Identifying and managing business risk
Risk is a part of doing business. Find ways to minimise risks and impacts to ensure your business can safely run and grow.
What is business risk
Business risks are factors that threaten your ability to operate, leading to lost profits or business failure.
When identifying and managing risks, consider:
- the possible causes and impacts
- how these risks affect your business objectives
- how they could be recorded in a risk management plan
- steps you could take to minimise the risk or the impact.
By considering potential risks and impacts in advance, you can develop procedures without the added pressure of trying to manage the risk at the time.
Understanding business risk
Types of risks include:
- direct risk—a threat to your business that is within your control
- indirect risk—a threat to your business that is out of your control
- internal risk—risks you have the power to prevent or mitigate within your business
- external risk—risks you have no control over.
Risks, potential business impacts and resources
Type of risk
- External
- Direct
- Indirect
Potential impact on business objectives
- Unable to trade
- Premises closed
- Cost of time for cleaning up and rebuilding
- Customers cannot get through
- Suppliers cannot provide stock
Resources to assist
- Natural disaster preparation for small businesses
- Business insurance
- Understand your risk – advice from the Queensland Reconstruction Authority
Type of risk
- External
- Direct
Potential impact on business objectives
- Staff unable to work
- Cleaning and restocking time and costs
- Customer behaviour changes
- Loss of livestock
Resources to assist
Type of risk
- External
- Direct
- Indirect
Potential impact on business objectives
- Cannot get or send stock through normal import/export channels
- Need to change suppliers or find other markets
Resources to assist
- Market profiles from Trade and Investment Queensland
Type of risk
- External
- Direct
- Indirect
Potential impact on business objectives
- New policies and procedures to implement
- Changes in trading
- Changes in taxation and financial obligations
- Changes in environmental allowances (e.g. water allocations, waste management)
Resources to assist
Type of risk
- Internal
- Direct
Potential impact on business objectives
- Hazards and injuries to staff
- Failure to provide a safe workplace
Resources to assist
Type of risk
- Internal
- Direct
- Indirect
Potential impact on business objectives
- Climate change
- Chemical spills and failing to protect the environment
- Consumer trends towards desiring sustainability
Resources to assist
- Environment and business
- Adapting to climate change
- Climate change risk management tool for small businesses (PDF, 10.2MB)
- Queensland businesses taking climate action – videos of businesses across Queensland making a difference by acting on climate change
Type of risk
- External
- Direct
Potential impact on business objectives
- Electrical, gas, and water disruption to the business premises
- Access to business premises disrupted including parking, deliveries, and pedestrian traffic
Resources to assist
- Read information about how to reduce business disruption from major infrastructure work.
Type of risk
- Internal
- Direct
Potential impact on business objectives
- Older technology and software failures
- Software does not meet new regulations
- Cyber security compromised causing disruptions and loss of data or intellectual property
- Failure in maintaining privacy of customer data
Resources to assist
Type of risk
- Internal
- Direct
Potential impact on business objectives
- Contractual problems
- Failing to meet legislation, regulations, or obtaining licences and permits
- Disputes
Resources to assist
- Meeting your legal obligations
- Australian Business Licence and Information Service (ABLIS)
- Resolving business disputes
- Assistance for small businesses from the Queensland Small Business Commissioner
Type of risk
- External
- Internal
- Direct
Potential impact on business objectives
- Robbery
- Shoplifting
- Fraud causing loss of equipment
- Stock and cash flow
- Vandalism causing cost of time to replace and repair
Resources to assist
Type of risk
- Internal
- Direct
Potential impact on business objectives
- Negative media coverage
- Social media rumours
- Staff leave the business
Resources to assist
Type of risk
- Internal
- Direct
Potential impact on business objectives
- Difficulty in finding new staff
- Bullying and harassment
- Staff not well trained leading to mistakes and poor customer service
Resources to assist
- Managing conflict in the workplace
- Staff training, development and mentoring
- Help to hire staff from Workforce Australia.
Type of risk
- External
- Internal
- Direct
- Indirect
Potential impact on business objectives
- A reduction in consumer spending
- Changing market leading to reduced income
- Increasing expense costs, e.g. fuel, transport, energy
- Suppliers may be affected
Resources to assist
Analysing risk impact
It can be overwhelming to consider all possible risks a business faces. Assessing the impact of each can help prioritise where to invest your time and energy.
Completing this exercise will help you focus on risks with the highest scores and therefore the greatest potential to impact your business.
Risks come in different forms. Some will have a big impact and others a moderate impact. You can work out which to focus on by using a 'level of risk' scale.
This scale combines the likelihood of the risk occurring with the impact if the event does occur to give a level of risk score. The higher the score, the higher the priority to reduce the risk or impact.
Likelihood × Impact = Level of risk
Likelihood scale
Level | Likelihood | Description |
---|---|---|
4 | Very high | Happens more than once a year |
3 | High | Happens about once a year |
2 | Medium | Happens every 10 years or more |
1 | Low | Has only happened once |
Impact scale
Level | Impact | Description |
---|---|---|
4 | Very high | Impact likely to cause business to stop trading or experience significant financial losses |
3 | High | Major impact on your business with large financial loss |
2 | Moderate | Moderate impact on your business with some financial loss |
1 | Low | Insignificant impact on your business with minimal financial loss |
Level of risk (Likelihood × Impact)
Risk Rating | Description | Action |
---|---|---|
12–16 | Severe | Needs immediate preventative or corrective action |
8–12 | High | Needs preventative or corrective action within 1 month |
4–8 | Moderate | Needs preventative or corrective action within 3 months |
1–4 | Low | Does not currently require preventative or corrective action |
Developing and using risk analysis methods can help to assess the levels of risk within the business and where to focus.
Case study
A business in its 5th year of operation is using a computer to access and record high volumes of sales in a customer database.
Due to rapid growth over the past 2 years, the computer has not been updated in some time, the installed software packages have not been changed, and passwords for online accounts have not been changed. Staff are reporting odd phone calls from 'IT officers' seeking account information to prevent 'emergency situations'.
There is some risk this business could be the target of hackers who are interested in customer data, information about sales and other information collected by the business.
The impact of getting hacked is losing sensitive customer data, jeopardising the business's reputation and, depending on the nature of the hack, potentially compromising the business's banking information.
The current situation is sitting on the scale as a:
- Likelihood: High (level 3)
- Impact: Very High (level 4)
- Level of risk: Likelihood 3 × Impact 4 = 12 Severe
This presents as a severe risk.
Reducing this risk level immediately is recommended.
Action item
Use this section to help you complete a risk level assessment.
Record this in your business continuity plan template—risk management plan section and business impact analysis section.
Treating risks to your business
Once you have completed the analysis and identified the areas of concern, the next step is to consider how to reduce the level on the scale.
You can treat risks by assessing the factors attached to the risk and identifying areas for improvement.
In the case study above, the level of risk can be reduced by updating software, changing passwords and reminding staff to be very careful with business information and to decline requests to provide information over the phone.
While these actions might not remove the risk, they can reduce a highly likely, very high impact situation to a medium likelihood, moderate impact situation.
Often, high-risk situations can be reduced to medium or low risk with some careful planning and action.
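The scoring used in the case study and its treatment, as an added example that is not part of the original page. The rating bands in the table share their boundary values (4, 8 and 12); this sketch assumes a boundary score takes the higher rating, which is how the case study rates 12 as Severe. Function names and the sample register are hypothetical.

```python
# Added example: Likelihood x Impact scoring with the page's scales.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3, "very high": 4}
IMPACT = {"low": 1, "moderate": 2, "high": 3, "very high": 4}

# Lower bound of each band, highest first. The page's bands overlap at
# 4, 8 and 12. Assumption: a boundary score gets the higher rating,
# consistent with the case study (3 x 4 = 12 is rated Severe).
BANDS = [
    (12, "Severe", "Needs immediate preventative or corrective action"),
    (8, "High", "Needs preventative or corrective action within 1 month"),
    (4, "Moderate", "Needs preventative or corrective action within 3 months"),
    (1, "Low", "Does not currently require preventative or corrective action"),
]


def level_of_risk(likelihood, impact):
    """Multiply the two scale levels; reject labels not on the scales."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown scale label: {exc.args[0]!r}") from None


def rate(score):
    """Map a score (1-16) to its (rating, action) pair."""
    if not 1 <= score <= 16:
        raise ValueError(f"score out of range: {score}")
    for floor, rating, action in BANDS:
        if score >= floor:
            return rating, action


def prioritise(register):
    """Score every (name, likelihood, impact) entry, highest score first."""
    scored = []
    for name, likelihood, impact in register:
        score = level_of_risk(likelihood, impact)
        rating, action = rate(score)
        scored.append({"risk": name, "score": score,
                       "rating": rating, "action": action})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


# Constructed register: the case study before and after treatment,
# plus one entry whose ratings are made up for illustration.
REGISTER = [
    ("Customer data compromise (treated)", "medium", "moderate"),
    ("Customer data compromise (untreated)", "high", "very high"),
    ("Vandalism", "low", "moderate"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r['score']:>2}  {r['rating']:<8}  {r['risk']}: {r['action']}")
```

Under the boundary assumption, the treated case study (2 × 2 = 4) sits in the Moderate band rather than Low, so it still carries a 3-month action window.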
Ask yourself
- What is one high risk in your business right now?
- How likely is it?
- What would you rate the impact of this risk occurring?
- How could you reduce the likelihood or the impact for this high-level risk?
Creating a risk management plan and business impact analysis
Once you have identified risks to your own business, manage them by developing a risk management plan to assist with:
- avoiding the impact
- eliminating the impact, and/or
- reducing the impact.
A risk management plan identifies risk. Business impact analysis considers strategies to manage risks.
Your business continuity plan is key to recording risks to the business and coming up with plans to manage them.
Download the business continuity plan template
This template includes a:
- risk management plan section
- business impact analysis section
Download the business continuity planning template.
Use this page (and other resources provided) to complete the risk management plan and business impact sections of the template.
To prepare:
- identify significant risks to your business
- analyse the potential impact of each risk
- create strategies to treat and reduce the risks
- create or review and update your risk management plan and business impact analysis.
The business continuity plan is a good point of reference to record this information and to refer to in the event of an emergency.
Find out more about writing a business continuity plan.
Reviewing and updating your risk management plan and business impact analysis
Risk management plans and business impact analysis are part of your business continuity plan.
As time goes by, and as the business changes, updating these sections of your business continuity plan will help you consider new risks, downgrade treated risks and highlight areas for improvement.
Conducting tests or trials to see what would happen if risks eventuated can help with this process. A good example of this is an emergency evacuation drill.
By conducting an evacuation drill, you will be able to determine:
- how the business performed
- whether the processes and systems worked effectively
- what areas need to be reviewed or improved.
Upon review, update your risk management plan with revised procedures and communicate these changes to your staff.
By planning for challenges, your business is better prepared to meet them.
Also consider...
- Find out about managing risk with business insurance.
- Read about writing a business continuity plan.
- Explore managing risks when starting up.
- Find out about IT risk management.
- View our Cyber security for small business webinar for information, tips and resources on protecting yourself and your business from cyber security threats.