Corporate planning is one of the most important tasks of the management and serves the presentation and calculation of possible future developments. Making the future plannable depends on a number of variables: one of these variables is risk. Risk always includes opportunities. The higher the risk, the higher the chances. Nevertheless, dealing with risk often causes discomfort or uncertainty in an organization. It can be overcome with a risk management system.
Table of contents
- 1. Identify risk types
- 2. Create a risk matrix
- 3. Planning risk
- 4. Operational risk management – Internal Control System
- 5. Conclusion
Every planning process and every planning usually ends in a calculated future variant. From the infinite possibilities of future developments, the most probable variant (or most relevant entrepreneurial variant) must be found in the planning process. Often only single risks are considered in the planning process. Often the planners try to plan the “least risky” or “safest” variant. The planning process should encourage creativity and spur the organization on to new top performances.
So how should risk be considered in the planning process?
1. Identify risk types
At the beginning of a risk-oriented planning process is the examination of the possible risks. The risks must be identified so that planning methods can respond to the identified risks in a later step.
To determine the risks, it is advisable to consider the risk levels a) cost centers, b) cost types and c) processes and then to assess external and internal risks for the company. The possible risks are presented below, broken down by the so-called value dimensions:
Risks of the value dimension economy are:
Competition risk, customer demand risk, technological innovation risk, interest rate risk, exchange rate risk, equity risk, purchase price risk. Commodity price risk, risk of financial instruments, liquidity risk, concentration risk and dependency risk (dependence on suppliers and customers. Budget and planning risk, risk of incorrect accounting data, defective purchased products, etc.
Risks of the social value dimension:
Qualification risk, risk of inadequate learning, personnel development risks, demographic risk, management risk, remuneration risks, burn-out risks, retirement risks, etc
Risks of the value dimension environment are:
Environmental risks, efficiency risk, capacity risk, production risk, health and safety risks, resource procurement risk, emission risks, etc.
Risks of the value dimension compliance are:
Corruption risk, embezzlement risk, risk of lack of regulation of authority, external access risk – risk of burglary, outsourcing risk, incentive risk. Communication risk, fraud risk by management, fraud risk by employees, risk of illegal activities, risk of damage to reputation, IT risks, etc.
To consider the multitude of risks individually in the planning process leads to long planning processes and will not result in the desired planning quality. How can or should these risks be adequately considered in the planning process and thus minimize the risk of planning errors?
2. Create a risk matrix
With a risk matrix, the essential risks for the company can be presented simply and transparently:
2.1 Traditional risk matrix
The traditional risk matrix shows on the X axis the amount of damage and on the Y axis the probability of occurrence of a risk type. As a rule, only the direct, entrepreneurial risks of a company form the basis of this analysis.
The potential damage is calculated on the basis of the gross risk. From which the so-called security measures (e.g. insurances, etc.) are deducted. The resulting net risks then form the basis of the valuation.
The net risks are plotted on the axis of the amount of damage and the probability of occurrence on the other axis. In addition, the matrix points can be weighted according to a third criterion (e.g. relevance) and displayed as circles of different sizes.
The critical risks (high level of damage and high probability of occurrence) must then be taken into account in the planning.
2.2 Prioritization of risk according to GRI guidelines
While the traditional risk matrix only refers to corporate risks, prioritization according to the guidelines of the Global Reporting Initiative (GRI) makes it possible to include social risks in the analysis. Thus, the X-axis shows the assessments of the company’s economic, environmental and social impact, and the Y-axis shows the relevance for stakeholders, i.e. the influence on the assessments and decisions of stakeholders.
In this view, the view of the stakeholders (interest groups, stakeholders) is included in the risk assessment. This means that the external view (the social impact of the company) is taken into account in the risk assessment. The stakeholder discussion should be conducted with the main groups according to a standardized process. Whether or not a stakeholder is essential for a company should be assessed according to how strongly an organization/group/resource is affected by the company’s impacts and how strongly the stakeholders are dependent on the company. The greater the dependence, the higher the materiality.
The prioritization of risks according to the guidelines of the Global Reporting Initiative leads to a comprehensive assessment of the company’s risks from a business and social perspective.
3. Planning risk
Once the most important risks have been determined, risk can be integrated into planning using the following planning methods:
3.1 Scenario planning
Scenario planning allows the creation of several variants of the future by evaluating the characteristics of critical value drivers differently and condensing them into scenarios. The scenarios thus help to make the future plannable. The process steps for creating the scenarios are:
Definition of the critical drivers
The value drivers that can cause changes are identified. Each driver is evaluated according to the significance of its impact and probability. The drivers with the highest entry risks, which also have the greatest impact, are used for scenario planning.
