Why risk So Much for So Little by Mimile Mukuna Maisha

Why Risk So Much For So Little?

. Printed in South Africa ALL RIGHTS RESERVED No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—except for brief quotations in printed reviews, without the prior written permission of the author For information: admin@argin.org

Contents

Foreword Acknowledgements Introduction PART ONE

ENTREPRENEURSHIP, More than just RiskTaking

1. AFRICAN BUSINESS CHALLENGES 2. Entrepreneurial Deficiencies

The Concept of Entrepreneurship The Critical Evolution 3. AFRICAN BUSINESS CHALLENGES 4. Poor Corporate Entrepreneurship What is “Intrapreneurship” Features of Intrapreneurship Difference between an Entrepreneur and an Intrapreneur 5. AFRICAN BUSINESS CHALLENGES 6. The Adverse Business Environment The Business Environment Micro/Operating Environment Macro/General Environment 7. SOUND BUSINESS PRINCIPLES Introduction Imperative Business Principles 8. AFRICAN BUSINESS MERCENARIES The Mercenaries’ Survival Techniques The Survival of the Fittest? 9. OVERCOMING FAILURE Entrepreneurial Resilience 10.PLANNING FOR SUCCESS Integrating Business Plans, Strategic Plans and Risk Management 11.SCENARIO PLANNING Preparing for the Future 12.THE CONCEPT OF RISK Defining business risk

ix xi xiii 1 9 9 9 10 12 12 12 13 13 15 15 15 15 16 18 18 19 21 21 22 24 24 28 28 31 31 34 34

The Right Perspective Objective risk Subjective risk

13.THE CONCEPT OF RISK MANANAGEMENT

What Risk Management is Not What is Risk Management 14.ETHICS AND RISK MANAGEMENT 15.RISK COMMUNICATION 16.PRELIMINARY STEPS Overview Communicate and Consult 17.IDENTIFYING RISKS Introduction 18.ANLYSING RISKS Introduction 19.RISK EVALUATION Introduction ALARP as an Essential Risk Evaluation Method

34 35 35 37 37 38 40 42 45 45 45 46 46 47 47 48 48 48

20.RISK RESPONSE PLANNING Introduction Terminate/Avoid risk Treatment/Control of Risk

Frequency Reduction Severity Reduction Passive Retention

Transfer Risks

Contractual and non-insurance transfer

Risk Financing

Introduction Retention Conclusion

Alternative Risk Financing

21.IMPLEMENTING 22.THE RISK MANAGEMENT PROCESS Introduction

23.THE COST OF MANAGING RISK

49 49 50 51

54 55

57 59 59 59 61

Risk Management Administrative Costs Retained Losses Insurance Premiums Loss Control and Safety Costs External Services Costs

24.DOCUMENTING 25.THE RISK MANAGEMENT PLAN

Risk Management Plan Contents of a Risk Management Plan

Introduction Conclusion

54 55 56 57

61 61 62 62 62 63 63 63 63

Executive Summary Risk Policy Statement Introduction Risk Register

26.ENTERPRISE RISK MANAGEMENT 27.The Next “Under construction” Level

51 52 53

63 63 64 64 65 65 65 66

Foreword There are many different risk management books available. Often times these books are unnecessarily technical or written for an academic audience. As both a risk management expert and entrepreneur, I have endeavoured to write this book from risk managementâ&#x20AC;&#x2122;s best practices and personal business experience in Africa in a way which African entrepreneurs and business executives can relate. This book has been inspired by the consequences of my own failures to identify and manage the risks I have encountered in my business ventures in Africa and especially in my native country. The failures of other African entrepreneurs and top managers that I have observed support my conclusion that African business owners and executives must not have a high risk appetite, but instead a well measured risk tolerance. Often it is not business risks that bring down a business, but the entrepreneurs or executives who fail to adequately respond to these risks. Hence, the most important risk they should guard a business against, is themselves. It is also my view that the most successful entrepreneurs or business executives are not the ones who can prevent their business from failure, but the ones who can comeback from failure. I hope you find this book as interesting and relevant to read, as I found writing it!

Acknowledgements Writing this book took some of my attention away from my two children, my daughter Mia and my son Maël. I am sorry that for almost a year I have failed to give you the best of me. You are my precious treasures. You bring me so much joy, strength and purpose that you could never imagine; being your father is my greatest pleasure and reward. The mistakes you should avoid and the principles you should uphold when or if one day you run or own your own business, have motivated me to write this book. Eudoxie, we have lost some battles in the past but we both know the “war” will be won. Your kindness has enabled me to close the most difficult chapter of my life and to therefore concentrate on finishing this book. Thank you for being you. This book, like everything else I have achieved in my life, is the result of Grace through which I have received the inspiration and support of very special people I have encountered in my professional and business life. I extend my deepest gratitude and thanks to: My long-time friend Collin Griffiths. Collin was instrumental in my employment at Munich Re in the early nineties. Without him, I probably would not have known much about insurance, reinsurance or risk management. For many reasons, including for his support when I was the Managing Director of Compania Geral de Seguros de Moçambique, I am indebted to him. His unwavering belief in me has always given me the strength I needed to overcome professional difficulties. It is that same strength that I have drawn from to write this book. My late friend and business partner Billy Saad. Billy helped me set up Continental Risk Management as a Division of his company, Maritime Brokers and Consultants. He opened the doors to my career as a risk management consultant in Africa. He found my memos and reports to be rather literary and as a result, told me on more than one occasion that I should write a book about my professional and business experiences in Africa. Billy, I owed it to you to write this book. My former colleagues at Eikos Risk Applications. It would have been impossible for me to write this book if it was not for the experience I gained in my interactions with these risk management and risk financing experts. They helped my career evolve to a level that has enabled me to provide pertinent

consultancy work internationally. This book is somewhat a fruit of many of their thinking. Sydney, Sophia, Aberi, Brad and Jabu Stone, our friendship has not just been about helping one another to see beyond circumstances but most importantly to stay beyond them. Because of your friendship, I was more emotionally equipped to finish this book earlier then I could have. And finally, thanks to all of the entrepreneurs and other participants who attended my seminars these past few years for sharing their experiences and thoughts with me. Your heroic efforts in dealing with the African business challenges, your enthusiastic attempts to respond to business risks, and the remarkable lives you have all created are the inspiration that led me to write this book and share your experiences with others. Thank you for being the models of vision, discipline, purpose, passion and responsibility that Africa so desperately needs. In Part Two, I have drawn information from three main sources. These include: Triple Bottom Line Risk Management by Adrian R. Bowden, Malcolm R. Lane and Julia H. Martin; Risk Management and Insurance (9th Edition) and Integrating Corporate Risk Management by Prakash Shimpri. I conducted most of the research alone and therefore I take the responsibility for any errors that I may have unintentionally made in the book.

xii

INTRODUCTION Termites are small insects that are highly organised and very cooperative in their search for food and in building their colonies. They are hardworking, intelligent and capable of astonishing accomplishments such as building huge mud towers, hollowing trees, moving vast amounts of soil, andâ&#x20AC;Ś devouring a house. Whether a house is in stucco, brick or wood, once termites enter they hide away in all kinds of crevices in the walls and ceilings, working day and night eating anything made of wood, synthetic materials, plants and cotton. They may also attack stored food, books and household furniture. Over time, their damage weakens the structure of the house and eventually leads to the collapse of the building. If you intend on investing in a home situated in a termite-infested area, you should be certain that your house will suffer termite attacks. What will however be uncertain is whether these attacks will result in any damage, which, if it happens, might negatively affect your objective of having the house as a sound investment. Likewise, if you intend to start or grow a business in Africa, you should recognise that it is certain that your business will endure particular adversities which I would refer to as African business challenges such as corruption, poor infrastructure, political instability, high inflation or entrepreneurial deficiencies. What will however be uncertain are the negative effects that these challenges might have on your business objectives if they eventuate. The damages or negative effects which if they occur, will prevent the home owner in a termite-infested area or the entrepreneur in Africa from achieving their objectives constitute the risks that they may potentially face because they are uncertainties. Termite attacks for the former and the well-known African business challenges for the latter cannot be considered as risks since, in both instances, they are certainties. A risk is an event or an outcome that may occur, in other words it is an uncertainty. However, for a risk to be considered relevant in any activity, it must be deemed so in relation to the activity objectives that may not be achieved if such a risk occurs. I refer to these objectives as the â&#x20AC;&#x153;objectives at riskâ&#x20AC;?, a distinct concept that can be used as a simple tool to identify the real risks or the uncertainties that matter in any given activity.

xiii

For instance, in Noah’s mission to save two of every kind of creature from the flood that God had ordained he would have easily identified his real risk by establishing his “objective at risk”, which was to keep the ark afloat until the flood had receded. Presuming that in his mission Noah also had to save termites, he would have, for example, understood that the real risk for him considering his objective at risk was not the presence of termites on board the ark but the potential damage that these termites could inflict to the ark. In a business context, if an entrepreneur intends to introduce a product due to the insufficient supply of the product in the market, one of his main “objectives at risk” would be to ensure that the product is profitable in the long run. With this “objective at risk” in mind, he will be able to understand that the real risk for him is not a potential lack in demand of the product but rather to have a product that may not satisfy customers due to its low quality or poor customer service. Establishing their “objectives at risk” should therefore be a matter of priority for African entrepreneurs, to be able to adequately identify the real risks their businesses are exposed to. They should also have a good understanding of the different kinds of the challenges that create risks to businesses in Africa, because just as each termite specie causes a different type of damage, different challenges give rise to distinct business risks. Sound business practices can however assist them in putting their businesses on a firm footing and in the direction of success in spite of the African business challenges, but only the effective management of risks can help them ensure that their business objectives are achieved and, as a result, their business success is guaranteed.

xvi

PART ONE

ENTREPRENEURSHIP More than just risk-taking

1 AFRICAN BUSINESS CHALLENGES Entrepreneurial Deficiencies The Concept of Entrepreneurship The present chapter is an examination of African entrepreneurial deficiencies with a purpose of helping understand their effects on African business failure. For this examination to be precise, it is important to understand that entrepreneurial deficiencies relate to the challenges that originate from entrepreneurs themselves and are usually evident in their decisions, actions, approaches, thinking in or about the business they own. It is however relevant, before we explore these deficiencies to discuss what the word entrepreneur means. But at this stage I need to state that by “entrepreneur” I also refer to corporate managers who in my view should become more “intrapreneurs” or “corporate entrepreneurs”. I will expand on the concept of intrapreneurship in chapter two. “Entrepreneur” originates from the French word “entreprendre” which is composed of two words, “entre” i.e. to enter or to go into, and “prendre” i.e. to take. But its translated meaning is to “undertake”. In a business context, it means a person who is willing to assume the responsibility, risk and rewards of starting and operating a business. The concept of entrepreneurship has a wide range of meanings. On the one extreme and entrepreneur is a person of very high aptitude who pioneers change. On the other extreme, anyone who wants to work for himself is considered to be an entrepreneur. It is difficult, if not impossible, to define what an entrepreneur is. The word itself is best used in the past tense to describe a successful business person. However defined, the entrepreneur is the key to the successful launch and operation of any business. The major characteristics of entrepreneurs that have been listed by many experts include: •

•

Self-confident and multi-skilled. The person who can make the product, market it and count the money, but above all they have the confidence that lets them move comfortably through unchartered waters. Confident in the face of difficulties and discouraging circumstances.

