Welcome to part two of our series on risk management. In part one, you learned about the main types of risk a business can face:
- strategic risk
- compliance risk
- operational risk
- financial risk
- reputational risk
Those general categories are useful, but to have a successful risk management strategy, you’ll need to get much more specific. You’ll need to examine your business and identify specific things that could go wrong. And you’ll also need some way of estimating how likely they are to happen, and quantifying the impact they would have.
In other words, you need a way of measuring risk in your business. You’ll learn exactly how to do that in this tutorial. Risk management can be a very complex area, with very detailed methodologies and formulas for calculating risk. In this tutorial, however, we’ll use a simple approach that any small business owner can readily adopt.
1. Look at Everything You Do
The first step in measuring risk in your business is to get a much clearer idea of what your risks are.
We identified the main areas in the last tutorial, so now it’s time to dive much deeper into each one. Go over your business plan and all of your business's activities, and ask yourself a series of tough "What if...?" questions.
As a business owner, it usually pays to be an optimist, but in this case you’ll need to think of the worst-case scenarios. Put on your pessimist’s hat for a while, and make a list of everything that could go wrong.
Here are some examples of specific questions you could ask in each area of risk. For more ideas, see this useful RBC guide to managing risk.
- Is the business highly dependent on a particular technology that could be superseded?
- What if the cost of our raw materials doubled?
- Can people survive without our product/service?
- What would happen if a powerful competitor entered the market and started a price war?
- Is there a chance that what we provide will simply go out of fashion, and do we have a plan to adapt?
- Are we expanding to any new markets that may expose us to new regulatory requirements?
- How sure are we that we’ve been complying with every single rule and regulation that applies to our business?
- What if there’s a rule we’ve unwittingly been breaking, and we have to pay a fine?
- If we hire more employees, does that expose us to any new employment regulations?
- What if the government decided to put new, onerous restrictions on our core business activity?
- How reliable are our systems and technology? How often do they fail?
- What would happen if we lost power for more than 24 hours?
- Do we have sufficient controls on the flow of money in and out of the company? Are we liable to losses either from abuse/scams or from human error?
- What natural disasters are possible in our location?
- Would the loss of a key employee cause serious problems?
- What if our biggest client went bust and couldn’t pay its latest bill?
- Do we have a high debt load? How much of it is at variable rates?
- What if the interest rate on our loans increased dramatically? Could we still pay?
- Are we doing business internationally, or planning to? How vulnerable are we to changes in exchange rates?
- How much money do our clients owe us, and what would happen if many of them were late paying?
- What would happen if we got a negative review from a very influential magazine or website?
- What if one of our key employees became involved in a scandal?
- Is there a chance of a major lawsuit against us from customers or other businesses?
- Do we have any effective ways of gauging public sentiment? Do we have PR people or other staff who are capable of managing a crisis?
- How would our business be affected by a mass of bad reviews or negative comments on social media?
Put It Together
Asking these questions and more should help you identify some specific risks that your business is subject to. List those risks in simple point form for now. We’ll add more detail later. For example, your list might include:
- Key client XYZ Corp is late paying its invoice.
- Loss of power for more than 24 hours.
- Our Chief Operating Officer, Janet, leaves the company.
- A new competitor undercuts the price of our main product.
- Scathing product review from an influential magazine/website.
2. Estimate the Likelihood
For each risk you've identified, ask yourself how likely it is to happen.
You’re dealing with lots of unknown factors here, of course, so there’s no need to strive for scientific accuracy and try to calculate the exact percentage probability of each event. A simple five-point scale will be sufficient for most businesses. For example:
- very unlikely
- quite unlikely
- medium likelihood
- quite likely
- very likely
The idea is simply to give you a way of ranking each risk by the likelihood of it happening. For example, if one of your key clients has been late paying invoices before, then you could score that risk as a “4” or “5”.
A natural disaster, on the other hand, would probably score as “1: very unlikely” for most businesses. The impact would of course be high, but don’t worry about that for now; we’ll cover impact in the next section. Right now, just go through the list of risks you identified in Step 1, and assign an approximate “likelihood” score to each one.
It sounds simple, but actually this can be one of the hardest steps, especially for less experienced business owners. If most of the things on your list have never happened before, how can you decide how likely they are to happen in future?
