12 Types of Business Risks and How to Manage Them

90% of startups fail.

Thanks to the explosion of the digital economy, business founders have plenty of opportunities that they can tap into to build a winning business.

Unfortunately, there is a myriad of challenges your new business has to navigate through. These risks are inevitable, and they are a part of life in the business world.

However, without the right plan, strategy, and instruments, your business might be drowned by these challenges.

Therefore, we have created this guide to show you how your business can use risk management to succeed in 2022.

There are many types of startup and business risks that entrepreneurs can expect to encounter in 2022. Most of these threats are prevalent in the infancy stages of a business.

To know what you’ll be up against, here is a breakdown of the 12 most common threats.

12 Business Risks to Plan For

1) Economic Risks

Failure to acquire adequate funding for your business can damage the chances of your business succeeding.

Before a new business starts making profits, it needs to be kept afloat with money. Bills will pile up, suppliers will need payments, and your employees will be expecting their salaries.

To avoid running into financial problems sooner or later, you need to acquire enough funds to shore up your business until it can support itself.

In addition, the economic situation of the world and of the country where a business operates can change, positively or negatively, leading to a boom in purchases and opportunities or to a reduction in sales and growth.

If your business is up and running, a great way to limit the effect of negative economic changes is to maintain steady cash flow and operate under the lean business method.

Here's an article from a founder explaining how he set up a lean budget on his $400k/year online business.

2) Market Risks

Misjudging market demand is one of the primary reasons businesses fail.

To avoid falling into this trap, conduct detailed research to understand whether you will find a ready market for what you want to sell at the price you have set.

Ensure your business has a unique selling point, and make sure what you offer brings value to the buyers.

To know whether your product will suit the market, do a survey, or get opinions from friends and potential customers.

Building a Minimum Viable Product of your business idea is what most entrepreneurs recommend.

This site, for example, was built in just 3 weeks and launched into the market to see if there was any interest in the type of content we offered.

The site was ugly, had little content and lacked many features. Yet, +7,700 users visited it within the first week, which made us realize we should keep working on this.

Failory's Analytics


3) Competitive Risks

Competition is a major business killer that you should be wary of.

Before you even start planning, ask yourself whether you are venturing into an oversaturated market.

Are there gaps in the market that you can exploit and make good money?

If you have an idea that can give you an edge, register it. This will prevent others from copying your product, re-innovating it, and locking you out of what you started.

Competitive risks are also those actions made by competitors that prevent a business from earning more revenue or having higher margins.

4) Execution Risks

Having an idea, a business plan, and an eager market isn’t enough to make your startup successful.

Most new companies put a lot of effort into the initial preparation and forget that the execution phase is equally important.

First, test whether you can develop your products within budget and on time. Also, check whether your product will function as intended and whether it’s possible to distribute it without taking losses.

5) Strategic Risks

Business strategies can lead to the growth or decline of a company.

Every strategy involves some risk, as time and resources are generally needed to put it into practice.

Strategic risk is, therefore, the chance that an implemented strategy results in losses.

If, for example, the Marketing Department of a company implements a content marketing strategy and, after many months and a lot of time and money, the business doesn't see any ROI, this becomes a strategic risk.

6) Compliance Risks

Compliance risks are those losses and penalties that a business suffers for not complying with countries' and states' regulations & laws.

Some industries are highly regulated, so the compliance risks of businesses within them are very high.

For example, in May 2018, the EU Commission implemented the General Data Protection Regulation (GDPR), a law on privacy and data protection in the EU, which affected millions of websites.

Those websites that weren't adapted to comply with this new rule were fined.

7) Operational Risks

Operational risks arise when the day-to-day running of a company fails to perform.

When processes fail or are insufficient, businesses lose customers and revenue, and their reputation gets ruined.

One example is customer service processes. Customers are becoming less willing every day to wait for support (not to mention to receive poor-quality support).

If a business's customer service team fails to solve customers' issues, or is slow to do so, those customers might find their solution with the business's competitors.

8) Reputational Risks

Reputational risks arise when a business acts in an immoral and discourteous way.

This leads to customer complaints and distrust towards the business, which means a big loss of sales and revenue for the company.

With the rise of social networks, reputational risks have become one of the main concerns for businesses.

Going viral is very easy on Twitter, so a single unhappy customer can lead to a wave of bad press for the company.

A recent example is the Away issue with their toxic work environment, as a former employee reported in The Verge.

The issue drew a lot of criticism on social networks, which eventually led the CEO, Steph Korey, to step aside from the startup (she seems to be back, anyway 🤷‍♂️!).

9) Country Risks

When a business invests in a new country, there is a high probability it won't work.

A product that is successful in one market won't necessarily be successful in another, especially when the people in them differ so much in culture, climate, tastes, background, etc.

Country risk is the probability of failure that businesses investing in new countries have to deal with.

Changes in exchange rates, unstable economic situations and shifting politics are three factors that make country risks even more delicate.

10) Quality Risks

When a business develops a product or service that fails to meet customers' needs and quality expectations, the chance these customers will ever buy again is low.

In this way, the business loses future sales and revenue. Not to mention that some customers will ask for refunds, increasing business costs, and will publicly criticize the company's products, leading to a bad reputation (and a viral cycle that means even less $$ for the business).

11) Human Risk

Hiring has its benefits but also its risks.

Employees themselves involve a huge risk for a business, as they come to represent the company through how they work, the mistakes they commit, what they say in public, and their interactions with customers and suppliers.

A way to deal with human risk is to train employees and keep a motivated workforce. Yet, the risk will continue to exist.

12) Technology Risk

Security attacks, power outages, and discontinued hardware and software, among other technology issues, are the events that make up technology risk.

These issues can lead to a loss of money, time and data, which has many connections with the previously mentioned risks.

Back-ups, antivirus, control processes, and data breach plans are some of the ways to deal with this risk.

How Businesses Can Use Risk Management To Grow Business

To mitigate any future threats, you need to prepare a comprehensive risk management plan.

This plan should detail the strategy you will use to deal with the specific challenges your business will encounter. Here’s what to do.

1) Identify Risks

Every business encounters a different set of challenges.

Before mapping the risks, analyze your business and note down its key components such as critical resources, important services or products, and top talent.

2) Record Risks

Once risks have been identified, you need to assess and document the threats that can affect each component.

Also identify any warning signs or triggers of each recorded risk.

3) Anticipate

The best way to beat a threat is to detect and prepare for it in advance.

Once you know your business can be affected by a certain scenario, develop steps that you will take to stop the risk or to blunt its effects.

4) Prioritize Risks

Not all types of business risk have the same effect. Some can bring your startup to its knees, while others will only cause minimal effects.

To keep your business alive, start by putting in place measures that protect the vital functions from the most severe and most probable risks.

5) Have a Backup Plan

For every risk scenario, have at least two plans for countering the threat before it arrives.

The strategy you put in place should be in line with the current technology and trends.

Ensure you communicate these measures to all your team members.

6) Assign Responsibilities

When communicating measures with the team, assign responsibilities for each member in case any of the recorded risks affect the business.

These members should also be responsible for checking on the risks at regular intervals and maintaining records about them.

What is a Business Risk?

The term "business risk" refers to the exposure businesses have to factors that can prevent them from achieving their set financial goals.

This exposure can come from a variety of situations, which can be classified into two groups:

  • Internal factors: The risk comes from sources within the company, and they tend to be related to human, technological, physical or operational factors, among others.
  • External factors: The risk comes from regulations/changes affecting the whole country/economy.

Any of these factors can leave the business unable to return adequate amounts to investors and stakeholders.

What Is Risk Management?

Risk management is a practice where an entrepreneur looks for potential risks that their business may face, analyzes them, and takes action to counter them.

The steps you take can eliminate the threat, control it, or limit the effects.

A risk is any scenario that harms your business. Risks can emanate from a wide variety of sources such as financial problems, management errors, lawsuits, data loss, cyber-attacks, natural calamities, and theft.

The risk landscape changes constantly, therefore you need to know the latest threats.

By setting up a risk management plan, your business can save money and time, which in some cases can be what keeps your startup in business.

Not to mention that risk management plans tend to make managers feel more confident about carrying out business decisions, especially risky ones, which can give their startups a huge competitive advantage.

Wrapping Up

Becoming your own boss is one of the most rewarding things you can do.

However, launching a business is not a walk in the park; risks and challenges lurk around every corner.

If you are planning to establish a new business come 2022, make sure you secure its future by creating a broad risk management plan.

What is business risk?

You know about death and taxes. What about risk? Yes, risk is just as much a part of life as the other two inevitabilities. This became all the more apparent during COVID-19, as each of us had to assess and reassess our personal risk calculations as each new wave of the pandemic—and pandemic-related disruptions—washed over us. It’s the same in business: executives and organizations have different comfort levels with risk and ways to prepare against it.

Where does business risk come from? To start with, external factors can wreak havoc on an organization’s best-laid plans. These can include things like inflation, supply chain disruptions, geopolitical upheavals, unpredictable force majeure events like a global pandemic or climate disaster, competitors, reputational issues, or even cyberattacks.

But sometimes, the call is coming from inside the house. Companies can be imperiled by their own executives’ decisions or by leaks of privileged information, but most damaging of all, perhaps, is the risk of missed opportunities. We’ve seen it often: when companies choose not to adopt disruptive innovation, they risk losing out to more nimble competitors.

The modern era is rife with increasingly frequent sociopolitical, economic, and climate-related shocks. In 2019 alone, for example, 40 weather disasters caused damages exceeding $1 billion each. To stay competitive, organizations should develop dynamic approaches to risk and resilience. That means predicting new threats, perceiving changes in existing threats, and developing comprehensive response plans. There’s no magic formula that can guarantee safe passage through a crisis. But in situations of threat, sometimes only a robust risk-management plan can protect an organization from interruptions to critical business processes. For more on how to assess and prepare for the inevitability of risk, read on.

What is risk control?

Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analyzed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimize the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost.

But in order to develop appropriate risk controls, an organization should first understand the potential threats.

What are the three components to a robust risk management strategy?

A dynamic risk management plan can be broken down into three components: detecting potential new risks and weaknesses in existing risk controls, determining the organization’s appetite for risk taking, and deciding on the appropriate risk management approach. Here’s more information about each step and how to undertake them.

1. Detecting risks and controlling weaknesses

A static approach to risk is not an option, since an organization can be caught unprepared when an unlikely event, like a pandemic, strikes. So it pays to always be proactive. To keep pace with changing environments, companies should answer the following three questions for each of the risks that are relevant to their business.

  • How will a risk play out over time? Risks can be slow moving or fast moving. They can be cyclical or permanent. Companies should analyze how known risks are likely to play out and reevaluate them on a regular basis.
  • Are we prepared to respond to systemic risks? Increasingly, risks have longer-term reputational or regulatory consequences, with broad implications for an industry, the economy, or society at large. A risk management strategy should incorporate all risks, including systemic ones.
  • What new risks lurk in the future? Organizations should develop new methods of identifying future risks. Traditional approaches that rely on reviews and assessments of historical realities are no longer sufficient.

2. Assessing risk appetite

How can companies develop a systematic way of deciding which risks to accept and which to avoid? Companies should set appetites for risk that align with their own values, strategies, capabilities, and competitive environments—as well as those of society as a whole. To that end, here are three questions companies should consider.

  • How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviors, digital capabilities, competitive landscapes, and global trends.
  • Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depends on their particular business, industry, and levels of risk tolerance.
  • Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. But the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. But increased data breaches and privacy concerns can increase the risk of large-scale failures. Organizations, therefore, should evolve their risk profiles accordingly.

3. Deciding on a risk management approach

Finally, organizations should decide how they will respond when a new risk is identified. This decision-making process should be flexible and fast, actively engaging leaders from across the organization and honestly assessing what has and hasn’t worked in past scenarios. Here are three questions organizations should be able to answer.

  • How should we mitigate the risks we are taking? Ultimately, people need to make these decisions and assess how their controls are working. But automated control systems should buttress human efforts. Controls guided, for example, by advanced analytics can help guard against quantifiable risks and minimize false positives.
  • How would we respond if a risk event or control breakdown happens? If (or more likely, when) a threat occurs, companies should be able to switch to crisis management mode quickly, guided by an established playbook. Companies with well-rehearsed crisis management capabilities weather shocks better, as we saw with the COVID-19 pandemic.
  • How can we build true resilience? Resilient companies not only better withstand threats—they emerge stronger. The most resilient firms can turn fallout from crises into a competitive advantage. True resilience stems from a diversity of skills and experience, innovation, creative problem solving, and the basic psychological safety that enables peak performance.

Change is constant. Just because a risk control plan made sense last year doesn’t mean it will next year. In addition to the above points, a good risk management strategy involves not only developing plans based on potential risk scenarios but also evaluating those plans on a regular basis.

What are five actions organizations can take to build dynamic risk management?

In the past, some organizations have viewed risk management as a dull, dreary topic, uninteresting for the executive looking to create competitive advantage. But when the risk is particularly severe or sudden, a good risk strategy is about more than competitiveness—it can mean survival. Here are five actions leaders can take to establish risk management capabilities.

  • Reset the aspiration for risk management. This requires clear objectives and clarity on risk levels and appetite. Risk managers should establish dialogues with business leaders to understand how people across the business think about risk, and share possible strategies to nurture informed risk-versus-return decision making—as well as the capabilities available for implementation.
  • Establish agile risk management practices. As the risk environment becomes more unpredictable, the need for agile risk management grows. In practice, that means putting in place cross-functional teams empowered to make quick decisions about innovating and managing risk.
  • Harness the power of data and analytics. The tools of the digital revolution can help companies improve risk management. Data streams from traditional and nontraditional sources can broaden and deepen companies’ understandings of risk, and algorithms can boost error detection and drive more accurate predictions.
  • Develop risk talent for the future. Risk managers who are equipped to meet the challenges of the future will need new capabilities and expanded domain knowledge in model risk management, data, analytics, and technology. This will help support a true understanding of the changing risk landscape, which risk leaders can use to effectively counsel their organizations.
  • Fortify risk culture. Risk culture includes the mindsets and behavioral norms that determine an organization’s relationship with risk. A good risk culture allows an organization to respond quickly when threats emerge.

How do scenarios help business leaders understand uncertainty?

Done properly, scenario planning prompts business leaders to convert abstract hypotheses about uncertainties into narratives about realistic visions of the future. Good scenario planning can help decision makers experience new realities in ways that are intellectual and sensory, as well as rational and emotional. Scenarios have four main features that can help organizations navigate uncertain times.

  • Scenarios expand your thinking. By developing a range of possible outcomes, each backed with a sequence of events that could lead to them, it’s possible to broaden our thinking. This helps us become ready for the range of possibilities the future might hold—and accept the possibility that change might come more quickly than we expect.
  • Scenarios uncover inevitable or likely futures. A broad scenario-building effort can also point to powerful drivers of change, which can help to predict potential outcomes. In other words, by illuminating critical events from the past, scenario building can point to outcomes that are very likely to happen in the future.
  • Scenarios protect against groupthink. In some large corporations, employees can feel unsafe offering contrarian points of view for fear that they’ll be penalized by management. Scenarios can help companies break out of this trap by providing a “safe haven” for opinions that differ from those of senior leadership and that may run counter to established strategy.
  • Scenarios allow people to challenge conventional wisdom. In large corporations in particular, there’s frequently a strong bias toward the status quo. Scenarios are a nonthreatening way to lay out alternative futures in which assumptions underpinning today’s strategy can be challenged.

What’s the latest thinking on risk for financial institutions?

In late 2021, McKinsey conducted survey-based research with more than 30 chief risk officers (CROs), asking about the current banking environment, risk management practices, and priorities for the future.

According to CROs, banks in the current environment are especially exposed to accelerating market dynamics, climate change, and cybercrime. Sixty-seven percent of CROs surveyed cited the pandemic as having significant impact on employees and in the area of nonfinancial risk. Most believed that these effects would diminish in three years’ time.

Climate change, on the other hand, is expected to become a larger issue over time. Nearly all respondents cited climate regulation as one of the five most important forces in the financial industry in the coming three years. And 75 percent were concerned about climate-related transition risk: financial and other risks arising from the transformation away from carbon-based energy systems.

And finally, cybercrime was assessed as one of the top risks by most executives, both now and in the future.

What is cyber risk?

Cyber risk is a form of business risk. More specifically, it’s the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage to operational equipment.

