Risky Business

Paula, our resident risk warrior, examines the basic principles of risk management for small businesses.

By Paula Spencer

Updated 15 Apr 2024 | 10 Mar 2021

We all know that risk management is an integral part of running any business, but just saying the words can be enough to put people to sleep. Believe us, risk management does not have to be as boring or daunting as it sounds, and it can certainly help you sleep easier at night. Many NDIS audits are uncovering inadequate risk management processes, and we commonly hear, ‘But we are so small, what does this look like for us?’ Paula, our resident risk warrior, examines the basic principles of risk management for small businesses.

What is Risk Management?

Risk management is the process used to identify and manage or control risks. 

Risk is the product of how likely it is that a business will face an adverse event and the impact of that event.

You may wonder: 

  • What risks does my business face? 
  • Am I missing any?
  • How likely is it that a risk will be realised, and if so, what will the impact be? 
  • What about new risks – how do I keep on top of those? 
  • Are the controls I have put in place adequate? 

As a small business owner, you no doubt want to have a risk management system that is simple and manageable. Although it may be tempting to use generic documents, it will ultimately be more useful if the system is tailored to your organisation and how you do things.

Risk Management toolkit 

The basic tools used in risk management are:

  • Management process 
  • Risk matrix
  • Register(s)


The Risk Management Process

The tool belt of the kit

The four main steps of a risk management system:

  1. Identify the risk: this could be done through a risk assessment, as a result of an incident, from a complaint, as part of a strategic review or through planning a new project, etc.
  2. Assess and prioritise the risk: define how severe a risk it is and if you need to take action to eliminate or control it.
  3. Control the risk: measures should be proportionate to the severity of the risk. 
  4. Evaluate: are the controls working or are new measures required?

Once you decide what your process is for each of these four steps, document it. This should also detail what other risk management tools you will use.  

It is beneficial to link to other related systems, such as auditing, complaints, and incident management.


The Risk Matrix

The measuring tape 

The risk matrix is used to determine the risk rating. This will assist you in prioritising which actions to take. 

The matrix is shown as a table in which the rows and columns are labelled as Likelihood (i.e., probability) and Impact (i.e., consequences). The user selects the most appropriate description of the likelihood and impact, and the risk rating is defined by where these two intersect. 

The matrix can have as many columns and rows as you’d like, but for a small business you probably wouldn’t want any more than four. 

First, you must define what these options are so that the resulting risk rating is in line with the level of risk (the risk appetite) you are willing to accept, and provides relatively consistent results no matter who the user is. 

Some businesses provide detailed descriptions for each option, whereas others only include one or two words. It is important that each description is detailed enough that users can confidently determine which option to select, without being so detailed that the user is overwhelmed.

Definitions of Likelihood

Generic definitions of likelihood can be presented as a range, such as:

The definition may include the percentage chance of an event occurring. For example:

  • Less than 20% chance
  • Over 20% but less than 50% chance
  • 80% chance or higher

Alternatively, it may include an estimated number of times the event is expected to occur: 

  • Once every 100 years
  • Once a month
  • Once a week

Definitions of Impact

Generic definitions of impact can be presented as a range, such as:  

More detailed definitions can be specific to the types of impact that are likely in a specific industry. For example, an international mining company may include impacts such as civil and political uncertainty, environmental impact, or equipment productivity. A highly regulated organisation may include compliance risks.

As injury and illness to staff and others are potential risks for most businesses, metrics often include the impact of these. For example:

  • Minor injury requiring first aid treatment
  • Injury or illness requiring medical treatment

You may also list more detailed business-related impacts. For example:

  • Financial impacts, i.e., $100 →  $100,000
  • Reputation impacts, i.e., 1 complaint → widespread negative media coverage 
  • Compliance impacts, i.e., minor procedural breach → breach of law or regulation, significant fines, threat to registration, etc. 


The Registers

The power tools – where the action is

Registers are used to record areas that require ongoing monitoring and action.  Many small businesses use Excel spreadsheets to document their registers.

Examples include:

  • Risk register: used to capture risks, controls you already have in place, and any future planned actions. Risks may be grouped into broader categories, such as safety, reputation, financial viability, compliance etc. 
  • Compliance register: lists the primary legal and regulatory compliance obligations as well as measures in place to ensure compliance and actions planned to address gaps. May include details of how changes to obligations are maintained, i.e., lists of websites, newsletters, and updates to keep aware of. To simplify, some small businesses combine compliance and risk into the one register.
  • Continuous improvement register: used to capture improvements that may arise out of events such as complaints or incidents, as well as from audit results and other improvement actions. 


Monitoring and Reporting

Once your system is developed and implemented, schedule times to monitor what is working and not working. If you have an increase in incidents or near misses, this may be a sign that the risk management system is not functioning as well as it could.

Developing reports that summarise the risks you are facing, updates on measures, and if targets are being met is also beneficial, even if they are brief. This will provide you with assurance and written evidence of continuous improvement and assist you when adapting to change. A clear assessment of risk enables informed decision-making, giving peace of mind to any business regardless of size. Who knows, with a few tools and tailored processes, you too could learn to love risk management!

To prove that you don’t have to be a risk expert to manage risk effectively, we asked DSC’s editor, Sara Gingold, to have a crack at it herself. Over to you Sara: 

When reading Paula’s article, I was struck by the idea that I might be far less anxious if I did a risk assessment whenever a worry pops up in daily life. So I decided to do just that. Here’s what I’ve got…  

Step 1: Identify the risk

Risk: My cat will figure out how to feed herself, and consequently I will lose the only leverage I have over her. 

Step 2: Assess and prioritise the risk

First, I marked on the diagram below how likely it is that this risk will occur.  

This might seem like a generous assessment of her abilities, but Butter is smarter than your average cat. 

Then I looked at the impact this would have:

Losing food as leverage would have a moderate impact, but she is not unreasonable and I should still be able to negotiate with her.

Step 3: Control the risk

I came up with three ways I could control this risk: 

  1. Keep food under lock and key 
  2. Keep food in a secret location
  3. Do an inventory of remaining food supplies; if they decrease at an alarming rate, re-evaluate. 

I have decided that the third option is probably the most sensible for the time being. 

Step 4: Evaluate

So, is the plan going to work? Ask me again in three months’ time. But in the meantime, I am certainly going to sleep that tiny bit easier – so long as Butter doesn’t wake me wanting her breakfast. 

