Risk Management


Most discussion of risk management considers it as a separate component in the development and control of the enterprise. For simplicity this is often valuable as it focuses the attention of the business planner on creating systems that will manage the most common failure points within the enterprise or organisation. When one considers that every decision and action that the enterprise takes has an element of risk, any overall review of risk should consider the entirety of processes involved in creating and maintaining progress within the organisation. This approach will achieve a step by step reduction in the overall risk profile of the enterprise or organisation as each component is analysed and appropriate action taken.


In every element of the risk environment the planner needs to answer the following questions:

What are the risks?
Do they currently exist or are they potential?
Who is responsible for their assessment and management?
How potentially serious are they?
Can they be managed or significantly reduced through appropriate planning?
What is best practice for managing the risk and how can it be introduced into the enterprise?
Can the information system identify changes in the risk environment early so that corrective action if necessary can be taken as soon as possible?
Is there a key performance indicator that the information system and management team should concentrate on to identify these changes?
What external advisor or senior manager provides perspective on the choices made?

The role of the knowledge centre

Ibis focuses on the role of the knowledge centre as the core of its bottom up approach to business planning. Including risk assessment as part of the role of the knowledge centre improves understanding of risk (as it comprises individuals with the closest understanding of real market conditions) and control (as they are most likely to be aware of rapid changes in the environment).


Designing out risk

Central to any approach to risk is that best practice suggests that designing out risk is far more cost effective than dealing with the effects of failure. It is probably the most important component of overall contingency planning, once the failure points have been identified. This analysis attempts to provide a reasonably comprehensive view of the major failure points within the typical enterprise and a comment on best practice to reduce the overall level of risk. This web site page is designed to provide the reader with a rough and ready assessment of areas of risk within their enterprise or organisation. It makes no attempt to weight the various components. From an understanding of key risk components will come a focus on how to design it out, share risk, or mitigate it.

Risk indicator and risk profile

By attacking each risk component within the risk universe and understanding the level of risk left at the end of such analysis (the risk indicator) provides the organisation or the enterprise with a quick method of assessing where the enterprise is (the risk profile). The development of a risk profile should be one of the final elements of the business plan, as a review mechanism to ensure that the organisation both understands the risks going forward and accepts the inherent risk within a particular policy. Using a Likert scale ranging from low risk to high risk for each component provides a rapid visual chart of the overall risk status of the enterprise or organisation.

Creating a simple risk chart

Understanding what is important in risk management is vital for any plan as it concentrates effort and resources in effective management rather than dealing with a host of issues that are unlikely to occur or if they occur will have little impact on the business. Combining risk elements into a chart enables the planning team to rapidly review the entire risk environment. There are 9 components that help organize the data:

Risk element;
Responsibility (knowledge centre) – decentralizes risk management to the operating unit;
Benchmark – makes the knowledge centre identify what is best practice for the relevant component;
Benchmark position – identifies how much of an outlier the enterprise is against best practice;
Risk level after designing out, sharing, mitigating on Likert scale from 1 to 10 – highlighting those high risk components;
MIS – is the MIS designed so that trends in risk development will be identified early;
Standard operating procedure – does a standard operating procedure exist so that risk management is standardized within the enterprise;
Contingency plan – does the risk element link to an existing contingency plan, and should one be developed;
Oversight responsibility – what individual or group is responsible for oversight and review of this aspect of risk.

An example would be the first component in alphabetical listing of risk elements – accounting methodology.

Element KC Benchmark Benchmark position Risk level MIS SOP CP RI
Accounting conventions Finance CAT score Good 1 Yes Yes Yes Auditors

A sample full risk management chart is available as part of the model business plan, a summary of which is available as a download, and is used as part of Ibis business plan development or Ibis business plan training.

Backstopping the business model

Many of the components of risk management are similar to those that are identified in the creation of the business model. Leaving the assessment of risk towards the end of the business plan ensures that the options reviewed are not restricted to the third element of De Bono – “because”.

This approach to risk management places it clearly in the third of the key business questions:

Where are we?
Where do we want to be (and when)?
How are we going to get there cost effectively?

Managing risk is a clearly a cost issue within a specific set of strategic and operational goals. In common with the development of a detailed business model, the initial work will be somewhat lengthy and tedious. Once completed both the business model and the risk assessment can be rapidly updated as part of the business plan review within the overall planning cycle.

The components of risk management

To clarify the subjective evaluation of risk management in this on-line quiz, all topics are arranged alphabetically.

