
Part I

The Main Types of Business Risk


by Andrew Blackman 8 Dec 2014
Businesses face all kinds of risks, some of which can cause serious loss of profits or
even bankruptcy. But while all large companies have extensive "risk management"
departments, smaller businesses tend not to look at the issue in such a systematic way.

So in this four-part series of tutorials, you’ll learn the basics of risk management and
how you can apply them in your business.

In this first tutorial, we’ll look at the main types of risk your business may face.
You’ll get a rundown of strategic risk, compliance risk, operational risk, financial risk,
and reputational risk, so that you understand what they mean, and how they could
affect your business. Then we’ll get into the specifics of identifying and dealing with
these risks in later tutorials in the series.

1. Strategic Risk
Everyone knows that a successful business needs a comprehensive, well-thought-out
business plan. But it’s also a fact of life that things change, and your best-laid plans
can sometimes come to look very outdated, very quickly.

This is strategic risk. It’s the risk that your company’s strategy becomes less effective
and your company struggles to reach its goals as a result. It could be due to
technological changes, a powerful new competitor entering the market, shifts in
customer demand, spikes in the costs of raw materials, or any number of other
large-scale changes.

History is littered with examples of companies that faced strategic risk. Some
managed to adapt successfully; others didn’t.

A classic example is Kodak, which had such a dominant position in the film
photography market that when one of its own engineers invented a digital camera in
1975, it saw the innovation as a threat to its core business model, and failed to develop
it.

It’s easy to say with hindsight, of course, but if Kodak had analyzed the strategic risk
more carefully, it would have concluded that someone else would start producing
digital cameras eventually, so it was better for Kodak to cannibalize its own business
than for another company to do it.

Failure to adapt to a strategic risk led to bankruptcy for Kodak. It’s now emerged from
bankruptcy as a much smaller company focusing on corporate imaging solutions, but
if it had made that shift sooner, it could have preserved its dominance.

Facing a strategic risk doesn’t have to be disastrous, however. Think of Xerox, which
became synonymous with a single, hugely successful product, the Xerox photocopier.
The development of laser printing was a strategic risk to Xerox’s position, but unlike
Kodak, it was able to adapt to the new technology and change its business model.
Laser printing became a multi-billion-dollar business line for Xerox, and the company
survived the strategic risk.

2. Compliance Risk
Are you complying with all the necessary laws and regulations that apply to your
business?

Of course you are (I hope!). But laws change all the time, and there’s always a risk
that you’ll face additional regulations in the future. And as your own business
expands, you might find yourself needing to comply with new rules that didn’t apply
to you before.

For example, let’s say you run an organic farm in California, and sell your products in
grocery stores across the U.S. Things are going so well that you decide to expand to
Europe and begin selling there.

That’s great, but you’re also incurring significant compliance risk. European countries
have their own food safety rules, labeling rules, and a whole lot more. And if you set
up a European subsidiary to handle it all, you’ll need to comply with local accounting
and tax rules. Meeting all those extra regulatory requirements could end up being a
significant cost for your business.

Even if your business doesn’t expand geographically, you can still incur new
compliance risk just by expanding your product line. Let’s say your California farm
starts producing wine in addition to food. Selling alcohol opens you up to a whole raft
of new, potentially costly regulations.

And finally, even if your business remains unchanged, you could get hit with new
rules at any time. Perhaps a new data protection rule requires you to beef up your
website’s security, for example. Or employee safety regulations mean you need to
invest in new, safer equipment in your factory. Or perhaps you’ve unwittingly been
breaking a rule, and have to pay a fine. All of these things involve costs, and present a
compliance risk to your business.

In extreme cases, a compliance risk can also affect your business’s future, becoming a
strategic risk too. Think of tobacco companies facing new advertising restrictions, for
example, or the late-1990s online music-sharing services that were sued for copyright
infringement and were unable to stay in business. We’re breaking these risks into
different categories, but they often overlap.

3. Operational Risk
So far, we’ve been looking at risks stemming from external events. But your own
company is also a source of risk.

Operational risk refers to an unexpected failure in your company’s day-to-day
operations. It could be a technical failure, like a server outage, or it could be caused
by your people or processes.

In some cases, operational risk has more than one cause. For example, consider the
risk that one of your employees writes the wrong amount on a check, paying out
$100,000 instead of $10,000 from your account.

That’s a “people” failure, but also a “process” failure. It could have been prevented by
having a more secure payment process, for example having a second member of staff
authorize every major payment, or using an electronic system that would flag unusual
amounts for review.

