Risk management

Prevent and reduce business risk

Managing and reducing risk involves putting processes, methods and tools in place to deal with the outcomes of events you have identified as threats to your business.

Internal controls for risk prevention

Effective internal controls are necessary to mitigate the different types of risks to your business. Two categories of controls exist:

  • preventive controls - help you avoid risk before it occurs
  • detective controls - help you find problems after they occur

To prevent and reduce risks, you should evaluate your current control activities and amend them if necessary. For example, you may want to:

  • set aside financial reserves to ease cashflow problems if they occur
  • use physical control over assets, eg locks
  • put in place data backup and IT support to deal with potential systems failures
  • screen and train employees before you allow them access to critical systems
  • limit the number of employees with access to critical or sensitive data
  • segregate certain types of duties to different employees, eg financial decisions
  • introduce pre-approval of actions and transactions
  • carry out internal audits, inventory counts, etc
  • review organisational performance regularly

Maintaining appropriate and effective internal controls will help you to mitigate some of your risks. Developing a risk management plan will also help you to foresee risks, estimate impacts, and define your responses to address them.

See how to evaluate business risks and use the risk management process to help you detect them.

Risk management and business continuity

Programmes which deal with threats identified during risk assessment are often referred to as business continuity plans. These set out what you should do if a certain event happens - for example if a fire destroys your office.

The foundation of a business continuity plan is typically a business impact analysis. The analysis can help you to:

  • understand how your business would cope during downtime
  • calculate recovery time objectives for your services
  • understand the resources you need to keep critical functions running

Business impact analysis will form the basis of your disaster recovery and help you create a business continuity plan, potentially reducing disruption to your business.

Review your risk mitigation practices

Risk assessments will change as your business grows or under the influence of internal or external factors. This means that you should regularly review the processes you have put in place to manage your business risks. Such reviews will identify improvements to the processes and can also indicate when a process is no longer necessary.