:max_bytes(150000):strip_icc()/wk_headshot_aug_2018_02__william_kenton-5bfc261446e0fb005118afc9.jpg)
:max_bytes(150000):strip_icc()/risk-control.asp-Final-d0dc2b8f24dd401c8cdc8cbd5ee12b33.jpg)
What Is Risk Control?
Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or eliminate such threats. It is a technique that utilizes findings from risk assessments, which involve identifying potential risk factors in a company's operations, such as technical and non-technical aspects of the business, financial policies and other issues that may affect the well-being of the firm.
Risk control also implements proactive changes to reduce risk in these areas. Risk control thus helps companies limit loss. Risk control is a key component of a company's enterprise risk management (ERM) protocol.
Key Takeaways
- Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or eliminate such threats. It is a technique that utilizes findings from risk assessments.
- The goal is to identify and reduce potential risk factors in a company's operations, such as technical and non-technical aspects of the business, financial policies and other issues that may affect the well-being of the firm.
- Risk control methods include avoidance, loss prevention, loss reduction, separation, duplication, and diversification.
How Risk Control Works
Modern businesses face a diverse collection of obstacles, competitors, and potential dangers. Risk control is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives. The core concepts of risk control include:
- Avoidance is the best method of loss control. For example, after discovering that a chemical used in manufacturing a company’s goods is dangerous for the workers, a factory owner finds a safe substitute chemical to protect the workers’ health. Avoidance, however, is not always possible.
- Loss prevention accepts a risk but attempts to minimize the loss rather than eliminate it. For example, inventory stored in a warehouse is susceptible to theft. Since there is no way to avoid it, a loss prevention program is put in place. The program includes patrolling security guards, video cameras and secured storage facilities. Insurance is another example of risk prevention that is outsourced to a third party by contract.
- Loss reduction accepts the risk and seeks to limit losses when a threat occurs. For example, a company storing flammable material in a warehouse installs state-of-the-art water sprinklers for minimizing damage in case of fire.
- Separation involves dispersing key assets so that catastrophic events at one location affect the business only at that location. If all assets were in the same place, the business would face more serious issues. For example, a company utilizes a geographically diverse workforce so that production may continue when issues arise at one warehouse.
- Duplication involves creating a backup plan, often by using technology. For example, because information system server failure would stop a company’s operations, a backup server is readily available in case the primary server fails.
- Diversification allocates business resources for creating multiple lines of business offering a variety of products or services in different industries. A significant revenue loss from one line will not result in irreparable harm to the company’s bottom line. For example, in addition to serving food, a restaurant has grocery stores carry its line of salad dressings, marinades, and sauces.
No one risk control technique will be a golden bullet to keep a company free from potential harm. In practice, these techniques are used in tandem with others to varying degrees and will change as the corporation grows, as the economy changes, and as the competitive landscape shifts.
Utilizing a Risk and Control Matrix (RACM) for Effective Risk Management
A Risk and Control Matrix (RACM) is a valuable tool used by organizations to better understand and optimize their risk profiles. It is a structured approach that helps companies identify, assess, and manage risks by mapping the relationships between potential risks and the corresponding control measures implemented to mitigate them. The RACM allows organizations to visualize and evaluate the effectiveness of their risk control strategies and make data-driven decisions to enhance their risk management practices.
The RACM typically includes the following components:
- Risk identification: The matrix lists all the potential risks an organization may face, often categorized by business areas, processes, or functions.
- Risk assessment: Each identified risk is assessed based on its likelihood of occurrence and potential impact on the organization. This assessment helps prioritize risks and focus resources on the most critical areas.
- Control measures: For each risk, the matrix outlines the specific control measures implemented to mitigate or reduce the likelihood and impact of the risk. These measures can include policies, procedures, systems, or other mechanisms designed to manage the risk.
- Control effectiveness: The RACM evaluates the effectiveness of each control measure, taking into account factors such as the level of compliance, the adequacy of the control design, and the control's ability to detect or prevent the risk from materializing.
- Action plans: Based on the assessment of control effectiveness, the matrix may include action plans for improving risk control measures or addressing identified gaps in the organization's risk management practices.
