Chapter 10: Understanding Risk in Small Business

Last updated
Save as PDF

Page ID: 163068

Gracie McDonough
College of Southern Nevada

$ \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } $

$ \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} $

$ \newcommand{\dsum}{\displaystyle\sum\limits} $

$ \newcommand{\dint}{\displaystyle\int\limits} $

$ \newcommand{\dlim}{\displaystyle\lim\limits} $

$ \newcommand{\id}{\mathrm{id}}$ $ \newcommand{\Span}{\mathrm{span}}$

( \newcommand{\kernel}{\mathrm{null}\,}\) $ \newcommand{\range}{\mathrm{range}\,}$

$ \newcommand{\RealPart}{\mathrm{Re}}$ $ \newcommand{\ImaginaryPart}{\mathrm{Im}}$

$ \newcommand{\Argument}{\mathrm{Arg}}$ $ \newcommand{\norm}[1]{\| #1 \|}$

$ \newcommand{\inner}[2]{\langle #1, #2 \rangle}$

$ \newcommand{\Span}{\mathrm{span}}$

$ \newcommand{\id}{\mathrm{id}}$

$ \newcommand{\Span}{\mathrm{span}}$

$ \newcommand{\kernel}{\mathrm{null}\,}$

$ \newcommand{\range}{\mathrm{range}\,}$

$ \newcommand{\RealPart}{\mathrm{Re}}$

$ \newcommand{\ImaginaryPart}{\mathrm{Im}}$

$ \newcommand{\Argument}{\mathrm{Arg}}$

$ \newcommand{\norm}[1]{\| #1 \|}$

$ \newcommand{\inner}[2]{\langle #1, #2 \rangle}$

$ \newcommand{\Span}{\mathrm{span}}$ $ \newcommand{\AA}{\unicode[.8,0]{x212B}}$

$ \newcommand{\vectorA}[1]{\vec{#1}} % arrow$

$ \newcommand{\vectorAt}[1]{\vec{\text{#1}}} % arrow$

$ \newcommand{\vectorB}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } $

$ \newcommand{\vectorC}[1]{\textbf{#1}} $

$ \newcommand{\vectorD}[1]{\overrightarrow{#1}} $

$ \newcommand{\vectorDt}[1]{\overrightarrow{\text{#1}}} $

$ \newcommand{\vectE}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash{\mathbf {#1}}}} $

