So let's look at risk management and learn how to limit exposure so you can create a more resilient business.
What does ‘risk’ mean in businesses
Risks are the potential for negative consequences to your business. They can be either direct (within your control) or indirect (out of your control). Risk management softens the impact of direct or indirect events on your business.
| Direct Risks | Indirect Risks |
|---|---|
| Financial: Debt and cash flow | Cyber: scams, fraud and crime |
| Operational: Processes & procedures | Natural hazard: floods, cyclones and bush fires |
| Compliance: ATO, Fair Work, etc | Economic: inflation, recession, interest rates |
| Reputation: Customer reviews and branding | Regulatory: New gov laws, policies and regulation |
| Workforce: Staffing, key dependables | Supply chains: Supply disruptions, supplier increases |
Why managing risk is important
Small businesses have less cash, fewer people, and more limited support compared to larger businesses. Minor incidents can prove to be devastating, financially and psychologically, for owners. If your business isn't prepared, you could end up without a business.
Risk management helps make sure that when incidents occur, they don't mean business closure. It helps protect staff and keep them safe, and improves relationships with customers and suppliers. It also keeps your business resilient during natural and economic disasters and reduces compliance and insurance costs through low-risk assessments.
Risk Management checklist
To assess risk for a small business, we need to break it down into a step-by-step process:
- Scope: What is the risk? Focus on what most affects your ability to do business, and go from there.
- Consultation: Speak with those involved, like staff, customers, investors, communities and government. This is about who is involved in the risk, not just the risks to the business.
- Identify the risk: What could go wrong and how it could happen. Look at past incidents and possible future incidents. A good exercise is to use the SWOT analysis from business.gov.
- Calculation: Calculate the risk level by rating its likelihood (1 to 4) and severity of consequences (1 to 4). One means the risk is unlikely and low impact, while four means highly likely and severe. Your risk score would then look like this: Risk level = likelihood x consequence. This helps rank your priority.
- Evaluation: This looks at risk tolerance. Running a business inherently involves risks; decide which risks are acceptable and which to avoid.
- Risk planning: Create the risk management policy and outline how to address each risk. Look at who is responsible and the resources needed.
- Refinement: Rarely are businesses constantly exposed to the same risk; adjust your policies as needed to address the most apparent risk today.
Practical risk management tips
At the small-business level, there are simple yet practical steps you can take to reduce your exposure to risk.
Standard Operating Procedures
SOPs reduce risks by documenting repeatable tasks and creating a how-to action list for employees to follow. This helps reduce errors and create systems that run independently of owners, so staff can put out fires as well.
Risk-sharing
Instead of taking on all the risks yourself, share them with others, such as insurance providers for protective policies and financial institutions for loan agreements.
Cash flow control
High business costs can often contribute to small business closure, especially if you also have poor cash flow. To improve cash flow, implement stronger controls through budgeting, more effective pricing strategies, and revised payment terms.
Cybersecurity protocols
Cyber scams are rampant and cost Australian businesses millions. To reduce your risk of cyber scams, ensure your business implements an internal cybersecurity policy. Consider implementing multifactor authentication on vital accounts, frequent software updates, strong passwords, employee education, and procedures for responding to a data breach.
Risk Action Card
Here is a simple action card to identify and evaluate a risk based on the checklist above:
| Identification: | Risk title: | Category: Direct/indirect | Business/area/objective affected: | |
|---|---|---|---|---|
| Description: | Risk description: What could happen? Why does it matter? | Cause/trigger: What creates the risk? | | |
| Assessment: | Likelihood: Rate 1-4 | Consequence: Rate 1-4 | Risk score: likelihood x consequence | Risk level: (low/medium/high/critical) |
| Decision & Action: | Risk decision: accept/treat/monitor/avoid | Action required: how to address | | |
| Ownership & Resources: | Owner: who is responsible | Resources: extra money, staff, time, tools & software, third-party | | |
| Timeline & Status: | Due date: When must the action be completed? | Review date: When will this be addressed again? | Status: not started/in progress/complete | |
| Additional Notes: | Relevant information, links, or context | | | |
Example: Cyber scam at Marty's cafe
Marty owns a small inner-city cafe. As a busy business owner, he did not double-check an email and ended up paying a scam invoice. It was only when his supplier asked for payment that Marty noticed the scam.
After contacting the bank, Marty found he had no way to recoup the stolen funds. To avoid falling for cyber scams again, he reviewed how exposed his business is to future attacks. By using a risk action card, he found that his business was at high risk:
Risk score: 9 (Likelihood 3 × Consequence 3)
Risk level: High
Risk decision: Treat (and monitor)
To mitigate the risk, he created an action list from his card.
Action list:
- Multi-factor sign-in for email, banking, and accounting
- Payment checklist: standard operating procedure (invoice match, call-back verification, PO match)
- Staff education and refresher on cyber scams and invoice spoofing
- Set bank alerts for new payees and large transfers
- Document a quick "what to do if it happens again" step-by-step (call bank, freeze payments, report)
Accepting risk as a small business
Risk management means managing negative outcomes, not eliminating them. Business itself is a risky endeavour. Understanding it and creating systems to respond to it builds risk tolerance and a more resilient small business.














































