A Small Business Owner’s Guide

to

Risk Management

Insurance

Table of Contents

  1. Introduction 3
  2. Case Study: Corrine’s Cakes 3
  3. Identifying Risk 4
  4. Internal and External Risks 4
  5. Warning Signs 5
  6. Corrine’s Cakes: Identifying Risk 5
  7. Measuring Risk 6
  8. Categories of Risk 6
  9. Assessing Probability of Occurrence v. Cost 7
  10. Mitigating Risk 8
  11. Safety First 8
  12. Employee Training 9
  13. Employee Management 9
  14. Accounting and Cash Control 10
  15. Vendors 11
  16. Business Continuity Plan 11
  17. Business Exit Strategy 12
  18. Information Technology/Cyber Liability 12
  19. Put It in Writing 13
  20. Corrine’s Cakes: Risk Mitigation Plan 13
  21. Insurance 14
  22. The Broker 15
  23. Types of Insurance 16
  24. Insurance Policies for Small Businesses 16
  25. Terms of Insurance 21
  26. Limits on Coverage 23
  27. How Much Should You Spend on Insurance? 24
  28. Other Insurance Issues 25
  29. Conclusion 29
  30. Additional Resources 29

A SmallBusiness Owner’s Guide to Risk Managementand Insurance

  1. Introduction

Risk is part of any business, and whether you are starting a new business or seeking to expand an established one, youcannot completely avoid or eliminate risk. However, it is important for business owners to balance profitseeking withprotection of their company’s assets, employees, and reputation.

Risk management is more than justpurchasing insurance to protect your company against risksfrom outside your business, such as natural disasters. It’s also about identifying, assessing, and minimizingrisks created by vulnerabilities within your company, such as the possibility that a poorly supervised employee steals,or that supply problems put a financial strain on your operations. Both types of risk should be addressed in a comprehensive risk management planthat is createdearly in the life of your business and reviewedat least annually.

This manual will take you through the risk management process, explaining the four fundamental steps any small business should take in creating a plan:

  1. Identifying Risk: Which risks are inherent to all businesses, and which are unique to yours?
  2. Measuring Risk: What is the probability of a given risk occurring, and what is the cost of a given risk?
  3. Mitigating Risk: How can you eliminate a risk or minimize its impact?
  4. Obtaining Insurance: What kind of insurance does your small business need?
  1. Case Study: Corrine’s Cakes

Throughout this booklet, we will follow the case of Corrine’s Cakes as it develops a risk management program. Corrine’s Cakes is a shop and cafe,owned and managed by Corrine Davis,which specializes in customized birthday cakes and other baked goods. On weekends, Corrine’s Cakes also hosts children’s birthday parties at which kids ages 4 to8yearsold help make and decorate their own cupcakes. The company was started 12 years ago and is located in a small commercial strip near a residential neighborhood of moderatelypriced single-family homes.

Corrine’s Cakes leases its space, which includes a kitchen, a shop, a small café area, and a room for hosting birthday parties. It is locatedon the first floor of a building that also rents space to a drugstore and a family-owned grocery and convenience store. In 2013 the company recorded $500,000 in sales. It employs one part-time and two full-time bakers, one full-time cashier, and two part-time staff members, one of whomdelivers cake orders, while the other manages the weekend birthday parties. The company owns a small van that it uses for deliveries.

  1. Identifying Risk

The first step in a risk management plan is to identify risks that your business may face. Brainstorm and make a complete list of anything that could slow or stop the profit of your business, and rank the risks in importance. Consult with managers and staff for additional ideas. Reviewyour list on a regular basis, amending it when necessary.

  1. Internal and External Risks

When identifying risk, it is important to look at both internal risks (risks that originate within your business and,thus, can often be controlled or minimized) and external risks, which originate outside your business and over which you usually have limited control.

