Risk Management

Introduction to Risk Management - all firms face business risks that could either create a minor disruption or potentially even threaten their entire existence. Just like in everyday life, business risks are unavoidable and should therefore be understood, controlled and managed. A 'risk' could be defined as the likelihood of a specific and unwanted event occurring that will have a negative impact on a firm. The business impact of a negative risk occurring is proportionately more devastating to a small firm than a large one because small firms have less resources and less people to deal with immediate aftermath. For example, the failure of computers, the cost of litigation, the absenteeism or unexpected movement of important staff can all cripple a small business, if a problem cannot be solved quickly. This article summarises the risk management issues facing small businesses...

What is Risk Management? -'Risk Management' could be defined as the formal identification and analysis of business risk, its impact on a firm and creation of a contingency plan to minimise the impact when they occur. The concept of 'risk management' is usually associated with enterprise wide established organisations dealing with complex processes and a variety of unpredictable threats to its success (particularly related to computer downtime). Risk Management is a good management process which has created a whole series of risk management jobs, particularly in the project consultancy advice and financial risk management sectors. However whether applied to large or small firms the risk management process essentially involves simple logical steps:-

• Identifying specific risks

• Measuring the probability that each identified risk could occur

• Deciding the best way to deal with a risk occurring

• Creating and implementing a plan to cope with the impact the risks identified

• Consistent monitoring of the new controls defined in the risk management plan

Undertaking this process can help prepare for the worst even though things may seem comfortable, stable and manageable. In other words proper preparation prevents poor performance. In addition implementing the risk management plan can help simplify budgeting and scarce resource planning. The British Standard 31100 code of practice helps firms by providing a risk management framework within which more businesses can analyse their current situation. It gives you an understanding on how to develop, implement and maintain effective risk management within your business. Using BS 31100 effectively can help you increase your company's effectiveness. The first step is to understand the risks...

Identifying Types of Business Risks - different businesses face different types of threats depending upon factors such as the level of knowledge-based complexity and the physical environment employees operate under. A sensible method of evaluating each risk is to prioritise it according its financial impact and probability it would ever actually occur. For example a complete computer failure may cost two days of systems downtime during which time sales order processing and credit control systems become redundant (these are areas you can clearly measure numerically by financial loss). With this in mind the main types of business risks are as follows:-

• Financial Risks - one of the biggest threats to most small businesses are cash flow problems created through non payment of invoices from larger customers. Perhaps sales of a particular about service unexpectedly for while the previously reliable customer finds himself in financial difficulties themselves and late paying an important invoice. Similarly if interest rates suddenly rise on business loans firms can suffer from rising variable overheads which can squeeze margins and cash flow accordingly.

• Compliance Risks - there is always a plethora of new laws, regulations planned in United Kingdom and beyond. Most entrepreneurs despise the ever-increasing pointless red tape thrust upon their shoulders. However the rules must be followed and failure to learn about forthcoming compliance standards is no excuse. Most are pre-announced and some may unexpectedly impact a firm's ability to sell, market, manufacture and advise. Without proper authority to trade a non compliant activity may run into legal difficulties.

• Operational Risks - there are many practical operational threats to firms including machine failure, fire, flood, theft of equipment and transportation problems. Less obvious risks may include key staff leaving to work from other competitor unexpectedly, employees suffering workplace injuries and suing their employer and supply chain collapse. The list of operational threats need to be assessed in terms of every internal business process and the political, economic and social and technological external threats facing the firm.

The Risk Management Process - the first step is to identify types of risks that exist facing the enterprise.. This will may involve undertaking a qualitative risk analysis and quantitative risk assessment to produce a Risk Management Plan. It should track the critical path of key processes to see how one event affects another. It should ask the obvious and big questions such as 'what would happen if my largest customer went out of business'?, How can I recover from a major loss of data during my busiest trading period?'. In answering these types of questions it is worth considering:-

• The Associated Costs of Risk Management -having backup plans in place will inevitably cost money both in preparation and the implementation phase. However sometimes the cost of combating a potential risk is simply too much for a firm to bear. For instance having a second location available fully kitted out with computer equipment may be simply too expensive. You will need to measure any existing sunk costs and the opportunity cost of doing nothing when accepting a risk could happen (versus the cost of proactively managing the risk).

• Risk Monitoring and Control - the only way to continually ensure that risks are understood and under control is to put in place some type of event measuring process. A risk management report written for its own sake is worthless if not updated and implemented in full. For smaller businesses a simple checklist of actions may suffice reminding the owner that backup systems are in place should the worst happen.

• Organisational Culture and Responsibility - different business owners will have different attitudes and tolerances towards risk and reward - the controlling owner is either a risk taker naturally risk averse. Some industries are more regulated than others and the necessity of legal compliance means managers must be responsible and behave in a way to protect consumers from harm (such as unnecessarily exposing them to a product defect or providing unqualified financial advice). Conversely many entrepreneurs and sole traders are prepared to risk everything to achieve their financial dreams. In organisations that can achieve enormous commissions and bonuses people tend to take greater risks because the upside is achievable. If a 'Risk Manager' has not appointed it is likely watered-down decisions by committees will create weaker risk control structures within an organisation. In most smaller private firms the business owner is forced to wear many management hats. Most entrepreneurs see little value in investing valuable time in disaster planning as (being naturally optimistic characters) they would much rather spend their time selling or forecasting bumper profits.

How to Combat Risks - firms need to formalise a risk management policy that defines the practical actions and responsibilities should specific events occur. Part of this process will be ensuring:-

• Procuring Business Insurances - in situations where the cost of managing the risk is too great insurance can be used to transfer the risk by mitigating the financial loss of an event. There are many business insurances available to mitigate risk. These include commercial building insurance, product liability insurance, employers liability cover, professional indemnity insurance and legal expenses cover. However financial compensation from an insurance claim will only cover the loss itself and the claim may not be settled in enough time enough to recover the knock on effect of the event occurring. For example the loss of customer goodwill due to transportation problems, or the damage to business reputation a legal case creates or the ability to manufacture or sell should cashflow problems prevent re-stocking. Insurance claims are notoriously slow by which time losses could push small firms into insolvency. Proactive planning needs to supplement risks protected by business insurances...

• Implementing Practical Measures - from the Risk Management Plan a series of practical steps need to be implemented to provide backup processes in case one of the events occurs outlined in the plan. For large enterprises entire business continuity plans are generated outlining detailed actions for specific employees should a major disaster such as the fire occur. For smaller firms sometimes the simplest solutions are the most obvious ones. For example allocating a reserve emergency contingency fund to do with cash flow problems, having a backup and restore process for customer data or providing staff with alternative means of working should office disaster occur.