst scenario, or highest impact.
- Occurrence. This is the likelihood that a certain risk will materialize. Estimating Occurrence is a tough job, but we can follow 2 guidelines: 1) Use data as much as it is available. Events have often happened in the past (e.g., supplier failure, strikes, IT virus, order cancellation) and some data could help us to estimate their frequency. 2) Don’t pretend to be exact; use the “80-20 rule”, be pragmatic and realistic. Even a “70% guesstimate” has higher reliability than just gut feeling. Occurrence (O) is also given in the range 10-1, where 10 is most likely to happen.
- Detection. This is the ability to detect in advance that something is going to happen. For me this factor is sometimes the only one we can really influence, and it is a must for a leader to thoroughly understand how. Simple examples of increasing Detection are available in everyone’s daily life. A smoke detector is a detection mechanism to warn that a fire may be starting inside a hotel room. By mandating this, authorities reduce the risk that human lives are put in danger when a fire is out of control. In our daily management tasks we can increase detection by installing the right performance management system to detect in advance when a “leading indicator” (e.g. Order Intake) is going down and might lead its “lagging indicator” (e.g. Revenues) to deteriorate. Detection (D) follows the range 10-1; the value 10 means no detection available.
My first draft is now available. How? Multiplying the three factors will lead to the RPN or Risk Priority Number: S x O x D. Risks with higher RPN are those that need a mitigation plan.
Before freezing this list and starting to work on mitigating actions, we should stop and validate the outcome. The way company leaders use their brain and experience makes the difference between good and excellent ones. Never blindly trust the result of a formula without some sanity check. Are there unexpected results in the ranking? Why? Are the assumptions double-checked and plausible? Often we estimate something that is very far from our control, e.g. market development for an innovative product. Here it is best practice to develop scenarios. By doing this, our risk assessment will have a realistic and a pessimistic scenario.
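As an added illustration (not part of the original article), the sketch below computes the RPN for a small catalog under a realistic and a pessimistic scenario and flags risks that reach the top of the ranking only in the pessimistic case. All scores and the names `Score`, `CATALOG`, `rank`, `sanity_check` and `improve_detection` are constructed for this example.

```python
# Added example: every S/O/D score below is constructed for illustration.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Score:
    severity: int    # S: 10 = highest impact
    occurrence: int  # O: 10 = most likely to happen
    detection: int   # D: 10 = no detection available

    def rpn(self) -> int:
        """Risk Priority Number: S x O x D, each factor limited to 1..10."""
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")
        return self.severity * self.occurrence * self.detection

# Constructed catalog: risk -> (realistic, pessimistic) scenario scores.
CATALOG = {
    "supplier failure":   (Score(7, 4, 5), Score(8, 6, 5)),
    "strike":             (Score(5, 2, 3), Score(6, 3, 3)),
    "IT virus":           (Score(8, 3, 4), Score(9, 5, 8)),
    "order cancellation": (Score(6, 5, 2), Score(8, 8, 4)),
}

def rank(catalog, scenario):
    """Risk names by descending RPN; scenario 0 = realistic, 1 = pessimistic."""
    return sorted(catalog, key=lambda r: catalog[r][scenario].rpn(), reverse=True)

def sanity_check(catalog, top_n=2):
    """Risks that enter the top-N only under the pessimistic scenario."""
    realistic_top = set(rank(catalog, 0)[:top_n])
    return [r for r in rank(catalog, 1)[:top_n] if r not in realistic_top]

def improve_detection(score, new_detection):
    """Same risk after a better detection mechanism is installed (lower D)."""
    return replace(score, detection=new_detection)

if __name__ == "__main__":
    for scenario, label in enumerate(("realistic", "pessimistic")):
        print(label)
        for risk in rank(CATALOG, scenario):
            print(f"  {CATALOG[risk][scenario].rpn():4d}  {risk}")
    print("review assumptions for:", sanity_check(CATALOG))
    better = improve_detection(CATALOG["IT virus"][0], 2)
    print("IT virus RPN with D=2:", better.rpn())
```

A risk returned by `sanity_check` is one whose priority depends on the scenario assumptions, so those assumptions are the ones to double-check before freezing the list.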
Risk mitigation is not an exact science and can be done in different ways. But my observation in this recent crisis is that too many plans to mitigate risks are useless and not actionable. Some companies don’t even have one! I strongly believe that a proper, thorough risk analysis is a must-do for company leaders who consider it their duty not just to design a strategy but to do their best to implement it.