Common internal risks include:

  • Illness or Death of a Key Employee: An important employee must take extended medical leave, disrupting operations.
  • Property Loss: Your premises suffer damage, or property is stolen.
  • Customer Injuries Caused by PoorlyMaintained Premises: A customer is harmed while patronizing your business and files a lawsuit.
  • Cash-FlowProblems:Your monthly expenses unexpectedly outstrip your revenues.
  • Cyber Liability: Inadequate security makes your business vulnerable to data loss or theft.
  • Outdated or PoorlyMaintained Equipment: Your equipment frequently breaks down or works inefficiently, causing business losses.

Common external risks include:

  • Market Risk:The price of supplies increases due to external market forces.
  • Competition: New businesses enter the field or existing ones copy your products.
  • Rent Increases: Changes in the realestate market drive up rental costs.
  • Changing Federal or Local Laws: New regulation forces you to change your business practices, raising costs.
  • Weather: Heavy snowfall or storm damages shuts down or slows business.
  • Disruptions in Your Supply Chain: Bad weather, labor disputes, or a supplier’s bankruptcy impact your ability to obtain needed supplies.
  • Population Changes/Taste Changes: Shifting demographics alter demand for your product or service.
  1. Warning Signs

Some internal risks to your business may become evident through warning signs. Some examples:

  • Periodic audits or spot checks of your accounting system may reveal employee errors or fraud. Similarly, reports from your computer system can highlight weaknesses and potential risks, such as unauthorized changes in user access or records of unusual transactions.These are signs you need to increase employee oversight and/or tighten user access.
  • High employee turnover may indicate problems in your company’s work environment. Your business needs to retain dedicated and well-trained employees, so you should determine why employees are leaving and take steps to deal with any problems.

Some external risks can also be identified by continually taking stock of your customer base, vendors, and products.

  • If you rely too heavily on a small group of customersor vendors, your business may be at risk if an important vendor closes its doors or if you suddenly lose some key customers.
  • If a large percentage of your business comes from sales of a single product or service, you should consider diversifying your revenue stream.
  1. Corrine’s Cakes: Identifying Risk

Among the internal risks that Corrine’s Cakes could face are the following:

  • OwnerIllness:Corrine becomes ill, requiring long-term medical treatment, and cannot manage the shop on a daily basis.
  • Property Loss:Vandals smash a large ceramic planter of flowers that stands outside the front door of the shop when the shop is closed at night, and spraypaint graffiti on the door.
  • Cash Flow:The bakery has trouble paying some of its vendors at the end of the month.
  • BusinessLosses Caused by Faulty Equipment:An oven that has not been regularly serviced breaks down and is unusable for three weeks while it is being repaired.
  • Customer Injury:During a weekend birthday party, several toddlers wander unsupervised into the shop area, where one is injured after attempting to climb onto an unsteady chair.
  • Fire: An early-morning fire starts in the kitchen while one baker is at work, and the fire spreads throughout the shop. The one employee on the premises is slightly injured, and the damage to the shop and kitchen is significant.

External risks to Corrine’s Cakes include:

  • Market Risks: The price of flour increases due to a prolonged drought in the Midwest.
  • Supply-Chain Problems: UPS drivers go on strike, and Corrine cannot get the baking and party supplies she needs to run her business.
  • Changes in Demand: Families are moving out of the neighborhood, and demand for birthday cakes and other party foods drops.
  1. Measuring Risk

The next step in a risk management plan is assessing the probability that a risk will materialize, and assessing its impact on your business. What is your vulnerability for each risk?

  1. Categories of Risk

As a first step, you need to decide into which category the risk falls. There are four risk categories:

Low risk incident will occur/Low cost if incident does occur / High risk incident will occur/low cost if incident does occur
Low risk incident will occur/high cost if incident does occur / High risk incident will occur/high cost if incident does occur

In the case of Corrine’s Cakes, some examples from these risk categories are:

Low Risk/Low Cost:The temperature rises to 70 degrees one day in January.

