
Risks and Mitigation Planning

Written by Sachin Ghanekar

Preface:

Just the other day, it was raining profusely and I thought of not going to work, as the waters might clog the roads. There was a high risk of this leading to traffic congestion and the waters entering my car.

Put simply, I didn’t want to take a risk that would have led me into traffic congestion, not reaching my office in time, missing my morning meeting (which I could have managed virtually), getting frustrated, and so on and so forth. In a nutshell, I could have wasted my time, energy, money and mental stability. All of this together may have added up to a calculable loss!

You read it right: this write-up dwells on the elements that make us think about and foresee risks and plan accordingly, not only to extinguish the fire but also to keep that fire, as far as possible, from becoming a cause of loss. At the centre of all this are the organizations that are either suppliers or buyers.

All the planning and strategy frameworks that are built lead to a single focus: reducing costs, increasing efficiencies and making calculated investments in disruptive ideas, all in pursuit of a healthier P&L!

Risk:

In layman’s terms, risk can be defined as a situation that involves exposure to danger.

The danger can be anything that leads to a loss of life, property or profits, tangible or intangible.

For an organization, risks fall into three broad categories, namely:

  1. Internal risks – People, Infrastructure, production, performance and so on
  2. External risks – Interdependent risks, geopolitical risk and so on
  3. Planning or corporate strategic risks – organizational risks per se

To put it more formally, risk management is the process of identification, analysis and acceptance or mitigation of uncertainties, which aids in making future and strategic decisions.

In a sourcing business environment, there is a buyer and a supplier. A buyer can be termed as a client who is looking for a supplier to receive services. Buyers use various tactics to ascertain risk.

Can the risks be assessed?

The direct answer to this is YES.

Nobody can predict the future, so this is not about prediction. Rather, it is about the mechanisms and calculations used to gauge what may go wrong and impact the operations of a business.

Risks can be assessed and foreseen to 99.9% accuracy by applying the right mechanisms and tools. Why not 100%? Because if there weren’t that 0.1% delta, everything around us would turn plastic!

And that 0.1% accommodates the unknowns and helps the analysts to adjust the bell curves.

How are risks assessed?

The generic way to go about it is to perform the following:

  • Identify hazards
  • Evaluate the likelihood of each hazard occurring, and its severity.
  • Consider normal operational situations as well as non-standard events.
  • Identify actions necessary to eliminate or control the risk.
  • Monitor and evaluate to confirm the risk can be controlled.
  • Keep any documentation or records that may be necessary. Documentation may include detailing the process used to assess the risk, outlining any evaluations, or detailing how conclusions were made.

What does the risk assessment indicate?

The output we receive from the risk identification and evaluation activity falls into two broad categories: Quantitative Risk Assessment and Qualitative Results.

Quantitative Risk Assessment is the use of measurable, objective data to determine asset value, probability of loss, and associated risks. Nevertheless, in various fields (environment, finance, occupational health and safety, etc.) and in different countries, the meaning attributed to the term differs, sometimes significantly.

The quantitative risk assessment method uses numerical measures to estimate the frequency of occurrence of incidents and the probability or susceptibility of events. These values, expressed as numerical figures, are then used to calculate the risks associated with any infrastructure or event. The quantitative method is always best when most of the data are available or when the available information can be transformed into numerical figures. If some data are missing, a semi-quantitative method will be more appropriate, and if there is no data at all, the qualitative method is the best.

Typically, a QRA can be defined as the formal and systematic approach of identifying potentially hazardous events, estimating the likelihood and consequences of those events, and expressing the results as risk to people, the environment or the business.

The method may include some or all of the following:
• Analysis of the severity/consequence of accident scenarios
• Predicted number of fatalities/casualties for each scenario
• Individual risk
• Group/societal risk
• Potential loss of life
• Location specific risk
• Preventative/mitigation measures
• Sensitivity of results to uncertainties and assumptions.

How do buyers perceive the risk indicators?

From an inter-organizational network perspective, the financial health of companies’ partners could provide additional insight into their own financial health. Specifically, influence can be thought of as directly improving or worsening a company’s health (e.g., investment grade companies are more stable and thereby bring about less volatility to their partners).

The reduction in volatility is likely to bring about a smaller risk premium and, as such, enable smoother operation of the overall system. Conversely, the system might not be driven by global optimization, but by local optimization instead. Companies are likely to prioritize their own profit maximization (i.e., local optimization) at the expense of ensuring a stable overall ecosystem (i.e., global optimization).

It therefore becomes imperative to determine whether, and to what extent, interacting with stable partners is positively or negatively related to the financial health of companies.

How do risks impact businesses?

Risk management is important in an organization because, without it, a business cannot possibly define its objectives for the future. If a company defines objectives without taking the risks into consideration, chances are that it will lose direction once any of these risks hits home.

Lastly, what is done to mitigate the risks?

Once the risks have been identified and assessed, all potential options or techniques to manage each risk fall into one or more of these four major categories:

  1. Terminate
  2. Transfer
  3. Treat and Cure
  4. Tolerate and Exploit

Each of these options requires developing a detailed plan that is implemented and monitored for effectiveness.

Case study: how SW event alerts help in managing risks
