Article by PolicyBee

Let’s be honest: when someone mentions “risk assessment”, your eyes probably glaze over and your mind wanders to think about more interesting things.

But that might be because of how it’s been explained to you. Risk assessment isn’t only a vital part of running a small business, it saves you a lot of money if things go wrong.

And it helps you sleep easy at night, knowing you’re prepared for all the unlikely but disastrous things that could happen.

In this article, we’re going to introduce you to risk assessment. What it is, how to do it, and why it’s important. We’ll also go over ISO 31000, an easy-to-use and effective way of identifying your risks and actually doing something about them.

So, let’s start simple…

What is risk assessment? 

Risk assessment is all about spotting risks and figuring out what to do about them.

When you think about it, we all manage risk every day.

A risk might be pressing the snooze button one too many times and being late for work.

Putting your phone out of arm’s reach, so you’re forced to get up to turn it off? That’s how you mitigate that risk.

We’re all managing micro risks like this in our personal lives – either ploughing on with a carefree “it’ll never happen to me” attitude, or figuring out ways to lower the chances of something going wrong.

When you look at how to risk assess your business, it works in much the same way.

You look at what you’re doing, think about what could go wrong, and how that would affect your business. Then you decide what you can do to stop it from happening – or how you’d protect yourself if it did.

Businesses are complex, though, with lots of moving parts. That’s why it helps to take things step-by-step and use a simple framework that guides you through the process.

How to use ISO 31000 to risk manage

Using a recognised risk management framework makes the whole process easier and less time-consuming, while also giving you confidence that you’ve done it properly.

ISO 31000 is one of the most popular frameworks, used by businesses of all sizes and industries, all over the world.

It sets out principles, a complete framework, and processes for risk management in a clear and simple way.

Here’s a simple summary of how it guides you through identifying and managing your risks:

1. Context:

• • Define as many of your business’s main activities and processes as possible (storing client data, taking online payments, using subcontractors/suppliers, giving advice to clients etc).

2. Identify:

• • • Identify the risks of each of your main activities. Think, “What could happen?” and “What could go wrong?” (bad advice leads to legal claim, data breach leads to an audit by the Information Commissioner’s Office, employee sickness leads to downtime etc.)
    • Focus on what your business does day-to-day and what could go wrong. Be realistic and think about bad outcomes logically.

3. Analyse:

• • • • Consider the likelihood of the risk and how big of an impact it would have.
      • To begin, keep it simple with a ‘low/medium/high’ rating for likelihood and impact of each risk.

4. Evaluate:

• • • • • Decide the risks you have to deal with first.
        • Focus on ones with the highest impact and likelihood first, as these are the ones most likely to affect your business in the near future.

5. Treat:

• • • • • • Put a plan in place to mitigate these risks.
          • Some options that ISO 31000 gives are:
            • Avoid – stop the activity.
            • Retain – accept the risk but have a contingency plan in place.
            • Reduce – lower the likelihood of the risk happening through extra controls, training, safety processes etc.
            • Share – lessen your responsibility for the risk through contracts with clients/suppliers, insurance etc.

6. Monitor:

• Regularly review your risks, especially after changes to your business (new services, new equipment, hiring staff, moving to a new office, new technology etc).

How insurance helps you risk assess your business

Once you’ve mapped out your risks, it’s important to mitigate them where possible.

Insurance is key here, as it helps you reduce the impact of risks you can’t fully mitigate through other means.

An example might be that you store sensitive client and employee data. A risk you’ve identified is that a data breach could lead to financial and reputational damage to your business.

You’ve sensibly put in place stronger cybersecurity processes and more training for your team to avoid social engineering attacks. You’ve even put in a disaster recovery plan for your IT systems.

But you can’t fully remove the risk of a cyber-attack happening, leading to a data breach.

Insurance acts as a backstop for risks you’ve already tried to reduce but can’t eliminate entirely. If the worst happens you’d be protected, whether financially, reputationally, or operationally. In this case, cyber insurance would act as this backstop.

Completing a thorough risk assessment of your business will also make you your broker’s favourite client. It shows you’re a responsible business owner and makes it easier to recommend the right insurance and level of cover for your risks.

Taking the risk out of doing business

Hopefully this basic rundown of risk assessment gives you a solid starting point for how to risk assess your business.

We’ve talked about ISO 31000 in this article, but other risk assessment frameworks and providers are available. Some work for specific types of risk, like the National Cyber Security Centre (NCSC)’s cybersecurity framework, and others work for specific industries, like the Financial Conduct Authority (FCA)’s framework.

If you store sensitive data, you should also consider looking at ISO 27001. It’s a cybersecurity and information security risk management framework that, alongside Cyber Essentials, is perfect for protecting your business against online risks.

It’s worth doing some research on others, to make sure you have the right one for your business.

Looking for small business insurance? Click here to get your personalised quote with PolicyBee today and protect your business with confidence.