Risk management involves identifying, analyzing, and taking steps to reduce or eliminate the exposures to loss faced by an organization or individual. The practice of risk management utilizes many tools and techniques, including insurance, to manage a wide variety of risks. Every business encounters risks, some of which are predictable and under management's control, and others which are unpredictable and uncontrollable. Risk management is particularly vital for small businesses, since some common types of losses—such as theft, fire, flood, legal liability, injury, or disability—can destroy in a few minutes what may have taken an entrepreneur years to build. Such losses and liabilities can affect day-to-day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt a small business. But while many large companies employ a full-time risk manager to identify risks and take the necessary steps to protect the firm against them, small companies rarely have that luxury. Instead, the responsibility for risk management is likely to fall on the small business owner.
The term risk management is a relatively recent (within the last 20 years) evolution of the term "insurance management." The concept of risk management encompasses a much broader scope of activities and responsibilities than does insurance management. Risk management is now a widely accepted description of a discipline within most large organizations. Basic risks such as fire, windstorm, employee injuries, and automobile accidents, as well as more sophisticated exposures such as product liability, environmental impairment, and employment practices, are the province of the risk management department in a typical corporation. Although risk management has usually pertained to property and casualty exposures to loss, it has recently been expanded to include financial risk management—such as interest rates, foreign exchange rates, and derivatives—as well as the unique threats to businesses engaged in E-commerce. As the role of risk management has increased, some large companies have begun implementing large-scale, organization-wide programs known as enterprise risk management.
STEPS IN THE RISK MANAGEMENT PROCESS
According to C. Arthur Williams Jr. and Richard M. Heins in their book Risk Management and Insurance, the risk management process typically includes six steps. These steps are 1) determining the objectives of the organization, 2) identifying exposures to loss, 3) measuring those same exposures, 4) selecting alternatives, 5) implementing a solution, and 6) monitoring the results. The primary objective of an organization—growth, for example—will determine its strategy for managing various risks. Identification and measurement of risks are relatively straightforward concepts. Earthquake may be identified as a potential exposure to loss, for example, but if the exposed facility is in New York the probability of earthquake is slight and it will have a low priority as a risk to be managed.
Businesses have several alternatives for the management of risk, including avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or loss prevention, involves taking steps to prevent a loss from occurring, via such methods as employee safety training. As another example, a pharmaceutical company may decide not to market a drug because of the potential liability. Assuming risks simply means accepting the possibility that a loss may occur and being prepared to pay the consequences. Reducing risks, or loss reduction, involves taking steps to reduce the probability or the severity of a loss, for example by installing fire sprinklers.
Transferring risk refers to the practice of placing responsibility for a loss on another party via a contract. The most common example of risk transference is insurance, which allows a company to pay a small monthly premium in exchange for protection against automobile accidents, theft or destruction of property, employee disability, or a variety of other risks. Because of its costs, the insurance option is usually chosen when the other options for managing risk do not provide sufficient protection. Awareness of, and familiarity with, various types of insurance policies is a necessary part of the risk management process. A final risk management tool is self-retention of risks—sometimes referred to as "self-insurance." Companies that choose this option set up a special account or fund to be used in the event of a loss.
Any combination of these risk management tools may be applied in the fifth step of the process, implementation. The final step, monitoring, involves a regular review of the company's risk management tools to determine if they have obtained the desired result or if they require modification. Nation's Business outlined some easy risk management tools for small businesses: maintain a high quality of work; train employees well and maintain equipment properly; install strong locks, smoke detectors, and fire extinguishers; keep the office clean and free of hazards; back up computer data often; and store records securely offsite.
RISK MANAGEMENT IN THE INTERNET AGE
Small businesses encounter a number of risks when they use the Internet to establish and maintain relationships with their customers or suppliers. Increased reliance on the Internet demands that small business owners decide how much risk to accept and implement security systems to manage the risk associated with online business activities. "The advent of the Internet has provided for a totally changed communications landscape. We communicate faster, more efficiently, and to a larger number of people," Gary Griffith wrote in the Dallas Business Journal. "Shifting to Web sites and e-mail as forms of communication changes the scope, speed, and cost of advertising, customer/vendor communication, and employee-to-employee communication. Along with the advantages are liability issues which should not be ignored."
Conducting business online exposes a company to a wide range of potential risks, including: liability due to infringement on copyrights, patents, or trademarks; charges of defamation due to statements made on a Web site or via e-mail; charges of invasion of privacy due to unauthorized use of personal information or excessive monitoring of employee communications; liability for harassment due to employee behavior online; and legal issues due to accidental noncompliance with foreign laws. In addition, businesses connected to the Internet also face a number of potential threats from computer hackers and viruses, including a loss of business and productivity due to computer system damage, and the theft of customer information or intellectual property.
As of the early 2000s, the insurance industry had not made policies widely available to protect businesses against the risks of E-commerce. As a result, business owners had to include Internet security among their risk analysis and management activities. As a minimum level of protection, experts recommend that companies conduct a legal review of their Web site content, establish clear policies on employees' Internet and e-mail usage, and install virus protection and security systems on all computers used to access the Internet.
ENTERPRISE RISK MANAGEMENT
In the 1990s, the field of risk management expanded to include managing financial risks as well as those associated with changing technology and Internet commerce. As of 2000, the role of risk management had begun to expand even further to protect entire companies during periods of change and growth. As businesses grow, they experience rapid changes in nearly every aspect of their operations, including production, marketing, distribution, and human resources. Such rapid change also exposes the business to increased risk. In response, risk management professionals created the concept of enterprise risk management, which was intended to implement risk awareness and prevention programs on a company-wide basis. "Enterprise risk management … seeks to identify, assess, and control—sometimes through insurance, more often through other means—all of the risks faced by the business enterprise, especially those created by growth," Griffith explained.
The main focus of enterprise risk management is to establish a culture of risk management throughout a company to handle the risks associated with growth and a rapidly changing business environment. Writing in Best's Review, Tim Tongson recommended that business owners take the following steps in implementing an enterprise-wide risk management program: 1) incorporate risk management into the core values of the company; 2) support those values with actions; 3) conduct a risk analysis; 4) implement specific strategies to reduce risk; 5) develop monitoring systems to provide early warnings about potential risks; and 6) perform periodic reviews of the program.
Finally, it is important that the small business owner and top managers show their support for employee efforts at managing risk. "To bring together the various disciplines and implement integrated risk management, ensuring the buy-in of top-level executives is vital," Luis Ramiro Hernandez wrote in Risk Management. "These executives can institute the processes that enable people and resources across the company to participate in identifying and assessing risks, and tracking the actions taken to mitigate or eliminate those risks."