Risk management involves understanding, analysing and addressing risks in order to reduce them to an acceptable level, or fully eliminate them. As a practice, risk management seeks to protect your business from potential hazards without hindering growth.
Risks are implicit in doing business. Many types of risk can affect your business including IT, operational, financial, legal, regulatory, political and strategic risks. Most can present opportunities as well as threats, and affect your ability to achieve your business objectives.
This guide explains the risk management process and the types of risk your business faces. It tells you how to evaluate business risks to identify those that could pose a threat to your successful operations.
It also suggests certain preventative measures for business continuity and tells you why it is important to choose the right insurance to protect against business risk.
Types of risk your business faces
Business risk is a broad category. It applies to any event or circumstance that has the potential to prevent you from achieving your business goals or objectives. Business risk can be internal (such as your strategy) or external (such as the global economy).
You should not manage or treat in the same way all types of risk. You should understand what type of risk you are facing, before you consider how to deal with it.
Types of business risks
The main four types of risk are:
- strategic risk - eg a competitor coming on to the market
- compliance and regulatory risk - eg introduction of new rules or legislation
- financial risk - eg interest rate rise on your business loan or a non-paying customer
- operational risk - eg the breakdown or theft of key equipment
These categories of risks are not rigid and some parts of your business may fall into more than one category. The risks attached to data protection, for example, could be considered when reviewing both your operations and your business' compliance.
Other sources of business risk
Other factors can present certain threats to your business, including:
- environmental risks, such as natural disasters
- political and economic instability in any foreign markets you export goods to
- health and safety risks - see health and safety risk assessment
- commercial risks, including the failure of key suppliers or customers
- workforce risks, eg maintaining sufficient staff numbers and cover, employee safety and up-to-date skills
See how to evaluate business risks.
Importance of understanding risk
Risk is often described by an event, a change in circumstances or a consequence. A common definition of risk suggests that risk is the effect of uncertainty on achieving or surpassing business objectives. This effect may be positive, negative or a deviation from the expected, for example in forecasts and projections.
Without identifying risks, it is difficult to successfully define your objectives and set out strategies for achieving them. It is best practice to integrate business risk management with your strategy formulation and business planning processes.
Understanding and managing risks allows you to control, and often prevent, the financial, organisational, legal and other ramifications associated with risks.
See more on strategic planning for business growth.
As your business attempts to achieve your strategic objectives, internal and external events can deter or prevent you from accomplishing them. This is known as strategic risk.
You can define strategic risks as:
- the potential impact of strategic decisions, or of a defective or inappropriate strategy
- lack of responsiveness to industry changes
- risks related to future plans, eg entering new markets, expanding existing services, etc
Managing strategic risks shouldn't just focus on challenges that might cause a particular strategy to fail, but on any major risks that could affect a company's long-term positioning and performance.
Identifying strategic risks
Sources of strategic risk can be any of the following:
- mergers, acquisitions and other competition
- market or industry changes
- changes among customers or in demand
- change management
- human resource issues, such as staffing
- financial issues with cashflow, capital or cost pressures
- IT disasters and equipment failure
- relationship issues, eg with suppliers
- reputational damage
For example, the possibility of a US company buying one of your European competitors would constitute a strategic risk. Such an acquisition would give the US company a distribution arm in the UK, making them a direct competitor. In this situation, you might want to consider:
- any US companies which have the cash/share price to do this
- any European competitors that are likely takeover targets - eg due to financial problems
- the prospect of the US company cutting prices or launching new products to compete against you
Where there's a strong possibility of this happening, you should prepare some sort of response.
What is strategic risk management?
Strategic risk management (SRM) is a process that can help you to identify, assess and manage the risk in your business strategy. It also allows you to take quick action when risks materialise. It involves evaluating:
- how possible events and scenarios may affect your strategy and its execution
- the ultimate impact of these risks on the company's value
See how to evaluate business risks.
SRM requires you to define tolerable levels of risk as a guide for making strategic decisions. Rather than a one-off effort, SRM is a continual process that you should embed into your strategy setting and execution. See how to develop a strategic plan.
Compliance and regulatory risk
Compliance and regulatory risks arise from laws and regulations that rely on penalties or sanctions to regulate the operations of a business.
What is a regulatory risk?
Regulatory risk is the effect of a change in laws and regulations that could potentially cause losses to your business, sector or market.
Regulatory risks could, for instance:
- increase the costs of running a business - eg costs to achieve compliance
- change the competitive landscape - eg perhaps invalidating your business model
- make your business practices illegal - eg new law changing rules on marketing
- reduce the attractiveness of an investment
For example, your products or services could become less marketable if new laws or taxes are introduced. This was the case with tobacco and asbestos products in the past.
