How do entrepreneurs manage business risk?

When I saw this question pop up in the “People also searched for…” list of a Google search the other day, my immediate, somewhat flippant, response was “very badly”. But the more I thought about it, the more I began to feel that the answer was, as any good agile coach or scrum master would say, “it depends”.

It depends on how you evaluate a risk management system.

If you evaluate it by the presence of policies and guidelines, appetite statements, governance forums and reporting, issue and action management frameworks and risk profiles, then for the most part, yes, they tend to manage it very badly. But if business is all about managing risk (and it is), and the success of your business depends on how well you manage that risk (which it often does), then the fact that at least some entrepreneurs are successful must mean there is a degree of success in their risk management approach, even if by accident.

The thing about most entrepreneurs, in my experience anyway, is that they don’t think about risk as a separate thing; it is entwined in the very fabric of their business, because much of the decision making is closely held by the entrepreneur themselves. This model works for them because they don’t need a widely distributed set of frameworks, policies or appetite statements. They hold all of these in their head, not as a specific metric or threshold but as a gut feel of comfort, and they use that gut feel frequently when making day-to-day decisions in their business. In reality, they are managing risk without even knowing it.

But (there’s always a “but”) there are two flaws with this approach, and how big they are probably depends on the industry or type of business the entrepreneur finds themselves in.

One of the challenges for (and most frequent criticisms of) entrepreneurs is that they spend an inordinate amount of time working IN their business and insufficient time working ON their business. This is often driven by a desire to minimise costs, so they do more of the work themselves rather than employing staff, and that is completely understandable. What it often means, though, is that entrepreneurs get very little warning of challenges in their business, because they haven’t spent the time to develop or understand the key metrics or indicators that could tell them when things are not fully on track. As a result, many entrepreneurs run their businesses in a state of persistent crisis, lurching from one potential disaster to the next. Sometimes they get it right and sometimes they aren’t so lucky. Subtle indicators that flag problems in the parts of the business they aren’t focused on at the time would let them correct or solve those problems before they become crises. That makes for a smoother operation overall, with sustained focus and attention on what matters rather than on the latest crisis.

The second flaw is that if you make decisions on gut feel, your decisions will vary with how your gut happens to feel at the time, with no clearly articulated or documented parameters. The result is inconsistent decision making: what felt like a good decision today may not tomorrow. You could be presented with the same, or a similar, situation at different times, make two completely different decisions with two completely different outcomes, and have no idea why you did what you did.

Many businesses, small and large, pride themselves on their agility: their ability to be nimble and adapt deftly to the circumstances and obstacles presented to them. If you follow the principles of lean six sigma, agile or any number of other efficiency processes, you will know that they all share a dogma around minimising task switching as a pathway to efficiency, because of the way the brain approaches work.

I recall attending a post-incident review meeting at a large organisation I was working with on one occasion, and the comment was made that we should be careful about introducing a risk assessment step ahead of a significant change because the engineers were all busy and this would distract them and take up their time. I looked around the room and couldn’t help but draw attention to the number of people sitting around the table and on the phone, their roles in the organisation and what their hourly rate must be for the hour or two that the meeting was scheduled for. Robust risk assessment may be a distraction at the start of the process, but it’s not nearly as distracting, time consuming or expensive as fixing the problem afterwards.

The same is true for entrepreneurs and small businesses in general. Establishing robust risk frameworks and clearly articulated appetite settings (coupled with good, regular reporting and analysis of the same) can sound very over the top and time consuming. It is often far less time consuming than fixing the problems that surface after the fact because you didn’t notice a problem in time, or because you lost good staff who got tired of the constant crisis, or of the inconsistency they were operating within as the basis for decisions seemed to change from hour to hour and day to day.

Therein lies the trick to good risk management. You can’t (and shouldn’t) simply lift a standard solution from one business and drop it into the next. It needs to be tailored to the needs, size and scale of your business, and the entrepreneur is pivotal to that process, because NOBODY knows the business as well as you do.


Risk Strata is a sound risk advisor and partner that you can trust to help you work through these complexities and the process to understand your business risk, articulate your risk appetite, build appropriate risk metrics and implement right sized risk policies and processes. We specialise in supporting small and medium businesses with outsourced risk management services. Send us a message from our Contact page if you’d like to have a more detailed discussion in confidence.

The Importance of Risk Profile Assessment in Business: Factors to Consider

What is the biggest risk to your business?

Do you know? Do you know how you are currently controlling it or managing it? Do you know how severe it is or what effect it could have on your business if it were to happen?

In today’s dynamic and uncertain business environment, understanding and managing risks effectively is crucial to the success and sustainability of any organization. A risk profile assessment is a fundamental tool for identifying, evaluating and mitigating potential risks. Combined with the key risk indicators in your risk appetite statement and an evaluation of your control environment, it gives you an effective benchmark of how well you are managing your business and how effective your controls are. By analyzing risks systematically, organizations can make informed decisions, allocate resources efficiently and enhance their overall risk management.

Importance of a risk profile assessment

A comprehensive risk profile assessment starts with identifying the risks that apply to the business. These can be grouped into categories and sub-categories to build a map of risks that covers the entire scope of the business. Assessing each risk at the most granular level possible and then aggregating up through each level above gives senior managers a clear understanding of where their operations are most vulnerable and where the greatest and most important improvements are required.

A good risk profile should cover a range of both internal and external risk factors: staff theft or data loss, compliance breaches or regulatory changes, technology and cyber disruptions or practice failures, and strategic business risks.

Strategic decision making

Understanding the risk landscape is essential to strategic decision making. A risk profile assessment provides critical insights into the risks associated with new ventures, investments or expansion plans. By evaluating risks and their potential consequences, businesses can make well-informed decisions, weigh potential rewards against risks and develop appropriate mitigation strategies. This proactive approach increases the likelihood of successful outcomes and reduces the chance of unexpected setbacks.

Risk appetite

Before you even begin to assess each risk, you need to determine your risk appetite. Risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives, while risk tolerance is the organization’s ability to withstand potential losses. By aligning risk management with the organization’s appetite and tolerance, a business can strike a balance between risk-taking and risk mitigation.

The trick is to articulate, simply and effectively, a definition of the risk appetite that can be used to assess risks at different levels: at what point does a risk become material, or even catastrophic, to your business? This is the first step in building the map against which you measure the risks, often called a 5-by-5 (5 x 5) matrix or a heatmap. It plots the likelihood of a risk eventuating within the next 12 months against the impact of the risk should it eventuate, giving the risk a position on the heatmap. Your appetite determines which cells of the map count as Low, Medium, High or Very High, so the same coordinates can be rated differently by a business with a different appetite.

The impact of a risk should be assessed against the factors that matter to your business and what the consequence would be for each of them. These could be financial consequences, regulatory consequences, customer impacts, staff impacts or other factors that could affect your operations or wider reputation.

By evaluating risks based on their likelihood and potential impact, organizations can prioritize their mitigation efforts and allocate resources accordingly.

Inherent and Residual Risk

For each risk it’s worth evaluating both the inherent and residual risk positions. This helps assess whether the control environment put in place to contain the risk is sufficient. Controls aren’t about stopping bad things from happening in your business; their purpose is to contain those bad things within your appetite.

Inherent risk is the assessment of the likelihood and impact of the risk, across each of the impact categories, in the absence of any controls. Residual risk is the assessment of the likelihood and impact once controls have been taken into account. As part of this you should consider the state of each individual control and whether, collectively, the controls are effective, require improvement or are wholly unsatisfactory. That guides how much they reduce the likelihood or impact of the risk should it occur: a control that exists on paper but isn’t operating should earn no reduction at all. You should also consider any work underway to fix controls, and any incidents, and what effect they have on the risk or the controls.

By comparing the inherent and residual positions on the heatmap or matrix you can determine whether the risk is sufficiently contained within your appetite, and then focus on monitoring it until your next assessment.
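The heatmap scoring and the inherent-versus-residual comparison described above, worked through in code. This is an added example, not code from the original post or from Risk Strata: the heatmap cells, the impact categories, the credit each control state earns and the two sample risks are all assumptions chosen for illustration, and a real business would set its own.

```python
"""Scoring a risk register on a 5 x 5 likelihood/impact heatmap.

Added example, not code from the original post. The heatmap cells, impact
categories, control credits and sample risks are illustrative assumptions.
"""
import math
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# The appetite expressed as a map: HEATMAP[likelihood - 1][impact - 1] is the
# rating. It is deliberately not a plain product of the two scores: a rare but
# catastrophic event is still rated High in these (assumed) settings.
HEATMAP = (
    # impact:  1         2         3         4            5
    ("Low",    "Low",    "Medium", "Medium",    "High"),       # 1 rare
    ("Low",    "Low",    "Medium", "High",      "High"),       # 2 unlikely
    ("Low",    "Medium", "Medium", "High",      "Very High"),  # 3 possible
    ("Medium", "Medium", "High",   "Very High", "Very High"),  # 4 likely
    ("Medium", "High",   "High",   "Very High", "Very High"),  # 5 almost certain
)
RATING_ORDER = ("Low", "Medium", "High", "Very High")
APPETITE_LIMIT = "Medium"  # assumed: worst residual rating the business will carry

# Credit a control earns towards its stated reduction, by assessed state.
# An unsatisfactory control earns nothing, so it cannot lower the residual rating.
CONTROL_CREDIT = {"effective": 1.0, "requires improvement": 0.5, "unsatisfactory": 0.0}


@dataclass
class Control:
    name: str
    state: str                   # key of CONTROL_CREDIT
    reduces_likelihood: int = 0  # steps on the 1..5 scale if fully effective
    reduces_impact: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str              # key of LIKELIHOOD
    impacts: dict                # impact category -> key of IMPACT
    controls: list = field(default_factory=list)


def rating(likelihood_score: int, impact_score: int) -> str:
    """Look up the heatmap cell for a (likelihood, impact) coordinate."""
    return HEATMAP[likelihood_score - 1][impact_score - 1]


def inherent(risk: Risk) -> tuple:
    """Position with no controls. The worst consequence across the impact
    categories sets the impact score (assumed: rate on the most serious
    consequence, not an average of them)."""
    worst = max(IMPACT[label] for label in risk.impacts.values())
    return LIKELIHOOD[risk.likelihood], worst


def residual(risk: Risk) -> tuple:
    """Position once controls are credited according to their state. Partial
    credit accumulates across controls and is rounded down, so two half-effective
    one-step controls earn one step between them. Scores never drop below 1 and,
    since credit is never negative, residual can never sit above inherent."""
    like, imp = inherent(risk)
    like_cut = math.floor(sum(CONTROL_CREDIT[c.state] * c.reduces_likelihood for c in risk.controls))
    imp_cut = math.floor(sum(CONTROL_CREDIT[c.state] * c.reduces_impact for c in risk.controls))
    return max(1, like - like_cut), max(1, imp - imp_cut)


def assess(risk: Risk) -> dict:
    """Compare the inherent and residual positions against the appetite limit."""
    inh, res = inherent(risk), residual(risk)
    res_rating = rating(*res)
    return {
        "risk": risk.name,
        "inherent": inh, "inherent_rating": rating(*inh),
        "residual": res, "residual_rating": res_rating,
        "within_appetite": RATING_ORDER.index(res_rating) <= RATING_ORDER.index(APPETITE_LIMIT),
    }


def out_of_appetite(risks: list) -> list:
    """Names of risks whose residual rating exceeds the appetite limit."""
    return [a["risk"] for a in map(assess, risks) if not a["within_appetite"]]


# Constructed sample register, not real data.
RISKS = [
    Risk("Customer data loss", "possible",
         {"financial": "minor", "regulatory": "major", "customer": "major", "reputation": "major"},
         [Control("Encrypted offsite backups", "effective", reduces_impact=2),
          Control("MFA on administrator accounts", "effective", reduces_likelihood=1),
          Control("Quarterly access reviews", "requires improvement", reduces_likelihood=1)]),
    Risk("Key supplier failure", "likely",
         {"financial": "major", "customer": "moderate"},
         # Agreement drafted but never signed, so it earns no credit.
         [Control("Second-source supply agreement", "unsatisfactory", reduces_impact=2)]),
]

if __name__ == "__main__":
    for a in map(assess, RISKS):
        flag = "within" if a["within_appetite"] else "OUT OF"
        print(f"{a['risk']}: inherent {a['inherent']} {a['inherent_rating']} -> "
              f"residual {a['residual']} {a['residual_rating']} ({flag} appetite)")
    print("Bring back within appetite:", out_of_appetite(RISKS))
```

Two design points are worth noticing. The appetite lives in the map itself rather than in a formula, which is why a rare but catastrophic cell can still be High: the cell values are the appetite statement made concrete. And an unsatisfactory control earns zero credit, so a risk whose only control exists on paper keeps its inherent position and shows up on the list of risks to bring back within appetite.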

Resource Allocation

Limited resources are a common challenge for businesses. A risk profile assessment helps organizations allocate their resources effectively by identifying risks that require immediate attention and those that can be managed or accepted without significant impact. By focusing resources on critical risks, businesses can enhance their ability to respond to potential threats, minimize losses, and maximize returns on investment.

Stakeholder Engagement

Engaging key stakeholders, such as leaders and employees, is crucial during the risk profile assessment process. Stakeholders often possess valuable insights into potential risks and their consequences. Their involvement not only enhances the accuracy of risk assessments but also improves risk communication and fosters a risk-aware culture within the organization.

A robust risk profile assessment is a vital component of effective risk management in businesses. By identifying and evaluating potential risks, organizations can proactively develop strategies to mitigate risks or exploit opportunities with a deeper understanding of their relative strengths and weaknesses.

Whilst the taste of a risk profile given above may sound complex (and it can be), a lot of the groundwork is a one-off effort which, if done well, can be reused at each quarterly or annual review cycle.


Risk Strata is a sound risk advisor and partner that you can trust to help you work through these complexities and the process to complete a risk profile and understand your business environment better. We can also recommend ways to build, enhance and map controls to protect your business and close vulnerabilities. Send us a message from our Contact page if you’d like to have a more detailed discussion in confidence.

Returning to appetite

In a few of these blog posts I’ve referred to a risk appetite. There’s no way I’m going to try to sell you that an appetite for risk is comparable to a tasty morsel of any sort. All businesses carry some degree of risk; the risk appetite is how much you’re prepared to carry in your business. The risk that exists if you do nothing about it is the inherent risk, and the risk that remains once your controls are taken into account is the residual risk. It is the residual risk that needs to sit within your appetite. It’s very rare that you would find (or should accept) that the inherent risk is what you’re prepared to accept, because it means you’ve either underestimated that risk or you’re over-exposed. Bringing the risk down from inherent to residual requires you to invest time or money in planning or building contingency and controls for your business. The work involved in doing that is often called a “Return to Appetite” plan, because you’re bringing the risk back within your acceptable appetite.

A “Return to Appetite” plan (or RTA) usually sets out the key measures or metrics that will be tracked to tell you when you have achieved your return and are now within appetite.

In my experience chasing the numbers is a horrible strategy, because once you achieve the numbers it often results in complacency: you linger under the false belief that the numbers are good, so everything is fine, but what if the numbers have missed something? Don’t misunderstand me, you absolutely need the numbers to keep you honest and to monitor progress, but it’s a far better strategy to build a good framework, implement discipline and a strong risk culture, and start doing the right thing; the numbers will then gradually improve organically. Chasing numbers for their own sake means the depth of culture and improvement is not there and your return is superficial. You’ll end up in a constant cycle of being within appetite, then dropping out, then returning, then dropping out again.

Building discipline around frameworks, processes and systems is a much more enduring strategy, and with that increased rigour you’ll see the numbers improve on their own. Manage risk because you want to manage it well for your business, not because you’re trying to make some box on a chart turn green.

To be honest, that oversimplifies what’s involved in a good RTA. A good RTA requires a thorough understanding not only of the risks of the business and the appetite settings, but also of the controls, the state of those controls and the reporting. An RTA is essentially a litmus test of the entire end-to-end risk management environment within a business, on top of which you identify the work or tasks required to improve that environment. All of this sounds like a lot of work and expense, and it can be, but how much work is up to you. You can raise the appetite and do less work, but then you are accepting more risk: if an event occurs, you have chosen to absorb its impact on your business. Ultimately the appetite setting is yours, and the RTA should be integrated with your business risk profile. So how well do you understand either of those for your business?

Remember, it’s quite possible that not all of your risks will be out of appetite at the same time. The first time you do the exercise, yes, it may be a lot of work and could be expensive. There’s a peace of mind that comes with that, and after that initial success an annual review and minor tweaking should be all that’s required. It’s really only inaction, or a material change to your business or environment, that would lead to a major piece of work like that again.


Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.

Risk reporting and KRIs

At one point or another, either while in business or considering starting a business, I’m sure you’ve all had friends or advisors nod sagely, take on a serious look, lean in towards you and knowingly quote that advice often attributed to Peter Drucker, the renowned management theorist, though usually passed off as their own: “Remember, what gets measured gets done” or “What gets measured gets managed”.

What they’re really advising is that measuring and reporting on things helps you gain or maintain focus on the key areas of any business. As painful as reporting can sometimes be, it can equally be exceptionally helpful as a lead indicator to shape strategy and prepare the business for upcoming challenges and opportunities. Those challenges and opportunities often contain, or are themselves the manifestation of, risks in the environment or the business, so measures and reports are particularly useful tools for managing the risks in your business.

But what should you measure and how often should you measure it? And once you’ve decided on the things you’re measuring how much effort do you need to keep them within the parameters or appetite you’ve set?

There’s a lot to unpack in those two questions, and it would be very easy to slip into another adage often quoted with similar sagely attribution, Parkinson’s law: work expands to fill the time available for its completion. In other words, when is enough measurement and reporting enough?

Generally, my sage advice is to build good frameworks and systems. Think about them and build them when you don’t need them, and then trust them to get you through the tough times. When building those systems, think about what they are trying to protect and what key metrics could indicate that something is going wrong. These are not necessarily financial measures; they are specific metrics that tell you about the health of your business or the processes in place. They could be anything from a drop in the volume of customer enquiries to an increase in the number of customer complaints, or from an upward trend in debtor days (how long customers take to pay) or unpaid invoices to an increase in the number of days of stock on hand.

Now the first question is: are you even measuring or tracking those things? If you haven’t heard of these sorts of measures, you might want to consider that perhaps you don’t know your business as well as you thought you did, or as well as you should. There’s a difference between managing your business with purpose and reacting to the environment (even if that environment sometimes organically brings you new customers).

Once you’ve decided what the important measures are in your business, think about how nimble you want to be when it comes to “steering the ship” (there’s another analogy for you). When you drive your car, the dashboard presents information to you in real time so that you can make immediate decisions to adjust your driving and protect yourself and your vehicle from a catastrophe, or from enforcement activity (the regulator). The same is true for a business. The reports need not be long paper narratives; they could be simple dashboards that let you make decisions to change behaviour and protect yourself and your business from a catastrophe or from regulatory action.

The urgency with which you need to make adjustments, balanced against the effort to produce the report or dashboard, might mean that you only want a report monthly, or even quarterly, but this reporting is important. It gives you comfort that the frameworks you’ve put in place are working as intended to protect you, and it informs the decisions you need to make to protect your business: if not to prevent a risk from manifesting in the first place, then at least to minimise the harm if it does.

Ultimately, when it comes to risk you can either manage it or pretend it’s not there. If you don’t measure it, you’ll never know how exposed you are or how serious it is. You may continue blissfully unaware, but you also run the risk of missing opportunities to take corrective action until it’s too late, and the consequences of that can be catastrophic. “What gets measured gets done (or managed)”.

A good risk advisor can help you build those frameworks and identify the key indicators and measures you need to track to tell you what you want to know about your business and how to use them effectively to make good decisions to manage the risk and to keep your business on track.

Of course, on the other hand, you could always just lock the doors and pull out all the plugs and then you won’t have any risk any more. Of course, you also won’t have any business left either…