Low Risk/High Cost: Ahurricanehits Washington, D.C., causing severe damage to the shop—shattered windows, broken equipment, and flooding through the shop and kitchen.

High Risk/Low Cost: Some cookies are broken as they are rapidly removed from trays, rendering them unsaleable.

High Risk/High Cost: The business does not do regular maintenance checks on its ovens, and one of its ovens breaks down and is not repaired for three weeks, forcing the business to delay delivery of several custom birthday cake orders. As a result, the shop gets many negative reviews on consumer review Web sites.

  1. Assessing Probability of Occurrence v. Cost

How you rate the risk of loss to your business will determine how many resources your business should expend trying to lessen the risk. Here is how Corrine’s Cakes considers the risks it faces:

  • Low Risk/Low Cost: If the temperature rises unexpectedly to 70 degrees in the middle of January, the kitchen may become uncomfortably warm because of the additional heat created by the ovens. If the building owner is unwilling to start up the central air conditioning, Corrine can bring fans from home to cool the kitchen.
  • High Risk/Low Cost:A busy baker will typicallybreak a few cookieseach day when removing them rapidly from baking trays. However, the revenue loss of a few broken cookies is not significant, and the cashier can put the broken cookies on a plate at the front counter as “free samples” for customers. The cost of preventing cookie breakage—removing cookies carefully and slowly from the trays—will reduce efficiency and overall output in the kitchen, and is not justified by the loss of a few discarded cookies.
  • High Risk/High Cost: In contrast to the broken cookies, the risk of a poorlymaintained oven breaking down, and the cost to the bakery of reduced capacity and sales, as well as reputational damage suffered by delays or cancellations of custom birthday cakes, justifies expending resources to ensure that the bakery’s ovens operate reliably and well.
  • Low Risk/High Cost:The most difficult events to plan for are the low risk/high cost events, such as hurricanes and other weather-related disasters. Every spring and summer, severe weather occursthat causes substantial loss of life and property damage somewhere in the United States. However, it is highly unlikely that it will strike a specific community. Thus, while the risk of a Category 3hurricane striking the D.C. area is remote, if such a storm occurs, the risk of significant damage is substantial. Therefore, it makes sense for Corrine’s Cakes to make a contingency plan in the event of a hurricane. When a major hurricane is forecast, this plan could include a system for protecting windows and moving furniture and computers into back rooms, where they will be afforded greater shelter from high winds, rain, and hail. However, other steps the business could take may not be cost-effective, given the likelihood of the risk. These include spending large sums of money to retrofit the building so it can withstand a Category 5 hurricane. While such an investment may be sensible in a high-storm-risk area such as coastal Florida or North Carolina, it probably does not make sense in Washington, D.C.

Once you have placed all of the risks into one of the four categories, you should figure out what your business already does to prevent these risks from occurring, and what additional measures you need to take.

  1. Mitigating Risk

A great deal of risk can be mitigated by taking some basic measures. Here are some guidelines that apply to most businesses.

  1. Safety First
  • Inspect and Repair:Ensure that your business’s premises and facilities are safe by conducting a thorough inspection of its physical plant. If you discover potential hazards during the inspection, such as faulty fixtures, loose railings, or poor lighting, arrange for the appropriate maintenance work and make certain it is performed.
  • Monitor Equipment:Check equipmentto be certain it is functioning properly and in good condition. Make sure any potentially dangerous machines or chemicals are secure and inaccessible to any patrons. If you know of conditions that cannot readily be repaired, mark off the area or otherwise isolate the condition and put up warning signs.
  • Put It in Your Calendar:Schedule regular inspections of your premises and equipment, such as once a quarter or twice a year, as needed. Put reminders in your calendar so that you are sure to make the inspections regularly.
  • Know the Law:Protect yourself from liability by complying with local safety regulations, some of which may apply to all businesses and some of which may be specific to your type of business.
  1. Employee Training
  • Talk to Your Staff:Your employees are the first line of defense when developing a risk management plan. Stress to them the importance of ensuring the safety of the business’s customers and employees, as well as the security of the business’s assets.
  • Train Your Staff:A worker can only follow a rule or procedure that has been explained to him or her. If your business requires workers to perform duties that could affect someone’s well-being (e.g., preparing food, treating sick individuals, supervising contact sports, handling funds), you must be certain that workers receive proper training. Provide formal on-site training, or arrange for workers to attend training courses.
  • Put It in Writing:An employee handbook is a good way to distribute important safety information and to ensure that workers have ready access to it.
  1. Employee Management

