Skip to ContentGo to accessibility pageKeyboard shortcuts menu
OpenStax Logo

13.7 Mitigating and Managing Risks

Entrepreneurship13.7 Mitigating and Managing Risks

Learning Objectives

By the end of this section, you will be able to:

  • Explain Enterprise Risk Management and how a company uses it
  • Describe litigation and financial risks
  • Describe common insurance needs

Risk management is key to operating any business in a profitable fashion. There are many risks facing an entrepreneur when starting and operating a new business venture. The trick is to eliminate risks that will hurt the venture, while taking on risks that will provide for long-term profitability. The risks facing the entrepreneur need to be initially identified as part of developing a business plan and revisited regularly in ongoing operations. Preparation for adverse events affecting a new business venture is necessary, but being too pessimistic or allowing fear of adverse events to stop an entrepreneur from taking any risk will keep a business venture from achieving it greatest potential and profit.

It is important that an entrepreneur develop an understanding of the risks of the business environment. The risks include liability risks stemming from contracts and torts, sometimes referred to as operating risks, regulatory compliance risks, financial risks, and strategic risks, including taxation. Understanding how the business structure is used to operate the business venture allows the entrepreneur to develop a plan to manage business growth and understand business risk.

Enterprise Risk Management

Profitable ventures develop a strong enterprise risk management program, which is an integrated, cross-disciplinary approach to monitoring risk. An organization needs to look at both long-term and short-term risks at all levels of the organization, and these risks need to be evaluated from all stakeholders’ perspectives and developed into an entity-wide program.

Enterprise risk management attempts to address the specific risks discussed in the preceding section by implementing a risk program that enables a business to identify and manage risk. Specifically, a business will go through a process that involves a multistage process of risk identification, risk assessment, and risk abatement. Examples of risks that businesses face include those from natural causes, economic causes, and human causes.

Natural causes of risk include disasters such as hurricanes and flooding, as well as earthquakes or other catastrophes that result in loss of life and property, as well as business interruption. For example, a business in New Orleans could be flooded by a hurricane. This results in damage to facilities and products, and threatens the lives of workers. In order to counter such causes, businesses need to plan ahead for business continuity, take out comprehensive insurance coverage, and have an evacuation/shut-down plan in place.

Economic causes of risk include global events leading to rising prices of raw materials, currency fluctuation, high interest rates, and, of course, competition from other companies in the same industry. An example of this would be unpredictable trade wars with China, leading to tariffs.

Human causes of risk refer to actions by employees, contractors, and those persons over which a company has control. These events can include torts stemming from negligence at work, labor strikes, shortages of qualified trained workers, and corporate mismanagement. An example of this type of risk would include embezzlement of money by an internal financial executive.

The use of a comprehensive approach allows a business entity to review and combine all risks into a functional perspective that allows the entrepreneur to evaluate risks and integrate new risks as different opportunities become more important to the business venture. Businesses sometimes use a risk matrix to assess or characterize the probability and impact of risk (Figure 13.11). The use of such a tool can help a business quantify risk and decide whether to undertake an activity based on its level of risk.

A risk matrix showing impact of a risk from low to high (left to right) and probability of risk from low to high (bottom to top). The matrix has nine blocks: a low impact and low probability results in a low risk; a low impact and moderate probability results in a low risk; a low impact and high probability results in a moderate risk; a moderate impact and low probability results in a low risk; a moderate impact and moderate probability results in a moderate risk; a moderate impact and high probability results in a high risk; a high impact and low probability results in a moderate risk; a high impact and moderate probability results in a high risk; and a high impact and high probability results in a high risk.
Figure 13.11 A risk matrix can be a useful tool to assess the likelihood and severity of risk that a venture may have. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Risk appetite is important for a business venture to consider, both when creating its business structure and during ongoing operations. Table 13.1 shows an overview of the considerations a business venture should entertain in both its creation and operation.

Risk Appetite25
Risk Item Consideration
Existing risk profile Current level and distribution of risks across the business and across risk categories
Risk capacity Amount of risk the business can support while pursuing its objectives
Risk tolerance Amount of variation the business can tolerate while pursuing its objectives
Risk attitude Management’s attitudes toward growth, risk, and return
Table 13.1 COSO’s Enterprise Risk Management, Understanding and Communicating Risk Appetite outlines these considerations for assessing a business’s appetite for risk.

This is the basic approach to evaluating a new venture’s appetite for risk. Determining and understanding the risks facing a new venture should start during the preparation of the business venture’s written business plan and should continue through the operations of the venture.

Legal Risk and Protection

Business operations of any sort need to follow business regulations and laws. The failure to follow business regulations may lead to fines, lawsuits, or even criminal penalties. Legal risk stems primarily from a breach of contract and/or the commission of a tort. Common examples of this type of risk includes product liability lawsuits. These lawsuits are frequently very expensive class action lawsuits or regulatory investigations of dangerous products. There are many famous case examples including automobiles, asbestos, pharmaceutical drugs, breast implants, and airplanes.

Other lawsuits stem from contracts, including borrowing money from a bank. The business has an obligation to pay it back, or it breaches a covenant within a contract. Other common types of contracts are those used in selling services and products, leasing real estate, and other similar contractual obligations.