The introduction of tougher food labelling regulations has similarly disrupted the food industry, pushing up costs and reducing the appeal of certain types of food.
New and emerging regulations can have a wide-ranging impact on your strategic direction, business model and compliance system. It is, therefore, important to consider regulatory requirements when you evaluate business risks.
What is the difference between compliance and regulatory risk?
Compliance risk relates to the potential of your business to violate a law or regulation. Often, compliance risk results from:
- insufficient control systems
- lack of training
- lack of due diligence
- human error
Compliance risks can potentially expose your business to a range of consequences, including:
- legal penalties
- voided contracts
- financial forfeiture
- material loss
- loss of business opportunities
- damaged reputation
While compliance risks mainly involve the need to comply with laws and regulations, they can also relate to the need to act in a way that investors and customers expect. For example, by ensuring proper corporate governance.
Financial risk refers to your business' ability to manage your debt and fulfil your financial obligations. This type of risk typically arises due to instabilities, losses in the financial market or movements in stock prices, currencies, interest rates, etc.
Difference between business risk and financial risk
Business risk relates to the basic viability of a business. It refers to your ability to turn a profit and cover your operating expenses, such as salaries, rent, production costs and office expenses.
Financial risk, on the other hand, is concerned with the costs of financing and the amount of debt you incur to finance your operations.
Types of financial risk
Common categories of financial risk include:
- market risk
- credit risk
- liquidity risk
- operational risk
Market risk relates to the probability of incurring a loss due to things like market volatility, hikes in interest rates or raw material costs, fluctuation in foreign currency values, etc. For example, exchange rate changes will affect your debt repayments and the competitiveness of your goods and services compared with those produced abroad.
Credit risk is the probability of failing to pay to a creditor (such as a bank or a lender) or another party (eg a supplier). You may also incur credit risk by extending credit to customers, due to the possibility of them defaulting on payment.
Liquidity risk affects your ability to meet short-term financial demands to execute your business transactions. Key sources of risk are potential cashflow problems, because of things like the seasonal downturn in revenue, lack of buyers for your assets or inefficient market.
Operational risk is the likelihood of incurring a loss due to the negative effects of procedures, systems or policies you have in your business. Common sources include technical failures, fraud activity, employee errors, etc. Find out more about operational risk.
Financial risk management
Managing financial risks is a high priority for businesses, irrespective of their size or industry. In order to take control of the financial risks, you need to:
- identify and measure the risks
- decide on the level of risk you are willing to accept
- consider insurance to protect against business risk
- identify potential issues with cashflow
- review your financial arrangements with creditors
- be careful if extending credit to customers
- diversify your income sources
- regularly reassess your risks
Make sure to consider the various factors affecting financial risk. Broadly, these fall under two categories:
- external factors - including economic downturns, market rates, industry changes, law changes, etc
- internal factors - including underperformance, poor cashflow management, bad investments, new competition, staff issues, etc
Take into account both external and internal factors when carrying out a financial risk assessment. Find out how to evaluate business risks.
Read about other strategies to manage business risk.
Operational risk is the possibility of business operations failing due to inefficiencies or breakdown in your internal processes, people and systems. Human error and external events (such as regulatory changes) are a few of the common sources of such risk.
Types of operational risk
Operational risk focuses on how you accomplish things in your businesses. It is typically associated with how your business functions internally and broadly covers the following categories:
- fraud - eg bribery, misuse of assets and tax evasion
- other criminal activity - eg data theft, hacking, etc
- workplace policies and safety - eg discrimination, staff health and safety
- products and business practice - eg product defects or market manipulation
- physical assets - eg vandalism, natural disasters, equipment maintenance, etc
- business disruption - eg utility downtimes, IT system failures, etc
- process management - eg accounting errors, data entry errors, non-reporting
These risks present varying levels of threat to business - from minor inconvenience to potentially putting its very existence in jeopardy. You should not underestimate the potential impact of operational risk.
Impact of operational risk
If operational risks materialise, they can cause significant damage to your business, including:
- outright loss - eg costs of dealing with system failure or processing error
- regulatory overhead - eg costs of audits or mandated investigations
- reputational damage - eg as a consequence of fraudulent activity or unfair practices
Contrary to other types of business risks, operational risks are not typically revenue driven or willingly incurred. Some organisations accept them as an unavoidable cost of doing business.
However, you can reduce risk exposure and your operating costs by developing an operational risk management strategy for your business.
What is operational risk management?
Operational risk management is a continual process of assessing risks and implementing relevant controls that lead to either acceptance, mitigation or avoidance of risk.
To manage operational risk, you must first understand the nature of your business and the particular risks associated with it. This understanding will help you to identify, assess, monitor and adequately control or mitigate the risks.
