What Is a Risk Management Process?

There are all sorts of definitions of the word “entrepreneur,” but my favorite is this:

‍

An entrepreneur is a person who takes a risk with money to make money.

‍

It's great because that’s the thing: Risk, risk analysis, and risk control are central to the game. 

‍

Leaving a nice job with a paycheck every two weeks, benefits, and maybe a 401(k) match in order to take on debt (in all likelihood) and start a new, untried business is no easy thing. It takes guts and smarts, along with a healthy dose of risk tolerance.

‍

That said, it is also true that the best entrepreneurs, indeed the best businesses, work to mitigate the risk to the extent possible—they manage risk as opposed to embracing it. Yes, risk is part of being in business, but the smart business looks to reduce it. 

‍

But how, exactly, do you create a strong risk management process?

‍

Here’s a primer on just that.

Understanding Risk Management in Business

Risk management is a four-step project management process that allows a small business to identify, assess, mitigate, and review potential risks. It is used both for overall risks to the company as well as potential risks to particular projects.

‍

According to the Marquette University Risk Unit, there are all sorts of categories of risk that a business might face, including:

‍

• Financial risks, like being held liable for an accident or problem
• Operational risks, like labor strikes
• Perimeter risks, like natural disasters, weather, or political upheaval
• Strategic risks, like management changes or loss of reputation

Risk Management Process

Let’s take a fictional business, SmallBizCo for example, and let’s assume that SmallBizCo is a retail store that handled the pandemic well and now wants to expand into another location. 

‍

Is that a good idea? How big of a risk is it? This four-step risk management process would greatly help SmallBizCo’s management team assess and analyze the risks involved in such a move.

‍

Here’s how a risk management framework might play out for companies like SmallBizCo…and yours!

Step 1: Identify the Risks Facing Your Business

Needless to say, a business cannot avoid—or at least mitigate—a risk until the risk is known. That is where “risk identification” comes into play. 

‍

As indicated, there are all sorts of potential risks that a company might face: legal risks, operational risks, strategic risks, environmental risks, market risks–you name it. The key thing here is to analyze the possible risks to the company (or project) and narrow them down to the one or ones that are, in the assessment of the management team, the most likely and the most dangerous. Those are the risks that need to be managed.

‍

This really is a matter of brainstorming and thinking ahead. The risk identification stage is one where all possible risks are laid out for the team to review and debate. Potential risks must be as specific as possible. 

‍

Aside from the team’s own analysis and perspectives, other risk identification tools can also be deployed:

‍

• Reviewing similar projects to see what issues they faced
• Interviewing stakeholders, employees and customers to see if they noticed any problems 
• Interviewing experts who can predict what might happen based on their experience and knowledge
• Reviewing documents that might reveal errors in your plans, financial calculations, or other processes you need to run your business

‍

Going back to SmallBizCo, there are a variety of risks that might be identified as part of the expansion plan, such as:

‍

• The continuing effects of the pandemic on buying habits
• The cost of expansion
• Potential negative effects on current employees, resources, and management
• Competition in the new arena

Step 2. Do a Risk Assessment

In this stage of the risk management process, all of the possible risks and potential impacts need to be ranked. There are three factors that should go into each risk assessment.

‍

First, the probability of the risk coming to fruition needs to be analyzed. A risk with less probability of occurring probably needs to be ranked lower than one with a high probability of happening. We say “probably” because the likelihood of the event happening is only one factor at this stage of the risk assessment analysis.

‍

The next factor to consider, and why ‘likelihood of occurring’ is not the only game in town, is the potential severity or the impact of the risk upon the organization. A risk with a high probability of occurring but which also has a low impact is of course less important. There may be a recession on the horizon, and that may have a high likelihood of occurring, but it’s potential impact could be negligible. 

‍

Finally, the financial impact of all of the possible listed risks must also be accounted for. 

‍

Back then to SmallBizCo. How would SmallBizCo look at its various risk factors? The biggest, and probably most likely threats are the potential costs of expansion (and cost overruns), the stress upon the organization, and any possible negative effects of the pandemic. 

‍

Expanding into a new locale is not easy, nor is it inexpensive. When you combine that with the continuing uncertainty of the pandemic on retail buying habits, you have some very real risks.

‍

The other two identified risks–the effect of not expanding and competition–while real, are certainly more amorphous and less severe. They should likely be deemed less of a threat.

‍

The good news is that by engaging in this process, SmallBizCo has a much better chance of managing all of these potential risks, which begs the question:

‍

What is, in fact, the best way to mitigate the various identified risks that you and your team may uncover?

