This is a multipart discussion that will be posted over the next several days.
Over the last 5 years, I have seen a huge surge in the number of companies adopting formal risk management frameworks and methodologies. This is sometimes driven by regulatory requirements and other times by experienced executives that understand the importance of risk management.
I wanted to take a quickly look at risk management in the context of outsourcing.
What is risk?
The definition of risk is intuitive but can be summarized as “an event that may have a material impact on your business and its success or desired outcome”.
How does your company view and measure risk?
Depending on your industry, you can adopt one of the following risk management models:
- Risk as a probability This applies to organizations that measure risk as a likelihood that something may occur (i.e. an insurance company determination your risk of dying early because of lung cancer). Organizations adopting this approach will collect performance data and built likelihood tables to judge risk.
- Risk as a variance This applies to organizations that measure risks as a likelihood that the outcome may differ (delta) from a distribution. This is often the approach used by banks and investment companies. Organizations adopting this approach will base their “risk tolerance” on the expected return. The higher the return, the more volatility they are willing to accept.
- Risk as an expected loss This is the most common risk model adopted by organizations and is a loss function multiplied by a probability function. As an example, the impact that your cash will catch fire in a bank's vault is catastrophic but when multiplied by the likelihood of it actually occurring, it become negligeable.
Types of risks
There are 2 types of risks that your company may be subjected to (each with its own mitigation strategy):
- Exogenous risk is risk on which we have no control. It is risk that is unaffected by our actions. Great examples of this are the revolts in Egypt, the tsunami in Japan or an earthquake.
- Endogenous risk on the other hand is risk that is influenced by our actions or decisions.
When playing Russian roulette in a casino, the actual risk related to a result number other than the one I have chosen is exogenous and out of my control. Risking my capital by playing Russian roulette is an endogenous risk because it is a result of my actions.
Stay tuned for part 2 tomorrow