In some cases, operational risk can also stem from events outside your control, such as
a natural disaster, or a power cut, or a problem with your website host. Anything that
interrupts your company’s core operations comes under the category of operational
risk.

While the events themselves can seem quite small compared with the large strategic
risks we talked about earlier, operational risks can still have a big impact on your
company. Not only is there the cost of fixing the problem, but operational issues can
also prevent customer orders from being delivered or make it impossible to contact
you, resulting in a loss of revenue and damage to your reputation.

4. Financial Risk
Most categories of risk have a financial impact, in terms of extra costs or lost revenue.
But the category of financial risk refers specifically to the money flowing in and out
of your business, and the possibility of a sudden financial loss.

For example, let’s say that a large proportion of your revenue comes from a single
large client, and you extend 60 days’ credit to that client (for more on extending credit
and dealing with cash flow, see our earlier cash flow tutorial).

In that case, you have a significant financial risk. If that customer is unable to pay, or
delays payment for whatever reason, then your business is in big trouble.

Having a lot of debt also increases your financial risk, particularly if a lot of it is
short-term debt that’s due in the near future. And what if interest rates suddenly go up,
and instead of paying 8% on the loan, you’re now paying 15%? That’s a big extra cost
for your business, and so it’s counted as a financial risk.

Financial risk is increased when you do business internationally. Let’s go back to that
example of the California farm selling its products in Europe. When it makes sales in
France or Germany, its revenue comes in euros, and its UK sales come in pounds. The
exchange rates are always fluctuating, meaning that the amount the company receives
in dollars will change. The company could make more sales next month, for example,
but receive less money in dollars. That’s a big financial risk to take into account.

5. Reputational Risk
There are many different kinds of business, but they all have one thing in common: no
matter which industry you’re in, your reputation is everything.

If your reputation is damaged, you’ll see an immediate loss of revenue, as customers
become wary of doing business with you. But there are other effects, too. Your
employees may get demoralized and even decide to leave. You may find it hard to
hire good replacements, as potential candidates have heard about your bad reputation
and don’t want to join your firm. Suppliers may start to offer you less favorable terms.
Advertisers, sponsors or other partners may decide that they no longer want to be
associated with you.

Reputational risk can take the form of a major lawsuit, an embarrassing product recall,
negative publicity about you or your staff, or high-profile criticism of your products or
services. And these days, it doesn’t even take a major event to cause reputational
damage; it could be a slow death by a thousand negative tweets and online product
reviews.

Next Steps
So now you know about the main risks your business could face. We’ve covered five
types of business risk, and given examples of how they can affect your business.

This is the foundation of a risk management strategy for your business, but of course
there’s much more work to be done. The next step is to look more deeply at each type
of risk, and identify specific things that could go wrong, and the impact they could
have.

It’s not much use, for example, to say, “Our business is subject to operational risk.”
You need to get very granular, and go through every aspect of your operations to
come up with specific things that could go wrong. Then you can come up with a
strategy for dealing with those risks.

We’ll cover all of that in the rest of the tutorials, so stay tuned for the rest of the series
on how to manage risk in your business. Next up is a tutorial on measuring and
evaluating different risks.

Part II

How to Measure Risk in Your Business

by Andrew Blackman 22 Dec 2014

Welcome to part two of our series on risk management. In part one, you
learned about the main types of risk a business can face:

• strategic risk
• compliance risk
• operational risk
• financial risk
• reputational risk

Those general categories are useful, but to have a successful risk
management strategy, you’ll need to get much more specific. You’ll need to
examine your business and identify specific things that could go wrong. And
you’ll also need some way of estimating how likely they are to happen, and
quantifying the impact they would have.

In other words, you need a way of measuring risk in your business. You’ll
learn exactly how to do that in this tutorial. Risk management can be a very
complex area, with very detailed methodologies and formulas for calculating
risk. In this tutorial, however, we’ll use a simple approach that any small
business owner can readily adopt.

1. Look at Everything You Do


The first step in measuring risk in your business is to get a much clearer idea
of what your risks are.

We identified the main areas in the last tutorial, so now it’s time to dive much
deeper into each one. Go over your business plan and all of your business's
activities, and ask yourself a series of tough "What if...?" questions.

As a business owner, it usually pays to be an optimist, but in this case you’ll
need to think of the worst-case scenarios. Put on your pessimist’s hat for a
while, and make a list of everything that could go wrong.