$ \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } $

$\newcommand{\longvect}{\overrightarrow}$

$ \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} $

$\newcommand{\avec}{\mathbf a}$ $\newcommand{\bvec}{\mathbf b}$ $\newcommand{\cvec}{\mathbf c}$ $\newcommand{\dvec}{\mathbf d}$ $\newcommand{\dtil}{\widetilde{\mathbf d}}$ $\newcommand{\evec}{\mathbf e}$ $\newcommand{\fvec}{\mathbf f}$ $\newcommand{\nvec}{\mathbf n}$ $\newcommand{\pvec}{\mathbf p}$ $\newcommand{\qvec}{\mathbf q}$ $\newcommand{\svec}{\mathbf s}$ $\newcommand{\tvec}{\mathbf t}$ $\newcommand{\uvec}{\mathbf u}$ $\newcommand{\vvec}{\mathbf v}$ $\newcommand{\wvec}{\mathbf w}$ $\newcommand{\xvec}{\mathbf x}$ $\newcommand{\yvec}{\mathbf y}$ $\newcommand{\zvec}{\mathbf z}$ $\newcommand{\rvec}{\mathbf r}$ $\newcommand{\mvec}{\mathbf m}$ $\newcommand{\zerovec}{\mathbf 0}$ $\newcommand{\onevec}{\mathbf 1}$ $\newcommand{\real}{\mathbb R}$ $\newcommand{\twovec}[2]{\left[\begin{array}{r}#1 \\ #2 \end{array}\right]}$ $\newcommand{\ctwovec}[2]{\left[\begin{array}{c}#1 \\ #2 \end{array}\right]}$ $\newcommand{\threevec}[3]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \end{array}\right]}$ $\newcommand{\cthreevec}[3]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \end{array}\right]}$ $\newcommand{\fourvec}[4]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$ $\newcommand{\cfourvec}[4]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$ $\newcommand{\fivevec}[5]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$ $\newcommand{\cfivevec}[5]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$ $\newcommand{\mattwo}[4]{\left[\begin{array}{rr}#1 \amp #2 \\ #3 \amp #4 \\ \end{array}\right]}$ $\newcommand{\laspan}[1]{\text{Span}\{#1\}}$ $\newcommand{\bcal}{\cal B}$ $\newcommand{\ccal}{\cal C}$ $\newcommand{\scal}{\cal S}$ $\newcommand{\wcal}{\cal W}$ $\newcommand{\ecal}{\cal E}$ $\newcommand{\coords}[2]{\left\{#1\right\}_{#2}}$ $\newcommand{\gray}[1]{\color{gray}{#1}}$ $\newcommand{\lgray}[1]{\color{lightgray}{#1}}$ $\newcommand{\rank}{\operatorname{rank}}$ $\newcommand{\row}{\text{Row}}$ $\newcommand{\col}{\text{Col}}$ $\renewcommand{\row}{\text{Row}}$ $\newcommand{\nul}{\text{Nul}}$ $\newcommand{\var}{\text{Var}}$ $\newcommand{\corr}{\text{corr}}$ $\newcommand{\len}[1]{\left|#1\right|}$ $\newcommand{\bbar}{\overline{\bvec}}$ $\newcommand{\bhat}{\widehat{\bvec}}$ $\newcommand{\bperp}{\bvec^\perp}$ $\newcommand{\xhat}{\widehat{\xvec}}$ $\newcommand{\vhat}{\widehat{\vvec}}$ $\newcommand{\uhat}{\widehat{\uvec}}$ $\newcommand{\what}{\widehat{\wvec}}$ $\newcommand{\Sighat}{\widehat{\Sigma}}$ $\newcommand{\lt}{<}$ $\newcommand{\gt}{>}$ $\newcommand{\amp}{&}$ $\definecolor{fillinmathshade}{gray}{0.9}$

Chapter 10

Woman holding a welcome sign

Learning Objectives

After completing this chapter, you will be able to: Define risk and explain why it is a natural part of small business ownership. Identify and describe the major categories of risk that small businesses face. Use a risk assessment matrix to evaluate and prioritize business risks. Describe the four core risk management strategies available to small business owners. Explain the role of insurance and business continuity planning in managing risk.

Starting a business is one of the most exciting decisions a person can make. It is also one of the most uncertain. No matter how strong your idea, how thorough your business plan, or how passionate your commitment, you will face risks. Equipment breaks down. Customers do not always show up. Suppliers miss deadlines. Economic conditions shift. A storm damages your storefront. A key employee resigns the week before your busiest season.

None of this means you should not start a business. It means you should start a business prepared. Risk is not the enemy of small business ownership. Unmanaged risk is. The small business owners who thrive over the long term are not the ones who avoid risk. They are the ones who understand it, plan for it, and make thoughtful decisions about how to respond to it.

This chapter introduces the concept of risk as it applies to small business ownership. You will learn what risk is, how to categorize it, how to assess which risks deserve your greatest attention, and what strategies you can use to protect your business. By the time you finish, risk will feel less like an abstract threat and more like a manageable part of running a business well.

In everyday conversation, the word “risk” often carries a negative connotation, as something to fear or avoid. In business, the concept is more nuanced. Risk is defined as the possibility that an event or decision will result in an outcome different from what was expected, which can mean something worse, but also something better than planned.

The U.S. Small Business Administration (SBA) recognizes that risks do not come only from threats like natural disasters or economic downturns. Risks can also arise from opportunities. Deciding to expand your business, launch a new product, or enter a new market. These are exciting growth moves, and each one carries real risk if not handled carefully (SBA, 2024b).

Understanding this distinction matters for small business owners. If you define risk only as “bad things that might happen,” you will focus all your attention on avoiding loss while potentially missing important opportunities. If you understand risk as “uncertainty in outcomes,” you can make smarter decisions both about what to protect and what to pursue.

Risk Tolerance

Every business owner brings a different level of risk tolerance, which is the degree of uncertainty or potential loss that a person is willing to accept in pursuit of a goal. Risk tolerance is shaped by financial circumstances, personality, experience, industry, and life stage. A single business owner in their twenties with low overhead may be willing to tolerate more risk than someone supporting a family with a mortgage and employees who depend on them.

There is no “correct” risk tolerance. What matters is that you know your own. Business decisions that exceed your risk tolerance will keep you up at night. Decisions that fall well below it may cause you to be overly cautious and miss real opportunities. Self-awareness about your comfort with uncertainty is one of the most useful assets a business owner can have.

Risk Is Not Optional

One thing is certain: you cannot eliminate risk from business. The FDIC’s Money Smart for Small Business program puts it plainly: risk is present in every business decision, from pricing to hiring to the lease you sign. The goal of risk management is not to eliminate all risk; that is impossible. The goal is to identify the risks that matter most, decide how to respond to them proactively, and reduce your exposure to the ones that could threaten the survival of your business (FDIC & SBA, 2022).

Key Takeaways

Risk is the possibility that an event or decision leads to an outcome different from what was expected. Outcomes can be negative or positive. Risk tolerance refers to the level of uncertainty a business owner is willing to accept. It varies by person and situation. Risk cannot be eliminated, but it can be identified, assessed, and managed. Opportunities as well as threats carry risk. Smart owners plan for both.

Not all risks are the same, and they do not come from the same places. Some threats originate inside your business, from your people, your processes, or your finances. Others come from the external environment, where you have little or no control. Learning to categorize risk helps you think systematically about your vulnerabilities rather than trying to keep a vague mental list of “things that could go wrong.”

The SBA identifies two broad categories, internal and external risks, and most risk frameworks for small businesses further organize these into several specific types (SBA, 2024a; FDIC & SBA, 2022). The following are the categories most relevant to small business owners.

Strategic Risk

Strategic risk arises from decisions about the direction of the business: your market, your competition, your product or service offering, and your long-term goals. Poor strategic decisions can put the entire business at risk even when day-to-day operations are running smoothly.

Example: When the City of Las Vegas raised street parking rates in the Las Vegas Arts District from $2 to $4 per hour in October 2025, small business owners reported an immediate drop in customer traffic. Becky Miller, owner of Main Street Mercantile, stated that her business was already seeing a downturn in its bottom line. Jeff Hwang, owner of Taverna Costera, pointed to several nearby businesses that had closed or changed hands. The Arts District Neighborhood Association called the impact “disproportionate and negative” on the small businesses that anchor the neighborhood (Las Vegas Weekly, 2026).

Financial Risk

Financial risk involves the possibility of monetary loss due to cash flow problems, credit issues, debt, or poor financial management. Financial risk can be existential for small businesses, which often operate with thin margins and limited reserves.

Common sources of financial risk include slow-paying customers, unexpected expenses, over-reliance on a single client or revenue stream, and taking on too much debt. Cash flow problems are one of the leading causes of small business failure; not because the business was not profitable on paper, but because money was not available when bills came due.

Example: The Sphere at Venetian opened in 2023 as one of the most technologically advanced entertainment venues ever built, at a cost of $2.3 billion. Despite its popularity and cultural impact, Sphere Entertainment reported an operating loss of $480 million in its first fiscal year and was carrying $1.5 billion in debt as of early 2025. The venture illustrates a fundamental financial risk: even a high-profile, innovative business can face serious financial strain when construction costs, debt obligations, and operating expenses outpace revenue, regardless of how impressive the product is (KTNV Las Vegas, 2024).

Operational Risk

Operational risk refers to disruptions to the day-to-day processes of the business. These can stem from equipment failures, supply chain disruptions, employee errors, or the sudden loss of a key person. Operational risks are often unpredictable in timing but highly predictable in type. Almost every small business will experience them.

Example: In February 2026, Chet Buchanan departed 98.5 KLUC after 27 years as the station’s morning host. Buchanan was the face of the station’s annual toy drive, which had raised $60 million over 25 years, and was deeply woven into KLUC’s identity and community presence. The station acknowledged his departure with gratitude but had no immediate succession plan in place. Whether a key employee retires, resigns, or simply moves on, the operational risk is the same: when a business depends heavily on one person and has no plan for their departure, that person’s exit creates a significant gap that can be difficult and slow to fill (FOX5 Las Vegas, 2026).

