How to Use a Corporate Risk Management Framework to Manage Your Business Risks

Managing a business is tough. Besides generating sales, you also have to deal with lots of uncertainty. Some of these uncertainties might even break your business.

All businesses face some risks. A savvy business owner will know how to deal with them.

But you have no risk management experience or knowledge. How do you get started?

A simple way to start is to use a framework.

In this article, we will share the risk management framework which we use to advise our clients. Using this decision-making framework, you will be able to manage your business risks.

Overview of Risk Management

Risk management is a process that identifies and treats loss exposures. A loss exposure is a situation where a loss is possible.

There are various reasons why you should manage your business risk. Some of the common reasons are:

  • Preparing for potential losses in the most cost-effective ways;
  • Reducing your anxiety so that you can focus on the business;
  • Meeting legal obligations;
  • Ensuring survival of the business when loss event occurred;
  • Continuing operations and growth of the business; and
  • Maintaining stability of earnings.

An important part of risk management process is how do you deal with the risks that you have identified.

Ways to Deal With Risk

There are 2 types of risk management techniques:

  • Risk control: Techniques that prevent or reduce the frequency or severity of losses.
  • Risk financing: Techniques that indemnify or compensate you for the losses occurred.

Most businesses use both risk control and risk financing techniques to manage risk.

Risk Control

There are 3 risk control techniques:

  • Avoidance
  • Prevention
  • Reduction


The simplest way to manage a risk is to avoid it. For example, if you are afraid of being in a car accident, simply stay at home.

By avoiding the risk, you will reduce the frequency of losses to zero.

But, there are 2 problems with avoiding risk. First, you might not be able to avoid all losses. Some losses just cannot be avoided. For example, you would not be able to avoid epidemic diseases from affecting your restaurant business.

Another problem with risk avoidance is that it might not be practical. For example, the bigger risk any business face is not able to get customers. Avoiding this risk means closing down your business. This is not something any risk management professional will advise.


Prevention refers to measures that reduce the frequency of loss events. For example, to prevent defective products, you can implement quality-control checks.

Note that it is not possible to reduce the frequency to zero in most cases.

Using Prevention to Manage Risk Events

The costs of prevention will start to increase exponentially beyond a certain point.


Reduction refers to measures that reduce the severity of losses if the loss event occurs. A popular example is the installation of a sprinkler system that activates automatically.

Risk Financing

There are 2 risk financing techniques:

  • Retention
  • Transfer


Retention means that you have decided to accept the risk. You can either retain part of all of the losses that can result from the risk event.

There are 2 types of retention:

One is you are aware of the risk and choose to accept them. The other is you are not aware of the risk and have unknowingly accept them.

The latter is more dangerous to your business. We have written several articles about common business risks in our blog. You should be able to relate some of them to your business. If you need any advise, feel free to comment below or contact us.

Retention can be a great risk management technique provided:

  • There are no other methods available. For example, no insurers are willing to extend coverage.
  • The worst-case scenario is not serious. For example, you have millions of customers. One customer default will not result in bankruptcy.
  • You have use prevention or reduction techniques. Prevention techniques can never reduce the risk to zero. But sometimes, it is fine to accept the residual risk.


The second method of risk financing is to transfer the risk to a third-party. A common way to transfer your risk is to use insurance.

In exchange for a premium, insurance company will indemnify your losses if the risk event occurred. Insurance is best used for risks that have a low probability of occurrence, but high severity of losses.

If you are using insurance to manage your risk, you have to consider the 3 factors:

  • What are the coverages that you need? The coverages should be appropriate for insuring the risk events.
  • Who should you insure with? No insurance companies will offer the same contract. When choosing an insurance company, you should take account of reputation, financial strengths, and coverages.
  • Should you approach an insurance agent or should you approach the insurer directly? An insurance agent will be able to advise on your specific business needs and negotiate better terms. The insurance agent would tailor the needs of your business and specify what type of insurance you should be having, with the right recommendation.

Choosing Your Risk Management Techniques

A useful way in choosing your risk management techniques is to use a risk matrix to classify your risks.

A risk matrix separated your risks into 4 categories:

  1. Low frequency, low loss severity
  2. High loss frequency, low loss severity
  3. Low loss frequency, high loss severity
  4. High loss frequency, high loss severity

The recommended techniques for each category are as follows:

Risk Matrix

Low Loss Frequency, Low Loss Severity

The first type of risk is low frequency and low loss severity events. One example is theft of office stationery. The best way to deal with such risk is to retain them in full.

The costs of managing them usually outweigh the cost of retaining them.

High Loss Frequency, Low Loss Severity

The second type of risk is high loss frequency and low loss severity events. This type of risk is more serious. Examples of such risks include workers’ injuries and shoplifting.

The most common way to manage this type of risk is through prevention. For example, by installing security cameras and sensors, you can prevent shoplifting.

If these losses occur frequently, you can also consider accepting these risks as part of your business.

Finally, do note that these small losses might accumulate to a big sum at the end of the year. So you may consider insuring these risks as well.

Low Loss Frequency, High Loss Severity

Insurance is the best technique to deal with risks that have low loss frequency, and high loss severity. These types of risk are usually catastrophic that might bankrupt your business.

The low probability of these losses makes the insurance affordable despite the severity.

Some examples of these type of risks are:

  • Fires and explosions of your business premise
  • Liability lawsuits
  • Natural disasters

High Loss Frequency, High Loss Severity

The last type of risk is high loss frequency and severity events. The first thing to consider is whether can you avoid it. For example, if you develop a product that you know will have a high chance of a lawsuit, you should not launch that product.

Consider using a both prevention and insurance techniques if avoidance is not possible.

Prevention techniques can reduce the frequency of losses to low loss frequency. You can also try reducing the loss through reduction techniques. Then you can use insurance to transfer the residual risks as the premiums are now more affordable.


This article provides a high-level framework for dealing with risks that you have identified for your business. We use the same framework to advise our clients on their insurance needs.

If you need a professional consultant to advise on your risk management program, feel free to contact us for a no-obligation discussion. We love to speak to you!