Accounting methodology.  The more conservative the accounting system used, the lower the risk.

Risk indicator: The less and less conservative the accounting methodology, the higher the level of risk.

Risk indicator: High and rising CAT score

Administration expense ratio (AER). The administration expense ratio evaluates the percentage of revenue spent on the administration function.

Risk indicator: The administration ratio should fall as the enterprise grows; it should be below the respective benchmark. Variations in either or both of these will increase risk.

Advertising effectiveness. Poor advertising will reduce the generation of new and repeat sales. Evaluating advertising will require the creation of advertising objectives and the measurement of performance against these objectives.

Risk indicator: Poor advertising performance.

Advisor rotation. Long term relationships with advisors have disadvantages. They tend to have a single approach to problem solving, suffer from the effects of capture theory, and will often have conflicts of interest. Medium term fixed contracts without possibility of renewal remove this potential problem.

Risk indicator: Long term advisor relationships suggest a rising risk profile.

Alignment with market drivers. Best practice suggests that the creation of objectives should be consistent with the external and internal forces acting on the enterprise or organisation, dealing with the world as it is, and not as some would wish it to be.

Risk indicator: The further the enterprise is away from what the market is telling it, the greater the level of inherent risk.

Appraisal. An effective appraisal system will do much to improve productivity and reduce labour turnover, both substantial risk components in the enterprise.

Risk indicator: A poorly managed appraisal system will significantly reduce productivity, intrapreneurialism, and increase labour turnover and cost.

Arbitration. A major risk component in many operations will be the potential consequences of litigation, both for management time and overall costs. Using alternative dispute resolution methods will substantially reduce costs and improve operating efficiencies.

Risk indicator: High levels and/ or rising levels of litigation.

Assumptions. Formally identifying and agreeing on the key assumptions that underlie the future progress of the enterprise will do much to clarify major risk elements in the external and internal environments.

Risk indicator: Assumptions that are not rigorously tested and reviewed are often a major cause of enterprise failure.

Audit. The financial audit is part of the enterprise legal obligations, but when properly planned both the external and internal audits can provide further risk management information concerning reductions in the potential for fraud and in operating efficiencies of the financial management system.

Risk indicator: A poorly designed audit will both increase costs and fail to add to enterprise operating efficiencies.

Authority/responsibility. Misalignments of authority and responsibility are a potential source of major risk within the organisation.

Risk indicator: Authority and responsibility not clearly defined within the organisation.

Average sale. The value of the average sale provides a measure of customer satisfaction, product or service range acceptability, sales productivity and costs in servicing the customer base.

Risk indicator: Low and falling average sales compared to benchmark.

Awareness. The enterprise cannot achieve forward momentum in the absence of awareness as the prospective purchaser will not include the product or service offering in the potential purchase portfolio.

Risk indicator: Low and or falling levels of awareness.

Bad debts. High levels of bad debts or rising levels indicate serious levels of risk to cash flow and profitability.

Risk indicator: High/changing BDR.

Barriers to entry. Effective barriers to entry significantly reduce risk – with best practice requiring that enterprises build, maintain and ideally expand such barriers.

Risk indicator: Poor or weakening barriers to entry

Benchmarking. Identifying where the enterprise or organisation is effective or ineffective against its peer group will focus planning on exploiting strengths and attempting to eliminate weaknesses.

Risk indicator: Benchmarks not used; inappropriate benchmarks used.

Bonus systems. The creation of bonus systems that are both broadly based, reflect the relationship between achievement of all components of the balanced scorecard rather than a single component, and have a large deferred compensation element in shares rather than cash for senior employees will be an important component in the management of risk.

Risk indicator: Mismanaged bonus systems will substantially increase costs; fail to produce real productivity or profitability gains, and lead to declining morale.

Break even value (BEV). The lower the cost base, the quicker the enterprise will generate positive cash flows. As the break-even point rises, risk increases.

Risk indicator: A high and/or rising BEV

BS index. Stakeholder belief in management statements is important for organisational cohesion and the implementation of strategy.

Risk indicator: A high and/or rising BS index in all key stakeholders.

Budgeting. Budgeting creates two types of risk. When the budget is too tight profitable risk taking is reduced as the emphasis remains focused on meeting budgetary demands. Where there is no budgetary control, costs will escalate often out of control, draining cash from the enterprise. Best practice suggests that a middle ground between these two extremes needs to be created with clear cost management targets but the possibility of additional expenditure from enterprise free cash flow when expenditure meets investment appraisal hurdle rates.

