It is equally important to protect your business as it is to generate a profit. What is the point of investing your life savings and working 100 hours a week to have your hard earned money lost or stolen? Loss is can generally be attributed to poor planning and failing to manage risk. There are five ways to manage risk: Avoidance, Spreading, Transfer, Reduction, Acceptance.
Avoidance is simple, don’t take the risk. In business, and life, it is good practice to evaluate if the risk is worth the reward. You wouldn’t invest your money in a vehicle that would provide a lower return than your savings account, if there was an equal chance that you could lose that investment. Some risk you should just avoid.
When the upside of the risk appears to be worth the investment, however, the criticality of the loss is too great, spreading the risk would be applicable. Practical application of spreading risk would be if you were looking into buying an investment property that has the potential of producing a great return, however, you did not want to invest your entire life savings into the property. Spreading would be getting others to invest with you. Yes, you’d receive a smaller return, but if it goes bad, you will not lose your entire life savings.
Using the same investment property example, there are other threats to the investment besides not getting the anticipated return. Fire, one of the most common threats to property, could destroy your investment. The smart move is to transfer the risk to an insurance company. You pay a premium (yes, further eating into your profits) to an insurance company, who will assume the risk of fire to your property.
Risk reduction is probably the the most comprehensive strategy for addressing risk. It involves identifying threats and implementing countermeasures. Another threat to our imaginary investment property is theft of construction materials. Insurance is available to transfer this risk, however, effectively securing the material may be the more cost effective measure.
If reduction is the most comprehensive, acceptance may be the simplest. Some risk is just worth the reward. If all of the countermeasures to protect a piece of equipment worth $100 cost $1,000, it’s not worth the countermeasure (unless you’re going to lose it 10 times or more). At that point, the most prudent strategy is to just accept the risk.
Avoidance, spreading, transferring, reducing, and accepting are all adequate strategies for addressing risk. Using Enterprise Security Risk Management principles to address threats to your business directly adds to your bottom line. The convergence of physical, cyber, personnel, and information security embedded into your business model will make the risk management seamless in your organization.