Compliance and Legal Risk

Compliance risk is the risk of penalties, lawsuits, or reputational damage that result from failing to follow laws, regulations, or contractual obligations. For small businesses, compliance obligations may include tax requirements, employment law, licensing, health and safety regulations, environmental standards, and industry-specific rules.

“Federal, state, and local laws are constantly changing, but you must stay up to date so you can remain compliant,” notes the SBA (2024a). Non-compliance can result in fines, forced shutdowns, and lawsuits that drain resources and damage the business’s reputation.

Example: In January 2026, Aloha Specialties, a nearly 40-year-old Hawaiian restaurant in downtown Las Vegas’s California Hotel, was immediately shut down by the Southern Nevada Health District following a routine inspection that found 31 health code violations, including pest control failures, improper handwashing practices, and unsanitary food contact surfaces. The restaurant was forced to close for a week before passing reinspection. Even a long-established business with decades of community loyalty is not exempt from compliance risk; a single failed inspection can shut the doors without warning (Las Vegas Review-Journal, 2026).

Reputational Risk

Reputational risk is the threat of damage to how your business is perceived by customers, partners, and the community. In the age of online reviews and social media, reputational damage can spread quickly and be difficult to reverse.

Reputational risk can arise from a product defect, a customer service failure, an employee’s public behavior, or even being associated with a supplier that behaves badly. The best defense is building a strong culture of quality and service from the start, so that when something goes wrong (and something will), you have a solid foundation to recover from.

Example: In early 2025, FOX5 Las Vegas reported that multiple Las Vegas Valley restaurants received threatening emails from international scammers, warning that 100 fake one-star reviews would be posted on Google, Yelp, and Facebook unless the businesses paid ransoms ranging from $75 to thousands of dollars. Three local restaurants confirmed receiving the threats and an influx of AI-generated negative reviews from newly created accounts. While Yelp flagged and removed many posts, the incident highlighted how quickly and easily a small business’s online reputation can come under attack through no fault of its own (FOX5 Las Vegas, 2025).

Cybersecurity Risk

Cybersecurity risk has become one of the most pressing concerns for businesses of all sizes. Small businesses are frequent targets of cyberattacks because they often lack the security infrastructure of larger companies. Ransomware attacks, phishing scams, and data breaches can compromise customer data, disrupt operations, and result in significant financial losses.

The SBA recommends checking computer security regularly and staying vigilant against digital threats that can “damage your data and cost you a lot of money to repair” (SBA, 2024a). Practical steps include using strong passwords, regularly updating software, backing up data, and training employees to recognize phishing attempts.

Example: In September 2023, hackers targeted MGM Resorts International using a social engineering attack, specifically a phone call impersonating an employee, to gain access to MGM’s systems across multiple Las Vegas properties. Slot machines, digital room keys, reservation systems, and hotel websites were taken offline for nearly ten days. MGM reported losses of approximately $100 million in the third quarter of 2023. While MGM is a large corporation, UNLV cybersecurity professor Gregory Moody noted that the attack should serve as a warning for all Las Vegas businesses: “It’s not a matter of if you’re going to get hit, but when” (Las Vegas Weekly, 2023).

External and Environmental Risk

External risks originate outside the business and are largely beyond your control. They include natural disasters, economic downturns, changes in interest rates, supply chain disruptions, shifts in consumer behavior, and new competitors entering the market. While you cannot prevent these events, you can prepare for them.

Example: In 2025, Las Vegas small businesses reported a significant drop in foot traffic as tourism declined. A Las Vegas pizza shop owner told reporters his business was struggling as fewer visitors meant less spending in neighborhood establishments. The Nevada Retail Association reported a notable increase in customers using buy-now-pay-later programs even for basic purchases, signaling broader financial strain among consumers. For small businesses in a tourism-dependent economy like Las Vegas, external forces such as shifting visitor patterns or broader economic conditions can directly affect revenue with little warning and no local remedy (FOX5 Las Vegas, 2025).

Types of risks facing small businesses

	Risks from decisions about direction, market, or competition	Investing in a technology that becomes obsolete
	Cash flow problems, debt, credit issues, or revenue loss	Customers delay payment, causing inability to meet payroll
	Disruptions to daily business processes	Key employee resigns during your busiest season
	Penalties for failing to follow laws or regulations	Fine for unlicensed contractor work on a renovation project
	Damage to public perception of your business	Negative reviews spread rapidly after a product defect
	Digital threats to data, systems, or operations	Ransomware attack locks access to customer records
	Events outside your control that affect business	Flood damages storefront inventory and forces temporary closure

Key Takeaways

Risk can be internal (within your control) or external (largely outside your control). The major categories of business risk are: strategic, financial, operational, compliance/legal, reputational, cybersecurity, and external/environmental. Most small businesses will encounter multiple types of risk simultaneously. Identifying them by category helps you plan targeted responses. Cybersecurity and reputational risk have become especially significant in today’s digital business environment.

Think about it

You just read about seven types of risk that small businesses face: strategic, financial, operational, compliance/legal, reputational, cybersecurity, and external/environmental. Think about the business you are developing in this course. Choose three of the seven categories and describe one specific risk your business could face in each. Which of the three concerns you most, and why?

Knowing the categories of risk is a start. But in practice, small business owners face a long list of potential risks and limited time and resources to address all of them. This is where risk assessment becomes essential. Risk assessment is the process of identifying your specific risks, evaluating their potential impact and likelihood, and prioritizing which ones to address first.

The FDIC’s Money Smart for Small Business curriculum describes this process clearly: begin by listing events or resources that could impact your continued operations and cash flow, then measure each risk by how it would affect those operations if it occurred (FDIC & SBA, 2022). The goal is to move from a vague sense of worry to a specific, prioritized list you can act on.

Step 1: Identify Your Risks

Start by brainstorming all the risks your specific business might face. Use the categories from the previous section as a guide. Be honest. This is not the time for optimism. Think about what could go wrong with your suppliers, your equipment, your staff, your finances, your customers, your technology, and your physical location.

The SBA recommends reviewing your business plan as part of this process and looking carefully at “anything that could halt, slow, or affect the profit of your business” (SBA, 2024a). A practical way to get started is to ask yourself a few pointed questions about your own business:

What would happen if my top supplier could not deliver?

What if a key employee left tomorrow?

What if my revenue dropped by 30% for three months?

What physical, digital, or legal vulnerabilities does my business have?

What external events, such as weather, economic shifts, or new competitors, could disrupt my operations?

Step 2: Evaluate Likelihood and Impact

Once you have a list of risks, evaluate each one along two dimensions:

Likelihood: How probable is it that this risk will actually occur? Consider whether it has happened before in your industry, what conditions might trigger it, and whether warning signs exist.

Impact: If this risk occurs, how severely would it affect your business? Consider financial loss, operational disruption, damage to customer relationships, and time needed to recover.

Both dimensions matter. A risk that is highly likely but low impact may be less urgent than a risk that is less likely but could be catastrophic. Thinking through both factors keeps you from wasting energy on minor inconveniences while leaving major threats unaddressed.

Step 3: Use a Risk Matrix to Prioritize

A risk matrix is a simple visual tool that plots your risks on a grid based on likelihood and impact. It helps you see at a glance which risks deserve immediate attention (high likelihood + high impact), which can be monitored (lower on one dimension), and which are minor enough to accept without active intervention.

The matrix below uses a 3x3 format, an ideal size for small businesses. Each cell is color-coded: red cells represent high-priority risks that require immediate action; yellow cells represent moderate risks that should be monitored and addressed; green cells represent lower-priority risks that can be accepted or managed with minimal intervention.

Risk assessment matrix

Monitor and manage actively.	Immediate action required. Prioritize resources here.	Top priority. Develop immediate mitigation plan.
Accept or monitor with periodic check-ins.	Plan a mitigation response.	Develop contingency plan and monitor closely.
Acknowledge and accept.	Note and revisit periodically.	Prepare a response plan even if unlikely.

