The process of identifying risks, assessing risks and developing strategies to manage them is known as risk management.
A risk management plan and business impact analysis are important parts of your business continuity plan.
By understanding the potential risks to your business and finding ways to minimize their impacts, you will help your business recover quickly if an incident occurs.
The types of risk vary from company to company, but preparing a risk management plan involves a common process.
Your risk management plan should detail your strategy for addressing risks specific to your business.
It is important to allocate some time, budget, and resources to prepare a risk management plan and business impact analysis.
This will help you meet your legal obligations to provide a safe workplace and can reduce the likelihood of an incident negatively affecting your business.
This guide outlines the steps necessary to prepare a risk management plan and business impact analysis for your business.
Identify risks to your business
The first step in preparing a risk management plan is to identify potential risks to your business.
Understanding the extent of potential risks will help you develop realistic and cost-effective strategies to address them.
It’s important to think broadly when considering the types of risks to your business, rather than only the obvious concerns (e.g. fire, theft, market competition).
Evaluating your business
Before you start identifying risks, you need to evaluate your business.
Think about your critical business activities, including your key services, resources and staff, and the things that could affect them, such as power failures, natural disasters and illnesses.
Evaluating your business will help you determine what aspects you couldn’t operate without.
Ways to identify risk
Once you have a clear picture of your business, you can begin to identify risks.
Check your business plan and think about what you couldn’t do without, and what types of incidents could affect these areas.
Ask yourself:
- When, where, why and how are risks likely to happen in your business?
- Are the risks internal or external?
- Who might be involved or affected if an incident occurs?
The following are some useful techniques for identifying risks.
Ask ‘what if?’ questions
Thoroughly review your business plan and ask as many ‘what if?’ questions as you can. Ask yourself what would happen if:
- you lost your power supply
- you didn’t have internet access
- key documents were destroyed
- your premises were damaged or could not be accessed
- one of your best staff members quit
- your suppliers closed
- the area where your business is located suffered a natural disaster
- the services you need, such as roads and communications, were closed.
Great idea
Brainstorming with different people, such as your accountant, financial advisor, staff, suppliers and other stakeholders, will help you gain many different perspectives on the risks to your business.
Analyze other events
Think about other events that have affected or could have affected your business. What were the results of those events? Could they happen again?
Think about possible future events that could affect your business. Discuss the scenarios that could lead to an event and what the outcome could be.
This will help you identify risks that could be external to your business.
Evaluate your processes
Use flowcharts, checklists, and inspections to evaluate your work processes. Identify each step in your processes and think about the associated risks.
Ask yourself what could prevent each step from happening and how that would affect the rest of the process.
Consider the worst case
Thinking about the worst things that could happen to your business can help you deal with smaller risks. The worst case scenario could be the result of several risks occurring at once.
For example, someone running a restaurant could lose power, which could cause food to spoil.
If the restaurant owner was unaware of the outage or the chef decided to serve the food anyway, customers could suffer food poisoning and the restaurant could be held liable and suffer financial losses and negative publicity.
Once you have identified the risks related to your business, you will need to analyze their probabilities and consequences and then find options to manage them.
Analyze and evaluate the impact of risks
Once you have identified the risks to your business, you must evaluate the potential impact of those risks.
You must separate minor risks that may be acceptable from major risks that must be managed immediately.
Analyzing the level of risk
To analyze risks, you must determine, for each risk you have identified, the likelihood of it occurring (frequency or probability) and the consequences it would have (the impact).
This is known as the risk level and can be calculated using this formula:
risk level = consequence x probability
The risk level is often described as low, medium, high or very high. It must be analyzed in relation to what you are currently doing to control it.
Please note that control measures reduce the level of risk, but do not always eliminate it.
A risk analysis can be documented in a matrix, like this:
Probability Scale Example

| Level | Probability | Description |
|---|---|---|
| 4 | Very likely | Happens more than once a year in this industry. |
| 3 | Likely | Happens about once a year in this industry. |
| 2 | Unlikely | Happens every 10 years or more in this industry. |
| 1 | Very unlikely | Has only happened once in this industry. |

Consequence Scale Example

| Level | Consequence | Description |
|---|---|---|
| 4 | Severe | Financial losses greater than €50,000 |
| 3 | High | Financial losses between €10,000 and €50,000 |
| 2 | Moderate | Financial losses between €1,000 and €10,000 |
| 1 | Low | Financial losses less than €1,000 |
Note: Rankings vary for different types of companies. The scales above use 4 different levels; however, you can use as many levels as you need.
Also use descriptors that fit your purpose (for example, you can measure consequences in terms of human health, rather than dollar value).
Assessing risks
Once you have established the risk level, you will need to create a rating table to evaluate the risk.
Assessing a risk means making a decision about its severity and ways to manage it.
For example, you may decide that the likelihood of a fire is ‘unlikely’ (a score of 2) but the consequences are ‘severe’ (a score of 4).
Using the tables and formula above, a fire has a risk rating of 8 (i.e. 2 x 4 = 8).
Example of risk rating table

| Risk Rating | Description | Action |
|---|---|---|
| 12-16 | Severe | Needs immediate corrective action |
| 8-12 | High | Needs corrective action within 1 month |
| 4-8 | Moderate | Needs corrective action within 3 months |
| 1-4 | Low | Currently requires no corrective action |
Your risk assessment should consider:
- the importance of the activity for your business
- the amount of control you have over the risk
- potential losses for your business
- any benefit or opportunity presented by the risk.
Once you have identified, analyzed and evaluated your risks, you must rank them in order of priority. You can then decide what methods you will use to address unacceptable risks.
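The scoring and ranking steps described above, worked through in code. This is an added illustration, not part of the guide: it encodes the guide's two scales and its rating table, computes risk level = consequence x probability for each entry of a small constructed risk register, assigns the rating band, and ranks the register. Two details are assumptions of this example rather than something the guide states: the rating bands share their boundary values (4, 8 and 12), so a score on a boundary is placed in the higher band, and risks with the same level are tie-broken by consequence.

```python
"""Semi-quantitative risk register scoring and ranking (added example, not from the guide)."""
from dataclasses import dataclass

# Probability and consequence scales as given in the guide (level -> label).
PROBABILITY = {4: "Very likely", 3: "Likely", 2: "Unlikely", 1: "Very unlikely"}
CONSEQUENCE = {4: "Severe", 3: "High", 2: "Moderate", 1: "Low"}

# Rating bands from the guide's rating table: (low, high, label, action).
# ASSUMPTION: the guide's bands overlap at 4, 8 and 12; bands are checked from
# most to least severe, so a boundary score takes the more urgent band.
RATING_BANDS = [
    (12, 16, "Severe", "Needs immediate corrective action"),
    (8, 12, "High", "Needs corrective action within 1 month"),
    (4, 8, "Moderate", "Needs corrective action within 3 months"),
    (1, 4, "Low", "Currently requires no corrective action"),
]


def risk_level(probability: int, consequence: int) -> int:
    """risk level = consequence x probability, using the 1-4 scales above."""
    if probability not in PROBABILITY or consequence not in CONSEQUENCE:
        raise ValueError("probability and consequence must each be 1, 2, 3 or 4")
    return consequence * probability


def rate(level: int) -> tuple[str, str]:
    """Map a risk level onto the guide's rating table, returning (label, action)."""
    for low, high, label, action in RATING_BANDS:
        if low <= level <= high:
            return label, action
    raise ValueError(f"risk level {level} is outside the 1-16 rating table")


@dataclass
class Risk:
    name: str
    probability: int
    consequence: int

    @property
    def level(self) -> int:
        return risk_level(self.probability, self.consequence)

    @property
    def rating(self) -> str:
        return rate(self.level)[0]

    @property
    def action(self) -> str:
        return rate(self.level)[1]


def rank_register(risks: list[Risk]) -> list[Risk]:
    """Order risks for treatment: highest level first.
    ASSUMPTION: equal levels are tie-broken by consequence, so the higher-impact
    risk is addressed first."""
    return sorted(risks, key=lambda r: (r.level, r.consequence), reverse=True)


def risk_matrix() -> dict[tuple[int, int], str]:
    """The full 4x4 probability/consequence matrix with each cell's rating label."""
    return {(p, c): rate(risk_level(p, c))[0] for p in PROBABILITY for c in CONSEQUENCE}


# Constructed sample register (illustrative entries, not real data).
SAMPLE_REGISTER = [
    Risk("Fire on premises", probability=2, consequence=4),          # 8  -> High
    Risk("Power outage", probability=4, consequence=2),              # 8  -> High
    Risk("Key staff member quits", probability=3, consequence=2),    # 6  -> Moderate
    Risk("Main supplier closes", probability=2, consequence=2),      # 4  -> Moderate
    Risk("Office flooded", probability=1, consequence=4),            # 4  -> Moderate
]


def ranked_names(risks: list[Risk] = SAMPLE_REGISTER) -> list[str]:
    """Convenience view of the ranked register for the usage below and the checks."""
    return [r.name for r in rank_register(risks)]


if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.level:>2}  {r.rating:<8}  {r.name:<25}  {r.action}")
```

Running the block prints the register with the two level-8 risks at the top (fire before the power outage on the consequence tie-break), then the level-6 and level-4 entries, so the output is the priority order the treatment plan should follow.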
Address risks to your business
Addressing risks means choosing from a range of options for treating the unacceptable risks to your business. Unacceptable risks vary in severity.
Some risks will require immediate treatment, while others can be monitored and treated later.
Your risk analysis and assessment will help you prioritize which risks need to be addressed.
When you are developing a plan to address risks, consider the following:
- treatment method
- persons responsible for the treatment
- costs involved
- treatment benefits
- probability of success
- ways to measure the success of treatments.
How and why you have chosen to treat risks should be described in your risk management plan. It is important to review your plan regularly to take into account new risks associated with changes in your business or improvements in techniques for dealing with risks.
The following are different options for dealing with risks.
Avoid risk
If possible, you can decide not to continue with an activity that is likely to create risks.
Alternatively, you can think of another way to achieve the same result that does not involve the same risks. This could involve changing your processes, equipment or materials.
Reduce risk
You can reduce a risk by:
- reducing the likelihood of the risk occurring, for example through quality control processes, auditing, regulatory compliance, staff training, regular maintenance or a change in procedures
- reducing the impact if the risk occurs, for example through emergency procedures, off-site data backup, minimizing exposure to risk sources or using public relations.
Transfer the risk
You may be able to transfer some or all of the risk responsibility to another party through insurance, outsourcing, joint ventures or partnerships.
You can also transfer risk by:
- cross-training staff so that more than one person knows how to do a certain task and you don’t risk losing essential skills or knowledge if something happens to one of your staff members
- identifying alternative suppliers in case your usual supplier is unable to deliver
- keeping old equipment (after it is replaced) and practicing doing things manually in case your computer networks or other equipment cannot be used.
Make sure you have adequate insurance
Talk to your insurer to find out if you have the right insurance coverage for your business.
Be sure to clarify whether you are covered for the risks you have identified in your risk management plan.
Please note that insurance policies may have different definitions for certain incidents (for example, flooding).
You should also verify that you:
- have coverage for loss of income that could be incurred if customers affected by the crisis stop ordering your product or service
- have adequate insurance to cover other related issues, such as on-site injuries to staff or visitors, or for loss of your clients’ property or materials
- have coverage in case your suppliers are affected by a crisis and are unable to deliver the supplies needed for your business
- are meeting your workers’ compensation obligations in the event that any of your staff are injured in a crisis.