Here are some examples of specific questions you could ask in each area of
risk. For more ideas, see this useful RBC guide to managing risk.

Strategic Risk
1. Is the business highly dependent on a particular technology that could
be superseded?
2. What if the cost of our raw materials doubled?
3. Can people survive without our product/service?
4. What would happen if a powerful competitor entered the market and
started a price war?
5. Is there a chance that what we provide will simply go out of fashion, and
do we have a plan to adapt?

Compliance Risk
1. Are we expanding to any new markets that may expose us to new
regulatory requirements?
2. How sure are we that we’ve been complying with every single rule and
regulation that applies to our business?
3. What if there’s a rule we’ve unwittingly been breaking, and we have to
pay a fine?
4. If we hire more employees, does that expose us to any new
employment regulations?
5. What if the government decided to put new, onerous restrictions on our
core business activity?

Operational Risk
1. How reliable are our systems and technology? How often do they fail?
2. What would happen if we lost power for more than 24 hours?
3. Do we have sufficient controls on the flow of money in and out of the
company? Are we liable to losses either from abuse/scams or from
human error?
4. What natural disasters are possible in our location?
5. Would the loss of a key employee cause serious problems?

Financial Risk
1. What if our biggest client went bust and couldn’t pay its latest bill?
2. Do we have a high debt load? How much of it is at variable rates?
3. What if the interest rate on our loans increased dramatically? Could we
still pay?
4. Are we doing business internationally, or planning to? How vulnerable
are we to changes in exchange rates?
5. How much money do our clients owe us, and what would happen if
many of them were late paying?

Reputational Risk
1. What would happen if we got a negative review from a very influential
magazine or website?
2. What if one of our key employees became involved in a scandal?
3. Is there a chance of a major lawsuit against us from customers or other
businesses?
4. Do we have any effective ways of gauging public sentiment? Do we
have PR people or other staff who are capable of managing a crisis?
5. How would our business be affected by a mass of bad reviews or
negative comments on social media?

Put It Together
Asking these questions and more should help you identify some specific risks
that your business is subject to. List those risks in simple point form for now.
We’ll add more detail later. For example, your list might include:

• Key client XYZ Corp is late paying its invoice.
• Loss of power for more than 24 hours.
• Our Chief Operating Officer, Janet, leaves the company.
• A new competitor undercuts the price of our main product.
• Scathing product review from an influential magazine/website.

2. Estimate the Likelihood


For each risk you've identified, ask yourself how likely it is to happen.
You’re dealing with lots of unknown factors here, of course, so there’s no
need to strive for scientific accuracy and try to calculate the exact percentage
probability of each event. A simple five-point scale will be sufficient for most
businesses. For example:

1. very unlikely
2. quite unlikely
3. medium likelihood
4. quite likely
5. very likely

The idea is simply to give you a way of ranking each risk by the likelihood of it
happening. For example, if one of your key clients has been late paying
invoices before, then you could score that risk as a “4” or “5”.

A natural disaster, on the other hand, would probably score as “1: very
unlikely” for most businesses. The impact would of course be high, but don’t
worry about that for now; we’ll cover impact in the next section. Right now, just
go through the list of risks you identified in Step 1, and assign an approximate
“likelihood” score to each one.

It sounds simple, but actually this can be one of the hardest steps, especially
for less experienced business owners. If most of the things on your list have
never happened before, how can you decide how likely they are to happen in
future?

This is where a good network of contacts can help you. Even if the things on
your list have never happened to you, it’s a sure bet that they’ve happened to
someone else at some time. So talk to other people in your field, particularly
those with a decade or two of experience. Chances are they’ll have seen most
of the things that can go wrong, and can advise you on the likelihood of each
one.

You can also do your own research on particular issues, where useful
statistics may be available. In the case of a technical issue like a server
outage or a problem with your website host, for example, you can contact your
provider and ask how often things like that happen. If your website host
promises 99.9% uptime, you can safely mark that as a “low” risk.

If you still need help, you could consider hiring a risk management consultant.
There’ll be a fee, of course, but it may be worth it if they help you identify and
manage your risks more effectively. Insurance companies will sometimes offer
a similar service, but keep in mind that they may have a vested interest in
steering you towards a particular insurance product.

3. Estimate the Impact


Now that you’ve decided how likely each event is, the next step is to estimate
its impact. If this thing happened, how would it affect your business? Would it
be an inconvenience, or a major threat to your survival?

