Anything worth having involves some degree of potential risk. Taking a ski vacation includes the risk of injury. Asking someone out on a date carries the risk of rejection. Life is a series of practical lessons in risk management. As Mark Twain said: “You have to go out on a limb. That’s where the fruit is.”
However, apart from gambling, the risks you may encounter in business are unique in that they expose you to the risk of losing money or assets which may have substantial pecuniary value. You can lose the building and furnishings, equipment, product inventory, the money you have invested, the jobs your employees depend on and the plans you have worked hard for years to develop.
A Risk Management Plan is an Important Strategic Responsibility
In order to protect all this value for employees, investors and other stakeholders of a business, one of the most important strategic responsibilities of every business owner or manager is the development of a formal risk management process and a comprehensive risk management plan.
What is a risk management plan?
Put simply, a risk management plan is the organized effort of an organization to identify external and internal risks, evaluate the probability of their occurrence, apply proactive methods to reduce those probabilities and involve the entire company’s team in a risk management process. A complete risk management program also requires commercial insurance coverage for risks that could have the most impact on the business or risks that have legally mandated coverage requirements.
A business risk management plan requires the owner or manager to thoroughly examine the vulnerability of the business to every conceivable hazard, peril, or negative occurrence, including natural disasters, theft, fire, flood, vandalism, cyberattacks, the breakdown of essential equipment, the failure of a supplier to deliver needed materials, the death of a key employee, a workplace safety violation, or a personal injury lawsuit.
Where do potential risks come from?
A comprehensive management plan must envision a wide variety of potential risks, which may come from any direction and strike any part of the business. The literal definition of an entrepreneur is someone who organizes a business, taking on greater than normal financial risks in order to do so. However, business risks are in no way limited to the failure of the financial plan underlying a bold venture. There are many other potential external and internal risks, some of which can be anticipated, but many of which can occur without warning. An effective risk management process requires anticipation of every conceivable risk.
External Risk Management
External risks are forces that originate outside the company but nevertheless may bring financial, strategic, operational or insurable hazard risks. An external risk management plan requires the business owner to analyze the environment in which the business operates.
External Financial Risk Management
A business can be put at financial risk by rising interest rates or reduced availability of credit. The risk management plan must consider how rising interest makes it more expensive to pay bills, purchase inventory, make payroll and have the cash flow needed to operate the business, while a so-called “credit crunch” makes it harder for businesses to finance operations and inventory, as well as for their customers to finance new purchases.
External Strategic Risk Management
Business plans are vulnerable to strategic challenges such as competition, changes in consumer demand and changes in industry technology. In a strategic risk management plan, consider how every new competitor or new promotion by an old competitor can bring risk.
A strategic risk management plan must also consider changing customer demand. Fast food customers who once wanted hamburgers may now want chicken sandwiches. Managing risk also includes anticipating changes in technology. Film-developing locations, once common, are now all gone, along with thousands of video rental stores…and millions of phone booths.
External Operational Risk Management
External risks may also arise from the day-to-day operation of the business. Non-compliance with health and safety, environmental, consumer protection or employment practices can result in a fine or penalty. Regulators can decide to restrict a component or a work practice. Domestic and international suppliers can be cut off by tariffs, conflict or, as we saw with Covid-19, public health crises. Effective external operational risk management programs seek to envision any external factors which can harm company operations or efficiency.
External Insurable Hazard Risk Management
When we consider risk management for the potential risks to a business, we most often think of insurable hazards like natural disasters. A fire can literally put a company out of business. Recently, a tornado destroyed a Pfizer plant in North Carolina, putting hospital supplies at risk all over the country. Businesses across Vermont are recovering from widespread flooding, and heavy rains in California have caused millions in losses from landslides. Business risks from insurable hazards are always with us, making property insurance for fire, storm, flooding and earth movement essential elements of business risk management.
