Business risk management is a subset of risk management used to evaluate the business risks involved if any changes occur in business operations, systems and processes. It identifies, prioritizes and addresses risks to minimize penalties from unexpected incidents, by keeping them on track. It also enables an integrated response to multiple risks, and facilitates a more informed, risk-based decision-making capability.
Business today is unpredictable, volatile and seems to become more complex every day. By its very nature, it is filled with risk. Businesses have viewed risk as an evil that should be minimized or mitigated whenever possible. However, risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Risks can have a negative impact, a positive impact, or both. Risks with a negative impact can prevent value creation or erode existing value. Risks with a positive impact may offset negative impacts or represent opportunities.
The risk management process involves:
- Identifying risks: Spotting the evolving risks by studying internal and external factors that impact the business objectives
- Analyzing risks: It includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
- Responding to risk: After identifying and analyzing the potential risk, an appropriate strategy needs to be incorporated, either by establishing new processes or by elimination, depending on the kind and severity of the risk.
- Monitoring risk and opportunities: Continually measuring the risks and opportunities of the business environment, while also keeping a check on the performance of management strategies.
Types of risks
- Hazard risk: A hazard is anything in the workplace that has the potential to harm people. Hazard risk includes factors which are not under the control of the business environment, such as fallout from machinery or dangerous chemicals, and natural calamities.
- Financial risk: A large number of businesses take risks with their financial assets quite regularly. Sometimes choosing the wrong supplier or distributor can backfire. Financial risk also includes risk in pricing, in currency exchange and during the liquidation of any asset. Business risk management should say how much risk is too much in a financial relationship.
- Operational risk: Evaluation of the risk of loss resulting from internal processes, systems, people or any external factor through which a company operates.
- Strategic risks: Might arise from making poor or wrong business plans and losing the competition in the market. Failure to respond to changes in the business environment or inadequate capital allocation also represents strategic risk.
Running a business comes with many different types of risk. Some of these potential hazards can destroy a business while others can cause serious damage that can be costly and time-consuming to repair. Despite the risks implicit in doing business, CEOs and risk management officers can anticipate and prepare for potential risks regardless of the size of the business.
Identifying Risks
If and when a risk becomes a reality, a well-prepared business can minimize the impact on earnings, the lost time and productivity, and the negative impact on customers. For startup businesses and established organizations, the ability to identify which risks pose a threat to successful operations is a key component of strategic business planning. Business risks are identified using various methods, but each identifying strategy relies on a comprehensive analysis of specific business activities that could present challenges to the company. Under most business models, organizations face preventable, strategic, and external threats that can be managed through either acceptance, transfer, reduction, or elimination.
Hiring a risk management consultant is a good investment for most companies. A consultant can analyze a business and determine which risks should be covered by insurance.
Below are the main types of risk that firms face:
Physical Risks
Building risks are the most common type of physical risk. Fire or explosions are the most common risk to a building. To manage building risk, and the risk to employees, it is important that organizations do the following:
- Make sure all employees know the exact street address of the building to give to the 911 operator in case of emergency.
- Make sure all employees know the location of all exits.
- Install fire alarms and smoke detectors.
- Install a sprinkler system to provide additional protection to the physical plant, equipment, documents, and, of course, personnel.
- Inform all employees that in the event of emergency their personal safety takes priority over everything else. Employees should be instructed to leave the building and abandon all work-associated documents, equipment, and/or products.
Location Risks
Among the location hazards facing a business are nearby fires, storm damage, floods, hurricanes or tornados, earthquakes, and other natural disasters. Employees should be familiar with the streets leading in and out of the neighborhood on all sides of the place of business. Individuals should keep sufficient fuel in their vehicles to drive out of and away from the area. Liability or property and casualty insurance is often used to transfer the financial burden of location risks to a third party or a business insurance company.
Human Risks
Alcohol and drug abuse are major risks to personnel in the workforce. Employees suffering from alcohol or drug abuse should be urged to seek treatment, counseling, and rehabilitation, if necessary. Some insurance policies may provide partial coverage for the cost of treatment.