Cyber risk is not the same as a cyberthreat. Cyberthreats are the particular dangers that create the potential for cyber risk. These include privilege escalation (the exploitation of a flaw in a system for the purpose of gaining unauthorized access to resources), vulnerability exploitation (an attack that uses detected vulnerabilities to exploit the host system), or phishing. The risk impact of cyberthreats includes loss of confidentiality, integrity, and availability of digital assets, as well as fraud, financial crime, data loss, or loss of system availability.

In the past, organizations have relied on maturity-based cybersecurity approaches to manage cyber risk. These approaches focus on achieving a particular level of cybersecurity maturity by building capabilities, like establishing a security operations center or implementing multifactor authentication across the organization. A maturity-based approach can still be helpful in some situations, such as for brand-new organizations. But for most institutions, a maturity-based approach can turn into an unmanageably large project, demanding that all aspects of an organization be monitored and analyzed. The reality is that, since some applications are more vulnerable than others, organizations would do better to measure and manage only their most critical vulnerabilities.

What is a risk-based cybersecurity approach?

A risk-based approach is a distinct evolution from a maturity-based approach. For one thing, a risk-based approach identifies risk reduction as the primary goal. This means an organization prioritizes investment based on a cybersecurity program’s effectiveness in reducing risk. Also, a risk-based approach breaks down risk-reduction targets into precise implementation programs with clear alignment all the way up and down an organization. Rather than building controls everywhere, a company can focus on building controls for the worst vulnerabilities.

Here are eight actions that comprise a best practice for developing a risk-based cybersecurity approach:

  • fully embed cybersecurity in the enterprise-risk-management framework
  • define the sources of enterprise value across teams, processes, and technologies
  • understand the organization’s enterprise-wide vulnerabilities—among people, processes, and technology—internally and for third parties
  • understand the relevant “threat actors,” their capabilities, and their intent
  • link the controls in “run” activities and “change” programs to the vulnerabilities that they address and determine what new efforts are needed
  • map the enterprise risks from the enterprise-risk-management framework, accounting for the threat actors and their capabilities, the enterprise vulnerabilities they seek to exploit, and the security controls of the organization’s cybersecurity run activities and change program
  • plot risks against the enterprise-risk appetite; report on how cyber efforts have reduced enterprise risk
  • monitor risks and cyber efforts against risk appetite, key cyber risk indicators, and key performance indicators

How can leaders make the right investments in risk management?

Ignoring high-consequence, low-likelihood risks can be catastrophic to an organization—but preparing for everything is too costly. In the case of the COVID-19 crisis, the danger of a global pandemic on this scale was foreseeable, if unexpected. Nevertheless, the vast majority of companies were unprepared: among billion-dollar companies in the United States, more than 50 filed for bankruptcy in 2020.

McKinsey has described the decisions to act on these high-consequence, low-likelihood risks as “big bets.” The number of these risks is far too large for decision makers to make big bets on all of them. To narrow the list down, the first thing a company can do is to determine which risks could hurt the business versus the risks that could destroy the company. Decision makers should prioritize the potential threats that would cause an existential crisis for their organization.

To identify these risks, McKinsey recommends using a two-by-two risk grid, situating the potential impact of an event on the whole company against the level of certainty about the impact. This way, risks can be measured against each other, rather than on an absolute scale.

Organizations sometimes survive existential crises. But it can’t be ignored that crises—and missed opportunities—can cause organizations to fail. By measuring the impact of high-impact, low-likelihood risks on core business, leaders can identify and mitigate risks that could imperil the company. What’s more, investing in protecting their value propositions can improve an organization’s overall resilience.

Articles referenced:

  • “Seizing the momentum to build resilience for a future of sustainable inclusive growth,” February 23, 2023, Børge Brende and Bob Sternfels
  • “Data and analytics innovations to address emerging challenges in credit portfolio management,” December 23, 2022, Abhishek Anand, Arvind Govindarajan, Luis Nario, and Kirtiman Pathak
  • “Risk and resilience priorities, as told by chief risk officers,” December 8, 2022, Marc Chiapolino, Filippo Mazzetto, Thomas Poppensieker, Cécile Prinsen, and Dan Williams
  • “What matters most? Six priorities for CEOs in turbulent times,” November 17, 2022, Homayoun Hatami and Liz Hilton Segel
  • “Model risk management 2.0 evolves to address continued uncertainty of risk-related events,” March 9, 2022, Pankaj Kumar, Marie-Paule Laurent, Christophe Rougeaux, and Maribel Tejada
  • “The disaster you could have stopped: Preparing for extraordinary risks,” December 15, 2020, Fritz Nauck, Ophelia Usher, and Leigh Weiss
  • “Meeting the future: Dynamic risk management for uncertain times,” November 17, 2020, Ritesh Jain, Fritz Nauck, Thomas Poppensieker, and Olivia White
  • “Risk, resilience, and rebalancing in global value chains,” August 6, 2020, Susan Lund, James Manyika, Jonathan Woetzel, Edward Barriball, Mekala Krishnan, Knut Alicke, Michael Birshan, Katy George, Sven Smit, Daniel Swan, and Kyle Hutzler
  • “The risk-based approach to cybersecurity,” October 8, 2019, Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
  • “Value and resilience through better risk management,” October 1, 2018, Daniela Gius, Jean-Christophe Mieszala, Ernestos Panayiotou, and Thomas Poppensieker

American Express Business Class

Types of Business Risks and Ideas for Managing Them

Published: July 06, 2023

There are several types of business risks that can threaten a company’s ability to achieve its goals. Learn some of the most common risks for businesses and ideas for how to manage them.

Business risks can include financial, cybersecurity, operational, and reputational risks, all of which can seriously impact a company’s strategic plans if business leaders don’t take action to mitigate them.

What’s most important is that business owners are aware of the risks that could shake up their operations. That way, they can take steps to prevent them or minimize their impact if they occur. Here’s a look at some common business risks. 

Financial Risks

Companies must generate sufficient cash flow to make interest payments on loans and to meet other debt-related obligations on time. Financial risk refers to the flow of money in the business and the possibility of a sudden financial loss. A company may be at financial risk if it doesn’t have enough cash to properly manage its debt payments and becomes delinquent on its loans.

Businesses with relatively higher levels of debt financing are considered at higher financial risk, since lenders often see them as having a greater chance of not meeting payment obligations and becoming insolvent. Types of financial risk include:

  • Credit risk: When a company extends credit to customers, there is the possibility that those customers may stop making payments, which reduces revenue and earnings. A company also faces credit risk when a lender extends business credit to make purchases. If the company doesn’t have enough money to pay back those loans, it will default.
  • Currency risk: Currency risk, also known as exchange-rate risk, can arise from the change in price of one currency in relation to another. For example, if a U.S. company agrees to sell its products to a European company for a certain amount of euros, but the value of the euro rises suddenly at the time of delivery and payment, the U.S. business loses money because it takes more dollars to buy euros.
  • Liquidity risk: A company faces liquidity risk when it cannot convert its assets into cash. This type of business risk often occurs when a company suddenly needs a substantial amount of cash to meet its short-term debt obligations. For example, a manufacturing company may not be able to sell outdated machines to generate cash if no buyers come forward.

Cybersecurity Risks

As more businesses use online channels for sales and e-commerce payments, as well as for collecting and storing customer data, they are exposed to greater opportunities for hacking, creating security risks for companies and their stakeholders. Both employees and customers expect companies to protect their personal and financial information, but despite ongoing efforts to keep this information safe, companies have experienced data breaches, identity theft, and payment fraud incidents.

When these incidents happen, consumer confidence and trust in companies can take a dive.

Not only do security breaches threaten a company’s reputation, but the company is sometimes financially liable for damages.

Ideas for managing security risks:

  • Investing in fraud detection tools and software security solutions.
  • Educating employees about how they can do their part to keep the company’s data safe. Basic guidance includes not clicking suspicious links in emails or sharing sensitive data without encrypting it first.

Operational Risks

A business is considered to have operational risk when its day-to-day activities threaten to decrease profits. Operational risks can result from employee errors, such as undercharging customers. Additionally, a natural disaster like a tornado, hurricane, or flood might damage a company’s buildings or other physical assets, disrupting its daily operations.

Of course, one of the starkest examples of negative impacts to companies' production and supply chain operations is the Coronavirus pandemic. In an April 2022 Small Business Pulse Survey conducted by the U.S. Census Bureau, roughly 65 percent of respondents reported that the pandemic had either a moderate negative effect or a large negative effect on their business.

Ideas for managing operational risks:

  • Making time for necessary employee training to minimize internal mistakes.
  • Developing contingency plans to shield against external events that may impact operations. For example, a restaurant impacted by a natural disaster might be able to partner with another local restaurant, bar, or coffee shop to use their kitchen and sell to-go items.

Reputational Risks

Reputational risk can include a product safety recall, negative publicity, and negative reviews online from customers. Companies that suffer reputational damage can even see an immediate loss of revenue, as customers take their business elsewhere. Companies may experience additional impacts, including losing employees, suppliers, and other partners.

Ideas for managing reputational risks:

  • Pay attention to what customers and employees say about the company both online and offline.
  • Commit not only to providing a quality product or service, but also to ensuring that workers are trained to deliver excellent customer service and to resolve customer complaints, offer refunds, and issue apologies when necessary.

The Takeaway

Business owners face a variety of business risks, including financial, cybersecurity, operational, and reputational. However, they can take proactive measures to prevent or mitigate risk while continuing to seize opportunities for growth. To learn more about the benefits of risk management planning, read "5 Hidden Benefits of Risk Management."

Frequently Asked Questions

1. What are the main types of business risks?

There are several types of business risks:

  • Financial Risks
  • Cybersecurity Risks
  • Operational Risks
  • Reputational Risks

2. What are common examples of business risks?

  • Financial risks can include cash flow problems, inability to meet financial obligations, or taking on too much debt.
  • Cybersecurity risks are risks associated with data breaches, hacks, or cyber-attacks.
  • Operational risks include supply chain disruptions, natural disasters, or IT failures.
  • Reputational risks can occur when a company's reputation is damaged by negative publicity, scandal, or other events.

3. How can you identify a business risk?

There are a few key ways to identify business risks:

  • Reviewing financial statements and performance indicators: This can help you identify risks related to cash flow, profitability, or solvency.
  • Conducting a SWOT analysis: A SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) can also be a helpful tool for identifying risks and brainstorming ways to mitigate them.
  • Identifying key dependencies: Key dependencies are things that your business relies on to function, and if they were to fail or be disrupted, it could have a serious impact on your business.
  • Carrying out root cause analysis: Conducting root cause analysis can help you to identify what underlying factors could lead to a problem or issue.

A version of this article was originally published September 01, 2022.

Business Insights

Harvard Business School Online's Business Insights Blog provides the career insights you need to achieve your goals and gain confidence in your business skills.

What Is Risk Management & Why Is It Important?

24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: This occurs when your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, a company might lose property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: This occurs when your organization’s value erodes because stakeholders lose confidence in its objectives. It primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but also to address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.

14 Smart Ways to Manage Business Risk

Forbes Business Development Council

It’s impossible to truly eliminate risk when it comes to economic decisions that are best for your business. Decisions have to be made even when we don’t know all the facts and are unsure of the future. For instance, market regulations are an uncertain environment where the stakes are higher and risk-taking isn’t optional if you want to move forward.

So how do you account for those uncertainties when trying to make informed, smart decisions for your business? Below, 14 Forbes Business Development Council members explain how to manage risk in uncertain economic situations.

1. Look To Past Situations

In every business decision, you have risks and uncertainties. First, you should try to define all risks. If you have had similar situations and experiences, have a look at the past to look for solutions. Create backup plans for different scenarios and be flexible enough to adjust your decision. - Hendrik Bender, Sovereign Speed GmbH

2. Think Through Multiple Scenarios

You’ll never have 100% of the information you need to make a decision. The goal is to manage the risk and make calculated decisions. I’ve found thinking through at least three different scenarios helps me understand potential risks. Best-case, likely-case and worst-case scenario planning is a good way to flush out possible outcomes. I also try to consider unplanned consequences that could arise. - Julie Thomas, ValueSelling Associates

3. Eliminate Business System Silos

Siloed business systems are too rigid to handle uncertain risk. Signals often exist but in disparate places and forms—such as from regulators or affected customers talking with your sales, support or finance teams. Businesses should feed signals from across functions into a unified view for visibility into cash position, future cash inflow and actions that can influence deals or renewals. - Dan Brown, FinancialForce

4. Control Whatever Variables You Can

Stay informed and analyze past data sets that are similar. Most importantly, control the variables that you can while being sure that you fail fast. Each failure brings you one step closer to success! Just don't make a habit of accepting failure. - Donald O'Sullivan, Pegasystems

5. Trust Your Intuition

This is the exact capability of visionary leaders, who search not only data but facts as well, learn from historical businesses or projects, apply SWOT, calculate risk and determination of mitigations and make a Plan B for consequences. These leaders not only trust their intuition but also never stop learning, taking risks and setting the future. - Majeed Hosseiney, Elements Global Services

6. Be Prepared For A Pivot

I recommend a combination of approaches when managing risk. A SWOT analysis can help steer a company or team in a promising direction. I also recommend a pivot strategy if market regulations drastically change. Start with Plan A, but quickly pivot to Plan B if necessary. Do quarterly or even monthly evaluations to determine if you are staying on track. - Matthew Rolnick, Yaymaker

7. Research And Assess Market Trends

The future is always uncertain. Leaders must research the market and trends and then assess the information at hand today and make a decision. Sometimes, the best decision is to wait until the future is a bit more certain. - Jan Dubauskas, Healthinsurance.com

8. Engage Regularly

Managing uncertainty requires being engaged and remaining informed so decisions can possess the flexibility needed to accommodate change. Being engaged with customers, regulators and suppliers enables you to help shape their direction in a manner positive to your business. Remaining informed of their leanings enables you to build in the flexibility needed to accommodate their changing positions. - Nathan Ives, DataGlance, Inc.

9. Embrace And Accept Change

Leaders should embrace change as the market will change, in good times or tough times. Accept this change and be able to pivot when needed to adapt to new normals, new regulations and other conditions. No one will ever have 100% of the information needed to make decisions, so thinking through different scenarios that could present themselves is always beneficial. - Michael Hines, Demand Management, Inc (DMI)

10. Make A Risk Management Plan

Apply standard project management and institute best practices for risk management. Make a risk management plan for your business by identifying potential risks and quantifying them the best you can. Plan how to best mitigate those risks based on their likelihood. Create a risk register to track it all and revisit the plan on a regular basis to keep it current as conditions change. - Michael Fritsch, Confoe

11. Break Potential Risks Into Smaller Risks

One strong point in favor of managing risk is to go by experience. Experience does help, but the same experiences will not work for Covid. Depending on the situation, I strongly suggest breaking risks into smaller risks. For smaller risks, identify what impact will be caused. Go back and check if any of the experiences of an individual or an organization will help. If it will, apply it. If not, address the risk. - Ashok Bhat, Acronotics

12. Prioritize Contingency Planning

Contingency planning has to be part of a firm’s armor when it comes to managing uncertainty. Starting early to plan through what-if scenarios and having pseudo-teams focused on contingency and implementation will be essential. Firms can also work with industry peers and industry bodies to ascertain industry assumptions; these will be critical for benchmarking through contingency planning. - Oluchi Ikechi, Accenture

13. Determine If You Can Manage The Risk

Weigh the risk and determine if you can manage it. Start by identifying and evaluating risk, which includes assessing its probability and impact. What do you then do with it? Based on your cost-benefit analysis, you may choose to accept it, take steps to reduce it or transfer it to someone else. A practical analysis will lead to more informed strategic decisions in the face of uncertainty. - Chor Meng Tan, Wiley

14. Think Through The Worst-Case Scenario

Paralysis by analysis can cause unnecessary indecision. Asking yourself, “What is the worst that could happen,” can put circumstances into perspective and help you be more decisive during times of uncertainty. Oftentimes, the worst-case scenario is manageable. - Brandon Rigoni, Lincoln Industries

How to Perform Business Risk Mitigation: Strategies, Types, and Best Practices

By Kate Eby | March 23, 2023

Successful companies are always identifying, lessening, and eliminating business risks. We’ve gathered tips from industry experts on how they do this. We also provide risk assessment templates and step-by-step guidance on business risk mitigation.

Included on this page, you’ll find the main ways companies should respond to risks, best practices for business risk mitigation, a step-by-step process for performing good risk mitigation, and templates that can help guide you in assessing and dealing with business risks.

What Is Risk Mitigation?

