What are you doing to identify risks and protect your company?

Don’t hide from your company’s risks! By inaction, your business could be extinguished overnight.

I went to an interesting panel discussion earlier this year on Risk Mitigation. While it sounds like an esoteric and potentially uninteresting topic, it isn’t! Risk Mitigation is absolutely essential for all businesses, big and small. Risks surround and permeate your business right now.

What is Risk Mitigation? It is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events and to maximize the realization of opportunities. So, identifying risks and avoiding them in the first place is a major responsibility of all business owners and their leadership.

The problem is that most small to medium businesses don’t take the time to identify and address issues of risk – let alone devise proper risk mitigation plans. This is a mistake that many business owners who have suffered financial ruin wish they had not made.

There are a number of practical things that all business owners need to be mindful of, and more importantly, act upon, in order to protect their business. There are several major risk categories that I will address here (which often overlap).

  • Financial
  • Cyber security risk
  • Operational Risk
  • Human Capital Risk


While folks with 9-5 desk jobs are generally protected from a lack of productivity, business owners see downtime as impacting their top and bottom lines. What else can I be doing to save money? What should I do right now to generate income? These questions are at the top of every business owner’s mind at all times.

Most businesses are not very liquid these days and are only a few months’ invoices from going down the tubes. Additionally, most businesses are also only one lawsuit away from going out of business. What is your plan? Who are the first people you call in X emergency?

Tips for managing financial risks:

  • Make sure your accounting books are organized and in place.
  • Get an umbrella insurance policy to protect against lawsuits and other liabilities.
  • Protect your income: Business insurance can cover you as a multiple of your income/revenues.
  • Obtain disability insurance for yourself.
  • Get value out of things you’re already paying for. Going out to dinner? Bring a client to get introductions at least (tax write-off).
  • Collateralize something. Says Hayden Cassidy of the Bulfinch Group, “My go-to with my clients is to use the life insurance, you can use that to become your bank so you can take advantage of investing and business opportunities that pop up. It also offers downside protection so you can use that avenue if business is slow for a couple of months.”
  • Don’t wait until you’re against a wall before you seek funding.

The biggest mistake business owners make is that they wait until they’re in financial turmoil before they reach out to obtain funding. While we have extensive capabilities, once a business has no cash flow and poor credit, it might be too late for even us to help. This is another reason that risk management is so important. A business without money is like a flower without water. Make sure to tend to your business and protect it since your livelihood could be at stake.


All businesses use email these days, not just large corporations. Whether you run a big or a small operation, you need to be aware of how dangerous email alone can be to your business.

A click of a mouse can be far more destructive to your business than a fire!

96% of data breaches originate from email. Clicking a link or a file sent to you by cyber pirates can take your entire business down in seconds. Let that sink in for a second… This kind of cyberattack releases malware (spyware, ransomware, viruses, worms) that can propagate through your company’s entire network.

According to Cisco, “A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network.”

You may ask yourself, “How do I get secure?” Security is not a “set it and forget it” kind of thing. Truth is, you cannot get 100% secure, as “security” needs to continuously adapt to today’s threats. One element of your business might be secure today but tomorrow, things can change so you must stay ahead of cyber threats. Remember, cyber attackers are like the schoolyard bully – hackers go for the easy targets. To effectively promote the importance of cyber security, organizations should:

1. Develop an Effective Security Strategy

Security should be built into the culture of your organization so that every employee understands the importance of cyber security and how dangerous cyber threats can be for your business.

2. Keep Defensive Practices up to date

The security landscape is constantly shifting, so all employees should be continually trained to respond appropriately to security threats. Systems should have sophisticated anti-virus and VPN software with multi-factor authentication.

3. Security Awareness Training

Effective security awareness training should be mandatory for all staff every year. Here are some basic tips for all organizations, big and small, to avoid being infected with malware and prevent cyber hackers from stealing your data:

  • Clicking links in an email: Check out the address/URL first to ensure it’s a legitimate site. If not, do not click it. Don’t just delete the email. Mark it as Junk or Spam.
  • Opening email attachments: Make sure that your email (Gmail is good at this) scans any attachments AND that you have up-to-date anti-virus software on your computer as a double layer of protection.
  • Receiving dubious emails out of the blue: Emails that say suspicious things like: “Your package was just delivered!” when you are not expecting a package. Check out the sender’s email address. If unknown, mark as Spam.
  • Jumping on an open network in public: This makes you a super easy target for hackers. They can obtain all your personal information from your laptop or phone, including passwords, credit card numbers, home and work addresses, account numbers at your bank, etc. NEVER CONNECT TO AN OPEN NETWORK! Use your data plan instead.


