You can’t predict the future, but a risk management plan will help you get there.


  1. Draw a road map. Work out what you want to achieve and how to get there.
  2. Make a list. Identify your potential risks – consult with staff, suppliers and clients.
  3. Think of the consequences. Consider how such a risk might manifest itself, and what parts of the business it might affect.
  4. Know the score. Evaluate the potential impact of a risk, the likelihood of its occurrence and how to mitigate its effect.
  5. Be vigilant. Don’t assume the job is finished at the end of the process – keep monitoring and assessing.

Risk is a simple concept with many meanings. This is a dangerous thing in business because it leads managers to think they have been crystal clear in a meeting, only for an employee, supplier or customer to walk out with a worryingly different understanding. And this is particularly dangerous when it comes to explaining to others how much risk you find acceptable in making your living.

The UK’s Institute of Risk Management (IRM) describes risk as “something uncertain – it might happen or it might not”. This is as good a start as any; it is brief but also shows what a wide-ranging task risk management can be. So, before getting started, understand what you want your business to achieve and how you are going to get there. Without this, it is impossible to assess what risks your company faces.

Michael Holden FRICS, who runs his own practice, says he started by doing an “environmental analysis”. “I wanted to place myself – in terms of market segmentation – where I would be in terms of my competitors, so I could look at offering something that provides a competitive advantage.” This meant he could work out what risks he was comfortable with. For example, he explains, “the higher risks we avoided initially were things like volume-secured lending work. Now we’ve got enough surveyors to cope, we’ll look at picking up increased numbers of secured lending instructions.”

Although this may seem an eminently sensible part of the business planning process, many small firms do not do it. A survey last year by an organisation of insurance brokers did not find any firms with fewer than 10 employees with a formal risk management plan. This, the survey concludes, leaves them “often dangerously exposed to issues that in extreme cases could threaten business continuity”. So it pays to spend time identifying the most likely risks to your business.

Running a risk assessment comprises three stages, according to the ISO 31000 risk management standard, the world’s most widely recognised process. These are: identify risks, analyse risks and evaluate risks.

Identifying risks is the open-ended bit of the process, and the most likely to go wrong. People who run small companies tend to spend a lot more time working “in” the business than “on” the business. They feel they lack the time to map out where they should be in five years’ time or, indeed, what is most likely to stop them getting there. But if you are head-down in the detail every day, it is likely that you will get surprised by something – one of your clients not paying their bills, for example. While it is impossible to list all the risks the company might face – management consultants caution against “boiling the ocean” to show the futility of being too comprehensive – there is a happy medium. Make sure you consult with colleagues, including those outside the firm, key customers and suppliers, and methodically list what they suggest. The IRM suggests using categories to avoid overlooking any risks, such as “strategic”, “project”, “financial” and “operational”. You could phone or meet with people individually, you could convene a workshop-type meeting to do this, or you could run an online survey – there are numerous websites that let you do so for free.

Once you have your shortlist of the biggest and most worrying risks you face, you need to think about each one methodically. Work out what the most likely consequences are of the risk occurring, and what bits of your business they will most likely affect. For example, if the government raises property taxes, what effect will that have in your area? How much of your business is dependent on this type of activity? By how much will that activity have to decline to make you rethink your cost base? Also, identify the risks that you do not understand well enough, and feel that you need to take advice on, or learn more about.

The easiest way to evaluate risks is to score them. Business advisory firm Gartner suggests three categories. First, score the potential impact of the risk – will it cost less than 5% of annual revenue or could it cost far more? Will it harm your reputation? And will it stop you from operating the business, or part of the business? Second, how likely is the risk to occur? Third, have you got controls in place to mitigate the effects? This should get you a long way towards working out which risks are the most serious.

Finally, remember that an assessment never really ends. Paul Tacey, practice leader at Zurich Risk Engineering UK, says that risk assessments must “be living documents, embedded in the business”. You need to monitor the risks and reassess when needed. Get this right and everyone in the company will be much clearer about what risks you are willing to take to build your company into the one that matches your vision.