Internal Risk Management
Internal risks can be easier to prevent and mitigate because they arise from within the company, its facilities, employees and partners. Risk management for internal risks should also contemplate financial, strategic, operational and insurable hazard losses, although there is more the company management and employees can do, as a risk management team, to prevent internal risks and to manage risk outcomes.
Internal Financial Risk Management
A crisis of liquidity or cash flow can put a business at risk. While a risky balance of assets to cash can only be adjusted by the business owners, both management and employees can strengthen (or weaken) a company’s cash position. Since we all have a household budget, most people know that the best risk management strategy for guarding cash flow is to control overhead. Companies can also shorten receivable terms, stretch payable terms, apply risk management technology to improve processes, restructure debts, sell unproductive assets, utilize vendor or lender financing techniques…and, of course, increase net revenue.
Internal Strategic Risk Management
Manufacturing and technology companies are often powered by unique intellectual property or innovative research and development. The internal strategic risks include the legal costs to defend against infringement or internal theft, lest a court find the company’s property rights unenforceable.
The company may encounter a loss of product revenue or licensing income. It may be necessary to pay a financial settlement or to manage risk by investing in the engineering cost of designing around a conflict. Even when resolved, intellectual property and other strategic risk management conflicts can harm partner relationships, damage the company’s reputation, or reduce the value of the company’s stock.
Internal Operational Risk Management
Internal risks can arise from accounting department operations due to fraud, theft or an innocent but nonetheless costly error. Recruiting risks could come from the legal cost of an unlawful hiring action or harm done to the company by a miscreant employee.
Workplace operational risks can range from exposure to hazardous material to worker safety on the factory floor. Supply chain risks could arise from the delivery of defective materials, purchasing fraud, delayed deliveries or a dockworker strike. Information technology is exposed to a very broad range of risks from cyberattacks, including phishing, ransomware, denial of service, stolen customer data, cyber extortion and intentional employee malfeasance.
Internal Insurable Hazard Risk Management
Internal to every enterprise, many risks originate with factors that are primarily under the control of the organization, such as the safety of company products and services, the actions of employees and company interaction with the public.
Product liability, professional liability, vehicle insurance and general liability insurance protect the company from the risks of negligence, errors, omissions, vehicle accidents and injuries suffered by a customer or visitor.
Elements of an Effective Risk Management Plan
Whether an individual company is a small business or a global enterprise, the development of an effective risk management plan requires five key elements:
- Risk Identification
- Risk Evaluation
- Response Planning
- Risk Mitigation
- Risk Monitoring
The first step in the risk assessment process involves a straightforward consideration of the company’s external and internal financial, strategic, operational and insurable hazard risks.
Forming Risk Assessment Teams
Company managers and employees are in the best position to identify risks as the risk management plan is initially developed. A financial risk management team can be assigned to look for risks relating to interest rates, credit availability or cash flow.
Marketing and engineering teams know a company’s strengths and weaknesses, as well as industry competition and the vulnerability of company intellectual property to emerging risks. Production managers and line workers can take the lead in raising risk awareness on the shop floor to reduce instances of slips, trips, falls and other injuries.
The company’s legal counsel can help identify risks from hiring, safety and other workplace practices. A trusted insurance advisor can identify risks to the company facilities and operations from hazards such as fire, storm, vandalism, vehicle accidents and exposure to liability.
Risk Management Plan Evaluation
Before attempting to develop risk management strategies, the owner or manager must take the time to define the nature of each identified risk, along with the probability, severity and potential cost to recover.
This step should include an evaluation of the organization’s existing efforts to mitigate each risk, with recommendations for new proposals to reduce the risk and identification of the departments and individuals who will be responsible for developing those efforts in the risk management plan.
- Nature of the Risk – Is the risk external or internal? Is the risk financial, strategic, operational or an insurable hazard? Is the primary risk to personnel, physical assets, cash flows or income-producing operations?