Protecting against embezzlement, theft, and fraud may be difficult, but these are common crimes in the workplace. A system of double-signature requirements for checks, invoices, and payables verification can help prevent embezzlement and fraud. Stringent accounting procedures may discover embezzlement or fraud. A thorough background check before hiring personnel can uncover previous offenses in an applicant’s past. While this may not be grounds for refusing to hire an applicant, it would help HR to avoid placing the new hire in a critical position where the employee is open to temptation.
Illness or injury among the workforce is inevitable and a persistent problem. To prevent loss of productivity, assign and train backup personnel to handle the work of critical employees when they are absent due to a health-related concern.
Technology Risks
A power outage is perhaps the most common technology risk. Auxiliary gas-driven power generators are a reliable back-up system to provide electrical energy for lighting and other functions. Manufacturing plants use several large auxiliary generators to keep a factory operational until utility power is restored.
Computers may be kept up and running with high-performance back-up batteries. Power surges may occur during a lightning storm (or randomly), so organizations should furnish critical business systems with surge-protection devices to avoid loss of documents and destruction of equipment. Establish offline and online data back-up systems to protect critical documents.
Although telephone and communications failures are relatively uncommon, risk managers may consider providing emergency-use-only company cell phones to personnel whose use of the phone or internet is critical to their business.
Strategic Risks
Strategy risks are not altogether undesirable. Financial institutions such as banks or credit unions take on strategy risk when lending to consumers while pharmaceutical companies are exposed to strategy risk through research and development for a new drug. Each of these strategy-related risks is inherent in an organization’s business objectives. When structured efficiently, the acceptance of strategy risks can create highly profitable operations.
Companies exposed to substantial strategy risk can mitigate the potential for negative consequences by creating and maintaining infrastructures that support high-risk projects. A system established to control the financial hardship that occurs when a risky venture fails often includes diversification of current projects, healthy cash flow, or the ability to finance new projects in an affordable way, and a comprehensive process to review and analyze potential ventures based on future return on investment.
Making a Risk Assessment
After the risks have been identified, they must be prioritized in accordance with an assessment of their probability.
Establish a probability scale for purposes of risk assessment.
For example, risks may be:
- Very likely to occur
- Have some chance of occurring
- Have a small chance of occurring
- Have very little chance of occurring
Other risks must be prioritized and managed in accordance with their likelihood of occurring. Actuarial tables—statistical analysis of the probability of any risk occurring and the potential financial damage ensuing from the occurrence of those risks—may be accessed online and can provide guidance in prioritizing risk.
Insuring Against Risks
Insurance is a principal safeguard in managing risk, and many risks are insurable. Fire insurance is a necessity for any business that occupies a physical space, whether owned outright or rented, and should be a top priority. Product liability insurance, as an obvious example, is not necessary for a service business.
Some risks are an inarguably high priority, for example, the risk of fraud or embezzlement where employees handle money or perform accounting duties in accounts payable and receivable. Specialized insurance companies will underwrite a cash bond to provide financial coverage in the event of embezzlement, theft, or fraud.
When insuring against potential risks, never assume a best-case scenario. Even if employees have worked for years with no problems and their service has been exemplary, insurance against employee error may be a necessity. The extent of insurance coverage against injury will depend on the nature of your business. A heavy manufacturing plant will, of course, require more extensive coverage for employees. Product liability insurance is also a necessity in this context.
If a business relies heavily on computerized data—customer lists and accounting data, for example—exterior backup and insurance coverage are mandatory. Finally, hiring a risk management consultant may be a prudent step in the prevention and management of risks.
Risk Prevention
The best risk insurance is prevention. Preventing the many risks from occurring in your business is best achieved through employee training, background checks, safety checks, equipment maintenance, and maintenance of the physical premises. A single, accountable staff member with managerial authority should be appointed to handle risk management responsibilities. A risk management committee may also be formed with members assigned specific tasks with a requirement to report to the risk manager.
The risk manager, in conjunction with a committee, should formulate plans for emergency situations such as:
- Fire
- Explosion
- Hazardous materials accidents or the occurrence of other emergencies
Employees must know what to do and where to exit the building or office space in an emergency. A plan for the safety inspection of the physical premises and equipment should be developed and implemented regularly including the training and education of personnel when necessary. A periodic, stringent review of all potential risks should be conducted. Any problems should be immediately addressed. Insurance coverage should also be periodically reviewed and upgraded or downgraded as needed.