How do entrepreneurs manage business risk?

When I saw this question pop up in my “People also searched for…” list of a Google search the other day my immediate, somewhat flippant, response was: “very badly”. But the more I thought about it the more I began to feel that the answer was, as any good agile coach or scrum master would say: “it depends”.

It depends on how you evaluate a risk management system.

If you evaluate it by the presence of policies and guidelines, appetite statements, governance forums and reporting, issue and action management frameworks and risk profiles then for the most part, yes, they tend to manage it very badly. But if business is all about managing risk (and it is) and the success of your business depends on how well you manage that risk (which often it does), then the fact that at least some entrepreneurs are successful must mean that there is a degree of success in their risk management approach – even if by accident.

The thing about most entrepreneurs, in my experience anyway, is that they don’t think about risk as a thing – it is entwined in the very fabric of their business because much of the decision making is very closely held by the entrepreneur themselves. This model works for them because they don’t need a widely distributed set of frameworks, policies or appetite statements. They hold all of these in their head – not so much in a specific metric or threshold, but in a gut feel of comfort – and they use this gut feel frequently when making day to day decisions in their business. In reality, they are managing risk in their business without even knowing it.

But… – there’s always a “but” – there are two flaws with this approach, and how big they are probably depends on the type of industry or business that the entrepreneur finds themselves in.

One of the challenges for (and most frequent criticisms of) entrepreneurs is that they spend an inordinate amount of time working IN their business and insufficient time working ON their business. This is often due to a desire to minimise costs, so they do more work themselves rather than employing staff – and that is completely understandable. What it often means, though, is that entrepreneurs don’t get much warning of challenges in their business because they haven’t spent the time to develop or understand the key metrics or indicators that could tell them when things are not fully on track. As a result, many entrepreneurs run their businesses in a state of persistent crisis, lurching from one potential disaster to the next. Sometimes they get it right and sometimes they aren’t so lucky. Subtle indicators that could alert them to problem areas in parts of their business that they aren’t necessarily focused on at the time would allow them to make decisions to correct or solve problems before they become crises. The result is an overall smoother operation, with more sustained focus and attention on what matters and less distraction from the latest crisis.

The second flaw with this approach is that if you are making decisions based on gut feel then your decisions will vary based on how your gut happens to feel at the time – with no clearly articulated or documented parameters. This results in inconsistent decision making, and what felt like a good decision today may not tomorrow. You could even be presented with the same, or a similar, situation at different times and end up with two completely different decisions, resulting in two completely different outcomes, and have no idea why you did what you did.

Many businesses, small and large, pride themselves on their agility, their ability to be nimble and adapt deftly to the circumstances and obstacles that are presented to them. If you follow the principles of lean six sigma or agile or any number of other efficiency processes, you will know that they all share a dogma around minimising task switching as a pathway to efficiency in the way the brain approaches work.

I recall attending a post incident review meeting at a large organisation I was working with on one occasion, and the comment was made that we should be careful about introducing a risk assessment step ahead of a significant change because the engineers were all busy and this would distract them and take up their time. I looked around the room and couldn’t help but draw attention to the number of people sitting around the table and on the phone, their roles in the organisation and what their hourly rate must be for the hour or two that the meeting was scheduled for. Robust risk assessment may be a distraction at the start of the process, but it’s not nearly as distracting, time consuming or expensive as fixing the problem afterwards.

The same can be true for entrepreneurs or small businesses in general. Establishing robust risk frameworks and clearly articulated appetite settings (coupled with good and regular reporting and analysis of the same) can all sound very over the top and time consuming, but often it is not nearly as time consuming as fixing the problems presented after the fact – because you didn’t notice a problem in time, or because you lost good staff who got tired of the state of constant crisis, or of the inconsistency they were operating within as the basis of decisions seemed to change from hour to hour and day to day.

Therein lies the trick to good risk management. You can’t (and shouldn’t) just lift and drop a standard solution from one business to the next. It needs to be tailored to suit the needs, the size and scale of your business and the entrepreneur is pivotal to that process – because NOBODY knows the business as well as you do.


Risk Strata is a sound risk advisor and partner that you can trust to help you work through these complexities and the process to understand your business risk, articulate your risk appetite, build appropriate risk metrics and implement right sized risk policies and processes. We specialise in supporting small and medium businesses with outsourced risk management services. Send us a message from our Contact page if you’d like to have a more detailed discussion in confidence.

5 Fraud tips every business leader should act on

It’s International Fraud Awareness Week – how well do you respond to the risk of fraud in your business?