Risks can pose a threat to a project or a business. Risk mitigation is the process of eliminating or lessening the impact of those risks. Teams can use risk mitigation in several ways to help protect a business.

Project leaders might use project risk management and mitigation to ensure the success of a specific project. Business leaders might use business risk mitigation — sometimes as part of overall enterprise risk management or enterprise risk assessment — to protect the long-term health of a company.

Why Is Risk Mitigation Important?

Risk mitigation is important because risks sometimes turn into realities. If your project team or business leaders haven’t figured out ways to deal with and lessen those risks, they can have a hugely negative impact on a project or business.

“Business risk mitigation is important because it helps organizations to identify and address potential risks that could impact their operations, reputation, or bottom line,” says Andrew Lokenauth, a former finance executive with Goldman Sachs and JP Morgan, an adjunct professor at the University of San Francisco School of Management, and the founder of Fluent in Finance. “By proactively managing risks, organizations can minimize disruptions and protect their assets, stakeholders, and long-term viability.”

Here are some of the top reasons that business risk mitigation is important:

  • Maintain the Existence and Profitability of a Business: Some risks can torpedo the very existence of a business — especially if they happen when the business hasn’t prepared for them. Business leaders must identify and assess risks and figure out ways to lessen or eliminate high-priority risks.
  • Maintain a Business Reputation for Stability: Some risks, when they happen, can damage a company’s customer relationships. Business leaders want customers to be able to trust the stability of a business. Preparing for risks helps ensure that stability.
  • Keep Internal and External Stakeholders Happy: Both employees and external stakeholders want a business to succeed and be prepared for negative risks. Making sure your team performs good risk management — including risk mitigation — will give internal and external stakeholders confidence that the business is ready for any negative events.

Erika Andresen

  • Keep Your Staff and Others Safe: The mitigation measures you need for weather events will also protect the safety of your staff and others. Mitigation measures against problems such as fire damage can also protect staff and customers. 
  • Avoid Negative Societal and Economic Impacts: In some cases, risks to your organization can have large societal and economic impacts. Examples include risks to the operations of utilities, government agencies, or internet companies. Perform solid risk mitigation to prevent these negative risks or lessen their impact.
  • Know That No One Else Will Do It for You: Many people believe that certain risks just won’t happen or that some government agency or other group is monitoring the situation and will assist if there is a problem. That is often not true. “This is typical of most Americans — not even just business heads or business leaders — that you don’t think it’s gonna happen to you,” says Andresen. “You think if it does happen, it's not going to be that bad, and that you're going to get help from somewhere else. And all of those things are patently false.”

What Are the Types of Risk Mitigation?

When people talk about the types of risk mitigation, what they’re often referring to are types of risk responses or risk response strategies. Risk mitigation is one possible risk response, but it is not the only one.

Another important thing to remember is that not all risks are negative. There are positive risks — or opportunities — that can happen for your business as well. Experts have outlined five primary ways to respond to negative risks and five primary ways to respond to positive risks, both of which are important to the long-term health of a company.

These are the five primary risk response strategies for dealing with negative risks:

  • Mitigate: Risk mitigation involves taking steps to reduce the likelihood or impact of a risk. 
  • Transfer: Leaders can choose to transfer a risk to another entity. Buying insurance is a good example of transferring risk. You still take steps to prevent fires at your property, but when you buy fire insurance, the insurance company assumes much of the financial risk if a fire happens.
  • Accept: In some cases, it is simply not possible or economically feasible to avoid or mitigate risk. Leaders might choose to accept certain risks that are too costly to try to affect or that are unlikely to happen. “It may not be possible or practical to avoid or reduce a risk,” Lokenauth says. “In these cases, organizations may choose to accept the risk and manage it as it arises.”
  • Escalate: In project risk management — though not often in business risk mitigation — leaders choose to escalate certain risks. This response involves providing information on the risk to top organizational leadership, so they can make a decision. This is usually the response to a significant risk that would require significant costs to mitigate.

These are the five primary risk response strategies for positive risks:

  • Share: If your company chooses to share a positive risk, that means it will work with another company or entity to take advantage of an opportunity. Sharing positive risk can increase the likelihood and impact of opportunities. However, it also requires that the company split the resulting benefits.
  • Exploit: When a company chooses to exploit a positive risk, it devotes special attention and resources to making sure an event happens.
  • Enhance: Companies can enhance positive risks by improving the likelihood that they will happen. This is different from exploiting a risk, because the possibility still exists that the opportunity will never arise.
  • Accept: If your company understands that a positive risk might happen, it might prepare to act on it without investing resources to try to increase the chances that it will happen.
  • Escalate: As with escalating negative risks, your team can escalate positive risks to company leadership to make decisions about which strategy to implement. This is common when teams identify opportunities that could have enormous benefit to the company but might take a large investment to enhance or exploit.

You can learn much more about risk assessments, and the primary ways that project managers and organizations can respond to both negative and positive risks, in this essential guide to project risk assessments.

Risk Mitigation Strategies

Businesses use a number of strategies to help them respond to business risks. These can include overall risk and contingency planning, as well as tactical moves, such as hiring a risk manager or outside risk management consultant.

Here are some overall risk response strategies teams can use:

  • Risk Management Planning: Teams will very often produce a risk management plan for individual projects, but they can also create a risk management plan for an entire enterprise. This plan should describe how your team plans to identify, assess, respond to, and mitigate risks to the organization. You can learn much more about risk management plans and planning and can download risk management plan templates.
  • Contingency Planning: Contingency planning is usually a part of project risk management, but teams can create contingency plans for their entire organization. Contingency plans include specific actions your team will take if a risk actually happens. The contingency plan might include extra funds or extra staff to respond to a risk.
  • Business Continuity Planning: Business continuity planning is the most common risk response strategy that organizations use to deal with risks to the entire enterprise. For specific projects, organizations will more often use strategies such as contingency planning and project risk management planning. The goals of business continuity planning are to identify important risks to the organization and make plans for what the organization will do to lessen or eliminate those risks.

You can learn much more about business continuity plans. You can also download business continuity plan templates.

  • Setting Aside Contingency Reserves: These are funds an organization sets aside to help it deal with and mitigate important risks if they happen.
  • Employing a Risk Manager: Many organizations choose to employ a full-time risk manager to oversee the organization’s entire risk management program. This role may involve helping with project risk management, or overseeing the more general management of risk and compliance across an organization.
  • Contracting with Outside Consultancies: Many organizations contract with outside risk experts to help with risk assessments and business continuity planning.
  • Employee Training: Forward-thinking organizations also conduct employee training and drills to bolster their contingency and risk mitigation plans. The training helps employees understand what they should be doing if a risk happens. You can learn more about such training and drills as part of contingency plans. 
  • Product Testing: For software and technology companies especially, it’s important to do product testing throughout the development of a product. That testing will lower the risk that your organization will have to spend extra money to fix problems or to repeat development work.
  • Following Information Security Best Practices: Information security issues are a huge risk for many organizations. Most organizations understand the importance of good information security practices, such as implementing strict password policies and two-factor authentication requirements.

Risk Mitigation Best Practices

Experts recommend following certain best practices for business risk mitigation. Some best practices include being proactive in identifying and assessing risks and making management policies clear to all stakeholders.

Here are some important best practices for business risk mitigation:

  • Create a Strong Culture of Risk Management: It’s important that your organization and its leaders understand the importance of investing in solid risk management. Avoid the temptation to believe that risk management is not important or necessary. “Humans want to avoid risks, so we want to even avoid the discussion of risks,” Contreras says. “Good risk management forces you to have those discussions. You have to face them and look them in the eye, then make some decisions on how you're going to handle them. Don't let it fall by the wayside.”
  • Involve Stakeholders: Make sure you communicate with and involve stakeholders in your risk management work. That means asking for their input as you identify and assess risks.
  • Create a Clear and Transparent Risk Management Framework and Policy: Your organization should outline the basics of its risk management program in a risk management policy. Everyone in your organization should have access to and understand that policy. “A risk management policy should outline the organization's approach to risk management, including the roles and responsibilities of different stakeholders; the processes for identifying, analyzing, and responding to risks; and the methods for monitoring and reviewing the effectiveness of risk management efforts,” Lokenauth says.
  • Be Proactive: It is vital for any organization to be proactive and aggressive in identifying and planning for risks. Lokenauth recalls a time when he worked for a large company in New York that wasn’t prepared for all risks. When Hurricane Sandy hit in October 2012, the firm had no place for its employees to work. “We were home for a week or two getting paid, and we weren't doing any work,” he says. “Things weren't getting done. It took them about a week or two to send us laptops. And then it took another week to try to figure out where to put us, to rent some space in Jersey City. If they had a plan in place for a thing like that, it would have been better.” “It's important to be proactive about identifying and addressing potential risks rather than waiting for them to occur,” he says. Contreras adds that a business leader’s perspectives on risks can affect how an entire company approaches risk — either to the company’s benefit or to their detriment. “Small and medium-sized businesses are usually led by one big leader,” he says. “That leader’s perspective can really sway the business — and maybe not in a good way. The leader might be super optimistic, always thinking, ‘Yeah, we can do this.’ But the leadership team really needs to look at things and ask, ‘What if it doesn’t go? What would be the downside here? What are the things that can go wrong?’ So you want to get people in a room and start thinking negatively. ‘What are the things that can go wrong? And what can we do about them? What can we do to mitigate them?’”
  • Be Comprehensive: It’s important that your organization thinks about risks in all areas. Avoid focusing only on what leaders think might be the most obvious areas for risk. “It's important to develop a comprehensive risk management plan rather than focusing on individual risks in isolation,” Lokenauth says.
  • Conduct Employee Training or Drills: Risk mitigation isn’t finished once a company writes a contingency plan. Leaders must also train employees to perform the actions outlined in the plan. They must also determine whether that contingency plan is going to be effective by performing drills. You can learn more about training and drills in contingency planning.
  • Continuously Monitor Possible Risks: Too many organizations perform one risk assessment, then believe they are finished — sometimes for a year or two or more, experts say. However, risks are constantly changing, and organizations need to continually identify and assess new risks to avoid costly oversights. That means requiring routine risk assessments and creating a culture that is always monitoring and addressing new risks. “You want to establish policies on how you identify and monitor risks, and you want to monitor them every month,” Lokenauth says. That can be as simple as making sure your risk department works through a monthly checklist of risks that you are tracking and what’s happening with them. It also means watching for new risks or for changing circumstances around current risks, experts say.
  • Make Changes Where Needed: When your organization’s continual assessment shows that a new risk has arisen, or that an older risk is changing, it must make changes in its risk response plan. “If you grow as a company, you now have a different footprint in which you need to assess your risk,” Andresen says. “If you shrink — again, you have a different footprint. You might not need the same control measures or countermeasures, and you can put that money somewhere else.”
  • Communicate Your Risk Management Plans: It’s vital that your organization communicates often and effectively with organization leaders, employees, and other stakeholders about the organization’s risk management work.

What Is the Risk Mitigation Process?

Experts sometimes use the term risk mitigation process to describe how organizations identify, assess, and prepare to lessen or mitigate risks. More often, experts use the term risk management to describe that work.

Here are the seven basic steps of the risk management process:

  • Identify All Possible Risks: Gather a team or multiple teams to offer input on all possible risks to your organization. You might do this through formal meetings or gather input in other ways. “The first thing you would do is have every department do their risk analysis — but not in a silo,” Andresen says. “You do want them talking to each other. Because you’ll get some people being inspired by the others. You’ll get others validating the risk of others. And you get a whole operating picture of the entire company: ‘Where are we weak? Where are we strong?’” Lokenauth suggests using such options as “brainstorming sessions, risk assessments, or reviewing industry data” to identify risks. Ask everyone involved — internally and externally — to think broadly about all possible risks. Your team can use a questionnaire to assess potential risks to your organization and analyze its risk culture.
  • Analyze Risk Probability and Impact: After your team identifies all risks, it will need to assess each risk’s probability and the potential impact on your business. “You have to figure out what exactly is the most vital piece of your ability to conduct your business, then figure out the risks to that,” Andresen says. “Then you have to look at internal and external risks. What are the internal risks that you can encounter? And what are your external risks that you could potentially encounter? How do you want to solve for them?” Contreras notes that your team can also assess the top risks for various departments within your organization, along with various kinds of risks. “If, say, it's a supplier risk, what are the top three suppliers that we should be concerned about?” he says. “And what are the top three infrastructure risks? What are the top three HR staffing risks that we have?”
  • Prioritize Risks: Once your team has studied and assessed the probability and potential impact of each risk, it must then prioritize which risks are most important to address. “As the likelihood becomes very high — let's say over 50 percent — then you decide, ‘OK, we need to do something to mitigate that,’” Contreras says. “Then the second determination would be: ‘What's the cost?’ If it’s high likelihood and high dollars, those are the ones you do want to focus on — the more likely it is to happen and the more obvious the cost impact.” For example, a risk that could cost your organization millions of dollars will take priority over a risk that would cost them thousands at most. Similarly, a risk that is almost certain to happen will take priority over a risk that has almost no chance of happening.
  • Create Response Plans: Create plans to deal with or lessen the effects of the most important risks. Your organization likely won’t have the resources to mitigate every risk your company identifies. That’s why you prioritize the most important risks to face. “The next step is to develop responses to address the important risks,” Lokenauth says. “This may involve implementing controls or safeguards to prevent the risk from occurring, transferring the risk to a third party, or accepting the risk and managing it as it arises.” Lokenauth adds that your team should consider the costs to your organization of mitigating even the high-priority risks. If mitigating a high-priority risk will be prohibitively expensive, an organization might decide to simply accept that risk, while mitigating lower-priority risks.
  • Track and Monitor Risks: Remember that business risk mitigation is an ongoing, evolving process. Continually track risks and potential changes in risk probability or impact. Contreras suggests that risk teams hold regular meetings to assess and monitor risks. “You probably should make it monthly — where you revisit the risks, and you're either changing the probability, or you're taking some out because they didn't happen, or some of them occurred,” he says. “Now, it becomes not a risk, but an issue — a problem that you have to begin to solve.”
  • Monitor Mitigation Measures: Your organization should also monitor its mitigation measures. Monitor how and whether your teams are implementing risk mitigation measures. In addition, monitor how the mitigation measures are working and what risks have already occurred.
  • Report to Organization Leaders: Regularly report to organizational leaders about ongoing risks and mitigation measures.

Example Risk Response Plan

Example Business Risk Response Plan

Download a Sample Business Risk Response Plan for Excel | Microsoft Word

Download this completed example business risk response plan that can help your team understand how to write a risk response plan for your organization. This plan includes sample data, with components such as risk, risk severity, description of mitigation plans for that risk, and if and how those mitigation plans are working. Use this template as a starting point, and customize it to create your own business risk response plan.

Risk Mitigation by Departments and Broad Areas

Teams can assess business risks by department, such as operations or sales. They can also assess them by broad categories, such as technical risks or compliance risks. This will help organizations avoid costly oversights during risk mitigation.

Organizations might assess risk in various departments, such as the following:

  • Human Resources

They might also assess risks in broader, thematic areas. Those areas might include:

  • Compliance Risks: There can be risks in areas where laws or government rules require certain actions and issue penalties for noncompliance.
  • Management Risks: There can be risks surrounding a company’s management, such as a key leader leaving the company.
  • Operational Risks: Risks can arise based on the operational structure of your organization, such as how it sources materials or hires staff members.
  • Overall Costs Risks: Some risks threaten to significantly increase your company’s costs to operate.
  • Reputational Risks: Some risks relate to your company’s image and reputation among customers or clients.
  • Resources Risks: There can be risks to the resources your company needs to operate.
  • Strategic Risks: Some risks involve a company’s overall business strategy.
  • Technical Risks: There can be risks related to technology your company is using or producing.

Your team might also consider doing what is called a PESTLE analysis. In this analysis, your team considers the overall business environment and potential risk in six areas: political, economic, social, technological, environmental, and legal.

Tip: You might see this type of analysis written as a PESTEL analysis. Both acronyms indicate the same six areas but are written in a different order.

PESTLE Analysis Template

PESTLE Analysis Grid Template

Download a PESTLE Analysis Template Excel | Microsoft Word

Download this template to help guide you through a PESTLE analysis. This analysis helps your team focus on and think about risks to the business in six broad areas. Use the empty columns to list potential risks to your organization in each category and summarize your risk mitigation plan.

Risk Mitigation Tools

A variety of tools are available to help your team assess and mitigate risks. These include risk management plans and assessments. Many companies also use risk assessment frameworks (RAFs), which specifically measure IT risks.

