Identify risks to your business

The first step in preparing a risk management plan is to identify potential risks to your business. Understanding the scope of possible risks will help you develop realistic, cost-effective strategies for dealing with them.

It's important that you think broadly when considering types of risks for your business, rather than just looking at obvious concerns (e.g. fire, theft, market competition).

Assessing your business

Before you begin identifying risks, you need to assess your business. Think about your critical business activities, including your key services, resources and staff, and things that could affect them, such as power failures, natural disasters and illness. Assessing your business will help you work out which aspects you couldn't operate without.

Ways of identifying risk

Once you have a clear picture of your business, you can begin to identify the risks. Review your business plan and think about what you couldn't do without, and what type of incidents could impact on these areas. Ask yourself:

  • when, where, why and how are risks likely to happen in your business?
  • are the risks internal or external?
  • who might be involved or affected if an incident happens?
  • what threats are outside your control but will still have a major impact on your business?

The following are some useful techniques for identifying risks.

Ask 'what if?' questions

Thoroughly review your business plan and ask as many 'what if?' questions as you can. Ask yourself what if:

  • you lost power supply?
  • you had no access to the internet?
  • key documents were destroyed?
  • someone got injured at your business?
  • your premises were damaged or you were unable to access them?
  • one of your best staff members quit?
  • your suppliers went out of business?
  • the area your business is in suffered from a natural disaster?
  • the services you need, such as roads and communications, were closed?


Brainstorming with different people, such as your accountant, financial adviser, staff, suppliers and other interested parties, will help you get many different perspectives on risks to your business.

Analyse other events

Think about other events that have, or could have, affected your business. What were the outcomes of those events? Could they happen again? Think about what possible future events could affect your business. Analyse the scenarios that might lead to an event and what the outcome could be. This will help you identify risks that might be external to your business.

Assess your processes

Use flow charts, checklists and inspections to assess your work processes. Identify each step in your processes and think about the associated risks. Ask yourself what could prevent each step from happening and how that would affect the rest of the process.

Consider the worst case scenario

Thinking about the worst things that could happen to your business can help you deal with smaller risks. The worst case scenario could be the result of several risks happening at once. For example, someone running a restaurant could lose power, which could then cause the food to spoil. If the restaurant owner was unaware of the power outage or the chef decided to serve the food anyway, customers could get food poisoning and the restaurant could be liable and suffer from financial losses and negative publicity.

Once you've identified risks relating to your business, you'll need to analyse their likelihood and consequences and then come up with options for managing them.