African Business Challenges; Entrepreneurial Deficiencies

• •

•

Innovative skills. Not an “inventor” in the traditional sense but one who is able to carve out a niche in the market place, often invisible to others. Results-orientated. To make be successful requires the drive that only comes from setting goals and targets and getting pleasure from achieving them. A risk-taker. To succeed means taking measured risks. Often the successful entrepreneurs exhibit an incremental approach to risk taking, at each stage exposing themselves to only a limited measured amount of personal risk and moving from one stage to another as each result is achieved. Total commitment. Hard work, energy and single-mindedness are essential elements in the entrepreneurial profile.

However, two warnings need to be attached to this partial list of entrepreneurial qualities. Firstly, thinking that the individuals can be successful entrepreneurs on the basis of such a set of attitudes and skills is not a foregone conclusion. The same traits shared by two individuals can often lead to vast different results: successful and unsuccessful entrepreneurs can share the characteristics commonly identified. As well, the studies of the life paths of entrepreneurs often show decreasing “entrepreneurship” following success, which tends to disprove the centrality of character or personality traits as a sufficient basis for defining entrepreneurship. Secondly, the entrepreneurial characteristics required to launch a business successfully are often not those required for growth and even more frequently not those required to manage it once it grows to any size. As the business now needs a professional management focus, which calls on a different set of skills, to manage and sustain growth, that are distinct from the skills necessary to start an enterprise and promote an idea. Applying management skills allows the adolescent enterprise to continue to do well, but the business culture begins to change. The emphasis of management is structure, policies, procedures and the bottom line. The role of the entrepreneur needs to change with the business as it develops and grows, but all too often the entrepreneur is not able to evolve by creating or adopting capabilities that can help them grow and mature.

The Critical Evolution African entrepreneurs, possessed of considerable drive, vitality and high risk appetite, have established multitudes of small businesses. Such undertakings are easy to start, even by men and women with little education,

2 AFRICAN BUSINESS CHALLENGES Poor Corporate Entrepreneurship In their 2011 book Corporate Entrepreneurship: How to Create A Thriving Entrepreneurial Spirit Throughout Your Company, authors Robert D. Hisrich and Claudine Kearney explain why businesses of all types need to embrace entrepreneurial values: “Entrepreneurs challenge existing assumptions and look to generate value in more innovative and creative ways. Entrepreneurs change the way business is conducted by identifying opportunities and successfully filling them.” My argument in this chapter is that existing African business (small, medium or large), need to develop internal entrepreneurial capabilities also known as “intrapreneurship” to ensure that they become innovative and competitive. I am not saying that entrepreneurs are smarter than corporate businesses, or that they are strategically and morally superior. They just work harder under challenging conditions, with fewer resources and no tolerance for failure.

What is “Intrapreneurship” Intrapreneurship is the practice of entrepreneurship by managers and employees within establish businesses of any size. The business encourages its employees especially its managers to become corporate entrepreneurs. The managers/intrapreneur can use their creativity and start-up business techniques within a firm to create for their employer new products, services or new entire business units for the firm with the full backing of the firm’s resources The term is derived from a combination of “intra” or internal, and “entrepreneurship”. Intrapreneurs are usually highly self-motivated, proactive and action-oriented people who are comfortable with taking the initiative in pursuit of an innovative product or service. According to this definition, a corporate manager who starts a new initiative for their company which entails setting up a new distinct business unit and board of directors can be regarded as an intrapreneur. In contrast, a corporate manager who starts a new initiative using pre-existing corporate

Poor Corporate Entrepreneurship

structures is not an intrapreneur. Nor is a leader of a Research and structures is not an intrapreneur. Nor is a leader of a Research and Development unit within an organisation, whose innovations are managed by the organisation. Were this R&D leader to create a new stand-alone organisation, which performs its own functions and sells its own products—albeit with strong continued links to the parent company—it would count as intrapreneurship.

Features of Intrapreneurship Entrepreneurship involves innovation, the ability to take risk and creativity. Entrepreneurs is able to look at things in novel ways, i.e. to “think outside the box”. They have the capacity to take calculated risk and to accept failure as a learning point. Intrapreneurs is and thinks like an entrepreneur—looking out for opportunities, taking new initiatives which profit the business they work for. Persistence, creativity and the need to defy overwhelming odds are common parts of the entrepreneurial journey; the way to success lies with protagonists who do not quit because they are fully invested (in all senses of the word) in their project. Hence, the most important characteristics of intapreneurship, like in entrepreneurship, is the acceptance of risk or failure. This means that intrapreneurs must have a personal stake in their initiative’s success.

Difference between an Entrepreneur and an Intrapreneur An entrepreneur takes substantial risk in being the owner and manager of a business with expectations of financial profit and other rewards that the business may generate. On the contrary, an intrapreneur is an individual employed by a business for remuneration which is based on the financial success of the unit, product or service he initiated. The major difference between entrepreneurs and intrapreneurs is that the fruits of success default to the business rather than to them. Intrapreneurs also have the comfort of knowing that failure will not have a personal cost—as it would for an entrepreneur—since the business would absorb losses arising from failure. Intrapreneurs share the same traits as entrepreneurs such as conviction, zeal and insight. As intrapreneurs continue to express their ideas vigorously, the gap between them and the philosophy of the business they work for is revealed. If the business supports them in pursuing their ideas, they succeed, if

3 AFRICAN BUSINESS CHALLENGES The Adverse Business Environment The Business Environment It has been maintained so far that one of the major impediments to the success of African businesses is attributable to entrepreneurial deficiencies of most of African people who own a business or want to start one. The other serious impediments are those associated with difficulties in the African business environment. The term “Business environment” is composed of two words “Business” and “Environment”. In simple terms, the state in which a person remains busy is known as Business. The word Business in its economic sense means human activities like production, extraction, or purchase or sales of goods that are performed for earning profits. On the other hand, the word “Environment” refers here to the aspects in the surroundings of the business other than entrepreneurs’ abilities. Business environment has two components, internal environment, which is usually within the entrepreneurs’ influence and external environment which entrepreneurs cannot influence. The internal environment includes 5 Ms, i.e. man, material, money, machinery and management and despite the fact that entrepreneurs can influence them, they are dissociated with their abilities since they do not derive from entrepreneurs. The external environment relates to factors that literally exist outside the business. Without any confusion, these are independent from entrepreneurs ‘abilities. These factors exist in two types, micro or operating environment and macro or general environment.

Micro/Operating Environment The environment which is close to business and affects its capacity to work is known as Micro or Operating Environment. It consists of Suppliers, Customers, Market Intermediaries, Competitors and the Public.

African Business Challenges; The Adverse Business Environment

•

Suppliers: They are the persons who supply raw material and required components to the company. They must be reliable and the business must have multiple suppliers i.e. they should not depend upon one supplier only. Customers: These are regarded as the kings of the market. The success of every business depends on the level of their customers’ satisfaction. The main types of customers are: - Wholesalers - Retailers - Industries - Government and Other Institutions - Foreign markets Market Intermediaries: They work as a link between business and final consumers. They include: - Middleman - Marketing Agencies - Financial Intermediaries Competitors: Every move from a competitor affects the business. Each business has to adjust itself according to the strategies of its competitors. Public: Any group who has actual interest in the business enterprise is termed as the public e.g. media and local public. They may be the users or non-users of the product.

Macro/General Environment It includes factors that create opportunities and threats to business units. The following are the elements of Macro Environment: •

Economic Environment: It is very complex and dynamic in nature. It constantly changes with policies or political situations. It has three elements: - Economic Conditions of the population - Economic Policies of the country - Economic System - Other Economic Factors: Infrastructural Facilities, Banking, Insurance companies, Money markets, Capital markets, etc.

