

Analytics Magazine

Risk Management: The Agile Enterprise

January/February 2010


Integrated business planning for mitigating risk.


By Jeff Rice and Stephen Franks

Business as usual is a thing of the past. Political transformation, increasing governmental mandates, fluctuating energy prices and increasing competition are just a few of the factors making business anything but usual. Today, virtually all business can be deemed “risky business.” While uncertainty impacts risk, it does not necessarily make business perilous. In fact, risk is critical to any business — for nothing can improve without change — and change requires risk. Conversely, an unwavering commitment to the status quo creates even more risk. Therefore, regardless of a company’s position on risk, it must be understood and managed.

While risk is inherent to any business, its impact can vary according to a number of factors including globalization, competition, input costs, compliance, weather, exchange rates and regulations, just to name a few.

Risk can be segmented into two categories: direct and indirect. (Some companies use the terms internal and external.) Direct risks are those that the company has control over or can impact. Direct risks often pertain to the company’s labor force, supply chain, operations and competitive position. Indirect, or external, risks include factors beyond the company’s control. Interest rates, foreign exchange rates, weather and energy costs are examples of indirect risks.


Another factor affecting risk is efficiency. The age of specialization has introduced heightened levels of efficiency. For example, many manufacturing companies have successfully trimmed excess capacity to the point where production is optimally balanced with demand. While this alignment has reduced inventories and helped supply chains become leaner, it hinders a company’s ability to react when new situations, opportunities and threats occur.

Specialization, combined with functionally based operating departments (sales, operations and finance), can also mask the impact of uncertainty at the enterprise level. For example, the shop foreman might have the correct information needed for accurately estimating the downtime of a particular machine; however, he or she may not understand the machine’s impact on downstream activities. This creates uncertainty for each person managing downstream processes. In addition to the uncertainty caused by the machine’s downtime, the managers must deal with the uncertainties within their respective silos.

Rarely, if ever, do these situations create isolated yield variances. In fact, typically the opposite is true as statistical variations increase exponentially along the supply line. Consequently, senior management cannot accurately determine which process improvements will yield the highest return, nor can they determine the optimal sequence for executing these improvements. As a result, capital allocations, which are also silo-based, fail to deliver the anticipated return.

React. Reduce. Remove.

Companies, regardless of size or industry, must routinely deal with risk whether through a formal process or an informal, ad hoc process. In other words, business leaders can manage risk or allow risk to manage them. While the levels of risk and related activities vary widely among companies, the foundation for creating effective risk management strategies must include analyses and planning.

Many companies choose to react to undesired outcomes “as they occur.” While this reactive approach is a widespread practice, it is becoming less appealing as business and market volatility continue to escalate. Additionally, the reactive approach to managing risk requires companies to alter their strategies excessively. This can dilute the company’s focus and needlessly increase costs by redefining operational plans each time significant variances occur.

Given sufficient capacity and flexibility, some companies may achieve satisfactory results through reactive risk management. However, in most cases, organizations lack the ability, knowledge and systems needed to continually change courses and re-plan with confidence.

Another approach to managing risk is to reduce the risk itself, as well as its potential impact on the company. While reducing risk decreases uncertainty, it typically requires greater resources than the reactive method.

The third approach to managing risk is to remove the risk itself or its impact. At first, removing risk may appear to be the best approach to risk management. However, removing risk (or its impact) is often too costly and dilutes return on invested capital.

As illustrated in Figure 1, each approach to risk management requires time and resources, most often capital, to determine predictability. The level of investment for each approach is represented by the size of the circles. Reacting to risk as it occurs obviously requires less time and fewer resources than the alternative approaches; however, predictability is proportionately lower.

Figure 1: Three approaches to risk management, three requirements of time and resources (i.e., capital) to determine predictability.


More Risky Business

The most obvious and effective means of dealing with risk is to remove it completely. This may require substantial investments in plant and processes and may be difficult to achieve from a financial perspective. Nevertheless, enhancing a process to the point where risk is eradicated is certainly possible. For example, the Six Sigma business strategy focuses on eliminating risks resulting from product or process defects. Specifically, Six Sigma targets an efficiency rating of 99.9997 percent in terms of DPMO (defects per million opportunities). In other words, risks pertaining to defects are removed.

If the removal of risk is not economically viable, companies may opt to cushion or “buffer” processes from high levels of variance. This is most often achieved by the creation of excess capacity, providing greater flexibility or using inventory as a buffer between successive operations.

The Kanban system, invented by Taiichi Ohno at Toyota in the 1950s, uses a chain of inventory buffers to mitigate risk and variance. While buffering can be effective, managers must understand the statistical fluctuations inherent in the system. Without this insight and understanding, manufacturers cannot determine the optimal quantities needed to buffer each process.

Perhaps the Prussian Marshal Helmuth von Moltke said it best back in the mid-1800s: “First weigh the considerations, then take the risks.” While von Moltke’s succinct quote holds true today, business leaders are ill equipped when attempting to “weigh the considerations.” Businesses with ever-increasing value chains are more complex than in years past. As mentioned earlier, risk is easily managed when compartmentalized. But risk does not adhere to boundaries. Risk that began with a supplier of raw materials may quickly expand onto the shop floor; then into distribution; then the end customer, legal, compliance, and ultimately the bottom line.

