Do you have a business risk management plan?
Malcolm Gladwell – Canadian author and journalist
Being in business is a risk, and it is a challenge for businesses to manage that risk. Risk varies from business to business, from industry to industry and from country to country. Every business will have inherent risks. A business that handles cash, for example, is more susceptible to theft than a quarrying business with stockpiles of raw materials.
What is business risk?
It is an event or situation that has a negative effect on your business. This can range from additional costs caused by the risk to situations that threaten the business itself. Risks can never be completely eliminated. However, they can be managed and controlled.
There are two broad types of risk:
- internal risks that are primarily related to what happens inside the business
- external risks where events and actions affect the business from the outside.
As business owners and managers, it is our responsibility to manage business risk. For example, workplace safety is a managerial responsibility and a serious incident can have a substantial negative impact on the business.
How can business risks be identified?
- The first step is identifying all the risks that could potentially negatively affect the business. Discuss these initially with the management team, dividing them into internal and external risks. For example, in a mining company, external risks could include country or sovereign risk, weather risk, exchange rate risk and economic risk. Internal risks could include operational risk, safety, people, customers, events such as power outages and fire, and reputational risks.
- The second step, after identifying the risks, is to assess each of the risks. In my experience, the most effective method is to develop a risk matrix where severity or consequence is rated against the likelihood of the event occurring. Effective communication and consultation with the management team and other stakeholders will improve the quality of the risk assessment. For example, involve an expert in IT to help assess the risk of data breaches and system breakdowns.
Risk Management Matrix
- The third step, after assessing and ranking the risks, is to develop a risk management plan. There is an international standard (IEC/ISO 31010) for risk management, which covers identification, analysis, evaluation, monitoring and reviewing risk. This process is very detailed and involves other disciplines such as finance, safety and human resources.
The management of risks falls into four main areas:
- Avoidance – eliminate the risk. A good example is decommissioning dangerous machinery.
- Reduce – actions that mitigate the risk. In warehousing, where the risks of manual handling injuries are high, place limits on carton weights and have regular ‘toolbox’ safety meetings to reinforce the importance of using equipment safely and reporting heavy or awkward stock items.
- Share – transfer, insure or outsource. Some obvious examples include insuring against events such as fire and accidents, and outsourcing transport services to a third party that has managerial expertise in this area.
- Retain – accept the risk and have a plan to manage it. In transport, this could include improved selection of drivers, driver training and ensuring vehicles are maintained to the highest standard.
The risk management plan should have the identified risks listed in a risk register. It should include the following:
- Responses – actions to mitigate the risk
- Contingency plan – plan if mitigation strategy fails
- Risk rating – severity, likelihood and residual
- Trigger – what is likely to trigger the risk occurring
- Owner – manager or person responsible.
Although not all risks can be eliminated – and some risks are inherent in the industry or business – having a plan, monitoring and reviewing the risks regularly, and updating the plan when required is good practice. The collapse of McAleese Transport is an example of how poor management of mitigating risks can have severe implications for a business and its employees. In conclusion, the risk management plan should include a crisis management plan.
What are the risks in your business?
Can you categorise the risks easily into consequence and likelihood?
Are they in your risk management plan?