Though we've been trying to perfect it for hundreds of years, it appears that the 1983 Tom Cruise film hit the nail on the head: Business is risky. And with the increasing dependency of businesses on technology to maintain and advance their organizations, the risks - and the stakes - are greater than ever.
This raises the question: How should organizations manage their risks?
According to analysts, effective risk management is a multistep process.
"Having a really thorough understanding of what you have is the most important step (in good risk management)," says Dennis Gaughan, an analyst at AMR Research Inc. in Boston. "In a lot of cases, the exposures that come up and bite you are because of things you weren't aware of. So really just understanding what all the different pieces are and how they all fit together is an important component of mitigating risk."
For instance, a company plans to build a data center, but there's a 90 percent chance that the project won't be completed on time.
The company then needs to look at the various costs associated with mitigating that risk. It may choose to spend more money to pay contractors who can get the job done faster. Or, if the risk of completing the project late is deemed too great, the company may decide to push back the deadline. That decision would force the business to estimate potential lost revenue or productivity losses, as well as calculate the costs associated with extending the deadline for the project.
George Vrabel, senior vice president and senior director of technology audits at Charlotte, N.C.-based Bank of America Corp., agrees that self-awareness is key. "You have to recognize what the business is trying to do," he says. "I need to be able to look at that broad picture. I like to think I need to look at the trees and the forest at the same time."
But being self-aware is only the first step in effective risk management for companies. Another crucial component is planning for possible failures. It may sound simple, but analysts say that in the course of operating and maintaining a business, it's an often overlooked task.
"What a lot of people don't do is really plan for the inevitable failure and really take steps in understanding what it's going to take to recover from failure," says Gaughan.
From an information technology perspective, he says, risk management includes minimizing an organization's exposure to downtime or loss of service from its IT systems or processes.
From a business process standpoint, risk management is more about managing a "portfolio of systems and projects" in order to maximize financial returns on those investments and minimize the potential for conflicts and delays, Gaughan says.
Once a business has recognized what its potential risks are, it's equally important to evaluate how costly those risks can be - and, therefore, how much time and money should be invested in mitigating those risks. That process - known as business impact analysis - is another crucial component of effective risk management for companies.
"A business impact analysis really helps define what a company's losses would be," says Chuck Wachter, manager of disaster recovery at Carlson Cos., a Minneapolis-based company focused on travel, hospitality and marketing. "If you were to have a power outage, even as short as 15 minutes, what are your financial impacts, what are your nonfinancial impacts, how are your customers affected, how is your industry image affected?"
Once companies have determined what their risks are and what their losses might be, they must then decide whether or not to address each risk. To do so, companies consider the size of the risk and its consequences to the organization.
"You might choose to accept greater risk of failure because there's greater reward," says Frank Prince, an analyst at Forrester Research Inc. in Cambridge, Mass.
For example, a mail-order gift business evaluates the risks of launching a Web site in time for the holidays. Though there are many risks involved with the project - including the possibility that the Web site might not generate adequate sales volume and may result in a loss on the project investment - the potential rewards of operating an online business during the busy holiday shopping season might be great enough for the company to decide to go forward.
If, on the other hand, a particular risk is relatively unlikely but the potential cost to the company is great, then the organization might choose to address the issue in advance. For example, an Arizona-based IT service provider is unlikely to suffer power outages due to hurricanes or earthquakes. But since the company's financial losses or liability resulting from a power outage could be significant, it might decide to install a backup power system to protect itself.
In the end, many analysts and specialists agree that failing to address risk management is perhaps the greatest risk of all for a company.
"What you wind up doing is fighting a lot of fires," says Leonore Abordo, a product process manager at Redmond, Wash.-based AT&T Wireless Group. "With businesses, time is always of the essence, and it is not uncommon, in my observation, to see the time consciousness shortchange a lot of the planning.
"(People say,) 'Oh, we'll just figure it out as we go. We'll cross that bridge when we come to it' - not recognizing that there are multiple bridges, and some of them are already falling down," Abordo says.
Wieder is a freelance writer in Boston. Contact her at firstname.lastname@example.org.
Risk management is the process in which potential risks to a business are identified, analyzed and mitigated, along with the process of balancing the cost of protecting the company against a risk vs. the cost of exposure to that risk.