How to identify and manage risk in your business

What does risk management mean in the context of a business, and in particular small business?

The concept of risk management refers to a process of identifying the risks that pertains to a business, assessing the impact of those risks, and coming up with controls to manage those risks. Quite often, small businesses don’t consider these risks which can be detrimental to their business.

Can you provide an example of a risk and a control?

A simple one is a cash flow risk. For example, you can request a deposit upfront from your customers before you do the work, depending on the type of work or service that you render, or you could perform credit assessment on your customers as a control measure to make sure that they will be able to pay you once the work has been completed or the services have been rendered.

What is the difference between strategic risks and operational risks?

Strategic risks are risks that are posing threat to the strategic objectives of the company. Here, we look at the reason why the company exists, as well as the high-level plans that management want the company to achieve. And finally, what may deter the company from achieving these plans?

An example of a strategic risk is technological changes that threaten your business model. In managing this risk, how quickly or swiftly the organisation responds to changes in the technological space including flexing some of its objectives is part of the decisions that management has to take to ensure that this risk is managed.

Another example is one of the business models that a business has chosen to use in delivering its offering. Currently, looking at the restaurant industry – if the restaurant started out with a plan that they will only serve food to sit in patron and not do take ways or any deliveries, with the impact of lock-down and Covid-19 restrictions, a strategic question to be addressed by the its owners would be considering whether should the business shut down completely while the restrictions persists or consider other means of delivering the service such as introducing take away, drive throughs to sustain its business.

Operational risks on the other hand affect an organisation’s ability to execute its strategic plan. For these kinds of risks, the company introduces systems of internal controls to manage these risks.

What would you say are emerging risks?

Emerging risks are risks that are developing that could be material and have significant impact or loss in an entity. The characteristic of these risks is that they are complex compared to your normal operational risks because they are ever-changing and sometimes it’s not easy to quantify them because there isn’t enough historical data to be able to quantify their impact or the sustained loss that the business could suffer as a result of these risks.

Take Covid-19 pandemic for example, it’s an emerging risk that has revealed a lot of other risks and weaknesses that exist for a business – you don’t know the timing, how long it’s going to last if your business can survive this era especially if your business is Covid-19 sensitive like an events company. How do you begin to prepare for such a risk and which areas should you particularly focus on, how much you should invest in it, what is going to be a return for you versus the risk and the benefits for your company having invested in those risk management strategies as a business.

Other than Covid-19, which is a big risk now, are there any other big risks that are emerging globally that we need to be thinking about?

Absolutely, on the top of my list is a fraud risk. It affects the public in general as well as the businesses at large. This risk has increased simply because people are desperate as a result of economic pressures.

Currently an opportunity or an incentive to commit fraud has been exacerbated by laxing of controls that were designed to manage fraud risk in the companies. With a shift from working from office to home, this has in some way compromised the level of approval & authorisation controls that were designed to detect and manage fraud risk as fewer people are now being used in a control process than before and entities have not really revised their operational internal controls to align with the remote working policies.

For us as auditors, when we perform audits, we find that the fraud risk due to fraudulent financial reporting is also heightened because management want to overstate profits that have been suffered because of Covid-19, in order to manage this, we are then required as part of planning the audit to assess the risk of fraud at the planning stage of the audit.

Second to that is the risk of data protection and cybersecurity risk. With several people working from home, the data and information security of companies are exposed and some businesses have not been able to swiftly adopt a remote working model because they do not have controls in place to ensure the security of their information. With the introduction of POPIA, businesses may also find themselves breaching their own policies in how they use and store data, for example, if data is used outside business premises, is using the data outside the premises like at home covered within the POPIA.