Assessing and Managing Your Business Risks

May 23, 2013

“Risk” as defined by is “a probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.”

That definition covers the types of “negative occurrences” that businesses face. It also notes that those threats “…may be avoided through preemptive action,” which implies planning.

Large corporations have formal functions assigned to manage—and preempt—risk in many areas. These include operational, financial, legal, security and communications. They’re tied together under the umbrella concepts of “disaster recovery” and “business continuity,” both of which are self-explanatory. Usually they have a person in charge of developing an overall risk management plan, conducting drills against the plan, and coordinating the activities of the key people from each of the functional areas with a stake in the plan’s execution.

Small and medium sized businesses should also take time to consider their vulnerability to risk, such as what their specific risks are, how to minimize exposure to them and how to mitigate them should they occur. Why? Because, as unimaginable as some common risk factors may be, just one can bankrupt a business or weaken it so badly that it must close its doors.

While a “stem-to-stern” risk assessment is beyond the scope of this post, below are some topics owners and management should think about when considering the management of risk:

• Operational threats suggest “can-we-open-our-door” questions like:

o What kind of weather could keep us from operating?

o What other events or conditions could keep us from operating?

o How quickly could we reopen?

o What managers and employees are absolutely critical to operate?

o What impact would the severe injury or death of a key employee have on the business?

o What if we can get supplies? What alternate suppliers do we have?

o How long will our current inventory last? Where is our data stored? How quickly can it be recovered?


• Financial threats suggest “what-are-our-cost” questions like:

o How long can we afford to be closed?

o What would be our cash requirements?

o How would we manage our credit lines if we had to close for longer than a week?

o Could we stretch our payment period for accounts payable?

o Can we pull in our accounts receivable?

You can “de-risk” your cash management and logistics by outsourcing that to professionals like GardaWorld Cash Services. Not only will you save time handling cash, but you’ll also be able to access cash needed in case of disaster even if banks are closed.


• Legal threats suggest “what-does-the-law-mandate” questions like:

o What liabilities would we have if we can serve our customers?

o What if a customer gets hurt on our premises or gets robbed?

o Are we in compliance with all local, state and federal regulations?

o If not, what could happen? What would it cost us to get in compliance?


• Security threats suggest “safekeeping-and-well-being” questions like:

o How quickly can local law enforcement or ambulance get on the scene of an on-premise crime or injury?

o How do we deal with employee thefts? Customer thefts?

o Are we digging deep enough in our employee background checks?

o Do we need uniformed, armed security on-site?

o Is just uniformed security enough?

Outsourcing your physical security can help you address related risks. In Canada, GardaWorld Protective Services provide security professionals in more than 140 cities. Globally, especially in complex and emerging markets, GardaWorld International Services fields 3,500 security and risk professionals, who deliver flexible, discreet, avoidance-based security and protective services for corporate and private clients as well as sovereign diplomatic missions.


• Communications issues are not threats per se, but pertain to providing stakeholders—customers, employees, shareholders and the community—with relevant and timely updates on any company situation that may affect them. Questions you should ask:

o What and how do we tell our customers about a business interruption?

o How critical is it to them? What are our communication requirements to our surrounding communities?

o What news media do we contact and under what conditions and with what messages?

Obviously, you could (and should) ask scores if not hundreds more questions to fully expose all possible risks to your business. The common thread through these is, “What if…?”  Of course, more systematic approaches can be found on the Internet.

But the most important process in managing your risks is first assessing them to learn what they are. The best way to do that is to gather key business stakeholders and conduct a “what-if” brainstorming session. After documenting the results, then list ways to mitigate each vulnerability and, last, compile it all into an action plan with roles and responsibilities clearly identified about who does what should a risk be triggered. Also add a list of stakeholders’ contact information.