Lots of business decisions are risky. Your products might go out of fashion, or a new product line might tank with your customers. Risk mitigation and contingency planning both help you prepare for trouble. Mitigation strategies are things you should be doing now, whereas your risk contingency plan only kicks in if disaster strikes.
Risk mitigation strategies are things you can do now to reduce your company's risk. A risk contingency plan is something you draw up now but don't deploy until the trouble comes to pass.
The first step in mitigating risk is understanding what you know and what you don't know.
- Known knowns are the risks you completely understand. For example, suppose your competition is launching a comparable version of your flagship project. You've done surveys, and there's a chance that 10 to 20 percent of your customers will switch. That's a known known.
- Known unknowns are risks you know but can't quantify. If your business is based on the Gulf Coast, you know there's a risk of a hurricane leveling your operation. Whether a hurricane will hit this year is unknown.
- Unknown knowns are types of information you don't know you have or don't know its significance. A law firm might have information that would enable the company to win a tough lawsuit. If the information is buried in the files, it's of no use to anyone.
- Unknown unknowns are a real problem: You don't know the degree of risk, and you don't realize you don't know. For example, you could open a plant overseas with no idea that the nation is about to erupt into civil war.
Risk mitigation and contingency planning can effectively deal with known knowns and known unknowns. Unknown knowns and unknown unknowns are tougher and are sometimes impossible for which to plan.
The first step to mitigating risk is to identify and evaluate it. The more risk you can class as known knowns, the better. It's also important to know whether there's anything you can do to mitigate or eliminate the danger.
- Internal risks include key personnel quitting, embezzlement and waste. These risks are the ones most under your control. Better fraud and loss prevention policies can reduce employee theft, for instance.
- External risks are outside your control. You can't prevent them. You can only reduce the potential damage.
- Strategic risks are the "no pain, no gain" type. When you launch new products or services, there's a risk you'll lose money, for instance, but it's a necessary gamble to grow your business.
Once you've identified potential risks, you can assess them. Ideally, you can quantify how likely they are to happen and how bad the impact will be. Then, you can develop strategies for the most probable and most damaging risks to either improve the odds or mitigate the damage if they come to pass.
- Risk avoidance. If the risk is high probability and potentially catastrophic, the best strategy is to avoid it. For example, if your property is at high risk for a California wildfire, relocating to somewhere safer might be the best way to not get burned.
- Risk transfer. If the probability is low, but the cost is potentially huge, you should consider transferring the risk elsewhere. Insurance, for example, transfers your financial risk to the insurance company.
- Risk acceptance. If the cost of mitigating the risk is too high, consider doing nothing. With some risks, this more cost effective than avoidance.
- Risk limitation. This is one of the most common strategies. Rather than work to avoid all risk, you try to lower the danger to the point where you can accept the remaining threat.
The difference between risk mitigation and contingency planning is that once you have a risk mitigation plan, you put it into action. A risk contingency plan sits in reserve until it's needed.
Risk contingency measures are the things your business will do if X happens. A risk mitigation plan might, for example, try to reduce the risk of your vendors hiking prices. A risk contingency plan spells out what to do if prices go up anyway. Risks for which you can prepare contingency plans include supply chain problems, fire, flood, data breaches and major network failure.
Begin contingency planning by identifying your worst vulnerabilities. These are the things that would paralyze your organization if anything happened to them, such as your raw materials supply, key personnel or your IT network. Then, pinpoint the key risks to these areas.
Drawing up contingency plans for everything that might go wrong is a herculean task. When you start out, it makes sense to focus on the omega-level threats first. One way to quantify the danger is with a risk contingency matrix.
On one axis, you list the probability of a contingency coming to pass. If, say, your raw material prices are locked in by contract for the next three years, the risk of a price hike this year is nil. On the other axis, you list the damage factor: minor, moderate, major or critical.
Once you've laid out the grid, you place each risk in a section of the matrix. Threats that are highly likely and would have critical impact are the ones that need contingency planning the most.
Once you identify your top contingencies, start planning for them. Risk mitigation tries to reduce the chance of disaster happening. The risk contingency plan gets you up and running if catastrophe does come to pass.
Suppose you're a government contractor, and you know there's a risk of a long government shutdown this year. To keep your business afloat, you may need both risk mitigation and contingency planning strategies:
- Put money into a risk-contingency reserve so that you can pay bills if the government stops paying you.
- Decide whether you'll keep paying employees during the shutdown. It's expensive to do so, but it reduces the risk of them jumping ship for a steady paycheck.
- List anything that has to be done during the shutdown to avoid catastrophe afterward.
It's possible that your business won't need risk contingency measures for every possible contingency. You may be able to group several contingencies together in an overall category, such as a drop in cash flow, a rise in prices or new competition entering the field. That will simplify your contingency planning.
The initial plan for a given contingency should make clear what you'll do, but it doesn't have to go into detail. Your risk contingency measures for a government shutdown might include keeping your key employees working full time. You don't have to sit down and identify the employees until you see the contingency is shifting into the "going to happen soon" category.
Once you've drafted a risk contingency plan, don't just file it away and forget about it until things go south. Let your employees and key stakeholders know that the plan exists. Share it with them and make it easy for them to access and study it.
Whenever anything major changes at your company, pull out the plan and review it. If you've moved to a new building, changed suppliers or changed key personnel, that may change some of your contingencies or render them null and void. Regular review will keep the plan relevant to the contingencies of your current situation.