Every business faces risks that could present threats to its success.
Risk is defined as the probability of an event and its consequences. Risk management is the practice of using processes, methods and tools for managing these risks.
Risk management focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with those risks. Businesses that have identified the risks will be better prepared and have a more cost-effective way of dealing with them.
This guide sets out how to identify the risks your business may face. It also looks at how to implement an effective risk management policy and program which can increase your business' chances of success and reduce the possibility of failure.
The risk management process
Businesses face many risks, so risk management should be a central part of any business' strategic management. Risk management helps you to identify and address the risks facing your business and, in doing so, increase the likelihood of successfully achieving your business' objectives.
A risk management process involves:
- methodically identifying the risks surrounding your business activities
- assessing the likelihood of an event occurring
- understanding how to respond to these events
- putting systems in place to deal with the consequences
- monitoring the effectiveness of your risk management approaches and controls
As a result, the process of risk management:
- improves decision-making, planning and prioritisation
- helps you allocate capital and resources more efficiently
- allows you to anticipate what may go wrong, minimising the amount of firefighting you have to do or, in a worst-case scenario, preventing a disaster or serious financial loss
- significantly improves the probability that you will deliver your business plan on time and to budget
Risk management becomes even more important if your business decides to try something new, for example launch a new product or enter new markets. Competitors following you into these markets, or breakthroughs in technology which make your product redundant, are two risks you may want to consider in cases such as these.
The types of risk your business faces
The main categories of risk to consider are:
- strategic, for example a competitor coming on to the market
- compliance, for example the introduction of new health and safety legislation
- financial, for example non-payment by a customer or increased interest charges on a business loan
- operational, for example the breakdown or theft of key equipment
These categories are not rigid and some parts of your business may fall into more than one category. The risks attached to data protection, for example, could be considered when reviewing your operations or your business' compliance.
Other risks include:
- environmental risks, including natural disasters
- employee risk management, such as maintaining sufficient staff numbers and cover, employee safety and up-to-date skills
- political and economic instability in any foreign markets you export goods to
- health and safety risks
Strategic and compliance risks
Strategic risks are those risks associated with operating in a particular industry.
They include risks arising from:
- merger and acquisition activity
- changes among customers or in demand
- industry changes
- research and development
For example, you might consider the strategic risk of a US company buying one of your Canadian competitors. This may give the US company a distribution arm in Canada. You may want to consider:
- whether there are any US companies which have the cash/share price to do this
- whether there are any Canadian competitors who could be a takeover target, perhaps because of financial difficulties
- whether the US company would lower prices or invest more in research and development
Where there's a strong possibility of this happening, you should prepare some sort of response.
Compliance risks are those associated with the need to comply with laws and regulations. They also apply to the need to act in a manner which investors and customers expect, for example, by ensuring proper corporate governance.
You may need to consider whether employment or health and safety legislation could add to your overheads or force changes in your established ways of working.
You may also want to consider legislative risks to your business. You should ask yourself whether the products or services you offer could be made less marketable by legislation or taxation – as has happened with tobacco and asbestos products. For example, concerns about the increase in obesity may prompt tougher food labelling regulations, which may push up costs or reduce the appeal of certain types of food.
Financial and operational risks
Financial risks are associated with the financial structure of your business, the transactions your business makes and the financial systems you already have in place.
Identifying financial risk involves examining your daily financial operations, especially cash flow. If your business is too dependent on a single customer and they are unable to pay you, this could have serious implications for your business' viability.
You might examine:
- the way you extend credit to new customers
- who owes you money
- the steps you can take to recover it
- insurance that can cover large or doubtful debts
Financial risk should take into account external factors such as interest rates and foreign exchange rates.
Rate changes will affect your debt repayments and the competitiveness of your goods and services compared with those produced abroad.
Operational risks are associated with your business' operational and administrative procedures. These include:
- supply chain
- accounting controls
- IT systems
- board composition
You should examine these operations in turn, prioritise the risks and make provisions for such a risk happening. For example, if you are heavily reliant on one supplier for a key component you should consider what could happen if that supplier went out of business and source other suppliers to help you minimise the risk.
