Guide to risk management

Every business is exposed to risk. Every business decision comes with associated risk, whether low, moderate, major, or significant, and most risks have financial or legal implications.

The more time you invest in risk management as a business strategy, the better you’ll be able to anticipate, analyse, and mitigate risk.

The risk management cycle

It’s important to understand that risk management is an ongoing cycle of identifying, recording, assessing, mitigating, and monitoring; not a ‘set and forget’ exercise. Even if a risk appears to have been eliminated, it’s important to continue monitoring it.

1. Identify

The first step is to identify the risk. Some will be obvious and easy to anticipate while others are harder to identify. The key is to analyse each department, speak to team members, consider external factors, and determine areas of potential risk. Department team leaders should support the CEO or general manager to report identified risks to the directors.

2. Record

Each identified risk should be recorded in a Risk Register with a detailed description, even if it seems to be an insignificant risk. The directors are responsible for ensuring that the Risk Register is updated regularly and recording the risks. Each directors’ meeting should have an agenda item for this task. Smaller businesses that don’t hold directors’ meetings must ensure sufficient time is regularly set aside for this task.

3. Assess

When recording in the Risk Register, you will evaluate the risk based on likelihood and consequence to give an overall assessment out of 25. The higher this assessment, the more significant the risk, and the more critical it is to manage. Some risks may be significant, but the likelihood may be remote, while others may be almost certain, but the consequence insignificant. Assessment allows you to prioritise the risks and focus on implementing mitigation strategies for the most critical risks.

4. Mitigate

The Risk Register will record strategies to mitigate each risk and allocate a person responsible. This plan needs to filter through the business to each department, clarifying actions team members need to take to mitigate the risk. Some of these will appear as key responsibilities in job descriptions and some may have Key Performance Indicators attached to minimise the risk. Processes should be put in place to address identified risks and implement mitigation strategies, with systems to monitor adherence to the process, and regular process reviews scheduled. Failure to adhere to or update processes may be a key risk to manage.

5. Monitor

The final step is ongoing risk monitoring. Firstly, monitoring the implementation of mitigation strategies and then regular monitoring to be able to respond quickly if the risk increases and needs to be reassessed.

Ongoing risk management

A key aspect of ongoing risk management is reporting. The directors will identify, assess, and prioritise risks, recording them in the Risk Register. They’ll determine the risk mitigation strategies and communicate these to leadership – that one person (probably the CEO or GM) who has overall responsibility for implementing the strategies defined by the directors. This leader will support the operational departments to mitigate risks and report regularly on progress and any newly identified risks.

Each department underneath Leadership also needs one overall leader who will glean potential risk indicators from team members’ weekly or monthly reports. It’s likely that team members may not recognise risks, but the leader will gain insight into common themes that may indicate a risk to manage. Department leaders will then report back to the GM/CEO, who will then report back to the directors, who can update the Risk Register and assess and prioritise the risks.

Ongoing support & accountability

No matter the size of your business, to successfully manage and mitigate risk, you need to establish the correct ’10 Hats’ structure. One person can lead more than one department, but each department must only have one leader. Remember, responsibility and doing are not the same. So, that one leader doesn’t have to do all the work; they’re responsible for managing the work. If you’re unclear on your ideal structure, we can help you develop this.

Risk management strategy and planning come from the top, so it’s essential that the directors set aside time regularly to review and assess risk indicators and identify mitigation strategies. Our adviser at KMT Partners can help you set a Governance Framework Plan, Annual Governance Work Schedule, and Board Meeting Agenda, to ensure each meeting addresses risk management.

If you find yourself struggling to identify and manage risk in your business, we can provide ongoing coaching to support you in implementing your risk management plan and hold you accountable for achieving your risk management goals.

About our adviser: Michael Fox is our Managing Director at KMT Partners. He has been dedicated to the success of his clients, devising comprehensive wealth strategies for both personal and business growth for over 30 years. With extensive expertise in business governance and family business succession, Michael specialises in empowering emerging businesses and family enterprises by fostering renewal, enhancing value and smooth transitions to the next generation. Please do not hesitate to reach out if you need assistance with your risk management.

This is general advice only and does not take into account your financial circumstances, needs and objectives. The article should not be relied upon as specific information or advice without obtaining appropriate professional advice after a detailed examination of your particular situation from a qualified KMT adviser.