Risk Management for Small Business

Every organization’s business plan should include a section on risk management. If your business plan doesn’t address your risks, take a look at the following areas to start.

Equipment: Equipment that needs to be repaired may interrupt your business; insurance or service plans may minimize your costs. For example, if your business is dependent on a high-speed printer or copier, a service plan may be a good way to control the risk of the copier breaking down. Parts for a copier can be expensive and take time to replace. To be prepared, copier vendors will plan for parts and service based on the copiers they have sold to you, and the number of copies you make (service plans for copiers usually require an annual count of copies made). Higher usage may mean more maintenance.

Vendors: Your vendors have risks, too. Relying on only one vendor may be risky for your business. Do not be afraid to investigate the risks your vendor may face. Some of this risk information is provided by business credit reporting agencies or by insurance companies. You may be able to avoid vendor-related problems by:


  • Having more than one supplier for essential products.
  • Shopping for vendors with the best price and service.
  • Maintaining relationships with multiple vendors by buying from each of them.


A multiple-vendor strategy may make vendors push for more of your business, resulting in lower prices. In any event, if one vendor is unable to deliver, you will have backup.

Business Continuity: Your operations manuals should include a business continuity plan. The plan should provide steps to take for short- and long-term situations. For example, if your business is unable to operate in its present location, is it possible to use another? If so, your plan should list the steps to take, by job position, for re-establishing operations at the backup site. Train staff on your continuity plans and alternative strategies. Have trial runs or periodic testing of your manual systems.

Back up your computer systems and keep copies in a secured offsite location. Keeping additional computer capability at another location can mean being down for a few hours, instead of days. Software or operating system providers may be able to assist in disaster recovery plans. Review or discuss these plans with your vendors.

In your continuity plan, include the following:


  • Staff members’ duties
  • Staff members’ work locations
  • Contact information, such as email addresses and phone numbers
  • Vendor, utility, and emergency phone numbers
  • Employee notification “phone tree” (for example, an owner calls managers and managers call their departments)


Information Technology Systems: Information technology (IT) systems pose special risks. The following tips can help prevent IT-related risks:


  • Safeguard login information such as user names and passwords. Personal login information should not be shared with anyone outside the business or with any other employee. Require employees to sign a statement agreeing that they won’t share passwords.
  • Protect systems with firewalls. Use software to scan for viruses or other irregularities.
  • Institute levels of access within your organization by job duty. Someone who ships out inventory or accepts returns, for example, should have different access than those in accounting where credit is issued. Manager override authority should be reviewed periodically by using system-generated reports. Monitoring reports for out-of-the-ordinary transactions gives an added layer of security.
  • Generate system reports, which might include reports on system access, attempted security breaches, and patterns of usage. Audits of these reports, as well as reviews of changes made by system administrators, should be conducted regularly.
  • Sample transactions or use trial transactions to uncover changes in processing or fraudulent transactions.
  • Conduct scheduled and surprise audits of IT systems.


Employees: Employees and employment costs are often an organization’s biggest expense. You can minimize employment-related risks by:


  • Minimizing turnover by ensuring your pay, benefit and retirement packages are competitive.
  • Providing training to minimize safety risks.
  • Auditing workers’ compensation claims, accident records and “near misses” to identify problem areas.
  • Auditing human resource policies and procedures to ensure your organization complies with EEOC regulations, the Americans with Disabilities Act (ADA) and its amendments, and other non-discrimination laws. Keep in mind that states often have more stringent anti-discrimination laws or more protected classes than federal law. You’ll also want to ensure your workplace is free of sexual harassment and other harassment. Your employee manuals should outline the organization’s policies and disciplinary procedures.


A written business plan should not only include a list of possible risks, but also include controls and plans to manage risks. Remember—keep your business plan current by readdressing changes in costs and by assessing new risks. For more information on developing a comprehensive risk management plan and insurance to cover those risks, please contact us.