By RICHARD LONG
The challenges of the COVID-19 pandemic have understandably monopolized most business continuity professionals’ attention over the past six months. In today’s post, I want to remind you of what the five types of risk are, talk about which have been getting neglected lately, and explain why it’s important to keep track of all five types of risk at your organization, even during a pandemic.
Since the coronavirus pandemic began, the people involved in managing risk at organizations have focused almost exclusively on two of the five types of risks. They’ve almost completely ignored the remaining three types. (Keep reading for the details.)
This tendency is understandable and even reasonable during an acute situation, but it’s not sustainable over the long term.
It’s time for organizations to resume taking a broad view of risk, and to get back to thinking about the risks they’ve been ignoring over the past several months.
Before we look at which kinds of risk have been getting short shrift for the past half-year, let’s have a quick refresher on the five types of risk.
THE FIVE TYPES OF RISK
In risk management, the risks that organizations face as they carry out their missions are commonly divided into five types:
- Operational. The possibility that things might go wrong as the organization goes about its business. Reflects the fact that assets, processes, and people can fail, leading to consequences for the business ranging from negligible to sizable to catastrophic.
- Financial. The potential costs or loss related to threats. This is often included in other risks, but should be considered separately as well. Can include lost revenue; delayed revenue; restricted cash flow; and cost increases (such as for labor or supplies).
- Strategic. The potential to limit the ability to execute strategies, achieve objectives, and make decisions. Strategic risks are those pertaining to the possibility the company is moving in the wrong overall direction. Could include changes in business demand or need; competitive changes or pressure; technological changes; senior management turnover; and stakeholder concerns or pressure.
- Compliance. The potential to fall out of compliance with the guidelines, laws, or contracts that the organization is obliged to operate under. This could happen if, for example, the company becomes unable to perform a certain function or loses the ability to monitor compliance activities. Common compliance areas include: regulatory requirements; best practices (as in accounting); elective compliance with standards such as ISO or ITL; and contractual terms and conditions.
- Reputational. The potential to lose financial, market, and social standing due to damage to reputation. This damage could be either warranted or unwarranted. Reputational risks include: management gaffes; criminal proceedings against the company or its employees; technology issues; strategic decisions; issues with product or service quality; and associations with vendors or partners. In recent years, social media has added a volatile new element to reputational risk.
RISK DURING COVID-19
The unique nature of the COVID-19 pandemic has had a curious result on how businesses think about risk. It has caused business to focus intently on two of the five areas of risk and virtually ignore the other three.
The pandemic has increased the focus on the two areas that can be thought of as short-term risk and led to the almost-complete neglect of the areas of risk that pose more long-term threats to an organization.
Can you guess what the two areas are that are currently getting all the attention?
The answer is: operational risk and financial risk.
This is understandable. Those are the areas that are about making the operational changes needed to keep the organization running during the pandemic (such as having staff work from home) and looking at the financial impacts on the organization of the current challenging environment.
Meanwhile, strategic, compliance, and reputational risk—which tend to be about longer-term threats and are the foundation of an organization’s long-term viability—have been virtually forgotten.
KEEPING TABS ON LONG-TERM RISK
It’s time we resume keeping tabs on our long-terms risks. In addition to considering operational and financial risks, we need to get back to looking at the threats posed to the organization by strategic, compliance, and reputational issues.
Operational and financial matters can seem more urgent in the short term. But strategic, compliance, and reputational problems have the power to do grave injury to the company over the medium and long term.
This is why it’s not wise to neglect those kinds of risks. They also need to be assessed, planned for, and mitigated in order to protect the company’s viability into the future.
It’s great when the operational side of the company is humming along like a well-tuned car. But if the company has made a mistake in terms of strategy, then that well-tuned car has been driving in the wrong direction. How long can your company survive while doing that?
Have you ever stayed up all night to finish an assignment for school or work? In the short term, finishing the assignment seemed more important than getting your sleep, and maybe it was. Does that mean you could do without sleep indefinitely? Sleep is a survival requirement for human beings. It’s similar for a company when it comes to keeping track of and mitigating its long terms risks in the areas of strategy, compliance, and reputation. Perhaps during an emergency, it’s justifiable to defer looking at these risks, but they can’t be ignored indefinitely, at least not safely.
The responsible company—the company that wants to protect its future—assesses and mitigates its risks across all five areas: operational, financial, strategic, compliance, and reputational.
MANAGING YOUR RISKS ACROSS THE BOARD
The following are some steps you could take to help your company get on top of its risks over all risk types (for more detailed information on how to manage risk, see the posts on risk listed below under FURTHER READING):
- Assess your risks over all five areas and identify those that have the highest probability of occurring and those that would have the greatest impact if they did occur.
- Develop a set of actions (such as avoiding, accepting, sharing, or reducing the risk) to align the risks with the company’s risk tolerance and risk appetite.
- Establish and implement policies and procedures to help ensure that risk responses are effectively carried out.
- Identify, capture, and communicate important information in a format and timeframe that enables people to carry out their responsibilities.
- Monitor the company’s risk management process and position and modify them if necessary.
- Assess the residual risk after you have developed plans and mitigation strategies.
THERE’S NO NEED TO GAMBLE
The risks businesses face in carrying out their activities can be divided into five types: operational, financial, strategic, compliance, and reputational. The COVID-19 pandemic drove many companies to focus almost exclusively on operational and financial risks, ignoring the other three. This was not an unreasonable thing to do in the early stages of the pandemic, but there’s no need to continue gambling in this manner. It’s time every organization got back to looking at the types of risks it faces over all five areas. To do otherwise is to needlessly jeopardize the organization’s long-term viability.
For more information on the types of risk, long-term risks, and other hot topics in risk management, check out the following recent posts from MHA Consulting and BCMMETRICS:
- Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- BCM’s COVID-19 Challenge: Coping with Chronically Degraded Capacity
- Take It Easy: It’s OK to Go Slow With Your COVID-19 Back-to-Work Plan
- Back in the Saddle: Resuming Regular BCM Activities
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.