Risk is a fact of life. Risk is part of doing business. Business is about change and change involves some degree of risk. While risks in everyday life cannot always be foreseen and forestalled, a good Business Plan will include a section on how to manage identified risks inherent in any organisation’s day-to-day activities.
Risk can be defined as the uncertainty inherent in pursuing a particular outcome or objective. Risk can be
- Positive - Opportunity
- Negative - Threat
Risk Management is about reducing exposure to negative impact and involves keeping any unwanted outcomes to a minimum.
Risk Management requires:
- A thorough knowledge of all aspects of your business activity
- Access to reliable and up to date information about risks
- Decision making processes for risk assessment and management
- Processes to monitor risks
- A contingency plan and supporting budget
Risk Management can be applied across the board. It is equally useful as a method of managing overall Business risk and for controlling Health and Safety issues.
Risk Management Cycle
The risk environment is constantly changing. Business objectives and activities are also subject to change. Any assumptions about identified risks and their impact on business should therefore be regularly reviewed.
A good starting point for identifying risks is to look at your overall business activity. List potential risks and then divide them into categories according to which component of the organisation they belong. The likelihood of any risk resulting in a negative impact can be assessed for each of the risks within each category. All identified risks should be recorded in a Risk Log document which contains
- an assessment of the risk
- the ‘owner’ of the risk ie. person who has to take action against it
- the status of the risk
The Risk Log should be kept up-to-date and reviewed at least monthly.
Assessing the level of Risk
Risk Assessment considers the potential impact, both good and bad, caused by taking a risk, against the probability of that impact arising in the first place. Risk assessment should consider potential impact to all business components such as time, cost, cashflow, quality, staff welfare, scope, and reputation. Risk assessment can be done in any area of business activity, whether it be ensuring that desk cabling is properly secured, or considering entering into a partnership deal with a competitor.
The five main stages to taking action against a risk can be thought of as:
- Prevention – Can action be taken to remove the risk completely?
- Reduction - Take action to control the risk’s negative impact and/or the probability of it happening
- Transference - The management of the risk is passed to a third party e.g. through an insurance policy
- Acceptance - The negative impact can be tolerated or the probability of the risk occurring is extremely low
- Contingency – Actions taken in response to a negative impact
Deciding what to do about a risk can be a trade-off between the cost of managing it, and the probability of it having a negative impact coupled with the costs associated with that impact if it does happen. An example would be to manage risk by spending £5000 on an insurance policy for an outdoor event which would return £8,000 should the event be rained off. Alternatively, take a risk to go without insurance and save on costs, if the event is taking place in the summer or during a predicted spell of dry weather.
Monitoring and reporting
It is important to review risks regularly and to update the Business Plan accordingly. Unforeseen risks can be very costly both financially and in terms of reputation, especially to smaller organisations.