The Economic Times

    Managing uncertainties: How to think about and manage business risks


    Knowing how to formally think about risk in an organised manner is the key to anticipating business issues across all functions in MSME businesses.

    By Ujval Nanavati

    Before we come to what risk management means, let us define what 'Risk' means. Risk, as defined in ISO 31000, is "the effect of uncertainty on objectives". Put simply, once you have set the objectives for your small business, which could be around any business function like production, sales, finance, logistics, etc., any adverse event, occurrence, development, or situation that hinders the achievement of these objectives is a risk.

    These risks could be internal to the business, such as breakdown of machinery, strike, fraud, etc. or external to the business, such as regulatory changes, macro-economic shocks, market breakdown, default by a large customer, etc.

    The definition of Risk Management is: the process of identification, evaluation, and prioritisation of risks with a view to minimise, control, and monitor the probability and/or impact of these negative events. Below, we break this technical definition down and look at the practical aspects of the Risk Management framework.

    The Process
    Identification, evaluation, and prioritisation of risks
    The first step in the process is identification of the risk, which involves identifying which specific occurrences put the different objectives of your small business at risk.
    The next step is evaluation. Evaluation consists of determining two elements:
    • Probability: What is the chance that this risk will actually occur? This is scored based on a percentage probability of occurrence.
    • Impact: If it occurs, what will be the impact of this risk? This is usually scored based on the monetary impact.
    Next is prioritisation of risks. This is usually done through a scoring system wherein both Probability and Impact scores are multiplied to arrive at a Risk Score.

    Based on the prioritisation, you determine your Risk Response, which is 'What will I do with the risk I just identified, evaluated, and prioritised?'

    [Graph 1]

    The Objective
    Minimise, control, and monitor the probability and/or impact
    Once you have identified a risk that you have accepted, you will naturally try to minimise it to the extent possible before putting in risk control or mitigation measures, which have a cost attached to them. Examples are better locks to protect against theft, or firefighting equipment on site for fire risk. What is left to control then is the Residual Risk, or the risk left over after all the minimisation measures.

    Control mechanisms then focus on this Residual Risk. These are the mitigants in addition to the minimisation steps above, which can help to reduce or control either the probability or the impact of the risk, or even both. For the theft or fire example above, the Residual Risk is the risk of theft or fire even after implementing the minimisation measures like locks and fire extinguishers. The control mechanism for this Residual Risk could be theft and fire insurance policies or better security services.

    Monitoring involves evaluating the probability and impact on a continuous basis to see what has changed and if the risk ranking needs to be updated.

    The Framework (bringing it all together):
    Together, the 5 risk management process steps above combine to deliver a simple and effective risk management process for any small business, which is effectively:

    [Graph 2]

    Working Example
    Now let us have a look at an example, which puts all of the above theory in perspective. Every business risk will be detailed in the following format, which effectively serves as the Risk Register of the business.

    [Graph 3]
    * Probability scores:
    5: 90-100% risk of occurrence
    4: 75-90% risk of occurrence
    3: 40-75% risk of occurrence
    2: 20-40% risk of occurrence
    1: 0-20% risk of occurrence

    ^ Impact scores:
    5: 75-100% of annual profits
    4: 60-75% of annual profits
    3: 30-60% of annual profits
    2: 15-30% of annual profits
    1: 0-15% of annual profits

    Note: Above percentage impact scoring can be based on annual profits, net worth, asset base, annual sales, or other metric that is vital to the business.

    (Disclaimer: The opinions expressed in this column are those of the writer. The facts and opinions expressed here do not reflect the views of