As before, you can use a simple five-point scale:

1. minimal impact
2. low impact
3. medium impact
4. high impact
5. devastating impact

Go through your list of risks from Step 1, and add an impact score next to the
likelihood score you’ve already created. So you’ll end up with two numerical
scores next to each item on your list.

The best way of thinking about impact is in terms of how much money you
would lose. It’s probably not realistic to assign a precise dollar amount to each
risk, but at least try to estimate an approximate range. Take into account both
the direct cost of dealing with the event, and the loss of revenue you can
expect.

For example, let’s say your main retail store gets flooded. You’d need to start
by estimating the cost of cleaning, repairing the building, replacing
water-damaged stock, buying new display shelves, etc.

But you’d also need to take into account the impact of your store being closed
for however long it takes to repair the damage. How much business would you
lose in that time?

If you make $5,000 in an average day, for example, then being closed for ten
days could cost you $50,000 in lost revenue, unless you give your customers
a very clear and easy alternative way of buying from you.

Don’t focus too much on precision with these dollar estimates, because there
are so many unknown factors. And money is, of course, not the only way to
measure impact. It’s just a way to help you rank your risks, and assign each of
them a score from 1 to 5.

4. Create a Risk Scorecard


By this stage, you should have a list of specific risks that could affect your
company, and two scores next to each of them: one for likelihood, and one for
impact.

Now we’ll create a risk scorecard that summarizes these risks and their
relative importance. It’s actually very simple to do this. Just multiply the two
numbers together, to give an overall risk score.

Here’s an example of how it could look:

| Risk | Likelihood | Impact | Risk Score |
|---|---|---|---|
| Key client XYZ Corp is late paying its invoice. | 5 | 2 | 10 |
| Loss of power for more than 24 hours. | 1 | 3 | 3 |
| Our COO Janet leaves the company. | 4 | 4 | 16 |
| A new competitor undercuts the price of our main product. | 2 | 5 | 10 |
| Scathing product review from an influential magazine/website. | 3 | 2 | 6 |

You’ll have lots more risks than this, of course, but this table at least gives you
an idea of how it works. In this example, I think my key client is very likely (5)
to be late paying its invoice, but the impact won’t be that high (2). It’ll be
inconvenient, but I can survive on the payments from other customers. So 5 x
2 = 10, a medium risk score.

On the other hand, losing my Chief Operating Officer is a big risk. She has
lots of specialized knowledge about the business, as well as contacts with key
clients. If she went to a competitor, it would have a large impact (4). And it
scores a “4” for likelihood too—perhaps she’s told me she’s unhappy in her
role and looking for a new challenge. So 4 x 4 = 16, a high risk score. This is
something to focus on.

Next Steps
In this tutorial you’ve learned how to identify key risks in your business, and
assign scores to them based on their estimated likelihood and impact. Keep in
mind, of course, that these scores are only estimates. They’re designed to
help you prioritize, but you should feel free to use your own judgement as
well.

Also, you can come up with your own scales and measures, perhaps using
letter ratings instead of numbers, or ten categories instead of five. You can
see other examples on this Queensland Government website, or this one
from Northern Ireland Business. The idea is simply to quantify your risks in a
way that makes sense for your business, so that you can try to identify the
most critical ones.

The next step, of course, is to come up with a plan for dealing with each risk.
Which ones will you focus on? What strategies will you use to address them?
Will you try to eliminate them, manage them, accept them, or pass them on to
someone else (for example by buying insurance)?

We’ll cover all of that in the next tutorial in the series. In the meantime, please
leave any comments or questions in the section below.

Part III

Effective Risk Management Strategies

by Andrew Blackman 5 Jan 2015

So far in this series on risk management, we’ve looked at the main types of risk a
business can face, and how to measure risk in your business.

The next logical step, of course, is to put together a plan for dealing with each risk
you’ve identified, so that you can manage your risks on an ongoing basis. You’ll learn
exactly how to do that in this tutorial.

We’ll start by seeing what a risk management plan might look like, and how you can
put one together for your business. Then we’ll look at the options you have in dealing
with each individual risk, and how you can decide which strategy to employ. And
finally we’ll see how you can monitor risk in your business on a regular basis, and
update your plan as necessary.

Putting together a solid risk management plan is one of the most important things you
can do for your business. Companies fail all the time, sometimes blaming bad luck,
“the economy”, or other unforeseen circumstances. Risk management is about being
prepared for as many of these adverse events as possible, so that you can ride out
storms that make your competitors go under.

Disaster can still wreck the best-laid plans, of course, but taking risk management
seriously will certainly increase your chances of long-term success. So let’s get
started.

