This post is a continuation of the risk management concepts that started with the Han and Chewie articles. You may enjoy reading those first before jumping into this one. Today we talk about risk management using examples from Archer.
Malory Archer is the CEO of the International Secret Intelligence Service, which provides covert services for government and private clients. During a recent risk assessment she discovered that her top-scoring risk in both likelihood and business impact was the possibility of her lead field agent, Sterling, embezzling millions of dollars from his operations fund so he can run away to a tropical honeymoon destination to enjoy an early retirement tending bar for young newlyweds. Because Malory is keen on risk management practices, she knows there are 4 possible ways she can address this risk. She can accept the risk, mitigate the risk, avoid the risk, or transfer the risk.
If Malory accepts the risk, it means she will choose to do nothing about it and will live with the consequences of the impact if the risk is realized. In this scenario it seems silly that she would accept the most impactful risk to her organization. However, accepting risk happens every day. Organizations have thousands of known risks but have finite time, budget, and manpower to address them. The risks with the lowest likelihood and/or impact may be accepted because the organization prefers to dedicate resources to addressing higher-priority risks. The organization’s overall risk appetite and its regulatory requirements are both big factors in deciding which risks get accepted and which are addressed. Given that the risk in this scenario is the highest priority for Malory, she can’t accept it.
Malory could also choose to mitigate the risk. This means she will take steps to reduce the likelihood and/or impact of the risk being realized. In this example of Sterling’s embezzlement, Malory could enforce a new policy stating all operations fund transactions must be submitted to the company’s accountant, Cyril Figgis, for review and approval. This will reduce the likelihood that Sterling is able to embezzle large amounts of funds as he will be quickly discovered. She may also add to the policy that all operations spending above $3 million will require director approval to reduce the risk of Sterling and Cyril collaborating to embezzle the money.
Another choice Malory has is to avoid the risk. This means she would change her organizational strategy in a way that stops the potential risk from being a valid concern going forward. In this example, she could decide that field agents are no longer allowed to manage their own operations budget. Sterling would lose access to his funds so the risk of him embezzling those funds would be greatly decreased. However, Malory needs to be aware of the risks associated with her change in strategy before deciding whether this is the right approach or not. Field agents not being able to access funds while in the field could present new risks!
The final choice Malory has is to transfer the risk. This means she passes the impact of the risk being realized from her organization to another entity. The most common way of transferring risk is insurance coverage. For example, Malory could upgrade her company’s insurance policy to include coverage for insider fraud and embezzlement. If Sterling does embezzle the money, the insurance company feels the impact instead of Malory’s company.
Note that these options are not mutually exclusive. For example, Malory could mitigate the risk partially, transfer the remaining risk to another agency, and accept any leftover risk that the outside agency won’t cover. Knowing that you could accept, mitigate, avoid, or transfer risk, how would you handle the issue if you were in Malory’s shoes?