This week, ClearRisk presents a guest post by Thomas M. Bragg. Tom, who has specialized in business planning, strategy and business risk management for 20 years, writes a blog about practical risk management for small business.
More and more is being written about risk management for small and medium sized businesses (SMBs). In fact, if you do a little bit of research, you’ll probably find yourself soon overwhelmed with advice, methods, terminology and tools.
Getting started with any new process is tough. It’s hard to get out of the blocks. It’s scary. It seems overwhelming.
Don’t be overwhelmed. I’m here to tell you that establishing an effective risk management process for your business doesn’t have to be difficult.
Craig Rowe, CEO of ClearRisk recently wrote:
Risks faced by SMBs are manageable and the benefits are worthwhile. Even though traditional risk management may not suit the needs of SMBs, scaled solutions that can help SMBs identify, evaluate and manage their risks are available.
So what does a scaled risk management process look like for a small or medium sized business? How do we get out of the blocks? There are ten basic steps.
1. Establish management support and buy-in.
Before you can do anything, there has to be buy-in from the top. The company’s ownership and/or management have to be on board with creating the risk management process and providing resources necessary to execute that process. They will need to have a basic understanding of what risk management is, why it’s important and (especially!) why it’s in their best interest to implement a formalized risk management program. If top management doesn’t see the value in the exercise, stop here. Any work on additional steps will be a waste of time.
2. Learn about the process.
Now that you have the necessary sponsorship and resources, you need to do some research into the specifics. Although there are only three basic steps in risk management, there are many different techniques for accomplishing those steps. Investigate what methods are in use in your industry. Identify the best practices. Think about how your company’s specific culture will come into play for your process.
3. Identify helpful resources.
As you are doing the research in Step 2, start compiling a list of potential resources you can tap into. There are many websites and blogs that focus on risk management. You will also find professional advisors who can help you – consultants, bankers, investors, insurance brokers, directors, etc. This resource pool doesn’t necessarily need to be expensive. Many of the stakeholders in your business will be happy to help you if you ask.
4. Create a plan.
A plan will be critical to successful implementation. Plans provide a means for communication and accountability. They also help pull a team together if the plan is generated with input and agreement from the team members. Your plan should include details on schedule, budget, approach and resources to be used. The plan should also identify your company’s risk management ‘champion’. Don’t forget to include the steps Craig wrote about in his post here: Big Companies Get it, Why Don't SMBs?
5. Identify your risks and opportunities.
It’s time to take the first step in the risk management process itself – identify your risks and opportunities. Don’t worry about creating an exhaustive list. It’s more important to just get started. Hold a brainstorming meeting or a series of meetings. It will be helpful to focus your brainstorming sessions on specific categories – e.g. risks/opportunities to facilities, risks/opportunities to revenue, risks/opportunities to expenses, etc. Remember that identification is an ongoing process.
6. Evaluate your risks.
Risk evaluation can get complex. Start simple. Estimate a probability of occurrence to each risk and opportunity using three levels – high probability, medium probability and low probability. Next, estimate a potential impat of each risk using three levels – high impact, medium impact and low impact. When you are done, sort the list so the ‘high probability/high impact’ items are at the top, followed by the ‘high probability/medium impact’ items and so on. You can always incorporate more complex risk evaluation techniques later.
7. Plan for your risks.
Now that you have a ranked list of risks and opportunities, start putting plans together for the heavy hitters – the high probability/high impact items. Don’t worry about any others at this point. Get your risk mitigation and opportunity exploitation plans created for the first group. A ‘rifle’ approach – focusing on a few key items – will be much more effective than a ‘shotgun’ approach. You can come back to the risks and opportunities farther down the list later.
8. Take action on your plans.
The hard part is done. You’ve got the plans. Now all you have to do is execute them. Go forth and have some fun!
9. Check your progress against your plan.
Don’t forget to monitor your progress against your original plan from step 4. Check on how you did against schedule and budget. Evaluate if your actions were effective. Communicate your progress throughout the company. Leverage your early successes to build support for your continuing effort.
10. Repeat steps 5 through 10.
Risk management is an ongoing process. Review your risks on a regular basis to account for new risks and opportunities, changes in probabilities or impacts and adjustments to mitigation plans. Remember to communicate, communicate, communicate.
That’s it. Ten simple steps. Not too bad, right? Take that first step. Once you are started you will feel the momentum build and the once overwhelming project won’t seem so bad after all. You can do it.
What do you see as the biggest obstacles facing you in implementing a risk management process at your business? Leave a comment and let’s talk about it.
For more from Tom, check out his blog; Thomas M. Bragg on Business Risk Management.
For helpful tools, visit ClearRisk’s library of Risk Management Best Practices.