Determination of the scenarios
The assessed value drivers are combined into scenarios. IdR 3-5 critical drivers are considered in one scenario. In the first step, it is recommended to determine the maximum values of the drivers and then to develop the scenarios from these values.
Description of the scenarios
The scenarios are described and in particular the different characteristic values (market, etc.) and trends are worked out. Afterwards a description of the differences with examples follows.
Definition of the planning horizons
Essential for the senario analysis is also the determination of the temporal relevance. Therefore temporal overlaps of the different scenarios have to be defined and the relevant time periods for the drivers have to be recorded.
Monetary evaluation of the scenarios
Finally, the monetary differences of the scenarios are determined as well as a detailed evaluation of the scenarios (market, sales, etc) and a comparison of the scenarios. Scenario planning thus leads to a presentation of different development possibilities of the company and shows the risks and possibilities in a comprehensive way.
3.2 Planning with probabilities
Probabilities can be attached to the planning values. This can result in planning variants with different probabilities, They can be calculated using a Monte Carlo simulation or other calculation models.
The Monte Carlo simulation calculates probable results on the basis of statistical probability distributions of various value drivers and thus delivers probability results of possible events. There are already several providers who have realized this in MS-Excel.
3.3 Consideration of risk at a higher level (by the management)
Another option is to have the probability of the plan being implemented assessed by top management. The employees plan the most probable variant, and top management then takes the risk components into account. Since the managing directors usually have a good overview of the entire company, risks can be assessed easily and quickly with this variant.
3.4 Explicit planning of individual risks
In addition, risk pools can be created for individual risk types, which are then incorporated into the planning process with an effect on profit: e.g. a separate pool for currency risk, PR risk, etc. The risk pots are considered and evaluated in the planning like provisions. A top-down-bottom-up approach is recommended. In the interaction of the top-down – bottom-up process, the main risks are discussed and evaluated between headquarters and subsidiaries. The discussion process leads to a joint evaluation of the risks.
It can be assumed that this process is more time-consuming. However it leads to a better common understanding and considers opportunities and risks equally.
3.5 Risk reduction by planning financial and non-financial parameters and measures
The planning quality of a budget/forecast/business plan is significantly improved if the planning of financial parameters is based on value drivers of the company. In addition, project-oriented project planning can be achieved by planning measures. This enables corporate management to take better and more explicit care of individual risks and management can, for example, receive ongoing reports on countermeasures.
To plan only financial parameters bears the risk that deviations from the plan cannot be sufficiently analyzed and that it cannot be determined whether or which risks have become relevant.
3.6 Consideration of entrepreneurial and social risks
Risk planning should not only include direct entrepreneurial risks, but also the risks that could arise for the company and fall back on the company. The risk assessment should therefore include internal and external risks and include social risks.
The so-called “licence-to-operate” of a company is nowadays defined not only by legal framework conditions but also by appropriate entrepreneurial behaviour. Which is why the consideration of social impacts in the risk process will play an increasingly important role.
4. Operational risk management – Internal Control System
The risks identified in the planning must subsequently be monitored in day-to-day business and reduced as far as possible. This is usually possible through operational risk management, which can be based on a well-documented ICS. The Internal Control System (ICS) comprises all methods and measures that are implemented in the company according to plan, a) to safeguard the company’s assets b) to increase operational efficiency and thus profitability c) to ensure the reliability of accounting and reporting and d) to ensure compliance with the prescribed business guidelines and legal requirements. The ICS usually describes the following control loops: 1) who is responsible for the control loop, 2) what type of control loop is involved (person-assisted control loop or IT-assisted control loop), 3) how often this control loop is checked and 4) in which area the control loop is applied. The ICS is primarily used for process-oriented risk avoidance.
5. Conclusion
Explicit consideration of risk in planning and consideration of risks in operational risk management makes risk plannable and controllable. The large number of risks always includes a variety of opportunities, which must be considered in a structured way in the planning process. A one-dimensional planning without sufficient consideration of risks/opportunities often leads to a lack of understanding in case of deviations from the plan. Deviations from the plan are natural developments, which can be reacted to more quickly and with a cool head by good preparation in the planning process. The quality of a plan does not normally manifest itself in the smallest possible deviation, but rather in how well risk areas have been identified and how quickly deviations can be reacted to. Contact us to set-up your planning process.
Related Links:
