Risk Management for Small Business Owners, by T.S.

I’m willing to bet that many SurvivalBlog readers own a small business of some sort. Whether you have a brick-and-mortar store, sell homemade goods at a farmer’s market, or have a “side gig” with eBay or Etsy, figuring out how to make your small business resilient (without much expense) is an excellent use of your time.

I own a small and entirely online business that ships products across the USA. This is currently an additional income source. My “day job” is in IT, where I’m certified in risk management and disaster recovery planning. I’m going to present an industry-standard plan to make your small business resilient, peppered with examples derived from my own business owner experience.

A note on terms–the corporate world has created a hodgepodge of concepts related to resilience. Risk management is about proactively identifying, analyzing, and mitigating risks that could cause a disruption. This is related to but distinct from business continuity planning (which builds on risk management and is concerned with keeping the essential functions of your business going during and after a disruption) and disaster recovery planning (which is focused on restoring business functions after a disaster causes your business to halt completely). Today’s article is about risk management. If there’s enough interest, I may write follow-up articles on business continuity and disaster recovery planning.

One more note–a lot of these concepts are intended for large companies with lots of employees and resources to throw at resiliency. Your small business will be at a disadvantage there. But a small business has the advantage of fewer assets and less exposure to risk. As a result, I’ve simplified the industry standard processes to be less time-consuming for a small business owner. If there are any other risk management gurus reading this please forgive me for combining and slimming down a few steps!

Now that those caveats are out of the way, let’s get started. The first steps in risk management are to identify and analyze your risks. This risk assessment, greatly simplified, is “Assets + Hazards + Probability + Impact = Prioritized Risks.”

First, we’ll address assets. Identify the key processes of your business. This could include creating products, managing payments, shipping or delivery, etc. The next step is to identify the assets needed for each process, and assign a value to each. This is somewhat subjective–the value could be the cost to replace the asset, or the value that the asset adds to your business. You can estimate a dollar amount or use broad labels like Low/Medium/High value. Just make sure you stay consistent in how you measure asset value. For this article, we’ll keep it simple and stick to Low/Medium/High. My business sells mostly seasonal items, and I spend a lot of the off-season sourcing products to sell later on. That means I have a sizeable inventory most of the year. Unsurprisingly, when I arrange my business’s assets by value, my inventory is my highest-value asset. Inventory is often a high-value asset for small businesses selling material goods. Vehicles and tools are common high-value assets for businesses providing services.

So at the end of this step, we will say our hypothetical small business has these asset values:

Records (customer contact list, receipts, tax documents, etc)


Shipping supplies (Boxes, tape, etc)
Storage containers

The next step of the risk assessment is to identify hazards and their probability. Hazards can be naturally occurring (like hurricanes or blizzards) or man-made (like theft and civil unrest). If you know your business and your locale well, you can make a common-sense assessment of what your most likely hazards are. If you live in California, wildfires and earthquakes may be high probability hazards. If you live in the mountains, blizzards and landslides may be likely. I live in Texas–a place I love–but I do worry about the stability of the power grid. So an extended power outage is a higher probability hazard for my business than it may be elsewhere. It doesn’t hurt to double check your intuition though, using resources like flood maps, USGS’s earthquake risk maps, or by talking to an insurance agent. Big businesses will calculate the probability of a hazard occurring down to decimal points, but for the small business, it’s enough to assign a broad hazard probability of Low/Medium/High.

Let’s say our hypothetical small business is in east Texas. The hazard assessment could break out like this:

Extreme humidity (mold/mildew)

Extended power outage
Moths and other destructive pests

Civil unrest

The next step is assessing impacts. Again using the Low/Medium/High labels, assign an impact level (taking into account whatever existing protection you may have) to every asset for each identified hazard. In other words, if a fire happened in your business, what would the impact be to your inventory, tools, records, etc? At the end of this process, you should have a two-letter overall hazard rating–the first letter for impact level and the second letter for the hazard probability level.

At this point, our hypothetical small business has a list of assets + hazards + probabilities + impacts, with overall hazard ratings. Here’s how it would look for the inventory asset:

ASSET: Inventory (High value)

Hazard: Extreme humidity (High probability)
Impact with current mitigation: High (mold/mildew will render inventory worthless)
Overall hazard rating: H/H (High Impact/High Probability)

Hazard: Extended power outage (Medium probability)
Impact with current mitigation: Low (inventory stored in non-climate controlled environment)
Overall hazard rating: L/M

Hazard: Theft (Medium probability)
Impact with current mitigation: Medium (many items are bulky, thieves could likely steal some but not all inventory)
Overall hazard rating: M/M

Hazard: Moths and other destructive pests (Medium probability)
Impact with current mitigation: High (moth infestation will render most of inventory worthless)
Overall hazard rating: H/M

Hazard: Flooding (Medium probability)
Impact with current mitigation: Medium (inventory on ground or lower shelves may be ruined)
Overall hazard rating: M/M

Hazard: Earthquake (Low probability)
Impact without mitigation: Low (inventory stored in single-story shed without water or gas lines)
Overall hazard rating: L/L

Hazard: Civil unrest (Low probability)
Impact with current mitigation: Medium (for inventory the impact is essentially the same as Theft hazard)
Overall hazard rating: M/L

Hazard: Fire (Low probability)
Impact without mitigation: High (loss of inventory through burning or smoke damage)
Overall hazard rating: H/L

…and so on, for each asset. Note that a hazard that is low impact for one asset may be high impact (or vice versa) for a different asset. The inventory may be unaffected by an extended power outage, but the impact on the business’s computers would likely be at least medium.

Keeping track of all this information can get messy. If you’d like a ready-to-fill form to help guide your risk assessment, a template can be found at the Ready.gov website.

(Note: The form is decent, just ignore their misspellings like “senario”. That is “good enough for government work”, I guess.)

After you’ve completed your risk assessment, the final step is risk mitigation. Rank your two-letter overall hazard ratings by impact, and focus on finding ways to mitigate the High and Medium impact hazards. I prefer for simplicity’s sake to prioritize hazard ratings in this order: H/H, H/M, H/L, M/H, M/M, M/L. Some people may prefer to prioritize Medium Impact/High Probability and Medium Impact/Medium Probability over High Impact/Low Probability. Either approach works, as long as the top hazards are addressed. Be creative in how you approach risk mitigation. Things as varied as improving physical security, obtaining backup devices, learning a new skill, and purchasing insurance all count as mitigation. Odds are that you will not be able to mitigate every risk, and that’s okay. Some hazards will almost certainly exceed your small business’s resources to mitigate. You are in a better situation by simply being aware of that risk.

For our hypothetical small business, the top risk (High Impact/High Probability) to our inventory is east Texas’s high humidity. A relatively cheap way to harden the inventory against that hazard is to store the inventory in airtight containers with silica gel packs inside. As an added bonus, this also provides mitigation against the hazard posed by moths and other destructive pests, as well as some level of protection against floods and smoke damage. For the fire risk (High Impact/Low Probability) let’s say our business does not have the money to install a sprinkler system in the storage shed. We could install a smoke detector, keep a fire extinguisher nearby, and make sure the surrounding area is clear of flammable items. Moving to the Medium Impact risks, the danger of inventory theft and civil unrest can be mitigated by putting bars across the windows of the storage shed, putting a better lock on the door, and perhaps installing cameras, lights, and alarms.

If you don’t like my risk management methodology, there are dozens of variations that you can search for online. All follow the same basic logic, but some variations may be a better match for you and your business. The important thing is that you, Mister small business owner, have taken the time to understand the risks posed to your business and have identified measures to harden your livelihood against what man and nature may throw at you.