How do you start a risk assessment process? The basics here are to get a cross-functional, knowledgeable group of colleagues together. Start with your functional managers, who may need to prepare for the meeting by having a similar meeting with their own teams. However you dont want to make this into a large, multi­level layered process, as you will end up with too many risks and not enough focus on the big ones.

Your group will want to categorize the risks in some meaningful way; for example, in categories such as supply risks, customer/market risks, financial risks, health, safety, and environmental risks, geopolitical risks, and people risks. There may be other categories that are appropriate for your business, too.

You also need to estimate the potential impact of each risk in financial terms. This is of course hard to do, but broad estimates are sufficient for this purpose. You dont need precision, you simply want to identify whether the risk is a $1 million risk, a $10 million risk, a $100 million risk, etc. Or pick numbers that are more suited to your business. Basically, you will be applying a high/medium/low rating to each risk, according to its potential impact.

In addition to estimating the size of the impact, you want to rate the likelihood of the risk happening. Here is where it gets tricky in my experience, and quite subjective. History may help you; for example, if the risk has never affected your business in the last 100 years, you could rate it very low, while if it has actually happened in the last five years you might rate it as high. Again, this is about creating a scale of high/medium/low which will help you to prioritize your action plans.

The final thing that your group may want to discuss and agree on is the velocity associated with each risk. How fast would it happen, if indeed it happens? As an example, the risk associated with a manufacturing plant explosion is fast in velocity, while the risk associated with a shutdown of a critical supplier facility may be much slower if it is tempered by inventory, by ability to switch suppliers, etc. As a practical matter you may want to ignore really unlikely risks such as eco-terrorism, plane crashes and the like – unless your business focus makes you more vulnerable to these for some reason (for example, if you are right next to an airport where a crash has occurred).

Once you have categorized the risks, estimated their impact and likelihood, and determined their velocity, it is worth plotting this on a four-square grid or graph, with likelihood on the x axis and impact on the y axis. This will give you a clear overview, so you can focus your efforts first on the risks in the high/high quadrant, and then progressively on the other quadrants over time.

Once this picture comes into focus, your group can move on to the real work: What can or should be done to reduce each risk, in either likelihood or impact? Here you need to decide on which of the four Ts you will do: Take, Treat, Transfer or Terminate the risk.

Take means you will continue to live with the risk, perhaps because it is very expensive (or impossible) to do anything about. Perhaps you have a plant with fencing and security cameras, but still have residual risk of someone scaling the fence and doing damage. You might evaluate the options for increasing security (full-time guards? a higher fence?) but decide the risk is worth taking.

Treat means you will do something yourself to reduce the risk. This may require you to evaluate various options which would have different costs and different levels of risk mitigation. A lube blender on the hurricane-prone Gulf Coast might store some finished product offsite on higher ground, and seek multiple qualified suppliers for the components needed to make its highest-value products, for a cushion of safety.

Transfer means you will try to push all or part of the risk onto another party, be it a supplier, a customer, a business partner, an insurer or some other party. For example, if youre exposed to too much currency risk in a country to which you export, you might seek a distributor to take that risk for you. Or, if a suppliers performance has been a problem, you might ask that supplier to hold more inventory and do so closer to your plant location.

Terminate means you will eliminate the risk because the business potential just isnt worth it. You will change how you do business in some way, or stop the risky operation, or perhaps invest in a safer process altogether.

It is important to assign specific risk-related actions to specific individuals, and then to monitor on a regular basis the progress being made on the action. Furthermore it is worthwhile to review and update the risk matrix at least annually, and whenever there is a significant change in the business environment. For example, if you sell product to a foreign country, and that country experiences a shift in business climate or political regime, you should reevaluate the risk in

the light of this new information.

Another thing to keep in mind is that you may find that you need to start asking your suppliers, customers and other business partners more questions, as you may not really understand the risks up and down the entire chain. You may never be able to understand these fully – but your questions may spur action on others parts if they perceive it is important to the relationship.

Good luck with assessing and mitigating your risks. This process may cost you some money, but it is likely to save you more over the longer term.

Guest columnist Sara Lefcourt is an industry consultant who specializes in helping companies to improve profits, reduce risk and step up their operations. Her experience includes many years in marketing, sales and procurement, first for Exxon and then at Infineum, where she was vice president, supply. E-mail her at saralefcourt@gmail.com or phone (908) 400-5210.