Part 1: Building Awareness & Risk Management Basics
All business owners need to think about multiple aspects of their business, such as cash flow, sales growth, human resources, etc. These aspects are critical to the business’s health. However, the most neglected aspect of any small- to mid-size business is Risk Management and Security. Most businesses do not consider risk to be a priority until a disaster occurs. Sometimes businesses get lucky and incur little to no losses when disaster strikes. However, that does not mean that risk and security issues do not exist. The probability of a loss (even a fatal one) does in fact exist; it is real. As a smart business owner, you need to be aware of the risks you are taking and manage those risks properly… which could end up saving your business someday.
The most basic concept in risk management is how much risk you want to retain and how much you should transfer to insurers. It is true that you can buy insurance for almost anything, yet insurance only makes sense in certain circumstances. Insurance can be expensive. Granted, it usually gets the job done, yet it is often not used in a cost-effective way. In other words, the probability of loss is not in line with the cost of insurance, and/or the risk can be significantly reduced by processes or controls put in place by the business.
In today’s environment, risk management is falling more on the shoulders of company CFOs. As technology advances, many of the risks posed are cyber risks, and more advanced software technology is allowing for careful calculations of probable losses, etc. CFOs can determine whether to use insurance or other risk management tactics in order to find the most cost-effective mitigation. In large part, a company’s risk management policies are a direct reflection of the business owner’s willingness to take on risk. Often a small business can do little to manage some of its key risks. However, that does not mean that it needs to ignore them or the potential ways to manage them. All too often, there are material risks to the business that are ignored, even though there are ways to mitigate such risks.
The business owner needs to decide which threats to the business are predictable and which threats are not. Examples of predictable risk might be bad debt expense and employee theft. Both are facts of life and happen often. These are risks that can be fairly predictable, even with limited data. Predictable risks allow for more creative management techniques in order to control them. Business owners need to remember that insurance is not always the answer. More and more, answering the question of how much risk to retain and how much to pay a third party to cover the risk starts from a very basic consideration of two components: 1) the company’s financial wherewithal to absorb uncertainty, and 2) its willingness to do so. These are called “risk tolerance” and “risk appetite”.
In larger companies, CFOs can analyze statistics and review probability calculations of the occurrence of disasters. With this data, they can pinpoint how much money to put behind various possibilities of losses. They can decide how much risk they are willing to absorb and manage themselves, or self-insure, and how much they will insure with a third party. Smaller companies often do not have such luxury. But too often, the answer to this is to do nothing! I cannot stress enough what a terrible business decision it is to just do nothing. You should carve out time with your CFO to review all of your company’s risks, both predictable and unpredictable, and map them out on a matrix. Show 1) the risk, 2) the potential negative effects of the risk should something bad happen, and 3) your strategy for managing the risk. Quite simply, build awareness and then decide how you will attack each risk. Again, the practice of doing nothing is certainly not a smart one. Most business owners pour their hearts and souls into their businesses, and the businesses are their #1 financial assets. Yet, they spend little to no time thinking about things that could destroy them! On the flip side, some business owners are throwing away money by insuring each and every risk they see. Neither of these is a sound business practice. Every risk is unique, and every risk has different mitigation solutions.
This article is written in two parts. The first part is an introduction to this topic in general. The second part is about the mistake most companies make by not assessing their risks. Not only are they doing nothing, they fail to even realize that the risk exists. The risk has to do with electronic information and data security. We are in the infancy of this problem, yet it is a big one. Business owners are being fined, sued, and run out of business because they simply neglected to address the technology age we live in and consider the value of information. Information is becoming increasingly valuable, and this trend will not slow down anytime soon. Yet, most business owners are left behind. Many will sadly be paying the price due to their ignorance (and will become examples for risk managers to teach others about the risks).
Part 2 of this article will focus on the information age and how risk management and data security practices are becoming a much more serious area that every business needs to deal with. It can no longer be ignored…