Risk indicator: A budgeting system that fails to deliver effective control and/or effective intrapreneurialism.

Business model. The simpler the business model, the easier it will be for stakeholders to evaluate and support implementation. The greater the complexity, the greater the potential for confusion. The closer the business model is to meeting the market critical success factors, the lower the risk.

Risk indicator: Confused business models and those that fail to manage the market critical success factors.

Business monitoring. A monitoring system that incorporates regular and formal (monthly, quarterly) team responsibility (ideally within knowledge centers) based around key performance indicators, benchmarks, targets, projects, and budgets will significantly improve the responsiveness of the organisation and integrate with a bottom up planning system.

Risk indicator: Poorly designed, irregular and centralised business monitoring.

Capex. The capital expenditure ratio will measure the investment that the enterprise is making in plant and productive equipment. The failure to regularly update plant ( a low capex ratio) will lead to decreased productivity, often higher costs, poorer quality of goods and services, and lower customer satisfaction. Conversely excessive expenditure on plant can drain cash and management time.

Risk indicator: A capex ratio which varies considerably from benchmark.

Cascade investment. A cascade investment system with highest rates of investment return receiving funds will provide a means of focusing the enterprise on those components which yield the best return, subject to the over-riding requirements of the balanced scorecard.

Risk indicator: Subjective investment decisions.

Cannibalisation. Analysing the impact of new products or services to ensure that any cannibalisation that occurs will generate a net return to the enterprise will reduce potential risk.

Risk indicator: Lack of analysis in new product/ service introduction of potential effects of cannibalisation.

Capacity utilisation. There are risks at both ends of the range of capacity utilisation. Too high and the enterprise faces risks of failure to meet demand and dangers of plant failure due to high levels of activity; too low and profitability and cash flow will be under pressure.

Risk indicator: Poor and/or declining capacity utilization ratio.

Capital allocation. Poor capital allocation will reduce enterprise returns.

Risk indicator: Poor capital allocation ratio.

Capture theory. Too close a relationship between regulators and/or advisors will create an environment where higher levels of risk taking will become acceptable. Independent regulators and/or advisors will limit this tendency.

Risk indicator: Long standing relationships with the same individuals occupying senior regulatory positions and/or advisory positions.

Cash flow. Negative cash flow destroys businesses over the long term.

Risk indicator: Rapidly declining/ poor cash flow, poor CFROI.

Centralisation/decentralisation. High levels of centralisation and decentralisation both create risk. The correct choices of authority/ responsibility within the organisation, coupled with appropriate standard operating procedures and monitoring systems will be necessary to reduce the overall level of risk.

Risk indicator: Poor management of authority/ responsibility within the organisation.

Certification. Product or service certification and/or operating procedure certification stabilises product or service offerings and will reduce the potential for catastrophic failure.

Risk indicator: Systematic lack of product/service certification and or operating procedure certification.

Clustering. Locating the enterprise near other organisations involved in the same activity has many advantages in reducing operational risk.

Risk indicator: Poor location of operations reducing access to cluster benefits

Code of conduct. The creation and continued objective implementation of a comprehensive code of conduct will reduce the risk of major employee malpractice leading to failure.

Risk indicator: Poorly designed code of conduct and/or systemic failures in implementation.

Communicability. One of the six dimensions of product/service success. The more complex the benefits described, the less likely purchase will be. Understanding the key benefits required by the customer and identifying how these can be easily communicated will substantially increase the acceptability of the product/service.

Risk indicator: Poor and or falling product/service communicability.

Communication. Leadership which effectively communicates to all stakeholders their long term vision and short term decisions will reduce conflict, improve motivation and reduce risk. The effectiveness of the communication needs to be checked through KFR.

Risk indicator: Lack of understanding of key objectives, poor KFR.

Compatibility. One of the six dimensions of product/service success. All customers have “sunk” capital in existing methodologies. A failure to ensure that the product or service is not compatible with existing systems will reduce its acceptability.

Risk indicator: Low and or falling compatibility to competitive products or services.

Competitive advantage. A regular review of competitive strengths and weaknesses as part of the business plan development will reduce risk through failure to identify key trends, weaknesses and opportunities.

Risk indicator: Limited competitive analysis, poor POD score.

Complaints policy. Research shows that a well designed and managed complaints system enhances customer loyalty and reduces risk.

Risk indicator: Poorly designed complaints policy and/or one that is poorly implemented.