1. Make a Plan
Every business should have a solid risk management plan. Here's a guide to putting
one together.

The format can vary widely, depending on your company’s needs. A risk management
plan for a large, complex business could easily run to hundreds of pages, while a
small business might just have a small spreadsheet focusing on the main items.

There are a few essential items to include in a risk management plan, however. Here
they are:

• a list of individual risks
• a rating of each risk based on likelihood and impact
• an assessment of current controls
• a plan of action

Let’s look at each of those in turn. If you’ve been following the series so far, you’ll
notice that we already covered the first two items in the last tutorial. So we’ve got a
good head-start on our plan already. Here’s the sample table we put together last time:

| Risk | Likelihood | Impact | Risk Score |
|---|---|---|---|
| Key client XYZ Corp is late paying its invoice. | 5 | 2 | 10 |
| Loss of power for more than 24 hours. | 1 | 3 | 3 |
| Our COO Janet leaves the company. | 4 | 4 | 16 |
| A new competitor undercuts the price of our main product. | 2 | 5 | 10 |
| Scathing product review from an influential magazine/website. | 3 | 2 | 6 |

Your full plan will of course have a lot more items, but this example at least illustrates
the format. You can refer to the other tutorial for more details about what each score
means.

So to complete our risk management plan, we just need to add two more columns to
our table.

The first new column is an assessment of current controls. For each of the risks
you’ve identified, what are you currently doing to control that risk, and how effective
is it?

For example, let’s look at the first item on our table: “Key client XYZ Corp is late
paying its invoice.” Maybe you are already controlling for that risk by having
automated reminders sent out when the invoice is close to its due date, and having one
of your staff members responsible for following up personally with phone calls and
emails. You’d list those as existing controls on your risk management plan.

So the next step is to consider the effectiveness of those actions. How well are things
working right now? If your client almost always pays on time, for example, then your
controls are effective. But if XYZ Corp has been late with its payments two or three
times already this year, the controls are inadequate. Again, you could use a simple
five-point scale here:

1. very inadequate, or non-existent
2. inadequate
3. satisfactory
4. strong
5. very strong

Then the final element of your plan details the action you plan to take in order to
manage the risk more effectively. What could you do, either to reduce the likelihood
of that event happening, or to minimize its impact when it does happen?

This last item is a little more complex, so we’ll look at it in some more detail in the
next section of this tutorial.

2. Decide How to Handle Each Risk


So at this point in the series, we’ve identified all the main risks in our business,
prioritized them based on likelihood and impact, and assessed the effectiveness of our
current controls.

The next step is to decide what to do about each risk, so that we can manage them
best. In the world of risk management, there are four main strategies:

1. Avoid it.
2. Reduce it.
3. Transfer it.
4. Accept it.

Each strategy has its own advantages and disadvantages, and you’ll probably end up
using all four. Sometimes it may be necessary to avoid a risk, and other times you’ll
want to reduce it, transfer it, or simply accept it. Let’s look at what those terms mean,
and how to decide on the right classification to use for each of your own business
risks.

Avoid the Risk


Sometimes, a risk will be so serious that you simply want to eliminate it, for example
by avoiding the activity altogether, or using a completely different approach. If a
particular type of trading is very risky, you may decide it’s not worth the potential
reward, and abandon it.

The advantage of this strategy is that it’s the most effective way of dealing with a risk.
By stopping the activity that’s causing the potential problems, you eliminate the
chance of incurring losses. But the disadvantage is that you also lose out on any
benefits. Risky activities can be very profitable, or perhaps have other benefits for
your company. So this strategy is best used as a last resort, when you’ve tried the
other strategies and found that the risk level is still too high.

Reduce the Risk


If you don’t want to abandon the activity altogether, a common approach is to reduce
the risk associated with it. Take steps to make the negative outcome less likely to
occur, or to minimize its impact when it does occur.

With our earlier case, “Key client XYZ Corp is late paying its invoice”, for example,
we could reduce the likelihood by offering an incentive to the client to pay its bills on
time. Maybe a 10% discount for early payment, and a penalty for late payment.
Dealing with late-paying customers can be tricky, and we covered it more in our
tutorial on managing cash flow more efficiently, but these are a couple of options.

In the same example, we could reduce the impact by arranging access to a short-term
credit facility. That way, even if the client does pay late, we don’t run out of money.
For more on short-term borrowing options like factoring and lines of credit, see our
tutorial on borrowing money to fund a business.

