Business risk comes from having imperfect information. The potential consequences of risk are mainly financial loss due to investments in products, growth, acquisitions, or stocks that fail. However, the existence of risk is also what creates profit, and higher risk and higher potential rewards go hand in hand. Risk equals the probability of failure times the consequences of failure, which allows us to take a quantitative approach to measuring risk. Perform a risk assessment before making those investments so that you understand the potential downsides and can put mitigation strategies to work.
Create a Risk Analysis matrix. This is a spreadsheet that includes rows for the areas of risk, including Products, Markets, Finance, and Execution or Operations, and columns for each component of the analysis, including Activities or Aspects of those activities, Threat, Unmitigated Risk Level, Probability of Threat Occurrence, Mitigation Strategy, and Mitigated Risk Level.
List the specific activities in each of the risk areas that you will analyze. For instance, in the Product risk area, the activity might be New Product Development, and the Operations risk might be contracting a new supplier for one of your critical components. You might have multiple activities for each risk area.
For each activity, determine the threat, the probability that it will occur, and the outcome if it is unmitigated. For example, if your activity is deploying a new piece of software company-wide, one threat might be that it fails while you’re in the midst of switching from the old software. The likelihood of this failure according to the manufacturer is 5 percent, and the consequence, assuming that you have no mitigation strategies in place, is 2 hours of lost work for everyone in the company while you put the old software back online. Calculate that 2 hours in terms of its total financial impact on the company, and multiply it by the 5 percent probability. List that number as the Unmitigated Risk Level. (If there is no quantifiable dollar figure, use a 1 to 5 scale, with 1 being incidental and 5 being disastrous.)
Describe the Mitigation Strategy for each activity and calculate its impact on the risk level. In the above example, you might have your IT department create an automated backup system that can restore the old software within 5 minutes rather than 2 hours. Or, you might purchase an additional support package that decreases the probability of catastrophic failure to 0.1 percent. Calculate the cost to the organization of that 5 minutes plus the cost of creating the automated backup, or the support package plus the new value of 2 hours times 0.01 percent. This is your Mitigated Risk Level.
Once you have calculated the Mitigated Risk Levels for each of your activities, add the risk levels for each activity within a risk area to arrive at the risk for that area of the business. You should then be able to see whether your risk is highest in Product, Finances, Operations, and so on. This should allow you to determine which area of your business needs the most attention to alleviate and/or lessen risk.
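The steps above, worked through as an added example that is not part of the original article: a small risk matrix for the software rollout scenario with both mitigation options, rolled up by risk area. The headcount, hourly cost, mitigation costs, the Products row, and filing the rollout under Operations are constructed assumptions; the example treats the Mitigated Risk Level as residual expected loss plus the cost of the mitigation and uses the 0.1 percent figure for the support package.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inputs: headcount and hourly cost are assumptions, not from the article.
STAFF, HOURLY_COST = 200, 50.0
def outage_cost(hours):
    return STAFF * HOURLY_COST * hours  # everyone in the company loses `hours` of work

@dataclass
class Row:
    area: str                # Products, Markets, Finance, Operations
    activity: str
    threat: str
    probability: float       # probability of threat occurrence (0..1)
    impact: float            # dollar consequence with no mitigation
    mitigation: str
    new_probability: float   # probability once the mitigation is in place
    new_impact: float        # consequence once the mitigation is in place
    mitigation_cost: float   # what the mitigation itself costs

    @property
    def unmitigated(self):
        return self.probability * self.impact

    @property
    def mitigated(self):
        # Assumption: residual expected loss plus the cost of the mitigation.
        return self.new_probability * self.new_impact + self.mitigation_cost

def area_totals(rows):
    """Keep the lowest level per activity (a mitigation that costs more than
    it saves loses to accepting the risk), then sum by risk area, highest first."""
    best = {}
    for r in rows:
        key = (r.area, r.activity)
        level = min(r.mitigated, r.unmitigated)
        best[key] = min(level, best.get(key, level))
    totals = defaultdict(float)
    for (area, _), level in best.items():
        totals[area] += level
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))

ROWS = [  # constructed matrix; the mitigation costs are assumed figures
    Row("Operations", "Software rollout", "Fails mid-switch", 0.05, outage_cost(2),
        "Automated backup", 0.05, outage_cost(5 / 60), 300.0),
    Row("Operations", "Software rollout", "Fails mid-switch", 0.05, outage_cost(2),
        "Support package", 0.001, outage_cost(2), 1500.0),
    Row("Products", "New product development", "Launch slips a quarter", 0.20, 40000.0,
        "Staged release", 0.10, 40000.0, 1000.0),
]
```

With these assumed figures the support package scores worse than leaving the risk unmitigated, because its price exceeds the expected loss it removes; the backup option is the one that lowers the Operations total.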