By creating and maintaining an up-to-date RACM, organizations can gain a comprehensive understanding of their risk landscape and the effectiveness of their risk control measures. This information can inform strategic decision-making, guide resource allocation, and support continuous improvement in risk management practices.
RCAM Example
| Example of a Hypothetical RCAM | |||||||
|---|---|---|---|---|---|---|---|
| Business Area | Risk Description | Likelihood | Impact | Risk Rating | Control Measure | Control Effectiveness | Action Plan |
| Finance | Fraudulent transactions | Medium | High | High | Implement strong access controls | Effective | Regularly review access controls |
| Regular audits and reconciliations | Effective | Increase audit frequency | |||||
| HR | Employee data breach | Low | High | Medium | Secure storage and encryption of data | Effective | Monitor for new security threats |
| Employee training on data privacy practices | Partially effective | Enhance training program | |||||
| Operations | Supply chain disruption | High | High | High | Diversify suppliers and sources | Effective | Expand supplier network |
| Maintain inventory safety stock | Effective | Adjust safety stock levels | |||||
| IT | Cybersecurity attacks | High | High | High | Regular security updates and patches | Effective | Increase frequency of updates |
| Employee training on cybersecurity practices | Partially effective | Improve training content | |||||
This RCAM example outlines different risk categories, such as Finance, HR, Operations, and IT, and includes specific risks within each category. The likelihood and impact of each risk are assessed, leading to an overall risk rating. Control measures are then listed, along with an evaluation of their effectiveness. Finally, action plans are proposed to enhance risk control measures or address identified gaps in risk management.
Keep in mind that this is just a simplified example, and an actual RACM for an organization would likely be more detailed and cover a broader range of risks and controls.
Examples of Risk Control
Sumitomo Electric and Disaster Resilience
As part of Sumitomo Electric’s risk management efforts, the company developed business continuity plans (BCPs) in fiscal 2008 as a means of ensuring that core business activities could continue in the event of a disaster. The BCPs played a role in responding to issues caused by the Great East Japan earthquake that occurred in March 2011. Because the quake caused massive damage on an unprecedented scale, far surpassing the damage assumed in the BCPs, some areas of the plans did not reach their goals.
Based on lessons learned from the company’s response to the earthquake, executives continue promoting practical drills and training programs, confirming the effectiveness of the plans and improving them as needed.
British Petroleum Oil Spill
British Petroleum (BP) has implemented several risk control measures following the Deepwater Horizon oil spill in 2010, which was one of the largest environmental disasters in history. As a result of the spill, BP was subject to a $20.8 billion settlement with the U.S. government and five Gulf states in 2015. The company has since strengthened its risk management approach to prevent similar incidents in the future.
BP has focused on improving its safety culture, including conducting regular safety training and drills for employees, investing in advanced technology for better monitoring and control of drilling operations, and implementing rigorous safety standards across its global operations. The company has also adopted a systematic approach to risk assessment and management, which involves identifying, evaluating, and prioritizing risks and developing tailored risk control strategies to mitigate potential impacts.
Moreover, BP has increased its efforts to promote transparency and stakeholder engagement. The company now publishes an annual sustainability report that provides detailed information on its safety, environmental, and social performance, as well as its progress in implementing risk control measures. This openness allows stakeholders to hold the company accountable for its actions and fosters a culture of continuous improvement in risk management.
Starbucks' Supply Chain
Starbucks, a leading global coffee retailer, has implemented various risk control measures to manage its supply chain risks. The company sources coffee beans from multiple regions worldwide, making it vulnerable to fluctuations in supply and potential disruptions due to weather, political instability, or other unforeseen events.
To address these risks, Starbucks has adopted a diversified sourcing strategy, which involves procuring coffee beans from a wide range of suppliers across different regions. This approach helps the company reduce its reliance on any single supplier or region, ensuring a steady supply of raw materials and minimizing the impact of potential disruptions.