Understanding the risk and having ideas to act are a good start – we can help you develop a plan to turn those ideas into real actions and controls that can protect your business. Contact us to set up a time for us to talk through your business risk and see how we can help.

Who is my risk?

In the last week or two I’ve worked with a company where people presented a real risk and heard about a friend who was approached by their current employer in an effort to manage people risk. There’s an irony in the fact that as much as people often present the biggest threat to our business, they are also often cited as a business’ biggest asset (of course with that trust comes risk in itself, but that’s a whole other topic and not what I want to get into today).

The first situation was a company with a number of staff who had been around for a long time. A new senior leader had been appointed and they were, naturally, wanting to make their mark and introduce change. They found some of the older staff to be quite resistant to some of their changes. They saw them as belligerent, almost as troublemakers. Where the new leader was trying to introduce efficiency and streamline processes, they doggedly hung on to redundant calculations and reporting.

I don’t think this is an uncommon position for many businesses, particularly in situations where there has been a reasonable turnover in senior management and new people come in.

The problem became quite severe, to the point where the older staff were not threatened exactly (I don’t think that would be fair), but tensions were rising in the direction of disciplinary conversations. After a few conversations it turned out that with the high turnover in the senior leadership of the business, some understanding of context had been lost. The processes that those staff were hanging onto were inefficient and redundant, yes, but they were being done because of an earlier agreement with the regulator, which required that process to be undertaken.

Because so many of the senior team were new, they were not aware of this and whilst they felt they had listened to the protests of the staff, they hadn’t understood the severity of stopping the process. Whilst the actions of those staff had seemed stubborn and difficult, they had actually been protecting the company from a breach and a possible fight with the regulator. Subsequently those processes could be raised with the regulator and renegotiated. The point here is that the staff who had seemed like a risk were actually saving the business.

It’s all well and good to bring new people in – fresh ideas, fresh thinking, etc – particularly when there has been some oversight or problem that has resulted in the incumbent leadership leaving and creating the space for new people. But it’s often a mistake to think that those who have longevity with the business are “part of the problem”. Tarring an entire staff with the mistakes of one or two former leaders is usually a mistake in itself.

The second scenario related to a staff member in a, frankly, bloated and to some extent inefficient team where leadership didn’t really grasp the detail of the work being done. A number of key staff had recently left, and the staff member was one of the few people left who had the background and understanding of what needed to be done to keep the team running… but he was about to take extended parental leave. He received a phone call from a member of the organisation’s C-suite to check he was okay, to ensure he intended to return and to ask what they could do to look after him.

Ultimately, he said nothing, and all was okay – except it wasn’t. The staff member was unhappy. He was unhappy that the leadership wasn’t as strong or as knowledgeable as it had been, and he had seen how they had undermined and mistreated the competent leadership before it had departed (or been restructured out). So, what did he tell the C-suite executive? He told them it was all fine, he was happy and he would be back – when in actual fact he didn’t really want to return, but didn’t have options at the time.

So, now the C-suite is happy thinking they are secure with that staff member, and still blissfully unaware (or not caring) that the current leadership in that space remains alienating to staff (and frankly may not be that competent) all because of historical mistreatment of competent leadership when it had been in place.

So in this case, the staff member’s longevity is working against the business – they appear compliant, but really the things they’ve seen and heard leave them mistrustful and potentially a departure risk where the organisation now believes it is secure.

So, it’s not just about asking a question, but taking the time to listen – really listen. Leaders like to lead, to be in charge and to be seen or perceived to have the answers, but this can be quite alienating and, in the end, the staff you thought were being stubborn and resistant may have been saving your bacon, and the staff you thought were secure may actually have been afraid to speak out.

What you do and say matters and staff have long memories.

Do you have key people with key knowledge in your business? People who perhaps have a deep understanding of why things are done – not just that this is how it’s done? People who have survived extensive and multiple changes in the organisation?

How do you manage key person risks in your business? Not just the risk that they may leave, and their knowledge goes with them, but the risk that they have knowledge that isn’t documented and may get lost in the mists of time. The why is often even more important than the what and the how.


Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.

