Risk Management for Small Businesses

A simple 3-step framework to identify, manage and report risks. Ideal for busy small business owners!


Every business is subject to possible losses from unmanaged risks. Risk management is important to reduce the likelihood and impact of adverse events. Business owners and directors carry fiduciary and stewardship responsibilities which include identifying, responding to, and reporting on any significant risks a company is exposed to.

Good risk management can yield long-term benefits, such as:

  • Lower insurance premiums

  • Reduced losses of cash or stock

  • Reduced business down time

  • Reduced chance that the business may be the target of legal action

The aim of risk management isn't to eliminate all risk, rather to enable businesses to make smart risk decisions that help improve performance and increase the value of the business.

The key activities of risk management include identifying and prioritising the most significant risks and focusing on general organisational robustness and resilience, as well as specific sources of risk.

In Australia, you are required by law to manage some risks. According to business.gov you must manage or reduce the risk of:

Risk frameworks

There are widely held standards for managing risk, one being ISO 31000. This is an international standard that offers guidelines and principles for effective risk management. It provides a structured approach that can be customised to fit the needs of any organisation, regardless of its size or industry. ISO 27001 is another widely used international standard that primarily deals with protecting information assets and data from security threats.

While frameworks like ISO 31000 offer robust guidelines for risk management, they require significant time and resources to fully understand and implement.

Most small business owners, however, want a simpler, more accessible starting point. Here is a simple 3-step approach you can take to risk management:

IDENTIFY → MANAGE → REPORT


Fig 1.0

Identifying Risk

Risk management starts by identifying possible threats and then implementing processes to minimise or negate them.

There are three main types of risk:

  • opportunity-based risk from choosing one option over other options (such as buying a new property) 

  • uncertainty-based risk from uncertain or unknown events (such as natural disasters or loss of a key supplier) 

  • hazard-based risk from dangerous materials or actions (such as handling hazardous chemicals or working at heights).

When identifying risks, there are two components to be aware of: sources, which are the origins of potential risks, and symptoms, which are indicators that a risk might be present. A simple analogy is a person with the flu: the source is a bacterium or virus, and the symptoms are the visible signs, such as coughing or a fever.

Fig 1.1: Identifying risks - sources and symptoms

There are a wide range of potential sources of risk that businesses should consider, such as:

  •  social, cultural, political and regional issues 

  •  economic, technology and competitive trends 

  •  government policies and law 

  •  your business aims, policies and strategies.

Recognising symptoms is also essential, as they serve as warning signs that a risk may be present and indicate underlying issues that require attention. Examples of symptoms include:

  • Decreased employee morale or productivity

  • Frequent customer complaints or negative feedback

  • Unexpected financial discrepancies or losses

  • Increased operational disruptions or delays

By identifying these symptoms early, businesses can take proactive steps to address potential risks before they escalate.


Evaluating Risk

Once you've identified potential risks, you need to understand their significance. Risk evaluation (also referred to as risk analysis) means prioritising risks according to their severity and likelihood. Many businesses prefer the qualitative risk analysis method because it's easy to follow.

In a qualitative risk assessment process, potential risks are rated according to how serious and likely they are to impact various stakeholders. Ratings are given using a risk matrix, the most common model being the 5x5 Risk Matrix:

Fig 1.2: 5x5 Risk Matrix

On a risk matrix (see Fig 1.2 above) there are ratings along the top of the grid and ratings along the left-hand side of the grid, otherwise known as the x and y axes respectively. The x axis details the consequence a person could face if they encountered the hazard. The consequences are ranked from left to right as follows:

  • Insignificant

  • Minor

  • Moderate

  • Major

  • Catastrophic

The y axis outlines the likelihood of the risk occurring. The likelihoods are ranked from top to bottom as follows:

  • Almost certain to occur

  • Likely to occur frequently

  • Possibly and likely to occur

  • Unlikely to occur but could happen

  • May occur but rare


Managing Risk

To effectively manage risk, the first step is to determine whether a risk is transferable or non-transferable.

Transferable risks are those that can be shifted to another party, typically through mechanisms like insurance or outsourcing. This transfer often involves a cost, such as paying insurance premiums to cover potential losses, for example property damage or public liability risks.

Non-transferable risks, however, cannot be shifted to others and must be managed internally. These include strategic, reputational and certain operational risks that are integral to the business's core activities.

Managing these requires direct intervention and planning, such as:

  • Mitigation strategies - such as contingency planning to manage identified risks.

  • Implementing controls - proportionate to the risks, such as cybersecurity measures or financial audits.

  • Training and communication - to ensure all employees understand risk management processes and their roles in mitigating risks.

Residual and Inherent — what's the difference?

Residual risk and inherent risk are two terms commonly used in risk management. Inherent risk is the natural level of risk that exists in your organisation before implementing any mitigation strategies or controls. Residual risk is the risk your organisation faces after putting these controls in place.

To calculate residual risk: assign an impact score to the mitigating control and subtract it from the inherent risk score to give you a new score. For example: if the inherent risk is scored as a 3 and the impact of the risk controls is 2, your residual risk is 1.
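As an added example (not part of the original article), here is a small Python risk register that scores risks using the 5x5 matrix axes described above and applies the article's residual-risk subtraction, then produces the prioritised rows a risk report would list. The multiply-the-ranks cell value, the Low/Medium/High thresholds, the zero floor on residual risk and the sample register entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Axis labels as given in the article, ordered from lowest to highest rank (1..5).
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["May occur but rare", "Unlikely to occur but could happen",
              "Possibly and likely to occur", "Likely to occur frequently",
              "Almost certain to occur"]

def matrix_score(likelihood: str, consequence: str) -> int:
    # Cell value 1..25. Multiplying the two axis ranks is an assumption; the
    # article shows the axes but not the cell values. Unknown labels raise ValueError.
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)

def rating(score: int) -> str:
    # Priority band for a score; the thresholds are assumed, not from the article.
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    control_impact: int = 0     # impact score assigned to the mitigating control
    transferable: bool = False  # e.g. insurable (property damage, public liability)

    def inherent(self) -> int:
        # Risk level before any controls are applied.
        return matrix_score(self.likelihood, self.consequence)

    def residual(self) -> int:
        # Article's method: inherent score minus the control's impact score.
        # Flooring the result at zero is an assumption.
        return max(self.inherent() - self.control_impact, 0)

def report(risks):
    # Rows for a risk report, highest residual risk first:
    # (name, inherent, residual, rating, treatment).
    rows = sorted(risks, key=lambda r: r.residual(), reverse=True)
    return [(r.name, r.inherent(), r.residual(), rating(r.residual()),
             "transfer (e.g. insure)" if r.transferable else "manage internally")
            for r in rows]

# Constructed sample register, not real data.
REGISTER = [
    Risk("Ransomware on the office PC", "Likely to occur frequently", "Major", control_impact=6),
    Risk("Loss of a key supplier", "Unlikely to occur but could happen", "Moderate", control_impact=2),
    Risk("Shop fire", "May occur but rare", "Catastrophic", transferable=True),
]
```

Calling `report(REGISTER)` lists the ransomware risk first (inherent 16, residual 10, Medium), then the fire (5, transferable) and the supplier loss (residual 4).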


Reporting Risk

Reporting risk is essential for transparency and informed decision-making. It involves regularly updating stakeholders on potential threats and how they're being managed.

A solid risk report should highlight key risks, their current status, and any actions needed to address them. This keeps your management (and board, if you have one) aligned and ready to tackle any challenges.

In the case of cyber security breaches, reporting is particularly crucial due to legal obligations. Under the Australian Privacy Act 1988, companies must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to cause serious harm. This includes detailing the breach and offering steps to mitigate its impact. To get help managing your cyber security risk, we recommend speaking to the team at ShadowSafe.


Free Resource:

Simple Risk Matrix + Assessment

Free Risk Assessment Template

Requires Google account. You can make a copy to Drive or download as .xls. Leader Guide


You've made it to the end — well done! While risk management might not be the most exciting topic, understanding and addressing risks is essential for your business longevity.

Staying compliant not only protects stakeholders but also reinforces trust, credibility and good will with your customers and your community. That alone is worth protecting.

Written by Lachlan Nicolson.

Further Reading:

Business.gov - Risk Assessment and Planning

Business.gov - Types of business insurance

6clicks.com - Enterprise Risk Management (more advanced holistic risk management approach)