•

Non-Economic Environment: The following are included in noneconomic environment:

4 SOUND BUSINESS PRINCIPLES Foundation for Business Success Introduction It is possible for African entrepreneurs to put their businesses on the path for success by establishing and applying sound principles in their businesses. As they build the foundations for their businesses, ground rules or guiding principles that they and their employees will abide by will need to be established. These ground rules or principles will dictate what and how decisions should be made, how their businesses should operate and these should be viewed by other people and other businesses. If these principles are established up front, there will not be any questions about how African entrepreneurs will react when dealing with both the challenges relating to their deficiencies and those relating to the business environment. Planning for business success requires African entrepreneurs to do a few things. Firstly, they must decide on the ideals for their business. If they want their business to be very professional and white collar, then they should include these ideals in their guiding principles so there is clarity on how as to how the business should operate. Secondly, they need to hire employees who agree to abide by the guiding principles. Much like a standard of behaviour that larger corporations institute through their human resources office, the guiding principles must be accepted by all of the employees. If one employee breaks the mould by not agreeing with these principles they could create a slippery slope of dissent that will result in the business being undermined. These guiding principles should be put into place and adhered to by anyone who wishes to have a future within the business. Finally, setting up a business for success should begin with African entrepreneursâ&#x20AC;&#x2122; introspective look at what the guiding principles mean and if they, as the business leaders, can uphold them. Business principles can make or break a business but if the entrepreneursâ&#x20AC;&#x2122; life reflects sound principles then their business will simply be an extension of who these entrepreneurs are, rather than an alter ego that they slip into when they go to work each day. The guiding principles should be stated clearly and in plain view of employees and

Sound Business Principles; Foundation for Business Success

customers so they all know what the entrepreneurs and their business stands for. Sound business principles will dictate how a business will operate and will inspire and reinforce solid management practices. Bad business principles teach bad habits to employees, will let entrepreneurs and employees settle for less than the best. As leaders of their businesses the onus are on African entrepreneurs to set from the beginning the principles that will determine how their business will operate and deal with challenges. Business principles govern every area of a business. African entrepreneurs will need to put these into practice to handle human resources issues. Without sound practices there will not be any standard method for hiring employees and there will not be an organised structure of benefits, time off, sick days, or conflict resolution. Sound business principles are also vital for the marketing function which determines how a business gets the word out about its products and services. Without a solid marketing plan in place there is no way of knowing which products or service should be sold, where to reach target audiences, the best way to reach them and how much money to spend for reaching those audiences. African entrepreneurs should also develop solid business practices for their management team. If the management of the company does not have solid business principles then there is no hope for the business. The people who make decisions within a business must all adhere to the same principles so there is continuity and consistency within the business. Following a set standard of guiding principles is a solid foundation on which a business can operate on grounds of professionalism, integrity, efficiency, and credibility.

Imperative Business Principles In my opinion, the solid business principles that can prevent African entrepreneurs from being subjected to their own inadequacies and to those of their business environment include:

Having a good solid business plan This applies to your business and to a new product or a new service you want to launch. There is an old saying: â&#x20AC;&#x153;Those who fail to plan, plan to failâ&#x20AC;?. A detailed set of plans for success needs to be made. You need to have the steps from point A to point B listed in great detail, including realistic cost estimates for and risks involved in accomplishing each step.

5 AFRICAN BUSINESS MERCENARIES In Africa, despite the efforts that entrepreneurs may make to promote and observe sound business principles, the fact is that most entrepreneurs find themselves powerless and unprepared in the face of the ever-present and overwhelming challenges so much so that most of them end up depressed and discouraged to the point of abandoning their business endeavours. Some entrepreneurs manage to bounce back after suffering a setback or after experiencing failure, not just with renewed determination and new resources but also with a commitment to adhere to business principles that they know will guard them from succumbing to the effects of African business challenges. Some entrepreneurs conversely choose to use deceitful practices as means of surviving in business when facing African business challenges. I refer to these types of entrepreneurs as â&#x20AC;&#x153;business mercenariesâ&#x20AC;?.

The Mercenariesâ&#x20AC;&#x2122; Survival Techniques The techniques of survival used by these so-called entrepreneurs are varied, but undoubtedly the most predominantly applied tactics are a blatant disregard for certain laws. The first of these tactics is recourse to the currency parallel markets. Businesses with heavy reliance and dependency on imports or whose exports do not yield sufficient foreign exchange, resort endlessly to sourcing their foreign currency requirements in the illegal alternative markets. The other frequent disregard for the law is profiteering, especially on the retailing of imported goods. Another technique is the reduction in overhead expenditures wherever possible including nonproduction of auditing of financial statements and non-insurance of assets against the countless risks confronting enterprises. Most businesses also address containment of operating costs by resorting unusual maintenance of plant, machinery and equipment, although doing so, lessens the value of those assets and often impacts on the quality of products and on productivity. However, these businesses seek the benefit of immediate reduction of costs in order to survive, despite knowing that doing so is a sure catalyst for future cost increases. A further method of cost containment in order to survive is by cutting expenditure on personnel training and development and by maintaining unfair labour practices.

African Business Mercenaries

To counter increasing inflation which erodes capital resources of most businesses, some resort to borrowings, but at considerable cost, as interest rates rise gradually, driven upwards by inflation. Such costs diminish prospects of survival, unless other compensatory cost reductions could be effected. Other businesses address their capitalisation needs by seeking investors that are willing to acquire a stake in the business, whilst others seek to reduce their capitalisation needs by discontinuing provision of credit to customers, lowering levels of stockholdings, and by disposals of assets. Corruption is another but one of the most practiced methods of survival. It generally involves businesses ensuring that they receive preferential treatments or access to business opportunity and security through bribery or payment (in money or kind). These include kickbacks, gratuities, pay-off, sweeteners, greasing palms, etc. Many businesses owe their apparent resilience to favouritism and nepotism which exempts them from the application of certain laws or regulations or give undue preference in the allocation of scarce resources. Other businesses base their operations on fraud using trickery, swindle and deceit, counterfeiting, racketing, smuggling and forgery in order to survive. In Africa are funded through the misappropriation of public money by public office holders, and the apparent strength of these businesses is due to the political position or connections of the people involved. Often the category of entrepreneurs who employ bad business practices have as their sole pursuit in business to “make money and more money”. In other words, the love of money is their only objective for entering or staying in business. They often do not have any notion regarding cost, profit, cash flow, ethics or management as they only care about how much money they can make and take through their business. They view their businesses not as an enterprise that offer products or services to the public or a vehicle that adds value to customers and creates its own value by successfully achieving its mission. The popular Christian saying that the “love of money is the root of all kind of evil” cannot be more true when one tries to understand their behaviour and motives of this type of entrepreneurs. Benjamin Franklin rightly stated that “he that is of the opinion money will do everything may well be suspected of doing everything for money.” In any case, it is commonly known that greedy people do not have a moral compass.

The Survival of the Fittest? “It is a jungle out there!” is the general saying used when referring to doing business in Africa. This implies that the best way to succeed in the African

6 OVERCOMING FAILURE The Spirit of Entrepreneurs Entrepreneurial Resilience African entrepreneurs generally face unusual business challenges which result in high rate of business failure. As is the case elsewhere business failure means a personal loss. They are distressed when passing through traumatic events and setbacks and react negatively to business failure. These negative reactions take four forms: emotional, behavioural, physiological and mental: The emotional reactions to failure include helplessness, depression, loneliness, anxiety, and withdrawal. A strong emotion is as that of guilt and self-blame as they feel responsible for the failure of the business. The behavioural reactions to failure include evasion from reality and suicidal intentions or actions. Some entrepreneurs who will not endure the scrutiny of society or family and cannot face the reality will chose to “evade” or “die”. Physiological reactions generally involve the physiological changes that a failed entrepreneur suffers due to emotions and behaviours. The entrepreneur may lose weight, get sick. Finally the mental reactions include the entrepreneur becoming sleepless, lunatic, addicted to alcohol and obnoxious. These negative reactions are generally due to the pressure of financial liabilities, inability to meet one’s family basic needs, loss of self-worth, feelings of being useless to society, slander of personality and lawsuits after the failure. The main causes of negative failure reactions are “loss of control” and “loss of social status”, as many entrepreneurs would struggle to integrate failure in their personal lives. “Loss of control” is one of the principal factors leading to the entrepreneurs’ reactions failure. Most of the entrepreneurs are motivated to start a business in order to “be in control” of their own destiny and work. However, when things are out of their control, entrepreneurs will often interpret this as a loss of influence and power. The “loss of social status” is also one of the key causes of entrepreneurs’ reactions failure. Entrepreneurs are devoted to their business and regard it as a personal achievement. People in society show respect for their success. However, once they fail, their statuses disappear and they feel worthless, escaping from the world to ease the pain and shame caused by the failure.

Overcoming Failure; The Spirit of Entrepreneurs

Most management and business studies, however, mainly focus on how entrepreneurs succeed failure by advocating that entrepreneurs are optimistic, active, result-orientated, self-controlled, risk takers, showing autonomy and problem solving capability. Some literature on leadership and business advice assume that leaders are rational beings, hardly focusing on the leaders’ irrational side. These books are less likely to explore how entrepreneurs face their business misfortunes or adapt to psychological weaknesses. Nonetheless, it has been my experience and observation that most successful entrepreneurs and leaders experienced fluctuant career and business failures. They are not always optimistic, positive and brave in facing challenges when they slump, which result in some entrepreneurs’ collapse after a failure or setback. But some entrepreneurs are willing to bounce back from business loss and treat the opportunity as a new start up process for re-positing self-identity. How true entrepreneurs are able to bounce back after business bankrupts or failure is neither fully known nor effectively conveyed. I will first state categorically that business failure is normal. A failed business may mark the end of a venture, but it does not mark the end of a true entrepreneur. My experience shows that, for real entrepreneurs, failure can be an opportunity to succeed, to build on what has been learnt. True entrepreneurs are the ones who are able to pick up the pieces and move forward. In this chapter, I explore and share how the failed entrepreneur can overcome the dark side of failure and misfortune in business through entrepreneurial resilience. Resilience is one of the great puzzles of human nature, which is neither ethically good nor bad, but merely the skill and the capacity to be robust under conditions of enormous stress and change. It is more than education, more than experience, and more than training. A person’s level of resilience will determine who succeeds and who fails, and it does matter in business. There is a gap between business practice and the theory of how an entrepreneur bounces back after business failure or whilst facing difficulties. One psychiatrist indicated this phenomenon in a magazine interview, “The patient who faced business failure and suffered from psychosis is the hardiest case to cure for us.” Thereby, entrepreneurial resilience seems increasingly important for the business field but is less exploited when entrepreneurs faces high failure rate and how they can restart new business if failed. My argument here is that typical successful entrepreneurs’ capabilities of calculated risk taking, innovativeness and aggressiveness are not inherent but are cultivated from experiencing failure and challenges. Therefore, it is critical for entrepreneurs to assess the failure causes and the reaction to these causes,

