All businesses face risk. It's important to understand the risks to your business and find ways to minimise them. A risk management plan helps you to do this by detailing how you deal with risks to your business. By spending time and resources developing your strategy for managing risk, you’ll provide a safe workplace and reduce the chances of negative impacts on your business.

Consider these steps to help identify, analyse and evaluate risks in your business.

1. Decide what matters most

Before you create a risk management plan, think about which areas of your business it will refer to. For example, you might only be interested in hazard-based risks. Some of the internal and external things to think about when creating your plan are:

  • social, cultural, political and regional issues
  • economic, technology and competitive trends
  • government policies and law
  • your business aims, policies and strategies.

Find out more about types of risk to your business.

2. Consult with stakeholders

Your risk management plan will be more specific and useful if you ask for feedback from the people, businesses or organisations you deal with.

Stakeholders can include:

  • employees, contractors and sub-contractors
  • clients, customers and suppliers
  • business financiers, investors and insurers
  • your local communities and local media
  • government agencies.

Consulting with stakeholders will help you to:

  • work out what your business considers as high and low risk
  • get support for your risk management plan
  • bring together different views and areas of expertise
  • keep your risk framework up to date
  • respond to unexpected risks.

3. Identify the risks

Working out the risks to your business could be as easy as thinking about what could go wrong, and how and why it could happen. You might also need to do some research into:

  • past events and risks
  • possible future changes to your business environment, such as changes in economic trends
  • social and community issues that could affect your business.

Find out how to conduct market research.

To identify risks, you can also:

  • look at hazard logs, incident reports, customer feedback and complaints, and survey reports
  • review audit reports such as financial audit reports or workplace safety reports
  • do a strengths, weaknesses, opportunities and threats (SWOT) check for your business
  • discuss business issues with your staff, customers, suppliers and advisers.

4. Analyse the risks

After identifying the risks to your business, it’s time to work out which ones are urgent. To analyse the risks of an event, you should first look at the:

  • damage that the risk would cause
  • likelihood of the risk happening

Work out a rating system for damage and likelihood. For example, you could have ratings of:

  • 1 to 4 for damage (1 for slight damage, and 4 for severe damage)
  • 1 to 4 for likelihood (1 for not likely, and 4 for extremely likely)

Use these ratings to work out the level of risk.

Calculate risk level

To work out the level of risk for an event, use this formula:

Risk level = damage x likelihood

Based on our example above, the lowest risk level you could get is 1 (1 x 1), and the highest risk level you could get is 16 (4 x 4). You can use the risk levels to rank your risks from least urgent to most urgent.

5. Evaluate the risk

Risk criteria set a standard to assess risks to your business. To set your risk criteria, state the level and nature of risks that are acceptable or unacceptable in your workplace.

To evaluate risk, compare the level of risk for various events against your risk criteria. You should also check if your existing risk management methods are enough to accept the risk.

When to accept risk

Your strategy for managing risk may be more than just deciding whether to accept the risk or not. If your business is part of a bigger supply chain that involves retailers, distributors or primary producers, you can spread the risk across a number of areas.

Sometimes businesses choose to accept risks and not spend any resources on avoiding them. You might decide to accept a level of risk for the following reasons:

  • The cost of treatment is much higher than the potential results of the risk.
  • The risk level works out to be very low.
  • The benefits of taking the risk greatly outweigh the possible damage.

6. Treat risks to your business

Your evaluation will have helped you to identify any risks that need to be treated. Develop your plan to treat risks, including:

  • each risk type and the level of risk to your business
  • suggested strategies to treat each risk
  • timeframes for each strategy
  • who's responsible for specific parts of the plan
  • resources required such as money, staff and external help
  • future action such as regular checking and updating of risks, if needed

7. Commit to reducing risk

Committing to quality risk management can help you create a stable business that prepares for unexpected events.

As a business owner, it's a good idea to:

  • make sure your business aims link to your risk management plan
  • clearly describe your risk management plan to everyone in your business
  • show support for risk management
  • set up a way of measuring the success of your risk management plan
  • regularly check that your way of measuring is giving you useful information
  • make it clear who's responsible for what
  • provide enough resources at all levels of your business
  • ask for feedback from everyone in your business, including customers and suppliers
  • use feedback to update your plan
  • explain risk management to new employees and in training programs
