“The management of risk is often seen as a compliance issue by business owners (do what the law requires) whereas, in reality, it is a fundamental business management issue (do what best practice requires)”, says Rajes Selvanathan from Protecht. A well-prepared risk management plan is important to identify potential risks to your business, to quantify their individual importance and their likely impact on your business, and to develop a strategy to deal with specific risks to your business in an appropriate manner.
There are a few essential steps every business needs to undertake in order to develop a risk management plan.
The first step is to identify the main risks your business faces in achieving its objectives. These will include legal obligations, such as providing the correct safeguards to ensure your business meets all the health and safety standards required by law, or maintaining appropriate operating licences. Financial risks relating to embezzlement, fraud or credit default should also be considered.
They will also include operational risks affecting people, processes and systems such as supply chain disruption, loss of, or damage to, equipment or documents, loss of power supply or key staff, and even natural disasters.
They may include reputation risks which can be caused by illegal acts committed by your management or staff, false advertising claims, or any activity that could affect your good name.
All these areas of risk and more need to be carefully considered and itemised as the first step in your risk management plan. It is often helpful when developing a “risk register” to canvass the input of other people who will have valuable insights on your potential risks, such as your directors, senior management and/or your legal advisor/accountant.
The next step in your plan development is to analyse the probability of each risk you have identified. Obviously, some risks have a very high level of probability of occurring and others have very little chance of occurring. You should classify each risk identified on a scale that is meaningful and relevant to your business. For example, terms such as “very unlikely” or “very likely” may be interpreted differently by different people or business units within an organisation. Being more specific by using descriptors such as “once a day” or “once every 10 years” can convey better meaning when doing the probability analysis.
Equally important is to assess the actual impact each risk may have on your business objectives should it occur. The impact of each risk on your business should be classified, again using terms that are meaningful and relevant to your business and the type of risk being evaluated. For example, using a statement relating to financial impact may not be relevant when assessing health and safety risks where the impact could be as severe as loss of life. Armed with this information, you then need to assess which risks are outside of your comfort zone (also known as your risk appetite) and therefore demand immediate attention, and which risks can be regarded as minor or tolerable and therefore not in need of current corrective action.
The next step in your risk management plan development is to consider and act upon the treatment of those risks which are outside of your risk appetite and could severely affect achievement of your business objectives. Some questions which need to be addressed in this process are: Which method of treatment is most appropriate for each risk? Which risks are to be covered by insurance, and which can be mitigated by implementing control procedures to reduce the likelihood of the risk occurring and/or its impact if it does occur? What costs will be incurred by each treatment? Who will be ultimately responsible for each treatment? What are the projected benefits for each treatment? How can the anticipated success of each treatment be assessed and how can it be measured?