PART TWO

RISK MANAGEMENT DEMISTIFIED

7 PLANNING FOR SUCCESS

Integrating Business Plans, Strategic Plans and Risk Management

The ability to manage risk is often indicative of an entrepreneur’s ability to achieve long term success. But an entrepreneur may decide not to deal with some risks because the chance that they will happen is slight or the effects are trivial. Some will have a minimal impact and can be managed easily, whilst others may threaten the longevity of their business. The management of risks or risk management therefore helps entrepreneurs to anticipate potential adverse events and problems, be more forward-looking, and establish appropriate risk responses, thereby reducing the possibility of bad surprises that may cause the disruption or termination of their business endeavours. The success of a business depend less on entrepreneurs’ risk taking ability and more on their risk management capacity as the consequences of failing to adequately manage risks can be critical to the survival of a business. African entrepreneurs should therefore adopt risk management as an overriding business principle and an integral part of managing their businesses to ensure that they create long term value for their businesses. In most developed countries all sectors of the economy have focused on management of risks as the key to making businesses successful. Businesses of all types and sizes face a range of risks that can affect the achievement of their objectives. As discussed in previous paragraphs, some risks are given rise to by challenges existing in the business environment such as changes in exchange rates or the changes in interest rates. The others are as a result of deficiencies relating to entrepreneurs’ own shortcomings and include risks occurring following non-compliance with laws and regulations. When it comes to risks originating from challenges in the business environment, one of the most predominant risks is that of a change in customers’ demand for the goods and services produced or sold by the business. If the change is a positive one, and the demand for the offerings of the business increase, the amount of risk is decreased a great deal. However, if consumers demand for the offerings decreases, either due to loss of business to competitors or change in general economic conditions, the amount of risk

Planning for Success

104

involved will increase significantly. When a business’s risk factor is considered to be increased due to outside factors that are beyond the control of the entrepreneur or management to correct, chances of growing the business are very slim. Challenges relating to the entrepreneurs’ inabilities may also result in significant business risks. Often, these can easily be identified and corrected. For instance, if failing sales can be attributed to an ineffectual marketing effort or a sales force that is not performing to expectations, changes can be made in the marketing approach or sales efforts can be restructured to maximise success opportunities for the business. The same is true if a business’s manufacturing facilities are not operating at optimum efficiency. Revamping the operational structure of the plants and facilities will decrease the element of business risk and result in higher profits at the same level of production and sales. Risk management is simply a common-sense and structured approach to dealing with uncertainty, whether this uncertainty is given rise to by inadequacies in the business environment or by the inadequacies pertaining to entrepreneurs’ own deficiencies. The aim is to allow proactive management, rather than waiting for risks to mature leading to situations requiring a reactive crisis response. How to approach risk management will depend on the size, activities, internal environment and management structure of a business. The scope of the risk management needs also to be considered in how risk management should be approached. For instance, large business organisations may need comprehensive risk management planning but in smaller businesses specific areas of activity can be chosen for risk management. However the most important variation that needs to be taken into account in establishing how risk management should be approached is based on whether a business is starting or already established. For new business initiatives; the risk management plan should be integrated in the initial business plan. For businesses already established, risk management should be an integral part of the strategic plan. Business and strategic plans should clearly define how business objectives will be achieved and how the risks that can affect these objectives or the achievement process thereof should be dealt with. These plans are important management techniques in a business of any size and risk management can assist greatly in the business or strategic planning process. Risk management can achieve this by assisting the business to effectively manage the weaknesses and threats to achieving the objectives of the business, as well as recognising where opportunities exist and capitalising on these to help the business grow

8 SCENARIO PLANNING The Precursor of Risk Management “Every organisation must think ahead, but how? We look out into the future, trying our best to make wise decisions, only to find ourselves staring into the teeth of ferocious and widespread uncertainties. The future is complex, uncertain and not in our control, but the future is where the strategies we enact today will lead us.” Shell Website

Preparing for the Future It has become a cliché to say that those who do not learn from the past are doomed to repeat it. In today’s business world, we can say that those who do not “learn from the future” are doomed. From time immemorial, man has had to prepare himself for various eventualities. Just to survive, he has had to ask questions like: What if it does not rain? What if there is a poor harvest? Indeed, it is this type of thinking, which made man think of taking various solutions, such as storing food, building dams, etc. It happens to us all. We look to the future, trying our best to make wise decisions, only to find ourselves staring into the teeth of ferocious and widespread uncertainties. How do we decide what kind of studies our children should pursue when it is not clear what industries will exist in ten or fifteen years? How do we plan buying a house in a country when we cannot know what sort of socio-political condition this country will be in the future? As we face each of these problems, we confront a deeper dilemma: how do we strike a balance between predictions - believing that we can see past these uncertainties when in fact we cannot. Today, entrepreneurs face a similar dilemma, and also they recognise that adapting blindly to the future outcomes of external events is not desirable. But they often carry the additional weight that on their decisions rest the destiny of their businesses. It is often said about entrepreneurs or Chief Executive Officers that “it is lonely at the top”. But for most entrepreneurs these days, the bigger problem is that “it is confusing up there”. It is no longer enough simply to execute, to “do things right”. Entrepreneurs have to choose “the right thing to do”: set a course, steer through the strategic issues that cloud

Scenario Planning, The Precursor of Risk Management

120

their business’s horizons. Do we or do not we invest in that industry? Launch that product? Establish a presence in that market? Or wait and save money? The pressure of the future will only increase in the years ahead. Technological, economic, and social change in will continue to accelerate. Technologies are cross-fertilising and mutating-unpredictability spawning new technologies, new products, and new markets. Blink and your business is history. The bad news is that you cannot predict the future. The good news is that you can prepare for it. Whatever you decide to do will make a life or death difference to a business - t it can take years to learn if your decision was wise. Entrepreneurs have often to immediately make a decision—and often make it now. The rest of the stampeding world will not wait until certainty appears. Anything that can help make a decision in the midst of uncertainty will be valuable. When the business environment encounters a high level of uncertainty and confusion, which occurs from either complexity or rapid change or both, one of the most prudent and useful things you can do is spend time considering what your business’s future may look like in different environmental conditions. To manage risks related to business growth that will extend long into the future, entrepreneurs must be willing to look ahead and consider uncertainties. But rather than doing that, many African entrepreneurs react to uncertainty with denial. They take an unconsciously deterministic view of events and take it for granted, that some things will or will not happen. Not having tried to foresee surprising events, they are at a loss for ways to act when upheaval takes place. Scenario planning is one very powerful technique to limit risks from external influences and to identify future opportunities and uncertainties is. As the name implies, it serves entrepreneurs to plan for several different future possibilities. It is a “what if’” exercise. It asks questions such as: • •

What if the price of raw materials doubled? What if we lost our biggest two customers?

The purpose of scenario planning is not to pinpoint future events but to consider the forces which may push the future along different paths therefore shaping which the forces that are likely to catch entrepreneurs unawares. It is about making these forces visible by projecting them forward and by exploring their implications, so that if they do happen, entrepreneurs will at least recognise them and be prepared in advance rather than simply meeting them as they come. The advance preparation can often save a great deal of time and

9 THE CONCEPT OF RISK Defining business risk The Right Perspective The ultimate origins of the word risk have never been satisfactorily explained. English acquired it via French “risqué” from Italian “risco”, a derivative of the verb “riscare” which means “run into danger” or “to dare”. Risk is present whenever circumstances give rise to an outcome that cannot be predicted with certainty. Depending on the context, there are many accepted definitions of risk in use. In the business context however, the basic understanding one should have in order to define risk is that everything an entrepreneur does aims to achieve objectives of some sort and wherever objectives are defined, there will be risks that could make difficult their successful achievement. Business risks are therefore determined in relation with the business objectives that would be affected if those risks occur. I call these objectives “objectives at risk” which may include starting a new business, launching a new product or service, entering a new market or trying to increase profit and market share, meeting customer’s expectations, complying with specific regulations or licence requirements, meeting obligations toward stakeholders such as suppliers and employees or mobilising adequate financing to grow a business. The notion of “objectives at risk” is built on four conditions, namely: • • • •

The objectives must be relevant to the success of the business. Causes that can create the uncertainty in the achievement of these objectives must exist. The business must have the ability and resources to achieve these objectives. The failure of achieving these objectives must have a direct impact on the interruption or termination of the business activities.

This notion allows the understanding of the fact that a business risk is an “uncertainty that matters”, recognising the fact that there are other

The Concept of Risk

144

uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk identification step. For example if you have a printing business in South Africa and source raw material from say Kwazulu Natal, a South African province, the uncertainty about whether there may be a drought in Senegal next week is irrelevant. But if your business involves supplying mining equipment in the Democratic of Congo, the possibility of war or social uprising in that country is not just an uncertainty, it matters. Business risk can therefore defined as an uncertainty that, should it occur, could negatively a business from achieving its objectives and ultimately result in the business failing. Whilst it is essential to relate business risks to business objectives, it is also important to note that entrepreneursâ&#x20AC;&#x2122; view of risk is either subjective or objective depending on the experience they may have had in dealing with business risk or on their perception of it.

Objective risk An objective risk is the likelihood of an actual risk event materialising. It is what can really or objectively happen. This risk has been scientifically or statistically established using available data and knowledge. Operating in a regulated industry without the required license or not paying the relevant taxes is objectively risky and may lead to the closure of the business.

Subjective risk A subjective risk is the perceived risk or what you think may happen. It is the uncertainty based on a personâ&#x20AC;&#x2122;s state of mind. Two persons in the same situation may have different perceptions of risk. High subjective risk often results in conservative behaviour As the term suggests, subjective risk can be defined as the degree of uncertainty perceived by an individual. For example, a business that has invested in developing in or distribution of a product and intends to launch it in a market without prior marketing research will be uncertain if the product will sell. This mental uncertainty is an instance of subjective risk. It is often assumed that business initiatives and management decisions are more directly determined by subjective estimates of risk than by objective risk. In the context of African entrepreneurs, while this may be the case for events about which there is little experience such as the global economic crises, it is certainly not the case for everyday events such as the risks of inflation.