Furthermore, Starbucks has established a comprehensive set of supply chain standards, known as the Coffee and Farmer Equity (C.A.F.E.) Practices. These standards cover various aspects of coffee production, including quality, environmental sustainability, and social responsibility. By working closely with its suppliers and conducting regular audits, Starbucks can ensure compliance with these standards, thereby minimizing the risk of reputational damage and potential supply chain disruptions.
In addition, Starbucks uses advanced supply chain management software to monitor its global supply chain in real-time, enabling the company to identify potential risks early and take appropriate action to mitigate them. This proactive approach to risk control has helped Starbucks maintain its reputation for high-quality coffee and build a resilient, sustainable supply chain that supports its continued growth.
How Does Risk Control Differ from Risk Management?
Risk control is a subset of risk management. While risk management is the overarching process of identifying, assessing, and prioritizing risks to an organization, risk control focuses specifically on implementing strategies to mitigate or eliminate the identified risks. Risk management typically involves the development of an overall risk management plan, whereas risk control addresses the techniques and tactics employed to minimize potential losses and protect the organization.
Can a Company Eliminate All of Its Risks Through Risk Control?
No, it is not possible to eliminate all risks completely. Risk control aims to minimize and manage risks, but it cannot remove them entirely. Some risks are inherent in the business environment or the nature of the industry, while others may arise from unforeseen circumstances. The goal of risk control is to reduce the likelihood and potential impact of risks on the organization, helping to build resilience and maintain stability in the face of uncertainty.
How Can Companies Identify Emerging Risks?
Emerging risks can be challenging to identify, as they often involve novel or rapidly changing situations. Companies can employ various strategies to detect and monitor emerging risks, such as:
- Keeping up-to-date on industry trends, news, and research to identify potential risks on the horizon.
- Engaging in scenario planning to consider possible future developments and their implications for the organization.
- Utilizing big data analytics and artificial intelligence tools to analyze large datasets and identify patterns or trends that may signal emerging risks.
- Encouraging a culture of open communication and collaboration, enabling employees to share insights and concerns about potential risks.
- Establishing a dedicated risk management team responsible for monitoring and responding to emerging risks.
How Does Risk Control Relate to Corporate Social Responsibility?
Risk control and corporate social responsibility (CSR) are interconnected in several ways. By implementing risk control measures, companies can minimize potential harm to stakeholders, such as employees, customers, and the environment. This proactive approach to risk management aligns with the principles of CSR, which emphasize the importance of ethical and sustainable business practices. Additionally, effective risk control can help protect a company's reputation and maintain public trust, which are crucial aspects of CSR. In short, risk control is an essential component of a comprehensive CSR strategy, as it helps companies meet their social, environmental, and ethical obligations while ensuring long-term success and sustainability.
The Bottom Line
Risk control is a critical part of modern business management, enabling companies to identify, assess, and mitigate potential hazards and threats to their operations and objectives. By implementing a combination of risk control techniques, such as avoidance, loss prevention, loss reduction, separation, duplication, and diversification, businesses can minimize their exposure to risks and enhance their resilience. Real-world examples, such as British Petroleum's post-Deepwater Horizon safety measures and Starbucks' supply chain management strategies, demonstrate the importance and effectiveness of robust risk control measures. As the business environment continues to evolve, companies must remain vigilant and adaptive in their risk control efforts to ensure long-term success and sustainability.
:max_bytes(150000):strip_icc()/GettyImages-941224330-2288e8f44c194b39a45f493aa497bc69.jpg)
:max_bytes(150000):strip_icc()/TypesofInvestmentRisk-5684887a5f9b586a9e0bdf97.jpg)
:max_bytes(150000):strip_icc()/BusinessPlanMeeting-570270145f9b5861953a6732.jpg)
:max_bytes(150000):strip_icc()/operational_risk.asp-Final-4be32b4ee5c74958b22dfddd7262966f.png)
:max_bytes(150000):strip_icc()/Enterprise-risk-management_final-3fb67ffdaafb4d3b879de7a0940f6fe7.png)
:max_bytes(150000):strip_icc()/GettyImages-699097517-b8f6702242014777a4254c4d718e7118.jpg)