Complexity. One of the six dimensions of product/service success. The more complex the product or service, the greater the difficulty that the customer will have in using it effectively, substantially lowering the potential for repeat purchase. An emphasis on design to improve operational efficiency, flexibility, servicing and upgrades will reduce the impact of complexity.

Risk indicator: High and/or rising complexity.

Contingency plan. A well organised contingency plan will allocate responsibility, identify major failure points, attempt to design them out wherever possible, create an information system that can identify problems early and properly fund the necessary actions.

Risk indicator: No contingency plan or one poorly designed

Core competence. Building and maintaining core competence through appropriate recruitment appraisal, recruitment, appraisal, training, disciplinary/ grievance procedures and personal development planning will reduce risk through enhanced employee skills and competitive advantage.

Risk indicator: Lack of clear understanding of the components of enterprise core competence.

Core/non core employee ratio. The relationship between employees directly contributing to profitability and revenue generation and those that exist in staff roles has a direct bearing on the level of risk. Increases in staff roles will mean a steady increase in cost and risk.

Risk indicator: High levels of non-core employees.

Corporate governance. Research shows that the creation of a comprehensive corporate governance system which provides for checks and balances within the organisation means better performance and management of risk.

Risk indicator: Corporate governance concepts not utilised or poorly implemented.

Cost of capital. As the cost of capital rises, the enterprise will find it more and more expensive to finance operations.

Risk indicator: Cost of capital significantly above benchmark, and/or rising.

Covenants. Restrictive covenants pose major risks for the enterprise. They are most common in planning and loan agreements, though they obviously also exist elsewhere such as in brand or technology licencing, where they serve to contain operations within clearly defined parameters.

Risk indicator: Restrictive covenants that pose major operational problems.

Creativity. Enterprises that have single problem solving approaches are likely to face higher risks than those that have a formal system for identifying and analysing problems and opportunities.

Risk indicator: Poor creativity within the enterprise.

Credit management. Well management credit systems to ensure cash flow is maximised and credit risk minimised.

Risk indicator: No systematic planning on credit management, and/or failure to properly implement credit management systems.

Critical success factors. Within each sector there will be a set of critical success factors. Understanding and meeting these critical success factors will reduce the potential for failure and enhance enterprise performance.

Risk indicator: Limited match of enterprise output with critical success factors.

Customer investment review. A customer investment review as part of the planning process will focus attention on the specific needs of major customers, improving retention rates and levels of profitability.

Risk indicator: Customer investment review not included in business plan development.

Customer life value (CLV). The customer life value measures the rate of customer rotation or “churn”. High rates of churn lower the customer life value and significantly reduce the overall rate of return to the enterprise as greater and greater investments have to be made in recruitment of new customers. Increasing the CLV will substantially reduce enterprise risk.

Risk indicator: Poor and/or declining customer life value.

Customer satisfaction. Customer satisfaction surveys (including mystery shopper techniques where relevant) reduce the rate of customer loss, improve profitability and are key source of new product/ service development ideas.

Risk indicator: An unwillingness to carry out systematic and regular customer satisfaction surveys.

Customer spread risk. There are two extremes of customer risk – too few customers or too many. Managing the customer spread ratio will reduce risk and make it understandable.

Risk indicator: Customer spread at extremes.

Data management. Enterprises or organisations that fail to ensure effective data management procedures may face very high levels of risk.

Risk indicator: Easily accessible data, poor data storage.

Debt or gearing (DER) levels. Debt is often a major source of risk as debt has to be continually financed regardless of cash generation within the enterprise. High levels of debt when compared with the industry average will require very careful management to ensure that risk levels are not substantially raised.

Risk indicator: High debt levels and/or rising debt levels.

Debt age. High levels of debt that must be refinanced at the same time may cause increased risk, especially when credit markets are difficult. A phased debt profile achieves reduction in this potential problem.

Risk indicator: All debt of same age and/or all debt short term.

Debt source. A single supplier of debt will potentially raise risk as internal problems with the supplier may demand partial or complete early repayment.

Debt source: All debt from single supplier.

Decision making. The best objectives will be ruined by incoherent decision making. Best practice in decision making is complex, but the basic test will be whether the decision is reasonable in relation to the facts on which the decision was taken.

Risk indicator: A history of poor decision making.

Deferred compensation. Bonus systems that generate short term cash for senior management are generally guaranteed to increase appetite for risk. Deferring the compensation payment until later years during which the success or otherwise of the bonus generating activity will significantly reduce risk.

