Risk 360

Managing the risks embedded in business decisions

“Decision making is an art only until the person understands the science.” – Pearl Zhu


Business is all about making decisions, all the time. Strategy formulation and execution involve making numerous decisions and managing their consequences. Strategy selection is about making choices, evaluating alternative options, and deciding on acceptable trade-offs. Likewise, strategy implementation actively involves taking decisions. There are risks inherent in every decision, and therefore risk management is imperative when taking business decisions. Since decision making is a pervasive activity in any business, proactively managing the risks in every decision enables the sustainable achievement of business objectives.


Once the impact of the risks embedded in a business decision is understood, it becomes possible to make an appropriate choice in the given context. A deep understanding of risks also enables the identification of opportunities in the strategic context. Risk-assessed decision making involves the following action steps –


Step 1 – Risk identification

Step 2 – Assessment of the risk severity, and

Step 3 – Implementing an appropriate risk response


I will rely on the COSO 2017 ERM framework to illustrate the application of risk-assessed decision-making principles in the context of a project contracting business.


Step 1 – Risk identification


Principle 10 of the COSO 2017 ERM framework covers the identification of new, emerging, and changing risks to the achievement of the entity’s strategic and business objectives. In a project contracting business, risks can arise or change due to changes in the business context, such as the economic environment and capital expenditure cycles. There could also be risks that were previously identified but have since changed in character because the business context has changed. For example, an increase in customer delinquency risk following a change in the customer’s credit profile over the contract execution period could be one such risk. Maintaining an inventory of the operating risks associated with a project contracting business is a useful practice. Some examples of these risks in this kind of business are business cyclicality, project scoping and design changes, time and cost overruns, credit exposure, receivables management, contract execution, potential frauds, regulatory compliance, safety and accidents, and so on.


Identification of the risks inherent in a project contracting business is generally not a static exercise. Emerging risks in these businesses arise when the business context changes. Risk identification at the time of deciding whether to accept a project contract has multiple implications. For example, before deciding to bid for a particular project, risks specific to that business sector, or the risks arising from the commercial terms on offer, might need to be considered closely.


Inadequate risk identification, or a failure to identify risks at all, could result in situations in which a binding contract creates onerous exposures for the firm over time. In the Indian context, there are several examples of contracting firms that became financially impaired due to inadequate risk identification at the contract acceptance stage. Having time to assess a risk allows the organization to anticipate the risk response, or to review the entity’s strategic and business objectives as necessary.


“Good decisions come from experience. Experience comes from making bad decisions.” – Mark Twain


Step 2 – Assessment of risk severity


Risks identified in an entity’s risk inventory are assessed to understand the severity of each risk to the achievement of the strategic and business objectives. The selection of appropriate risk responses depends on the depth of this assessment. Principle 11 of the COSO 2017 ERM Framework suggests that once the severity of a risk is understood, managers can decide on the resources and investment to deploy so that the risk remains within the acceptable appetite.


Let us examine the assessment of risk severity in the context of our earlier example of the project contracting business. The risk of inaccurate project scoping or estimation, and its associated impact on profitability, was identified as an important operating risk. In a situation where the project was offered on a lump sum, fixed price basis, any scope or design change might result in both cost and time overruns. Also, the cost of rework or additional work might cause irreparable economic harm to the entity if the project is of a substantially large value.


The severity of the risk of cost overrun could prove catastrophic for the organization and may even erode its net worth. Therefore, at the time of signing up to the tender documents, or at the time of submitting the project bid, it is important to assess the risk severity and introduce appropriate conditions, exclusions, price variation terms, and protective clauses to cover design or scope changes attributable to the customer, and so on. Risk severity might even influence the decision on whether to go ahead with the contract bid at all.


It is important to assess potential risk severity in terms of both the impact and the likelihood of the risk materializing. Impact describes the result or effect of a risk; it may be positive or negative relative to the strategy or business objectives. Likelihood represents the possibility of a risk occurring, and is usually understood in terms of the probability or frequency of such an occurrence.


Therefore, the identification of inherent risks and the ability to estimate or assess their potential severity are the essential foundational steps that determine the effectiveness of the third step in this process, which is mitigating the risk.


“Sometimes you make the right decision, sometimes you make the decision right.” – Phil McGraw


Step 3 – Implementing an appropriate risk response


Principle 13 of the COSO 2017 ERM Framework guides the identification and selection of the appropriate risk response. Once the inherent risks in a business decision have been identified and their severity adequately considered, management needs to select and deploy a suitable risk response. Identifying the appropriate risk response is a vital element of the risk-assessed decision-making process. Risk responses usually fall within five categories: accept, avoid, pursue, reduce, or share.


Taking our project contracting business example forward, let us assume that the risks of scoping changes or time overruns in a fixed price contract were identified as risks with high inherent severity. Quantifying the potential risk outcomes would enable the selection of the most appropriate risk response. If the project is materially large, then the appropriate risk response could well be to avoid the contract if the terms are onerous due to uncontrollable elements. Avoidance is generally chosen when the entity is unable to identify a response that would reduce the risk to an acceptable level of severity.


However, there could be ways of reducing the risk severity in this example. The customer might agree to grant a price escalation claim should a time delay occur for reasons beyond the contractual control of the service provider. Similarly, design or scope changes triggered by the customer could be carved out as an exception to the contract terms. In this way, the risk of time or cost overruns in a fixed price contract is reduced to causes well within the operating control of the contractor or service provider. By ensuring that those operating controls are adequate and functioning effectively, the entity can significantly reduce the risk arising from such contracts.


The entity might also decide to revise its business objectives given the severity of the identified risks and its tolerance for them. If fixed price contracts of a materially large value cannot be mitigated adequately, the entity might consider developing business opportunities across a few other customer segments rather than continuing to pursue opportunities in riskier customer segments.


In conclusion, a structured understanding of the risks inherent in all business decisions almost always ensures that an equally well-calibrated risk response can be identified and put into action. It is always advisable to treat the risk response as part of standard business operating processes, so that responses become deeply ingrained in and integrated with the operating environment.


“It’s in your moments of decision that your destiny is shaped.” – Anthony Robbins

Blog Author: Neeraj Basur, FCA, ACS, CMIRM (IRM Level 4 qualified), Chief Financial Officer, Trent Limited