Think about it

Imagine you own a small catering company. You have identified four risks: A key employee quits without notice. (Likelihood: High \| Impact: High) → CRITICAL RISK Your refrigerated delivery van breaks down. (Likelihood: Medium \| Impact: High) → HIGH RISK A supplier raises prices. (Likelihood: High \| Impact: Moderate) → MODERATE RISK Your website goes down for a few hours. (Likelihood: Low \| Impact: Low) → LOW RISK This exercise tells you where to spend your time and money. Cross-training employees and building relationships with backup staffing agencies addresses Risk #1. A vehicle maintenance schedule and roadside coverage addresses Risk #2. These rise to the top because they could threaten the business’s ability to fulfill contracts.

Key Takeaways

Risk assessment is the process of identifying, evaluating, and prioritizing risks based on their likelihood and potential impact. A risk matrix is a simple but powerful tool that helps small business owners visualize which risks need immediate attention versus which can be monitored over time. Not all risks are equally urgent. Focus first on risks that are both highly likely and highly impactful. Asking pointed “what if” questions about your own business is a practical first step toward identifying risks you might not otherwise consider.

Once you have identified and prioritized your risks, the next step is deciding what to do about them. Risk management is the ongoing process of making decisions about how to handle identified risks. There is no single strategy that works for every risk; effective risk management means matching the right strategy to each specific situation.

Four core strategies form the foundation of small business risk management: avoidance, reduction, transfer, and acceptance. In practice, most businesses use a combination of all four.

Strategy 1: Risk Avoidance

Risk avoidance means choosing not to engage in an activity or decision that would expose the business to a particular risk. This is the most straightforward strategy, but it is also the most limiting. If you avoid every risk, you will never take the steps required to grow.

Avoidance is most appropriate when the potential downside far outweighs any possible benefit, or when you lack the resources to manage a risk responsibly.

Example: A Las Vegas wedding photographer with a strong reputation for portrait and ceremony work is approached to provide full audiovisual production services for a 400-person corporate event at the Las Vegas Convention Center. The contract is lucrative, but it would require equipment she does not own, vendors she has never worked with, and deliverables she has no experience producing. She declines. The Las Vegas events industry creates constant opportunities to take on work beyond your current capacity, but the reputational and financial risk of failing to deliver in a market built on referrals and reviews is too high. Choosing not to pursue this contract is risk avoidance: the potential downside significantly outweighs the benefit given her current resources and expertise.

Strategy 2: Risk Reduction

Risk reduction (also called risk mitigation) involves taking steps to decrease either the likelihood of a risk occurring or the severity of its impact if it does occur. This is the most active and proactive of the four strategies.

The SBA recommends a range of best practices for risk reduction, including hiring carefully, training employees well, maintaining safe and well-functioning facilities, keeping software and security systems updated, and staying current with regulatory requirements (SBA, 2024a). Each of these actions directly reduces either the probability or the potential impact of a specific risk.

Other reduction strategies include: diversifying your customer base so no single client represents more than between 20 and 25 percent of revenue, maintaining an emergency fund, cross-training employees so the business can function if someone is absent, and developing a business continuity plan, a written plan describing how your business will continue to operate during and after a disruptive event.

Example: A small restaurant near the Las Vegas Strip knows from experience that the annual Formula 1 Grand Prix weekend will significantly reduce foot traffic and customer access for several weeks. Rather than being caught off guard, the owner proactively reduces inventory orders ahead of race week, schedules fewer staff shifts, and arranges vacation time for employees during the slowest days. Each step reduces the financial impact of a risk the owner cannot eliminate but can prepare for. This is risk reduction: taking deliberate action to lower the severity of a known, recurring risk.

Strategy 3: Risk Transfer

Risk transfer means shifting some or all of the financial consequences of a risk to another party. The most common mechanism for risk transfer is insurance. By paying a premium, the business owner transfers the risk of a large financial loss to an insurance company. Other forms of risk transfer include contracts that shift liability to suppliers, outsourcing functions that carry risk, and forming business entities (like an LLC or corporation) that separate personal assets from business liabilities.