Due to liability risks, business owners and investors are always looking for ways to limit their personal liability. Incorporation is a standard risk protection strategy for this potential problem, as are the use of other types of limited liability structures such as LLCs. This is one of the main advantages of properly operated corporations and LLCs, which allow for limited personal liability of owners and investors. Partners in GPs and sole proprietors are personally liable for all of the debts of the business, even beyond their own investment in the business.

However, a particular challenge for small business entrepreneurs is that even when they form a corporation or LLC, many lenders, landlords, and other entities providing credit to a small business circumvent the limited liability protection by requiring owners and investors to personally guarantee the debts of the business operations. This means that the owner who personally guarantees the credit will have to pay back the obligation if the business cannot. An owner can obtain insurance or borrow money for such guarantees. LLCs and corporations do protect their owners, shareholders, and members from a number of different tort claims, such as personal injury lawsuits and claims made directly against the organization.

Financial Risk and Protection

An entrepreneur needs money to launch a business, whether that comes in the form of loans from family, their own savings, or investors. The founder will be expected to put their own money at risk, whether in the form of a loan to their own business or equity in their own business. If they do not have any “skin in the game,” then others will not be interested in loaning them money. This means that if the business fails, it will have repercussions for the owner, even if they operate as a corporation or LLC. This is the essence of financial risk: starting a new business with insufficient funds to sustain operations over an extended period of time.

Any new business owner needs to have a sound financial strategy as a part of the overall business plan. This should show income projections, the liquid assets that will be required to break even, and the expected return on investment for all investors in the first five-to-ten-year timeframe. Failure to accurately plan could mean that the entrepreneur risks business closure and bankruptcy, and investors get nothing.

Insurance Protection

Risk management and protection are enhanced with the purchase of different types of insurance, which involves spreading risk over a large number of people (policyholders). If a company is a corporation, it may need directors’ and officers’ liability insurance to indemnify the directors and officers if they get sued. Another insurance policy many companies get is called errors and omissions insurance, and this insurance coverage protects employees in negligence claims and cases if employee theft. Other types of insurance policies that most businesses carry include automobile insurance, health insurance, property insurance, and cyber/data breach insurance. Insurance coverage for a business venture needs to be specific to the business structure and its operations. Keep in mind that not all risks can be insured against—for example, a bad economy that leads to a loss of business or a bad decision by the owner to enter a market that does not work out.

Information Technology/Cybersecurity for Small Businesses

According to the SBA, the risk of hacking, ransomware, and customer privacy are equally as significant for most small businesses as for larger ones. The SBA has set guidelines related to cybersecurity for entrepreneurs. The SBA recommends the ten-step action plan shown in Table 13.2.

Small Business Administration Recommendations for Cybersecurity26
Step Action
1 Protect against viruses, spyware, and other malicious code
2 Secure your networks
3 Establish security practices and policies to protect sensitive information
4 Educate employees about cyber threats and hold them accountable
5 Require employees to use strong passwords and change them often
6 Employ best practices on payment cards
7 Make backup copies of important business data and information
8 Control physical access to computers and network components
9 Create a mobile device action plan
10 Protect all pages on your public-facing websites and apps, not just the checkout and sign-up pages
Table 13.2

The Federal Communications Commission joins the SBA in the preceding recommendations. For more information, see the following website:

What Can You Do?

Managing Payment Data

If you operate a small business, are you prepared to deal with hackers who break into your website and steal credit card data from consumers who bought your products online? Small businesses running an e-commerce site must comply with the Payment Card Industry Data Security Standard ( This is a regulation that could cause severe legal risk for entrepreneurs if your system is compromised, and credit card data are stolen. Consumers rightfully expect and demand a safe online experience when they visit your site. Have you paid an expert to evaluate your system and install the best security system? It may be costly, but perhaps not as expensive as the damages you could be ordered to pay by a court if credit card data are hacked.


  • 25Rittenberg, Larry and Frank Martens. “Committee of Sponsoring Organizations of the Treadway Commission (COSO)”. Enterprise Risk Management, Understanding and Communicating Risk Appetite. January 2012.
  • 26Rebecca Martin. “Protecting Assets from Cyber Threats.” News Tribune. November 7, 2016.
Order a print copy

As an Amazon Associate we earn from qualifying purchases.


This book may not be used in the training of large language models or otherwise be ingested into large language models or generative AI offerings without OpenStax's permission.

Want to cite, share, or modify this book? This book uses the Creative Commons Attribution License and you must attribute OpenStax.

Attribution information
  • If you are redistributing all or part of this book in a print format, then you must include on every physical page the following attribution:
    Access for free at
  • If you are redistributing all or part of this book in a digital format, then you must include on every digital page view the following attribution:
    Access for free at
Citation information

© Jan 4, 2024 OpenStax. Textbook content produced by OpenStax is licensed under a Creative Commons Attribution License . The OpenStax name, OpenStax logo, OpenStax book covers, OpenStax CNX name, and OpenStax CNX logo are not subject to the Creative Commons license and may not be reproduced without the prior and express written consent of Rice University.