RISK THINKING - Every business faces risks that could present threats to its success.

Introduction

1. Risk is defined as the probability of an event and its consequences.
2. Risk management is the practice of using processes, methods and tools for managing these risks.
3. Risk management focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with those risks.
4. Businesses that have identified the risks will be better prepared and have a more cost-effective way of dealing with them.

This guide

1. This guide sets out how to identify the risks your business may face.
2. It also looks at how to implement an effective risk management policy and program, which can increase your business' chances of success and reduce the possibility of failure.

What is discussed in this guide

1. The risk management process
2. The types of risk your business faces
3. Strategic and compliance risks
4. Financial and operational risks
5. How to evaluate risks
6. Use preventative measures for business continuity
7. How to manage risks

The risk management process

1. Businesses face many risks; therefore, risk management should be a central part of any business' strategic management.
2. Risk management helps you to identify and address the risks facing your business and in doing so, increase the likelihood of successfully achieving your businesses objectives.

A risk management process involves:

3. methodically identifying the risks surrounding your business activities
4. assessing the likelihood of an event occurring
5. understanding how to respond to these events
6. putting systems in place to deal with the consequences
7. monitoring the effectiveness of your risk management approaches and controls

As a result, the process of risk management:

8. improves decision-making, planning and prioritisation
9. helps you allocate capital and resources more efficiently
10. allows you to anticipate what may go wrong, minimising the amount of firefighting you have to do or, in a worst-case scenario, preventing a disaster or serious financial loss
11. significantly improves the probability that you will deliver your business plan on time and to budget
12. Risk management becomes even more critical if your business decides to try something new, for example, launch a new product or enter new markets. Competitors following you into these markets, or breakthroughs in technology which make your product redundant, are two risks you may want to consider in cases such as these.

The types of risk your business faces

The main categories of risk to consider are:

1. Governance
2. strategic,
3. compliance,
4. financial,
5. operational,
6. IT
7. Info Security (GDPR)
8. HR/employee risk management, such as maintaining sufficient staff numbers and cover, employee safety and up-to-date skills
9. health and safety risks

These categories are not rigid, and some parts of your business may fall into more than one category. Also, the risks are interlinked.  For example; data protection could be considered when reviewing your

1. operations or
2. business' compliance.
3. HR
4. Health and safety

The Main Categories Of Risk To Consider Are Discussed As Follows:

Strategic and compliance risks

1. Strategic risks are those risks associated with operating in a particular industry.

They include risks arising from:

2. merger and acquisition activity
3. changes among customers or in demand
4. industry changes
5. research and development

Compliance risk

1. Compliance risks are those associated with the need to comply with laws and regulations. They also apply to the need to act in a manner which investors and customers expect, for example, by ensuring proper corporate governance.
2. You may need to consider whether employment or health and safety legislation could add to your overheads or force changes in your established ways of working.
3. You may also want to consider legislative risks to your business.

Financial and operational risks

1. Financial risks are associated with the financial structure of your business, the transactions your business makes, and the financial systems you already have in place.
2. Identifying financial risk involves examining your daily financial operations, especially cash flow. If your business is too dependent on a single customer and they are unable to pay you, this could have serious implications for your business' viability.

You might examine:

3. the way you extend credit to new customers
4. who owes you money
5. the steps you can take to recover it
6. insurance that can cover large or doubtful debts
7. Financial risk should take into account external factors such as interest rates and foreign exchange rates.

Operational risks

Operational risks are associated with your business' operational and administrative procedures. These include:

1. recruitment
2. supply chain
3. accounting controls
4. IT systems
5. regulations
6. board composition

You should examine these operations in turn, prioritise the risks and make provisions for such a risk happening. For example,

7. if you are heavily reliant on one supplier for a key component, you should consider what could happen if that supplier went out of business and source other suppliers to help you minimise the risk.
8. IT risk and data protection are increasingly important to a business. If hackers break into your IT systems, they could steal valuable data, and even money from your bank account, which at best would be embarrassing and at worst could put you out of business. A secure IT system employing encryption will safeguard commercial and customer information.

How to evaluate risks

1. Risk evaluation allows you to determine the significance of risks to the business and decide to accept the specific risk or take action to prevent or minimise it.
2. To evaluate risks, it is worthwhile ranking these risks once you have identified them; this can be done by considering the consequence and probability of each risk. Many businesses find that assessing consequence and probability as high, medium or low is adequate for their needs.
3. These can then be compared to your business plan - to determine which risks may affect your objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense.
4. There are some tools you can use to help evaluate risks. You can plot on a risk map the significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk is rated ten, this means it is of major importance to the company. One is the least significant. The map allows you to visualise risks in relation to each other, gauge their extent and plan what type of controls should be implemented to mitigate the risks.
5. Prioritising risks, however, you do this, allows you to direct time and money toward the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision process and escalation procedures that your company would follow if an event occurred.

Use preventative measures for business continuity

7. Risk management involves putting processes, methods and tools in place to deal with the consequences of events you have identified as significant threats for your business. This could be something as simple as setting aside financial reserves to ease cash flow problems if they arise or ensuring effective computer backup and IT support procedures for dealing with a systems failure.
8. Programs which deal with threats identified during risk assessment are often referred to as business continuity plans. These set out what you should do if a certain event happens, for example, if a fire destroys your office. You can't avoid all risk, but business continuity plans can minimise the disruption to your business.
9. Risk assessments will change as your business grows or as a result of internal or external changes. This means that the processes you have put in place to manage your business risks should be regularly reviewed. Such reviews will identify improvements to the processes, and equally, they can indicate when a process is no longer necessary.

How to manage risks

There are four ways of dealing with, or managing, each risk that you have identified. You can:

1. accept it
2. transfer it
3. reduce it
4. eliminate it

For example,

5. you may decide to accept a risk because the cost of eliminating it is too high.
6. You might decide to transfer the risk, which is typically done with insurance.
7. Or you may be able to reduce the risk by introducing new safety measures or eliminate it entirely by changing the way you produce your product.

Close

1. When you have evaluated and agreed on the actions and procedures to reduce the risk, these measures need to be put in place.
2. Risk management is not a one-off exercise. Continuous monitoring and reviewing are crucial for the success of your risk management approach. Such monitoring ensures that risks have been correctly identified and assessed and appropriate controls put in place. It is also a way to learn from experience and make improvements to your risk management approach.
3. All of this can be formalised in a risk management policy, setting out your business' approach to and appetite for risk and its approach to risk management. Risk management will be even more effective if you clearly assign responsibility for it to chosen employees. It is also a good idea to get a commitment to risk management at the board level.
4. Good risk management can improve the quality and returns of your business.