This is probably the most common strategy, and is appropriate for a wide range of
different risks. It lets you continue with the activity, but with measures in place to
make it less dangerous. If done well, you have the best of both worlds. But the danger
is that your controls are ineffective, and you end up still suffering the loss that you
feared.

Transfer the Risk


We’re all familiar with the concept of insurance from our everyday lives, and the
same applies in business. An insurance contract is basically a transfer of risk from one
party to another, with a payment in return.

When you own a home, for example, there’s a big risk of losses from fire, theft, and
other damage. So you can buy a home insurance policy, and transfer that risk to the
insurance company. If anything goes wrong, it’s the insurance company that bears the
loss, and in return for that peace of mind, you pay a premium.

When you own a business, you have the option to transfer many of your risks to an
insurance company as well. You can insure your properties and vehicles, and also take
out various types of liability insurance to protect yourself from lawsuits. We’ll look at
insurance in more detail in the next tutorial in the series, but it’s a good option for
dealing with risks that have a large potential impact, as long as you can find an
affordable policy.

Accept the Risk


As we’ve seen, risk management comes at a price. Avoiding a risk means constricting
your company’s activities and missing out on potential benefits. Reducing a risk can
involve costly new systems or cumbersome processes and controls. And transferring a
risk also has a cost, for example an insurance premium.

So in the case of minor risks, it may be best simply to accept them. There’s no sense
investing in a whole new suite of expensive software just to mitigate a risk that
wouldn’t have had a very big impact anyway. For the risks that received a low score
for impact and likelihood, look for a simple, low-cost solution, and if you can’t find
one, it may be worth simply accepting the risk and continuing with business as usual.

The advantage of accepting a risk is pretty clear: there’s no cost, and it frees up
resources to focus on more serious risks. The downside is also pretty clear: you have
no controls in place. If the impact and likelihood are minor, that may be fine. But
make sure you’ve assessed those things correctly, so that you don’t get a nasty
surprise.

3. Monitor
Putting measures in place isn't enough; you also need to check whether they're
working, and monitor your business on a regular basis to identify and deal with new
risks.

The starting point is the plan you’ve been putting together. You should now have a list
of all the risks in your business, an assessment of their likelihood and impact, an
evaluation of your current controls, and an action plan for dealing with them. Here’s
an example of how it could look when you put it all together (click the Risk
management plan and register button at the bottom of the page).

The danger with a document like this is that you spend lots of time preparing it
initially, but then never go back and update it later. A good risk management plan
must be a living document, constantly referred to and updated to reflect new
situations, new risks, and the effectiveness of your actions.

First of all, each action you define should have a target date for completion, and a
person who’s primarily responsible for it. For example, with our late-paying client, we
could decide that our salesperson, Tina, will be responsible for renegotiating payment
terms with XYZ Corp. to create incentives for timely payment, and that this will be
completed by March 1st.

When Tina’s finished doing this, you’d move that from the “actions” column to the
“current controls” column. Then over the following months, you’d assess how
effective the new payment terms are at reducing the risk. If they’re still not effective,
you could look at the short-term financing option to reduce the impact of the late
payments.

If neither of those options works, then you could look for other alternatives. If you’ve
tried everything and the client still pays late, then you may decide to accept the risk if
the client’s business is really important to you, or you could go for the nuclear option
of eliminating the risk altogether by avoiding doing business with that client.
The situation will evolve constantly over time, as the risks change and your responses
to them have their own effect. Some of the controls you put in place may reduce the
likelihood of the client paying late, making it less important to deal with. Or you may
take on so many other clients that XYZ Corp. accounts for a smaller share of your
revenue, so the impact of late payment is smaller. All of this needs to be accounted
for.

There’s no hard and fast rule about how often to update your risk management plan.
Large companies have whole departments dedicated to full-time risk management,
whereas in a small company the resources you can devote to it will probably be more
limited. The key is to make a commitment to update your plan regularly, whether
that’s on a monthly basis, quarterly, or even annually.

One of the best approaches is to make small changes to individual items on an
ongoing basis, as the changes occur, and then to carry out a more comprehensive
review of the document on a less frequent, but still regular schedule. The
comprehensive review would include going back to the steps we covered in the earlier
parts of this series, brainstorming about all the risks your business is subject to, adding
new items to the list, and ranking them by importance. Then do the same with your
existing risks, noting any changes.

Next Steps
If you take all of the steps outlined in this tutorial and the earlier parts of the series,
you’ll be in a good position to protect your business from many of the pitfalls that will
come your way.

