13.7 Mitigating and Managing Risks

LEARNING OBJECTIVES

By the end of this section, you will be able to:

  • Explain Enterprise Risk Management and how a company uses it
  • Describe litigation and financial risks
  • Describe common insurance needs

Risk management is key to operating any business in a profitable fashion. There are many risks facing an entrepreneur when starting and operating a new business venture. The trick is to eliminate risks that will hurt the venture, while taking on risks that will provide for long-term profitability. The risks facing the entrepreneur need to be initially identified as part of developing a business plan and revisited regularly in ongoing operations. Preparation for adverse events affecting a new business venture is necessary, but being too pessimistic or allowing fear of adverse events to stop an entrepreneur from taking any risk will keep a business venture from achieving its greatest potential and profit.

It is important that an entrepreneur develop an understanding of the risks of the business environment. The risks include liability risks stemming from contracts and torts, sometimes referred to as operating risks, regulatory compliance risks, financial risks, and strategic risks, including taxation. Understanding how the business structure is used to operate the business venture allows the entrepreneur to develop a plan to manage business growth and understand business risk.

Enterprise Risk Management

Profitable ventures develop a strong enterprise risk management program, which is an integrated, cross-disciplinary approach to monitoring risk. An organization needs to look at both long-term and short-term risks at all levels of the organization, and these risks need to be evaluated from all stakeholders’ perspectives and developed into an entity-wide program.

Enterprise risk management attempts to address the specific risks discussed in the preceding section by implementing a risk program that enables a business to identify and manage risk. Specifically, a business will go through a multistage process of risk identification, risk assessment, and risk abatement. Examples of risks that businesses face include those from natural causes, economic causes, and human causes.

Natural causes of risk include disasters such as hurricanes and flooding, as well as earthquakes or other catastrophes that result in loss of life and property, as well as business interruption. For example, a business in New Orleans could be flooded by a hurricane. This results in damage to facilities and products, and threatens the lives of workers. In order to counter such causes, businesses need to plan ahead for business continuity, take out comprehensive insurance coverage, and have an evacuation/shut-down plan in place.

Economic causes of risk include global events leading to rising prices of raw materials, currency fluctuation, high interest rates, and, of course, competition from other companies in the same industry. An example of this would be unpredictable trade wars with China, leading to tariffs.

Human causes of risk refer to actions by employees, contractors, and those persons over which a company has control. These events can include torts stemming from negligence at work, labor strikes, shortages of qualified trained workers, and corporate mismanagement. An example of this type of risk would include embezzlement of money by an internal financial executive.

The use of a comprehensive approach allows a business entity to review and combine all risks into a functional perspective that allows the entrepreneur to evaluate risks and integrate new risks as different opportunities become more important to the business venture. Businesses sometimes use a risk matrix to assess or characterize the probability and impact of risk (Figure 13.11). The use of such a tool can help a business quantify risk and decide whether to undertake an activity based on its level of risk.

A risk matrix showing impact of a risk from low to high (left to right) and probability of risk from low to high (bottom to top). The matrix has nine blocks: a low impact and low probability results in a low risk; a low impact and moderate probability results in a low risk; a low impact and high probability results in a moderate risk; a moderate impact and low probability results in a low risk; a moderate impact and moderate probability results in a moderate risk; a moderate impact and high probability results in a high risk; a high impact and low probability results in a moderate risk; a high impact and moderate probability results in a high risk; and a high impact and high probability results in a high risk.
Figure 13.11 A risk matrix can be a useful tool to assess the likelihood and severity of risk that a venture may have. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Risk appetite is important for a business venture to consider, both when creating its business structure and during ongoing operations. Table 13.1 shows an overview of the considerations a business venture should entertain in both its creation and operation.

Risk Appetite [25]
Risk Item | Consideration
Existing risk profile | Current level and distribution of risks across the business and across risk categories
Risk capacity | Amount of risk the business can support while pursuing its objectives
Risk tolerance | Amount of variation the business can tolerate while pursuing its objectives
Risk attitude | Management’s attitudes toward growth, risk, and return
Table 13.1 COSO’s Enterprise Risk Management, Understanding and Communicating Risk Appetite outlines these considerations for assessing a business’s appetite for risk.

