Accessibility A A A A

Dealing with risk

Why is risk management important?

Things don’t always go according to plan: a company’s sales manager changes employment in the middle of an important project, a packaging machine breaks down, a lathe operator breaks his leg during a skiing holiday, a subcontractor goes bankrupt…life is full of surprises.

When harmful events occur, it is often due to a lack of skill and awareness training to prevent them. Risks are also sometimes taken deliberately. We know taking shortcuts can lead to trouble – but the chance to save time and effort is tempting. Quite often things go well, but occasionally, risk taking leads to accidents. The likelihood of harm occurring and the severity of the consequences is called risk.

Business risks are an integral part of business activities. For example there is always uncertainty about whether customers will buy a new product. On the other hand, taking a business risk may provide an opportunity for success. Good business risk management improves the chances of success and reduces the consequences of failure.

Risks should be assessed and kept under control. In unfavourable circumstances, even a minor disturbance could set off a chain of events that may threaten the existence of a company. In this respect, small companies are more vulnerable than large ones. Sorting out problems can fully occupy key personnel and they may not have the expertise to manage the situation to ensure the company survives. The narrowness of decision making, customer base or product range in a typical small company significantly increases the risk of failing.

Taking part in the identification of hazards and control of risks helps employees gain a better understanding of work tasks and how their work relates to the company as a whole. This can improve job satisfaction.

Risk management is therefore about ensuring the continuity of a business and the well being of its employees and covers all actions that aim to reduce the adverse effects of risk on a company.

The most sensible approach to risk management is to take a close look at all the risks you’re exposed to, then to control all your ‘significant risks’.

Risk management is affected by:

  • the legal requirements in your field of operation
  • any legal requirements that apply to your product in countries you export to
  • the standards and practices your business is committed to
  • the safe and responsible disposal of any chemicals you use
  • the standards required from you by your insurance company
  • record-keeping for accountancy purposes
  • the need for employees to understand quality control requirements.

The law sets minimum standards of risk management for business that you must meet. If you follow the law, the risk of legal consequences is reduced and offers your business protection by placing similar obligations on your customers, suppliers and competitors.

When you meet the basic legal requirements of risk management, co-operating with the authorities is also easier. This establishes a good foundation on which you can continue to develop effective risk management. Meeting the requirements that apply to your operations and products gives out a positive signal to customers, business partners, employees and other stakeholders, and is good for your reputation.

The risk management cycle

Five steps to risk assessment

The HSE outlines the five steps of risk assessment as:

  1. Identify the hazards
  2. Decide who might be harmed and how
  3. Evaluate the risks and decide on controls
  4. Record your findings and implement them
  5. Review your assessment and update if necessary

Identifying hazards

Identifying hazards is the starting point of risk management. If you don’t identify hazards, you can’t manage your risks.

To identify hazards, your managers and employees need to co-operate. You also need to get the views of people who have expertise in, and experience of, your work activities. Even though people are often ‘experts’ in their own work, their experience can sometimes get in the way when they’re identifying hazards, as they can get used to hazards and become complacent about risks. Examining hazards and risks with others often helps to give a fresh insight into how things really are.

Different views might arise about what kinds of issues are critical to your business’s operations. Discussing risks and examining your vulnerability from various angles – by involving different people – helps to achieve mutual understanding and support for future decisions and control measures.

You can improve co-operation by holding well-run meetings. The person in charge of the meeting should know a lot about risk management and the tools that are involved. All the hazards you identify should be written down so that you can plan, implement and monitor the control measures. The Routefinder will help you do this.

Don’t limit your search for hazards to the obvious ones. It’s also important to expose hazards that may not be apparent in everyday work, such as those in maintenance work and emergency situations.

Get into the habit of thinking about and examining problems as they happen, and look for the underlying causes. Accidents are often due to several contributory factors that happen at the same time.

Hazard identification and analysis methods

The Routefinder uses a series of questionnaires to help you identify hazards and risks.

Sometimes you’ll need to use specialist services to carry out complex hazard analyses. Specialists will be familiar with analysis methods and the general principles of risk management, and will know the hazards in their fields. You can get more information about different methods of analysis from insurance companies and health, safety and risk management consultants.

