4 Risk Response Strategies You Will Have to Consider after Assessing Risks

Decisions, decisions…

It seems like it never ends, right?

Between deciding what to do for lunch, when to fit that meeting in and what you’re going to wear to the upcoming conference, there are other decisions that you and risk owners will need to make regarding risks you’ve identified and assessed.  What are we going to do now?

Which of the following 4 risk response strategies you choose will depend on a variety of factors internal to your organization, but the chief measuring stick should be how the particular risk aligns with your risk appetite. If you want to know more about risk appetite, check out my previous article on ERM governance, which includes setting risk appetite and risk tolerance.

If your company has zero appetite for a particular risk, it will be wise to avoid it. Risks that can jeopardize employee safety or that knowingly violate a law or regulation are a couple of common examples. If the risk is more than the identified risk appetite, you can reduce or mitigate the risk to bring it within acceptable limits.

Keep in mind, a risk response strategy can change over time, which is why consistent monitoring of known and emerging risks is important to ensure you are taking the right route.

Continue reading to learn more about the 4 possible risk response strategies for handling strategic, operational, legal or any other risks you identify in your organization.

Risk response strategy #1 – Avoid

As the name implies, quitting a particular action or opting to not start it at all is one option for responding to risk. When you choose the avoidance option, you’re closing off any possibility that the risk will pose a threat to your enterprise. As explained above, companies will often choose this option if the risk will impact employee safety, violate the law or pose a threat to the company’s existence.

Examples of risk avoidance can include halting production of a product line, selling a part of the company or deciding against some sort of expansion.

While this may seem like an attractive option, it’s not always practical. Companies that exercise the avoidance option too much can end up operating well below their risk appetite. According to a report from McKinsey and Company, companies that rely on the avoidance option too much “…can actually squander reasonable opportunities to grow and achieve enterprise objectives.”

However, if there is absolutely zero tolerance for the risk in question, then avoidance is the proper risk response strategy.

Risk response strategy #2 – Reduce

Reduction or mitigation is the second risk response strategy you can consider. What this means in ERM speak is to take action to reduce the likelihood or impact of a loss. If the risk in question currently sits slightly higher than the appetite, reduction is a reasonable strategy to employ to bring it within your tolerance level.

Whether you know it or not, all of us employ some sort of risk reduction in our everyday lives. When you get in a car, you put on your seatbelt; this action will not reduce the risk of an accident, but it can reduce the negative impact of one.

To reduce the risk of unauthorized entry into your company building, you could install a badge system. However, this doesn’t completely eliminate the risk of unauthorized entry since employees can (and most likely will) “piggy-back” or hold the door for others.

On the financial side, a common risk reduction strategy is to require two signatures for checks over a certain amount. Having one person write the checks and another person balance the books is another commonly used risk mitigation strategy in organizations ranging from neighborhood associations to large companies.

When thinking about reducing the risk, the actions could be as simple as making a tweak to a process flow or as complex as introducing new software to automate a process and reduce the number of people touching the transaction. Or the organization could choose to hire additional resources to create a new function.

For example, you have a structured process to procure services or products but an informal process to manage those contracts and vendors going forward.  This situation means big risks to the company – are vendors in compliance with their contracts? Who is responsible for monitoring the viability of the vendor?  Do the vendors’ actions introduce risk to the company?  So – the company decides to create a vendor management program.  That’s a great decision…and a commitment from the leadership to hire the right people to do the job and work with the business people to develop a process that works with the company culture.  Leadership decided to reduce the risk, even though this strategy will take time to see the results affecting the risks to the company.

Continue reading Risk Reduction – A Response Strategy for Decreasing the Impact of Potential Risk Events for more…

Risk response strategy #3 – Transfer

Another option for responding to risk is to transfer the risk. When doing so, you don’t eliminate or reduce the risk like you do with options #1 and #2, but rather delegate or transfer it to a third party.

The two most common methods for transferring risk are purchasing insurance or including specific language for a contractual arrangement. Many manufacturing firms may “hedge” source material prices to protect themselves from higher raw material costs down the road.

In the case of an insurance policy, the risk is transferred to the insurance company in exchange for a price, or premium. For example, purchasing insurance for a building doesn’t reduce the risk of a fire, but instead provides a financial safety net in the event one occurs.

Herein lies an important point – transferring the risk only kicks in post-event. The purpose of insurance or indemnification provisions in other types of contracts is to make you whole again after the covered event. Indemnification provisions are common in construction and service job contracts, rental contracts, purchase order agreements, lease agreements, consulting agreements and more.

In the context of managing risks to the enterprise, the goal with risk transfer is to ultimately reduce the impact should something materialize. You, as the company, are willing to take a gamble on the risk occurring.

Continue reading Risk Transfer – A Response Strategy to Limiting Damage from a Negative Event for more…

Risk response strategy #4 – Accept

The last, but certainly not least, option is to just accept the risk as-is and do nothing.  This risk response strategy is often used for risks with a low probability of occurring or that would have a low impact if they did happen. Many companies will have budget reserves set aside to deal with situations like this.

Emerging risks, or ones that may pose some sort of threat in the distant future, are also ones commonly placed in the “accept” category.

If you want to get really technical, all risks except ones you completely avoid can fall into the accept category.

For risks you reduce, you’re still accepting the part that is within your risk appetite. If you transfer the risk via an insurance policy, you still accept part of the risk as it relates to your monthly premiums and deductible. Once a covered event exceeds this amount, the insurance will take over to compensate you for the losses.

