Identifying and managing business risk

Risk is a part of doing business. Finding ways to minimise risk, or lessen its impact if realised, ensures business continuity.

What is business risk?

Business risks are factors that threaten your business's ability to operate, leading it to lose profits, or fail.

When identifying and managing risks, consider:

  • the possible causes and impacts
  • how these risks affect your business objectives
  • how they could be recorded in a risk management plan
  • steps you could take to minimise the risk or the impact.

By considering potential risks and impacts well in advance, procedures can be developed without the added pressure of trying to manage the risk in the moment.

Understanding business risk

Understanding potential risks and their impact is achieved through analysis and planning.

Types of risk include:

  • direct risk—a threat to the business that is within your control
  • indirect risk—a threat to the business that is out of your control
  • internal risk—risks you have the power to prevent or mitigate within the business
  • external risk—risks you have no control over.

Risks, potential business impacts and resources

Type of risk

  • external
  • direct
  • indirect

Potential impact on business objectives

  • unable to trade
  • premises closed
  • cost of time for cleaning up and rebuilding
  • customers cannot get through
  • suppliers cannot provide stock

Resources to assist

Type of risk

  • external
  • direct

Potential impact on business objectives

  • staff unable to work
  • cleaning and restocking time and costs
  • customer behaviour changes
  • loss of livestock

Resources to assist

Type of risk

  • external
  • direct
  • indirect

Potential impact on business objectives

  • cannot get or send stock through normal import/export channels
  • need to change suppliers or find other markets

Resources to assist

Type of risk

  • external
  • direct
  • indirect

Potential impact on business objectives

  • new policies and procedures to implement
  • changes in trading
  • changes in taxation and financial obligations
  • changes in environmental allowances (e.g. water allocations, waste management)

Resources to assist

Type of risk

  • internal
  • direct

Potential impact on business objectives

  • hazards and injuries to staff
  • failure to provide a safe workplace

Resources to assist

Type of risk

  • internal
  • direct
  • indirect

Potential impact on business objectives

  • climate change
  • chemical spills and failing to protect the environment
  • consumer trends towards desiring sustainability

Resources to assist

Type of risk

  • external
  • direct

Potential impact on business objectives

  • electrical, gas, and water disruption to the business premises
  • access to business premises disrupted including parking, deliveries, and pedestrian traffic

Resources to assist

  • Works with small business — guidelines for agencies to proactively engage with small businesses when undertaking capital works projects.

Type of risk

  • internal
  • direct

Potential impact on business objectives

  • older technology and software failures
  • software does not meet new regulations
  • cyber security compromised causing disruptions and loss of data or intellectual property
  • failure in maintaining privacy of customer data

Resources to assist

Type of risk

  • internal
  • direct

Potential impact on business objectives

  • contractual problems
  • failing to meet legislation, regulations, or obtaining licences and permits
  • disputes

Resources to assist

Type of risk

  • external
  • internal
  • direct

Potential impact on business objectives

  • robbery
  • shoplifting
  • fraud causing loss of equipment
  • stock and cash flow
  • vandalism causing cost of time to replace and repair

Resources to assist

Type of risk

  • internal
  • direct

Potential impact on business objectives

  • negative media coverage
  • social media rumours
  • staff leave the business

Resources to assist

Type of risk

  • internal
  • direct

Potential impact on business objectives

  • difficulty in finding new staff
  • bullying and harassment
  • staff not well trained leading to mistakes and poor customer service.

Resources to assist

Type of risk

  • external
  • internal
  • direct
  • indirect

Potential impact on business objectives

  • a reduction in consumer spending
  • changing market leading to reduced income
  • increasing expense costs, e.g. fuel, transport, energy
  • suppliers may be affected.

Resources to assist

Analysing risk impact

It can be overwhelming to consider all possible risks a business faces. Assessing the impact of each can help prioritise where to invest your time and energy.

Completing this exercise will help you focus on risks with the highest scores and therefore the greatest potential to impact your business.

Risks come in different forms. Some will have a big impact and others a moderate impact. You can work out which to focus on by looking at a 'level of risk' scale.

This scale combines the likelihood of the risk occurring with the impact if the event does occur to determine a level of risk score. The higher the score, the higher the priority to reduce the risk or impact.

