Business risk analysis is an essential part of the planning process. It reveals all the hidden hazards, which occupy the business owner’s mind on a subconscious level but which have not been carefully considered and documented on a conscious level.
Conducting and regularly reviewing business risk analysis brings huge benefits to a company. In this article, you will see:
- What are the risks facing your company?
- How to conduct a business risk analysis
- How a part-time CFO will conduct a risk analysis on your business
Not understanding the risks your company faces can bring your company to its knees, as a 2011 report, ‘The Road to Ruin’ from Cass Business School revealed.
Alan Punter, a visiting Professor of Risk Finance at Cass Business School, said the detailed survey of 18 business crises during which enterprises came badly unstuck revealed that in simple terms, directors were often unaware of the risks they faced.¹
“Seven of the firms collapsed and three had to be rescued by the state while most of the rest suffered large losses and significant damage to their reputations,” he said.
“About 20 Chief Executives and Chairmen subsequently lost their jobs, and many Non-Executive Directors (NEDs) were removed or resigned in the aftermath of the crises. In almost all cases, the companies and/or board members personally were fined, and executives were given prison sentences in four cases.”
“One of our main goals was to identify whether these failures were random or had elements in common. We studied a wide range of corporate crises, including those suffered by AIG, Arthur Andersen, BP, Cadbury Schweppes, Coca-Cola, EADS Airbus, Enron, Firestone, Independent Insurance, Northern Rock, Railtrack, Shell, and Société Générale.”
“And our conclusion? To quote Paul Hopkin of Airmic, the Risk Management Association that commissioned the research: ‘This report makes clear that there is a pattern to the apparently disconnected circumstances that cause companies in completely different areas to fail. In simple terms, directors are often too blind to the risks they face.’”
A lot of business owners spend an unhealthy amount of their time worrying about what might go wrong but don’t have a formal risk management framework in place.
It is dangerous not knowing what might go wrong:
- When the money might run out.
- Whether a new product launch is viable.
- Whether a competitor has the resource and motivation to drive you out of business.
- What risks are involved in penetrating a new market.
- How the market is changing (and how it will react to your future plans/products/services).
- Whether a recession will change the playing field.
It is also dangerous not knowing your internal risks:
- What products are delivering the greatest profit?
- What happens if key members of your team decide to leave?
- Are you likely to reach market saturation?
What are the risks facing your business?
Business risks can be broken up into the following:
- Strategic risks – risks that are associated with operating in a particular industry.
- Compliance risks – risks that are associated with the need to comply with laws and regulations.
- Financial risks – risks that are associated with the financial structure of your business, the transactions your business makes and the financial systems you already have in place.
- Operational risks – risks that are associated with your business’ operational and administrative procedures.
- Market/Environmental risks – external risks that a company has little control over such as major storms or natural disasters, global financial crisis, changes in government legislation or policies.²
The ‘shoot, fire, aim’ approach favoured by many entrepreneurs is great for making things happen quickly but often jeopardizes the long-term stability of the business.
What is needed is a balance.
Once the business understands the risks, it means that it can move forward decisively and confidently. It’s hard to do this when there is a cloud of confusion hanging over the business.
Where to start…
You need to identify potential risks to your business. Once you understand the extent of possible risks, you will be able to develop cost-effective and realistic strategies for dealing with them.
Categories of risk
- Financial: This category includes cash flow, creditor and debtor management, budgetary requirements, tax obligations, remuneration and other general account management concerns.
- Organizational: This relates to the internal requirements of a business and issues associated with its effective operation.
- Equipment: This covers the equipment used for the conduct and operations of the business. It includes equipment maintenance, general operations, depreciation, safety, and upgrades.
- Legal & regulatory compliance: This category includes compliance with legal requirements such as legislation, regulations, standards, codes of practice and contractual requirements. It also extends to compliance with additional ‘rules’ such as policies, procedures, or expectations, which may be set by contracts, customers or the social environment.
- Security: This category includes the security of the business premises, assets and people, and extends to the security of technology, information and intellectual property.
- Operational: This covers the planning, operational activities, resources (including people) and support required within the operations of a business that result in the successful development and delivery of a product or service.
- Reputation: This entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of product or service, or the conduct of employees or other individuals associated with the business.
