Risk Management 101: Managing a business means managing risk

On December 6th, OneGroup hosted its final webinar of 2023 in the 101 Webinar Series. Paul Coderre, ARM, MBA, spoke about risk, risk assessment, and options for managing risk.

Whether you are a business owner trying to manage a business, an employee climbing a ladder at work, or an individual driving in a car to a sports game, we face risk every day of our lives.

The risk management process consists of making systemic changes in order to minimize risk to an acceptable level.

During the 1950s and 1960s, Japan had just come out of war and had begun building its industrial complex. During this time, Japanese products were not considered to be of the highest quality. That changed only after W. Edwards Deming, Peter Drucker, and a few other industrial management ‘gurus’ visited Japan to help business owners develop a complex that today is used to build high-quality products at companies such as Honda, Toyota, Subaru, and many successful electronics companies.

Deming and Drucker broke the basic goals of every business down into three key categories: survival, growth, and profitability.

Survival – The first focus of any organization is survival. Over the past few years – especially with COVID and the present-day economy – we have seen many organizations sell off or close their doors. A business’s survival is directly tied to effectively managing everyday risks.

Growth – It is said that if your organization is not growing it is dying. Organizations must focus on the growth of their staff, their management effectiveness, their product and their geography, if they are to survive and thrive.

Profitability – While profitability can be considered more of an outcome rather than a goal, profitability feeds survival and growth. It is vital to an organization’s success in a marketplace.

Success in business requires minimizing anything that threatens survival, growth or profitability. Therefore, success demands effective risk management.

Risk identification can be a long process and may take some time to adjust and fit into your day-to-day tasks. But, if you don’t identify the risk, it will, at some point, identify you.

Risk analysis. After you have identified the possible risks, ask yourself, how bad could it possibly be, and what is the likelihood of that happening? Risk analysis goes beyond simply placing a guard on a machine that does not have one. It involves digging into the risks that you identify and understanding what the threats to your business are, and how they will impact those three pillars of your business: survival, growth, and profitability.

Risk severity. How will this risk affect your business?

When looking at risk severity, businesses should think of both short- and long-term risks.

Paul broke identified risk down into three severity levels:

  1. It’ll shut the business down
  2. It will slow the business down
  3. It will have a low impact.

For example, if your business experiences one back injury, the short-term risk may not be that large. However, if you review the injuries from a long-term point of view and find that you have had 5, 6, or 7 back injuries and your experience modification increases, your insurance costs increase, or your exposure to OSHA goes up, those back injuries may pose a larger risk in the long-term than they do in the short-term.

Risk probability. What are the chances of this happening?

While considering the probability of something happening, also think of the severity of that event and how greatly it would affect your business. If it might happen, how often will it happen? What is the severity of the event? Even if it is unlikely to happen, is there a very high severity? That may be an event that you should keep your eye on and focus more energy towards.

For example, your business may have a production process that uses some slightly hazardous chemicals. Are they controlled properly? What are the chances of something going wrong? Is it an old system that needs to be upgraded? Or is it a brand-new system that is very well managed?

Below is a chart used to demonstrate how to assess risk, decide what risks to address first, and how to move forward with certain opportunities.

Risk Assessment

| | High Probability | Low Probability |
|---|---|---|
| High Severity | You may have to tackle these first. | You may want to tackle these second, as they can potentially have the biggest impact on your organization, even though the probability is comparatively lower. |
| Low Severity | How you address this will depend on the cumulative effect that this risk will have on your organization. | These risks go at the bottom of the list. However, they still need to be monitored. It is very difficult to predict when the low probability or severity will change to high probability or severity. |

As you identify present risks and anticipate others, analyze them, assess what could happen, assess the probability of them happening, and then prioritize them for your organization.

Risk management. We can’t escape risk; it is inherent to life. But what can you do to make risks “acceptable”? Though we can’t entirely eliminate risks, the goal is to prevent them from threatening your survival, growth, or profitability.

Risk avoidance. Let’s not do that.

Although a situation may have a great opportunity associated with it, it also may have a significant risk that, right now, your company cannot afford to take. Therefore, the best option in this situation may be to avoid the opportunity and risk altogether.

Risk transfer. Let someone else take that risk.

When you have identified an event that has a high risk to your company and it is not a risk that you are willing to take, you can have someone else take that risk. The responsibility of the end product or outcome may still fall with your company, but the risk of a part of the operation may be offloaded.