This is the basic approach to evaluating a new venture’s appetite for risk. Determining and understanding the risks facing a new venture should start during the preparation of the business venture’s written business plan and should continue through the operations of the venture.

Financial Risk and Protection

An entrepreneur needs money to launch a business, whether that comes in the form of loans from family, their own savings, or investors. The founder will be expected to put their own money at risk, whether in the form of a loan to their own business or equity in their own business. If they do not have any “skin in the game,” then others will not be interested in loaning them money. This means that if the business fails, it will have repercussions for the owner, even if they operate as a corporation or LLC. This is the essence of financial risk: starting a new business with insufficient funds to sustain operations over an extended period of time.

Any new business owner needs to have a sound financial strategy as a part of the overall business plan. This should show income projections, the liquid assets that will be required to break even, and the expected return on investment for all investors in the first five-to-ten-year timeframe. Failure to accurately plan could mean that the entrepreneur risks business closure and bankruptcy, and investors get nothing.

Insurance Protection

Risk management and protection are enhanced with the purchase of different types of insurance, which involves spreading risk over a large number of people (policyholders). If a company is a corporation, it may need directors’ and officers’ liability insurance to indemnify the directors and officers if they get sued. Another policy many companies carry is errors and omissions insurance, which protects employees in negligence claims and cases of employee theft. Other types of insurance policies that most businesses carry include automobile insurance, health insurance, property insurance, and cyber/data breach insurance. Insurance coverage for a business venture needs to be specific to the business structure and its operations. Keep in mind that not all risks can be insured against—for example, a bad economy that leads to a loss of business or a bad decision by the owner to enter a market that does not work out.

Information Technology/Cybersecurity for Small Businesses

According to the SBA, the risks related to hacking, ransomware, and customer privacy are as significant for most small businesses as for larger ones. The SBA has set guidelines related to cybersecurity for entrepreneurs. The SBA recommends the ten-step action plan shown in Table 13.2.

Small Business Administration Recommendations for Cybersecurity [26]
Step | Action
1 | Protect against viruses, spyware, and other malicious code
2 | Secure your networks
3 | Establish security practices and policies to protect sensitive information
4 | Educate employees about cyber threats and hold them accountable
5 | Require employees to use strong passwords and change them often
6 | Employ best practices on payment cards
7 | Make backup copies of important business data and information
8 | Control physical access to computers and network components
9 | Create a mobile device action plan
10 | Protect all pages on your public-facing websites and apps, not just the checkout and sign-up pages
Table 13.2

The Federal Communications Commission joins the SBA in the preceding recommendations. For more information, see the following website: https://www.fcc.gov/general/cybersecurity-small-business.

WHAT CAN YOU DO?

Managing Payment Data

If you operate a small business, are you prepared to deal with hackers who break into your website and steal credit card data from consumers who bought your products online? Small businesses running an e-commerce site must comply with the Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/). This is a regulation that could create severe legal risk for you as an entrepreneur if your system is compromised and credit card data are stolen. Consumers rightfully expect and demand a safe online experience when they visit your site. Have you paid an expert to evaluate your system and install the best security system? It may be costly, but perhaps not as expensive as the damages you could be ordered to pay by a court if credit card data are hacked.

Footnotes

  • [25] Rittenberg, Larry and Frank Martens. “Committee of Sponsoring Organizations of the Treadway Commission (COSO)”. Enterprise Risk Management, Understanding and Communicating Risk Appetite. January 2012. https://www.coso.org/Documents/ERM-Understanding-and-Communicating-Risk-Appetite.pdf
  • [26] Rebecca Martin. “Protecting Assets from Cyber Threats.” News Tribune. November 7, 2016. https://www.newstribune.com/news/business/story/2016/nov/08/protecting-assets-cyber-threats/647637/