Sample types of organizational risks
• Cost of Finance
  - Interest
  - Credit
  - Availability
• Foreign Exchange
• Tax
• Regulation
• Political
  - Terrorism
  - War
  - Sanctions
• Weather
• Market
  - Geography
  - Demand
  - Volatility
  - Cannibalization
• Competition
  - Pricing
  - New Products
  - Channels
• Management
  - Fund
  - Retention
  - Recruitment
• Supply
  - Cost
  - Availability
  - On-time delivery
• Production
  - Quality
  - Skills
  - Reliability
  - Availability
  - Regulatory
  - Distribution
  - Fuel Cost

As stated by von Moltke, risk management can be divided into two basic activities: weighing the available options or considerations, then taking the risk. Therefore the challenge resides in understanding the best choices within a portfolio of options. Prior to the age of specialization (and automation) business in general was far less complex. During these times companies could effectively manage risk using simple “if-then-else” logic. But complexity and volatility often work in tandem. As a result, today’s business environment requires new approaches to managing an ever-expanding assortment of risk.

Integrated Business Planning

As previously stated, managing risk is accomplished through one of three approaches: 1. react, 2. reduce or 3. remove. All three approaches or base solutions rely on a foundation of understanding. Each requires a comprehensive understanding of uncertainty. Then the potential impact of the uncertainty must be quantified in financial terms. Next the company must understand and quantify the potential impact of alternative choices, then compare each to determine the optimal course of action.

Before quantifying the risk, decision makers must understand the nature of the risk. This is accomplished through a cyclical process designed for continuous improvement. While many processes for managing risk have been introduced, most are similar to the Plan-Do-Check-Act cycle used by American statistician W. Edwards Deming.

The International Organization for Standardization presents a similar cycle in a draft of its risk management document, “ISO 31000 Risk Management: Principles and Guidelines on Implementation.” (More information is available at

As illustrated in Figure 2, after risks are assessed and evaluated, the appropriate risk treatment can be determined and implemented. Risk Treatment, as defined in ISO 31000, includes the following options:

a) avoiding the risk by deciding not to start or continue with the activity that gives rise to risk;

b) seeking an opportunity by deciding to start or continue with an activity likely to create or maintain the risk;

c) changing the likelihood;

d) changing the consequences;

e) sharing the risk with another party or parties; and

f) retaining the risk, either by choice or by default.

Figure 2: After risks are assessed and evaluated, the appropriate risk treatment can be determined and implemented.


Selecting the right treatment requires proper evaluation of the risk and accurate modeling of alternate choices or activities. In other words, both the existing risk and the alternative actions must be quantified in order to determine if the alternative approach provides greater opportunities compared to the status quo.

Enterprise optimizer risk management solution
• Holistic modeling of risk including financial and operational constraints
• Financial investigation of risk with analytical, simulation and optimization capabilities
• Scenario management and workflow to support executive review and decision-making
• Planning capability to execute strategic and operational decisions

Many solutions may require multiple treatments. For example, process network redesign may include outsourced providers, which changes the likelihood (c) and consequences (d) of the risk, as well as shares the risk with other parties (e). Multiple treatments may be found in a number of risk management activities including capital planning, inventory policy, segmentation and supplier hedging.

Understanding the Nature of Risk

In order to make effective capital planning and business decisions that mitigate the impact of risk, managers must understand the relevant risk factors, their interactions, aggregations and consequences. Obtaining this level of understanding requires managers to:

  • create a comprehensive model of the processes
  • model the risk
  • quantify (predict) the impact of each element of risk
  • analyze the operational and financial consequences of such aggregated risk
  • understand what risk areas are the most critical, then simulate the potential actions as well as the required investments.

Accomplishing this requires a sophisticated and intelligent modeling environment; one that can utilize powerful simulation and optimization techniques. This enables a simulation process which maps the statistical fluctuations of each area of risk into the model. Once the model is created, managers benefit from the rapid execution of mathematical analysis against the model, as well as creating alternative scenarios. Users can conduct hundreds of scenarios, each using hundreds of constraints and millions of variables, without having to reconstruct the model. Using rapid scenario analysis enables managers to quickly identify which scenarios will deliver the optimal solution under a given set of circumstances. For example, automakers could model and quantify the financial impact resulting from a sudden rise in oil prices. In this example, a single model would be used to simulate market conditions, distribution costs, production costs and related variables. The model, which would provide insight for decision makers across the enterprise, could also be used in determining profitability by model, by customer and by channel.

Scope of International Standard ISO 31000
International Standard ISO 31000 provides principles and generic guidelines on risk management. Any public, private or community enterprise, association, group or individual can use this International Standard. Therefore, this International Standard is not specific to any industry or sector. (Note: For convenience, all the different users of this International Standard are referred to by the general term “organization.”) This International Standard can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. This International Standard can be applied to any type of risk whatever its nature, whether having positive or negative consequences. Although this International Standard provides generic guidelines it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors and does not replace those standards.

Printed with permissions from the International Organization for Standardization.

About ISO 31000

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on organizations’ objectives is “risk.”

All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail.

While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. The standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.

Although the practice of risk management has been developed over time and within many sectors to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context. Each specific sector or application of risk management brings with it individual needs, audiences, perceptions and criteria. Therefore a key feature of this International Standard is the inclusion of “establishing the context” as an activity at the start of this generic risk management process.

Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria — all of which will help reveal and assess the nature and complexity of its risks.

Jeff Rice ( is the director of communications at River Logic, Inc. (www.riverlogic.com), a Dallas, Texas-based provider of Integrated Business Planning (IBP) and advanced business modeling solutions. Stephen Franks, Ph.D. (sfranks@, provides strategic advisory services within River Logic’s Consumer Packaged Goods and Supply Chain practices.