- Likelihood of Occurrence – If the business is in California, hurricane insurance is probably not needed. If the location is anywhere in the Southeast, the likelihood of damage from a hurricane is much higher. Along with geographic location, consider the nature of the operations. Manufacturing, restaurant, farming and all other business types have risks with a high probability of occurrence.
- Severity of Effects – Some events could cause a moderate delay in business operations or carry a tolerable cost of repair and recovery. Other events carry the risk of severe financial losses or the possibility of ending the viable operation of the business.
- Cost to Recover – Estimates should be developed for the cost to restore operations, whether that be by repair or replacement, for a loss occurrence that is slight, moderate or severe. For example, in a restaurant, the risk management plan might contemplate three fire risk scenarios: one in which a fire is confined to the kitchen, a second scenario in which both the kitchen and dining room are damaged and a third in which the entire business, including furniture and building structure, is severely damaged. Actual estimates should be obtained, including current costs for restoration labor and materials. Likewise, any estimates for losses due to a labor action, a defective product lawsuit or a claim by an injured customer should be based on estimates provided by insurance and legal professionals.
- Stakeholders – Who are the managers, employees and partners who would be impacted by a specific risk? It is important to identify stakeholders and seek their input on the definition of a particular risk, along with involving them in the development of new or improved strategies to mitigate that risk. The team leaders and workers who use equipment, run the processes and produce the revenue in a particular segment of company operation are in the best position to anticipate problems, visualize risks and brainstorm practical solutions.
- Existing risk mitigation – When a company has existing safety and loss control programs or risk mitigation strategies, the task of the risk management team is to take a fresh look at the identified risk, with both a fair evaluation of the legacy program and any new proposals. The objective is to keep what works, discard what doesn’t and create new ideas to fill in any gaps.
Four Fundamentals for Managing Risk
There are four possible responses to any identified risk:
- Avoid the Risk
- Reduce the Risk
- Accept the Risk
- Share the Risk
Avoid the Risk
When possible, the most straightforward risk management tactic is to change a plan or process to circumvent the potential risk. For example, recently, State Farm Insurance evaluated their level of exposure to California wildfires and decided to suspend business in the state. Farmers Insurance did the same after reviewing their potential exposure to more frequent and more destructive hurricanes in Florida.
While these are extreme examples, they demonstrate that the simple way to take the level of risk from unacceptable to zero is to avoid the identified risk. Risk avoidance tactics can be modest. An online seller with limited security for storing customer credit card numbers can change their sales policies to request the card number for each new transaction. A manufacturer with identified fire risks can avoid storing flammable material on the factory premises. A restaurant concerned about liability for alcohol use can close its bar and reconfigure its dining room to focus on seating more diners.
Reduce the Risk
The second most effective risk management tactic is to mitigate, modify or reduce the likelihood or the impact of the risk. Below are some examples of risk reduction tactics that can be included in a risk management plan:
Fire Risk Management – Ten Ways to Reduce the Risk
- Train employees in fire prevention and response.
- Protect or remove flammable materials in storage.
- Deploy and maintain fire extinguishers.
- Inspect building wiring and electrical panels.
- Maintain HVAC and venting systems.
- Use fire suppression on kitchen equipment.
- Renovate with fire-resistant materials.
- Install alarms that call the fire department.
- Install smoke alarms and test regularly.
- Install a sprinkler fire suppression system.
Theft Risk Management – Ten Ways to Reduce the Risk
- Make the business an uninviting target for burglary.
- Use lights, security cameras, and an alarm system.
- Seek advice from the police and your insurance agent.
- Keep landscaping trimmed around storefronts.
- Keep valuable items in locked cabinets.
- Use best practices for safe cash handling.
- Make sure internal procedures discourage theft.
- Use stringent accounting controls, including audits.
- Help employees report thefts and remain anonymous.
- Guard customer information to prevent identity theft.
Vehicle Accident Risk Management – Ten Ways to Reduce the Risk
- Check driving records in every state where an employee has lived.
- Set mandatory policies for observing posted speeds and using seat belts.
