How to manage risk in a business

Outlines how to manage risk in a business, identifying risk, analyzing it, organizing risk management, and a Risk Management Plan example matrix.

How to manage risk in a business: the basics

Companies must recognize threats, dangers and risks in good time and avoid or minimize the resulting damage. This requires effective risk management. In this chapter of the manual you can read which risks may exist, how they are assessed and which risk management measures are necessary.

Examples of risks, dangers, and threats

Anyone who wants to practice risk management must know what to fear. Some risks are known and can even be measured. Others are difficult to grasp. And some remain in the dark because no one has ever thought of them. In this respect, the identification of risks is a process that requires regularity and a systematic approach, but in which creativity and out-of-the-box thinking also play a role. The aim is to identify potential sources of danger before the damage occurs unexpectedly.

But even if the risks are known as such, for many it is impossible to estimate when they will occur and what consequences they will be associated with. Examples are:

  • A dangerous ingredient is found in one of the company’s products, having entered the product due to a technical defect in the manufacturing process. The company has to start a laborious recall campaign, its image with customers suffers and lawsuits may be threatened because some customers have been harmed.
  • An error in a computer program has resulted in a central system in the company no longer working and being unusable for employees for several hours. Hundreds of people cannot do anything. Customer inquiries and orders cannot be processed. Important payments are not processed.
  • A company exports a large part of its products abroad. How successful this is depends to a large extent on the exchange rate. Due to political events, the exchange rate changes very rapidly in a short period of time. It is difficult to predict when exchange rates will change and what effects this will have on the company. But the financial damage can be enormous.
  • A journalist for the local newspaper writes a critical report on the company. This is picked up by other newspapers and public opinion is influenced by it. Ultimately, this is also reflected in customers’ trust in the company.

It is important that as many risks as possible should appear on the risk radar and be monitored continuously. This is the only way to plan counter-strategies in advance and implement countermeasures quickly when they occur.

Put risk areas on the risk radar

Risks as in the examples mentioned can be identified as potential sources of danger, but the associated risk can only be reduced to a limited extent. Nevertheless, risk management must do everything that is economically justifiable and legally required to reduce the likelihood of the risk occurring and to limit the damage.

The prerequisite for this is that the risks are recognized and monitored. It is helpful if different risk areas are regularly examined and evaluated on the basis of defined criteria and questions. Possible risk areas and examples are:

  • Market risks: change in customer needs, new trends, socio-demographic change, new competitors.
  • Strategic risks: Unclear company succession, new technologies, entry into new markets.
  • Business risks: wrong information, wrong decisions, legal and contractual risks, loss of important employees (to competitors), fraud.
  • Financial risks: changes in interest rates, exchange rates, raw material prices, share prices.
  • Credit risks: credit and bad debt losses, changes in creditworthiness.
  • Operational risks: breakdowns in information technology, process errors, human error, lost work, illness of employees, breakdowns at suppliers or external service providers, accidents at work, fire.
  • Environmental risks: natural events, political developments.

Individual risks from a risk area can result in a “wave of damage”. If a case of damage occurs that does not directly affect a company, this can result in further damage in other areas, which can then have an impact on a company. Example: A hurricane paralyzes production in a region. Individual companies can no longer be supplied. Production stands still. Deliveries are not made. The share prices are falling. The share prices of other companies in the same segment are also affected. Individual risks can therefore be associated with secondary or tertiary effects.

Methods for a risk identification system

Various methods can be used to identify the risks and to create a risk catalog for the company. The approach differs depending on whether an initial inventory is being carried out or the catalog is being regularly checked for currency and changes. Here is a selection of methods for risk management and the associated information research:

  • Expert surveys
  • Risk workshops
  • Failure mode and effects analysis (FMEA)
  • Process analysis
  • Analysis of balance sheets, annual reports and key figures
  • Benchmarking and company comparisons
  • Market analysis, market observation

Analyzing risk in a business

Once risks have been identified for the company, they must be analyzed more precisely in terms of quality and quantity. As much information as possible about the individual risk needs to be gathered. This enables the company to evaluate the respective risk. An assessment of the risk results from two factors:

Probability of occurrence

What is the probability of damage to the company that is associated with a risk?

Amount of damage or impact

How extensive is the damage? What (financial) effects does it have for the company? What negative effects result from this for the achievement of the company’s goals, for example in terms of sales, profit or share price?

Organizing risk management

Risk management and all associated measures can only take effect if they are integrated into the organization from the board level down. This includes:

  • Risk management must be anchored in the organizational structure.
  • Processes for the identification, evaluation and management of risks must be defined.
  • The prerequisite for this is that there is a risk culture in the company.
  • All employees should be aware of risks.

Risk Management Plan example

The risk management plan should be a part of your overall project plan. The risk plan for smaller projects can be as simple as a risk management matrix. Complex projects require more thorough risk analysis and planning. You will want to create a thorough analysis for each risk outlined in the risk matrix. The main goal of creating the risk matrix is to prioritize your risks. You will never be able to eliminate all risk, but you can prioritize and document risks to attempt to mitigate or eliminate them. The risk management plan will document the following items:

1. Risk and Consequences

Brainstorm risks before you begin your project and continue adding to your risk management plan as the project moves through its life cycle. What risks can be associated with this project? Will the risks affect the schedule, resourcing or budget?

2. Probability

The table should contain a probability of the risk occurring. This can be a percentage or a number.

3. Impact 

What is the impact to the project if the risk should occur? Build a scale appropriate for the project – smaller projects can use a simple impact of 1-5 (minimal to major) whereas larger projects may want a more formal scale.

4. Priority 

(Probability * Impact) will give you an idea of the priority of the risk. Higher priority items should be mitigated and planned for before lower priority items.

5. Mitigation Response

A brief overview of mitigation steps to eliminate or reduce the risk.

Risk Management Plan matrix

Start by building a six-column table. The columns will be named after each of the five items in the previous section. The first column can simply be an ID column in which you designate each aspect of the business (or project) for which you are analyzing the matters under columns 2 to 6.

  1. ID (part of the business or project)
  2. Risks and Consequences
  3. Probability
  4. Impact
  5. Priority
  6. Mitigation Response

This 6-column matrix is a basic starting point, and from it you can customize and tailor your Risk Management Plan to suit your particular business.