Insurance: A closer look

Insurance is one of the most important risk transfer tools available to small business owners. The SBA identifies several types of coverage that small businesses should understand (SBA, 2024a): Business Owner’s Policy (BOP): A bundled policy that provides property protection and liability coverage. It may also cover employee theft and certain other events. Often the best value for small businesses. Professional Liability Coverage: Protects service providers (accountants, consultants, designers, contractors) from client claims of mistakes, negligence, or incomplete work. Also known as errors and omissions (E&O) insurance. Business Interruption Policy: Provides funds to cover fixed costs and potentially lost profits when an event, such as a fire or natural disaster, forces you to temporarily shut down operations. Workers’ Compensation Insurance: Covers medical costs and lost wages when an employee suffers a work-related injury or illness. Required by law in most states. Employer Practices Liability Insurance (EPLI): Covers claims by current and former employees alleging discrimination, wrongful termination, harassment, or similar workplace violations.

Choosing the right insurance requires understanding your specific industry, location, and operations. Consulting with a licensed insurance professional who works with small businesses is strongly recommended. The right coverage can mean the difference between recovering from a setback and being forced to close permanently.

Example: A Henderson boutique owner carries a Business Owner’s Policy that includes commercial property and business interruption coverage. When a summer flash flood damages her storefront and forces a two-week closure, the insurance policy covers both the cost of repairs and the revenue lost during the closure. Without that coverage, both losses would have come directly out of her own pocket. This is risk transfer: by paying a regular premium, she shifted the financial consequences of an unpredictable event to the insurance company rather than absorbing them personally.

Man and woman working together at a table

Strategy 4: Risk Acceptance

Risk acceptance means acknowledging a risk and deciding to proceed without additional mitigation, typically because the cost of addressing it outweighs the potential downside, or because the risk is low enough that it does not justify significant resources.

Acceptance is a legitimate strategy, but it must be conscious. There is a significant difference between accepting a risk after careful analysis and simply ignoring it. The FDIC notes that business owners must be honest in reviewing their business for risk and should know the warning signs (FDIC & SBA, 2022). Risk acceptance paired with ongoing monitoring is responsible. Risk acceptance through obliviousness is not.

Example: A food truck owner operating in the Las Vegas valley knows that extreme summer heat will slow business significantly for six to eight weeks each year. After reviewing her finances, she determines the revenue dip is predictable and manageable. Rather than spending money on mitigation strategies that would cost more than the losses themselves, she builds the slow season into her annual cash flow plan and sets aside reserves during busier months to cover fixed costs. She monitors the dip each summer but takes no additional action. This is risk acceptance: a conscious, informed decision to absorb a known risk because the cost of addressing it exceeds its impact.

The four core risk management strategies

Choose not to engage in the risky activity	Downside far outweighs any benefit	Decline a contract outside your expertise
Take steps to lower likelihood or impact	Risk is worth taking but can be made safer	Cross-train employees; maintain equipment
Shift the financial impact to another party	Cost of insurance is less than potential loss	Purchase a Business Owner's Policy (BOP)
Acknowledge the risk and proceed without additional action	Risk is low priority and cost to address is high	Accept minor website downtime risk without backup server

Business Continuity Planning

A business continuity plan (BCP) is a documented plan that describes how your business will continue operating during and after a disruptive event, whether that is a natural disaster, a cyberattack, the sudden loss of a key employee, or any other serious disruption. The FDIC emphasizes that “a business continuity plan should be part of your overall business plan” (FDIC & SBA, 2022).

A basic continuity plan addresses several key questions:

What are our most critical business functions, those that if interrupted would most harm the business?

What is our plan to maintain or quickly restore those functions if disrupted?

Who is responsible for executing the plan, and does everyone know their role?

Where are our key records, and how will we access them if our primary location is unavailable?

How will we communicate with employees, customers, and suppliers during a disruption?

You do not need a lengthy document to have a useful continuity plan. A clear one-to-two page summary that addresses these questions, reviewed and updated annually, can make the difference between a recoverable setback and a business-ending crisis.

Key Takeaways

The four core risk management strategies are avoidance, reduction, transfer, and acceptance. Insurance is a primary risk transfer mechanism. Key coverage types include Business Owner’s Policy, professional liability, business interruption, and workers’ compensation. Risk reduction strategies include maintaining an emergency fund, diversifying revenue, cross-training employees, and building strong vendor relationships. Risk acceptance is legitimate, but it must be deliberate, not accidental. A business continuity plan describes how your business will survive and recover from a serious disruption. Every business should have one.

