Risk management

8 avril 2022

Every business faces risks that could pose threats to its success.

Risk is defined as the probability of an event and its consequences. Risk management is the use of processes, methods and tools to manage those risks.

Risk management focuses on identifying what could go wrong, evaluating what risks should be addressed, and implementing strategies to deal with those risks. Companies that have identified the risks will be better prepared and will have a more cost effective way of dealing with them. This guide shows how to identify the risks your business may face. It also discusses how to implement an effective risk management policy and program that can increase your business' chances of success and decrease the possibility of failure.

Risk management process
Businesses face a large number of risks, which is why risk management should be a central part of the strategic management of any business. Risk management helps you identify and address the risks facing your business and, in doing so, increases the likelihood of successfully achieving your business objectives.

A risk management process involves:

1. 1- the methodical identification of the risks surrounding your company's activities
2. 2- the assessment of the probability of an event occurring
3. 3- understanding how to respond to these events
4. 4- putting systems in place to deal with the consequences
5. 5- monitoring the effectiveness of your risk management approaches and controls

Accordingly, the risk management process:

1. 1- improves decision making, planning and prioritization
2. 2- helps you allocate capital and resources more efficiently
3. 3- allows you to anticipate what could go wrong, minimize the number of fires you will have to put out or, in the worst case, prevent disaster or serious financial loss
4. 4- significantly improves the likelihood that you will deliver your business plan on time and on budget

Risk management becomes even more important if your business decides to try something new, such as launching a new product or entering new markets. Competitors following you into these markets, or technological breakthroughs making your product redundant, are two risks you might want to consider in such cases.

Types of risks your business faces
The main risk categories to consider are:

1. 1- strategic, for example a competitor entering the market
2. 2- related to compliance, for example the introduction of a new health and safety law
3. 3- financial, such as non-payment from a customer or increased interest charges on a business loan
4. 4- operational, for example, the failure or theft of key equipment

These categories are not rigid and some parts of your business may fall into more than one category. Data protection risks, for example, could be considered when reviewing your operations or corporate compliance.

Other risks include:

1. 1- environmental risks, including natural disasters
2. 2- employee risk management, such as maintaining sufficient numbers of staff and replacements, employee safety and up-to-date skills
3. 3- political and economic instability in any foreign market to which you export goods
4. 4- health and safety risks

Strategic and compliance risks
Strategic risks are the risks associated with operating within a particular industry.

They include risks arising from:

1. 1- merger and acquisition activity
2. 2- change in customers or in demand
3. 3- changes in the industry
4. 4- research and development

For example, you might consider the strategic risks of a US company buying one of your Canadian competitors. This could give the US company a distribution division in Canada. You might want to consider:

1. 1- if there is any US company with the money and/or good enough to do it
2. 2- whether there is any Canadian competitor that could be an acquisition target, perhaps due to financial difficulties
3. 3- if an American company would lower its prices or invest more in research and development
4. 4- When there is a high probability of this happening, you should prepare a response.

Compliance Risk

Compliance risks are those associated with the need to comply with laws and regulations. They also apply to the need to act in a way that investors and customers expect, for example, by ensuring appropriate corporate governance.

You may want to consider that employment or health and safety legislation may add to your overhead costs or force you to change your established ways of working.

You might also want to consider legislative risks to your business. You need to consider whether the products or services you offer might be less marketable due to laws or taxation – as has happened with tobacco and asbestos products. For example, concerns about rising obesity could prompt more stringent food labeling regulations, which could increase costs or reduce the attractiveness of certain types of food.

Financial and operational risks
Financial risks are associated with the financial structure of your business, the transactions your business conducts, and the financial systems you already have in place.

Identifying financial risks involves reviewing your day-to-day financial operations, especially cash. If your business is too dependent on a single customer and they are unable to pay you, it could have serious consequences for the viability of your business. You might consider:

1. 1- how you extend credit to new customers
2. 2- who owes you money
3. 3- the steps you can take to recover it
4. 4- insurance that can cover large or doubtful debts

Financial risk must take into account external factors such as interest rates and exchange rates. Rate changes will affect the repayment of your debts and the competitiveness of your goods and services compared to those produced abroad.

