Assess and manage risk

Before you create a risk management plan, think about which areas of your business it will refer to. For example, you might only be interested in hazard-based risks. Some of the internal and external things to think about when creating your plan are:

• social, cultural, political and regional issues
• economic, technology and competitive trends
• government policies and law
• your business aims, policies and strategies.

Your risk management plan will be more specific and useful if you ask for feedback from the people, businesses or organisations you deal with.

Stakeholders can include:

• employees, contractors and sub-contractors
• clients, customers and suppliers
• business financiers, investors and insurers
• your local communities and local media
• government agencies.

Consulting with stakeholders will help you to:

• work out what your business considers as high and low risk
• get support for your risk management plan
• bring together different views and areas of expertise
• keep your risk framework up to date
• respond to unexpected risks.

Working out the risks to your business could be as easy as thinking about what could go wrong, and how and why it could happen. You might also need to do some research into:

• past events and risks
• possible future changes to your business environment, such as changes in economic trends
• social and community issues that could affect your business
• find out how to conduct market research.

To identify risks, you can also:

• look at hazard logs, incident reports, customer feedback and complaints, and survey reports
• review audit reports such as financial audit reports or workplace safety reports
• do a strength, weaknesses, opportunities and threats (SWOT) check for your business
• discuss business issues with your staff, customers, suppliers and advisers.

After identifying the risks to your business, it’s time to work out which ones are urgent. Our risk analysis template helps you to do this.

To analyse the risks of an event, you should first look at the:

• likelihood of the risk happening
• consequence/damage if the risk happened.

Work out a rating system for likelihood and consequence. For example, you could have ratings of:

• 1 to 4 for likelihood (1 for highly unlikely and 4 for highly likely)
• 1 to 4 for consequence (1 for low and 4 for severe).

Use these ratings to work out the risk level.

Risk criteria set a standard to assess risks to your business. To set your risk criteria, state the level and nature of risks that are acceptable or unacceptable in your workplace. Our risk assessment template provides an example of a risk level guide to help you evaluate risks.

To evaluate risk, compare the level of risk for various events against your risk criteria. You should also check if your existing risk management methods are enough to accept the risk.

When to accept risk

Your strategy for managing risk may be more than just deciding whether to accept the risk or not. If your business is part of a bigger supply chain that involves retailers, distributors or primary producers, you can spread the risk across a number of areas.

Sometimes businesses choose to accept risks and not spend any resources on avoiding them. You might decide to accept a level of risk for the following reasons:

• The cost of treatment is much higher than the potential results of the risk.
• The risk level works out to be very low.
• The benefits of taking the risk greatly outweighs the possible damage.

Your evaluation will have helped you to identify any risks that need to be treated. Develop a plan to treat risks, so you can:

• identify each risk type and the level of risk to your business
• suggest strategies to treat each risk
• create timeframes for each strategy
• decide who's responsible for specific parts of the plan
• work out resources required such as money, staff and external help
• schedule future action such as regular checking and updating of risks, if needed.

Committing to quality risk management can help you create a stable business that prepares for unexpected events.

As a business owner, it's a good idea to:

• make sure your business aims link to your risk management plan
• clearly describe your risk management plan to everyone in your business
• show support for risk management
• set up a way of measuring the success of your risk management plan
• regularly check that your way of measuring is giving you useful information
• make it clear who's responsible for what
• provide enough resources at all levels of your business
• ask for feedback from everyone in your business, including customers and suppliers
• use feedback to update your plan
• explain risk management to new employees and in training programs.