Effective operational risk management can also help to:
- prevent unexpected operational loss
- cut compliance or auditing costs
- detect unlawful activities
- minimise exposure to future risks
You can insure against certain operational risks to help provide additional protection against the cost of operational events. Find out how to choose the right insurance to protect against business risk.
Risk management process
Risk management helps you to detect and address the risks facing your business. It is a key part of the strategic management of any organisation.
Steps in the risk management process
Risk management process typically involves six core components:
- recognition or identification of risks
- evaluation and assessment of risks (and how likely they are to occur)
- responding to significant risks
- reporting and monitoring risk performance
- contingency and recovery planning
- reviewing risk management approach and controls
Identification and evaluation of risks are generally known as risk assessment. This activity is critical to determining suitable risk responses. It can also be legally required in some business areas, eg health and safety. See how to evaluate business risks.
Risk responses can include tolerance, treatment, transfer or termination of risks. If a risk presents an opportunity, a suitable response may be to exploit it. Discover strategies to manage business risk.
Risks are incredibly diverse. They can affect any aspect of your business and have short, medium or long term impact. To manage risks effectively, it is crucial to fully understand the types of risk your business faces.
Benefits of risk management
Risk management process helps you in achieving your business success. It also allows you to:
- make informed decisions, plan and prioritise
- allocate capital and resources appropriately
- prevent wastage of time and effort in fire-fighting potential problems
- foresee what may go wrong, pre-empt, prevent or react promptly to risks
- improve outcomes for your business
- discover opportunities
- reduce business liability
Risk management gives you the strategic basis and the operational framework for handling a crisis within your business. It is a cornerstone of business continuity and crisis management.
Risk management standards
A number of standards exist to help organisations implement risk management systematically and effectively. Commonly used risk management standards include:
- ISO 31000, risk management guidelines
- IEC 31010, supporting standard for ISO 31000
- COSO enterprise risk management - integrated framework
- GRD Capability Model, also known as OCEG 'Red Book'
Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract. See more on quality management standards .
Enterprise risk management
You should manage risk proportionately to the complexity and type of your business. If you run a large company, you may want to consider an integrated, enterprise risk management approach to managing risk across the whole organisation and its networks.
Evaluate business risks
Risk evaluation allows you to determine the importance of risks to the business. You can then decide to accept the specific risk or take action to prevent or minimise it.
How to evaluate risks to your business
First, you should consider all the types of risks your business may face - from strategic and compliance risks to financial and operational threats. Identify these risks and rank them in order to evaluate them.
You should rank the risks by considering the consequence and the likelihood of each. For many businesses, assessing consequence and likelihood as high, medium or low will suffice.
Evaluate these risks alongside:
- your business plan - to determine which risks may affect your company's objectives
- any legal requirements, costs and investor concerns - sometimes, the cost of reducing a potential risk may be so high that doing nothing makes more business sense
Tools to evaluate business risk
You can use several business tools to help evaluate risks. For example, you can create a risk map by plotting on it the significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk is rated ten, this means a major concern to the company. One is the least important.
The map allows you to visualise risks in relation to each other and gauge their extent. This lets you plan what type of controls you should put in place to reduce the risks.
Importance of prioritising risks
Prioritising risks allows you to direct time and money toward the most important risks - those with the greatest potential to disrupt your business. By identifying which risks to focus on, you can put systems and controls in place to deal with any fallout. For example, define a decision process and escalation procedures that your company would follow if an event occurred.
Prevent and reduce business risk
Managing and reducing risk involves putting processes, methods and tools in place to deal with the outcomes of events you have identified as threats to your business.
Internal controls for risk prevention
Effective internal controls are necessary to mitigate different types of risks to your business. Two categories of controls exist:
- preventive controls - help you avoid risk before it occurs
- detective controls - help you find problems after they occur
To prevent and reduce risks, you should evaluate your current control activities and amend them if necessary. For example, you may want to:
- set aside financial reservesto ease cashflow problems if they occur
- use physical control over assets, eg locks
- put in place data backup and IT support to deal with potential systems failures
- screen and train employees before you allow them access to critical systems
- limit the number of employees with access to critical or sensitive data
- segregate certain types of duties to different employees, eg financial decisions
- introduce pre-approval of actions and transactions
- carry out internal audits, inventory counts, etc
- review organisational performance regularly
Maintaining appropriate and effective internal controls will help you to mitigate some of your risks. Developing a risk management plan will also help you to foresee risks, estimate impacts, and define your responses to address them.
Risk management and business continuity
Programmes which deal with threats identified during risk assessment are often referred to as business continuity plans.
