Risks pose a financial and reputational threat to organizations that can be disastrous if left unchecked. The good news is that the warning signs of risks are often hiding in plain sight for those careful enough to look.
For example, there were plenty of early warning signs ahead of the Great Recession of 2008, but far too many executives simply assumed that mortgage loans would never default, that banks were immune to failure, and that businesses would continue to grow indefinitely. Even the demise of Bear Stearns early that year was considered an isolated incident that did not portend ongoing damage to the global economy.
Organizations can’t predict the future, but what they can do is anticipate a wide range of possible risk scenarios and develop plans to quickly and effectively address each of them. When a risk becomes reality — whether in the form of a lawsuit, an impending market fluctuation, or a global chokepoint in the supply chain — best-practice organizations act quickly with a plan in place to keep the business moving forward.
This month’s metric is “cycle time in days from risk identification to changes in policy.” Data from APQC’s Open Standards Benchmarking database shows that top performers for this metric respond to a risk with changes in policy within 30 days. That’s twice as fast as median performers and three times faster than bottom (the worst) performers. It is in the best interest of any organization, once a risk is identified, to address it as quickly and as completely as possible — especially if that risk is at the enterprise level and has the potential to damage the entire organization. Ninety days leaves plenty of time for a risk to wreak havoc on an organization that hasn’t prepared in advance.
Not all risks are the same — some might threaten the stability of the entire organization, while others might cause a temporary delay or setback to one area of the business. While it is important to respond to risk in a timely way, it is equally important to take a thoughtful approach based on the nature of the risk and the impact it might have. A rushed response could make things even worse if it is disorganized and haphazard. An organization’s leadership and management should work to thoughtfully understand each risk and its potential impact before developing an effective action plan.
Risk Planning and Analysis
Best-practice organizations ensure that planning teams have the dedicated time and resources to think through risks and develop action plans that can quickly be implemented. For example, APQC’s latest finance planning and analysis research found that top-performing organizations consistently free up time for scenario planning, risk prioritization, and other advanced risk mitigation strategies by eliminating or reducing non-value-added tasks. Whether through automation, eliminating budgets, or investment in new planning tools, these organizations create the needed time and space for planning teams to move beyond forecasting to spend time anticipating and planning for a wide range of scenarios.
Scenario planning for risk should, at minimum, include planning for extreme highs and extreme lows, however implausible they might seem. Planning for both is important: Phases of extreme and explosive growth might lead to missed opportunities if a plan isn’t in place to take advantage of that growth. Planning for worst-case scenarios, meanwhile, ensures that an organization can act fast enough to mitigate the worst impacts of risk and recover more quickly. In this way, scenario planning both protects and helps grow the organization by considering a wide range of possibilities.
As organizations consider the high and low scenarios for each significant risk, they should develop an action plan for each. These plans can be collected into a series of playbooks that the organization can continue to review annually and update as new risks and opportunities present themselves. Even if an organization encounters a risk that it never could have anticipated, it can draw elements from other planned scenarios to formulate a response. As the playbook grows, so does the capacity to respond quickly and effectively to keep the business on track.
Top-performing organizations can act to mitigate risk much more quickly than bottom performers because in many cases they have already considered the scenario at hand and have an effective action plan that can be set in motion quickly. An organization should consider a wide range of possible scenarios and continually build up its playbook so that the resources for responding to a wide range of risks are near at hand in the unfortunate event that they are needed.
Whether in supply chains, human capital management, or anywhere else in an organization, risks carry the potential to bring work to a standstill. When risk becomes reality, having a plan in place ensures that the organization can move to mitigate risks with confidence and in a way that aligns with the organization’s broader strategy. No one can fully see the future, but planning for it is essential to withstand whatever might come.
Perry D. Wiggins, CPA, is CFO, secretary, and treasurer for APQC, a nonprofit benchmarking and best practices research organization based in Houston.