These are some tools that can help all companies with risk management and risk mitigation:

  • Risk Assessment Matrix: A risk assessment matrix can help your team calibrate risks based on probability and likelihood.
  • SWOT Analysis: A SWOT analysis can help your team analyze threats to your organization, along with strengths, weaknesses, and opportunities.
  • Root Cause Analysis: A root cause analysis can help your team determine the root cause of an issue or problem affecting your company. 
  • Business Impact Analysis: A business impact analysis is a process that teams work through to assess the possible effects of major interruptions to an organization’s operations. Most often, these potential interruptions are events such as natural disasters, major accidents, or other emergencies.

These are some common RAFs that IT experts use:

  • Factor Analysis of Information Risk (FAIR)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework
  • Control Objectives for Information Technologies (COBIT) from the Information Systems Audit and Control Association
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework from Carnegie Mellon University
  • Risk Management Framework from the National Institute of Standards and Technology (NIST)
  • Threat Agent Risk Assessment (TARA), created by Intel

Risk Mitigation vs. Contingency

A risk mitigation plan might include a contingency reserve or contingency. While the risk mitigation plan includes many elements, the contingency is simply a reserve of funds, time, or other resources that can help mitigate certain risks.

Risk Mitigation vs. Risk Management

Risk mitigation is one part of the entire risk management process. When your organization performs risk management, it will perform risk assessments that might call for risk mitigation.


Identifying and managing business risk

Risk is a part of doing business. Find ways to minimise risks and impacts to ensure your business can safely run and grow.

What is business risk

Business risks are factors that threaten your ability to operate, leading to lost profits or business failure.

When identifying and managing risks, consider:

  • the possible causes and impacts
  • how these risks affect your business objectives
  • how they could be recorded in a risk management plan
  • steps you could take to minimise the risk or the impact.

By considering potential risks and impacts in advance, you can develop procedures without the added pressure of trying to manage the risk at the time.

Understanding business risk

Types of risks include:

  • direct risk—a threat to your business that is within your control
  • indirect risk—a threat to your business that is out of your control
  • internal risk—risks you have the power to prevent or mitigate within your business
  • external risk—risks you have no control over.

Risks, potential business impacts and resources

Type of risk: (e.g. flood, fire, cyclone, storm, drought)

Potential impact on business objectives

  • Unable to trade
  • Premises closed
  • Cost of time for cleaning up and rebuilding
  • Customers cannot get through
  • Suppliers cannot provide stock

Resources to assist

  • Natural disaster preparation for small businesses
  • Business insurance
  • Understand your risk – advice from the Queensland Reconstruction Authority

Type of risk: (e.g. COVID-19, swine flu, bird flu)

Potential impact on business objectives

  • Staff unable to work
  • Cleaning and restocking time and costs
  • Customer behaviour changes
  • Loss of livestock

Resources to assist

  • Pandemic and health event risk management
  • Major health event preparation for small business
  • Disaster recovery for livestock farms

Type of risk: (e.g. wars, political disruption, supply chain disruption)

Potential impact on business objectives

  • Cannot get or send stock through normal import/export channels
  • Need to change suppliers or find other markets

Resources to assist

  • Market profiles from Trade and Investment Queensland
  • IBISWorld industry reports available for free from State Library of Queensland

Type of risk: (e.g. import and export regulations, change in tax obligations)

Potential impact on business objectives

  • New policies and procedures to implement
  • Changes in trading
  • Changes in taxation and financial obligations
  • Changes in environmental allowances (e.g. water allocations, waste management)

Resources to assist

  • Meeting your legal obligations
  • Complying with payroll tax obligations
  • Meeting environmental obligations and duties

Type of risk: (e.g. hazards, equipment)

Potential impact on business objectives

  • Hazards and injuries to staff
  • Failure to provide a safe workplace

Resources to assist

  • WorkSafe Queensland

Type of risk: (e.g. sustainable practices, ethical practices)

Potential impact on business objectives

  • Climate change
  • Chemical spills and failing to protect the environment
  • Consumer trends towards desiring sustainability

Resources to assist

  • Environment and business
  • Adapting to climate change
  • Climate change risk management tool for small businesses (PDF, 10.2MB)

Type of risk: (e.g. power outages, transport disruption, road works)

Potential impact on business objectives

  • Electrical, gas, and water disruption to the business premises
  • Access to business premises disrupted including parking, deliveries, and pedestrian traffic

Resources to assist

  • Works with small business — guidelines for agencies to proactively engage with small businesses when undertaking capital works projects.

Type of risk: (e.g. computers, internet, networks, client databases, telecommunications)

Potential impact on business objectives

  • Older technology and software failures
  • Software does not meet new regulations
  • Cyber security compromised causing disruptions and loss of data or intellectual property
  • Failure in maintaining privacy of customer data

Resources to assist

  • IT risk management
  • IT threat preparation for small business
  • Cyber security – protect your online business activity

Type of risk: (e.g. supplier agreements, lease agreements, staff contracts)

Potential impact on business objectives

  • Contractual problems
  • Failing to meet legislation, regulations, or obtaining licences and permits

Resources to assist

  • Australian Business Licence and Information Service (ABLIS)
  • Resolving business disputes
  • Assistance for small businesses from the Queensland Small Business Commissioner

Type of risk: (e.g. shoplifting, internal theft, staff safety)

Potential impact on business objectives

  • Shoplifting
  • Fraud causing loss of equipment
  • Stock and cash flow
  • Vandalism causing cost of time to replace and repair

Resources to assist

  • Shoplifting, stealing, fraud, and burglary
  • Security and crime prevention

Type of risk: (e.g. online reviews, customer feedback)

Potential impact on business objectives

  • Negative media coverage
  • Social media rumours
  • Staff leave the business

Resources to assist

  • Reputation incident preparation for small business
  • Social media
  • Online communication and customer reviews

Type of risk: (e.g. recruitment, staff, training)

Potential impact on business objectives

  • Difficulty in finding new staff
  • Bullying and harassment
  • Staff not well trained leading to mistakes and poor customer service

Resources to assist

  • Managing conflict in the workplace
  • Staff training, development and mentoring
  • Help to hire staff from Workforce Australia.

Type of risk: (e.g. economic downturns, inflation)

Potential impact on business objectives

  • A reduction in consumer spending
  • Changing market leading to reduced income
  • Increasing expense costs, e.g. fuel, transport, energy
  • Suppliers may be affected

Resources to assist

  • Surviving an economic downturn
  • Marketing, advertising and promotion
  • IBISWorld industry reports available for free from the State Library of Queensland

Analysing risk impact

It can be overwhelming to consider all possible risks a business faces. Assessing the impact of each can help prioritise where to invest your time and energy.

Completing this exercise will help you focus on risks with the highest scores and therefore the greatest potential to impact your business.

Risks come in different forms. Some will have a big impact and others a moderate impact. Working out which to focus on can be considered by looking at a 'level of risk' scale.

This scale determines the likelihood of the risk occurring and looks at the impact if the event does occur to determine a level of risk score. The higher the score, the higher the priority to reduce the risk or impact.

Likelihood × Impact = Level of risk

Likelihood scale

Impact scale, level of risk (likelihood x impact).

Developing and using risk analysis methods can help to assess the levels of risk within the business and where to focus.

A business in its 5th year of operation is using a computer to access and record high volumes of sales in a customer database.

Due to rapid growth over the past 2 years, the computer has not been updated in some time, changes to software packages installed have not taken place, and passwords for online accounts have not been changed. Staff are reporting odd phone calls from 'IT officers' seeking account information to prevent 'emergency situations'.

There is some risk this business could be the target of hackers who are interested in customer data, information about sales and other information collected by the business.

The impact of getting hacked is losing sensitive customer data, jeopardising the business's reputation and depending on the nature of the hack, potential compromise of the business's banking information.

The current situation is sitting on the scale as a:

  • Likelihood: High (level 3)
  • Impact: Very High (level 4)
  • Level of risk: Likelihood 3 x Impact 4 = 12 Severe

This presents as a severe risk.

Reducing this risk level immediately is recommended.

Action item

Use this section to help you complete a risk level assessment.

Record this in the risk management plan section and business impact analysis section of your business continuity plan template.

Treating risks to your business

Once you have completed the analysis and identified the areas of concern, the next step is to consider how to reduce the level on the scale.

You can treat risks by assessing the factors attached to the risk and identifying areas for improvement.

In the case study above, the level of risk can be reduced by updating software, changing passwords and reminding staff to be very careful with business information and decline requests to provide information over the phone.

While these actions might not remove the risk, they can reduce a highly likely, very high impact situation to a medium likelihood, moderate impact situation.

Often, high-risk situations can be reduced to medium or low risk with some careful planning and action.

Ask yourself

  • What is one high risk in your business right now?
  • How likely is it?
  • What would you rate the impact of this risk occurring?
  • How could you reduce the likelihood or the impact for this high-level risk?

Creating a risk management plan and business impact analysis

Once you have identified risks to your own business, manage them by developing a risk management plan to assist:

  • avoiding the impact
  • eliminating the impact
  • reducing the impact.

A risk management plan identifies risk. Business impact analysis considers strategies to manage risks.

Your business continuity plan is key to recording risks to the business and coming up with plans to manage them.


Download the business continuity plan template

This template includes a:

  • risk management plan section
  • business impact analysis section

Download the business continuity planning template.

Use this page (and other resources provided) to complete the risk management plan and business impact sections of the template.

To prepare:

  • identify significant risks to your business
  • analyse the potential impact of each risk
  • create strategies to treat and reduce the risks
  • create or review and update your risk management plan and business impact analysis.

The business continuity plan is a good point of reference to record this information and to refer to in the event of an emergency.

Find out more about writing a business continuity plan.

Reviewing and updating your risk management plan and business impact analysis

Risk management plans and business impact analysis are part of your business continuity plan.

As time goes by, and as the business changes, updating these sections of your business continuity plan will help you consider new risks, downgrade treated risks and highlight areas for improvement.

Conducting tests or trials to see what would happen if risks eventuated can help with this process. A good example of these is an emergency evacuation drill.

By conducting an evacuation drill, you will be able to determine:

  • how the business performed
  • whether the process and systems worked effectively
  • what areas need to be reviewed or improved.

Upon review, update your risk management plan with revised procedures and communicate these changes to your staff.

By planning for challenges, your business is better prepared to meet them.

Also consider...

  • Find out about managing risk with business insurance.
  • Read about writing a business continuity plan.
  • Explore managing risks when starting up.
  • Find out about IT risk management.
  • View our Cyber security for small business webinar for information, tips and resources on protecting yourself and your business from cyber security threats.
  • Last reviewed: 24 Nov 2022
  • Last updated: 24 Nov 2022


Managing Risks: A New Framework

  • Robert S. Kaplan
  • Anette Mikes


Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.

Smart companies match their approach to the nature of the threats they face.

Editors’ note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.

  • Robert S. Kaplan is a senior fellow and the Marvin Bower Professor of Leadership Development emeritus at Harvard Business School. He coauthored the McKinsey Award–winning HBR article “ Accounting for Climate Change ” (November–December 2021).
  • Anette Mikes is a fellow at Hertford College, Oxford University, and an associate professor at Oxford’s Saïd Business School.


Key types of business risk every leader should plan for

  • June 16, 2021


The Top 50 Business Risks And How To Manage them!

Risk is simply uncertainty of outcome, whether positive or negative (PRINCE2, 2002, p239). Business risk is uncertainty around strategy, profits, compliance, environment, health and safety and so on.


Enterprises are often defined by how they deal with events that are out of their control. For example, how you react to a disruptive technology or cope with a sudden change in the markets can be the difference between success and failure.

Contingency planning is the art of preparing for the unexpected. But where do you start and how do you separate the threats that could do real harm to your business from the ones that aren’t as critical?

Here are some important definitions, best practices and strong examples to help you build contingency plans for whatever your business faces.

What is a contingency plan?

Business contingency plans, also known as “business continuity plans” or “emergency response plans” are action plans to help organizations resume normal business operations after an unintended interruption. Organizations build contingency plans to help them face a variety of threats, including natural disasters, unplanned downtime, data loss, network breaches and sudden shifts in customer demand.

A good place to start is with a series of “what if” questions that propose various worst-case scenarios you’ll need to have a plan for. For example:

  • What if a critical asset breaks down, causing delays in production?
  • What if your top three engineers all quit at the same time?
  • What if the country where your microprocessors are built was suddenly invaded?

Good contingency plans prioritize the risks an organization faces, delegate responsibility to members of the response teams and increase the likelihood that the company will make a full recovery after a negative event.

Five steps to build a strong contingency plan

1. Make a list of risks and prioritize them according to likelihood and severity

In the first stage of the contingency planning process, stakeholders brainstorm a list of potential risks the company faces and conduct risk analysis on each one. Team members discuss possible risks, analyze the risk impact of each one and propose courses of action to increase their overall preparedness. You don’t need to create a risk management plan for every threat your company faces, just the ones your decision-makers assess as both highly likely and with a potential impact on normal business processes.

2. Create a business impact analysis (BIA) report

Business impact analysis (BIA) is a crucial step in understanding how the different business functions of an enterprise will respond to unexpected events. One way to do this is to look at how much company revenue is being generated by the business unit at risk. If the BIA indicates that it’s a high percentage, the company will most likely want to prioritize creating a contingency plan for this business risk.

3. Make a plan

For each potential threat your company faces that has both a high likelihood of occurring and a high potential impact on business operations, you can follow these three simple steps to create a plan:

  • Identify triggers that will set a plan into action: For example, if a hurricane is approaching, when does the storm trigger your course of action? When it’s 50 miles away? 100 miles? Your teams will need clear guidance so they will know when to start executing the actions they’ve been assigned.
  • Design an appropriate response: The threat your organization prepared for has arrived and teams are springing into action. Everyone involved will need clear, accessible instructions, protocols that are easy to follow and a way to communicate with other stakeholders.
  • Delegate responsibility clearly and fairly: Like any other initiative, contingency planning requires effective project management to succeed. One proven way to address this is to create a RACI chart. RACI stands for responsible, accountable, consulted and informed, and it is widely used in crisis management to help teams and individuals delegate responsibility and react to crises in real time.

4. Get buy-in from the entire organization—and be realistic about cost

Sometimes it can be hard to justify the importance of putting resources into preparing for something that might never happen. But if the events of these past few years have taught us anything, it’s that having strong contingency plans is invaluable.

Think of the supply chain problems and critical shortages wreaked by the pandemic or the chaos to global supply chains brought about by Russia’s invasion of Ukraine. When it comes to convincing business leaders of the value of having a strong Plan B in place, it’s important to look at the big picture—not just the cost of the plan but the potential costs incurred if no plan is put in place.

5. Test and reassess your plans regularly

Markets and industries are constantly shifting, so the reality that a contingency plan faces when it is triggered might be very different than the one it was created for. Plans should be tested at least once annually, and new risk assessments performed.

Contingency plan examples

Here are some model scenarios that demonstrate how different kinds of businesses would prepare to face risks. The three-step process outlined here can be used to create contingency plans templates for whatever threats your organization faces.

A network provider facing a massive outage

What if your core business was so critical to your customers that downtime of even just a few hours could result in millions of dollars in lost revenue? Many internet and cellular networks face this challenge every year. Here’s an example of a contingency plan that would help them prepare to face this problem:

  • Assess the severity and likelihood of the risk: A recent study by Open Gear showed that only 9% of global organizations avoid network outages in an average quarter. Coupled with what is known about these attacks—that they can cause millions of dollars in damage and take an immeasurable toll on business reputation—this risk would have to be considered both highly likely and highly severe in terms of the potential damage it could do to the company.
  • Identify the trigger that will set your plan in action: In this example, what signs should decision-makers have watched for to know when a likely outage was beginning? These might include security breaches, looming natural disasters or any other event that has preceded outages in the past.
  • Create the right response: The organization’s leaders will want to determine a reasonable recovery time objective (RTO) and recovery point objective (RPO) for each service and data category their company faces. RTO is usually measured with a simple time metric, such as days, hours or minutes. RPO is a bit more complicated as it involves determining the minimum/maximum age of files that can be recovered quickly from backup systems in order to restore the network to normal operations.  