10 THE CONCEPT OF RISK MANANAGEMENT What Risk Management is Not At one time, risk management meant a business having enough fire extinguishers, safety and security. It was more about protection of physical assets and employees through “loss” prevention and reduction programs. Although these techniques are still widely used, modern business have reduced their reliance on these more conventional and archaic arrangements as many entrepreneurs have discovered that they do not adequately and strategically provide the tools that can help them achieve their business objectives. Some African entrepreneurs also consider insurance to be the only sophisticated way of managing risk. They think insurance can take care of every loss. “Do not worry, we’ve got insurance” some entrepreneurs and managers say to their staff. While insurance is very valuable, it is not a panacea for risks inherent to businesses. It is a common method of managing significant physical risks with low probabilities of occurrence and some of their consequences such as loss of income. However, even for events that insurance can cover there are deductibles, exclusions and limits that are applicable. Basic to an understanding of how insurance works is the reality that insurance does not and cannot eliminate risk. Nor can it directly help business achieve their objectives such as increasing income, market share or profit. It is only intended to deal with measurable or known risks and serves to spread the impact of loss. It cannot deal with uncertainty itself and cannot prevent losses. Also, entrepreneurs should remind themselves that insurance is a product sold by insurers in pursuit of their own profit and not in the interest of businesses they cover. This fact is truer with regards to pure commercial insurers and not with mutual types insurers. “Crisis management” is another concept that some African entrepreneurs take for risk management. This technique may address immediate problems, but it creates potential consequential aggravation of future problems. Let’s get this straight. If a risk has already occurred in your business and you are looking at solutions (i.e.; reacting to the risk), then it is an “issue”—a “problem”. It is no longer a risk. Risk is the possibility that something bad may happen in the future. So when a risk has occurred, there is no such thing as probability then—the risk has turned into an event.

The Concept of Risk Management

174

Many African entrepreneurs also believe that “fate” plays a major part in the results achieved by businesses. A considerable number of them is however realising that business results are rather influenced by their own deficiencies, by the difficulties in the African business environment as well as by the effects of globalisation, of world economic and financial crises, and of climate change. Their access to modern management tools and techniques are also helping them to better understand their business environment and improve their business capabilities, making them able to predict, to some extent, the various risks that may have a critical impact on their business objectives.

What is Risk Management To be successful a business must achieve its overall objectives which are to create and maximise its owners’ wealth whilst ensuring that the other’s stakeholders’ expectations are met. Other specific objectives might be providing the best quality service, maximising revenue and decreasing expenses, having quality employees, increasing productivity and product quality, and increasing market share. If they want their business to succeed, entrepreneurs must therefore ensure that nothing makes uncertain the achievement of their business objectives, and a business risk is exactly the uncertainty which, if it occurs, would negatively affect the achievement of business objectives. In this context, risk management is a process through which business risks are identified, analysed, responded to and monitored in order to enable a business to achieve its objectives. Risk management is recognised as good management practice in business and is not only about the management of risks. It also allows the opportunity to focus efforts on areas where the business can benefit most, through better understanding of the risk/reward decisions. Risk management is pre-emptive not reactive. Its purpose is to improve outcomes or to secure good outcomes, in other words, it aims at increasing the probability of success, and reduces both the probability of failure and the uncertainty of achieving the business’s objectives. To be effective, risk management cannot be merely a checklist or a process that is disconnected from business decision making. Rather, it should be integrated into on-going business practices so that risk can be managed as part of day-to-day decision making, in a manner consistent with the business’s objectives. Risk management should, for instance, be triggered within the business process when special circumstances arise outside of the on-going

“Do everything ethically….within reason of course”

11 ETHICS AND RISK MANAGEMENT Philosophers and scholars have defined ethics as the study of what is right or wrong, fair or unfair, just or unjust. Others have argued that ethics is, in essence, morality. Ethical problems typically stem from two human qualities: greed and ignorance. Lapses in ethical behaviour caused by greed are easily recognisable, for example kickbacks, expense account padding, stealing either time or materials from employer. Lapses due to ignorance is more difficult to recognise and appear often with questions of conflict of interest, for example accepting large gifts from suppliers, failing to report significant risks to the insurers, accountants accepting consulting assignments from audit clients. Business ethics set the standard for how your business is conducted. They define the value system of how a business operates both internally and externally. With scandals concerning entrepreneurs involved in conflict of interest, fraud, corruption, sexual immoralities making the news, it is no wonder that businesses are increasingly giving attention to the ethical basis of their business and how to lead in an ethical way. While the examples above seem to be clear cut breaches of ethics, many ethical dilemmas that not so clear cut are faced on a daily basis in business. In fact, there may not even be a “right” or “wrong” answer to the dilemma, but how you deal with it will say much about you and your business. These decisions are often referred to as being in the “grey area”. They are not blackor-white, but could be argued appropriately either way. There are three questions you should ask yourself whenever you are faced with an ethical dilemma:

• Is it legal? In other words, will you be violating any criminal laws, civil laws or business policies by engaging in this activity?

• Is it balanced? Is it fair to all parties concerned both in the short-term as well as the long-term? Is this a win-win situation for those directly as well as indirectly involved?

• Is it right? Most of us know the difference between right and wrong, but when push comes to shove, how does this decision make you feel about yourself? Are you proud of yourself for making this decision? Would you like others to know you made that decision?

12 RISK COMMUNICATION When a crisis occurs, one of the first casualties is the business reputation. The public always believes that many business offences are more serious that violent crimes. This chapter is dedicated to helping entrepreneurs prevent their businesses from losing reputation through risk communication. At any given point in time, entrepreneurs are likely to encounter public outrage of some sort due to perceived risks associated with the product or service their business provides. The perceived risks are generally expressed by the public in terms of integrity or safety concerns which can arise from intentional bad publicity, damages suffered by a member of the public after consuming a product or service offered by the business concerned or by the entrepreneur’s or his employee’s unethical actions. Whatever the situation, when a business eventually faces public outrage, a variety of options for dealing with the situation are available. One is to bury the head in the sand and hope that the will pass. Of course, when one is in that position, a certain part of the anatomy is extremely vulnerable to shack-and you may never know what kicked you. Another option is to charge into the fight, to intimidate the public. The main problem with this tactic is that the entrepreneur is likely to get shout out of the saddle as a “Lone Ranger”. Also, people often handle highly charged conflict by discounting the credibility of others and thinking in terms of black and white: “mad-dog” media, “redneck” producers, and “crazy” consumers. This is a human reaction to controversy and most of us soon get a grip on ourselves and look for more effective approaches to dealing with a problem. One of the most common methods employed by entrepreneurs and businesses is “damage control” whereby an incredible amount of time and energy suddenly has to be focused on attempts to limit the scope of damage that can affect the business’s reputation and effectiveness. Usually entrepreneurs and businesses would focus on media management. Entrepreneurs need to understand that it does not pay to manipulate the media. The fact is the days of controlling the release of damaging information are gone. Media reports abound from situations where supposedly “controlled” information was leaked. Also our round-the-clock media-based society spreads information like wildfire.

PART THREE

THE PRACTICE of Business Risk Management

Risk Identification

Risk Analysis

Risk Response

Risk Review

13 PRELIMINARY STEPS Overview The generally accepted approach to risk management comprises a series of steps that when undertaken in sequence, they enable continual improvement in decision-making. These steps include the Establishment of the context, the Identification of risks, the Analysis of risks, the Selection of risk response options, and the Implementation and monitoring and performance review. The elements of the risk management process are summarised in the figure below.

Communicate and Consult

Establish the Context

Analyse the risks

Identify the risks

Evaluate the risks

Treat the risks

Monitor and Review Each step offers a convenient milestone and each subsequent step is dependant, and builds, on the work completed in the previous step, providing an evolving understanding of the issues and development of progressively more robust risk management actions.

Communicate and Consult Communication and consultation aims to identify who should be involved in the assessment of risk (including identification, analysis and evaluation) and it should engage those who will be involved in the treatment, monitoring and review of risk. As such, communication and consultation will be reflected in each step of the process. As an initial step, there are two main aspects that should be identified in order to establish the requirements for the remainder of the process. These are

14 IDENTIFYING RISKS Introduction Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to utilise the information obtained to identify possible risks the business is expose to. Risk identification involves finding, listing and categorising ALL risks which may affect activities and the achievement of business objectives. It combines retrospective or prospective identification methods. Retrospective identification relates to the risks that have previously occurred, such as incidents or accidents. It is often the most common way to identify risk, and the easiest. It is easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused. There are many sources of information about retrospective risk. These include hazard or incident logs or registers, audit reports, customer complaints, insurance claims, conducting interviews with the entrepreneur or his long serving staff about the history of the business and the challenges it has endured in the past, past newspapers reports about the business, the entrepreneur or the industry. Prospective risk identification is often harder to conduct. It relates to events that that have not yet happened, but might happen sometime in the future and should include all risks, whether or not they are currently being managed. Methods for prospective risk identification include brainstorming with staff or external stakeholders, researching the economic, political, legislative and operating environment, undertaking surveys of staff or clients to identify anticipated issues or problems, and flow charting a process. It is important to remember that risk identification will be limited by the experiences and perspectives of the person(s) conducting the risk identification. Also, one of the most common failings in the risk identification step is identifying things which are not risks. Clearly if this early stage of the risk management process fails, subsequent steps will be doomed and risk management cannot be effective. It is therefore essential to ensure that risk identification identifies risks.

15 ANLYSING RISKS Introduction The purpose of risk analysis is to provide information to the entrepreneurs to enable them to make decisions regarding risks that are a priority, risk response options, or balancing costs and benefits. In the risk analysis stage, the registered risks are assessed in terms of their significance on the business objectives and activities based on their frequency and severity levels. Risk analysis involves combining the possible consequences or severity of an event, with the likelihood or frequency of that event occurring. The result is a â&#x20AC;&#x153;level of riskâ&#x20AC;?; that is: Risk = Severity x Frequency Frequency and severity are two most important components of risk that need to be measured. Some risks are low in severity and happen frequently, such as small shoplifting and workers arriving late at work. For example Minor accidents are common in the construction industry and, while unfortunate, they do not bring the building site to a halt. These risks are very probable but have a small impact because they are common, the business should guard against them, but usually they cause negligible loss or damage. Severe events, such as natural catastrophes, business license suspension or death of a key employee, are very improbable. A terrorist attack is catastrophic as it can cause a business to close, but it is a very improbable risk in most African countries. For most businesses, this type of risk probability of occurrence is very small, there is no point in trying to manage it. If, however, the business had an office in known terrorist area of some East African countries, the probability of this risk materialising would be higher. However, some severe events happen frequently. For example the risk of fire in a textile plant is both quite probable and catastrophic or the corruption of tax and administrative authorities in some countries are common and severe that many African entrepreneurs are discouraged to start a business or forced to close their business due to the financial and psychological price they have to pay.

