Around 98% of businesses in Alberta have fewer than 100 employees.[1] And as all those small business owners know, it can be extremely hard to keep up with all the demands of business ownership.
We spoke to Stacey Mooney, Senior Risk & Business Continuity Analyst at Alberta Central (the central banking facility and trade association for Alberta’s credit unions), to learn about business risk and how small business owners can manage it.
What is risk management?
Just as it sounds, risk management is the process of identifying, assessing and controlling potential threats. Everyone does risk management every day without thinking about it, says Stacey. For example, you drive the speed limit to avoid accidents and you put on your seatbelt to lessen the physical harm if you were to get in an accident. You might have heard the term Enterprise Risk Management, or ERM, which is the same concept applied to an organization.
Risk itself is a broad word that means different things to different people, but from a business perspective you can think of risk as anything that could prevent you from reaching your strategic goal, says Stacey. If you’re more of an example person, here are four basic categories of risk:
- operational risk (people, Information Technology, business processes)
- strategic risk (economic environment, political environment, competitors)
- financial risk (market, pricing, credit)
- hazard risk (natural disaster, legal issues)
ERM helps your business proactively identify potential risks and lessen their effects, but keep in mind that it cannot prevent all risks from occurring. It is also a continual process that must be maintained to be effective.
Do I really need ERM?
We know, resources are tight. The good news is that it can be a team effort, and ERM can actually save you money and protect your reputation. There are lots of templates, so you can customize it for the size of your organization. If you are small, just start small. Any organization can do it; just make sure your employees are on board, as they’ll play an essential role.
How do I do it?
Choose a framework to help you identify risks. Most organizations follow the COSO or ISO 31000 framework. Talk to employees in different departments to find out where the risks are or review any past losses that could happen again.
After identifying risks, the next major step is assessing them. Think about the likelihood that each risk could happen and then think about the severity of the impact if it were to happen. It can help to chart each risk on a matrix of likelihood against impact. For example, if a potential risk is information theft and you haven’t trained your employees on digital security, the probability of a privacy breach may be high. Depending on your business, a digital breach might have an extreme impact.
Next, think about what you want to do to limit the identified risks. Sometimes you may decide to avoid them, like not pursuing a new business line if you think the impact may be severe. Sometimes you’ll accept the risk, which you might do with low-impact risks that would take too much time and money to mitigate. You could also transfer risk in some cases by purchasing insurance or outsourcing certain activities. And often you’ll modify the risk by introducing training or processes to reduce the likelihood or impact. In our digital security example, you might create a policy about using only company-issued USBs or providing training sessions for employees on how to spot a phishing email.
The one big takeaway
You as a business owner cannot be solely responsible for managing risk, says Stacey (in fact, she said it a number of times). You have to look holistically across departments and get employee buy-in for the program to be successful. Set the tone, communicate and coordinate the program so that all employees understand how they can manage risk. You really need everybody to play a role, Stacey says.
Disclaimer
The information in this post is intended to bring awareness of risk management and should not be taken as personalized business advice. If you need personalized advice on risk management, talk to your insurer or an ERM expert. If you need personalized advice on business banking, contact your local credit union.
[1] https://www.ic.gc.ca/eic/site/061.nsf/eng/h_03126.html#how-SME