A food distribution company coping with an unexpected shortage

If your core business has complex supply chains that run through different regions and countries, monitoring geopolitical conditions in those places will be critical to maintaining the health of your business operations. In this example, we’ll look at a food distributor preparing to face a shortage of a much-needed ingredient due to volatility in a region that’s critical to its supply chain:

  • Assess the severity and likelihood of the risk: The company’s leaders have been following the news in the region where they source the ingredient and are concerned about the possibility of political unrest. Since they need this ingredient to make one of their best-selling products, both the likelihood and potential severity of this risk are rated as high.
  • Identify the trigger that will set your plan in action: War breaks out in the region, shutting down all ports of entry/exit and severely restricting transport within the country via air, roads and railroads. Transportation of their ingredient will be challenging until stability returns to the region.
  • Create the right response: The company’s business leaders create a two-pronged contingency plan to help them face this problem. First, they proactively search for alternate suppliers of this ingredient in regions that aren’t so prone to volatility. These suppliers may cost more and take time to switch to, but when the overall cost of a general production disruption that would come about in the event of war is factored in, the cost is worth it. Second, they look for an alternative to this ingredient that they can use in their product.

A social network experiencing a customer data breach

The managers of a large social network know of a cybersecurity risk in their app that they are working to fix. In the event that they’re hacked before they fix it, they are likely to lose confidential customer data:

  • Assess the severity and likelihood of risk: They rate the likelihood of this event as high, since, as a social network, they are a frequent target of attacks. They also rate the potential severity of damage to the company as high since any loss of confidential customer data will expose them to lawsuits.
  • Identify the trigger that will set your plan in action: Engineers make the social network’s leadership aware that an attack has been detected and that their customers’ confidential information has been compromised.
  • Create the right response: The network contracts with a special response team to come to their aid in the event of an attack and help them secure their information systems and restore app functionality. They also change their IT infrastructure to make customer data more secure. Lastly, they work with a reputable PR firm to prepare a plan for outreach and messaging to reassure customers in the event that their personal information is compromised.

The value of contingency planning 

When business operations are disrupted by a negative event, good contingency planning gives an organization’s response structure and discipline. During a crisis, decision-makers and employees often feel overwhelmed by the pile-up of events beyond their control, and having a thorough backup plan helps reestablish confidence and return operations to normal.  

Here are a few benefits organizations can expect from strong contingency plans:

  • Improved recovery times: Businesses with good plans in place recover faster from a disruptive event than companies that haven’t prepared.  
  • Reduced costs—financial and reputational: Good contingency plans minimize both financial and reputational damage to a company. For example, while a data breach at a social network that compromises customer information could result in lawsuits, it could also cause long-term damage if customers decide to leave the network because they no longer trust the company to keep their personal information safe.
  • Greater confidence and morale: Many organizations use contingency plans to show employees, shareholders and customers that they’ve thought through every possible eventuality that might befall their company, giving them confidence that the company has their interests in mind.

Contingency plan solutions

IBM Maximo Application Suite is an integrated cloud-based solution that helps businesses respond quickly to changing conditions. By combining the power of artificial intelligence (AI), Internet of Things (IoT) and advanced analytics, it enables organizations to maximize the performance of their most valuable assets, lengthen their lifespans and minimize costs and downtime.


Why Are Major Risks in the Business Plan?


Risk factors are possible events that, should they happen, could cause a company’s revenues or profits to be lower than what the owner had forecast. They are a standard part of a thorough business plan, whether the plan is designed for internal use by the management team or will be presented to outside investors. Risk factors are also called threats, because they threaten the business’s success and in extreme circumstances even its survival.

Encourages Contingency Planning

The risk factors section of the business plan should go beyond simply listing what might go wrong. Being aware of what could negatively impact the company is important, but the real value of including risk factors is the business owner’s thinking process to determine how she would mitigate the risks to minimize the financial damage to her company. The thinking process is referred to as contingency planning, also known as “what if” analysis. The business owner will make changes to her marketing strategies, operations and financial management in response to these risks becoming a reality.

Focus on the Business Environment

A company should have a system in place to gather information about emerging or potential risks. Monitoring competitors on an ongoing basis is one aspect of this system. The decisions a company’s competitors make pose threats, because they are designed to give the competitors a stronger market position by taking potential business away from the company. Risk factors are not just considered at the time the company is preparing its annual business plan -- they are year-round considerations, because new threats emerge throughout the year.

Alert Potential Investors

A venture capital firm or angel investor that is contemplating putting money into a business enterprise must assess the risk that the company’s financial results will be lower than forecast. The value of the company grows as the revenues and profits of the business grow. The risk factors alert the investor to the fact there is always a possibility of losing part or all of the money he puts into the company. If the investor believes the risks could severely hurt the company should they occur, he may decline to make the investment. As a practical matter, sophisticated investors do their own risk analysis prior to putting money in a company, but the fact the management team is aware of, and has strategies for dealing with, the risks can make the investors more confident about the management team’s abilities.

Moving Forward Confidently

Analyzing risk factors allows the management team to be confident it is ready for whatever business environment the company may face in the upcoming year and beyond. The team has strategies in place that can be quickly implemented to minimize the damage caused by threats from competitors or changes in the overall economy. The management team assesses which risks are most likely to become actual threats and which have a very low likelihood of occurring. Owners of companies will always have external threats to worry about, but the risk analysis process helps reduce the number of worries to those that have the potential to negatively impact their revenues or profits.


Brian Hill is the author of four popular business and finance books: "The Making of a Bestseller," "Inside Secrets to Venture Capital," "Attracting Capital from Angels" and his latest book, published in 2013, "The Pocket Small Business Owner's Guide to Business Plans."


5 Consequences of Skipping a Business Plan

Author: Kody Wirth


Updated May 10, 2024

You’ve got a great business idea, something that could be truly special. 

You’re ready to dive in, ditch the day job, and build it yourself.

But you keep being told you need to write a business plan.

It feels like an unnecessary roadblock when all you want to do is go, and you’re tempted to skip it entirely.

After all, what’s the worst that could happen? 

That’s the question we’re tackling in this article. 

I spoke with seasoned planning experts Tim Berry, Sabrina Parsons, and Noah Parsons to uncover the consequences of starting a business without a plan.

1. An idea isn’t always a business

That initial rush of excitement when a business idea hits is intoxicating. You imagine the possibilities, the potential…but the journey from concept to reality is where things get tricky.

“Without a business plan, you won’t know if your idea can be turned into a business,” Sabrina cautions. “To transform an idea into an actual business, you need to test if it’s viable.”

The problem? Most people lack a framework for that testing. 

The idea remains trapped in your head. You lack answers to critical questions, like:

  • Does it solve a real problem? Who are your ideal customers, and what pain point are you addressing?
  • Is there a market? Are enough people willing to pay for your solution?
  • How will you make money? What’s your basic business model for turning a profit?

Creating a one-page plan gives you a structured way to answer these questions. It could save you from wasting time and resources chasing a dream that was never meant to be a business. 

Or it might just reveal that your idea has potential and deserves more research.


2. If you build it, they don’t always come

Even a seemingly good idea may not actually work.

It could be too expensive to execute, face overwhelming competition, or simply not appeal to enough customers. 

“‘If you build it, they will come’ is one of the biggest myths in business,” says Sabrina. “You need to attract people who actually want to buy what you are selling.”

This means finding product-market fit—the sweet spot where your solution meets a real customer need.

“It’s the single most important factor in the early stages of a business,” explains Noah. “If your product doesn’t solve a problem for your customers, you don’t have a business.”

True product-market fit requires testing. It means getting out there, talking to potential customers, and getting honest feedback:

  • Do they truly need what you offer?
  • Is the price point appealing?
  • Are you even targeting the right audience?

You can’t meaningfully ask these questions without first outlining the assumptions baked into your idea. Who are your customers? What problem do you solve? What’s your basic business model?

Again, creating a one-page plan forces you to address these assumptions from the start. It lays the groundwork for the kind of testing that separates successful startups from those that fizzle out because they misread the market.

3. You won’t know how much money you need

You hear about bootstrapping success stories—entrepreneurs building empires from scratch. But the reality is every business requires some investment, even if it’s your own.

“You need to know how much it will cost to start and keep the business running—and then what it will take to become profitable,” Noah stresses. 

If you lack a business plan, you’ll have no idea of your revenue and expense categories. These are the starting points for creating sales, expense, and cash flow forecasts that help you understand:

  • Startup Expenses: How much cash do you need to make your business operational?
  • Operating Costs: How much will it take to run your business for the first year?
  • Hidden Fees: Have you considered every potential expense, from licenses to marketing?
  • Cash Flow: How long will it take for enough money to come in to cover your ongoing expenses?

Trying to figure this out in real-time is a recipe for disaster. 

As Sabrina puts it, “It’s like playing high-stakes poker blindfolded. You’re risking everything without a clear picture of what you’re working with.”

A plan brings clarity. It helps you determine whether you have the funds to succeed, how quickly you might become profitable, and how to allocate your cash wisely. 

Without it, you risk running out of money before your business has a fighting chance.

4. You won’t know what is and isn’t working

“Tracking your business performance—reviewing how your actual results measure up to your plan—is the key to running a successful business,” Noah emphasizes.

Without a business plan and financial forecasts, you’ll lack the foundation to build a business strategy. That ‘blindfold’ that Sabrina mentioned before will stick with you throughout the life of your business.

Here’s what that means:

  • Inefficiencies bleed profits: You won’t be able to identify the areas where you’re losing money.
  • “Big decisions” are risky: You won’t know when it’s the right time to make critical decisions (like hiring team members or expanding).
  • Profitability is a mystery: Without tracking towards specific business goals, “what it will take to be profitable” remains unknown.
  • No data for decisions: When do you need to change course? Without the clarity a business plan provides, it’s impossible to say.

“Managing your business against your plan leads to better decisions,” says Sabrina. 

It doesn’t have to be complicated—again, with a simple one-page plan, you’ll have a tool “to better understand your financial drivers and revenue opportunities.” 

This plan becomes your roadmap. It lets you make data-driven decisions, minimize risk, and proactively steer your business toward success. With this knowledge, surprises become fewer, and your understanding of your business will grow deeper.

5. You will struggle to raise money

Investors and banks live in the world of business and financial plans.

As Tim states, “Don’t get caught thinking investors just want pitches and summaries. They expect a plan and will want to go over every detail.” Without these documents, you’ll face serious hurdles in securing funding. Tim adds: “I’ve seen investors reject a startup from just summaries without reading a business plan document. But I’ve never seen them invest without having seen a plan.”  

Think of it this way: If you don’t have a plan, you either scramble to assemble one or walk into investor meetings unprepared. 

“I’ve seen it countless times in actual investor pitches,” Tim recounts. “Things seem promising until investors start digging into specifics like marketing spend or administrative costs. Those without a well-thought-out plan freeze up. Investors can smell that a mile away.”

The very process of creating a business plan primes you for the questions investors will undoubtedly ask. “The planning process forces you to answer questions about your business that you may not have thought to ask yourself,” explains Noah. 

This includes the critical question: How much funding do you truly need?

“Getting the right amount of financing for your business will save you heartache and money,” says Sabrina. “Do yourself a favor and create a full financial forecast to understand exactly how much funding you need.” Otherwise, you risk under or overestimating, damaging your credibility with investors.

TLDR: If you’re seeking outside funding, a formal business plan isn’t just helpful—it’s essential. While a more detailed plan is likely necessary, the one-page plan we’ve discussed will form the foundation.

Failing to plan is planning to fail

Writing a business plan will make you a better business owner.

It’s not just about avoiding pitfalls; it’s about unlocking your business’s full potential. The planning process forces you to dig deep, examine your ideas, and refine them into a powerful strategy built for long-term success.

The best part? You don’t need a complex, time-consuming document to reap these rewards. 

“We’re talking about a lean one-page plan to run your business,” Tim emphasizes. “It’s easy to develop, keep updated, and build on bullet points, lists, and tables. If you know your business, you can do it quickly.”

So, whether you’re a new or existing business—don’t face the consequences caused by skipping out on your business plan.

Download our free one-page business plan template and write it in as little as 30 minutes. You and your business will be glad you did.

What are the consequences of not having a business plan?

Skipping the business planning process can lead to several negative consequences:

  • Your idea might not be viable: You risk wasting time and money on a product or service that nobody wants or isn’t profitable.
  • You could miss your target market: A plan helps you understand your ideal customer and ensure you’re offering something they truly need.
  • You’ll be financially unprepared: You won’t know your true startup and operational costs or how to reach profitability.
  • You’ll lack a roadmap: Without a plan, it’s difficult to track progress, identify problems, or make strategic decisions.
  • You’ll struggle to get funding: Investors and lenders rely on business plans and financial statements to assess the potential of your venture.

Remember, even a simple one-page plan can help you avoid these pitfalls and set your business up for success.

Can a business survive without a business plan?

Technically, yes, a business can survive without a plan. There are examples of businesses that found success without traditional planning—but they are the outliers.

The reality is that businesses without a plan face significantly greater obstacles. They’re more likely to:

  • Make costly mistakes due to a lack of foresight.
  • Miss out on opportunities due to a lack of direction.
  • Struggle to obtain funding from investors and lenders.
  • Fail to understand their full financial picture.

While survival is possible, a business plan dramatically increases the odds of not just surviving but thriving.

Content Author: Kody Wirth

Kody Wirth is a content writer and SEO specialist for Palo Alto Software—the creators of Bplans and LivePlan. He has 3+ years of experience covering small business topics and runs a part-time content writing service in his spare time.


Difference Between Fully-Insured vs. Self-Funded Health Plans

Businesses typically choose between fully insured and self-insured (self-funded) plans when evaluating health benefit options. Understanding the difference between self-funded and fully insured plans is crucial for effective health insurance strategy planning. 

Overview of Fully-Insured vs Self-Funded Health Plans

What Is a Fully Insured Health Plan?

In a fully insured plan, the company pays fixed premiums to an insurance carrier, which handles all healthcare claims. The premiums are determined based on employee count, projected healthcare costs, and benefit levels. This model offers predictable costs and minimal management duties, making it attractive to smaller businesses that favor stability and a hands-off approach.

In 2019, 61% of U.S. workers with employer-sponsored health insurance were enrolled in a self-funded plan, indicating a significant shift towards self-insurance among American companies.

Self-Funded vs Fully Insured Insurance

In contrast, self-insured plans involve employers setting aside funds to pay for employee medical claims directly, offering potential cost savings by avoiding insurer profit margins. This model also allows for greater benefits customization to meet specific needs and goals, providing more control over the plan.

Fully Funded vs Self-Funded Insurance

Deciding between fully funded and self-funded insurance hinges on a company’s financial stability, risk tolerance, and administrative capabilities. While fully insured plans are less risky and simpler to manage, self-insured plans can offer significant cost savings and flexibility but come with greater financial variability and management complexity.

More information about small business health insurance plans: 

Health insurance for small business

Guide to small business health insurance 

What Are Fully-Insured Health Plans?

Fully insured health plans are a traditional model where businesses pay fixed premiums to an insurance provider, which assumes all risks and responsibilities for employee healthcare claims. This model is favored by small to medium-sized businesses seeking financial predictability and ease of benefits management. In a fully insured plan, the employer signs a contract with an insurer that agrees to cover all eligible healthcare claims for a set premium. These premiums are calculated monthly based on the number of employees, their risk profiles, and desired coverage levels. Insurers use actuarial data to estimate expected claims and adjust premiums to cover these costs plus a profit margin.

Pros and Cons of Fully-Insured Plans

Pros:

  • Predictability of Costs: Employers can know exactly what they will owe each month, regardless of their employees' actual health care costs. This makes budgeting easier and reduces financial uncertainty.
  • Ease of Administration: Because the insurance company handles all claims processing and benefits administration, the employer's administrative burden is significantly reduced.
  • Reduced Risk: The insurance company assumes all risks related to health care claims, protecting employers from the financial impact of high or unexpected claims.

Cons:

  • Higher Cost in the Long Term: Premiums include the insurance company's overhead and profit margins, making fully insured plans more expensive over time compared to self-funded plans, where employers might save money in years of lower-than-expected claims.
  • Less Flexibility: Employers cannot customize plan options and benefits, as they must choose from the plans the insurance company offers.
  • Potential for Premium Increases: Premiums can increase at renewal each year based on overall claim trends within the insured pool, age demographics, and other factors, leading to potential unpredictability in long-term healthcare budgeting.

Understanding Self-Funded Health Plans

As of 2020, 80% of covered workers in larger companies (over 5000 employees) were enrolled in self-funded health plans, demonstrating the scalability and appeal of self-insurance in substantial enterprises.

Self-insured health plans offer an alternative approach where employers assume the financial risk for providing employee health benefits, often favored by larger organizations seeking greater control over plan design and costs. 

