The administration of business risk is the progression of identifying threats, risk assessments and prevention, and controlling/minimizing the threat of these risks and having action plans in place should these events happen. Developing approaches to manage risks helps maintain a business continuity plan.
Reference BS 31100:2011 Code of Practice and Guidance; This book offers guidance to help management’s strategic understanding of risk and support decision making that ensures best practice. It provides practical and specific recommendations on how to implement key principles of a defined risk management process, which can be tailored to different types of businesses and to varying groups within an organization, helping to increase consistency and improve communication, as per the guidance of the international standard BS ISO 31000. It provides direction on how companies can integrate risk-based decision making into the organisation’s governance, preparation, management, reporting, policies, values and culture. It is an open, principle based system, meaning it allows organisations to apply the principles in the standard to the organisational context.
Risk is a necessary part of undertaking business, and in a world where enormous amounts of data are being processed at increasingly rapid rates, identifying and mitigating risks is a challenge for anyone. Some indemnity companies insist of clear evidence such as ISO 31000 which shows that business risk have been seriously assessed.
Another standard is BS 7799-2 this is regarding Plan to do It check List. I have used this as part of my monitoring of a risk plan. This standard has now been removed, it aligns with ISO/IEC 27001:2005 but you can see the benefit of it, it is a simple four phase model, of plan, do, check and act. Continued cycle. It is a good process for continuous improvement which is all about business risk. On the negative side it is a unhurried progression, so may not be appropriate for an urgent risk.
In the surgery, we have a business continuity plan plus risk assessments that takes place annually. This breaks down multiple areas of different topics, showing potential risks and what can be done to fix/prevent this. Example attached of our BCP which is currently under review.
There are multiple business risk concerns affecting many different topics. Three examples of business risks are as follows;
Employee risk: reference: management Staff health and well-being and the importance of sustaining sufficient staff members. Recently, one member of staff was having significant child care troubles. This greatly affected the staff rota and insufficient cover was unsustainable. It put a lot of pressure and strain on the other members of the reception team who were often lone working and doing more open/closes which is normally shared out amongst the team. Urgent one-to-one meetings were held with the member of staff and myself to try and work out the best way forward. The risk management here is sustainability.
Health & Safety. reference: risk document; As a GP surgery, we already abide by the national guidelines and are compliant with health and safety law and legislation. Actions are taken to ensure correct procedures are followed. This includes employment law and ensuring working conditions, from equality to holidays etc. are in line and complies with the employment law. One example here we have staff who believe in different religions. A Muslim calendar and their special celebrations are not on a bank holiday. To be fair to all staff and have the same equality we have introduced a system where they cover for each other. We plan well in advance and book locums to cover these holidays. This is an environment risk as a cultural.
Commercial risks. A lot of surgery income is based on various types of purchase claims. This includes travel vaccines and enhanced service claims. There are a number of various clinical stock items that we buy in and are then able to claim the money back plus with a profit. If there is a manufacturing shortage of certain items or a company goes into liquidation, this would cause a great loss of income. To minimise this risk, we have standing orders with pharmaceutical companies for minimum stock per month. We can increase the quantity if and when needed. This allows us to ‘tide ourselves over’ should there be a manufactory problem. When items are delivered, we must ensure recent expiry dates are used first avoiding missed expiry dates and again risk of losing stock/profit income.
It is important to understand the influences of any business risk. If you have no sustainability in your workforce then you put your business at risk with no staff, here in the surgery that has dramatic effect of not being able to open and not fit for purpose, unsafe for patient care and breaking agreement with the health authority and could be liable for not having safety net in place. Same with the wellbeing of staff you have processes in place to ensure equality and to consider physiological risk and behaviour risk. The commercial risk is about finance, if you cannot pay your staff and your overheads, then you have no business. These risk management is there to protect you, to guide you and to take heed of all internal, external factors and finances to have a continuing plan. ISO usually cost as they also certified that you are compliant, which is why food factories for example would pay a specialist company in to help with the process.
When you complete a BCP (business continuity plan) it is the risk management which is in the driving seat. It is how we recognise a threat, with a plan to minimise the disruption. The crisis management is the response for example the current COVID19 pandemic. The risk management is a system already in place to reducing risks which was identified as a threat. This could be example a fire, so to reduce the risk you would write in your continuity plan to have annual electric plugs checked and have fire extinguishers situated in your premises. The attached document is regarding a flu pandemic which I reviewed and updated in September 2018. This was created in response to a crisis of the swine flu in 2009, and by having this in place has helped us to react to this new pandemic with a strategic plan.
If you don’t understand all the possible threats and able to identify them, then you could be working in crisis management a lot more. It is wiser to know the likely hood of any threats or risks you can plan in your BCP the possible impact and preventive steps.