As a business owner, income is the most valuable asset to you and your employees. To your business, you and your staff are your most valuable asset. However, you and your employees can also be the weakest link. One basic tool that every company should have is an employee handbook. This helps provide basic guidance and sends the right message to employees that you are a serious organization. Here are some elements employee manuals should contain:

1. Company Culture and History. While not required, a brief section discussing the company’s history and its vision can help set the tone for an employee handbook. It can include the company’s mission statement, what is its reason for being, who are its customers, what is its position in the marketplace, etc.

2. Time-Off Policy. This section spells out the company’s vacation policy, such as how vacation time is earned, and how to schedule time off. It should also spell out which holidays the company observes, including which holidays the company closes for and, if the company is a restaurant or other business that stays open on holidays, how employees will be compensated for working the holiday. You may also want to address sick leave, family medical leave, and other types of leave, such as military spousal leave.

3. Employee Behavior. Under this heading, you can discuss the attendance policy, meal breaks and rest periods, and general expectations of employee conduct. This can include stating a policy against employee harassment and discrimination, bans on smoking, a substance abuse policy, how employees may use the Internet or e-mail, and a dress code – if you have the latter. You may want to address how employees should handle conflict resolution. Make this section very general in nature. Don’t get into too much detail as you cannot possibly address everything that might arise between employees.

4. Pay and Promotions. Spell out your methods of payment and let employees know whether they will be paid every week or every two weeks or whatever. This is where you state your overtime policy, define work hours, and discuss your pay grade structure so that people know where they fit in the hierarchy.

5. Benefits. In this section, provide employees with a general overview of the benefits you offer in terms of health care, dental, vision, life insurance, etc. Talk about who is eligible, whether that is only full-time employees or whether part-time employees are offered a pro-rated benefits package. List the criteria for eligibility, when you can enroll in benefits, and what the critical life events are during which you can change benefits – such as a marriage or birth of a child.

6. Protecting the Company. In this section, discuss both physical and cyber security threats to your business. Make sure you address your Security Strategies and what to do in case of different emergencies. Ensure that your employees have all the information and tools they need to protect themselves, as well as your company, from all types of threats.

After all the information is assembled into an employee handbook, make sure to vet the document before distributing it to employees. If at all possible, an attorney should be involved in preparing the handbook.

Key Considerations about Human Capital:

Show your employees that you care by:

  • Providing incentives for your employees to stay with you by having good benefit programs including 401k plans, flexibility, time off, etc.
  • Getting disability and/or life insurance for employees. This is also a tax write-off.
  • Providing bonuses
  • Having ESOP (employee stock options)

One last point: implementing solid succession planning (who will replace key employees in the event they leave) is essential. This needs to be constantly looked at and updated.


Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems or policies, such as employee errors, systems failures, and fraud or other criminal activity. Its four major categories of risk are: breakdowns in internal procedures, financial, external / environmental, and reputational.


Remember to work ON your business. When you’re working IN your business every day, don’t forget to work ON it to protect the back end. How are you protecting your business? Can you identify which risk category/ies the following questions fall into?

  1. If X employee(s) go on sick leave tomorrow, what’s my plan?
  2. How am I protecting my income?
  3. What am I doing to retain my employees?
  4. How should I protect my customers’ information?
  5. Who do I call if I get sued?
  6. Who do I call first if my systems get hacked?
  7. If my top three clients went away tomorrow, what would I do?

A lack of organization – with regard to any of the risk categories – is the single biggest threat that businesses face. Having operational processes written down for contingencies is crucial in business. You need easy access to info about your business, payroll, bills, statements, customers, employees, and loans. In some cases, you need SOPs (standard operating procedures) for everyone to follow so that tasks are carried out consistently throughout your organization. And if someone is out sick, someone else can pick up the slack and follow written instructions.

Obviously, there are entire books and courses on all the sub-topics mentioned here. Yet the overarching answer to all these questions and concerns is to plan ahead. Have systems in place with checks and balances. Take steps forward toward your financial and business goals. Get in a position to get the most out of your business. Some final tips:

  • Don’t try to figure everything out yourself. If you don’t understand things — call on people in your network.
  • Take it one step at a time. You can’t achieve all these goals in a day.
  • Plan your work – and work your plan.
  • Set goals every 6 months to a year. While these goals can shift and be reprioritized, you need to set them regularly.

Another easy and basic operational skill for business leadership is: Learn how to DELEGATE! You’re probably doing a number of tasks every day that are a waste of your time. What are the top five things you do every day? Put a dollar figure on each of those things, and then calculate how much each one costs per hour to see if it should be delegated to an assistant or outsourced.

In closing, remember:

  • Risk management is a DISCIPLINE that requires constant attention.
  • Understand your goals and work backwards from those goals.
  • And don’t forget: What’s your retirement strategy? Bear that in mind so that all your decisions will lead you toward that.

Knowing your clients and constantly surveying your market are excellent ways to assess your strengths and weaknesses, the first steps toward risk management. And don’t just keep these topics in mind – act on them. Take it one step at a time and enlist help when needed. Your business will be much more robust as a result.