IT risk and data protection are increasingly important to business. If hackers break into your IT systems, they could steal valuable data and even money from your bank account, which at best would be embarrassing and at worst could put you out of business. A secure IT system employing encryption will safeguard commercial and customer information.
How to evaluate risks
Risk evaluation allows you to determine the significance of risks to the business and decide to accept the specific risk or take action to prevent or minimise it.
To evaluate risks, it is worthwhile ranking these risks once you have identified them.
This can be done by considering the consequence and probability of each risk. Many businesses find that assessing consequence and probability as high, medium or low is adequate for their needs.
These can then be compared to your business plan - to determine which risks may affect your objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense.
There are some tools you can use to help evaluate risks. You can plot the significance and likelihood of each risk on a risk map. Each risk is rated on a scale of one to ten. If a risk is rated ten, this means it is of major importance to the company. One is the least significant. The map allows you to visualise risks in relation to each other, gauge their extent and plan what type of controls should be implemented to mitigate the risks.
Prioritising risks, however you do this, allows you to direct time and money toward the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision process and escalation procedures that your company would follow if an event occurred.
Use preventative measures for business continuity
Risk management involves putting processes, methods and tools in place to deal with the consequences of events you have identified as significant threats for your business. This could be something as simple as setting aside financial reserves to ease cash flow problems if they arise or ensuring effective computer backup and IT support procedures for dealing with a systems failure.
Programs which deal with threats identified during risk assessment are often referred to as business continuity plans. These set out what you should do if a certain event happens, for example, if a fire destroys your office. You can't avoid all risk, but business continuity plans can minimise the disruption to your business.
Risk assessments will change as your business grows or as a result of internal or external changes. This means that the processes you have put in place to manage your business risks should be regularly reviewed. Such reviews will identify improvements to the processes and equally they can indicate when a process is no longer necessary.
How to manage risks
There are four ways of dealing with, or managing, each risk that you have identified. You can:
- accept it
- transfer it
- reduce it
- eliminate it
For example, you may decide to accept a risk because the cost of eliminating it completely is too high. You might decide to transfer the risk, which is typically done with insurance. Or you may be able to reduce the risk by introducing new safety measures or eliminate it completely by changing the way you produce your product. When you have evaluated and agreed on the actions and procedures to reduce the risk, these measures need to be put in place.
Risk management is not a one-off exercise. Continuous monitoring and reviewing are crucial for the success of your risk management approach. Such monitoring ensures that risks have been correctly identified and assessed and appropriate controls put in place. It is also a way to learn from experience and make improvements to your risk management approach.
All of this can be formalised in a risk management policy, setting out your business' approach to and appetite for risk and its approach to risk management. Risk management will be even more effective if you clearly assign responsibility for it to chosen employees. It is also a good idea to get commitment to risk management at the board level.
Good risk management can improve the quality and returns of your business.
Choose the right insurance to protect against losses
Insurance will not reduce your business' risks but you can use it as a financial tool to protect against losses associated with some risks. This means that in the event of a loss you will have some financial compensation. This can be crucial for your business' survival in the event of, say, a fire which destroys a factory.
Some costs are uninsurable, such as the damage to a company's reputation. On the other hand, in some areas insurance is mandatory.
Insurance companies increasingly want evidence that risk is being managed. Before they will provide cover, they want evidence of the effective operation of processes in place to minimise the likelihood of a claim. You can ask your insurance adviser for advice on appropriate processes.
You can use a business interruption policy, for example, to insure against loss of profit and higher overheads resulting from, say, damaged machinery.
You may also want to consider:
- products liability insurance
- key man insurance
- group life assurance
Liability insurance - public and products liability insurance - is designed to pay any compensation and legal costs that arise from negligence or breach of duty.
Key man insurance is designed to cover you for the financial costs of losing key personnel.
Group life assurance is provided by employers as part of a benefits package and pays out a lump sum to an employee's family should the employee die.
Original document, Managing risk, © Crown copyright 2009
Source: Business Link UK (now GOV.UK/Business)
Adapted for Québec by Info entrepreneurs