How to identify and manage risk in your business
Q&A with The Modern Firm MD Lungile Phakathi
Business risks refer to all the factors that may lead to lower profit or even cause a company to close and fail. Lungile Phakathi, a CA(SA) and The Modern Firm MD, gives practical advice on how you can identify and manage risks in your business.
What does risk management mean in the context of a business, and in particular small business?
The concept of risk management refers to a process of identifying the risks that pertain to a business, assessing the impact of those risks, and devising controls to manage those risks. Small businesses don’t consider these risks, which can be detrimental to their business.
Can you provide an example of a risk and a control?
A simple one is a cash flow risk. For example, you can request a deposit upfront from your customers before you do the work, depending on the type of work or service that you render, or you could perform a credit assessment on your customers as a control measure to make sure they will be able to pay you once the work has been completed or the services rendered.
What is the difference between strategic risks and operational risks?
Strategic risks pose a threat to the strategic objectives of the company. Here, we look at the reason the company exists, the high-level plans that management wants the company to achieve, and what might deter the company from achieving these plans.
An example of strategic risk is technological changes that threaten your business model. In managing this risk, how quickly or swiftly the organisation responds to changes in the technology space, including flexing some of its objectives, is part of the decisions management has to take to ensure that this risk is managed.
Another example is one of the models a business has chosen to use in delivering its offering. Let’s say a restaurant starts out with a plan to only serve food to sit-in patrons and not do takeaways or deliveries. Looking at the impact of lockdown and Covid-19 restrictions, a strategic question to be addressed by its owners would be whether to shut down the business while the restrictions persist or consider other means of delivering the service, such as introducing takeaway or drive-throughs, to sustain its business.
Operational risks, on the other hand, affect an organisation’s ability to execute its strategic plan. For these risks, the company introduces systems of internal controls to manage these risks.
What would you say are emerging risks?
Emerging risks are risks that are developing that could be material and have a significant negative impact on an entity. The characteristic of these risks is that they are complex compared with your normal operational risks because they are ever-changing. Sometimes there isn’t enough historical data to be able to quantify their impact or the sustained loss they could cause the business.
For example, the pandemic is an emerging risk that has revealed a lot of other risks and weaknesses in a business. You don’t know the timing, how long it’s going to last, or if your business can survive, especially if it’s Covid-19 sensitive such as an events company. How do you begin to prepare for such a risk and which areas should you focus on? How much should you invest in it? What is the return vs the risk, and what are the benefits for your company having invested in those risk management strategies as a business?
Other than Covid-19, are there any other big risks that are emerging globally we need to be considering?
Fraud risk is on the top of my list. It affects the public as well as businesses. This risk has increased because people are desperate as a result of economic pressures.
Now an opportunity or an incentive to commit fraud has been worsened by relaxing controls that were designed to manage fraud risk in the companies. The shift from working from office to home has compromised the level of approval and authorisation controls designed to detect and manage fraud risk. Fewer people are now being used in a control process than before and entities have not really revised their operational internal controls to align with the remote working policies.
For us as auditors, we find that the risk due to fraudulent financial reporting is also heightened because management wants to overstate profits that have suffered because of Covid-19. To manage this, we are required to assess the risk of fraud at the planning stage of the audit.
Second to that is the risk relating to data protection and cybersecurity. With several people working from home, the data and information security of companies are exposed and some businesses have not been able to swiftly adopt a remote working model because they do not have controls in place to ensure the security of their information.
With the introduction of the Protection of Personal Information Act (Popia), businesses may also find themselves breaching their own policies in how they use and store data. For example, if data is used outside business premises, for example at home, is it covered by Popia?
This article was paid for by Saica.