Responsibility for preparing for these risks ultimately falls to the CEO and board of directors, but in a large corporation there is often a risk manager or risk management department who deals with the practical tasks of identifying risks, figuring out how to mitigate them and devising a plan to ensure the business is resilient should the worst happen.
But making sure these issues are dealt with is just as, if not more, important for a small or medium private company.
Richard Waterer is MD of Marsh Risk Consulting. He says: Just because a business is unable to have a dedicated risk management function owing to its size, it doesn’t make the threat any less significant. In fact, for companies that have less capacity to deal with volatility than a large multinational would have, it’s arguably more important.
Whilst the board is ultimately accountable on issues of risk, its members don’t need to be responsible for every element of it all the time.
Waterer says he would advice businesses that once they have identified and are comfortable with the key risks they face, the risks should be divided between senior people in the firm who are responsible for monitoring that risk on a day-to-day basis and coming up with plans to deal with any problems that occur.
For instance it could make sense to place your FD in charge of managing cashflow risk, your CEO in charge of strategic risk, and your head of HR in charge of managing risks associated with employment law.
One more piece of advice from Waterer: Risk management shouldn’t be a one-off process. For some companies a risk review is something they carry out for their annual report, but then it gets put to the side while the day to day running of the business is carried out.
He says: “This sort of work, although you don’t want it to be become labour-intensive or costly – because that sort of defeats the object – equally it shouldn’t be considered a one-off exercise. If there’s a change in the risk profile of the business, the board must be aware of that.”