- Prohibit the use of alcohol, drugs and mobile phones while driving.
- Identify aggressive personalities who may need behavioral training.
- Require drivers to report off-duty citations or accidents to the company.
- Prohibit the use of company vehicles for any non-business purpose.
- Schedule regular inspection and maintenance of all company vehicles.
- Reward drivers who remain citation-free and accident-free.
- Do not pressure drivers to rush, take calls or do paperwork in a vehicle.
- Investigate accidents and use the findings for driver training.
Liability Risk Management – Ten Ways to Reduce the Risk
- Maintain a safe environment for customers.
- Investigate any complaint of harassment or discrimination.
- Document compliance with employment policies, particularly those concerning hiring and termination.
- Have equipment serviced by certified professionals.
- Evaluate walkways and parking lots for customer safety.
- Evaluate interiors for obstructions or loose carpeting.
- Use doormats to absorb rain and snow.
- Ensure that exits are well-marked and clear.
- Keep stairwells and handrails in good condition.
- Use posted warnings and disclaimers as needed.
Accept the Risk
When risk cannot be avoided or reduced, it is sometimes necessary to move forward despite the high probability of a particular occurrence.
For example, according to the National Oceanic and Atmospheric Administration, the southeast coast of Florida, which includes major cities such as Fort Lauderdale and Miami, can expect to be visited by a hurricane every six years – and by a major hurricane every 14 years. Unless they want to avoid the risk by moving, a business located in this region may wish to accept the risk, budgeting for the potential cost of responding to an occurrence and investing in appropriate insurance coverage for damages such as minor water damage or destruction due to high winds.
Many businesses located in this region have detailed hurricane procedures which are activated when a tropical storm is on track toward their location. Windows are protected with steel hurricane shutters. Computers and other equipment are raised from the floors in case of flooding. Generators are fueled to enable the facility to operate after a loss of power, which can last days or weeks after a storm. Vehicles or other high-value assets may be stored or moved out of the area.
Hurricane plans may specify who is responsible for each preparation task and precisely what actions are to be taken before, during and after a storm. Similar action plans are developed for businesses located in areas that are prone to earthquakes, river flooding and other natural disasters.
Risk Management Includes Disaster Response and Recovery
Is disaster response in risk management important? According to the Federal Emergency Management Agency (FEMA), about 25 percent of businesses do not reopen after a major disaster. To withstand the impact of a natural disaster and give the business a chance of recovery, every business needs a disaster response and recovery plan.
The business owner, manager and key employees should be included in writing the plan, and every employee should be trained in their roles and responsibilities. Here are some other steps for disaster planning success:
Ten Steps for Disaster Response and Recovery Planning
- Develop backup suppliers in case local suppliers are out of commission.
- Store computer backups and contact records off-site.
- Use mock disaster drills to reinforce employee training.
- Build a stock of flashlights, batteries and other emergency supplies.
- Consider backup for facility power and communication systems.
- Provide for the security of the building and contents.
- Make temporary repairs to mitigate further damage.
- If necessary, relocate equipment or inventory to safety.
- Make written and photo records of damage to property.
- Use protective gear and extreme caution during cleanup activities.
Share the Risk
Even when a business can avoid, reduce or accept risk, it is wise to share the financial aspects of the risk with an insurer, who can help the business transfer some of the insurable risk to a package of targeted coverage. A well-considered insurance plan can provide timely cash benefits to help the business rebuild and recover after a small loss or a full-scale disaster.
Making Risk Management a Priority
Successful risk management planning starts at the top. If the business owner and the leadership team emphasize workplace safety, ethical practices and compliance with the law, the rest of the team will get the message that support for risk management is a priority. Even a small business faces exposures that make having a strong risk management plan important, including managing safety, quality and loss control, as well as how to avoid, reduce, accept and share the many different types of risk which they may encounter.
To learn more about risk management and how to protect your business, talk with one of Higginbotham’s business insurance professionals and discover the Higginbotham difference.