In this model, rather than paying fixed premiums to an insurance company, employers allocate a pool of funds to cover employee health claims directly. They commonly work with a third-party administrator (TPA) to manage claims processing and benefits administration. This setup allows employers to pay for claims as they occur, potentially yielding significant cost savings when claims are lower than anticipated.

Pros and Cons of Self-Funded Plans

Pros:

  • Cost Savings: If the health claims are lower than expected, the employer can save significant money, as they are not paying a premium that includes margins for an insurance company’s overhead and profit.
  • Flexibility and Customization: Employers can design and adjust the plan according to their needs and preferences. This includes choosing which benefits to offer and structuring copays, deductibles, and other plan features.
  • Improved Cash Flow: Since premiums are not paid upfront to an insurance company, employers can retain more cash in the business until it is needed to pay claims. This can improve overall cash flow management.

Cons:

  • Financial Risk: The major downside of self-insuring is the potential for high costs from unexpected claims. If claims are higher than anticipated, the employer must cover these costs, which can be financially challenging.
  • Administrative Burden: Although third-party administrators can help, employers still face an increased administrative burden in managing the health plan, negotiating with providers, and ensuring compliance with relevant laws and regulations.
  • Stop-Loss Insurance Needed: Most self-insured plans purchase stop-loss insurance, which can be a significant expense. This insurance reimburses the employer for claims that exceed a certain dollar threshold to mitigate the risk of very high claims.

While self-funded plans offer greater flexibility and potential cost savings, with average monthly premiums reported at $697 for individuals and $2,004 for families in 2020, they require robust risk management strategies, as evidenced by 79% of private sector establishments with such plans having a stop-loss policy.

Comparing Fully-Insured and Self-Insured Plans

The decision between fully insured and self-insured health plans significantly affects a company's finances, risk management, and benefits design. Understanding the difference between self-funded and fully insured plans is vital to align with a company’s goals.

Cost Implications and Savings Potential

Fully insured plans involve fixed premiums, which may result in higher long-term costs due to the inclusion of the insurer's overhead and profit. Conversely, self-insured plans allow companies to reduce costs by eliminating these overheads, although savings depend on actual claim costs, which can be unpredictable.

Risk Management and Liability

In fully insured plans, the insurer manages all claim risks, offering predictability at the cost of higher premiums. In self-insured plans, the employer bears the claims risk, which might lead to substantial financial exposure but can be mitigated by purchasing stop-loss insurance to cover catastrophic claims.

Flexibility and Customization Options

Self-insured plans offer greater flexibility, allowing employers to customize benefits to meet specific workforce needs, including tailored deductibles and copays. Fully insured plans provide less customization, as employers must select from preset options offered by insurers.

Regulatory and Compliance Considerations

Navigating health insurance regulations is essential for maintaining compliant and effective health plans. Understanding the impact of these regulations on different types of plans helps employers make informed decisions.

ERISA and State Regulations

The Employee Retirement Income Security Act (ERISA) sets federal standards for most private industry health plans, applying to both fully insured and self-insured plans. Fully insured plans must also adhere to state insurance laws, which vary by state and influence claims processing and mandated benefits. Conversely, self-insured plans are generally exempt from state insurance regulations under ERISA, offering greater flexibility but requiring strict compliance with federal standards.

Compliance Requirements for Self-Insured Plans

Self-insured plans must comply with several federal regulations, including specific provisions of the Affordable Care Act (ACA), HIPAA privacy rules, and the Mental Health Parity and Addiction Equity Act. These plans must avoid health-based discrimination, provide adequate coverage, and fulfill reporting and disclosure requirements. Effective management of these requirements typically requires either an adept in-house legal team or a partnership with a knowledgeable third-party administrator (TPA).

Important Considerations For Managing Plans

When choosing between self-funded and fully insured health plans, it's crucial to understand the management responsibilities each entails. Self-funded plans offer the flexibility to design and manage health benefits tailored to specific business and employee needs, but this comes with ensuring efficient operation and compliance. Most self-funded plans utilize a Third-Party Administrator (TPA) to handle administrative tasks like claims processing and regulatory compliance, which reduces the administrative load but may limit customization and control over plan operations.

In contrast, fully insured plans provide less flexibility but increase ease of management as the insurance carrier handles most administrative tasks and assumes risk. This arrangement suits businesses looking for simplicity and less direct involvement in plan management.

It may be worth noting that, in 2020, 39% of firms with multiple locations opted for at least one self-funded plan, compared to 28% of single-location firms. This highlights the administrative considerations and the need for experienced third-party administrators (TPAs) to manage these plans effectively.

Making the Decision: Which Is Right For Your Business?

Choosing between fully insured and self-insured health plans is a critical decision that affects your business's finances, risk management, and employee satisfaction. Understanding the difference between self-funded and fully insured plans is essential for informed decision-making.

Key Factors to Consider:

  • Financial Stability and Cash Flow: Self-insured plans may offer cost savings but require a stable cash flow to manage high-cost claims, whereas fully insured plans provide a predictable cost model with fixed premiums, with the insurer bearing the risk of high claims.
  • Employee Demographics and Healthcare Needs: Younger, healthier employee groups may see more economic benefits from self-funded plans due to fewer health claims, while a diverse or older workforce may find the risk-sharing and stability of fully insured plans more beneficial.
  • Administrative Capacity: Self-insured plans demand significant management for compliance, claims processing, and overall plan administration. Fully insured plans reduce this burden by offloading management to the insurer.
  • Risk Tolerance: Fully insured plans offer peace of mind with fixed premiums but may come at a higher cost. Conversely, self-insured plans pose more financial risk due to the potential for unexpectedly high claims.
  • Regulatory Considerations: Self-funded plans are predominantly governed by federal laws like ERISA, whereas fully insured plans are subject to state regulations, which can vary and include additional mandates.

Balancing these considerations with each plan type's potential benefits and challenges is crucial. The right choice depends on your company's specific circumstances, including financial health, employee needs, and long-term business strategies. Evaluating these factors will help determine your business's most suitable health insurance option.

Susanne is a copywriter specializing in the health and wellness industry. Before starting her own business, she spent nearly a decade at a marketing agency doing all of the things – advisor, copywriter, SEO strategist, social media specialist, and project manager. That experience gives her a unique understanding of how the consumer-focused content she writes flows into each marketing piece. Susanne lives in Oklahoma City with her husband and two daughters. She loves being outdoors, exercising and reading.

©2024 Take Command. All Rights Reserved.


How Companies Can Reduce Internal and External Business Risk

Business risk is an umbrella term for the factors and events that can impact a company's operational performance and income. Business risks can hinder a company's ability to provide its investors and stakeholders with expected returns. However, a company can reduce its exposure to business risk by identifying internal risks and external risks.

Key Takeaways

  • Business risk is an umbrella term for the factors and events that can impact a company's operational and financial performance.
  • Business risks can hinder a company's ability to provide its investors with expected returns. 
  • Internal risks include personnel management, such as labor shortages or poor morale, and technology issues, such as outdated software.
  • External risks include economic slowdowns, which lead to lower revenue, as well as political risks, such as trade wars that hurt international sales.

How Business Risk Works

Business risk is the exposure a company faces that could eventually lead to lower revenue and profits, and to financial losses. Companies face business risks every day, and those risks are part of operating in the segment or industry in which the company resides.

Although any factor that reduces a company's operational efficiency or its ability to reach its financial goals is a business risk, it's helpful to categorize them when developing a risk management strategy. Of course, there is no single plan that can eliminate risk, but with proper planning, companies can anticipate risks and respond appropriately. Business risks are typically categorized as either internal or external risks.

Internal Risk Factors

Internal risks are faced by a company from within its organization and arise during the normal operations of the company. These risks can be forecasted with some reliability, and therefore, a company has a good chance of reducing internal business risk.

The three types of internal risk factors are human factors, technological factors, and physical factors.

1. Human-factor Risk

Personnel issues may pose operational challenges. Staff who become ill or injured and, as a result, are unable to work can decrease production.

Human-factor risk can include:

  • Union strikes
  • Dishonesty by employees
  • Ineffective management or leadership
  • Failure on the part of external producers or suppliers
  • Delinquency or outright failure to pay on the part of clients and customers

A company may need to hire or replace personnel key to the company's success. Strikes can force a business to close for the short term, leading to a loss in sales and revenue.

Improving personnel management can help reduce internal risks by boosting employee morale through effective compensation and empowerment. A motivated and happy employee tends to be more productive.

2. Technological Risk

Technological risk includes unforeseen changes in the manufacturing, delivery, or distribution of a company's product or service.

For example, a technological risk that a business may face includes outdated operating systems that decrease production ability or disruptions in supplies or inventory. Also, a technological risk could include not investing in an IT staff to support the company systems. Server and software problems that lead to equipment downtime can increase the risk of production shortfalls and financial costs due to less revenue and idle workers.

Research and development is often a component of reducing internal risks because it involves keeping current with new technologies. By investing in long-term assets, such as technology, companies can reduce the risk of falling behind the competition and losing market share.

3. Physical Risk

Physical risk is the loss of or damage to the assets of a company. A company can reduce internal risks by hedging the exposure to these three risk types.

For example, companies can obtain credit insurance for their accounts receivable through commercial insurers, providing protection against customers not paying their bills. Credit insurance is usually very comprehensive and provides protection against debt default for a wide range of reasons, covering virtually every conceivable commercial or political reason for non-payment.

External Risk Factors

External risks often include economic events that arise from outside the corporate structure. External events that lead to external risk cannot be controlled by a company or cannot be forecasted with a high level of reliability. Therefore, it is hard to reduce the associated risks.

The three types of external risks include economic factors, natural factors, and political factors.

1. Economic Risk

Economic risk includes changes in market conditions. As an example, an overall economic downturn could lead to a sudden, unexpected loss of revenue. If a company sells to consumers in the U.S. and consumer confidence is low due to a recession or rising unemployment, consumer spending will suffer.

Companies can respond to economic risks by cutting costs or diversifying their client base so that revenue is not solely reliant on one segment or geographic region.

Increases in interest rates by the Federal Reserve can lead to higher borrowing costs by increasing the interest expense for short-term and long-term debt. For example, if a company issues a bond—which is a debt offering—to raise funds while interest rates are rising, the company will need to pay a higher interest rate to attract investors.

Also, companies use business credit lines issued by banks to tap into working capital. However, credit lines are typically variable-rate products. As interest rates rise in the overall market, so do the rates for variable-rate credit products. Rising rates also increase the cost of business credit cards.

2. Natural Risk

Natural risk factors include natural disasters that affect normal business operations. An earthquake, for example, may affect the ability of a retail business to remain open for a number of days or weeks, leading to a sharp decline in overall sales for the month. It could also cause damage to the building and merchandise being sold. Companies often have insurance to help cover some of the financial losses as a result of natural disasters. However, the insurance funds might not be enough to cover the loss of revenue due to being shut down or at a reduced capacity.

3. Political Risk

Political risk is comprised of changes in the political environment or governmental policy that relate to financial affairs. Changes in import and export laws, tariffs, taxes, and other regulations all may affect a business negatively.

Since external risks cannot be foreseen with accuracy, it is difficult for a company to reduce these three risk factors. Some types of credit insurance can protect a company against political events in other countries, such as war, strikes, confiscation, trade embargoes, and changes in import-export regulations.

Managing Business Risk

The best way to manage business risk is to maintain an adequate level of capital. A company with adequate financial resources can more effectively weather internal storms, such as updating or replacing faulty machinery or systems. Also, companies with proper funding can ride out unforeseen risks, such as a recession or political problems. For example, companies can carry credit insurance, which usually costs one-half of 1% of each dollar in sales revenue held on the accounts receivable ledger.

Also, having access to the credit markets and establishing financing in the form of loans, credit lines, or bonds before the risks materialize can help companies stay financially solvent during tough times. Companies with higher levels of business risk should choose a capital structure that has a lower debt ratio to help ensure they can meet their financial obligations at all times.


An official website of the United States government


Unique Entity Identifier update

About the Unique Entity Identifier

On April 4, 2022, the federal government stopped using the DUNS number to uniquely identify entities. Now, entities doing business with the federal government use the Unique Entity ID created in SAM.gov. They no longer have to go to a third-party website to obtain their identifier. This transition allows the government to streamline the entity identification and validation process, making it easier and less burdensome for entities to do business with the federal government.

The Integrated Award Environment manages several systems, including SAM.gov, FPDS, eSRS, FSRS, CPARS and FAPIIS. All SAM.gov registrants have been assigned their Unique Entity IDs and can view them in SAM.gov. To learn more about this transition, please see the information below. Join and follow our community on Interact to be notified of the latest news and information about changes happening at IAE.

Action you need to take

If your entity is registered in SAM.gov today, your Unique Entity ID has already been assigned and is viewable in SAM.gov. This includes inactive registrations. The Unique Entity ID is located on your entity registration record. Remember, you must be signed in to your SAM.gov account to view entity records. To learn how to view your Unique Entity ID, go to this help article.

Refer to the Guide to Getting a Unique Entity ID if you want to get a Unique Entity ID for your organization without having to complete an entity registration. If you only conduct certain types of transactions, such as reporting as a sub-awardee, you may not need to complete an entity registration. Your entity may only need a Unique Entity ID.

If you operate a system that connects with IAE systems, documentation about using APIs to access SAM.gov is found at open.GSA.gov. The latest version of the FPDS ATOM feed includes the Unique Entity ID.

Agency system owners are encouraged to join the Technical Interface Community (email [email protected] to join).

Do IAE systems require the use of the new Unique Entity ID?

The Unique Entity ID is the official identifier for doing business with the U.S. Government as of April 4, 2022.

  • Entities registering in SAM.gov are assigned a Unique Entity ID as a part of the registration process.
  • Entity uniqueness continues to be validated by an entity validation service.
  • Subcontracting reporting requires the Unique Entity ID obtained in SAM.gov.
  • Interfacing systems must use the Unique Entity ID.

Is the Unique Entity ID viewable in IAE systems?

If your entity is registered in SAM.gov today, you already have your Unique Entity ID and it is viewable in SAM.gov. This includes inactive registrations.

All other IAE systems (CPARS, FPDS, FAPIIS, etc.) currently display and accept the Unique Entity ID.

Where do I get more information?

Visit the UEI Technical Specifications and API Information page to learn more about UEI/EVS technical specifications for interfacing systems and sample data extracts.

Unique Entity ID transition information

  • The process to get a Unique Entity ID to do business with the government changed.
  • The definition of entity uniqueness did not change.

Change can be confusing and frustrating. To make the change easier, we shared information about the changes and transition plan.

During the transition, we:

  • Phased out the DUNS Number as the official identifier for doing business with the federal government.
  • Introduced a new Unique Entity ID, generated in the System for Award Management (SAM.gov), as the official identifier for doing business with the government.
  • Made it easier to get a Unique Entity ID to do business with the government.
  • Transitioned to a new service provider to validate entity uniqueness.

New process to obtain a Unique Entity ID

  • Get your Unique Entity ID and register your entity to do business with the U.S. government.
  • Make any updates to your legal business name and physical address associated with the Unique Entity ID.
  • Find customer support at a single helpdesk for all Unique Entity ID and entity registration issues.

Definition of unique

  • Integrated Award Environment acquires commercial entity validation services to validate entity uniqueness and entity core data.
  • Uniqueness is based on an entity being a separate legal entity associated with a separate physical address.
  • Based on the uniqueness determination, a Unique Entity ID is assigned to that entity.

Why we changed

The change we made creates predictability for the cost of entity validation services. By separating the government requirement for a Unique Entity ID from the government requirement to validate that the entities are unique, we introduced competitiveness into entity validation services. We then competed and awarded a new contract for entity validation services that is not connected to the identifier itself. We chose to have the new, non-proprietary identifier both requested in and generated by SAM.gov to reduce the burden of change; the transition in identifiers only needs to happen once, even if in the future a different entity validation service provider is selected.

Transition process

  • The DUNS Number remains the official identifier for doing business with the U.S. Government.
  • Entities continue to register in SAM.gov using the DUNS Number assigned by D&B.
  • Entity uniqueness continues to be validated by D&B as part of the DUNS Number assignment process.
  • GSA published updated technical specifications, which include the new SAM-generated Unique Entity ID, for interfacing systems in December 2019.
  • GSA develops the tools needed to generate Unique Entity IDs.
  • GSA develops an interface to the new entity validation service provider to determine entity uniqueness.
  • GSA supports robust testing of new interfaces with agency systems.
  • GSA communicates upcoming changes to stakeholders, sharing more detail as available.