Your employees are essential to the success of your business, and the care you take in hiring and managing them canprevent many problems in the long run.

  • Screening: Background-check providers can assist you in screening your employees. However, when screening, be sure you comply with D.C. and federal law governing criminal background checks and credit reporting.
  • Clearly Communicate Job Descriptions and Duties: By providing employees with a clear job description and list of duties, you will ensure that employees understand their responsibilities as well as your expectations. Clear communication between managers and employees will help prevent safety and performance lapses. You should also consider training employees in other job functions so that they are able safely tofill in for an absent co-worker.
  • Give Regular Performance Evaluations: Evaluations of employee work will allow employees to improve their performance. Additionally, giving employees the opportunity to comment on their jobs may also give you valuable feedback on ways to improve their work environment and job satisfaction, resulting in better employee retention.
  • Be anInvolved Owner/Manager: Problems are more likely to arise in businesses with absentee owners. Get to know your employees and customers, and be a regular presence at your business.
  • Incentivize Compliance With Safety Procedures: Accidents can cause injuries, productivity losses, and a rise in insurance premiums. If you reward employees for avoiding accidents, you will save money over the long term and help them to become more invested in safety compliance.
  • Educate Your Employees: To prevent discrimination and harassment, make sure your employees understand what constitutes discriminatory and harassing behavior under federal and state laws. Make sure employees feel secure in reporting to you about inappropriate treatment by other employees.
  1. Accounting and Cash Control
  1. Separation of Duties: To minimize the possibility of fraud or theft, create an “audit trail” by ensuring that different employees are responsible for different tasks, such as accepting cash or payments, depositing funds, and reconciling the business’s accounts. Payments should be recorded and verified by two separate people to create accountability and to establish a record. Consider requiring supervisor approval for transactions above a certain dollar amount. Also, have employees who are responsible for finances take regular vacations, so that from time to time, someone else performs the work usually performed by the vacationing employee.
  2. VerifyRegularly, but not Predictably:Conduct regular check-insto ensure that cash inflows are balancing with bank statements. While check-ins should be done regularly, they should not be done on a predictable schedule that an employee can use to his or her advantage. For example, by observing that check-insoccur regularly on the 7th of every month, an employee may steal cash and then return it before the missing funds are detected.
  3. Monitor YourPayroll: Monitoryour payroll systems to check for discrepancies. Compare timecards to payroll ledgers and payroll ledgers to the payroll account.
  4. Check Your Bank: Ensure that your financial institution is FDIC-insured, and calculate your insurance coverage by using the FDIC’s online Electronic Deposit Insurance Estimator at
  5. Keep a Reserve:Many small business fail because they do not have enough capital on hand. Therefore, you should build a reserve fund equal to at least three to six months’ expenses. This will give you a financial cushion against months when your expenses are higher or sales are lower than expected. It can take you a few years to build up an adequate amount, but setting aside funds to add to the reserve should be included in every annual budget.
  6. Create a Contingency Plan: Have a plan in place in the event of a cash-flow problem. If you suddenly lost several of your biggest customers, would your expenses drop as well, or would you need to cut costs?
  1. Vendors

Finding a reliable, price-competitive vendor and establishing a good relationship with that vendoris a key part of your business. But reliance on a single supplier can expose you to business losses if that supplier experiences financial problems of its own or suddenly goes out of business.