IES Blog

Risk Management: How Do You Prioritize Risk? – Part 2

Posted on May 14th, 2018 Read time: 3 minutes

two women at desk analyzing data on papers and iPad

By: Tania Fiero, VP of Human Resources

Published By: HR Daily Advisor 

Yesterday we began to learn about enterprise risk management (ERM) and how it influences HR. Today we’ll look at risk appetite, performing a risk assessment, and prioritizing risks.

Determine Risk Appetite

Of all the steps, this one tends to be the most difficult for by-the-book HR professionals, yet no ERM plan is complete without it. When determining your risk tolerance, you’re thinking about how great of a chance you’re willing to take. It’s asking, “Is the risk worth the reward?”

In some situations, this question is simple. At our company, we look at the numbers. If revenues for a potential sale are $10,000 annually but there’s still a 1-in-10 chance of a costly class action lawsuit or emergency audit, we’d probably decline to pursue it. However, the same risk might be worth a much larger reward, like $50 million.

But sometimes, there’s more to it than hard numbers. As HR teams know, a class action lawsuit or discrimination case can cost much more than court fees and fines. Soft costs, like damage to a company’s reputation and recruitment efforts, are part of it, as well.

Perform Risk Assessment

A complete risk assessment pulls together all of the information we’ve discussed so far. Start with the likelihood and impact of the event that you determined with your assessment criteria. Then, consider the ways you can respond to that risk to mitigate each factor. There are essentially four things you can do:

  1. Avoid the risk. You don’t take any part in the risky activity. In a situation where accepting a certain client results in risk, avoiding the risk would mean completely turning down the business.
  2. Reduce the risk. Training employees, hiring more resources, increasing the budget, pushing deadlines, and securing new business can all serve to reduce risk. For example, a company wants a product ready for sale before the holiday season, but it risks a delay in Food and Drug Administration (FDA) approval. To reduce this risk, it might request that employees work overtime to get the product to the FDA earlier.
  3. Share the risk. Sharing risk means securing insurance or contractually dividing risk among partners, vendors, and clients. For example, a 10% increase in earnings comes with the risk of an increase in third-party injury claims due to a new driver delivery model. Securing auto insurance for drivers to cover the cost of litigation and claimant rewards would share that risk.
  4. Accept the risk. Certain risks are worth taking. When you know the level of risk your stakeholders are willing to accept, it becomes easy to determine whether this is the correct choice.

After identifying one or more ways to mitigate a given risk event, measure its likelihood and impact again. Is the level of residual risk acceptable? Sometimes, the answer will be “yes.” As an HR professional who had always tried to avoid risk, this exercise was enlightening for me. Risks don’t always have to be avoided or reduced, assuming the potential reward is sufficient.

Prioritize Risks to Address and Develop Risk Response

This final step consists of reviewing all of the risk assessments and picking the ones that your company is going to move forward with. Basically, risk mitigation steps become your action items. Be careful, though. Risk mitigation itself can create risk. Many risk mitigation processes take a long time to implement, which can be costly or overwhelming.

Implementing an ERM program and culture can take years. Respect the process. Too many businesses abandon ERM programs before they fully mature. Use the concepts of ERM to customize a program that works for your business.

Disasters usually happen when a company isn’t fully aware of the risks it’s taking. Often, clogged communication lines prevent risk information from getting to the people who need to hear it.

We HR professionals are very familiar with risk. Most of our job is to avoid it at all costs. Through ERM, it’s our responsibility to make the rest of the company aware of those risks so we can all choose our business bets together.

Check out this published article on HR Daily Advisor 

Related Articles