Risk and risk management explained

November 2022

Karen Groves explains what is meant by risk and risk management in a business scenario, which is now assessed in the AAT Level 3 Business Awareness unit.

What is the difference between risk and uncertainty? Risk in a business is things not going to plan, for example, sales not being as high as expected or costs higher than expected. A risk to a business could also include losses from theft or fraud.

Risk is inherent if an outcome is not guaranteed, for example, a business launching a new product that might fail.

Uncertainty is whereby there are several possible outcomes to a situation, and the outcomes are very difficult to predict. For example, a new product launch has uncertainty regarding the volume of unit sales.

If a situation is uncertain, then a business can’t predict what the likely outcome will be as there is insufficient information, or past experience to draw on. Uncertainty can be reduced by the business obtaining as much information as possible before any decisions are made.

With risk, there can be a number of possible outcomes, however the probability of each of the outcomes is known, whereas with uncertainty, there are a number of possible outcomes, however the probability of each outcome is unknown.

Types of risk:

• Business risk – relates to the industry the business operates in. This risk is there due to the nature of goods or services the business sells. Some industries are inherently riskier than others.

• Financial risk – relates to a financial situation, for example, a change in interest rates, which impact on the business financial circumstances, or the risk of non-payment by customers.

• Strategic risk – relates to the risk that the business strategies will fail, for example, expanding in a new market involves risks.

• Operation risk – relates to the risk of business operations failing, and losses occurring due to this.

• Cyber risk – relates to the risk of disruption, damage, or financial loss due to the information technology systems in use. As digital systems are increasing, so are the cyber risks which can include malware, trojans, viruses and spyware.

• Reputational risk – relates to the risk of damage to the business’s reputation, which can be caused by environmental damage or pollution by the business, company behaviour/ attitude overall, mis-selling of products or incompetence. If a business has a good reputation, this can easily be damaged by adverse posts on social media.

Risk management

Risk management involves identifying the risk and then evaluating the risk further. A business will assess the likelihood of the risk and what the impact of the risk will be. For example, how likely is it that a new product will fail and what is the impact to the business of this.

Risks can be managed as follows:

• Transfer – the risk can be transferred to a third party, for example, an insurer to cover possible business losses.

• Accept – the business will accept the risk and deal with any consequences of such. This approach should only be taken on risks that have a low impact if they did occur.

• Reduce – the business will aim to reduce the risk, for example, by regular servicing of the delivery vehicles to avoid breakdowns and delays of goods being sent to customers.

• Avoid – the business may opt to avoid the risk altogether as they deem the risk as highly likely and would have a high impact on the business if it were to occur.

Question 1: Which of the following statements is true?

• Risk can never be reduced.
• Uncertainty can never be reduced.
• Risk can be reduced in some situations

Question 2: A loss of a major customer is what type of risk?

• Business risk.
• Financial risk.
• Strategic risk.
• Operational risk.

Question 1 answer: risk can be reduced in some situations.
Question 2 answer: business risk.

• Karen Groves is an AAT tutor and AAT Course Director at e-Careers