16 RISK EVALUATION Introduction It is important that entrepreneurs establish, after analysing risks, what exactly the “frequency” and “severity” terms means to their businesses. Risk evaluation helps them to clarify this issue by comparing the level of risk found during the analysis process with previously established risk criteria and, as a result, enables them to decide what level of risk is acceptable to the business. “Acceptable” means the business chooses to “accept” the risk because the opportunities presented outweigh the threats to such a degree that the risk is justified or because the cost of treatment far exceeds the benefit, so that risk acceptance is the only option. It also means that the level of the risk is so low that specific treatment is not appropriate with available resources or the risk is such that there is no treatment available.

ALARP as an Essential Risk Evaluation Method This principle of weighing risks against the risk criteria is known as ALARP (As Low As Reasonably Practicable).Thus, ALARP describes the level to which risks is to be kept to ensure that the business achieves its objectives. The ALARP principle recommends that risks be reduced “so far as is reasonably practicable,” or to a level which is “As Low As Reasonably Practicable”. If a risk falls between the two extremes (that is, the unacceptable region and broadly acceptable region) and the ALARP principle has been applied, then the resulting risk is the tolerable risk for that specific application. According to this approach, a risk is considered to fall into one of 3 regions classified as “unacceptable”, “tolerable” or “acceptable” (see Figure below). Above a certain level, a risk is regarded as unacceptable. Such a risk cannot be justified in any ordinary circumstances. If such a risk exists it should be reduced so that it falls in either the “tolerable” or acceptable” regions or the associated hazard has to be eliminated. Below that level, a risk is considered to be “tolerable” provided that it has been reduced to the point where the benefit gained from further risk reduction is outweighed by the cost of

17 RISK RESPONSE PLANNING

Introduction The Risk Response Planning phase is where strategies are determined and actions are developed, the implementation of which will allow entrepreneurs to have appropriate responses to risks they take to achieve business objectives. It is therefore the most important phase in the risk management process as it ensures that risk is dealt with appropriately based on a business’s acceptable risks. Most risk management guidelines recognise at least four types of strategy in responding to identified risks. A useful framework is to use the 4 Ts characterising Risk Response Options: • • •

Terminate (or Avoid) Treat (or Control) Tolerate (or retain)

• Transfer However risk management has seen in the past two decades new concepts of response techniques as a result of large businesses and organisations applying capital and investment concepts and strategies in the management of risks. The two main new techniques are the so called” Risk Financing” and “Alternative Risk Financing” Solutions. In order for entrepreneurs to ensure that their risk response plan is effective, they should try their best to plan a specific risk response for each acceptable level the appropriate risk response. For example, those that fall under the acceptable levels will be retained or controlled, while those over the risk tolerance should be avoided or transferred. The correlation table can better facilitate to describe the Risk Response Planning.

The Practice of Business Risk Management

271

Terminate/Avoid risk

This strategy is used to make the risk cease to be a possibility. This means staying clear of the risk altogether. But it is NOT the same thing as treating your business risks as an afterthought! Risk avoidance is a conscious, rational decision by an entrepreneur to avoid the occurrence of a serious threat by suspending the business activity that poses the risk to his business. By avoiding the occurrence, the impact as well as the consequential negative financial impact could also be avoided. In other words, you might decide to stop manufacturing a specific product, or to stop delivering a specific service because of the high risk involved. Risk avoidance is important, since it involves the taking of actions which will prevent the risk from having an effect on the objectives of the business. In this way risk avoidance can be said to decrease one’s chance of loss to zero. Risk Avoidance involves changing the business risk context, i.e. changing the nature of a business or an activity to avoid its inherent risks. It also can be accomplished by changing the process or the resources to attain an objective or sometimes modifying the objective itself to avoid the risks involved. Other ways to avoid risk include: • • • • • • • •

Adding resources or time to an activity or project Adopting a familiar approach instead of an innovative one Avoiding an unfamiliar subcontractor Clarifying contract requirements Improving communication Obtaining more information on a service or product specification Acquiring professional expertise Reduce scope of business or project to avoid high-risk activities

The Practice of Business Risk Management

273

to risks. When risk is avoided, the potential benefits, as well as costs, are given up. An example an example is the liability risk of owning or leasing premises from which the business is to be conducted or the doctor who quits practicing medicine does indeed avoid future liability risks but he also forfeits the income and other forms of job satisfaction that may be associated with a career in medicine; and the business that avoids manufacturing pharmaceuticals relinquishes potential profits as well as liability risks. Some risks will only be treatable, or containable to acceptable levels, by terminating or avoiding the activity or activities that give rise to the risk. We may rarely be able to stop doing the activity altogether, but should avoidance be gained for a small cost, then it is the approach which should be used.

Treatment/Control of Risk When I spoke of risk tolerance, I said risks that were above the entrepreneurâ&#x20AC;&#x2122;s risk tolerance limit were not acceptable risks and that something had to be done about them. Risk mitigation or control is a strategy where some work is done on unacceptable risks to reduce either their frequency or their severity to a point where their significance falls below the maximum risk tolerance level. 100% reduction would be equivalent to avoidance. Risk control is generally approached on the basis of the focus and the timing of loss control. The Focus of loss control considers frequency and severity reduction whilst the timing of loss control considers the pre-loss control, the concurrent control and the post-loss control.

Frequency Reduction As a risk control technique, the goal of frequency reduction is to prevent loss from occurring thereby reducing the number of losses from that exposure over time and cutting the cost of paying for those losses. Properly done, loss prevention does not need to be as potentially disruptive as exposure avoidance. Some examples of loss prevention could include: â&#x20AC;˘

â&#x20AC;˘

Keeping any cash that is needed for business operations in a locked box or even a safe, so that any potential robbers would have great difficulty getting to it. Training employees in how to do their jobs safely, and monitoring their job performance so that accidents and injuries to employees would occur less frequently.

Risk Response Planning

•

274

Increasing clearances between parking spaces so that collisions (and the resulting property damage and potential liability claims) would be less likely and less expensive in the long run. Clearly marking the building exit so that pedestrians would be alerted to the danger of stepping in front of a motor vehicle leaving the garage.

Severity Reduction As Much as loss prevention reduces the probability of losses from given risk exposure, loss reduction aims to reduce the size or severity of such a loss. To illustrate: •

•

An automatic fire detection and suppression system in operational areas of a business would tend to reduce the size of any fires which broke out in those areas. So would hand-held fire extinguishers— provided the garage staff was trained in their proper use. Keeping no more than $500 dollars cash on the business premises could well reduce robbery and embezzlement losses, even if the cash register was occasionally left unlocked. There would be no more than $500 dollars there for any embezzler or thief to steal. Keeping first-aid kits in the office area and training employees in their proper use would be likely to reduce severity of injuries to both employees and third parties. This should in turn reduce the size of any liability claims against the business for such injuries. An auto manufacturer having air bags installed in its fleet of automobiles. This business is engaging in severity reduction. The air bags will not prevent accidents from occurring, but they will reduce the possible extent of injuries to the occupants of vehicles in a case of an accident.

Other special forms of severity reduction are: •

•

Separation which involves the reduction of the Maximum Probable Loss associated with some kind of risks. For example, a business may disperse work operations in a way that an explosion or other incidents will not damage more than a limited number of persons and property. Duplication is a very similar technique, in which spare parts or supplies are maintained to immediately replace damaged equipment and/or inventories. Duplication is creating a backup copy of the asset at risk. With a building, this is a very expensive proposition, but for other assets (data, critical documents, machinery parts, etc.), duplication is an

Risk Response Planning

280

Tolerate/Retain Risks

As with risk avoidance, risk acceptance is also a conscious and rational decision by entrepreneurs. They accept the fact that they cannot counteract a specific risk by avoidance, reduction, or transferring it, although, at the same time, he acknowledges the need to continue with the business activity that poses the risk to his business. Using the acceptance or a retention strategy means that the severity of the risk is lower than the entrepreneurâ&#x20AC;&#x2122;s or businessâ&#x20AC;&#x2122;s risk tolerance level. If this were not the case, it would not make sense to accept the risk. Accepting a risk does not mean that we will not do something about the risk when and if it occurs; it means that we will do something about it only if it occurs. It is the category where the many insignificant and predictable risks are put. Many of these risks cost less to fix when they occur than it would cost to investigate and plan for them. The difference between risk retention or acceptance and risk avoidance is that with risk avoidance an entrepreneur avoids the occurrence of a very serious threat that could damage his businessâ&#x20AC;&#x2122;s financial position forever. However, with risk retention, the entrepreneur decides to accept a risk, and the consequential financial impact, and the fact that it cannot be counteracted with additional controls. There are two kinds of acceptance, passive and active.

Passive Retention Passive or unplanned retention or acceptance involves the failure to plan a response for a risk because the risk was not identified or because the existence of risk is acknowledged but neglected on the assumption that the risk is simply too remote or insignificant to be of concern or sometimes because the cost of developing a plan can be higher than the cost of dealing with the risk without preparation.

The Practice of Business Risk Management

283

Transfer Risks Risk transfer means to shift the responsibility for loss or damage to another party who will carry the risk impact and ownership of the risk response. Partial transfers are known as risk sharing. The general rule about risk transfer is that a business may transfer either the actual risk or the financial consequences of a loss to another party. Two methods are generally used to transfer risks. They involve the contractual transfer and non-insurance transfer method as well as insurance.