Transition Complete (04/04/2022)

  • The SAM-generated Unique Entity ID becomes the official identifier for doing business with the U.S. Government.
  • Entities request new Unique Entity IDs through SAM.gov before starting their entity registration.
  • Entity uniqueness is determined by the new entity validation service provider.

Transition for Existing Entities

  • Your registration was automatically assigned a new Unique Entity ID which is displayed in SAM.gov.
  • The purpose of registration, core data, assertions, representations & certifications, points of contacts, etc. in SAM.gov will not change and no one will be required to re-enter this data.

Timeline of activities to open data and competition

  • December 2014 - proprietary references removed from 2 CFR.
  • On October 31, 2016, the FAR was amended via a final rule to re-designate the terminology for unique identification of entities receiving federal awards. The change to the FAR eliminated references to the proprietary DUNS Number, and provided appropriate references to the website where information on the unique entity identifier used for federal awards would be located. The final rule also established the definition of “unique entity identifier.”
  • November 2016 - OMB (OFFM and OFPP) created an interagency working group to zero-base business needs for entity validation and verification requirements.
  • February - GSA released a Request For Information and vendor engagement for entity validation services.
  • July - the final policy and business outcomes for validation and verification were completed.
  • October - GSA released a second RFI and vendor engagement for entity verification services.
  • August 2018 - GSA released a Request for Proposal for governmentwide entity validation services inclusive of new government-owned Unique Entity ID approach.
  • November 2018 - GSA convened an interagency team to make recommendations on the standards for a government-owned Unique Entity ID to use in federal awarding and management processes.
  • In March 2019, GSA awarded a contract for entity validation services.
  • June - a working group delivered recommendations on Unique Entity ID standards to IAE governance; governance approved standard for publication.
  • July - GSA published a Federal Register notice containing standards for Unique Entity IDs and held a public meeting to review the standards.
  • October - Convened an interagency, cross-functional working group to identify and resolve policy and IT issues for implementation.
  • October 2020 - The Office of Management and Budget directed federal agencies to finalize their transition to using the SAM-generated unique entity identifier by April 2022. GSA contracted with D&B to ensure full continuity of services—including DUNS Number assignment, monitoring, and validation of entity uniqueness—during the extended transition period.

Further questions

Press inquiries should be sent to [email protected].

PER DIEM LOOK-UP


Rates for Alaska, Hawaii, U.S. Territories and Possessions are set by the Department of Defense.

Rates for foreign countries are set by the State Department.


Rates are available between 10/1/2021 and 09/30/2024.


Traveler reimbursement is based on the location of the work activities and not the accommodations, unless lodging is not available at the work activity, then the agency may authorize the rate where lodging is obtained.

Unless otherwise specified, the per diem locality is defined as "all locations within, or entirely surrounded by, the corporate limits of the key city, including independent entities located within those boundaries."

Per diem localities with county definitions shall include "all locations within, or entirely surrounded by, the corporate limits of the key city as well as the boundaries of the listed counties, including independent entities located within the boundaries of the key city and the listed counties (unless otherwise listed separately)."

When a military installation or Government-related facility (whether or not specifically named) is located partially within more than one city or county boundary, the applicable per diem rate for the entire installation or facility is the higher of the rates which apply to the cities and/or counties, even though part(s) of such activities may be located outside the defined per diem locality.


Stormy Daniels Takes the Stand

The porn star testified for eight hours at Donald Trump’s hush-money trial. This is how it went.

This transcript was created using speech recognition software. While it has been reviewed by human transcribers, it may contain errors. Please review the episode audio before quoting from this transcript and email [email protected] with any questions.

It’s 6:41 AM. I’m feeling a little stressed because I’m running late. It’s the fourth week of Donald J. Trump’s criminal trial. It’s a white collar trial. Most of the witnesses we’ve heard from have been, I think, typical white collar witnesses in terms of their professions.

We’ve got a former publisher, a lawyer, accountants. The witness today, a little less typical, Stormy Daniels, porn star in a New York criminal courtroom in front of a jury more accustomed to the types of witnesses they’ve already seen. There’s a lot that could go wrong.

From “The New York Times,” I’m Michael Barbaro. This is “The Daily.”

Today, what happened when Stormy Daniels took the stand for eight hours in the first criminal trial of Donald J. Trump. As before, my colleague Jonah Bromwich was inside the courtroom.

[MUSIC PLAYING]

It’s Friday, May 10th.

So it’s now day 14 of this trial. And I think it’s worth having you briefly, and in broad strokes, catch listeners up on the biggest developments that have occurred since you were last on, which was the day that opening arguments were made by both the defense and the prosecution. So just give us that brief recap.

Sure. It’s all been the prosecution’s case so far. And prosecutors have a saying, which is that the evidence is coming in great. And I think for this prosecution, which is trying to show that Trump falsified business records to cover up a sex scandal, to ease his way into the White House in 2016, the evidence has been coming in pretty well. It’s come in well through David Pecker, former publisher of The National Enquirer, who testified that he entered into a secret plot with Trump and Michael Cohen, his fixer at the time, to suppress negative stories about Trump, the candidate.

It came in pretty well through Keith Davidson, who was a lawyer to Stormy Daniels in 2016 and negotiated the hush money payment. And we’ve seen all these little bits and pieces of evidence that tell the story that prosecutors want to tell. And the case makes sense so far. We can’t tell what the jury is thinking, as we always say.

But we can tell that there’s a narrative that’s coherent and that matches up with the prosecution’s opening statement. Then we come to Tuesday. And that day really marks the first time that the prosecution’s strategy seems a little bit risky because that’s the day that Stormy Daniels gets called to the witness stand.

OK, well, just explain why the prosecution putting Stormy Daniels on the stand would be so risky. And I guess it makes sense to answer that in the context of why the prosecution is calling her as a witness at all.

Well, you can see why it makes sense to have her. The hush money payment was to her. The cover-up of the hush money payment, in some ways, concerns her. And so she’s this character who’s very much at the center of this story. But according to prosecutors, she’s not at the center of the crime. The prosecution is telling a story, and they hope a compelling one. And arguably, that story starts with Stormy Daniels. It starts in 2006, when Stormy Daniels says that she and Trump had sex, which is something that Trump has always denied.

So if prosecutors were to not call Stormy Daniels to the stand, you would have this big hole in the case. It would be like, effect, effect, effect. But where is the cause? Where is the person who set off this chain reaction? But Stormy Daniels is a porn star. She’s there to testify about sex. Sex and pornography are things that the jurors were not asked about during jury selection. And those are subjects that bring up all kinds of different complex reactions in people.

And so, when the prosecutors bring Stormy Daniels to the courtroom, it’s very difficult to know how the jurors will take it, particularly given that she’s about to describe a sexual episode that she says she had with the former president. Will the jurors think that makes sense, as they sit here and try to decide a falsifying business records case, or will they ask themselves, why are we hearing this?

So the reason why this is the first time that the prosecution’s strategy is, for journalists like you, a little bit confusing, is because it’s the first time that the prosecution seems to be taking a genuine risk in what they’re putting before these jurors. Everything else has been kind of cut and dry and a little bit more mechanical. This is just a wild card.

This is like live ammunition, to some extent. Everything else is settled and controlled. And they know what’s going to happen. With Stormy Daniels, that’s not the case.

OK, so walk us through the testimony. When the prosecution brings her to the stand, what actually happens?

It starts, as every witness does, with what’s called direct examination, which is a fancy word for saying prosecutors question Stormy Daniels. And they have her tell her story. First, they have her tell the jury about her education and where she grew up and her professional experience. And because of Stormy Daniels’s biography, that quickly goes into stripping, and then goes into making adult films.

And I thought the prosecutor who questioned her, Susan Hoffinger, had this nice touch in talking about that, because not only did she ask Daniels about acting in adult films. But she asked her about writing and directing them, too, emphasizing the more professional aspects of that work and giving a little more credit to the witness, as if to say, well, you may think this or you may think that. But this is a person with dignity who took what she did seriously.

Got it.

What’s your first impression of Daniels as a witness?

It’s very clear that she’s nervous. She’s speaking fast. She’s laughing to herself and making small jokes. But the tension in the room is so serious from the beginning, from the moment she enters, that those jokes aren’t landing. So it just feels, like, really heavy and still and almost oppressive in there. So Daniels talking quickly, seeming nervous, giving more answers than are being asked of her by the prosecution, even before we get to the sexual encounter that she’s about to describe, all of that presents a really discomfiting impression, I would say.

And how does this move towards the encounter that Daniels ultimately has?

It starts at a golf tournament in 2006, in Lake Tahoe, Nevada. Daniels meets Trump there. There are other celebrities there, too. They chatted very briefly. And then she received a dinner invitation from him. She thought it over, she says. And she goes to have dinner with Trump, not at a restaurant, by the way. But she’s invited to join him in the hotel suite.

So she gets to the hotel suite. And his bodyguard is there. And the hotel door is cracked open. And the bodyguard greets her and says she looks nice, this and that. And she goes in. And there’s Donald Trump, just as expected. But what’s not expected, she says, is that he’s not wearing what you would wear to a dinner with a stranger, but instead, she says, silk or satin pajamas. She asked him to change, she says. And he obliges.

He goes, and he puts on a dress shirt and dress pants. And they sit down at the hotel suite’s dining room table. And they have a kind of bizarre dinner. Trump is asking her very personal questions about pornography and safe sex. And she testifies that she teased him about how vain and pompous he is. And then at some point, she goes to the bathroom. And she sees that he has got his toiletries in there, his Old Spice, his gold tweezers.

Very specific details.

Yeah, we’re getting a ton of detail in this scene. And the reason we’re getting those is because prosecutors are trying to elicit those details to establish that this is a credible person, that this thing did happen, despite what Donald Trump and his lawyers say. And the reason you can know it happened, prosecutors seem to be saying, is because, look at all these details she can still summon up.

She comes out of the bathroom. And she says that Donald Trump is on the hotel bed. And what stands out to me there is what she describes as a very intense physical reaction. She says that she blacked out. And she quickly clarifies, she doesn’t mean from drugs or alcohol. She means that, she says, that the intensity of this experience was such that, suddenly, she can’t remember every detail. The prosecution asks a question that cuts directly to the sex. Essentially, did you start having sex with him? And Daniels says that she did. And she continues to provide more details than even, I think, the prosecution wanted.

And I think we don’t want to go chapter and verse through this claimed sexual encounter. But I wonder what details stand out and which details feel important, given the prosecution’s strategy here.

All the details stand out because it’s a story about having had sex with a former president. And the more salacious and more private the details feel, the more you’re going to remember them. So we’ll remember that Stormy Daniels said what position they had sex in. We’ll remember that she said he didn’t use a condom. Whether that’s important to the prosecution’s case, now, that’s a much harder question to answer, as we’ve been saying.

But what I can tell you is, as she’s describing having had sex with Donald Trump, and Donald Trump is sitting right there, and Eric Trump, his son, is sitting behind him, seeming to turn a different color as he hears this embarrassment of his father being described to a courtroom full of reporters at this trial, it’s hard to even describe the energy in that room. It was like nothing I had ever experienced. And it was just Daniels’s testimony and, seemingly, the former President’s emotions. And you almost felt like you were trapped in there with both of them as this description was happening.

Well, I think it’s important to try to understand why the prosecution is getting these details, these salacious, carnal, pick your word, graphic details about sex with Donald Trump. What is the value, if other details are clearly making the point that she’s recollecting something?

Well, I think, at this point, we can only speculate. But one thing we can say is, this was uncomfortable. This felt bad. And remember, prosecutors’ story is not about the sex. It’s about trying to hide the sex. So if you’re trying to show a jury why it might be worthwhile to hide a story, it might be worth —

Providing lots of salacious details that a person would want to hide.

— exposing them to how bad that story feels and reminding them that if they had been voters and they had heard that story, and, in fact, they asked Daniels this very question, if you hadn’t accepted hush money, if you hadn’t signed that NDA, is this the story you would have told? And she said, yes. And so where I think they’re going with this, but we can’t really be sure yet, is that they’re going to tell the jurors, hey, that story, you can see why he wanted to cover that up, can’t you?

You mentioned the hush money payments. What testimony does Daniels offer about that? And how does it advance the prosecution’s case of business fraud related to the hush money payments?

So little evidence that it’s almost laughable. She says that she received the hush money. But we actually already heard another witness, her lawyer at the time, Keith Davidson, testify that he had received the hush money payment on her behalf. And she testified about feeling as if she had to sell this story because the election was fast approaching, almost as if her leverage was slipping away because she knew this would be bad for Trump.

That feels important. But just help me understand why it’s important.

Well, what the prosecution has been arguing is that Trump covered up this hush money payment in order to conceal a different crime. And that crime, they say, was to promote his election to the presidency by illegal means.

Right, we’ve talked about this in the past.

So when Daniels ties her side of the payment into the election, it just reminds the jurors maybe, oh, right, this is what they’re arguing.

So how does the prosecution end this very dramatic, and from everything you’re saying, very tense questioning of Stormy Daniels about this encounter?

Well, before they can even end, the defense lawyers go and they consult among themselves. And then, with the jury out of the room, one of them stands up. And he says that the defense is moving for a mistrial.

On what terms?

He says that the testimony offered by Daniels that morning is so prejudicial, so damning to Trump in the eyes of the jury, that the trial can no longer be fair. Like, how could these jurors have heard these details and still be fair when they render their verdict? And he says a memorable expression. He says, you can’t un-ring that bell, meaning they heard it. They can’t un-hear it. It’s over. Throw out this trial. It should be done.

Wow. And what is the response from the judge?

So the judge, Juan Merchan, he hears them out. And he really hears them out. But at the end of their arguments, he says, I do think she went a little too far. He says that. He said, there were things that were better left unsaid.

By Stormy Daniels?

By Stormy Daniels. And he acknowledges that she is a difficult witness. But, he says, the remedy for that is not a mistrial, is not stopping the whole thing right now. The remedy for that is cross-examination. If the defense feels that there are issues with her story, issues with her credibility, they can ask her whatever they want. They can try to win the jury back over. If they think this jury has been poisoned by this witness, well, this is their time to provide the antidote. The antidote is cross-examination. And soon enough, cross-examination starts. And it is exactly as intense and combative as we expected.

We’ll be right back.

So, Jonah, how would you characterize the defense’s overall strategy in this intense cross-examination of Stormy Daniels?

People know the word impeach from presidential impeachments. But it has a meaning in law, too. You impeach a witness, and, specifically, their credibility. And that’s what the defense is going for here. They are going to try to make Stormy Daniels look like a liar, a fraud, an extortionist, a money-grubbing opportunist who wanted to take advantage of Trump and sought to do so by any means necessary.

And what did that impeachment strategy look like in the courtroom?

The defense lawyer who questions Stormy Daniels is a woman named Susan Necheles. She’s defended Trump before. And she’s a bit of a cross-examination specialist. We even saw her during jury selection bring up these past details to confront jurors who had said nasty things about Trump on social media with. And she wants to do the same thing with Daniels. She wants to bring up old interviews and old tweets and things that Daniels has said in the past that don’t match what Daniels is saying from the stand.

What’s a specific example? And do they land?

Some of them land. And some of them don’t. One specific example is that Necheles confronts Daniels with this old tweet, where Daniels says that she’s going to dance down the street if Trump goes to jail. And what she’s trying to show there is that Daniels is out for revenge, that she hates Trump, and that she wants to see him go to jail. And that’s why she’s testifying against him.

And Daniels is very interesting during the cross-examination. It’s almost as if she’s a different person. She kind of squares her shoulders. And she sits up a little straighter. And she leans forward. Daniels is ready to fight. But it doesn’t quite land. The tweet actually says, I’ll dance down the street when he’s selected to go to jail.

And Daniels goes off on this digression about how she knows that people don’t get selected to go to jail. That’s not how it works. But she can’t really unseat this argument, that she’s a political enemy of Donald Trump. So that one kind of sticks, I would say. But there are other moves that Necheles tries to pull that don’t stick.

So unlike the prosecution, which typically used words like adult, adult film, Necheles seems to be taking every chance she can get to say porn, or pornography, or porn star, to make it sound base or dirty. And so when she starts to ask Daniels about actually being in pornography, writing, acting, and directing sex films, she tries to land a punch line, Necheles does. She says, so you have a lot of experience making phony stories about sex appear to be real, right?