Operational risks

Operational risks are associated with the operational and administrative procedures of your business. These include in particular:

1. 1- recruitment
2. 2- the supply chain
3. 3- accounting controls
4. 4- IT systems
5. 5- regulations
6. 6- the composition of the board of directors

You must examine these operations in turn, prioritize the risks and plan provisions if one of these risks materializes. For example, if you are heavily dependent on a supplier for a key component, you need to consider what might happen if that supplier goes out of business and find other suppliers to help you minimize the risk.

IT and data protection risks are increasingly important to business. If hackers break into your IT systems, they could steal valuable data and even money from your bank account, which at best would be inconvenient and at worst could lead to bankruptcy. A secure IT system employing encryption will protect business and customer information.

How to assess the risks
Risk assessment allows you to determine what the risks mean to the business and decide whether to accept the specific risk or take action to prevent or minimize it.

In order to assess the risks, it is interesting to classify these risks when you have identified them.

This can be done by considering the consequences and likelihood of each risk. Many companies find that rating consequences and likelihood based on criteria such as high, medium, or low is appropriate for their needs.

They can then be compared to your business plan to determine any risks that could impact your goals, and assessed against legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense.

There are tools you can use to help you assess risk. You can plot on a risk map the significance and likelihood of the risk occurring. Each risk is ranked on a scale of one to ten. If a risk obtains the score of ten, it means that it is of major importance for the company. One is the least significant. The map allows you to visualize the risks in relation to each other, judge their extent, and plan the sorts of controls that need to be implemented to mitigate the risks.

Risk prioritization, whichever way you do it, allows you to direct time and money to the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision-making process as well as escalation procedures that your company should follow should an event occur.

Use preventive measures for business continuity
Risk management involves putting processes, methods and tools in place to deal with the consequences of events that you have identified as representing significant threats to your business. This could be as simple as setting aside financial reserves to ease cash flow problems should they arise or ensuring effective computer backup and IT support procedures to deal with a systems failure.

Programs addressing the threats identified during the risk assessment are often referred to as business continuity plans. They indicate what you should do if a certain event occurs, for example if a fire destroys your office. You can't avoid all risks, but business continuity plans can minimize disruption to your business.

Risk assessments will change as your business grows or due to internal or external changes. This means that the processes you have in place to manage your business risks need to be reviewed periodically. Such reviews will identify process improvements and may also indicate that a process is no longer needed.

How to manage risk
There are four ways to address or manage each risk you have identified. You can :

1. 1- accept it
2. 2- transfer it
3. 3- decrease it
4. 4- eliminate it

For example, you might decide to accept a risk because the cost of eliminating it completely is too high. You may decide to transfer the risk, which is usually done with insurance. Or you might be able to decrease the risk by introducing new safety measures or eliminate it altogether by changing the way you produce the product.

Once you have assessed and accepted the measures and procedures to reduce the risk, these measures must be put in place.

Risk management is not a one-time exercise. Constant monitoring and review is crucial to the success of your approach to risk management. Such monitoring ensures that risks have been identified and assessed correctly and that appropriate controls have been put in place. It is also a way to learn from experience and make improvements to your risk management approach.

All of this can be formalized in a risk management policy, setting out your company's risk approach and appetite as well as its approach to risk management. Risk management will be even more effective if you clearly assign responsibility to selected employees. It's also best to get a board-wide commitment to risk management.

Good risk management can improve the quality and performance of your business.

Choosing the right insurance to protect you against losses
Insurance will not reduce your business risk, but you can use it as a financial tool to protect against losses associated with certain risks. This means that in case of loss, you will get some financial compensation. This can be crucial for the survival of your business, for example, in the event of a fire that destroys a factory.

Some costs cannot be insured, such as damage to a company's reputation. On the other hand, insurance is compulsory in certain areas.

Insurance companies increasingly want proof that risk is being managed. Before providing cover, they want proof that the processes in place are working effectively to minimize the likelihood of a claim. You can ask your insurance services advisor for advice on the appropriate processes.

Insurance products

You can use a business interruption policy, for example, to be insured against loss of profits and higher overhead resulting from, for example, a damaged machine. You might also want to consider:

1. 1- product liability insurance
2. 2- employee insurance
3. 3- group life insurance

Liability insurance - product and liability insurance - is intended to pay any compensation and legal costs arising from negligence or breach of duty.

Employee insurance is intended to cover you for the financial costs resulting from the loss of key personnel.

Group life insurance is provided by employers as part of a benefits package and provides a lump sum payment to an employee's family in the event of the employee's death.