Risk management involves identifying, analyzing, and taking steps to reduce or eliminate the exposures to loss faced by an organization or individual. The practice utilizes many tools and techniques, including insurance, to manage a wide variety of risks. Every business encounters risks, some of which are predictable and under management's control; others are unpredictable and uncontrollable. Risk management is particularly vital for small businesses, since some common types of losses—such as theft, fire, flood, legal liability, injury, or disability—can destroy in a few minutes what may have taken an entrepreneur years to build. Such losses and liabilities can affect day-to-day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt a small business. But while many large companies employ a full-time risk manager to identify risks and take the necessary steps to protect the firm against them, small companies rarely have that luxury. Instead, the responsibility for risk management is likely to fall on the small business owner.

The term "risk management" is a relatively recent evolution of the term "insurance management." The concept of risk management encompasses a much broader scope of activities and responsibilities than does insurance management. Risk management is now a widely accepted description of a discipline within most large organizations. Basic risks such as fire, windstorm, employee injuries, and automobile accidents, as well as more sophisticated exposures such as product liability, environmental impairment, and employment practices, are the province of the risk management department in a typical corporation. Although risk management has usually pertained to property and casualty exposures to loss, it has recently been expanded to include financial risk management—such as interest rates, foreign exchange rates, and derivatives—as well as the unique threats to businesses engaged in E-commerce. As the role of risk management has increased, some large companies have begun implementing large-scale, organization-wide programs known as enterprise risk management.


Businesses have several alternatives for the management of risk, including avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or loss prevention, involves taking steps to prevent a loss from occurring by such methods as employee safety training. As another example, a pharmaceutical company may decide not to market a drug because of the potential liability. Assuming risks simply means accepting the possibility that a loss may occur and being prepared to pay the consequences. Reducing risks, or loss reduction, involves taking steps to reduce the probability or the severity of a loss, for example by installing fire sprinklers.

Transferring risk refers to the practice of placing responsibility for a loss on another party by contract. The most common example of risk transference is insurance; it allows a company to pay a small monthly premium in exchange for protection against automobile accidents, theft or destruction of property, employee disability, or a variety of other risks. Because of its costs, the insurance option is usually chosen when the other options don't provide sufficient protection. Awareness of, and familiarity with, various types of insurance policies is a necessary part of the risk management process. A final risk management tool is self-retention of risks—sometimes referred to as "self-insurance." Companies that choose this option set up a special account or fund to be used in the event of a loss.

Any combination of these risk management tools may be applied in the last step of the process, implementation. This step, monitoring, involves a regular review of the company's risk management tools to determine if they have obtained the desired result or if they require modification. Tools in that process include maintaining a high quality of work; training employees well and maintaining equipment properly; installing strong locks, smoke detectors, and fire extinguishers; keeping the office clean and free of hazards; backing up computer data often; and storing records securely off-site.


Small businesses encounter a number of risks when they use the Internet. Increased reliance on Web-based operations demands that small business owners decide how much risk to accept and implement security systems to manage the risk associated with online business activities. Conducting business online exposes a company to liability due to infringement on copyrights, patents, or trademarks; charges of defamation due to statements made on a Web site or by e-mail; charges of invasion of privacy due to unauthorized use of personal information or excessive monitoring of employee communications; liability for harassment due to employee behavior online; and legal issues due to accidental noncompliance with foreign laws. In addition, businesses connected to the Internet also face a number of potential threats from computer hackers and viruses, including a loss of business and productivity due to computer system damage, and the theft of customer information or intellectual property. If the small business is publicly traded, the requirements of the Sarbanes-Oxley Act, specifically record retention, including the archiving of computer-based records, apply as well.

In the early 2000s, new forms of insurance coverage emerged to cover risks businesses run in cyberspace, and this branch of protection is expected to develop along with new risks as they emerge. In the meantime, attentive care to e-commerce implementation, the installation of firewalls, and effective disciplines inside the business can largely prevent serious problems. As pointed out elsewhere in this volume (see Computer Crimes), the largest risks most businesses run these days are from actions of employees inside the company.


In the 1990s, the field of risk management expanded to include managing financial risks as well as those associated with changing technology and Internet commerce. In the early 2000s, the role of risk management began to expand even further to protect entire companies during periods of change and growth. As businesses grow, they experience rapid changes in nearly every aspect of their operations, including production, marketing, distribution, and human resources. Such rapid change also exposes the business to increased risk. In response, risk management professionals created the concept of enterprise risk management, which was intended to implement risk awareness and prevention programs on a company-wide basis.

The main focus of enterprise risk management is to establish a culture of risk management throughout a company to handle the risks associated with growth and a rapidly changing business environment. Writing in Best's Review, Tim Tongson recommended that business owners take the following steps in implementing an enterprise-wide risk management program: 1) incorporate risk management into the core values of the company; 2) support those values with actions; 3) conduct a risk analysis; 4) implement specific strategies to reduce risk; 5) develop monitoring systems to provide early warnings about potential risks; and 6) perform periodic reviews of the program.

Finally, it is important that the small business owner and top managers show their support for employee efforts at managing risk. "To bring together the various disciplines and implement integrated risk management, ensuring the buy-in of top-level executives is vital," Luis Ramiro Hernandez wrote in Risk Management. "These executives can institute the processes that enable people and resources across the company to participate in identifying and assessing risks, and tracking the actions taken to mitigate or eliminate those risks."


Anastasio, Susan. Small Business Insurance and Risk Management Guide. U.S. Small Business Administration. Available from http://www.sba.gov/library/pubs/mp-28.txt. Retrieved on 22 May 2006.

Hernandez, Luis Ramiro. "Integrated Risk Management in the Internet Age." Risk Management. June 2000.

Hommel, Ulrich, Michael Frenkel, and Markus Rudolf. Risk Management: Challenge and Opportunity. Springer, 2005.

Lam, James. Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons, 2003.

O'Neill, David T. "Guard Against Cyber Exposures: New e-commerce risk insurance offers coverages beyond your standard policies." Risk Management. April 2003.

Sadgrove, Kit. The Complete Guide to Business Risk Management. Gower Publishing, 2005.

Tongson, Tim. "Turning Risk into Reward." Best's Review. December 2000.

Williams, Kathy. "How is Your Company Managing Risk?" Strategic Finance. September 2005.