Every business faces risks that could present threats to its success. Show Risk is defined as the probability of an event and its consequences. Risk management is the practice of using processes, methods and tools for managing these risks. Risk management focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with those risks. Businesses that have identified the risks will be better prepared and have a more cost-effective way of dealing with them. This guide sets out how to identify the risks your business may face. It also looks at how to implement an effective risk management policy and program which can increase your business' chances of success and reduce the possibility of failure.
The risk management processBusinesses face many risks, therefore risk management should be a central part of any business' strategic management. Risk management helps you to identify and address the risks facing your business and in doing so increase the likelihood of successfully achieving your businesses objectives. A risk management process involves:
As a result, the process of risk management:
Risk management becomes even more important if your business decides to try something new, for example launch a new product or enter new markets. Competitors following you into these markets, or breakthroughs in technology which make your product redundant, are two risks you may want to consider in cases such as these. The types of risk your business facesThe main categories of risk to consider are:
These categories are not rigid and some parts of your business may fall into more than one category. The risks attached to data protection, for example, could be considered when reviewing your operations or your business' compliance. Other risks include:
Strategic and compliance risksStrategic risks are those risks associated with operating in a particular industry. They include risks arising from:
For example you might consider the strategic risks of the possibility of a US company buying one of your Canadian competitors. This may give the US company a distribution arm in Canada. You may want to consider:
Where there's a strong possibility of this happening, you should prepare some sort of response. Compliance risk Compliance risks are those associated with the need to comply with laws and regulations. They also apply to the need to act in a manner which investors and customers expect, for example, by ensuring proper corporate governance. You may need to consider whether employment or health and safety legislation could add to your overheads or force changes in your established ways of working. You may also want to consider legislative risks to your business. You should ask yourself whether the products or services you offer could be made less marketable by legislation or taxation – as has happened with tobacco and asbestos products. For example, concerns about the increase in obesity may prompt tougher food labelling regulations, which may push up costs or reduce the appeal of certain types of food. Financial and operational risksFinancial risks are associated with the financial structure of your business, the transactions your business makes and the financial systems you already have in place. Identifying financial risk involves examining your daily financial operations, especially cash flow. If your business is too dependent on a single customer and they are unable to pay you, this could have serious implications for your business' viability. You might examine:
Financial risk should take into account external factors such as interest rates and foreign exchange rates. Rate changes will affect your debt repayments and the competitiveness of your goods and services compared with those produced abroad. Operational risks Operational risks are associated with your business' operational and administrative procedures. These include:
You should examine these operations in turn, prioritise the risks and make provisions for such a risk happening. For example, if you are heavily reliant on one supplier for a key component you should consider what could happen if that supplier went out of business and source other suppliers to help you minimise the risk. IT risk and data protection are increasingly important to business. If hackers break into your IT systems, they could steal valuable data and even money from your bank account which at best would be embarrassing and at worst could put you out of business. A secure IT system employing encryption will safeguard commercial and customer information. How to evaluate risksRisk evaluation allows you to determine the significance of risks to the business and decide to accept the specific risk or take action to prevent or minimise it. To evaluate risks, it is worthwhile ranking these risks once you have identified them. This can be done by considering the consequence and probability of each risk. Many businesses find that assessing consequence and probability as high, medium or low is adequate for their needs. These can then be compared to your business plan - to determine which risks may affect your objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense. There are some tools you can use to help evaluate risks. You can plot on a risk map the significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk is rated ten this means it is of major importance to the company. One is the least significant. The map allows you to visualise risks in relation to each other, gauge their extent and plan what type of controls should be implemented to mitigate the risks. Prioritising risks, however you do this, allows you to direct time and money toward the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision process and escalation procedures that your company would follow if an event occurred. Use preventative measures for business continuityRisk management involves putting processes, methods and tools in place to deal with the consequences of events you have identified as significant threats for your business. This could be something as simple as setting aside financial reserves to ease cash flow problems if they arise or ensuring effective computer backup and IT support procedures for dealing with a systems failure. Programs which deal with threats identified during risk assessment are often referred to as business continuity plans. These set out what you should do if a certain event happens, for example, if a fire destroys your office. You can't avoid all risk, but business continuity plans can minimise the disruption to your business. Risk assessments will change as your business grows or as a result of internal or external changes. This means that the processes you have put in place to manage your business risks should be regularly reviewed. Such reviews will identify improvements to the processes and equally they can indicate when a process is no longer necessary. How to manage risksThere are four ways of dealing with, or managing, each risk that you have identified. You can:
For example, you may decide to accept a risk because the cost of eliminating it completely is too high. You might decide to transfer the risk, which is typically done with insurance. Or you may be able to reduce the risk by introducing new safety measures or eliminate it completely by changing the way you produce your product. When you have evaluated and agreed on the actions and procedures to reduce the risk, these measures need to be put in place. Risk management is not a one-off exercise. Continuous monitoring and reviewing are crucial for the success of your risk management approach. Such monitoring ensures that risks have been correctly identified and assessed and appropriate controls put in place. It is also a way to learn from experience and make improvements to your risk management approach. All of this can be formalised in a risk management policy, setting out your business' approach to and appetite for risk and its approach to risk management. Risk management will be even more effective if you clearly assign responsibility for it to chosen employees. It is also a good idea to get commitment to risk management at the board level. Good risk management can improve the quality and returns of your business. Choose the right insurance to protect against lossesInsurance will not reduce your business' risks but you can use it as a financial tool to protect against losses associated with some risks. This means that in the event of a loss you will have some financial compensation. This can be crucial for your business' survival in the event of, say, a fire which destroys a factory. Some costs are uninsurable, such as the damage to a company's reputation. On the other hand, in some areas insurance is mandatory. Insurance companies increasingly want evidence that risk is being managed. Before they will provide cover, they want evidence of the effective operation of processes in place to minimise the likelihood of a claim. You can ask your insurance adviser for advice on appropriate processes. Insurance products You can use a business interruption policy, for example, to insure against loss of profit and higher overheads resulting from, say, damaged machinery. You may also want to consider:
Liability insurance - public and products liability insurance - is designed to pay any compensation and legal costs that arise from negligence or breach of duty. Key man insurance is designed to cover you for the financial costs of losing key personnel. Group life assurance is provided by employers as part of a benefits package and pays out a lump sum to an employee's family should the employee die. Original document, Managing risk, © Crown copyright 2009 Our information is provided free of charge and is intended to be helpful to a large range of UK-based (gov.uk/business) and Québec-based (infoentrepreneurs.org) businesses. Because of its general nature the information cannot be taken as comprehensive and should never be used as a substitute for legal or professional advice. We cannot guarantee that the information applies to the individual circumstances of your business. Despite our best efforts it is possible that some information may be out of date. As a result:
|