Almost every industry is in the grip of a seismic shift today, driven largely by technology and immediate challenges such as the COVID pandemic, resulting in the contemporary business environment being affected by the rise of new business models and new market players, with a consequently greater need for agility, flexibility and changing skillsets. Effective risk management is critical to help organizations navigate successfully. This requires improvements in frameworks and processes, using tools more effectively, better trained people with deeper expertise, and better use of data. But, perhaps more than anything, it requires great risk taking managers to make it all happen.
It is not uncommon to be told that one should take more calculated risks if they want to be successful. In fact, some billionaires have built their personal brands on a foundation of risk. One example is Richard Branson (of Virgin Atlantic), who often speaks of the risks he took when he was young and encourages entrepreneurs to do the same.
Taking risks, in fact, can be a useful way to separate yourself from the pack. If the fear of failure is holding back your peers, your willingness to take a risk could give you an open, uncontested opportunity. In addition, risky decisions offer valuable lessons, regardless of whether you succeed or fail.
Definition: Risk taking is the ability to identify, assess and strive to achieve business objectives in the face of substantial odds.
But does risk-taking, in general, lead to success? The answer depends on the following factors:
The importance of "calculated" risk-taking
First, it is important to note that open risk-taking is generally not productive. Instead, successful managers tend to take risks in ways that limit their potential losses. As Leonard C. Green pointed out in Entrepreneur, "Entrepreneurs are not risk-takers. They are calculated risk takers. The difference between risk-takers and calculated risk-takers is the difference between failure and success."
Smart managers find ways to mitigate risks, whether that means purchasing insurance, protecting their websites from hackers or conducting a risk assessment of their businesses.
The importance of "survivorship bias"
Still, what are we to make of all the successful managers who credit at least a portion of their success to taking risks? The evidence they cite often isn’t good enough to illustrate the effects of risk taking, because we are left susceptible to survivorship bias.
Survivorship bias is best illustrated by the historical example of Abraham Wald and the question of whether to coat military planes in armour in World War II. The Allies were seeing too many planes getting shot down and wanted to coat them in armour to protect them, but could not feasibly coat the entire plane.
Some observers suggested studying the planes that returned home and looking at their bullet patterns, then providing armour in the areas of the plane that had been most heavily shot – since these were the areas where a plane was most likely to get hit.
Wald offered a dissenting opinion. He suggested coating the areas of planes that corresponded with untouched areas on returning planes. There was no available sample for planes that had been shot down, and returning planes proved which areas of a plane could be shot without necessarily destroying the plane.
The difference between "risk" vs "uncertainty"
We also need to consider the difference between what we conceive of as constituting a “risk,” versus what we describe as “uncertainty.” Both concepts describe a situation with an unknown outcome, but in the words of economist Frank Knight, “The essential fact is that 'risk' means, in some cases, it is a quantity susceptible of measurement, while at other times it is something distinctly not of this character.” Continued Knight, "There are far-reaching and crucial differences in the bearings of the phenomena depending on which of the two is really present and operating.”
You can think of risk as a distribution of known probabilities. If you shuffle a standard deck of playing cards, you know your chances of drawing the king of hearts will be 1 in 52. The chances of drawing any heart card will be 1 in 4. You can calculate the other probabilities from there, and place bets in a way that aligns with the risk you’re taking.
Where uncertainty comes in is when you’re dealing with unknown probability distributions. Think about watching someone assemble cards randomly, from different decks, until that person has a new deck of 52 cards. There could be 52 kings of hearts in there! Or 51 standard playing cards with an extra 10 of clubs! Or anything in between, for that matter.
By this definition, successful managers tend to be those who seek uncertainty, rather than risk. They aren’t building businesses that have a 25 percent chance of success; they’re building businesses where the chance of success is more ambiguous.
The bottom line here is that risk-taking does have some correlation with success, but there are too many complicating factors to say that risk-taking increases your chances of success. Survivorship bias, meanwhile, distorts our perspective on the role that risk plays in success. Furthermore, we use inconsistent terminology to describe the differences between uncertainty and risk. So, ultimately, even the best and boldest entrepreneurs need to find ways to mitigate the damage from the risks they take. Knowing these factors, you may find it possible to turn the risks you take into advantages, instead of liabilities.
Risk Management Process
Implementing a risk management process is vital for any organization. Good risk management doesn’t have to be resource intensive or difficult for organizations to undertake or for insurance brokers to provide to their clients. With a little formalization, structure, and a strong understanding of the organization, the risk management process can be rewarding.
