How to Develop a Risk Management Plan to Ensure Small Business Continuity

There’s a lot to be said for positive thinking. Launching a project with optimism is a great thing to do. But you also need to be realistic. Sometimes, you even need to be a bit pessimistic.

Ideally, every project will sail through to completion without any hitches or issues. But in reality, difficult contingencies arise all the time. If you’re not prepared for these, everything could come to a grinding halt while you run around sorting the problem.

This isn’t just bad for individual projects, it’s also terrible for business consistency. It could cause delays or interruptions in service, likely to annoy your customers. Your business reputation and customer loyalty could suffer as a result.

In order to prevent problems from happening and quickly solve them with minimal downtime when they arise, it’s important to build a risk management strategy.

Here, we’ll take you through the fundamentals of building a simple risk management strategy.

Types and knowability of risk

Image created by the author

Before we dive into the steps of building a risk management strategy, it’s worth running through the types of risk you may encounter, and their ‘knowability’.

There are four main types of risk: Technical, Organizational, Management, and External

• Technical risks concern the technology you use. For example, computer networks, devices, problems connecting with your remote team, wifi etc.
• Organizational risks pertain to things like running out of budget, logistical issues, project dependencies, etc.
• Management risks include any problems that occur with planning or team management, including scheduling, communication, and delegation.
• External risks are a lot less controllable than the other three. External risks come from your customers, your contractors, or the world in general. For example, a downturn in the economy would be an external risk.

Seven steps to create a good risk management strategy

Having covered the kinds of risks you may encounter, and their knowability, let’s dive into the essential steps needed to create a good risk management strategy.

Image created by the author

1 - Risk analysis

Image created by the author

The very first step is to dive deep into risk analysis. Rather than approaching this in a slapdash way, it often helps to identify each risk by category.

So, take the four risk categories (technical, organizational, management, and external) and dig into the various ways these risks could disrupt your project or organization.

For example, risks under the ‘management’ category could include things like internal control deficiencies, breakdown in communication, staff sickness, managerial sickness, human error, and team conflict.

Ultimately, you want to transform all unknown risks into known risks and come up with plans to deal with any of these risks if they occur. So, to make sure that your risk analysis is as complete as possible, talk to as many people as you can. Get many different perspectives from many different departments.

When you feel you’ve come up with every risk you possibly can, it’s time to move on to evaluating their impact.

2 - Impact evaluation

Image created by author

Having established potential risks, now it’s time to evaluate their impact.

Let’s return, for example, to that internal control deficiencies risk we mentioned earlier. What could be the possible impacts of this?

Reach as far as you can, to cover every base from best to worst case scenarios. In this case, smaller impacts could be things like delays in administrative processes. Larger impacts could include things like being unable to provide an audit trail.

If you’re asking ‘what is an audit trail?’ - well, these kinds of vital knowledge gaps are exactly why you need a risk management plan. They uncover deficiencies in what you have, what you know, and what you do, and show you where you need to improve.

At this stage, it’s also important to think about the priority of each risk. Prioritization of risk doesn’t depend entirely on the severity of each impact - although severity should definitely play a part! It also depends on how likely each risk is to occur.

Your highest priority risks should be those which are both likely to occur and will have a serious impact. Some risks may have a more severe impact but be a lot less likely to occur - these should be placed lower on the priority list, and vice versa.

3 - Role assignation

Image created by the author

By this point, you should have a list of possible risks, their potential impact, the severity of that impact, the likelihood of the risk occurring, and the priority each risk needs to take in your risk management strategy. So far, so good.

Now, it’s time to start serious strategizing.

Each risk needs to become somebody’s responsibility. That person will have to take measures to control the risk, prevent it from happening, and take ownership if the risk becomes an issue.

The best person for each risk depends on their skillset and the resources available. You may have to assign new resources in some cases.

4 - Preventative strategizing

Image created by the author

Having assigned risk responsibility, you can now work with your team to come up with preventative strategies for each risk.

Prevention usually takes one or more of these four routes:

• If a risk is looming on the horizon, change what you’re doing in order to avoid the threat.
• Send the risk elsewhere. This doesn’t mean ‘palm off the problem on someone else’. It means ‘flag up the risk to someone with more responsibility or more resources to deal with it’.
• If the risk cannot be avoided, take action to lessen its impact.
• Brace for impact! Accept that there is nothing you can do about the risk, and work out how you are going to deal with any negative impact.

5 - Contingency planning

Image created by the author

This is ‘worst case scenario’ planning. If you can’t avoid, transfer, or mitigate a risk, how can you ensure that the impact isn’t as bad as it could be?

Contingency planning could be anything from planning safe routes out of a building in case of a fire to having a CS manager on standby to solve customer pain points. Ideally, you should make contingency plans in order of risk priority - but risks with very severe impacts should also always have contingency plans, even if the likelihood of them occurring is very low.

Contingency planning often involves things like finding resources that can be used when a risk hits, planning who needs to be notified (and when), creating an action plan, plotting risk triggers, and figuring out how you will monitor risk triggers.

The trick with contingency planning is not to catastrophize. Don’t blow relatively minor risks out of proportion, and create detailed contingency plans for scenarios that are very unlikely to happen.

6 - Measuring risk threshold

Image created by the author

Your risk threshold is the amount of risk you are willing to work with on any given project.

When you do a risk assessment for a new project, you may find that some likely risks with severe impacts crop up. If you can’t adequately plan to avoid these risks, you have to decide whether or not it is worth going ahead with the project. What level of risk is acceptable? What impacts could you weather?

Anything beyond that level of acceptability crosses your ‘risk threshold’.

Risk thresholds are often calculated relative to potential rewards. If the potential reward if things go well is higher, your risk threshold may be lower - i.e. you may be willing to risk more if the potential payoff is bigger.  However, if the risk is more likely and the rewards lesser, your risk threshold may be lower.

Determining your risk threshold isn’t something you should do alone. You need to consult all stakeholders in the project, including partners, contractors, and - if they could be negatively impacted by potential risks - staff.

7 - Monitoring and reporting

Image created by the author

This is the final and perhaps most important step of any risk management strategy. It is no good mapping risks and creating contingency plans if you are not keeping an eye on risk triggers on an ongoing basis.

Risk management isn’t a ‘one and done’ situation. It’s an ongoing project. You need to be constantly tracking, monitoring, and reporting on risks.

Back in Step 3, you assigned responsibility for each risk to an individual or team within your organization. Part of that responsibility involves monitoring known risks and keeping a lookout for unknown ones.

Remember, your project and organization are not static, and they don’t exist in a static world. If the last few years have taught us anything, it’s that everything can change on a dime.

So, as well as watching out for known risks, you need to be alert for unknown risks that crop up as your project progresses. Or for low-probability risks to suddenly become high-probability risks.

If this sounds stressful and depressing, don’t worry! This is why you create a risk management strategy in the first place. When you’re alert and prepared, risks are much, much easier to avoid and/or overcome!

A risk management strategy is essential for any business

Even if you work in an incredibly low-risk industry, it’s still worth putting a risk management strategy in place. From negative reviews to a full-blown disaster, preparation is key for any business.

Back in 2020, the businesses that survived the pandemic were the ones that were prepared for emergencies. Even though nobody could have predicted the Covid-19 pandemic and how quickly it would change everything, businesses that were accustomed to planning and strategizing around risks had the mindset and resources needed to deal with the pandemic’s impact.

So, whether you have a high-risk business or a low-risk one, risk management planning is a must. We hope that these steps will help you to come up with your own risk management strategy.