The next logical step, of course, is to put together a plan for dealing with each risk you’ve identified, so that you can manage your risks on an ongoing basis. You’ll learn exactly how to do that in this tutorial.
We’ll start by seeing what a risk management plan might look like, and how you can put one together for your business. Then we’ll look at the options you have in dealing with each individual risk, and how you can decide which strategy to employ. And finally we’ll see how you can monitor risk in your business on a regular basis, and update your plan as necessary.
Putting together a solid risk management plan is one of the most important things you can do for your business. Companies fail all the time, sometimes blaming bad luck, “the economy”, or other unforeseen circumstances. Risk management is about being prepared for as many of these adverse events as possible, so that you can ride out storms that make your competitors go under.
Disaster can still wreck the best-laid plans, of course, but taking risk management seriously will certainly increase your chances of long-term success. So let’s get started.
1. Make a Plan
Every business should have a solid risk management plan. Here's a guide to putting one together.
The format can vary widely, depending on your company’s needs. A risk management plan for a large, complex business could easily run to hundreds of pages, while a small business might just have a small spreadsheet focusing on the main items.
There are a few essential items to include in a risk management plan, however. Here they are:
- a list of individual risks
- a rating of each risk based on likelihood and impact
- an assessment of current controls
- a plan of action
Let’s look at each of those in turn. If you’ve been following the series so far, you’ll notice that we already covered the first two items in the last tutorial. So we’ve got a good head-start on our plan already. Here’s the sample table we put together last time:
| Key client XYZ Corp is late paying its invoice. | 5 | 2 | 10 |
| Loss of power for more than 24 hours. | 1 | 3 | 3 |
| Our COO Janet leaves the company. | 4 | 4 | 16 |
| A new competitor undercuts the price of our main product. | 2 | 5 | 10 |
| Scathing product review from an influential magazine/website. | 3 | 2 | 6 |
Your full plan will of course have a lot more items, but this example at least illustrates the format. You can refer to the other tutorial for more details about what each score means.
So to complete our risk management plan, we just need to add two more columns to our table.
The first new column is an assessment of current controls. For each of the risks you’ve identified, what are you currently doing to control that risk, and how effective is it?
For example, let’s look at the first item on our table: “Key client XYZ Corp is late paying its invoice.” Maybe you are already controlling for that risk by having automated reminders sent out when the invoice is close to its due date, and having one of your staff members responsible for following up personally with phone calls and emails. You’d list those as existing controls on your risk management plan.
So the next step is to consider the effectiveness of those actions. How well are things working right now? If your client almost always pays on time, for example, then your controls are effective. But if XYZ Corp has been late with its payments two or three times already this year, the controls are inadequate. Again, you could use a simple five-point scale here:
- very inadequate, or non-existent
- very strong
Then the final element of your plan details the action you plan to take in order to manage the risk more effectively. What could you do, either to reduce the likelihood of that event happening, or to minimize its impact when it does happen?
This last item is a little more complex, so we’ll look at it in some more detail in the next section of this tutorial.
2. Decide How to Handle Each Risk
So at this point in the series, we’ve identified all the main risks in our business, prioritized them based on likelihood and impact, and assessed the effectiveness of our current controls.
The next step is to decide what to do about each risk, so that we can manage them best. In the world of risk management, there are four main strategies:
- Avoid it.
- Reduce it.
- Transfer it.
- Accept it.
Each strategy has its own advantages and disadvantages, and you’ll probably end up using all four. Sometimes it may be necessary to avoid a risk, and other times you’ll want to reduce it, transfer it, or simply accept it. Let’s look at what those terms mean, and how to decide on the right classification to use for each of your own business risks.
Avoid the Risk
Sometimes, a risk will be so serious that you simply want to eliminate it, for example by avoiding the activity altogether, or using a completely different approach. If a particular type of trading is very risky, you may decide it’s not worth the potential reward, and abandon it.
The advantage of this strategy is that it’s the most effective way of dealing with a risk. By stopping the activity that’s causing the potential problems, you eliminate the chance of incurring losses. But the disadvantage is that you also lose out on any benefits. Risky activities can be very profitable, or perhaps have other benefits for your company. So this strategy is best used as a last resort, when you’ve tried the other strategies and found that the risk level is still too high.
Reduce the Risk
If you don’t want to abandon the activity altogether, a common approach is to reduce the risk associated with it. Take steps to make the negative outcome less likely to occur, or to minimize its impact when it does occur.
With our earlier case, “Key client XYZ Corp is late paying its invoice”, for example, we could reduce the likelihood by offering an incentive to the client to pay its bills on time. Maybe a 10% discount for early payment, and a penalty for late payment. Dealing with late-paying customers can be tricky, and we covered it more in our tutorial on managing cash flow more efficiently, but these are a couple of options.
In the same example, we could reduce the impact by arranging access to a short-term credit facility. That way, even if the client does pay late, we don’t run out of money. For more on short-term borrowing options like factoring and lines of credit, see our tutorial on borrowing money to fund a business.
