Many people think that risk management is only relevant to major organizations with big budgets who run mega-projects or who work in a regulated or safety-critical industry sector. Those of us who own or manage a small-to-medium-sized enterprise (SME) might be tempted to think that we don’t have time for risk management, or if we do have time then we’ll manage risk intuitively and without the overhead of a risk process or formal risk tools and techniques. But perhaps we’re missing something important that could help our businesses to succeed, create more value, reduce problems and make our lives easier.
Let’s start with the basics: Is risk a good thing or a bad thing? Everyone involved in an SME knows that it’s risky, especially in the early days, and there are many ways it could all go wrong. But we also know that the entrepreneurial spirit that drives so many SMEs requires us to take risk. Unmanaged risk can certainly sink an SME, as it leads to wasted resources, damaged reputation, loss of market share and demotivated staff. But informed risk-taking can support innovation, creativity, enhanced performance and value creation.
A useful way to think about risk is as “uncertainty that matters”. We don’t care about every uncertainty in the world, only about those that have the potential to affect our goals and objectives. It’s true that if an uncertainty could lead to additional cost, reduced performance or poor stakeholder relationships, then it matters – we need to know about these risks and deal with them proactively. But it’s also obvious that uncertainties that could lead to cost savings, productivity gains or improved reputation also matter – and we need to know what they are and capture them where possible.
Modern risk management aims to avoid or minimize threats (downside risks), to protect us against their damaging effects. But it can also help us to capture or maximize opportunities (upside risks), turning them into additional benefits and value. And anyone responsible for an SME will surely be interested in doing both these things – minimizing threats and maximizing opportunities, protecting ourselves from avoidable problems at the same time as ensuring that we take advantage of every possible upside.
So it’s clear that SME owners and managers need to manage risk. But how? Surely we can’t afford the overhead of a bureaucratic process, taking time out for risk workshops, creating risk registers and reports, then making sure these are kept up to date? We need to be much more agile than that, so obviously we can’t waste precious time on risk management, right? Well maybe.
There are six basic questions that any manager will naturally be asking themselves:
- What are we trying to achieve?
- What might affect us achieving these goals?
- Which of those things are the most important?
- What shall we do about them?
- When we took action, did it work?
- What’s changed and what have we learned?
At its root, the risk process is structured around asking and answering these questions. Each process step relates to a question, starting with objective-setting (Question 1), then risk identification (Q2) and risk prioritization (Q3). When we know the worst threats and the best opportunities, we can plan responses to address them (Q4), then we should implement those responses and see if they worked in some sort of risk review (Q5). Finally we need to remain alert to changes in risk exposure (Q6).
By using these simple questions as a framework, we can make the risk process scaleable for any size of project or organization. Big companies like NASA, Boeing, Rolls-Royce, Shell or Pfizer will need a detailed risk process to cope with the many major risks they face across their businesses. They may choose to employ full-time risk managers or use specialized risk software, with monthly risk workshops and detailed risk reports. But an SME can run through these same six questions in a team meeting in an hour or so, following the same outline process but with less formality. The important thing is to match the level of the risk process to the risk challenge faced by the business.
Risk is important to SMEs because we need to take controlled risk in order to create value. We need to find and counter the real threats to our business, at the same time as identifying and pursuing opportunities that could help us achieve our goals. But the risk process need not be heavy or present an insurmountable barrier to the smaller organization. We can run a flexible risk process by asking and answering key questions to focus our attention on the key risks, allowing us to take effective action fast.
Running an SME requires effective management of both threats and opportunities if we are to survive and thrive in our uncertain world. The success of our businesses is too important to be left to chance!