Contractual and non-insurance transfer Waiver of subrogation. The relinquishment by an insurer of the right to collect from another party for damages paid on behalf of the insured. The waiver of subrogation condition in current standard policies is referred to as "transfer of rights of recovery." Named as an additional insured. A person or organisation not automatically included as an insured under an insurance policy, but for whom insured status is arranged, usually by endorsement. Hold harmless (HH) or indemnification agreements. They are clauses in a contract under which you transfer the Responsibility for Payment to, for example your subcontractor or tenant. They agree to assume your liability if you are held liable for their negligent conduct. The different types of Hold Harmless Agreements are: • Broad Form which covers all acts or omissions with no exceptions. • Limited Form which covers only negligent activities of contractor. It may be limited to property damage or bodily injury. • Intermediate Form which covers all acts or omissions except for your sole negligence or wilful acts. Hold Harmless functioning consists of the following: • It does not absolve you of liability • It gives you a pocket from which to pay • It does not mix with insurance requirements • It is only as good as the person making the promise • It defends and indemnifies any and all claims, suits, proceedings; the costs paid as incurred, the full extent as permitted by law, the

The Practice of Business Risk Management

295

Risk Financing Introduction Risk financing refers to techniques that provide adequate financial resources for those losses that a business cannot avoid or control. It is primarily concerned with ensuring the availability of funds in the event of a loss. For instance, rather than installing a sprinkler system, a business may choose to protect against potential fire damage by transferring risk through the purchase of an insurance policy that provides compensation if a fire occurs. Or, if a business feels that its risk exposures are particularly “well-behaved”— reasonable in size and predictable with some degree of certainty—it may retain a portion and pay for it from the contingency or retention funds. It is important to consider a business’s risk financing options in terms of various layers of losses. Primary or bottom Layer. This layer contains the high frequency/low severity losses which are essentially predictable. It is unlikely that any single loss in this layer could seriously impact a large business although an accumulation of claims in any one financial period may create a problem. This layer generally falls within deductibles. Middle or Working Layer. This layer contains the medium frequency/medium severity losses where there are only a few losses a year expected. An individual loss may seriously distort the budget/financial performance of any operating unit although it is not likely to present a major problem for the business as a whole. The decision to insure or self-insure this layer of risk depends on the appetite for risk-taking that the management of the business has and sometimes it is influenced by the terms offered by insurers. Top or Catastrophe Layer. This layer contains the low frequency/high severity losses. An individual loss of this magnitude can seriously distort the financial results of the organisation in any one financial year and, may even threaten the whole business. It is essential that insurance or an alternative method of risk transfer is used to deal with these risks. Depending on the size of the business the determination of these layers will vary based on its financial strength and the historical loss experience. The next step is to evaluate the most effective risk financing option for each one of these layers. Businesses have 3 main options to finance their losses. They include: Internal sources of funds or Risk Retention, External sources of funds or Insurance and Alternative Risk Financing.

Risk Response Planning

296

It makes sense to consider all options for risk financing. There are costs and benefits associated with each approach. These need to be weighed and compared in light of a business’s strategic risk policy. Key matters to think about are: • • • • • •

Financial criteria—net present value, time-adjusted rate of return, budgeting goals. Other criteria—legality, continuous operation, stable earnings, growth, humanitarian concerns. Integrating organisational, financial and risk financing objectives. Ease or difficulty of implementing the chosen techniques. Establishing fund sources, drawing on fund sources, allocating costs, technical decisions, and managerial decisions. Monitoring to ensure implementation, to achieve planned results and to adapt when appropriate.

Retention Retention in the risk financing context involves the assumption of risks by a business. It means that the organisation maintains financial responsibility for all or part of a loss and involves the payment of losses from internal sources of funds. Retention can be planned or unplanned. Unplanned retention is when a business does not recognise that risk exists and unwittingly believes that no loss could occur. It also happens when the existence of a risk is acknowledged but if the maximum possible loss associated with the recognised risk is significantly underestimated. For example, a manufacturer of kitchen appliances may recognise the potential for product liability suits. But the potential size of adverse liability judgements may be much greater than he anticipates. Thus even though the exposure is recognised, the business is engaging in unplanned retention of losses that exceed its estimate of maximum possible loss. Planned or active retention involves a deliberate of recognised risk. It sometimes occurs because it is the most convenient risk treatment technique or because there are simply no alternatives available short of ceasing operations. The main forms of planned risk retention include: unfunded retention, funded retention, and insurance covers exclusions. Unfunded retention. Losses are treated as current expenses. It also tends to be used for low severity/low frequency risks. •

Risk Response Planning

348

Conclusion The optimal retention level of an organisation can be defined as one allow the assumption of the proper portion of the loss whilst creating a premium savings, an investment opportunity and financial stability that are balanced by the consideration of the risks and consequences involved. The risk retention review should be a never-ending process for the risk management professional. Viewing retention as an investment decision that will result in moving retention up and down based on the claim results and the state of the insurance marketplace. While this “yo-yo” approach to risk retention may run contrary to risk management tradition as businesses normally set a risk retention philosophy for stability—increasing it gradually over time as part of the overall risk management plan, will result in a lower cost of risk and measurable financial gain in today's drive for peak efficiency. Increasing risk retention, regardless of risk financing structure, may save premium payments, but without a thoughtful review of the return on investment, and organisation's economic value may not be maximised.

Alternative Risk Financing The traditional insurance market is perceived as having failed to deliver what its business customers want. Others have stepped in to fill the gap with Alternative Risk Finance solutions. Insurance is a source of finance to pay for losses if and when they arrive. The risk financing through insurance is subject to conditions but there is the advantage of stability in settled law and practices. For larger businesses, insurance tends to be more a “loss-smoothing” device rather than risk transfer, because claims are likely to be reflected in increased premiums. It is most obviously a case of “dollar swapping” in high frequency/low severity risks. With insurance, there is a potential for delay in restoring assets and for disputes over claims—the insurer's first loyalty is to its shareholders. On top of premiums, an Insured will incur management costs of administering and reviewing its insurance portfolio. There are also likely to be fees for intermediaries such as to brokers and advisers. Insurance companies emphasise “protection”, but for business customers uncertainties remain in the form of underinsurance, over-insurance, overlapping covers, incorrect assessment of exposures, insurer solvency, and even policy wordings being negotiated after the inception of cover. There are other negative aspects to insurance provision: poor quality of service; cost of premiums may relate more to insurers overall portfolio rather

The Practice of Business Risk Management

349

than to insured’s loss experience; insurer “knee-jerk” reactions to market-wide or insurer-specific claims problems resulting in volatility of premiums and/or rapid withdrawals of cover (e.g. asbestosis, professional indemnity, terrorism); premium determinations being heavily influenced by blanket re-insurer needs; the heavy reliance on historical data for setting premium rates and little or no recognition of the value of proactive risk management; traditionally slow to offer new covers; primary insurers’ limited capacity; insurer takeovers and mergers improving individual insurance business capacity but leading to shrinking market choices; the attractiveness of personal lines business to insurers over commercial business; costs arising out of insurers operating inefficiencies built into premiums; and hidden costs such as broker over-riding commissions. The field of Alternative Risk Financing (ARF) grew out of a series of insurance capacity crises in the US in the 1970s through 1990s that drove purchasers of traditional cover to seek more robust ways to buy protection. Modern businesses depend on more than physical assets and cash resources—they rely on intellectual assets, critical just-in-time supply chains, information and other technologies, communication tools, developments in their marketplace, legal and regulatory compliance, brand value and reputation. All such developments have implications for risk. Commercial insurance has, to a certain extent, adapted with, for example, integrated or bundled covers where claims are viewed from the perspective of the total loss to the insured and not just an amalgam of individual policy claims. Policies have been developed for risks previously regarded as uninsurable, such as financial risks. But moving beyond developments in traditional commercial insurance, we have seen the world’s capital markets develop ways to handle insurance risks (so-called “insurance convergence” products), especially catastrophe risk and financial risks such as interest rate and foreign exchange risks. Demand, supply, taxes and regulation, and information technology are drivers of financial innovation and we have seen a rethinking in insurable risk and principles such as indemnity and insurable interest. In short, the alternatives to traditional insurance products are many and varied. Alternative Risk Finance is the use of techniques other than traditional insurance and reinsurance to finance insurable and uninsurable risks. These mechanisms are said to be “alternative” as conventional risk transfer and financing structures are amended, combined and finally used as alternatives to traditional mechanisms, whenever additional cover and capacity is needed.

18 IMPLEMENTING THE RISK MANAGEMENT PROCESS Introduction Risk responses are varied and none really addresses comprehensively the risks that can cause a business to fail. Part of the difficulty is that each business will have different types of risks, so it is difficult to generalise. Selecting the most appropriate risk response option involves balancing the costs and efforts of implementation against the benefits derived having regard to legal, regulatory, and other requirements, social responsibility and the protection of the natural environment. Decisions should also take into account risks that can warrant risk response actions that are not justifiable on economic grounds e.g. severe (high negative consequence) but rare (low likelihood) risks. A number of response options can be considered an applied either individually or in combination. The organisation can benefit from the adoption of a combination of response options. When selecting risk response options, entrepreneurs should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Where risk response options can impact on risk elsewhere in the business, these areas should be involved in the decision. Though equally effective, some risk responses can be more acceptable to stakeholders than others. If the resources for risk response are limited, the response plan should clearly identify the priority order in which individual risk responses should be implemented. It is both interesting and relevant to discuss how entrepreneurs can allocate money for different risk response options. Risk avoidance is frequently going to cost some money. The money that we spend to change or cease a business activity or to redesign a product so that the risk of failure is avoided is money that will have to be spent regardless of the probability of the risk. The additional work of doing the redesign and adding more expensive parts will be part of the operating budget. No money needs to be put into the risk reserves if the risk is completely eliminated. If the risk has already been allocated funding in the contingency budget, the increase in the operating budget can be taken from the contingency budget. Risk control or mitigation will have money put into the contingency budget to handle the risk if it occurs. There will also have to be money put