Returning to appetite

In a few of these blog posts I’ve referred to a risk appetite. There’s no way I’m going to try to sell you that an appetite for risk is comparable to a tasty morsel of any sort. All businesses carry some degree of risk – the risk appetite is how much you’re prepared to carry in your business. The risk you’re prepared to carry is called the residual risk, and the risk that exists assuming you do nothing about it is called the inherent risk. It’s very rare that you would find (or should accept) that the risk in the environment (inherent) is what you’re prepared to accept – because it means you’ve either underestimated that risk or you’re over-exposed. To bring the risk down from inherent to residual requires you to invest time or money in planning or building contingency and controls for your business. The work associated with doing that is often called a “Return to Appetite” plan – because you’re bringing the risk to within your acceptable appetite.

A “Return to Appetite” plan (or RTA) usually includes outlining some key measures or metrics that will be tracked to tell you when you have achieved your return and are now within appetite.

In my experience chasing the numbers is a horrible strategy, because once you achieve the numbers it can often result in complacency, where you linger under the false belief that the numbers are good so everything is fine – but what if the numbers have missed something? Don’t misunderstand me – you absolutely need the numbers to keep you honest and help you to monitor progress, but it’s a far better strategy to build a good framework, implement discipline and a strong risk culture – start doing the right thing and the numbers will gradually start to improve organically. Chasing numbers for numbers’ sake means the depth of culture and improvement is not there and your return is superficial. You’ll end up in a constant cycle of being within appetite, then dropping out, then returning, then dropping out again.

Building discipline around frameworks, processes and systems is a much more enduring strategy, and with that increased rigour you’ll see the numbers improve on their own. Manage risk appropriately because you want to manage it well for your business, not because you’re just trying to make some box on a chart turn green.

To be honest, that oversimplifies what’s involved in a good RTA. A good RTA requires a thorough understanding not only of the risks of the business and the appetite settings, but also of the controls, the state of those controls and the reporting. Essentially an RTA is a litmus test of the entire end to end risk management environment within a business, and then, on top of that, identifying the work or tasks required to improve the environment. All of this sounds like a lot of work and expense – and it can be – but how much work is up to you. You can adjust the appetite to, say, do less work, but then be prepared to accept more risk: if an event were to occur, you would absorb the impact of that event on your business. Ultimately the appetite setting is yours and the RTA should be integrated with your business risk profile. So how well do you understand either of those for your business?

Remember it’s quite possible that not all risks will be out of appetite for your business at the same time. The first time you do the exercise, yes, it may be a lot of work and could be expensive. There’s a peace of mind that comes with that, and following that initial success an annual review and minor tweaking should be all that’s required. It’s really only inaction or material change to your business or environment that would lead to a major piece of work like that again.



The Risk Onion

Over the last few weeks there have been numerous reports in the news media of ram raids and similar delinquency targeting a range of businesses, including small businesses. It got me to thinking about controls. There was one comment, in particular, from the owner of a chain of shops, with reference to ram raids. He said: “…forget about bollards [in front of shop doors], if they can’t crash through the door with a vehicle, they will take a hammer to the door instead…” [or words to that effect].

My initial reaction was a thought back to an old cyber-security lecturer I had, who suggested that there was no such thing as an infallible cyber-security mechanism. In cyber-security, just as in your own house, the determined burglar will find a way in – the best your security arrangements can do is to make the effort unpalatable, or slow them down sufficiently for you to take action. As I thought about that (I don’t know why I was surprised), it resonated with a general concept of risk management that I have reminded people in business of countless times. The purpose and object of controls is not to stop the risk from eventuating, but to contain it within an acceptable appetite.

In reality you wouldn’t just rely on a single control to protect your computer network or your house, but you would have layers of controls for that protection – the same is true for your business – you have layers of controls to protect against risks. In saying that, again, those controls are not designed to stop the risk from happening – you could do that, but it’s likely the controls would be extremely restrictive on your business.

You might have a username and password on your computer. That’s one layer. Perhaps you have a firewall. That’s another layer. Maybe remote access is controlled by a VPN. That’s another layer. You may operate intrusion prevention software. That’s another layer. For your house, you likely have locks on your doors. Perhaps you also have locks on your windows. You might have a burglar alarm. You could implement retinal scans, guard dogs, security patrols, electrified fencing and rotating invisible laser beams to detect movement or foreign bodies, but the cost of doing so – and the inconvenience – may well exceed what the risk warrants, or outweigh the benefit of simply buying insurance. This is an example where a significant number of controls are available, but our appetite to defend against the risk doesn’t extend so far as to incur that level of cost or inconvenience.

So, if you are facing an increase in ram raids, bollards may not stop them, but they do likely represent the first layer in your defensive controls. How far you go to implement additional layers of control depends on your appetite to defend against the robbery.