As if to say, perhaps this story you have told about entering Trump’s suite in Lake Tahoe and having sex with him was made up.

Just another one of your fictional stories about sex. But Daniels comes back and says, the sex in the films, it’s very much real, just like what happened to me in that room. And so, when you have this kind of combat of a lawyer cross-examining very aggressively and the witness fighting back, you can feel the energy in the room shift as one lands a blow or the other does. But here, Daniels lands one back. And the other issue that I think Susan Necheles runs into is, she tries to draw out disparities from interviews that Daniels gave, particularly to In Touch, very early on once the story was out.

It’s kind of like a tabloid magazine?

But some of the disparities don’t seem to be landing quite like Necheles would want. So she tries to do this complicated thing about where the bodyguard was in the room when Daniels walked into the room, as described in an interview in a magazine. But in that magazine interview, as it turns out, Daniels mentioned that Trump was wearing pajamas. And so, if I’m a juror, I don’t care where the bodyguard is. I’m thinking about, oh, yeah, I remember that Stormy Daniels said now in 2024 that Trump was wearing pajamas.

I’m curious if, as somebody in the room, you felt that the defense was effective in undermining Stormy Daniels’s credibility? Because what I took from the earlier part of our conversation was that Stormy Daniels is in this courtroom on behalf of the prosecution to tell a story that’s uncomfortable and has the kind of details that Donald Trump would be motivated to try to hide. And therefore, this defense strategy is to say, those details about what Trump might want to hide, you can’t trust them. So does this back and forth effectively hurt Stormy Daniels’s credibility, in your estimation?

I don’t think that Stormy Daniels came off as perfectly credible about everything she testified about. There are incidents that were unclear or confusing. There were things she talked about that I found hard to believe, when she, for instance, denied that she had attacked Trump in a tweet or talked about her motivations. But about what prosecutors need, that central story, the story of having had sex with him, we can’t know whether it happened.

But there weren’t that many disparities in these accounts over the years. In terms of things that would make me doubt the story that Daniels was telling, details that don’t add up, those weren’t present. And you don’t have to take my word for that, nor should you. But the judge is in the room. And he says something very, very similar.

What does he say? And why does he say it?

Well, he does it when the defense, again, at the end of the day on Thursday, calls for a mistrial.

With a similar argument as before?

Not only with a similar argument as before, but, like, almost the exact same argument. And I would say that I was astonished to see them do this. But I wasn’t because I’ve covered other trials where Trump is the client. And in those trials, the lawyers, again and again, called for a mistrial.

And what does Judge Merchan say in response to this second effort to seek a mistrial?

Let me say, to this one, he seems a little less patient. He says that after the first mistrial ruling, two days before, he went into his chambers. And he read every decision he had made about the case. He took this moment to reflect on the first decision. And he found that he had, in his own estimation, which is all he has, been fair and not allowed evidence that was prejudicial to Trump into this trial. It could continue. And so he said that again. And then he really almost turned on the defense. And he said that the things that the defense was objecting to were things that the defense had made happen.

He says that in their opening statement, the defense could have taken issue with many elements of the case, about whether there were falsified business records, about any of the other things that prosecutors are saying happened. But instead, he says, they focused their energy on denying that Trump ever had sex with Daniels.

And so that was essentially an invitation to the prosecution to call Stormy Daniels as a witness and have her say from the stand, yes, I had this sexual encounter. The upshot of it is that the judge not only takes the defense to task. But he also just says that he finds Stormy Daniels’s narrative credible. He doesn’t see it as having changed so much from year to year.

Interesting. So in thinking back to our original question here, Jonah, about the idea that putting Stormy Daniels on the stand was risky, I wonder if, by the end of this entire journey, you’re reevaluating that idea because it doesn’t sound like it ended up being super risky. It sounded like it ended up working reasonably well for the prosecution.

Well, let me just assert that it doesn’t really matter what I think. The jury is going to decide this. There’s 12 people. And we can’t know what they’re thinking. But my impression was that, while she was being questioned by the prosecution for the prosecution’s case, Stormy Daniels was a real liability. She was a difficult witness for them.

And the judge said as much. But when the defense cross-examined her, Stormy Daniels became a better witness, in part because their struggles to discredit her may have actually ended up making her story look more credible and stronger. And the reason that matters is because, remember, we said that prosecutors are trying to fill this hole in their case. Well, now, they have. The jury has met Stormy Daniels. They’ve heard her account. They’ve made of it what they will. And now, the sequence of events that prosecutors are trying to line up as they seek prison time for the former President really makes a lot of sense.

It starts with what Stormy Daniels says with sex in a hotel suite in 2006. It picks up years later, as Donald Trump is trying to win an election and, prosecutors say, suppressing negative stories, including Stormy Daniels’s very negative story. And the story that prosecutors are telling ends with Donald Trump orchestrating the falsification of business records to keep that story concealed.

Well, Jonah, thank you very much. We appreciate it.

Of course, thanks for having me.

The prosecution’s next major witness will be Michael Cohen, the former Trump fixer who arranged for the hush money payment to Stormy Daniels. Cohen is expected to take the stand on Monday.

Here’s what else you need to know today. On Thursday, Israeli Prime Minister Benjamin Netanyahu issued a defiant response to warnings from the United States that it would stop supplying weapons to Israel if Israel invades the southern Gaza city of Rafah. So far, Israel has carried out a limited incursion into the city where a million civilians are sheltering, but has threatened a full invasion. In a statement, Netanyahu said, quote, “if we need to stand alone, we will stand alone.”

Meanwhile, high-level ceasefire negotiations between Israel and Hamas have been put on hold in part because of anger over Israel’s incursion into Rafah.

A reminder, tomorrow, we’ll be sharing the latest episode of our colleague’s new show, “The Interview.” This week on “The Interview,” Lulu Garcia-Navarro talks with radio host Charlamagne Tha God about his frustrations with how Americans talk about politics.

If me as a Black man, if I criticize Democrats, then I’m supporting MAGA. But if I criticize, you know, Donald Trump and Republicans, then I’m a Democratic shill. Why can’t I just be a person who deals in nuance?

Today’s episode was produced by Olivia Natt and Michael Simon Johnson. It was edited by Lexie Diao, with help from Paige Cowett, contains original music by Will Reid and Marion Lozano, and was engineered by Alyssa Moxley. Our theme music is by Jim Brunberg and Ben Landsverk of Wonderly.

That’s it for “The Daily.” I’m Michael Barbaro. See you on Monday.

May 10, 2024   •   27:42 Stormy Daniels Takes the Stand

Hosted by Michael Barbaro

Featuring Jonah E. Bromwich

Produced by Olivia Natt and Michael Simon Johnson

Edited by Lexie Diao

With Paige Cowett

Original music by Will Reid and Marion Lozano

Engineered by Alyssa Moxley


This episode contains descriptions of an alleged sexual liaison.

What happened when Stormy Daniels took the stand for eight hours in the first criminal trial of former President Donald J. Trump?

Jonah Bromwich, one of the lead reporters covering the trial for The Times, was in the room.

On today’s episode


Jonah E. Bromwich, who covers criminal justice in New York for The New York Times.


Background reading

In a second day of cross-examination, Stormy Daniels resisted the implication she had tried to shake down Donald J. Trump by selling her story of a sexual liaison.

Here are six takeaways from Ms. Daniels’s earlier testimony.

There are a lot of ways to listen to The Daily. Here’s how.

We aim to make transcripts available the next workday after an episode’s publication. You can find them at the top of the page.

The Daily is made by Rachel Quester, Lynsea Garrison, Clare Toeniskoetter, Paige Cowett, Michael Simon Johnson, Brad Fisher, Chris Wood, Jessica Cheung, Stella Tan, Alexandra Leigh Young, Lisa Chow, Eric Krupke, Marc Georges, Luke Vander Ploeg, M.J. Davis Lin, Dan Powell, Sydney Harper, Mike Benoist, Liz O. Baylen, Asthaa Chaturvedi, Rachelle Bonja, Diana Nguyen, Marion Lozano, Corey Schreppel, Rob Szypko, Elisheba Ittoop, Mooj Zadie, Patricia Willens, Rowan Niemisto, Jody Becker, Rikki Novetsky, John Ketchum, Nina Feldman, Will Reid, Carlos Prieto, Ben Calhoun, Susan Lee, Lexie Diao, Mary Wilson, Alex Stern, Dan Farrell, Sophia Lanman, Shannon Lin, Diane Wong, Devon Taylor, Alyssa Moxley, Summer Thomad, Olivia Natt, Daniel Ramirez and Brendan Klinkenberg.

Our theme music is by Jim Brunberg and Ben Landsverk of Wonderly. Special thanks to Sam Dolnick, Paula Szuchman, Lisa Tobin, Larissa Anderson, Julia Simon, Sofia Milan, Mahima Chablani, Elizabeth Davis-Moorer, Jeffrey Miranda, Renan Borelli, Maddy Masiello, Isabella Anderson and Nina Lassam.

Jonah E. Bromwich covers criminal justice in New York, with a focus on the Manhattan district attorney’s office and state criminal courts in Manhattan.


COMMENTS

  1. 10 Types of Business Risks and How to Manage Them

    Here are several types of business risks to look for as you evaluate a company's standing: 1. Compliance risk. A compliance risk is a risk to a company's reputation or finances that's due to a company's violation of external laws and regulations or internal standards. A compliance risk can result in a company paying punitive fines or losing ...

  2. 12 Types of Business Risks and How to Manage Them

    12) Technology Risk. Security attacks, power outages, discontinued hardware and software, among other technology issues, are the events that form part of the technology risk. These issues can lead to a loss of money, time and data, which has many connections with the previously mentioned risks.

  3. What is business risk?

    Cyber risk is a form of business risk. More specifically, it's the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage ...

  4. Identifying and Managing Business Risks

    To manage building risk, and the risk to employees, it is important that organizations do the following: Make sure all employees know the exact street address of the building to give to a 911 ...

  5. What Is Business Risk? Definition, Factors, and Examples

    Business risk is the possibility a company will have lower than anticipated profits or experience a loss rather than taking a profit. Business risk is influenced by numerous factors, including ...

  6. How to Highlight Risks in Your Business Plan

    Here's an example: Assume your business is seeking equity funding, but has a key management role that needs to be filled. This could be a key business risk for a funder. Highlighting this risk shows that you are aware of the appointment need, and are putting plans in place to help with this key recruit.

  7. Types of Business Risks and Ideas for Managing Them

    Business owners face a variety of business risks, including financial, cybersecurity, operational, and reputational. However, they can take proactive measures to prevent or mitigate risk while continuing to seize opportunities for growth. To learn more about the benefits of risk management planning read, "5 Hidden Benefits of Risk Management."

  8. What Is Risk Management & Why Is It Important?

    4 Reasons Why Risk Management Is Important. 1. Protects Organization's Reputation. In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation. "Franchise risk is a concern for all businesses," Simons says in Strategy Execution. "However, it's especially pressing for ...

  9. 14 Smart Ways To Manage Business Risk

    10. Make A Risk Management Plan. Apply standard project management and institute best practices for risk management. Make a risk management plan for your business by identifying potential risks ...

  10. Top Ways to Manage Business Risks

    The following are some of the areas that business owners can focus on to help manage the risks that arise from running a business. 1. Prioritize. The first step in creating a risk management plan ...

  11. The Essentials of Business Risk Mitigation

    "Business risk mitigation is important because it helps organizations to identify and address potential risks that could impact their operations, reputation, or bottom line," says Andrew Lokenauth, a former finance executive with Goldman Sachs and JP Morgan, an adjunct professor at the University of San Francisco School of Management, and the founder of Fluent in Finance.

  12. 13 types of business risks for companies to manage

    Financial risk is "not that your stock price goes down," Roselund said. He explained that stock performance is an outcome -- whether positive or negative -- of how well a company manages its financial risk and other types of business risk it faces. 5. Compliance risk. Every company has regulatory requirements to meet.

  13. Risk Management Process: A Guide to Business Plan Risk Analysis

    A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here's a step-by-step process to create one: Step 1: Begin by listing out your risks.

  14. 7 Steps to Write a Risk Management Plan For Your Next Project (With

    Evaluate and assess the consequence, impact, and probability of each potential risk. 3. Assign roles and responsibilities to each risk. 4. Come up with preventative strategies for each risk. 5. Create a contingency plan in case things go really wrong. 6. Measure your risk threshold and work with project stakeholders.

  15. Identifying and managing business risk

    Business risks are factors that threaten your ability to operate, leading to lost profits or business failure. When identifying and managing risks, consider: the possible causes and impacts. how these risks affect your business objectives. how they could be recorded in a risk management plan. steps you could take to minimise the risk or the impact.

  16. Managing Risks: A New Framework

    Managing Risks: A New Framework. Smart companies match their approach to the nature of the threats they face. Summary. Risk management is too often treated as a compliance issue that can be solved ...

  17. Creating a Risk Management Plan for Your Business

    Step 1: Develop a solid risk culture. An essential component of any successful risk management plan is the establishment of strong risk culture. Risk culture is commonly known as the shared values, beliefs, and attitudes toward the handling of risks throughout the organization. It is the responsibility of senior management and the board of ...

  18. 5 Types of Business Risk Every Leader Should Plan For

    Here are five types of business risk that every company should address as part of their strategy and planning process. 1. Security and fraud risk. The types of risks like Data breaches, cyberattacks, identity theft, embezzlement, money laundering, criminal record, and intellectual property theft.

  19. The Top 50 BUSINESS RISKS and how to manage them

    Outsource. 24. Loss of key skills. Use employee incentive or bonus schemes. Check pay reflects industry (going rate) Identify top performers and reward/offer incentives to stay. Remove hygiene factors e.g. poor parking, lack of flexible working. 25. Loss of political support.

  20. Small business risk management: protect your livelihood

    A risk management plan helps you identify potential threats, determine how likely they are to occur, and take steps to mitigate them. This protects your livelihood, employees, customers, and bottom line. The first step to drawing up a business risk management plan is to list every type of risk that could affect your business.

  21. Contingency plan examples: A step-by-step guide to help your business

    One way to do this is to look at how much company revenue is being generated by the business unit at risk. If the BIA indicates that it's a high percentage, the company will most likely want to prioritize creating a contingency plan for this business risk. 3. Make a plan. For each potential threat your company faces that has both a high ...

  22. How Do Modern Companies Assess Business Risk?

    Companies use operational risk assessment for risk of loss from inadequate business decisions. Compliance risk assessment is crucial, particularly in tightly controlled industries, such as banking ...

  23. Why Are Major Risks in the Business Plan?

    The value of the company grows as the revenues and profits of the business grow. The risk factors alert the investor to the fact there is always a possibility of losing part or all of the money he ...

  24. 5 Consequences of Skipping a Business Plan

    This plan becomes your roadmap. It lets you make data-driven decisions, minimize risk, and proactively steer your business toward success. With this knowledge, surprises become fewer, and your understanding of your business will grow deeper. 5. You will struggle to raise money.

  25. 2024 technology industry outlook

    Now, there may be light on the horizon: Economists are more optimistic about the US economy as a whole, lowering the risk of a recession in 2024 to below 50%. For the tech sector specifically, analysts are optimistic about a potential return to modest growth in 2024, with more robust prospects for 2025. What could help drive a tech rebound?

  26. Difference Between Fully-Insured vs. Self-Funded Health Plans

    Choosing between fully insured and self-insured health plans is a critical decision that affects your business's finances, risk management, and employee satisfaction. ... Balancing these considerations with each plan type's potential benefits and challenges is crucial. The right choice depends on your company's specific circumstances, including ...

  27. A Way To Go Bullish On Nvidia Earnings With Limited Risk

    Taking the maximum profit divided by the maximum risk gives you a 22% return on risk between now and May 24. All Nvidia has to do is stay above 805 by expiration. The break-even point for the bull ...

  28. How Companies Can Reduce Internal and External Business Risk

    Strikes can force a business to close for the short-term, leading to a loss in sales and revenue. Improving personnel management can help reduce internal risks by boosting employee morale through ...

  29. Unique Entity Identifier update

    The official identifier for doing business with the U.S. Government changed. The process to get a Unique Entity ID to do business with the government changed. The definition of entity uniqueness did not change. Change can be confusing and frustrating. To make the change easier, we shared information about the changes and transition plan.

  30. Stormy Daniels Takes the Stand

    On today's episode. Jonah E. Bromwich, who covers criminal justice in New York for The New York Times. Stormy Daniels leaving court on Thursday, after a second day of cross-examination in the ...