All businesses face risk. It's important to understand those risks and find ways to minimise them.

A risk management plan helps you to do this by detailing how you deal with risks to your business. It helps you provide a safe workplace and reduce the chances of negative impacts on your business.

Consider these steps to identify, analyse and evaluate risks in your business.

1. Decide what matters most

Before you create a risk management plan, think about which areas of your business it will cover. For example, you might only be interested in risks around health and safety hazards. 

Some things to think about when creating your plan:

  • social, cultural, political and regional issues
  • economic, technology and competitive trends
  • government policies and law
  • your business aims, policies and strategies.

2. Consult with stakeholders

Your risk management plan will be more useful if you get feedback from the people, businesses or organisations you deal with.

Stakeholders can include:

  • employees, contractors and sub-contractors
  • clients, customers and suppliers
  • business financiers, investors and insurers
  • your local communities and local media
  • government agencies.

Consulting with stakeholders will help you:

  • work out what your business considers high and low risk
  • get support for your risk management plan
  • bring together different views and areas of expertise
  • keep your risk framework up to date
  • respond to unexpected risks.

3. Identify the risks

Working out the risks to your business could be as easy as thinking about what could go wrong, and how and why it could happen.

You might also need to do some research into:

  • past events and risks
  • possible future changes to your business environment, such as changes in economic trends
  • social and community issues that could affect your business
  • how to conduct market research.

To identify risks, you can also:

  • look at hazard logs, incident reports, customer feedback and survey reports
  • review audit reports such as financial audit reports or workplace safety reports
  • do a strengths, weaknesses, opportunities and threats (SWOT) check for your business
  • discuss business issues with your staff, customers, suppliers and advisers.

Download our risk analysis template

Use our template to identify the risks your business might face and how you can control or minimise them.

4. Analyse the risks

After identifying the risks to your business, work out which ones are urgent. Our risk analysis template helps you to do this.

To analyse the risks of an event, you should first look at the:

  • likelihood of the event happening
  • consequence or damage if it happens.

Work out a rating system for likelihood and consequence. For example, you could have ratings of:

  • 1 to 4 for likelihood (1 for highly unlikely and 4 for highly likely)
  • 1 to 4 for consequence (1 for low and 4 for severe).

Use these ratings to work out the risk level for each risk.

Calculate risk level

To work out the level of risk for an event, use this formula:

Risk level = likelihood × consequence

Based on our example above, the lowest risk level you could get is 1 (1 × 1), and the highest risk level is 16 (4 × 4). You can use the risk levels to rank your risks from least urgent to most urgent.

5. Evaluate the risk

Risk criteria are a standard to assess risks to your business. They set the level and type of risks that are acceptable or unacceptable in your workplace. Our risk assessment template has an example risk level guide.

To evaluate risk, compare the level of risk for various events against your risk criteria. You should also check if your existing risk management methods are enough to accept the risk.

When to accept risk

Your strategy for managing risk may be more than just deciding whether to accept the risk or not. If your business is part of a bigger supply chain that involves retailers, distributors or primary producers, you can spread the risk across a number of areas.

Sometimes businesses choose to accept risks and not spend any resources on avoiding them. You might decide to accept a level of risk for one of these reasons:

  • The cost of treatment is much higher than the potential results of the risk.
  • The risk level is very low.
  • The benefits of taking the risk greatly outweigh the possible damage.

6. Treat risks to your business

Now you've identified any risks that need to be treated, develop a plan to treat them:

  • Suggest strategies to treat each risk.
  • Create timeframes for each strategy.
  • Decide who's responsible for each part of the plan.
  • Work out any resources required, such as money, staff and external help.
  • Schedule any future actions, such as regularly checking and updating risks.

7. Commit to reducing risk

Committing to quality risk management can help you create a stable business that prepares for unexpected events.

It's a good idea to:

  • make sure your business goals link to your risk management plan
  • clearly describe your risk management plan to everyone in your business
  • support staff to manage risks
  • set up a way of measuring the success of your risk management plan
  • regularly check that your way of measuring is giving you useful information
  • make it clear who's responsible for what
  • provide enough resources at all levels of your business
  • ask for feedback from everyone in your business, including customers and suppliers
  • use feedback to update your plan
  • explain risk management to new employees and in training programs.