Likelihood × Impact = Level of risk

Likelihood scale

| Level | Likelihood | Description |
|---|---|---|
| 4 | Very high | Happens more than once a year |
| 3 | High | Happens about once a year |
| 2 | Medium | Happens every 10 years or more |
| 1 | Low | Has only happened once |

Impact scale

| Level | Impact | Description |
|---|---|---|
| 4 | Very high | Impact likely to cause business to stop trading or experience significant financial losses |
| 3 | High | Major impact on your business with large financial loss |
| 2 | Moderate | Moderate impact on your business with some financial loss |
| 1 | Low | Insignificant impact on your business with minimal financial loss |

Level of risk (Likelihood x Impact)

| Risk rating | Description | Action |
|---|---|---|
| 12–16 | Severe | Needs immediate preventative or corrective action |
| 8–12 | High | Needs preventative or corrective action within 1 month |
| 4–8 | Moderate | Needs preventative or corrective action within 3 months |
| 1–4 | Low | Does not currently require preventative or corrective action |

Developing and using risk analysis methods can help to assess the levels of risk within the business and where to focus.

Case study

A business in its 5th year of operation is using a computer to access and record high volumes of sales in a customer database.

Due to rapid growth over the past 2 years, the computer has not been updated in some time, changes to installed software packages have not taken place, and passwords for online accounts have not been changed. Staff are reporting odd phone calls from 'IT officers' seeking account information to prevent 'emergency situations'.

There is some risk this business could be the target of hackers who are interested in customer data, information about sales and other information collected by the business.

The impact of getting hacked is losing sensitive customer data, jeopardising the business's reputation and, depending on the nature of the hack, potentially compromising the business's banking information.

The current situation is sitting on the scale as a:

  • Likelihood: High (level 3)
  • Impact: Very High (level 4)
  • Level of risk: Likelihood 3 x Impact 4 = 12 Severe

This presents as a severe risk.

Reducing this risk level immediately is recommended.

Action item

Use this section to help you complete a risk level assessment.

Record this in your business continuity plan template—risk management plan section and business impact analysis section.

Treating risks to your business

Once you have completed the analysis and identified the areas of concern, the next step is to consider how to reduce the level on the scale.

You can treat risks by assessing the factors attached to the risk and identifying areas for improvement.

In the case study above, the level of risk can be reduced by updating software, changing passwords and reminding staff to be very careful with business information and decline requests to provide information over the phone.

While these actions might not remove the risk, they can reduce a highly likely, very high impact situation to a medium likelihood, moderate impact situation.

Often, high-risk situations can be reduced to medium or low risk with some careful planning and action.

Ask yourself

  • What is one high risk in your business right now?
  • How likely is it?
  • What would you rate the impact of this risk occurring?
  • How could you reduce the likelihood or the impact for this high-level risk?

Creating a risk management plan and business impact analysis

Once you have identified risks to your own business, manage them by developing a risk management plan to assist with:

  • avoiding the impact
  • eliminating the impact, and/or
  • reducing the impact.

A risk management plan identifies risk. Business impact analysis considers strategies to manage risks.

Your business continuity plan is key to recording risks to the business and coming up with plans to manage them.

Download the business continuity plan template

This template includes a:

  • risk management plan section
  • business impact analysis section

Download the business continuity planning template.

Use this page (and other resources provided) to complete the risk management plan and business impact sections of the template.

To prepare:

  • identify significant risks to your business
  • analyse the potential impact of each risk
  • create strategies to treat and reduce the risks
  • create or review and update your risk management plan and business impact analysis.

The business continuity plan is a good point of reference to record this information and to refer to in the event of an emergency.

Find out more about writing a business continuity plan.

Reviewing and updating your risk management plan and business impact analysis

Risk management plans and business impact analysis are part of your business continuity plan.

As time goes by, and as the business changes, updating these sections of your business continuity plan will help you consider new risks, downgrade treated risks and highlight areas for improvement.

Conducting tests or trials to see what would happen if risks eventuated can help with this process. A good example is an emergency evacuation drill.

By conducting an evacuation drill, you will be able to determine:

  • how the business performed
  • whether the processes and systems worked effectively
  • what areas need to be reviewed or improved.

Upon review, update your risk management plan with revised procedures and communicate these changes to your staff.

By planning for challenges, your business is better prepared to meet them.
