Sunday, December 6, 2020

Risk Management 101

In business, 'risk' refers to the likelihood of an uncertain deviation (negative or positive) from an expected outcome. In other words, a risk is the uncertainty regarding achieving your objectives. Since risk management is a standardized process that is always applied to some specific context, like the individual stages within processes in Marketing, production, a project and so on, 'risks' are specifically defined, like a product's 'Marketing Warning defect', a 'Manufacturing defect', a project's completion delay and so on. As discussed in greater detail below, risk is assessed based on 2 characteristics: 1) its probability of occurring and 2) the level of impact; 3) it also has a direct impact on objectives.

Risk management has 6 major stages. Each is a distinct stage, except for 'monitor and review', which is continuous throughout the entire context (project, production stage, etc), and each answers the questions listed under it below. They are 1) context & objectives, 2) identification, 3) assessment, 4) response, 5) communication and 6) monitoring.

1. Context & Objectives

  • What is the context of this risk management process? The context often deals with corporate strategy, operations, a specific department or function. These examples may translate into your business strategy, production operations and Marketing functions. I decided that, for the sake of clarity, each context needs to be divided into sub-contexts called (functional) 'categories'. After all, functions and their subsets are often unique in some meaningful ways, like how they assess risk (discussed below). For instance, an internally prepared risk assessment may be reviewed by an insurance company and is clearer with the exclusion of irrelevant Marketing-related risk details. After all, brand awareness is unlikely to be of relevance to product liability insurance.
  • What key objectives must your business achieve?
    • Do not focus only on the obvious. For instance, if managing a project, in addition to top-level objectives like project time and spending, also consider smaller objectives like off-specification technology and so on.


2. Identify Risks

This involves identifying the types of risks (aka uncertainties). It is best to brainstorm to effectively complete a list. Other options include site inspections. Aim to list all possible risks. Get ideas from anyone involved in each task, preferably people with different perspectives. Consider this exercise broadly because risks can be internal and external. Internal risks may include issues with branding, human resources, daily operational procedures, technology, financial security and other factors over which you may have some level of control. External risks are often harder to predict and control. Examples include factors related to suppliers, public health (like the Covid-19 pandemic, which was a market disruptor for many industries), changes in the economy or political climate, natural disasters, weather and so on. In addition to these things that are immediately apparent, consider those things that are not. For instance, consider opportunities, internal or external, that can significantly help you meet your objectives (maybe because they will help you lower costs or raise revenue, like a supply glut of your raw materials, closure of competing businesses, lower entry barriers into a new market and, internally, your improving competencies and so on). Also, you ought to consider those things that may threaten your ability to exploit such opportunities. Common techniques used for streamlining this process include the fishbone diagram (aka cause & effect diagram or Ishikawa diagram), often based on the top-level categorization of causes into the very popular generic 6Ms (Man, Machine, Method, Mother Nature/Milieu, Material, Measurement) and possibly subordinate-level categorizations that are specific to the functional type of risk under analysis. Some fields may have their own primary categorization also. You can also research the common categories of risk types for your context.
For instance, the risk of "occupational diseases" mostly includes lung disease, lead poisoning, radiation illness, skin diseases, carpal tunnel syndrome and computer vision syndrome.

  • What are the key risks to meeting objectives? When entering these details into a 'risk registry' (aka 'risk log'), you may have a very short 'title' of a few keywords or a sentence at most, a 'description' and 'effect(s)'. The description and effects fields provide greater detail in non-technical language for the benefit of non-technical readers (like upper management). It is useful to provide links to these descriptive sections in emails and other correspondence to people who need to be reminded of the reason they may comply with your call to action (CTA).
  • What are the different types of risk? Also account for secondary risks, ie risks that arise from resolving primary ones. For instance, while insurance policies promise to transfer the risk to the insurance company, the risk does not disappear and, if for whatever reason the policy fails to provide coverage, your company will be liable. Also consider these types of scenario while brainstorming to establish your list or register of risks.
  • What are causes and effects on the objectives?


3. Assess the risk

Assessment allows you to rank risks. In turn, rather than wasting limited resources (time, money, etc) inappropriately, this process allows you to quickly know which risks should be dealt with as priority and their order of importance. The main tool used at this stage is the 'risk register'. 

This stage is the precursor to probability-impact matrices regarding appropriate responses. 

  • What is the likelihood of occurrence of each risk? While risks are related to the 'effect' end of situations, 'hazards' relate to the 'cause' end. Match hazards (like a lion) with corresponding risks (like injury or death of human beings). Then ask to what extent hazards are controlled (like separation by moats) or exposed (like the accidental filling of the moat) to the at-risk population. After all, if a hazard is controlled, the probability score that the risk will occur is largely minimized. Conversely, hazards that are poorly controlled and to which there is exposure raise the probability score of the risk occurring considerably.
  • What is the level of impact? Measure the impact on the basis of how great the deviation is from the objective. 
  • What is the overall risk aka risk 'rank'? Overall risk may simply be described as being high, medium or low or not acceptable, ALARP (as low as reasonably practicable) or acceptable. This determination occurs from qualitatively plotting the 2 components on a risk matrix. While matrices differ in style and complexity, the determination of overall risk always involves considering 1) likelihood of occurrence and 2) level of impact.
    • A simple matrix requires you to answer the first 2 questions above using answers with standardized meanings in order to plot the overall risk based on where the 2 variables meet. Have clear meanings for each answer like 'very likely', 'major', 'minor' and so on. As a general rule of thumb, green tiles represent low risk that can be accepted without any action taken. Red tiles represent high risks for which action must be taken. Yellow tiles represent moderate risks, which may mean that such a risk requires routine monitoring or that, if the risk is kept at that level, it is acceptable and considered similar to green tiles. The meanings should be tailored to your industry. Definition rules.
      • Impact, ranked (qualitative measure). Four perspectives are typically used that form the acronym PEAR. They stand for People, Environment, Assets and Reputation. For instance, within the context of product liability regarding consumer packaged goods (CPG), the following might apply. These scores generally do not change while probability scores do.
        • 1 - Low: Unpleasantness without significant recovery cost. 
        • 2 - Low: Unpleasantness without significant recovery cost. Example: temporary blurred vision after applying sunblock on the eyelids.
        • 3 - Low: Unpleasantness without significant recovery cost. Example: hairline damage from not rinsing soap thoroughly from face.
        • 4 - Medium: Non-cosmetic impact with marginal recovery cost. Example: Bruised shin after slipping on sunblock that spilled over floor tiles.
        • 5 - Medium: Cosmetic impact with marginal recovery cost. Example: Acne breakout after reapplying fresh sunblock over unclean face after 24 hours of wearing old sunblock application. 
        • 6 - Medium: Cosmetic impact creates secondary cosmetic impact with moderate recovery cost. Example: Acne breakout after sunblock was not cleaned off also in turn triggers additional impact like acne-related hyperpigmentation.
        • 7 - High: Medical impact with low to moderate recovery cost over short- to medium-term. 
        • 8 - High: Medical impact with moderate to high recovery cost over medium- to long-term. 
        • 9 - High: individual fatality
        • 10 - High: multiple fatalities. Brand failure.
      • Probability. If you have a lot of data from your CRM and other tools, consider using them to statistically determine the probability of the risk.
        • A scale of low, medium and high or ranging from 1-5, or for more complex, 1-10, is typically used in forms of the simple matrix method. The middle scores like 5 in a 1 to 5 range represent 'possible' or middle scores. The end scores represent the extremes. As mentioned above, while the severity of impact scores generally never change, these scores may.
        • 1: low probability (10 - 19% chance, based on historical frequency)
        • 2: low (20 - 29%)
        • 3: low (30 - 39%)
        • 4: medium (40 - 49%)
        • 5: medium (50 - 59%)
        • 6: medium (60 - 69%)
        • 7: high (70 - 79%)
        • 8: high (80 - 89%)
        • 9: high (90 - 99%)
        • 10: Always (100%)

Also account for the potential of a 'black swan' risk event. A black swan is a catastrophic risk of whose existence you are completely unaware beforehand. You are therefore unable to even predict its occurrence, let alone provide for it specifically in your risk management plan. 
Its occurrence blindsides you. The saying 'you don't know what you don't know' comes to mind. (The term comes from the fact that European scientists never conceived the idea that swans could be black because swans throughout the entirety of their part of the world were only ever white. Their scientific literature therefore characterized swans as having white feathers. However, it was only when European explorers ventured through Australia in 1967 that they observed the impossible: black swans.) In the worst-case scenario, a black swan easily translates into a crisis. A 'crisis' involves intense challenge and danger, as to life for instance.
An event may be called a 'black swan' if it meets the following criteria. 
  1. It is an outlier, ie it is highly extraordinary in nature.
  2. Its impact is extreme (good or bad)
  3. It can be explained only after having occurred. In other words, a black swan could not have been reasonably anticipated beforehand. The logic of its existence and how it was possible can be explained only after its occurrence. 

Black swan examples include the following.

  • The 2007 housing crash. After the fact, there are always a small number of ostensibly 'crazy' people who knew. However, the key point to note is that the vast majority, including major institutions of influence, continued with a feeling of certainty that everything would continue like business as usual. They never imagined that the ostensibly solid housing market could actually crumble.

Gray swans are less severe because they do not leave you as blindsided. They are the events that we know we do not know about. We can therefore predict that something might happen but we cannot predict the likelihood or impact. White swans are catastrophic high-impact risks; they are those events for which we have sufficient data for calculating probability and impact. The Covid-19 pandemic was a white swan because its possibility, and even its small probability and high impact, were predicted. In summary, while all swans are high impact events, they differ based on your level of knowledge about them that can help you to prepare adequately. I will also add that a single event can be ranked differently by organizations with different levels of competency in gaining and analyzing knowledge. For instance, Covid-19, 911 and so on could be listed as black swans for some businesses but white swans for others. Billion-dollar trading companies that rely heavily on speculation of fundamentals had fancy bots that predicted 'something huge' just before 911. For them, 911 was a white swan opportunity that made many traders incredibly wealthy. Conversely, the average mom & pop florist shop was likely to have had no clue and got completely blindsided by the event, making it a black swan disaster to them.

There is a thin line between the concepts of a (black) swan and a 'gray rhino'. When in progress, swans can present gray rhinos. While the existence of a swan may have been partly or completely unknown, a 'gray rhino' is a highly probable, high impact but neglected threat. For instance, regardless of what type of swan you considered the Covid-19 pandemic, once its existence became obvious, it was then necessary to figure out the 'gray rhino' risks and take action in the face of the already obvious market disruption, be it a huge threat or opportunity. To do otherwise may be catastrophic and less forgivable because there would have been time to calculate and resolve the impending risk. In short, a gray rhino is a high risk, high impact risk.

  • What is the rank of each risk? This measure allows you to calculate a numerical measurement for each risk which can be used for ranking each among the lot. The rank is typically calculated as probability X impact. Example(s):
      • Imagine a risk for which the probability was 3 and the impact was 7. The overall risk factor would be 21 (ie 7 multiplied by 3). When compared with another risk with an overall risk of 40, it falls below the other one in priority.
  • Basis of assessment (aka 'strategy' or 'strategies').
    • Worst case scenario. This is based on the worst possible case scenarios, without consideration for possible barriers to their occurrence.
  • What is the status of the risk? Example(s):
    • New 
    • Planned
    • Upcoming
    • In progress. A currently ongoing risk.
    • Done
    • A more complex method involves calculating overall risk as a dollar value.
    • Write a non-technical description for the sake of non-technical readers. You may include the effects of the risk, ie the business impact, including effects on the client. This information helps stakeholders to better appreciate the need for their compliance or action. Providing links to this section is useful when trying to convince stakeholders of calls to action (CTAs). As with other parts of this section, this detail will be entered into the risk log.
    • Risk owner. Ideally, this should involve someone other than yourself who can take responsibility for managing the risk and response.
    • Show the date that the risk log was updated.
    Apart from 'ranking' risks by plotting them on the risk matrix, you can also rank them further according to their 'risk rank' score (ie probability score X impact score; for example, the score '35' derives from a probability score of 7 multiplied by an impact score of 5). Outside of this, the rank is based only on the color of the tile on which the risk falls on the matrix, where red tiles show high risk while yellow and green show medium and low risk respectively.

    4. Risk Response Strategies (Levels of Proactivity VS Passivity)

    Risk responses are also called 'control strategies'. This stage involves when, how and if to respond to each risk. The risk matrix provides a quick visual representation of all this information at a glance. While the previous stage ranked risks, this stage allows you to rank or prioritize your response for each type of risk - a saviour of limited resources. Once you configure your industry, your unique risk tolerance and so on, you can customize the distribution of the responses accordingly. In fact, skilled third parties (like project managers, insurance companies and banks) might even be able to review your matrix for a quick insight into your business' approach to risk (like levels of tolerance, your thresholds, and so on).  


    The Impact-Probability Matrix (simple format) reflects levels of proactivity vs passivity / reactivity of responses. I like to consider this matrix more as a proactivity-passivity response diagram. For instance, proactivity (the red response region) does not wait for risks to occur; it makes changes beforehand to avoid negative risks. Conversely, passivity (the green region) waits for if or when the risk occurs.


    Notice that this version displays the values of overall risk. This is a convenient feature that allows users to easily match a single risk value to a level of response, because all of the cells in which that value occurs have a single color that corresponds to a specific level of response. Using numbers this way is possible only when all cells with a particular value always have the same color (unlike other examples before and after this one).

      Impact-Probability Matrix (simple format)

      Specifically, when an overall risk falls within the red region of the probability-impact matrix, it warrants a response with 'high' proactivity or urgency. Similarly, risks in the yellow and green regions are considered to be medium and low respectively. In other words, you may consider the colors ranging from high proactivity (red) to high passivity or reactivity (green).

      Keep in mind that risk involves not only negative deviations but also positive ones. As above, this stage requires customization to your industry. The typical responses are as follows.

      1. Act now. Either
        1. Avoid (negative risk) or 
        2. Exploit (positive risk)
      2. Transfer. Either 
        1. Transfer (negative risk) or
        2. Share (positive risk)
      3. Mitigate and 
      4. Accept. Either 
        1. proactively with a contingency plan or 
        2. passively.


      Levels of proactivity vs reactivity. You may have noticed that, while all risk matrices look similar, businesses customize theirs with a different number of red and green tiles. This customization is a matter of how proactive or reactive a company chooses to be in each type of risk profile. It may arguably also relate to levels of risk aversion. Specifically, businesses with a greater number of red tiles are more proactive toward high impact risks, even if the likelihood is low, and vice versa. The response to transfer risk to an insurance company is a case in point. While some businesses will buy insurance, regardless of how minute the chance of product liability, there are others that select less proactivity to save the money because they know they are more likely to win that gamble. While the meanings of the colors remain the same, the level of proactivity can change. Considering the extreme risk profiles of each response, ie 1) high impact & low probability and 2) low impact & high probability, ponder the question to determine how to adjust the distribution of red and green tiles on your matrix. Use scenarios of several of your real risks for this exercise.


      • What are your response options? Additionally, regarding the 'accept' response, what are your levels of proactivity and passivity? The responses and proactivity-reactivity levels are typically as follows.
      Response: Avoid (or Exploit)
        • Act proactively: Avoid (negative risk) or Exploit (positive risk). This involves either avoiding negative risk or leveraging positive risk (aka 'an opportunity'), especially if the 'overall risk' is high and top priority. This risk was plotted on a red tile on the probability-impact matrix. Proactive responses often require significant investment into alternative business practices. Example(s)
          • Avoid an overall high risk. The 'cause' of the risk is that your manufacturing methodology can harm consumers, ie a design defect. You select to invest in alternative product designs, recipes, etc.
          • Avoid a gray rhino, ie a risk that is overall high with utmost priority because it is a charging animal (no longer a graceful swan). After the Covid-19 pandemic was clear, known risks posed by the aftermath needed to be assessed in preparation for their occurrence.
          • You avoid the overall high risk that is water damage to your assets whose 'cause' is flooding. You tell your organization to never work whenever it begins to flood.
          • You avoid the overall high risk of low productivity whose 'cause' is a toxic team member. You remove that person from the team.
          • Avoid high-impact, low-probability risk (NOT an overall high risk). EXTRAORDINARILY PROACTIVE: You simply do not want to endure the loss (perhaps because the product is part of a limited edition and or the cost of proactivity is low), so you select a highly proactive response approach by always using the preservative ingredient.
          • Avoid low-impact, high-probability risk (NOT an overall high risk). EXTRAORDINARILY PROACTIVE: Natural soap is naturally alkaline, which stings human eyes. Parents who buy 'extra mild' baby soap complain that the soap stung the eyes of their children. Since refunds and product exchanges for alternatives may not be feasible, the manufacturer prints a clear warning on the packaging label.
          • Exploit a realizable opportunity, ie create a positive risk from an opportunity. You recognize an opportunity in that a particular one of your machines can handle more complex work than the others. You rearrange tasks for all machines, ensuring that the special machine has extra of the workload to achieve an overall higher productivity level. This may apply to product design, people's roles and so on.
          • Enhance a pre-existing opportunity
            • Using the example above with the machines; if the most efficient machine is already well allocated, you increase its workload when possible.
            • Shipping costs from a distant supplier are a nuisance. However, you can avoid them by collecting materials and putting them in your truck whenever you happen to pass through that supplier's town, which is on the way to another meeting. Alternatively, you can also take advantage of seasonal 'free shipping' special offers.
          • Checklists. Production staff complete an electronic daily safety checklist from their phones while setting up their workspace. The checklist allows each member not only to register data like temperatures, weights and so on but to provide uploadable evidence like photos. These records may also be used to help inform incident reports. In other cases, checklists may be useful for (safety) training during the new employee onboarding process.  
      Response: Transfer
        • Transfer the risk to another party. Unlike the norm, which determines the response based on the overall risk, this response is common for risks that may not be overall high but have a high negative impact, regardless of the type of probability (even low). This response illustrates the need for an industry-specific design.
             Positive risks may be shared with third parties.
              Example(s)
          • Transfer high-impact, low-probability risk (NOT an overall high risk). EXTRAORDINARILY PROACTIVE. 
            • A manufacturer may buy (product liability) insurance which shifts the risk to the insurance company
            • An authorized retailer 'X' may prefer a manufacturer that includes them (X) as an 'additional insured' on the product liability insurance policy. This protects the retailer if his customer, the consumer, sues him, the retailer. The manufacturer's insurance company will act on behalf of the retailer provided the product has been left unchanged. Unlike manufacturers, who usually transform their suppliers' raw material products into something else, distributors and retailers do not.
            • You may share the impact of a positive risk / opportunity (of saving money) by sharing a shipping container with another business. 
      Response: Mitigate
      Here are 2 types of mitigation responses.
          • Mitigate to reduce the 1) likelihood and or 2) impact of risks. This is a common response for risks that are low-impact and high-probability. NB. Also prepare mitigation responses for secondary risks, ie those that arise from other response strategies.

            Example(s).
            • Outsource to persons who are more competent than you at a particular task. You can also train staff to become competent at the task. For instance, you can hire a project manager who is better able than you to identify risks and establish an appropriate management response. Consequently, this reduces the probability of encountering unforeseen risks and reduces the impact of risks through response plans that are faster and better organized than yours would have been otherwise.
            • Write clear warnings on product labels "for external use only" to reduce the probability (albeit small) of consumers eating a pretty fruit ornament or food-like smelling cosmetics.
            • You may reduce the impact and or chance of consumer dissatisfaction by performing exploratory surveys of your target market before launching the product. 
            • You may reduce the impact of a secondary risk (illness) that can arise from your 'avoid' response to a preliminary risk of death. Providing a high bridge for soldiers to pass over an alligator-infested swamp saves their lives. However, the bridge's movements often cause lower back aches. You teach soldiers how to reduce the potential by crawling over the bridge instead.
        • Horizon scanning (a function of risk monitoring) for swans, rhinos and other risks: Since you may be unable to avoid swans, establish systems that constantly look out for early signs of impending swans. Despite your limitations regarding data and predictability: 1) Establish an action plan that allows you to respond as early as possible. In short, while you cannot predict black swans, you can prepare to respond quickly at the first warning signs of them. 2) Reconfigure your CRM system to respond directly, for example to allow you to create new fields for collecting relevant data. 3) Minimize damage to the brand reputation by improving contact. Specifically, since the call volume will have increased beyond the normal volume that you (and your agents) can handle, set up self-service options whenever possible. Additionally, once you have identified a problem, reach out to customers (before they have a chance to call you). 4) Respond quickly with sincere apologies to prevent the public from shaping the narrative in ways that encourage distrust. Use social management tools like Voice of the Customer (VOC) to track the reaction, whether positive or not, to your message. This will give you the chance to respond accordingly. 5) Continue research to close the knowledge gaps.
          • Brand repositioning requires a brand to change its branding, often after a white swan in the market landscape. See how cases like Old Spice changed its brand personality and image in the face of consumer brand perceptions that had been that the brand was for old men. See other brand repositioning cases that include Starbucks.   
          • If customer complaints or incident reports of a certain type occur and exceed a tolerance level, they can be an early sign of a potential crisis. Consider having a CRM system and or social media management system with threshold reporting and real-time alerts. They work by alerting you to an above-average number of negative reports.
          • When health care professionals began to spot the earliest cases of Covid-19 (a white swan), the ideal response was to make early plans for stockpiling relevant equipment and quarantine preparedness.
          • Volcanic eruptions are white swans. Consequently, people are hired just to monitor charts every day, even if eruptions do not occur for decades and they spend their days surfing on the nearby beach. The risk and potential destruction require these people.
          • Look for swans that are essentially market disruptors, ie macro-environmental changes in your industry, and how they affect Porter's Five Forces of competition. Due to the Covid-19 pandemic, logistics for imports have been adversely affected. To what extent is Covid-19 making a new normal? Will this impact your ability to import key manufacturing inputs? If so, will suitable substitutes remain available? Can a swan provide positive competitive risks, ie opportunities? Other major macro-environmental changes include distribution channels within your country, foreign exchange impacts on the cost of inputs, deregulation and changed requirements in technology. If you planned a project based on certain assumptions whose validity might change for you and your competition, you should watch for early signs and plan accordingly.
        As discussed in greater detail below in the monitoring function, horizon scanning is a matter of your corporate strategy and should therefore be given special attention.  

            

        Response: Accept
          • Accept response. Despite acknowledging the existence of low ranked risks, you do not expend limited resources (time, money, people, etc) to proactively avoid or mitigate them. Rather, you react to them only when or if they actually occur. On that basis, this response is reactive. Be aware that this response is not a failing on your part. It is ideal to show that, at least, you recognize the existence of a risk and, by virtue of that fact, have prepared accordingly. It would be more of a failing if you did not mention risks that actually exist. More importantly however, businesses never have unlimited resources with which to tackle every risk. Even if they did, it may be counterproductive, like saving $10 with an effort that costs $100.

        However, even acceptance responses can be ranked into:

         

        1) acceptance with a plan B / contingency, ie a provision of some type for an unforeseen risk. This approach is commonly used when either the probability or the impact is very high while the other is very low.

         

        2) acceptance with NO action. When taking this approach, analyze whether the risk is in fact a 'gray rhino'.  
            Example(s)
            • Accept proactively with a contingency: high-impact, low-probability risk. The only power source fails, thereby stalling the operation. Plan B is a backup generator and plan C is an extension cord that can be quickly connected to an alternative power source.
            • Acceptance Proactively: high-impact, low probability risk with a contingency plan. Other common examples.
              • Refund or exchange policies 
              • Return Merchandise Authorization (RMA) process. 
              • Customer service to resolve complaints according to a prescribed process.
              • Acceptance Proactively: low-impact, high- probability risk with a contingency plan. Other common examples.
                • Frequent rain in London prevents low-height company van from collecting employees on time from their flood-prone region. When the risk occurs, ie flooding, you call upon an alternative; a minivan that is higher off the road.   
              • Accept Passively / REACT: low-impact, low medium-probability risk & do nothing upon identifying the risk. A customer complains that the sunblock blurred his vision after he had smeared it over his eyes.
              • Accept Passively / REACT: low-impact, medium-probability risk & do nothing upon identifying the risk. One of several customer service workers takes a day off unexpectedly, thereby making the team's overall response rate to customer requests slightly slower than usual.
              • Preparing manuals, procedures, contact forms and other templates (for Customer Service representatives) reduces the impact of risks associated with handling customer complaints inadequately.
              • Getting feedback on prototypes can reduce the likelihood, albeit unavoidable, of customer complaints if you can use the feedback to re-design accordingly.

          [The difference between 'Accept' with contingency plans and 'Mitigate' is that the act of 'mitigation' occurs immediately and BEFORE the risk actually occurs, ie before the business is confronted with the unexpected challenge. Conversely, contingency plans are carried out ONLY when or if the risk occurs.]

           

          • What are the resources required?
          • Who will respond to the risk? This person is called the 'owner' of the risk. If you have a team, do not try to do everything. Rather, delegate this role to technical persons with the wherewithal to execute the appropriate response.
          • How should outcomes be documented?


          5. Risk Communication

          Risk management focuses on 3 elements of communication: 1) who communicates, 2) the message and 3) the methodology. 

           

          5.1 Who communicates

          This element answers the question(s) 'who should be told? ... and by whom?'

          a. Start with as complete a list as possible of stakeholders. Then promptly segment them according to psychographic differences that will influence how they perceive, assess and respond to the communication. Perception is possibly your best psychological measure. Examples of psychographic considerations may include expected level of understanding (possibly based on job title), reaction to different principles of influence and so on. Also consider subsets within groups with highly specific interests. For instance, during the Covid-19 pandemic, health officials provided general information, such as the airborne nature of transmission, and safety guidelines like social distancing. However, other smaller niches customized their communication to meet the unique interests of their audiences (in line with the earlier point regarding audience 'segmentation'). Examples include universities communicating with international students needing to return home; immigration agencies with tourists who became stranded within closed borders; hospitals with their first line responders and so on.


          b. Place internal stakeholders as a top priority. After all, external stakeholders generally approach them for advice and action.


          5.2. Message
          This element focuses on answering the question, 'What must be communicated?' However, before you consider the finer details to include, be clear about your objective: to respond to a risk. An example, as in the Toyota case below, is to avoid the risk of death.

          a. Consult established procedures. They often involve a formula that includes having an objective and other key discussion points. Example(s): Procedure for a consumer product recall.  

          b. Provide the facts clearly and as fully as possible. As mentioned below, feeling knowledgeable about risks reduces the risk of your audience's fearfulness and panic.

           

          Example(s) 
          Mitigate the communication risks of a lack of knowledge and consequent fear and panic. Provide infomercials that give a sense of empowerment.


          5.3 Communication Methodology (for behavioral impact / awareness, etc)
          This element focuses on answering the question, 'how must the information be communicated?'

          a. Customize the message to the levels of understanding and interest of each audience segment.

          b. Meet the emotional needs of your audience. Specifically, be empathetic, encourage trust and give a sense of empowerment. 

          Empathy is usually based on 2 elements; 1) level of familiarity with the risk and  2) their perceived level of control over that risk.

           

          Empathize with the fact that, when people have a sense of understanding risks, they are generally less fearful - a very powerful emotion. This is the case even when the danger is considerable. It is therefore important to encourage your audience to feel a sense of being in control of the situation whenever possible. This may be achieved through 2-way communication that focuses on listening. 

          Trust involves truthfulness and 'authority' (as it relates to being an expert on the discussion point). This may be challenging because the public has grown distrustful of companies and is likely to listen to their circle of influence over the management of a business. To gain trust as the expert, anticipate and prepare for the questions of your audience.


          A sense of empowerment can be encouraged by the content of your message. See above.  

          Example(s)

              • Transfer the communication risk of losing trust. Hire an expert to speak about technical matters that management is not equipped to address. Your team will never feel forced to speak when they lack sufficient expertise and risk appearing to be liars or incompetent.
              • Mitigate risk that your audience feels they lack control / disempowerment (which creates fear). Create a 24-hour hotline, live chat or other platform that provides real time one-on-one communication. The platform accommodates conversational rather than top-down (teaching) communication in which you can listen to the audience provide more facts.

          c. Keep the communication going. Never go silent. When your audience cannot get information from you, they tend to fear that they are somehow missing out.

           

          Example(s)

              • Provide updates as proactively as possible and at frequent intervals.
              • Repeat yourself as often as needed.    

          d. Create workflows using a format that your target understands. A workflow is a sequence of tasks along paths that describe how an objective is converted from being undone to done. Formats include diagrams (as the one pictured immediately below), hyperlinks to follow through tasks and autoresponder email campaigns. The more automated you make them, like autoresponder email campaigns, the easier.

           

          Create a generic 'black swan' workflow for crisis communications. For instance, I created black swan workflows for the risk of consumer deaths and product recall. This was necessary despite best efforts to otherwise provide 'Avoid' responses for all known issues that could cause consumer death.

          Adapt workflows appropriately to the type of risk being communicated. For instance, risks that involve crises may require a more humanized, more quickly accessible format like one-on-one telephone calls if possible, social media videos and so on. Conversely, lesser risks may be communicated effectively with emails or other forms of correspondence. Here are examples of risk communication involving a 'black swan'. How Toyota's Quality Management Team works behind the scenes is unknown. However, having responded before a single case occurred with their brand, Toyota's case below illustrates such a high level of proactivity that they very likely already had a well designed risk management plan that was sufficiently robust to even handle black swans.

           

          See Toyota's response to the high-impact, high-probability risk of death because of a design defect (arguably the riskiest type of defect in product liability). 

          OBJECTIVE(S): To save lives. 

          WHO:

          · The Chief Quality Officer for North America addressed customer 

          · Several Customer Experience Center agents [familiar faces that interact with consumers] addressed the segment that usually approaches or will approach the center.

          · Product Quality & Service Support agent addressed the segment of customers that will not approach the center.

           

          MESSAGE:

          · [by Chief quality officer] Provides clear and full disclosure about "dangerous airbag inflators". He verbally explains the nature of the risk and uses visual illustration to overcommunicate and simplify the technical message when he mentions that the inflators "can rupture when the airbag deploys, spraying sharp metal objects inside the cabin". He explains the impact of the risk by saying that " ... they have tragically claimed over a dozen lives". He suggests the probability by mentioning that it was a design defect. He states the objective when he mentions that "it is a public safety crisis". To safeguard Toyota's reputation, he also quickly mentions that the defect was made by another company used by 19 car manufacturers and that no deaths were related to Toyota.

          · [by Customer experience officer] Without making it obvious that he is giving the audience instructions, he suggests how customers can avoid the risk - by getting a repair. The instructions are repeated several times, including when the chief quality officer stresses that customers "can change [the danger they put themselves and loved ones into] by scheduling a repair". They explain what customers can expect when following the instructions. This makes the appeal more attractive as it eliminates any sense of personal risk within their customers. This was most evident when the second customer experience center representative explains the easy, free, convenient and transparent arrangement. By showing the types of people with which customers usually interact, following the instructions can be easily visualized.

          HOW:

          Chief quality officer's message meets emotional needs of the audience:

          by displaying empathy with words like "tragically claimed over a dozen lives" and "this is not just a recall, it's a public safety crisis", ie the customer's versus management's perspective. He also reassures the audience of Toyota's commitment to resolving the problem when he says "we are not standing still". The Product Quality & Service Support representative reiterates Toyota's commitment when she mentions that they will call and write customers "repeatedly [...] and may even knock on your door".

           

          by encouraging feelings of empowerment and trust through full disclosure along with the solution that consumers can do (ie request a repair) when they say "you can change all that [ie your putting the lives of yourself and others in danger] by scheduling a repair today". The information allows customers to understand the situation and feel more in control of the fearsome situation.

          · By using the 2 front-end persons who are the brand's human faces, Toyota subtly recommunicates the instructions to customers by letting customers know from whom they request the repair.

          They used a type of urgency- and scarcity-driven emotional marketing in which the audience is prompted to retain something of value by following the Call to Action / CTA. By stressing that the thing of value can become scarce, they enhanced its perceived value. Toyota listed the significant relationships that customers can lose: "yourself, your spouse, your child or whoever is in your vehicle". In short, the CTA encourages customers to avoid the risk of loss of life.

          Incident reports are a form of internal communication. Provide forms that help produce the most accurate and detailed reporting. For instance, encourage persons to answer the 5Ws, ie who, where, when, what, why (beware of the 'why', as reports should only be factual). Read more about best practices for incident reporting.

           

          6. Monitor & Review

          The diagram that explains risk management places this stage around all of the others. As seen when discussing 'horizon scanning' in the 'mitigation' responses section above, this stage should be continuously integrated into all of the other stages. In turn, your risk management process can be more adaptive to changes in other key variables.

          Risk-based Monitoring (RBM) and horizon scanning have gained preference over the alternative generalized form of monitoring because of their relatively greater efficiency.

          Horizon scanning is a method of identifying early signs of potentially significant developments by systematically analyzing opportunities and threats. It investigates novel and unexpected issues, including drivers that maintain or can disrupt current mainstream thinking and assumptions. It therefore considers what is likely to continue or change. More importantly, as seen below in the video introduction to Bill Sharpe's 'Three Horizons Framework', horizon scanning is ideal for riding and creating waves of change towards longevity, innovative growth and transformation.

           

          Another simpler & shorter introductory explanation of the Three Horizons Framework

          • What newly identified risks should be added to the risk register? Other risks may no longer need to be in the register or may be assigned a lower risk rank. Incident reports may inform changes like this. For instance, a near miss shows that a hazard was exposed. Consequently, you may need to create or improve a risk response to reduce or prevent exposure to that hazard.
          • Are the reserves sufficient for handling risks?
          • How often should you review the process?
          • How effective is the risk management process?
          • How effectively has the risk identification process worked?
          • How accurate is the risk assessment?
          • How effective have risk responses been?
          • What records should be kept?
          • Are safety procedures being followed?
          • See discussions about how an adapted 3 horizons framework helps a business's innovation.




          OVERWHELMED? WHERE TO START? 
          • The risk register provides input details for all project or operational processes. Once you are clear about your objectives, start by creating and sharing a risk log aka 'risk register' with all stakeholders. Risk logs usually provide finer details associated with each risk. It is placed either at the end of the document or separately. It is ideal if you have the document in a sharable electronic format which can be accessed by all stakeholders online, like via a bookmark to a cloud storage. Brainstorm through each of the stages above. You do not need any special software. Rather, a multi-column table on a landscape oriented page in MS Excel is enough. Although the font might need to be a bit smaller than usual and the cells need to be tall and narrow, the format allows viewers to review the details for each risk from left to right. Prepare this as soon as possible; even if you can only enter the risk titles and nothing else before beginning to share the document, that is fine. Keep the risk register close at hand to continuously update it as ideas develop.
          • Use MS Excel to create a risk response plan. 
            • Create the rows and columns for probability and impact.
            • Enter formatting rules for all of the cells that will be colored. Example:
              • Highlight all cells, click 'Conditional formatting' (in top level menu bar)
              • Enter all the conditional format rules so that, upon entering the response word, the cell will turn to the corresponding color: red - avoid, orange - ....., green - accept. 
                • Manage rules > new rule ... > Format cells that contain > Specific text (in the dropdown menu in 'format only cells with' section) > [type the response name, like 'Avoid'] > 'Format' > Fill > [select the red tile] > OK > [to add a new rule, for 'accept', click] New Rule, etc ....
            • Type the names of the response into each cell. Review the definitions on the scale of impacts (above in the 'Assessment' stage or 'Risk Register'). 
              • Start from the high-impact end of the impact scale. For instance, if your industry is in medicine or cosmetology, you have likely determined that fatality must be avoided at all costs, ie regardless of the probability of that risk. Consequently, enter the word 'Avoid' in all rows or columns that correspond with that level of intolerable impact, regardless of the probability level (because that applies in your business).
              • Repeat this for all the possible ways in which 'Avoid' response applies.
            • ...
          • Aim to have a plan in place from as early as possible, especially if your business faces significant risks.
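
The response grid from the steps above can also be generated before it is typed into the spreadsheet. This is an added example, not part of the original post; the 5-point scale, the function names and the rule for cells the steps leave open (low combined score accepted, everything else mitigated) are assumptions.

```python
import csv
import io
from collections import Counter

# Assumed 5-point scale; substitute the scale defined in your own risk register.
LEVELS = ["very low", "low", "medium", "high", "very high"]


def response(probability, impact, intolerable=("very high",)):
    """Return the response word for one probability/impact cell."""
    p, i = LEVELS.index(probability), LEVELS.index(impact)
    top = len(LEVELS) - 1
    # Rule from the steps above: an intolerable impact (e.g. fatality) is
    # avoided regardless of probability, so it is checked first.
    if impact in intolerable:
        return "Avoid"
    # Rule from the 'Accept' section: one dimension very high while the other
    # is very low -> accept, but keep a contingency (plan B) ready.
    if (p == top and i == 0) or (i == top and p == 0):
        return "Accept (contingency)"
    # Assumption (not from the article): a low combined score is accepted
    # with no action and every remaining cell is mitigated.
    return "Accept" if p + i <= 2 else "Mitigate"


def build_grid(intolerable=("very high",)):
    """Rows: probability, highest first. Columns: impact, lowest first."""
    return [[response(p, i, intolerable) for i in LEVELS]
            for p in reversed(LEVELS)]


def to_csv(grid):
    """Serialise the grid with headers so a spreadsheet can open it."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["probability / impact"] + LEVELS)
    for prob, row in zip(reversed(LEVELS), grid):
        writer.writerow([prob] + row)
    return out.getvalue()


def summary(grid):
    """Count how many cells received each response, as a quick sanity check."""
    return Counter(cell for row in grid for cell in row)


if __name__ == "__main__":
    grid = build_grid()
    print(to_csv(grid))
    print(dict(summary(grid)))
```

The CSV text opens directly in MS Excel. A 'Specific text' rule that looks for cells containing 'Accept' will also colour the 'Accept (contingency)' cells, so give the contingency cells their own rule if they should stand out.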