Gathering experiences and statistics

Hazardous events have probably already occurred in your business or businesses that are similar to yours, and it’s important to use this information to support your own risk management system. Enforcing authorities, insurance companies, trade associations and so on may be able to give you this information. In your own business, you should record information about incidents that have occurred, including any near misses. You can then learn lessons from these incidents and make sure they don’t happen again.

Many problems, big and small, have the same or similar underlying causes. By monitoring small problems and analysing their causes, it may be possible to find causes for serious problems and hazards, and therefore to prevent them.

Types of risk

Risks can be divided into categories (risk types), based on their character and on the activities they can have an impact on. Many risks belong to more than one category. Using these categories makes it easier to identify hazards and manage the risks. Some risk types are listed in the table below – which of them apply to your business?

Risk type Examples of hazardous events Possible consequences
  • Accident
  • Key person leaves the business
  • Employee suffers stress
  • Loss of work input
  • Loss of expertise
  • Ability to work is reduced
  • Demand for a product decreases
  • Customer can’t make payments
  • Production capacity doesn’t correspond to customers’ needs
  • Strain on finances
  • Anticipated income doesn’t arrive
  • Customers buy from a competitor
  • Fire in a production facility or shop
  • Water leak ruins stocks
  • Machine breaks down
  • Sizeable damage, production interrupted for weeks, possibly several months
  • Production and deliveries slow down or stop
  • Production slows down or stops
  • Computer hard disk breaks down
  • Register of customers is sold without permission
  • Information about the business is accidentally leaked
  • Order data is lost
  • Reputation of the business suffers, and competitor steals your customers
  • Competitiveness suffers
Operational liability
  • Employee makes a mistake with a product or service
  • Delivery to a customer is delayed
  • Liability for damages to a third party
  • Pay a contract penalty
Product liability
  • Product causes damage
  • Faulty product has to be withdrawn from the market
  • Pay compensation
  • Financial loss and reputation suffers
  • Power cut interrupts production
  • Delivery from a subcontractor is delayed
  • Imported raw materials are stopped at a neighbouring country’s customs
  • Operations stop
  • Production is interrupted
  • Capital is tied up and production is interrupted
  • Product is broken during transport
  • Transport vehicle is stolen
  • Financial loss
  • Deliveries aren’t made
  • Oil container breaks
  • Packaging proves to be unsuitable for recycling
  • Damaged reputation and liability for damages

Evaluating the level of risk

Risk = severity of harm x likelihood of harm

When you assess risks, it’s common to find more problems than you can fix at once. That’s why it’s important to prioritise and tackle your biggest risks first.

The level of a risk is determined by its likelihood and how bad the harm would be. Use the table below for estimating risks.

Likelihood of harm Severity of harm
Slight harm Moderate harm Extreme harm
Very unlikely Very low risk Very low risk High risk
Unlikely Very low risk Medium risk Very high risk
Likely Low risk High risk Very high risk
Very likely Low risk Very high risk Very high risk

How do you decide how severe the harm is?

Slight = such as a minor headache, temporary ill health, a minor bruise or eye irritation

Moderate = including partial hearing loss, dermatitis, asthma, work-related upper limb disorder, burn or minor fracture

Extreme = for example a fatal disease, amputations and major fractures, diseases that cause substantial disability

Adapted from BS 8800:2004

When you’re evaluating the level of a risk, you should pay attention to a number of things. For example:

  • How often do situations occur in work where accidents are possible? What contributory factors could be involved, for example rushing a job, poor working conditions, machinery that’s difficult to use?
  • What are the consequences of the accident likely to be? What could happen in the worst case? If an employee slips or falls over, there could be several possible outcomes, for example a minor injury, a serious injury or death. In the business world, a small delayed payment could lead to years of problems when trying to acquire credit.
  • How far would the consequences of the accident reach – how many people, tasks, machines, customers or product batches would be affected?
  • The indirect effects of an accident are often much greater than its immediate effects. If a computer breaks down, for example, repair costs may be relatively small, but the cost of the interruption to your production could be huge.

Risk control methods

There are many ways that risks can be controlled. The main aim should be to prevent loss or minimise the negative consequences. This means preventing accidents or reducing their effects. The control measures you need depend on the level and type of risk. Plan your control measures with the help of the following table.

