By Shelley Dale on Sunday, 23 February 2025
Category: ISO31000 Risk Management

Business Risks – What are they and how do I manage them?

Understanding and documenting business risks is something many businesses simply fail to do. They view it as something "only big businesses do" or a "corporate thing", but that's not the case.

Managing business risks is an important step for any business, no matter how big or small: it means considering every risk to keeping the doors open.
This is a responsibility any good business owner should take seriously, not only for themselves but also for their staff, customers and the wider community.
It's also a big part of ISO risk-based thinking; there is even a standard just on how to manage your risks – ISO 31000 – Risk Management. Even if you don't intend to get certified to it, this standard is an excellent read to guide you on best practice for risk assessment, analysis and management.

Let's run down the 4 steps (yes 4 steps!) on how to make sure you have this in the bag for you and your team:

1. Identify Your Risks

Sounds easy, right? But I guarantee that if you try this one solo you're bound to miss a trick here and there, so be sure to get your wider leadership team involved in the brainstorming. Remember, risk management is a team sport!

Here's a helpful list of things that could be on your radar:

2. Analyse Your Risks

Business risk analysis is the same as any other risk analysis: figure out the likelihood of the risk occurring, and then what impact it's going to have on the business. The best way is often to make it visual by creating a risk matrix with appropriate scoring to give you low, medium and high risks, or something similar. Below is an example of what a scoring matrix might look like:

Be sure to put some detailed context around each option, e.g. low likelihood might be "may occur in exceptional circumstances" and high likelihood might be "is expected to occur annually". Consequence might be associated with cost, reputation or market share, or a combination of all three, at a level that's relevant to your turnover or strategy. Clear scoring guidelines give a higher chance of consistent scoring and a shared understanding of the risk across the wider team.

Once they are scored, look at the controls you already have in place against those risks. That might be stock portfolio selection, training plans, regular reviews of where your salaries sit in the market, company culture surveys, a strong R&D department budget, insurance policies and so on. Re-score those risks based on the controls you already have up and running.

3. Evaluate Your Risks

Once your scoring is complete, you can rank the risks by their overall score after controls. Consider your business's risk tolerance, i.e. how much risk your business is willing to take; everyone is different. Some teams are very risk-averse and don't like to take chances, others are happy to take a lot of risk up to a point, so you need to understand your own tolerance. Then decide which risks are acceptable as they are, and which require you to do something about them (which we call mitigation) to bring them down to an acceptable level in line with your company's risk appetite.

The risk management standard also requires you to record what that acceptable level is, and who has the authority to accept a risk at a higher level if that's necessary.

Then you're into the harder part: you need to start those good ol' action plans and actually put better controls in place for your risks. Again, include team input here; out-of-the-box thinking will help you put plans in place that drive improvement in the right direction.

Understanding your risks gives you excellent focus on the right areas to keep your business on track and lower the chances of negative outcomes in the future. It can clarify decision-making and remove objections quickly if everyone is on the same page regarding WHY this project or budget is important.
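Putting steps 2 and 3 together, here is a small worked example (added here, not from the original post): a risk register scored on 1-5 likelihood and consequence scales, re-scored against the controls already in place, ranked by residual score and compared with a stated risk appetite. The band boundaries, the way a control reduces a score, the sign-off roles and the register entries are all assumptions to adapt to your own matrix.

```python
from dataclasses import dataclass, field

BAND_ORDER = {"low": 0, "medium": 1, "high": 2}
# Who may sign off on accepting a risk left in each band (assumed roles).
ACCEPTANCE_AUTHORITY = {"low": "risk owner", "medium": "leadership team", "high": "board"}

def score(likelihood: int, consequence: int) -> int:
    """Likelihood x consequence on 1-5 scales (1 = "may occur in exceptional
    circumstances", 5 = "is expected to occur annually"), giving 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be 1-5")
    return likelihood * consequence

def band(total: int) -> str:
    """Band boundaries are an assumption; tune them to your own matrix."""
    return "high" if total >= 15 else "medium" if total >= 6 else "low"

@dataclass
class Risk:
    name: str
    likelihood: int
    consequence: int
    # Existing controls: name -> (scale it reduces, steps reduced), e.g. ("likelihood", 2).
    controls: dict = field(default_factory=dict)

    def inherent(self) -> int:
        return score(self.likelihood, self.consequence)

    def residual(self) -> int:
        """Re-score after the controls already in place; never below 1 on either scale."""
        like, cons = self.likelihood, self.consequence
        for dim, steps in self.controls.values():
            if dim == "likelihood":
                like = max(1, like - steps)
            else:
                cons = max(1, cons - steps)
        return score(like, cons)

def evaluate(register: list, appetite: str) -> list:
    """Rank by residual score and decide accept vs mitigate against the appetite band."""
    rows = []
    for r in sorted(register, key=lambda r: r.residual(), reverse=True):
        b = band(r.residual())
        action = "accept" if BAND_ORDER[b] <= BAND_ORDER[appetite] else "mitigate"
        rows.append({"risk": r.name, "inherent": r.inherent(), "residual": r.residual(),
                     "band": b, "action": action, "sign_off": ACCEPTANCE_AUTHORITY[b]})
    return rows

SAMPLE_REGISTER = [  # constructed entries, not real figures
    Risk("key supplier fails", 4, 4, {"second supplier qualified": ("likelihood", 2)}),
    Risk("loss of key staff", 3, 2, {"salary benchmarking": ("likelihood", 1)}),
    Risk("new competitor undercuts pricing", 4, 4),
]
```

Calling `evaluate(SAMPLE_REGISTER, "medium")` leaves the uncontrolled competitor risk in the high band flagged for mitigation (board sign-off if it is to be accepted as is), while the supplier risk drops from 16 to 8 once its control is counted.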

4. Monitor Your Risks

Once you have ranking and action plans in place, you need to regularly review two things:

  1. How on target are your action plans? Where are you sitting with regard to what needs completing to lower your risk scores? This might be at a monthly or quarterly strategy meeting or similar.
  2. Review the risks themselves for changes: regularly review the wider landscape and update your assessments as needed. Maybe a new bill has come up in parliament, a new technology has emerged that needs to be considered, a new competitor has entered the market, or perhaps one has left it! Most companies would likely review these on an annual basis, but you need to decide the frequency that works for you. Ad hoc reviews are also worth considering: when something big happens, don't wait to get round the table and review the impact.

Both of these activities should keep your highest business risks up to date, top of mind and at the forefront of your long term planning and projects.

Business Risks in 4 easy steps

Managing your business risks is an important factor for any organisation, not just the big guys.

The process isn't hard, it's 4 steps:
  1. Identify Your Risks – identify what risks you have
  2. Analyse Your Risks – really work to fully understand them
  3. Evaluate Your Risks – with what you know, understand how big a risk they really are
  4. Monitor Your Risks – keep an eye on them.

The hard part is always going to be identifying and analysing your risks; that's why we say do it as a team, bounce ideas off each other and settle on the best result you can. Remember, you are going to review them, so you can always update them; that's the beauty of risk management.