Crisis management may mean insignificant preparation. You have to plan for everything before it happens. Another negative to crisis management is that it would be expensive and can be time consuming. There are no promises that when you identify a threat associated with your business you are done, as certain events for example an earth quake or snow that are beyond your control, may happen but you need to prepare the way forward after the disaster. To product your business, your job, your staff and the reason why we are here our patients, it is paramount that our BCP is relevant updated on annually and to learn from any crisis which may have happened during the year. I believe the following statement sums it up.
I think the above quote was an adapt way of my conclusion. Each of the BCP, risk management and crisis management are each all important, but by themselves they are not enough, the risk management I feel is the flour of a cake, where the BCP is the egg which binds it and the crisis is the icing on top and bound together stops the cake falling apart.
One method of scenario planning is a pestle, it helps to reduce the impact and effects of potential threats of our surgery. It is simple to use, as shown.
One disadvantage is that is can be oversimplified and too much information gathered. It is more ideal to use for example with SWOT. We use pestle to make sure that we have identified important effects for the surgery. They are both used to evaluate, where pestle is external and swot is internal, together they can be used to strength your strategic plan with better understanding of your business.
When I analyse business risks, I often use the brainstorming and SWOT identification techniques.
Below, I have explained how I would use both techniques to support me in identifying risks and how I find them useful;
Often involving other team members, each having in-put to a topic discussion. Both positive and negative opinions should be written down. This can also be done solo; however, I believe a team effort can bring more outcomes. All suggestions can be evaluated at a later time.
I believe this technique is useful as it is a fairly quick method that can highlight risks within a change/project quite quickly. Completing with other members also allows different points of views and may produce some risks that you/your team may not have thought of.
This technique helps you set out the strengths and weakness within the implementation of a change. By identifying the weaknesses or barriers to the change it helps me to identify potential risks and consider mitigation. I have previously used the SWOT technique when analysing situations within the surgery, most recently staff issues. See my SWOT table analysis for reference.
I find using this technique useful as it helps identify strengths and weakness; it’s a good tool to look back on and have the risks ‘’jump’’ out on you – identifies the areas requiring further work on to help implement any change. I can see that that the swot can be bias which is something you need to consider.
A crisis management model is Gonzalez-Herrero and Pratt, it has 3 stages = diagnosis of crisis, planning and adjusting to changes. It helps to be focused during a crisis, during on our policy review last year was our flu pandemic management plan, this came out due to the swine flu and now gives guidance for fortune situations. Any crisis plan helps to identify each person’s role helping to reduce the after affects. For example, our chain of command is for receptionist to go to their senior receptionist, that communication line would have to be included for any crisis so not mixed messages are given. During the COVID19 situation, I regular meet with my senior receptionists and feed information and updates so she can implement it with the reception staff.
I have attached a risk plan with migration and actions, the document is separate to this answer as it is a completed piece of work. As mentioned above, here at the surgery the GP partners and myself would brainstorm first before creating any planning and how to move forward with crisis management as this fits in with our business, we have a very good open communication line and more heads which can see risks and who can help to respond to any current crisis with regular team meetings to monitor how it is working.
My opinion since I started this course is that although brainstorming is the way we may do things in the surgery, it may not necessary be the correct process as I can see and understand that all the different models and theories I have learnt that there is a reason why it is recommended. The responsibility of these now lie with myself being the Practice Manager. I will be introducing more tools like using swot and pestle together to manage the business better. Bringing better risk management processes making sure we are not avoiding any risks. I have still got a long way to go with reviewing risks at the surgery, but can start with a plan, being objective.
Impact and probability are two main modules of any risk assessment. For any risk management you would identifying threat and the risk of them occurring. As shown in my document of a risk plan evidence.
Impact can be both good or harmful, and can be defined qualitative and in a quantitative manner.
While probability is the possibility of a risk occurring and again can be defined by a qualitative and in a quantitative way. Activities have a risk and it is finding out the probability which is the likelihood of an event occurring and the consequences, to which extent the project is affected by an event, are the impacts of risk and if this is explained in numerical as in quantity then it is quantitative, but if for example done and shown in a graph or text quality then this would be qualitative.
This example shows us how we can record a risk assessment using this grid as very low is the same definition of 0.1 to words of highly unlikely to occur.
I have used the first scale in my example of risk plan, it was simple to use. I have no preference of which to use, as they are both clear and simple to use, the main point is Identify all or as many as possible potential risks and loss to the surgery by estimating the likelihood of it occurring, assigning a loss amount to the potential risk and calculate total loss to the surgery. You can then decide if the business can withstand the loss and if the risk is worth taking.
One feature of these methods is a risk probability is a refined guess. Because we can identify risk but sometimes it is the experts of the team who assign the risk probability. It can be costly and especially if perception is incorrect. I prefer seeing and reading a text and overall would prefer the graph of the risk impact as to me it is more visual.