How to understand the new paradigm of risk management
The concept of risk should be viewed in a holistic context offering both negative and positive outcomes
The vibrancy, flexibility and adaptability of local enterprises have helped Hong Kong storm out from wave after wave of economic turbulence over the past decades. Yet, from my over 25 years’ experience in management in various sectors, as well as in related consultancy roles, teaching and research, enterprises with such experiences do not necessarily mean that they can handle risk well. Many local enterprises are still quite conservative, if not outdated, in their risk management approach. To survive keen competition due to globalisation, specialisation and technological advancement, local enterprises need to embrace a new paradigm of risk management.
The term “risk” means both negative risk, such as loss, injury, damage and cost; and positive risk, which represent opportunity. However, many local enterprises perceive risk as mainly or solely negative. The deep-rooted concept has limited enterprises’ choices of the most optimal and efficient risk management strategy for mitigating the probability and/or severity of negative risk, as well as seizing the opportunity brought by positive risk. Moreover, the tendency of reactively rather than proactively managing risk from the prevention stage, and adopting a silo instead of a holistic approach in risk management are also common barriers for business continuity among local enterprises.
The mobile phone industry provides classical examples of the extreme outcomes due to the adoption of different risk management approaches. In 2000, the Philips semi-conductor plant, the sole supplier of radio-frequency chips to Nokia and Ericsson, in Albuquerque, the US, was ravaged by fire, leading to a 3-month production halt. Nokia proactively responded to the negative risk by searching for other worldwide chip suppliers and their redesigning handsets. Eventually, Nokia was able to materialise the opportunity to capture even greater market share. However, Ericsson was slow in responding to the threat, resulting in a loss of US$400 million and diminished market share. Subsequently, it sold its mobile phone business to Sony. Another example is the proactive risk management programme of Apple when it launched its smartphone in 2008. Since then, its iPhone series has been so successful in both technology and market breakthroughs that it has conquered the whole world. On the contrary, Samsung’s reactive approach in risk management has led to its failure, and massive recall of its Galaxy Note 7 in 2016.
To cope with the need for optimal risk management solutions amid the rising complexity of global business, enterprises should take the logical and sequential seven-step approach of DIAMSIE: define; identify; analyse; measure; select; implement; and evaluate.
Local enterprises, which always eye immediate results, usually overlook the first two steps, in the hope of jumping the gun to implement quick-fix actions. Yet, it is of the utmost importance to have clearly defined risk management objectives in line with one’s business objectives. Otherwise, later efforts in risk management will be fragmented and inconsistent, and thus doomed to fail.
In risk identification we need to identify the most significant stakeholders and the associated and inherent risks through all available sources such as internal and external records, benchmarking, consultancy reports, on-site inspections, and stakeholder surveys. A cross-functional risk management team, comprising all the major functions of an enterprise, should be actively involved in the identification process, to come up with a profile of the characteristics, sources and symptoms of all identified risks.
Once the risks have been identified the team can analyse and measure each one purely on probability, or the likelihood or frequency for it to occur; and severity or impact, the size of the loss or gain if it happens. By putting each one onto a four-quadrant risk matrix we can then select from the four basic risk management strategies that match each quadrant to plan the actions and allocate resources accordingly.
For negative risks, the four basic risk management strategies include risk avoidance – eliminate it through various actions, as such risk exposure is not permitted to exist at all; risk mitigation – take actions to reduce its probability and/or severity; risk transfer – transfer the risk to someone specialised in it; risk retention – take no action now, but keep an eye on the risk, and be prepared to gear up and act if the risk increases.
As for positive risks, the corresponding strategies are: risk exploitation – take strong and proactive action to eliminate uncertainty around an opportunity; do everything possible to materialise the opportunity; risk enhancement – analyse the underlying drivers and success factors behind an opportunity; do whatever possible to positively influence each other; (risk sharing – instead of taking an opportunity alone, partnering or merging with others; risk acceptance – take no action now, but monitor and possibly pursue in future when the opportunity becomes more appealing and easier to obtain.
The matching of risk management strategies using the above four-quadrant approach may look simple. Yet, in selecting the strategies, executives must consider both the negative and positive risks for striking a proper balance.
In developing the most appropriate and optimal risk management actions under the selected strategies, executives must ensure that the causes, not just the symptoms are managed. To find out the causes, one can apply the common tool of cause-and-effect diagram focusing on the basic five perspectives of manpower, machine, material, method, measurement and environment. Needless to say, efficient resources allocation and performance measurement systems must be ensured for the actions to achieve the expected results.
Globalisation and specialisation in business have been providing opportunities mixed with dangers. To not only survive, but further develop, enterprises need to embrace a new paradigm of risk management for making business plans and decisions.
Dr Petrus Choy is Professor of Practice (Shipping Finance) of the Department of Logistics and Maritime Studies and Deputy Programme Director of Doctor Business Administration of the Faculty of Business at The Hong Kong Polytechnic University