We live in a changing, fast and interconnected era. Progress such as the Internet, globalization and the technologies of the Fourth Industrial Revolution are betting on erasing physical and virtual borders, unifying and integrating people and their dynamics; in spite of this, it is notorious the lack of preparation of companies, governments and people to cope with complex events. For example, the abundance of information and access to it was not enough to avoid the economic and social shock caused by the global pandemic, which took everyone by surprise.  

This volatility is far from over, and experts talk about us being in an "era of risk". However, we should not be alarmed or crumble at this idea: it is not that there was no risk in the past, but our tools for identifying, understanding and managing it were far less sophisticated, leaving many outcomes in various areas of life and business to luck (or to the will of the gods). Today, it is in our hands to identify, anticipate and manage risks, regardless of the size or financial capacity of our organizations. 

How can we do this?

First we must understand the concept of risk. A risk is anything that can generate a deviation in the trajectory of a goal, anything that jeopardizes the achievement of an objective or the integrity of an asset of value to our organization. 

Note: a risk is not necessarily a negative concept, it may also occur that, due to changes in the exchange rate, for example, we have higher profits than expected. That is a deviation from our goals, but it is a deviation that benefits us financially! 

Other key concepts when talking about risk are probability and impact.

Probability tells us about the likelihood of an event occurring and the frequency with which it could happen. Impact tells us about the financial cost of the event occurring. 

Now that we know that a risk is anything that could cause things not to go as planned, what do we need to do?

1. Identify the key activities in our company, the objectives and standards we have for each of those activities: For example, if your company manufactures beverages, it will be important that the formula always comes out with clear standards or that the bottling machine is kept well calibrated. It is also important that the inputs you use are kept at prices that allow your operation to be profitable, etc.
2. Identify the key assets in the company, those that, if compromised, could affect the continuity of the business. For example, if someone steals your inventories or hacks into your cash register, this could lead to non-compliance, financial losses and even lawsuits.
3. Identify all the possible sources of risk that could unexpectedly impair or enhance the achievement of objectives. What would put at risk if the bottling machine started to malfunction? Perhaps that the staff skips maintenance, or that the operators handle it improperly, maybe that the materials are not the recommended ones and they begin to damage the machine?
4. Apply appropriate corrective measures to reduce our probability of loss: We must calculate, even roughly, the size of the loss that we would experience if a risk was to materialize. This knowledge is going to be important, as it would not make sense to apply a measure that would cost more than the potential loss we are allegedly preventing. Risk can be assumed, transferred, avoided, prevented or protected. 

Assuming a risk means that we have already identified the risk, but we decide not to take action on it. This can happen when taking action is more expensive than the losses that could be incurred if the risk occurs. 

Transferring a risk means that we have already identified it, and we purchase insurance so that, if it materializes, the costs will be covered by a third party or at least partially covered.

To avoid a risk is to eliminate the probability of the risk occurring completely, or completely diminish its impact. For example, if we have a woodworking shop and we realize that the activity of cutting wood is hazardous, we might decide to stop performing the activity altogether and start buying the wood already cut. Or, if we have a product that has many side effects on people's health, we may decide to avoid the risk of lawsuits by eliminating the product from our portfolio.

Preventing risk is all about what is done before the risk occurs. This is when we establish company policies, standards and controls, and assign those responsible for monitoring and preventing the risk from occurring.

Finally, protection is what we do when we definitely cannot avoid the risky activity, but we seek to reduce the negative impact it could have. For example, if we have a construction firm and our workers work at heights, we make sure to protect them by giving them the equipment so that while they are doing this work, if there is an accident, it will not be fatal. 

Large companies carry out this process of identification, evaluation, quantification and treatment of risks on a constant basis, supported by state-of-the-art technologies. But to start with risk management in your SME it is enough to integrate in the mentality of all your collaborators, from managers to operatives, that awareness and sensitivity to risk, and that we constantly ask ourselves what can affect things going as planned?