This is probably the most common strategy, and is appropriate for a wide range of different risks. It lets you continue with the activity, but with measures in place to make it less dangerous. If done well, you have the best of both worlds. But the danger is that your controls are ineffective, and you end up still suffering the loss that you feared.
Transfer the Risk
We’re all familiar with the concept of insurance from our everyday lives, and the same applies in business. An insurance contract is basically a transfer of risk from one party to another, with a payment in return.
When you own a home, for example, there’s a big risk of losses from fire, theft, and other damage. So you can buy a home insurance policy, and transfer that risk to the insurance company. If anything goes wrong, it’s the insurance company that bears the loss, and in return for that peace of mind, you pay a premium.
When you own a business, you have the option to transfer many of your risks to an insurance company as well. You can insure your properties and vehicles, and also take out various types of liability insurance to protect yourself from lawsuits. We’ll look at insurance in more detail in the next tutorial in the series, but it’s a good option for dealing with risks that have a large potential impact, as long as you can find an affordable policy.
Accept the Risk
As we’ve seen, risk management comes at a price. Avoiding a risk means constricting your company’s activities and missing out on potential benefits. Reducing a risk can involve costly new systems or cumbersome processes and controls. And transferring a risk also has a cost, for example an insurance premium.
So in the case of minor risks, it may be best simply to accept them. There’s no sense investing in a whole new suite of expensive software just to mitigate a risk that wouldn’t have had a very big impact anyway. For the risks that received a low score for impact and likelihood, look for a simple, low-cost solution, and if you can’t find one, it may be worth simply accepting the risk and continuing with business as usual.
The advantage of accepting a risk is pretty clear: there’s no cost, and it frees up resources to focus on more serious risks. The downside is also pretty clear: you have no controls in place. If the impact and likelihood are minor, that may be fine. But make sure you’ve assessed those things correctly, so that you don’t get a nasty surprise.
Putting measures in place isn't enough; you also need to check whether they're working, and monitor your business on a regular basis to identify and deal with new risks.
The starting point is the plan you’ve been putting together. You should now have a list of all the risks in your business, an assessment of their likelihood and impact, an evaluation of your current controls, and an action plan for dealing with them.
The danger with a document like this is that you spend lots of time preparing it initially, but then never go back and update it later. A good risk management plan must be a living document, constantly referred to and updated to reflect new situations, new risks, and the effectiveness of your actions.
First of all, each action you define should have a target date for completion, and a person who’s primarily responsible for it. For example, with our late-paying client, we could decide that our salesperson, Tina, will be responsible for renegotiating payment terms with XYZ Corp. to create incentives for timely payment, and that this will be completed by March 1st.
When Tina’s finished doing this, you’d move that from the “actions” column to the “current controls” column. Then over the following months, you’d assess how effective the new payment terms are at reducing the risk. If they’re still not effective, you could look at the short-term financing option to reduce the impact of the late payments.
If neither of those options works, then you could look for other alternatives. If you’ve tried everything and the client still pays late, then you may decide to accept the risk if the client’s business is really important to you, or you could go for the nuclear option of eliminating the risk altogether by avoiding doing business with that client.
The situation will evolve constantly over time, as the risks change and your responses to them have their own effect. Some of the controls you put in place may reduce the likelihood of the client paying late, making it less important to deal with. Or you may take on so many other clients that XYZ Corp. accounts for a smaller share of your revenue, so the impact of late payment is smaller. All of this needs to be accounted for.
There’s no hard and fast rule about how often to update your risk management plan. Large companies have whole departments dedicated to full-time risk management, whereas in a small company the resources you can devote to it will probably be more limited. The key is to make a commitment to update your plan regularly, whether that’s on a monthly basis, quarterly, or even annually.
One of the best approaches is to make small changes to individual items on an ongoing basis, as the changes occur, and then to carry out a more comprehensive review of the document on a less frequent, but still regular schedule. The comprehensive review would include going back to the steps we covered in the earlier parts of this series, brainstorming about all the risks your business is subject to, adding new items to the list, and ranking them by importance. Then do the same with your existing risks, noting any changes.
If you take all of the steps outlined in this tutorial and the earlier parts of the series, you’ll be in a good position to protect your business from many of the pitfalls that will come your way.
You now have a comprehensive risk management plan that outlines all the risks your business faces, and ranks them according to how likely they are to occur and how serious their impact would be.
You’ve evaluated the effectiveness of the controls you currently have in place, and come up with an action plan for either avoiding, reducing, transferring or accepting the risk.
Your action plan has a clear timeline and a person responsible for implementing it, and you’ve made a commitment to monitoring the success of your actions and updating the plan as necessary.
Congratulations! You’re in a better position than many other business owners. Truly unforeseeable events can still crop up and pose challenges, but you’ve done your best to plan for likely risks and to protect yourself as far as possible.
The final tutorial in this series will look in more detail at the option of transferring risk. There are quite a few different types of business insurance, and the categories are different from those you might be used to from your personal life. So stay tuned for a look at the main types of insurance that your business needs.
Editorial Note: This content was originally published in 2015. We're sharing it again because our editors have determined that this information is still accurate and relevant.