- Service delivery: This relates to the delivery of services, including the quality and appropriateness of service provided, or the manner in which a product is delivered, including customer interaction and after-sales service.
- Commercial: This category includes the risks associated with market placement, business growth, diversification and commercial success. This relates to the commercial viability of a product or service and extends through establishment to retention and then the growth of a customer base.
- Project: This includes the management of equipment, finances, resources, technology, timeframes and people associated with the management of projects. It extends to internal operational projects, projects relating to business development, and external projects such as those undertaken for clients.
- Safety: This category includes the safety of everyone associated with the business. It extends from individual safety to workplace safety, public safety and to the safety and appropriateness of products or services delivered by the business.
- Stakeholder management: This category relates to the management of stakeholders (both internal and external) and includes identifying, establishing and maintaining an appropriate relationship.
- Strategic: This includes the planning, scoping and resourcing requirements for the establishment, sustaining and/or growth of the business.
- Technology: This includes the implementation, management, maintenance and upgrades associated with technology. This extends to recognizing the need for and the cost benefit associated with technology as part of a business development strategy.
Before you begin to identify the types of risks you face, you need to assess your business. Consider your critical business activities, including your staff, key services and resources, and the things that could affect them (for example, illness, natural disaster, power failures, etc.).
In particular, consider:
- The records and documents you need every day
- The resources and equipment you need to operate
- The access you need to your premises
- The skills and knowledge your staff have that you need to run your business
- External stakeholders you rely on or who rely on you
- The legal obligations you are required to meet
- The impact of ceasing to perform critical business activities
- How long your business can survive without performing these activities.
Doing this assessment will help you to work out which aspects your business could not operate without.
Identify the risks
Look at your business plan and determine what you could not do without and what type of incidents could have an adverse impact on those areas. Ask yourself whether the risks are internal or external. When, how, why and where are risks likely to occur in your business? Who might be affected or involved if an accident occurs?
Ask ‘What if?’ questions. What if your company’s critical documents were destroyed? What if you lost access to the internet? What if you lost your power supply? What if one of your key staff members resigned? What if your premises were damaged? What if one of your best suppliers went out of business? What if services you rely on, such as communications or roads, were closed?
Think about what possible future events could affect your business. Consider what would lead to such events happening. What would the outcome likely be? This will help you identify risks that could be external to your business.
Assess your processes
Evaluate your work processes (use inspections, checklists, and flow charts). Identify each step in your processes and think about the associated risks. What would stop each step from happening? How would that affect the rest of the process?
Consider the worst case scenario
Thinking of the worst possible things that could affect your company can help you to deal with smaller risks. Once you’ve identified risks relating to your business, you’ll need to analyze their likelihood and consequences and then come up with options for managing them. You need to separate small risks that may be acceptable from significant risks that must be managed immediately.
Analysing the level of risk
To analyse the risks you have identified, you need to work out the likelihood of each one happening (its frequency or probability) and the consequences it would have (its impact). Together these give the level of risk, which you can calculate using the following formula: Level of risk = consequence × likelihood
Level of risk is often described as low, medium, high or very high. Assign each risk a likelihood rating from 1 (being very unlikely) up to 4 (being very likely). You can use a rating level higher than 4.
You should also assign each risk a consequence rating from 1 (being low) to 4 (being severe). Again, you can use more than four levels.
Once you’ve assigned each risk a likelihood and a consequence rating, calculate the level of risk. You then need to create a rating table for evaluating the risk (which means making a decision about its severity and ways to manage it).
You need to consider:
- How important each activity is to your business
- The amount of control you have over the risk
- Potential losses to your business
- The benefits or opportunities presented by the risk
When you’ve identified, analysed and then evaluated your risks, you need to rank them in order of priority. You can then decide how you will treat unacceptable risks. To do that, you will need to consider:
- The method of treating the risk
- The people responsible for the treatment
- The costs involved
- The benefits of the treatment
- The likelihood of success
- The ways to measure the treatment’s success
The methods of treating a risk are:
- Avoid the risk
- Reduce the risk
- Transfer the risk
- Accept the risk
¹ ‘The Road to Ruin’, Punter, Alan, Financial Director, www.financialdirector.co.uk, Aug 18, 2011