Risk level Control measures to reduce the risk
Very low risk
  • The risk is so small that no control measures or records are needed – these risks are acceptable
Low risk
  • Control measures are not necessarily needed
  • Consider better solutions that don’t involve extra costs
  • Monitor the situation to keep the risk under control
Medium risk
  • Introduce control measures to reduce the risk – produce a timescale for implementing the controls
  • Consider the cost-effectiveness of the control measures
  • If very harmful consequences are foreseeable (such as serious injury, or fire in a production facility), re-examine the probability of the event
High risk
  • You may have to delay work or restrict activities until you’ve reduced the risk
  • You may need considerable resources to reduce the risk
  • Where work is in progress, take urgent action to reduce the risk
Very high risk
  • Don’t start work or continue working until you’ve reduced the risk, regardless of the cost of the control measures. If it’s not possible to reduce the risk, don’t start work

Controlling risk should start with a cost-effective control of the greatest risks to your organisation. But how much can you reasonably afford to invest in different loss prevention measures and insurance? Here, you have to estimate risk costs as a whole – consider how much risk management costs and what kind of benefits it can achieve.

Control measures that eliminate or reduce risks are referred to as ‘accident or loss prevention’. Typical risk management methods are listed below.

Methods Examples
Avoid the risk
  • Carefully vet potential business partners
  • Avoid driving when roads are icy – postpone non-essential journeys until it’s safer to drive
Reduce the risk
  • Install a fire alarm system and fire doors in a warehouse
  • Improve security against break-ins
  • Keep machines in good working order
  • Make regular back-up copies of data
  • Maintain good housekeeping in the workplace
  • Develop safe working procedures and give employees training
  • Arrange for back-up staff in case of illness
Transfer the risk
  • Subcontract potentially hazardous work to a trustworthy and skilled contractor
  • Buy insurance against fire
Keep the risk
  • Risks are a part of business – keep some risks and absorb any losses (this can also happen if you don’t fully identify your risks)


Principles of risk prevention

  • Accidents attributed to human error are often caused by job factors (such as poorly designed or maintained equipment), individual factors (for example low levels of competence) and organisational factors (including poor management and work planning). Because human beings make mistakes, you should anticipate them and minimise the consequences if they happen.
  • Accidents are often due to a chain of events. It’s best to influence the beginning of the chain by eliminating the cause or causes of the problem.
  • You should eliminate hazards in advance by ‘designing them out’. Make sure you assess hazards when you’re planning new things, such as building a new factory – correcting defects later on is always expensive.
  • Introducing control measures can positively influence both the likelihood of harm and its severity.
  • Different risks, and different levels of risk, require different approaches. You should always insure against high risks that can affect your operations.


Complete protection against losses isn’t possible. However, it’s possible to share the financial impact of many risks through insurance. Insurance is sensible when a risk is too big to be carried by your business alone and can’t be sufficiently reduced in any other way. Employers are legally obliged to have employers’ liability insurance. Depending on the nature of your business, you should also consider buying other types of insurance, such as product liability, public liability, property, transport, engineering.

Not all risks are worth insuring against, and you can deliberately choose to carry small risks, for example minor vandalism. It may be worth consulting a registered insurance broker, who can often offer an insurance package to cover all your needs.

Insurance doesn’t prevent hazards and can’t sort out all the damaging consequences. However, compensation from insurance and the services related to it can help smooth the way through a crisis.


  • Analyse the risks before insuring!
  • Try to eliminate hazards and reduce their effects before taking out insurance
  • Make sure that the insurance cover is tailored to your needs
  • Beware of the dangers of under-insurance
  • Use ‘combination insurance’ for property, liability and interruption risks – they’re usually more expensive if purchased separately
  • ’Shop around’ for good quality, competitive quotes
  • Renewal time is not the only time when you should consider insurance – project launches and planning significant changes, for example, are other good opportunities
  • The expertise of insurance companies is worth exploiting – familiarise yourself with their services and use them
  • Remember your personal insurance cover, both in work and leisure time
HomeHow to useStarting PointDirect routeStep-by-step routeResources