Risk management does require some investment of time and money, but it does not need to be substantial to be effective. In fact, it will be more likely to be employed and maintained if it is implemented gradually over time.
The key is to have a basic understanding of the process and to move towards its implementation.
The 5 Step of a Risk Management Process
Identify potential risks
What can possibly go wrong? The four main categories of risk are: hazard risks, such as fires or injuries; operational risks, including turnover and supplier failure; financial risks, such as economic recession; and strategic risks, which include new competitors and brand reputation. Being able to identify what type of risk you have is vital to the risk management process. An organization can identify their risks through experience and internal history, consulting with industry professionals, and external research. It is important to remember that the risk environment is always changing, so this step should be revisited regularly.
Measure frequency and severity
What is the likelihood of a risk occurring and, if it did, what would be the impact? Many organizations use a heat map to measure their risks on this scale. A risk map is a visual tool that deals with risks that are frequent and severe (and thus require the most resources). This will help you identify which are very unlikely or would have a low impact, and which are very likely and would have a significant impact. Knowing the frequency and severity of your risks will show you where to spend your time and money, and allow your team to prioritize their resources.
Examine alternative solutions
What are the potential ways to treat the risk and, of these, which strikes the best balance between being affordable and effective? Organizations usually have the options to accept, avoid, control, or transfer a risk. Accepting the risk means deciding that some risks are inherent in doing business and that the benefits of an activity outweigh the potential risks. To avoid a risk, the organization simply has to not participate in that activity. Risk control involves prevention (reducing the likelihood that the risk will occur) or mitigation, which is reducing the impact it will have if it does occur. Risk transfer involves giving responsibility for any negative outcomes to another party, as is the case when an organization purchases insurance.
Decide which solution to use and implement it
Once all reasonable potential solutions are listed, pick the one that is most likely to achieve the desired outcomes. Find the needed resources, such as personnel and funding, and get the necessary buy-in. Senior management will likely have to approve the plan, and team members will have to be informed and trained if necessary. Set up a formal process to implement the solution logically and consistently across the organization, and encourage employees every step of the way.
Monitor results
Risk management is a process, not a project that can be “finished” and then forgotten about. The organization, its environment, and its risks are constantly changing, so the process should be consistently revisited. Determine whether the initiatives are effective and whether changes or updates are required. Sometimes, the team may have to start over with a new process if the implemented strategy is not effective.
If an organization gradually formalizes its risk management process and develops a risk culture, it will become more resilient and adaptable in the face of change. This will also mean making more informed decisions, based on a complete picture of the organization’s operating environment and creating a stronger bottom line over the long-term.
Level of Competency
Risk taking competency is defined at 3 levels of proficiency based on the organisation’s need assessment. The three levels are defined as: 1. Beginner, 2. Intermediate, and 3. Expert. The beginner level indicates an entry level mastery of the competency, with more experience needed to fully develop the required competency. The intermediate level indicates an employee who shows more mastery of the competency, and has progressed from an entry level understanding of the competency. The expert level includes employees who have significantly mastered the competency and anticipate the need to use the competency.
Level 1 Personally takes risks and supports risk taking by others
Publicly supports responsible risk taking by others.
Anticipates, identifies and effectively deals with problems or risks.
Plans for contingencies.
Takes calculated risks with minor, but nontrivial, consequences of error (e.g., risks involving potential loss of some time or money which can be rectified).
Makes decisions based on cost-benefit analysis (ROI).
Makes decisions in the absence of complete information.
Level 2 Personally takes significant risks and leads high-risk initiatives
Personally takes calculated risks with significant consequences (e.g., significant loss of time or money which can be rectified).
Conducts ongoing risk analysis, looking ahead for contingent liabilities and opportunities and astutely identifying the risks involved.
Implements initiatives with high potential for payoff to the organization, where errors cannot be rectified, or only rectified at significant cost.
Conducts risk assessment when identifying or recommending strategic and tactical options.
Encourages responsible risk taking, recognizing that every risk will not pay off.
Level 3 Provides organizational guidance on risk
Provides an environment that supports responsible risk taking (e.g., by supporting decisions of others).
Oversees the development of guidelines, principles and approaches to assist decision-making when risk is a factor.
Provides guidance on the organizational tolerance for risk.
Develops broad strategies that reflect in-depth understanding and assessment of operational, organizational, and political realities and risks.
At a time when the business ecosystems are dynamically changing and organizations are looking upon their managers to achieve the short and long-term organizational goals, risk taking as a competency becomes vital. Hence it is incumbent for organizations to build this capability in order to handle the current challenges as well as be future ready.