Step 3. Come up with a Risk Management Plan

After risks have been identified, analyzed, and prioritized, the next step in this risk assessment process is for a company to come up with a “risk treatment plan," also known as a "risk management plan." Whatever term you use, the plan is two-fold:

‍

1. First and best, it is intended to reduce the probability of the risk happening in the first place (to the extent possible), 
2. Second, it is to mitigate, or reduce, the impact of the risk should it indeed come to pass

‍

There are all sorts of ways a business may decide to handle identified potential risks and create a risk management strategy as part of its risk response.

‍

If your risks are something insurance can take care of, that's just about the best, smartest way to handle them. Why? Because you're transferring your risk elsewhere–to the insurance company–and while you might still have premiums and a deductible to pay (and limits on how much the policy will cover), that’s still a big weight off your shoulders.

‍

(And, if you need help with your workers' comp insurance, let me suggest that there is no better place to go than with our friends at Hourly!)

‍

But what is SmallBizCo going to do? They could, for instance, actually choose to do nothing and continue to monitor the situation. They may decide there really is very little an individual small business could do to change overall consumer buying habits in the face of the pandemic. 

‍

Sure, they can offer the public assurances that theirs is a safe place to shop, but they are likely doing that already. As such, a smart and cost-effective way to manage that risk might be to stay aware of it, keep tabs on it, account for it, and carry on.

‍

But what about the other two risks SmallBizCo faces—potential cost overruns and stress on the organization? These can either be avoided or mitigated. 

‍

Insofar as costs go, sure there are expenses that may occur that cannot be anticipated, but for the most part, good management can almost completely obviate this risk. SmallBizCo might, for example, choose one senior manager to oversee costs for the project with ‘avoiding cost overruns’ as their marching orders. 

‍

Similarly, while stress upon the organization can probably not be eliminated, good management can again be employed to reduce (mitigate) the effects of that stress.

‍

Making SmallBizCo’s staff aware of the expansion plans and their roles in that plan, anticipating staffing needs and shortages, and rewarding the team for any extra work that may result from the expansion can all be employed to lessen the impact of the risk upon the business and team.

‍

So this is the type of analysis you and your team must do.

Step 4. Regularly Review Your Risk Management Plan

Your risk assessment and mitigation plan cannot just be an academic exercise wherein your team members create a document but nothing really happens. 

‍

For this process to work and truly have a chance to help and protect your small business, it needs to be an action plan that is implemented and reviewed on a regular basis; after all, what is the purpose of prioritizing risks and devoting so much effort to mitigation strategies if you do not combine that with an action plan?

‍

Accountability is key in your risk management strategy.

‍

Your plan should include specific steps that will be taken to monitor risks and specific duties that will be assigned to the appropriate managers to help mitigate those identified risks. 

‍

Those managers should then be given benchmarks and timelines to meet. Finally, as these steps of the risk management process are in fact met, the entire risk-reduction team must be kept in the loop. They need to analyze actions taken and make any adjustments as necessary. 

‍

No, SmallBizCo cannot avoid the risks inherent in its expansion plan, but it certainly can reduce those risks as part of its decision making and make them manageable with proper analysis, planning, oversight, contingency planning, and action. 

One More Example: The Risk of Misclassifying Your Employees

Here’s one final example of risk assessment and mitigation: Say that you have both full-time employees as well as part-time freelance contractors working for your business. 

‍

The risk is that your company may misclassify one or the other, and the penalties for doing so are not insubstantial, as they include back payment and penalties.

‍

So, how would you identify, assess, manage, and mitigate this risk?

‍

• For starters, you would need to be sure that your HR department properly classifies all workers. You may even want to have an HR consultant audit job responsibilities, titles, and applicable state laws for their employees.
• Consider having all workers take a “quiz” that asks them about their hours worked, ability to act independently, tools used to perform the job, where the work is done, etc.–you know, all of the things that distinguish a contractor from an employee.
• Next, be sure to implement a clear time tracking process for all hourly/non-exempt employees, as well as similar forms for all contractors—time spent on the project, deliverables met, hourly rate, and so on.
• Additionally, you might want to double-check your payroll process, including timesheet processes, like when and how they are reviewed, when they are paid, and so on—to make sure everything is accurate.

Take (and Manage) Risks like an Entrepreneur

If you wanted a safe career, you would not have chosen a life as an entrepreneur. Risk is indeed part of the job description. In fact, for many small business owners, taking a risk is the fun part of the job (although maybe not a high risk). 

‍

But great entrepreneurs are also smart about risk. By reviewing potential risks and planning to negate them, you can go a long way in mitigating risk and being the type of business that others emulate.

‍

In fact, you can become the risk they want to avoid!