Implementing the Risk Management Process

376

into the operating budget to take care of the cost of the mitigating activities that are being taken for this risk. The mitigation of the risk will reduce either the probability or the impact of the risk, and the contingency budget should therefore be reduced. Risk transfer requires money to be put into the operating budget to pay for the additional cost of either subcontracting the risk or buying insurance for it. The money to do the work for the activity affected, not including the risk cost, was put into the operating budget when the task was created. The cost of the transfer, either the additional cost that the supplier will receive or the cost of the insurance premium, must be added to the operating budget. This money can be taken from the contingency budget. Risk acceptance or retention including self-insurance programs will have money put into the contingency budget if the risk has been identified. If the risk is an unknown risk and has not been identified, the money for it will be roughly estimated and become part of the management reserve. If the risk does happen, the money is taken from the contingency budget or the management reserve and moved into the operating budget when the plan for dealing with the risk is put into place. The operating budget of the project, sometimes called the performance budget, is the amount of money needed to do the things that are planned for. This includes all of the work to develop a product and implement strategy to sell it. It is not the total business budget; it includes funding only for the things that are planned for. The management reserve is money that is set aside for the risks that have not been identified, the so-called unknown risks. This transfer is made when a risk occurs that has not been identified and money must be spent to solve the effects of the risk. The contingency reserve is the money to do the things that may or may not have to be done but that have been identified. This is where the funding for risks that actually take place comes from. When a risk takes place, the entrepreneur authorises money to be taken from the contingency budget and placed into the operating budget. Generally the entrepreneur must approve money transferred from contingency reserves to operating budgets. Risk response itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk response measures. Monitoring needs to be an integral part of the risk response plan to give assurance that the measures remain effective. Risk response can also introduce secondary risks that need to be assessed, treated, monitored and reviewed. These secondary risks should be incorporated into the same response plan as the original risk and not treated as a new risk, and the link between the two risks should be identified.

19 THE COST OF MANAGING RISK As an entrepreneur seeks to manage risk effectively, questions of cost also arise since risk management is not a “zero-cost option” for risk management. Cost of risk is driven by several components of the entire risk management program. By understanding those components and how they are affected, an entrepreneur can be able to work at controlling and reducing the total cost of risk which includes all of the expenses a business incurs to treat the risks it faces. Entrepreneurs who do not understand the cost of risk will tend to focus only on the obvious expense of insurance premiums, and will miss the bigger picture, which can result in significant savings through effective risk management. At a minimum, the cost of risk includes these components: • • • • •

Risk management administrative costs Retained (uninsured/self insured ) losses/expenses Insurance premiums and related intermediary fees and commissions Loss prevention and reduction (risk improvement) costs External services

Risk Management Administrative Costs These costs include all of the direct internal costs of operating the risk management function in a business. Every business has to do some degree of risk management, and every business has internal cost associated with it. In larger businesses, this includes salaries, office expenses, training and education, travel expenses, safety supplies, employee benefits, and any other costs that can appropriately be assigned to the effort. In smaller businesses, it is generally the time spent by the entrepreneur’s or manager’s time spent by entrepreneurs to deal with a loss or damage.

Retained Losses There are two kinds or retained losses. Active losses are those that you are aware of and choose to have, generally in the form of a deductible or selfinsured retention. Passive losses are far more dangerous. These are the ones

The Cost of Managing Risk

382

that you are not even aware of being uncovered. It might be an exclusion on a policy or a risk you do not have insured. Part of a business’s overall risk strategy may be to retain certain losses in order to reduce premium. However, problems are still common: • •

Deductible options incorrectly utilised Unexpected passive losses

Insurance Premiums Insurance premiums include all fees and commissions. Virtually every business pays some form of insurance premium. Many entrepreneurs focus solely on the premium they have to pay to insurers as the cost of managing risk. While it is important to keep insurance premiums as low as possible, it should not be done by means that unnecessarily raise the other components of the cost of risk. Effective risk management will not eliminate all premiums, but it should identify wasted or inefficient premium dollars. Some common examples of wasted money through insurance: • • • • •

Inflated premiums that result from risk classification errors Premium loading due to incorrect loss experience models or risk profile Policies covering nonexistent assets Incorrect application of EML or PML Unnecessary or excessive intermediaries fees and commissions

Loss Control and Safety Costs In an effort to avoid or reduce loss, some insureds may invest in loss control and safety. This includes safety devices such as sprinkler systems and safety equipment like safety glasses and fall protection. Granted, some of these are required by regulation, but such costs arise out of the inherent risk of the operation and are thus part of the "total cost of risk."

External Services Costs Outside services incorporate the myriad of service providers available to assist in the implementation and running of a risk management program. The cost of the external services relate to the fees payable to these experts among which we can count risk management consultants, legal advisors or attorneys, accountants, statisticians, actuaries safety consultants, etc.

20 DOCUMENTING THE RISK MANAGEMENT PLAN Risk Management Plan The Risk Management Plan guides a business through the phases of risk identification, risk assessment and risk resolution. This article gives a brief overview of how all three steps are coordinated to comprise the entire methodology of risk management. To ensure that the risk management process is implemented and performs as intended, a documented structured approach is recommended involving the use of risk action plans, risk registers, and monitoring and reporting tools. Many different types of documentation can be used in the risk management process. It is easy to become confused about which documents to use and when. This section offers a one simple way to record the risk management process through the Risk Management Plan. A risk management plan is a document used to record the risks that have been identified through the risk management process, the levels of risks or risk rates established in the risk analysis stage, the risk response strategies chosen for each risk. A risk management plan also documents the strategies in place to communicate the risk information to stakeholders and the method for monitoring and reviewing risk information. It comprises four parts:

Contents of a Risk Management Plan Executive Summary This section summarises the concept of risk and risk management as it is being currently applied to the business, the motivation and objectives of risk management plan for the business.

Risk Policy Statement This section describes the businessâ&#x20AC;&#x2122;s risk management philosophy and the processes and practices that are in place to manage risks across the business. The policy also ensures that responsibilities have been appropriately delegated for risk management.

Documenting the Risk Management Plan

388

Introduction This section sets out the purpose of the Risk Management Plan document, the Goals of Risk Management for the business concerned and it approach to risk management.

Risk Register The individual risks should be registered to facilitate tracking of their status and provide an indication of the residual risk. A risk register is a tool for managing and monitoring risk on a continuing basis. The details of individual risks may be entered into a register database that records the following information: For each risk category, we will use the template to document the risks identified, the current treatment strategy (if relevant), the risk rating elements, the priority levels of each risk and the further treatment options available. The columns in the risk register should be used as follows: • • • • •

•

• •

•

An identifying/Serial number. Use a numbering system to differentiate the risks identified within each category. A brief description of the risk event. Write a risk statement that defines the risk, including what can happen and how it can happen. An outline of the current risk responses and their adequacy. Impact. Describe the possible impact on objectives as a result of the risks. Severity levels. Use a risk analysis tool to estimate the possible consequence or impact upon objectives, taking into consideration existing risk response strategies. Frequency levels. Use a risk analysis tool to estimate the likelihood that a risk may impact upon objectives, taking into consideration existing treatment strategies. Risk rates of risk. Use a risk analysis matrix or similar tool to combine the results of consequence and likelihood to achieve the level of risk or risk rating. Risk priority. Compare the level of risk with the pre-determined risk criteria and rank the risks in order of priority. Risk response options. Identify the various treatment options available for managing the identified risk. (These options should be in addition to current response strategies and should aim to reduce the residual risk). The current status of the risk response strategies

21 ENTERPRISE RISK MANAGEMENT The Next “Under construction” Level Introduction Every business encounters risks, some of which are predictable and under management’s control, and others which are unpredictable and uncontrollable. Risk management involves identifying, analysing, and taking steps to respond to the exposures to loss faced by a business. The practice of risk management utilises many tools and techniques, including insurance, to manage a wide variety of risks. Risk management is particularly vital for small businesses, since some common types of losses—such as theft, fire, flood, legal liability, injury, or disability—can destroy in a few minutes what may have taken an entrepreneur years to build. Such losses and liabilities can affect day to day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt a small business. But while many large businesses employ a full time risk manager to identify risks and take the necessary steps to protect the firm against them, small companies rarely have that luxury. Instead, the responsibility for risk management is likely to fall on the business owner. The importance of risk management in business can hardly be overstated. Awareness of risk has increased as we currently live in a more competitive and regulated yet less stable economic and political environment. To meet their business objectives, entrepreneurs and business executives are now expected to address emerging and varied forms of business risk. Intense competition is now more than ever, a major factor dominating today’s volatile markets. To remain competitive, business leaders must continuously adapt strategies and operations and introduce new initiatives to meet these competitive business challenges. However, without an appropriate risk management program, these could expose companies to additional and increased risks. For example, new product initiatives can increase exposure to commodity price volatility, market risks, and additional liability lawsuits. Diversification can expose a company to increased business risks. Regulatory and legal compliance requirements also increase risk exposure. The Sarbanes Oxley Act of 2002 in the US (SOX) greatly raised compliance

Entreprise Risk Management; The Next Level

402

Implementing ERM will provide businesses with benefits in that: • • • • • • • •

It Aligns objectives at the different levels in the business. It Increases the opportunity of achieving business objectives. It protects and enhances shareholder’s value. It reduced fraud and risk incidents. It increases operational efficiency. It improves compliance with regulatory requirements. It Improves risk awareness and assessment. It reduces the cost of capital.

Conclusion ERM may have been initially driven by compliance needs; however its development should continue to serve an internal control function for better corporate governance. Moreover, the forces upon which ERM thrives are related to the potential economic values generated by better managing risks under identified objectives. One common objective for the majority of businesses is to maximise shareholders’ value. ERM is designed to provide the framework where businesses can optimise the risk/return relationships. ERM is still at its early stage of development for the most part. Conceptual and practical frameworks are still being constructed through gathered efforts from regulators, industries and academia. More advanced methodologies, techniques and tools are emerging every day. Therefore, some of the aspects— e.g., what ERM really is, the real effect, how it can be best implemented, etc.—described are necessarily vague and debatable due to the lack of consensus regarding exactly what constitute effective ERM and lack of evidences regarding the empirical benefits of different implementation scenarios of ERM. It is my hope that most of the ambiguity will resolve itself as this process goes on and more concrete and analytical discussions can then be carried out.