ET Rise

Managing uncertainties: How to think about and manage business risks

Knowing how to formally think about risk in an organised manner is the key to anticipating business issues across all functions in MSME businesses.

Last Updated: Oct 25, 2018, 11.54 AM IST
By Ujval Nanavati

Before we come to what risk management means, let us define what 'Risk' means. Risk, as defined in ISO 31000, is "the effect of uncertainty on objectives". Put simply, once you have set the objectives for your small business, which could be around any business function like production, sales, finance, logistics, etc., any adverse event, occurrence, development, or situation that hinders the achievement of these objectives is a risk.

These risks could be internal to the business, such as breakdown of machinery, strike, fraud, etc. or external to the business, such as regulatory changes, macro-economic shocks, market breakdown, default by a large customer, etc.

The definition of Risk Management is: the process of identification, evaluation, and prioritisation of risks with a view to minimise, control, and monitor the probability and/or impact of these negative events. We will break this technical definition down and look at the practical aspects of the Risk Management framework.

The Process
Identification, evaluation, and prioritisation of risks
The first step in the process is identification of the risk, which involves identifying which specific occurrences put the different objectives of your small business at risk.
The next step is evaluation. Evaluation consists of determining two elements:
  • Probability: What is the chance that this risk will actually occur? This is scored based on a percentage probability of occurrence.
  • Impact: If it occurs, what will be the impact of this risk? This is usually scored based on the monetary impact.
Next is prioritisation of risks. This is usually done through a scoring system wherein both Probability and Impact scores are multiplied to arrive at a Risk Score.

Based on the prioritisation, you determine your Risk Response, which is 'What will I do with the risk I just identified, evaluated, and prioritised?'

[Graph 1]

The Objective
Minimise, control, and monitor the probability and/or impact
Once you have identified a risk and accepted it, you will naturally try to minimise it to the extent possible before putting in risk control or mitigation measures, which have a cost attached to them. Examples are better locks to protect against theft, or firefighting equipment on site for fire risk. What is left to control then is the Residual Risk, or the risk left over after all the minimisation measures.

Control mechanisms then focus on this Residual Risk. These are the mitigants in addition to the minimisation steps above, which can help to reduce or control either the probability or the impact of the risk, or even both. For the theft or fire example above, the Residual Risk is the risk of theft or fire even after implementing the minimisation measures like locks and fire extinguishers. The control mechanism for this Residual Risk could be theft and fire insurance policies or better security services.

Monitoring involves evaluating the probability and impact on a continuous basis to see what has changed and if the risk ranking needs to be updated.

The Framework (bringing it all together):
Together the 5 risk management process steps above combine to deliver a simple and effective risk management process for any small business, which is effectively

[Graph 2]

Working Example
Now let us have a look at an example, which puts all of the above theory in perspective. Every business risk will be detailed in the following format, which effectively serves as the Risk Register of the business.

[Graph 3]

* Probability scores:
5: 90-100% risk of occurrence
4: 75-90% risk of occurrence
3: 40-75% risk of occurrence
2: 20-40% risk of occurrence
1: 0-20% risk of occurrence

^ Impact scores:
5: 75-100% of annual profits
4: 60-75% of annual profits
3: 30-60% of annual profits
2: 15-30% of annual profits
1: 0-15% of annual profits

Note: Above percentage impact scoring can be based on annual profits, net worth, asset base, annual sales, or other metric that is vital to the business.


Copyright © 2020 Bennett, Coleman & Co. Ltd. All rights reserved. For reprint rights: Times Syndication Service