You now have a comprehensive risk management plan that outlines all the risks your
business faces, and ranks them according to how likely they are to occur and how
serious their impact would be.
You’ve evaluated the effectiveness of the controls you currently have in place, and
come up with an action plan for either avoiding, reducing, transferring or accepting
the risk.

Your action plan has a clear timeline and a person responsible for implementing it,
and you’ve made a commitment to monitoring the success of your actions and
updating the plan as necessary.

Congratulations! You’re in a better position than many other business owners. Truly
unforeseeable events can still crop up and pose challenges, but you’ve done your best
to plan for likely risks and to protect yourself as far as possible.

The final tutorial in this series will look in more detail at the option of transferring
risk. There are quite a few different types of business insurance, and the categories are
different from those you might be used to from your personal life. So stay tuned for a
look at the main types of insurance that your business needs.

Part IV

How to Protect Your Business With the Right Insurance

by Andrew Blackman 19 Jan 2015

In the previous sections of this series on risk management, we looked at the main
types of risk a business can face, how to measure risk in your business, and
some effective risk management strategies.

As we saw in the previous tutorial, the main strategies for dealing with a risk in your
business are:

1. Avoid it.
2. Reduce it.
3. Transfer it.
4. Accept it.

In this final tutorial in the series, we’ll take a more detailed look at the third option,
transferring a risk. As we saw, the main way of transferring a risk is by buying
insurance. When you buy an insurance policy, you’re taking some risks off your plate
and transferring them to your insurance company, so that if something goes wrong,
it’s the company that pays. In return for this transfer of risk, of course, you pay an
insurance premium.

But what kinds of insurance do you need for your business? How do they work, and
what do you need to take into account when buying them? We’ll cover all of that in
this tutorial. We’ll look at some of the main types of business insurance in turn, before
wrapping up the key lessons from this tutorial and from the series as a whole.

1. General Liability Insurance
We’ve all heard about those multi-million-dollar lawsuits against coffee shops for
serving hot coffee, fast-food joints for making people fat, and so on.

Claims like this happen all the time, and of course they’re not all frivolous. What
would you do if a customer got seriously injured in your store, and sued you for
damages?

That’s where general liability insurance comes in. It covers your company for legal
expenses and payouts due to accidents, damage, and claims of negligence. It can
also cover you for things like libel and slander.

For a small business, even just paying to defend a protracted lawsuit can be
financially crippling, and if a major ruling goes against you, it will almost certainly
put you out of business. So a good general liability policy is a must for most
businesses.

The more dangerous or risky the business, of course, the more important it is to have
good coverage. If you run a skydiving club, you’ll probably want to pay for very
comprehensive coverage. If you sell soft furnishings, there’s less obvious risk.

But no matter what line of business you’re in, it’s worth considering some form of
general liability coverage. Ask at your trade association or speak to other people in the
industry to get an idea of what level of risk there is, and how much coverage you
need.

2. Product/Professional Liability Insurance


Depending on what type of business you run, you may also want more specific
liability policies.

If you manufacture a toy, for example, you’re responsible for its safety. If it’s covered
with a toxic paint that makes children ill when they play with the toy, you’re facing a
huge financial liability. Or if the design is fine, but just one individual toy has a faulty
electrical connection that causes a fire, you’re also in trouble.

And it’s not only manufacturers who have to worry. Companies at other stages of the
supply chain—wholesalers, distributors, and retailers—can also be held accountable
for faulty or dangerous products.

A good product liability insurance policy will protect you against financial loss as a
result of a defective product that causes injury or bodily harm. The more products you
deal with, and the riskier they are, the more coverage you’ll need.

If you provide services, on the other hand, you have a different kind of risk. You don’t
provide physical products, but you could make errors in your service that cause
serious losses to your customers.

If you’re an accountant, for example, and you give a client bad tax advice, that client
could end up facing massive penalties from the tax authorities, or even going to jail.
In that case, the client will have a good case against you for compensation.

Most service-based businesses can cause similar losses due to errors or negligence, so
it’s worth considering professional liability insurance (also known as errors and
omissions insurance). This will cover you for claims of negligence, just as the product
liability insurance covers you in case of a faulty product.

In some industries, there will be particular policies tailored for you. In the medical
industry, for example, it’s standard practice for doctors to take out malpractice
insurance to cover them if a patient claims they made the wrong diagnosis or provided
the wrong treatment. This malpractice insurance is designed to meet the needs of
doctors and other medical practitioners. In other industries, a more general
professional liability insurance policy may be sufficient.