In essence – unless you’re avoiding the risk altogether, you are by default using a combination of the reduce (mitigate), transfer and/or accept risk response strategies.

Regardless of the risk response strategy you choose, monitoring will be a key part to ensuring you stay on the right track…

As explained in the intro, a risk response strategy can change over time. If risk reduction was your initial strategy but the risk suddenly becomes a bigger problem, you can look at either avoiding it, if possible, or transferring it. According to author Norman Marks in his book World Class Risk Management, risks “…need to be monitored so that management can act promptly if and when the nature, potential impact, or the likelihood of the risk goes outside acceptable limits.”

This is not to say that you and risk owners (i.e., managers and subject-matter experts) have to monitor each and every risk equally – that would not only be a daunting task, it would be very annoying to the department heads, directors and managers who “own” that risk.

The frequency at which you monitor or “check-in” on a particular risk will depend on assessment variables like velocity, impact and/or probability.

If a particular risk is low impact and has a low probability of occurring, you won’t need to monitor it as frequently. Likewise, if the speed or velocity at which the risk will occur or move outside acceptable limits is slow, then you don’t need to worry about monitoring it as frequently.

On the other hand, risks that are prone to change quickly or ones requiring a longer response time will need more frequent monitoring so management can take the necessary action before the issue becomes a real problem.

We’ll explore the topic of risk monitoring more in a future article…

To reiterate one key point, the risk appetite is the measuring stick you and the risk owner(s) use to determine the right response strategy.

Risks that are well below your appetite can typically be accepted and monitored periodically. However, if there is absolutely no tolerance for a particular risk, it’s best to take steps to avoid it altogether.

If your organization is seeking clarity on what course to take after identifying risks to the enterprise or to develop ideas into risk response strategies, join my coaching and consulting waitlist by completing the form below. I will notify you as spots become available…

And as always, please feel free to continue browsing ERMInsightsbyCarol.com to learn more about developing a risk appetite, identifying risks, how enterprise risk management is different and much more. You can always subscribe to my blog by entering your email on the right, or connect with me on LinkedIn.

Image #1 courtesy of “iosphere” via FreeDigitalPhotos.net

Image #2 courtesy of “koko-tewan” via FreeDigitalPhotos.net

11 Comments

  • The article is mistaken. Step two after identification is evaluating. The next step is developing alternatives to employ as risk treatment, which may be all or part of all four responses. The next step is implementation.

    • Hi, Charlies. I appreciate you reading the article and commenting. The risk evaluation step was implicitly discussed as part of the comparison of the risk to the risk appetite to determine what response strategy would be best for the organization.

      Agree with you on the development of risk strategies, as stated in the article. You can use one or a combination of strategies to address a risk. Sometimes the hardest part of risk management is the actual implementation of the selected strategy/strategies.

      Cheers,
      Carol

  • Nice article, thank you Carol. I cannot agree more that implementation is often where things fall down. In my view, a few too many risk identification and mitigation assessments are acknowledged and endorsed, but left to gather dust as implementation is seen as a burden.
    Nicely written and welcome – thanks.

    • Thanks, Stuart. Glad you enjoyed the article. In my view, the implementation of the bigger response strategies should be included in any project or portfolio planning that the company goes through in order to secure resources (people and money) and buy-in from executives.

  • You can also:

    Match the risk – 1:1
    Absorb the risk
    Leapfrog the risk
    Ignore the risk

    All have positive and negative consequences associated with them as do your 4 points.

    A good article that I enjoyed reading.

    • Thanks for your comment, Geary. Glad you enjoyed the article. Your thoughts on other responses are interesting. Can you provide an example of how an organization would “leapfrog” over a risk?

      • Leapfrogging a risk is getting ahead of the risk – a hedge against the future. In financial terms one might sell options, buy options, create a hedge, etc. In operational terms one might assess alternatives for materials used in a process, change supply chain configurations, find ways to become “antifragile” as Nassim Taleb would term it. Break down the risk into smaller less impactful elements.

        • Basically, it sounds like what you label as “leapfrogging” are different ways to reduce or avoid the risk. Right? In your examples, I see the use of financial options as reducing the financial impact of a risk; alternative materials as a way of reducing the risk; changing the supply chain reducing the dependency on vendors, etc.

          I agree that breaking down the risk into smaller elements makes it more manageable…and more palatable for management to tackle to determine the appropriate risk response, as long as you don’t lose the big picture with those smaller elements. Great input, Geary. Thanks!

          • It is more of a getting ahead of risk – sort of estimating the future risk profile. But, yes, it is a way of avoiding risk or actually anticipating the minimization of risk impact. I have written about this and posted on LinkedIn and Continuity Central websites. The ability to get ahead of risk materializing can actually alter risk exposure.

            You are also right to mention that not losing the big picture is critical. Changing the nature of the potential impact of risk is what I refer to as the ongoing process of risk morphing into a different state – you do something to buffer the risk and it changes the risk, requiring an alteration of the risk buffering tactic employed.

  • Thank you Carol for this good article, although I don’t have full agreement with some points, but maybe that is because of tailoring risk under different experience. Still, there is a main point I would like to highlight, that is (Risk Transfer): it could be listed as one of the risk response strategies under the conventional RM but not the new thought of RM (ERM); this became the strategy of sharing risk.

    • Hi, Raida. Thanks for your comment. Risk transfer can be accomplished in several ways, one of which is sharing in the risk. But at the highest level, you (as a company) are still transferring some of the risk to another party. So I think it comes down to labels. And ERM abounds with different labels for the same things, which is one of the things that I believe has hindered the progress of ERM adoption around the globe.

