Risk management strategy
|Risk management strategy|
Risk management strategy is a way in which the company or project team decides to treat the risks. In some publications the RM strategy is understood as risk management process (e.g. PRINCE2) or even whole risk management system. The main strategies are:
- Risk avoidance,
- Risk mitigation (reduction, control),
- Risk transfer,
- Loss reduction,
- Spreading the risk,
- Risk acceptance.
Selecting appropriate risk management strategy
The organization should create a model for risk related decisions. This model should describe which strategies are recommended in different situations. Example (very simplistic) model can include:
- High risk: avoidance, transfer, acceptance.
- Medium risk: avoidance, mitigation, loss reduction, transfer, redundancy, spreading.
- Low risk: loss reduction, acceptance.
The model can include different types of risks and determine level of consequences and likelihood.
Description of the strategies
Avoidance allows to eliminate the risk, however it requires stopping the activity that can cause problems. E.g. to eliminate the risk of buying low quality office equipment we don't buy this equipment at all. This shows the main drawback of this strategy: using it can stop any progress in the company or project.
If we want to continue the project, we have to replace the activity with another one. This will lead to identification of another, maybe even higher risks. Therefore, risk avoidance is limited to only those activities that are not critical or can be replaced. It can be the best strategy if the risks as far beyond control and cannot be managed by the company.
As there are two factors which impact the severity of the risk: consequences and likelihood, there are also two strategies of risk mitigation, which can be mixed: Reduction of likelihood is a set of activities that lead to decreasing probability of risk occurrence. E.g. and incentive to supplier can reduce probability of late or low quality supply. It is important to ensure supplier that he will get the incentive only if certain conditions will be met.
Reduction of consequences is related to solutions that enable some redundancy, increase the security, or lead to other actions that will reduce the exposure to risk. E.g. the risk of burn can be reduced by another layer of fire proof material.
Both strategies can be mixed to obtain the best result.
Some of risks can be transferred to other organizations or persons. There are three main causes of this strategy:
- Law requirements, e.g. employer's liability, occupier's liability,
- Written agreement between two or more parties (contractual transfer),
- Insurance policy.
The insurance increases the real costs, however it can reduce highly uncertain risks. The insurance agreement should be analysed to check whether all possible occurrences of the risk are covered. Reduction of insurer liability in some cases can make the insurance cheaper, but also useless.
If there is not possible to prevent risk, the plan for risk response should be prepared. The plan should lead to reduction of losses. The most common example is a fire drill, which leads to reduction of fatalities in case of fire.
Spreading the risk
Some try to gather all the risk-related resources and keep them in one place. This can be effective e.g. in case of weapon kept in shelter. However, in case of other resources this strategy can lead to total disaster. Keeping all chemicals in one place can lead to uncontrolled reaction. Combustive materials should be kept away from electrical wires and equipment. The data backups should be kept in other place than original data.
Information systems should have some redundancy and be decentralised to prevent losing data in case of single problem. Duplication can be effective also in case of fire extinguishers. If the safety rules require us to keep only one fire extinguisher what will happen if it will break or the fire will appear too close to it? In hospitals two or more energy sources should be available in case of technical problems.
Risk acceptance is equal to full exposure to the risk. Therefore, it should be limited to low importance risks only. There are however highly probable and severe risk factors which are uninsurable. They can be accepted only if the company is willing and able to pay for them.
The accepted risk is called residual risk.
- Mu, J., Peng, G., & MacLachlan, D. L. (2009). Effect of risk management strategy on NPD performance. Technovation, 29(3), 170-180.
- De Meyer, A., Loch, C. H., & Pich, M. T. (2002). Managing project uncertainty: from variation to chaos. MIT Sloan Management Review, 43(2), 60.
- Froot, K. A., Scharfstein, D. S., & Stein, J. C. (1993). Risk management: Coordinating corporate investment and financing policies. the Journal of Finance, 48(5), 1629-1658.
Author: Slawomir Wawak