3. Commercial Property/Vehicle Insurance


These are the types of insurance that will be most familiar from your personal life.

If you own a home, you likely have a homeowner’s insurance policy to cover the
value of your home and its contents, and if you own a car, you have auto insurance.
The same applies in business. You’ll need to insure your property, buildings and
vehicles for possible losses (and also, in the case of vehicles, for any damage caused
to others).

Your property insurance policy covers all company property, from buildings to
equipment, documents, inventory, and money being held on the premises. Policies
vary, of course, but generally you’ll be covered for losses from a variety of causes,
like fire, storms, theft, vandalism, and so on.

Pay attention to the wording, however. There are often exclusions, for example for
certain types of natural disaster. In those cases, you may need to take out a separate
insurance policy, or purchase extra coverage, to protect yourself.

Vehicle insurance works in a similar way to the auto insurance you’re probably used
to from your personal life: it covers you for damage to the vehicle, and also pays any
costs to other people who are injured or suffer property damage caused by your
vehicle. One thing to be aware of is that if you use your own car extensively for
business purposes, it may not be fully covered by your personal auto insurance policy.
Check with the company to see what the situation is.

4. Workers' Compensation Insurance


In the United States, pretty much any business with employees must have workers’
compensation insurance. Even if you’re not required to have it, it’s still a very good
idea. It protects you and your employees in case of injuries or accidents at work.

When you have a workers’ compensation insurance policy in place, it will pay for
injured workers to get medical care, and will compensate them for some of their lost
income while they’re unable to work. It will also protect you from lawsuits by
employees who were injured while working. And in the worst possible scenario, in
which one of your employees is killed while working, workers’ compensation
insurance provides death benefits for the employee’s dependents.

Workers’ compensation insurance is highly regulated in the U.S., and premiums are
set based on your location and how risky your business is. For more on workers’
compensation insurance, see this Insurance Information Institute guide.

5. Specialist Insurance Policies


So far in this tutorial, we’ve focused on the most common types of business insurance,
the ones that most companies will need. But there are also many different policies that
deal with more specialized cases, which may be useful for particular types of
companies.

For example, if you hold a lot of valuable customer data, you may want to take out
a data breach coverage policy. That way, you’re protected against legal costs or other
expenses if the data you’re holding is stolen or accidentally released.

If you’re running a small business from your home, you may need a special
endorsement to your homeowner’s policy, or a specific in-home business
insurance policy. Many homeowner’s policies exclude losses resulting from business
activities, and even if they don’t, the policy limits may be too low.

And there are policies tailored for particular types of business. If you run a farm, for
example, you could take out crop insurance to protect you in case of bad weather,
insect infestation or other disasters.

For all of these specialist insurance policies, it’s important to read the wording of your
broader insurance policies first, to make sure you’re not duplicating coverage. There’s
no sense paying for a specific data breach coverage policy, for example, if data
breaches were already covered under your general liability policy. But if those things
are excluded, it’s worth taking out extra coverage in areas where you’re at risk.

Putting It Together
In this final tutorial in our risk management series, you’ve learned about the main
types of business insurance, how they work, and how they can help you protect your
business. The next step, of course, is to decide on which policies you need and how
much coverage you need, and to contact insurance companies and agents for some
quotes.

You may find offerings where several of the options we’ve talked about are rolled
together into a general “business owner’s insurance” policy. These general policies
can be very useful, but just make sure that you know exactly what’s covered and
what’s not; don’t assume that this single policy will automatically give you all the
protection you need.

As we saw in the earlier tutorial on effective risk management strategies, insurance is
just one way of managing risk in your business. In that tutorial, you learned about the
other strategies available to you, and saw how you could put together a
comprehensive risk management plan to deal with any eventuality.

In the earlier parts of the series, we laid the groundwork by covering the main types of
risk a business can face, and how to measure risk in your business. If you’ve finished
the whole series, you now know how to identify all the risks your business faces,
prioritize them based on likelihood and impact, construct a solid risk management
plan, and start taking action to manage each individual risk.

If you need a refresher on any of those lessons, you can refer back to the overall series
page, Managing Risk in Your Business. Otherwise, you’re ready to move forward and
start actively planning for the worst outcomes. You can never foresee every single
problem, of course, but with a well-constructed plan that you regularly review and
update, you’ll be better prepared than many of your competitors to deal with any
curveballs that come your way.