Risk transfer is a common mechanism in the construction and manufacturing industries, where it is often used with subcontractors and vendors. Using vendors or purchasing insurance are both examples of risk transfer.

OneGroup hosted a 101 webinar in April of last year with contractual risk transfer experts Kirsten Shepard and John Schmitt who spoke on the topic of risk transfer and how it can be beneficial to your business.

Risk control. What can you do to make the risk more acceptable?

Risk control is evaluating a situation, process, operation, or a product that your business manufactures, in conjunction with the risk associated with it, and reducing or eliminating that risk as much as possible through engineering, administrative or other means, to a level you are comfortable with and can accept.

For example, a construction site has construction workers working in an eight-to-ten-foot ditch. The risk associated with that situation is that the ditch could cave in and bury the workers in it. There are different risk controls for this situation. These controls can include trench boxes, trench supports, working outside of the trench, having methods of getting in and out of the trench, or even having administrative personnel on site to investigate the soils to assess the risk of the trench caving in and offer alternatives if needed.

Risk acceptance. I can live with that.

Risk acceptance can be the end result of combining the three previous mechanisms. It can also be assessing the risk identified and making the decision that, in a certain position and given the present opportunity, your business can sustain that risk with minor or no disruption.

These four risk management mechanisms can be used on their own, or in combination with one another. Because not all mechanisms will apply to all situations, they are not listed in any order based on priority, importance, etc.

Without risk, there is no opportunity. Many times, we hear about risk as a bad thing. Risk itself isn’t necessarily a bad thing; poorly managed risk is a bad thing.

If, as a business, you want to survive, grow and profit, you have to look for opportunities to do so. However, with those opportunities comes inevitable risk. Sometimes, opportunities that generate more high-value outcomes, higher revenues, more sustainability, and more stability in an organization carry more risk.

Avoid the “find it, fix it” mentality. To effectively progress as a company, certain losses may be avoidable with proper risk management techniques. The “find it, fix it” mentality is one where problems are fixed as they arise. However, if the risk is not managed to prevent reoccurrence, it will repeat and eventually instigate loss. The objective of effective risk management is to find a long-term solution to a problem.

Paul gave an example of a guard that continuously falls off of a machine. A company operating under the “find it, fix it” mentality will put the guard back onto the machine over and over again, without discovering why the guard is being removed. An effectively managed organization will identify why the guard is off the machine and solve that problem.

The issue comes from how that organization is managing the risk associated with having machine operations.

If you want to be successful, you must manage to a solution, not just to a fix. A fix is thought of as a short-term problem solver, whereas finding a true solution takes management, organizational, and systemic changes. There is a very direct correlation between companies that dive in and truly manage the risks they have and success, and between companies that don’t and failure.

Do it already. The best step is the first step. Having an effective risk management program requires work and can be overwhelming. Start by taking an hour a day to just think about risk; it will become a lot easier once you start.

Integrate safety and risk management into the daily functions of your business. In many organizations, safety and risk management happen outside of the production process.

For example, productivity and quality are embedded in the day-to-day operation for front-line workers, while safety and risk management are relegated to once-a-month safety committee meetings and safety training intended to remind employees of proper safety protocols. Because these measures are not integrated with everyday operations, their effectiveness is compromised.

Organizations that truly succeed have integrated safety and risk management into their day-to-day operations.

Find your comfort zone. When it comes to risk management and decisions, ultimately, it is your decision. 

Risk is inevitable. At any given time, things can change. Maybe your business loses a supplier, maybe the marketplace changes, maybe there is a natural disaster. Whatever the case may be, things are always changing.

Risk is fickle, complex, and interdependent. So, risk should constantly be looked at as it is constantly changing. No matter how many things change on a day-to-day basis, one thing remains the same – risk is inevitable. How you manage that risk determines your success as a business.

At OneGroup, risk management is one of our priorities and areas of expertise. We are here to help you identify, assess, and manage your existing risk, as well as help you prepare for the inevitable risk in the future. If you have questions regarding this webinar or your company’s risk management program, please email Paul Coderre or reach out to one of our experts here.

Thank you to all who have tuned in to OneGroup’s 101 Webinar Series throughout this past year. Keep an eye out for topics and more information regarding OneGroup’s 101 Webinar Series in 2024!


This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem. Please refer to your policy contract for any specific information or questions on applicability of coverage.

Please note coverage cannot be bound or a claim reported without written acknowledgment from a OneGroup Representative.