Five steps to assess and mitigate business risks

This year will regularly expose African businesses to a vast array of risks, both internally and externally. And should the correct risk management policies not be in place, these risks could seriously impact a company’s cash flow, operations, reputation and ultimately the success of the business.

This is according to Annelie Smith, corporate executive at independent insurance and risk specialists, Risk Benefit Solutions (RBS). She says risks range across all components of a business, and don’t just include the obvious threats such as fire and perils, but also issues such as white collar crime, fraud, health and safety risks to name a few. She explains that these risks could change from year to year, and even month to month. Therefore businesses should regularly review how they choose to deal with and manage these risks.

“Risks can range from potential weather impacts, to aspects impacting business operations, such as fraud. For example, while the rain and hail in Johannesburg has always been a risk to some businesses, this is becoming more frequent and repair costs are increasing based on inflation and other factors. And this will have a direct impact on their insurance premiums and deductible levels,” notes Smith.

“More recently, the issue of the electricity and possible water shortages are also hindering business productivity and will have an impact on the availability of insurance covers for these risks.”

She adds that as part of risk management assessments, business need to calculate, evaluate and update their risk management plan regularly as this is essential for identifying new risks, as well as monitoring the effectiveness of risk treatment strategies.

“Risk and insurance policies provide cover for sudden and unforeseen losses, therefore as soon as something becomes foreseen, such as the expected increase in regular power outages, loss as a result of these risks may not be covered by the policy. This can have detrimental consequences for businesses and highlights the need for regular reviews.”

Smith provides advice around reviewing risk management policies in 2015:

1. Identify the risks

Uncover, recognise and assess the risks that might affect your business or its outcomes.

2. Analyse consequences

Once the risks are identified, businesses need to determine the likelihood and consequence of each risk. Businesses need to develop an understanding of the nature of the risk and its potential to affect project goals and objectives.

3. Evaluate/rank potential impact

Businesses then need to evaluate and rank the risk according to its potential impact, which should be determined by combining the possibility of likelihood and the consequence or effect it will have on the business. A decision then needs to be made about whether the risk is acceptable (meaning the business doesn’t view the risk to be high impact or detrimental to business), or whether it is serious enough to warrant treatment.

4. Risk treatment

When treating a specific risk, businesses should assess the highest ranked risks and create a plan to treat these risks to achieve acceptable risk levels. This can be done by creating risk mitigation strategies, preventive or contingency plans with the following risk treatments:

  • Avoidance – eliminate the risk or withdraw from the risk.
  • Reduction – optimise and mitigate the risk. For example, there are two types of risks: high and low. In the case of the manufacturing industry, a high risk would be if the critical part of the plant breaks down and it takes six months to repair, and a low risk would be if the non-critical plant is down for maintenance. Identifying the high risk potential scenario allows a business to manage this risk by implementing a plan to reduce this risk through keeping spare parts for the critical plant. This will reduce the potential downtime of the business as well as optimising the turn-around time to enable the business to continue production levels.
  • Sharing – transfer the threat by outsourcing the risk to a third party such as an insurance company to assist in the incident of loss as a result of the risk.
  • Retention – accept the risk and budget accordingly. For Example, the company should be able to afford to keep the risk on board as there are enough risk control measures in place to manage it and therefore an insurance policy isn’t required.

5. Monitor and review

All identified risks should be regularly monitored, tracked and reviewed by a team of employees, and implementation should be driven from executive and board level, to team leaders, managers and staff.

“A risk management policy protects a business as it ensures that a business knows how to deal with a specific risk promptly and correctly, protecting both the business operations, as well as the business’s reputation,” concludes Smith.