This is where a good network of contacts can help you. Even if the things on your list have never happened to you, it’s a sure bet that they’ve happened to someone else at some time. So talk to other people in your field, particularly those with a decade or two of experience. Chances are they’ll have seen most of the things that can go wrong, and can advise you on the likelihood of each one.
You can also do your own research on particular issues, where useful statistics may be available. In the case of a technical issue like a server outage or a problem with your website host, for example, you can contact your provider and ask how often things like that happen. If your website host promises 99.9% up time, you can safely mark that as a “low” risk.
If you still need help, you could consider hiring a risk management consultant. There’ll be a fee, of course, but it may be worth it if they help you identify and manage your risks more effectively. Insurance companies will sometimes offer a similar service, but keep in mind that they may have a vested interest in steering you towards a particular insurance product.
3. Estimate the Impact
Now that you’ve decided how likely each event is, the next step is to estimate its impact. If this thing happened, how would it affect your business? Would it be an inconvenience, or a major threat to your survival?
As before, you can use a simple five-point scale:
- minimal impact
- low impact
- medium impact
- high impact
- devastating impact
Go through your list of risks from Step 1, and add an impact score next to the likelihood score you’ve already created. So you’ll end up with two numerical scores next to each item on your list.
The best way of thinking about impact is in terms of how much money you would lose. It’s probably not realistic to assign a precise dollar amount to each risk, but at least try to estimate an approximate range. Take into account both the direct cost of dealing with the event, and the loss of revenue you can expect.
For example, let’s say your main retail store gets flooded. You’d need to start by estimating the cost of cleaning, repairing the building, replacing water-damaged stock, buying new display shelves, etc.
But you’d also need to take into account the impact of your store being closed for however long it takes to repair the damage. How much business would you lose in that time?
If you make $5,000 in an average day, for example, then being closed for ten days could cost you $50,000 in lost revenue, unless you give your customers a very clear and easy alternative way of buying from you.
Don’t focus too much on precision with these dollar estimates, because there are so many unknown factors. And money is, of course, not the only way to measure impact. It’s just a way to help you rank your risks, and assign each of them a score from 1 to 5.
4. Create a Risk Scorecard
By this stage, you should have a list of specific risks that could affect your company, and two scores next to each of them: one for likelihood, and one for impact.
Now we’ll create a risk scorecard that summarizes these risks and their relative importance. It’s actually very simple to do this. Just multiply the two numbers together, to give an overall risk score.
Here’s an example of how it could look:
|Key client XYZ Corp is late paying its invoice.||5||2||10|
|Loss of power for more than 24 hours.||1||3||3|
|Our COO Janet leaves the company.||4||4||16|
|A new competitor undercuts the price of our main product.||2||5||10|
|Scathing product review from an influential magazine/website.||3||2||6|
You’ll have lots more risks than this, of course, but this table at least gives you an idea of how it works. In this example, I think my key client is very likely (5) to be late paying its invoice, but the impact won’t be that high (2). It’ll be inconvenient, but I can survive on the payments from other customers. So 5 x 2 = 10, a medium risk score.
On the other hand, losing my Chief Operating Officer is a big risk. She has lots of specialized knowledge about the business, as well as contacts with key clients. If she went to a competitor, it would have a large impact (4). And it scores a “4” for likelihood too—perhaps she’s told me she’s unhappy in her role and looking for a new challenge. So 4 x 4 = 16, a high risk score. This is something to focus on.
In this tutorial you’ve learned how to identify key risks in your business, and assign scores to them based on their estimated likelihood and impact. Keep in mind, of course, that these scores are only estimates. They’re designed to help you prioritize, but you should feel free to use your own judgement as well.
Also, you can come up with your own scales and measures, perhaps using letter ratings instead of numbers, or ten categories instead of five. You can see other examples on this Queensland Government website, or this one from Northern Ireland Business. The idea is simply to quantify your risks in a way that makes sense for your business, so that you can try to identify the most critical ones.
The next step, of course, is to come up with a plan for dealing with each risk. Which ones will you focus on? What strategies will you use to address them? Will you try to eliminate them, manage them, accept them, or pass them on to someone else (for example by buying insurance)?
We’ll cover all of that in the next tutorial in the series.
In the meantime, please leave any comments or questions in the section below.