Risk indicator: High levels of short term bonus payments.

Design (DFCA, DFA, DFS, DFC, DFD). The failure to properly design for all eventualities will significantly increase levels of risk. The main components will be designing for fail safe (DFSS), competitive advantage, (DFCA) designing for assembly (DFA), designing for ease of service (DFS), designing for ease of upgrade (DFU), design for contingency (DFC) and design for disassembly (DFD).

Risk indicator: Lack of a systematic approach to design in products or services to ensure maximum productivity.

Design for operational efficiency. Regular reviews of plant and office layout will reduce costs, improve performance, and impact favourably on health and safety problems.

Risk indicator: Poor layout, poor integration.

Directed vs emergent strategy balance. Certain strategies are long term and demand centralised investment such as most international development, and most product development. Others such as consolidation and market penetration can benefit greatly from exploiting short term advantages in the market. Ensuring that the enterprise has the flexibility to exploit these short term advantages reduces risk.

Risk indicator: Too much emphasis on either type of strategy.

Disciplinary code and grievance procedure. An effective disciplinary code and grievance procedure improves decision making, morale, and information flow. Such a disciplinary code should pay particular attention to an independent appeals system and the treatment of whistleblowers.

Risk indicator: Lack of a comprehensive disciplinary code and grievance procedure.

Distant data capture. Many enterprises have operations or equipment that is not regularly supervised. Systems that provide distant data capture reduce the potential for this type of failure.

Risk indicator: The lack of distant data capture.

Diversity index. The more diverse the pool of expertise and opinion, the better in general the level of decision making. Analysing the employee base through the use of a diversity index will help in improving overall variety within the enterprise.

Risk indicator: Low and/or declining diversity within the enterprise/ organisation.

Dividend policy. A well managed dividend policy will ensure a focus on cash generation and improve shareholder relationships, and reduce the risk future funding requirements.

Risk indicator: An inconsistent dividend policy.

Divisibility. One of the six dimensions of product/service success. One of the crucial aspects of product/service sales development is the achievement of trial. The ability of the product or service to be judged on a stand-alone component of the range will reduce purchase risk of the entire product or service offering.

Risk indicator: Poor and/or decreasing ability of the product/service to provide trial opportunities.

Division of executive powers. Separating the chief executive officer powers from those of the president or chairman will reduce the potential impact of leadership psychosis.

Risk indicator: Concentration of power in a single individual.

Due diligence. Any failure to complete appropriate due diligence will substantially increase the level of risk. This will be most extreme in mergers and acquisitions where three types of due diligence (financial, legal, commercial) are usually employed, but should be extended to recruitment, new customers, and new suppliers.

Risk indicator: A continuing failure to apply due diligence in key decisions.

Economies of scale. Enterprises can either benefit from economies of scale (variable production vs fixed costs, experience curve effects) or suffer from diseconomies as large units create further problems.

Risk indicator: Production/ service delivery units disproportionate to market best practice.

E-enablement. The linking of more and more customers and suppliers into an information technology framework should improve service quality and reduce cost, thereby reducing overall enterprise risk. This will include web design components and web based delivery.

Risk indicator: Low levels of customer and supplier integration through information systems.

Employee satisfaction surveys. The ability of the entire enterprise to work together is crucial to the management of risk. The knowledge of whether this is working or not can be best obtained through a regular employee satisfaction review.

Risk indicator: A lack of information on employee attitudes and a lack of concern about these attitudes within management.

Employee suggestion scheme. Employee suggestion schemes reduce risk through identifying key opportunities and risks, while providing profitable cost cutting ideas, and improving motivation.

Risk indicator: Limited scope of employee suggestion schemes

Environmental audit. The environmental audit will reduce potential risks through environmental impact and legislative consequences.

Risk indicator: Poorly conducted environmental audit

Entrants. Preventing entrants or reducing their impact as much as possible will be important in the reduction of risk. Those markets where there is substantial potential for new market entrants will pose a substantially raised level of risk with lower barriers to entry.

Risk indicator: High levels of entrants or potential high level of entrants.

Equity bonus rate. High levels of equity as an element of bonus payments plus a deferred bonus system ensures that employees share risk with other stakeholders.

Risk indicator: High levels of cash in bonus systems.

Exit interviews. Identifying specific individual or group failures will be important in managing risk. This focused view is best achieved through exit interviews with key staff.

Risk indicator: Non-existent or poorly conducted exit interviews.