These set out what you should do if a certain event happens - for example, if a fire destroys your office. The foundation of a business continuity plan is typically a business impact analysis. The analysis can help you to:
- understand how your business would cope during downtime
- calculate recovery time objectives for your services
- understand the resources you need to keep critical functions running
Business impact analysis will form the basis of your disaster recovery and help you create a business continuity plan, potentially reducing disruption to your business.
Review your risk mitigation practices
Risk assessments will change as your business grows or under the influence of internal or external factors. This means that the processes you have put in place to manage your business risks should be regularly reviewed. Such reviews will find improvements to the processes and also can indicate when a process is no longer necessary.
Discover more strategies to help you manage business risk.
Strategies to help you manage business risk
To determine the most effective risk mitigation strategy for your business, you must first identify the risks, analyse them and evaluate their potential likelihood and impact. When you fully understand all the possible risks and their severity, you can begin to treat them.
Most common strategies for treating the risk are:
- transfer (sharing)
Risk transfer strategy
Risk transfer or sharing helps you redistribute the impact of an adverse event over multiple parties. This could include partners or company members, an outsourced entity or purchasing an insurance policy. Sharing works best for risks that are unlikely to occur but could potentially have a big financial impact. For Contracts with suppliers or contractors may provide a means to move risk away from your organisation, but keep in mind that this approach may not always suit. For example, if your product is faulty due to a supplier's error, customers may still associate it with you even if your supplier pays for damages.
Risk reduction strategy
Reducing risks involves taking measures to minimise the probability and the impact of the risk occurring. The aim is to reduce the risk to an acceptable level, sometimes called a residual risk level. Most businesses should try to reduce the risk whenever possible and economically advantageous. For example, you could introduce new safety measures, strengthen internal control or diversify your operations in order to mitigate the worst risks.
Risk avoidance strategy
If the probability and the impact of the risk are too high, it may be best to remove it altogether. This might involve changing the way you produce your product or deciding to avoid certain activities - for example, the launch of a new product or entering a new contract. Whether this is a viable option depends on your particular circumstances. Bear in mind that by stopping activities that carry the risk, you may also forfeit associated potential return and opportunity.
Risk acceptance (risk retention)
Accepting the risk assumes not taking any action to mitigate its impact and probability. This 'do nothing' approach accepts that some level of loss is likely to occur - usually the type of loss that can be easily absorbed within the business, at least at the beginning. However, if risk events occur regularly, business disruption and the costs for addressing it, will likely mount. It's important to assess risk retention options alongside other possible mitigation approaches, to determine suitable approach in the long term.
Choosing your risk management strategy
The best way of dealing with risk will depend on the situation, as well as the probability and impact of a particular risk. It is unlikely that you will be able to completely eliminate all risk, so your task will mainly be to determine whether the risk is acceptable and, if not, decide how you want to deal with it.
Business risk insurance
Purchasing risk protection insurance is a way of reducing the financial impact of a business interruption, loss or damage to a facility or equipment.
Insurance doesn't actually reduce your business' risks. It simply provides coverage and protection against the losses associated with some risks. Typical risks you can insure against could be: fire, theft, vandalism, workers compensation, legal costs, protection from injury or property damage to a third party, or business disruption.
Types of business risk insurance
Commercial business risk insurance typically covers five basic areas:
- property insurance
- crime insurance (including data breach cover)
- business interruption (or business continuity) insurance
- liability insurance
- equipment breakdown insurance
Some business insurance you must have by law, such as employers' liability insurance, commercial motor insurance and professional indemnity insurance for certain professions.
Liability insurance is designed to pay any compensation and legal costs that arise from neglect or breach of duty. For more information, see liability insurance.
Business interruption policy can help insure against loss of profit and higher overheads resulting from, say, damaged machinery.
Other types of business insurance exist, such as key man insurance, credit insurance, money policies, legal expenses, etc. Employers can even buy life insurance or private medical insurance for a whole group of employees. See detailed guidance on the different types of insurance.
How do insurance companies mitigate risk?
Risk insurance provides a level of financial compensation in the event of a loss. Insurers only pay the compensation if the loss is insured by a valid policy.
Insurance companies increasingly want evidence that business risk is being managed. Before they provide cover, they may want proof that you have processes in place to minimise the likelihood of a claim. You can ask your insurance adviser for advice on appropriate processes - see how to choose an insurance adviser for your business.
It is important to review your policies regularly to determine if they adequately cover your potential losses. To review your policy, you should:
- carry out regular risk assessments to identify potential hazards to your business
- use business impact analysis to quantify potential impacts
- examine the level of policy and the coverage you currently have
- consider all the risks and their outcomes to determine the required level of insurance
Having the right policy in place can be crucial for your business' survival, but keep in mind that some costs may be uninsurable, such as the damage to a company's reputation.