Watch and reflect

Source: The Learning Studio \| YouTube \| Under 3 minutes Link: YouTube This short video uses concrete, relatable examples, including a bicycle rider, an ice cream shop owner whose summer is ruined by rain, and a school picnic planner, to explain what risk management is and why it matters. It also walks through five steps for managing risk in any situation. As you watch, connect what you see to the concepts covered in this chapter. After watching, consider the following reflection questions: The video uses a bicycle rider and an ice cream shop owner to explain risk management. Choose one of those examples and explain, in your own words, how it illustrates the definition of risk management from this chapter. What specific risks does the example identify, and what responses does it suggest? The video outlines five steps of risk management: identify, analyze, evaluate, treat, and monitor. Look back at Section 10.3 of this chapter, which covers risk assessment. How do the video’s five steps connect to what you read? Are there any steps the video covers that the chapter addresses differently or in more depth? The video ends with Benjamin Franklin’s quote: “By failing to prepare, you are preparing to fail.” Apply that idea to the business you are developing in this course. Using the five steps from the video, walk through at least one risk your business faces: what it is, how serious it is, and what you would do about it.

Check Your Understanding

Use the following questions to test your comprehension of this chapter.

In your own words, explain the difference between risk tolerance and risk management. Why does it matter that a business owner understands both?

Review the seven types of business risk described in this chapter. For the business idea you are developing, identify at least one specific risk that falls into each type. Which risk concerns you most, and why?

Plot three of your identified risks on the risk matrix (Figure 10.2). Based on their placement, which risk management strategy (avoidance, reduction, transfer, or acceptance) would be most appropriate for each? Explain your reasoning.

Risk acceptance must be conscious rather than accidental, a deliberate decision to absorb a risk, not simply ignoring it. What does this distinction mean in practice? Can you think of an example where a small business owner might be unknowingly accepting a serious risk?

What is a business continuity plan, and why does the FDIC suggest it should be part of a business plan from the start? Think about a real business in your community. What disruption event would threaten that business most, and what would a basic continuity plan for that event look like?

Key Terms

Business continuity plan — A documented plan describing how a business will continue operating during and after a disruptive event, such as a natural disaster, cyberattack, or the sudden loss of a key employee.

Compliance risk — The risk of penalties, lawsuits, or reputational damage resulting from failing to follow laws, regulations, or contractual obligations.

Cybersecurity risk — The threat of digital attacks such as ransomware, phishing scams, and data breaches that can compromise customer data, disrupt operations, and result in significant financial losses.

External risks — Risks that originate outside the business and are largely beyond the owner’s control, including natural disasters, economic downturns, supply chain disruptions, and shifts in consumer behavior.

Financial risk — The possibility of monetary loss due to cash flow problems, credit issues, debt, or poor financial management.

Impact — The severity of harm a risk would cause to the business if it occurred, considering financial loss, operational disruption, damage to customer relationships, and recovery time.

Insurance — A risk transfer mechanism through which a business owner pays a premium to shift the financial consequences of a potential loss to an insurance company.

Likelihood — The probability that a specific risk will actually occur, based on factors such as industry history, triggering conditions, and warning signs.

Operational risk — The risk of disruptions to the day-to-day processes of a business, stemming from equipment failures, supply chain disruptions, employee errors, or the sudden loss of a key person.

Reputational risk — The threat of damage to how a business is perceived by customers, partners, and the community, which can spread quickly and be difficult to reverse.

Risk — The possibility that an event or decision will result in an outcome different from what was expected, which can mean something worse or something better than planned.

Risk acceptance — A risk management strategy in which a business owner acknowledges a risk and decides to proceed without additional mitigation, typically because the cost of addressing it outweighs the potential downside.

Risk assessment — The process of identifying specific business risks, evaluating their potential impact and likelihood, and prioritizing which ones to address first.

Risk avoidance — A risk management strategy in which a business owner chooses not to engage in an activity or decision that would expose the business to a particular risk.

Risk management — The ongoing process of making decisions about how to handle identified risks by matching the appropriate strategy to each specific situation.

Risk matrix — A visual tool that plots identified risks on a grid based on likelihood and impact, helping business owners prioritize which risks require immediate attention.

Risk reduction — A risk management strategy that involves taking steps to decrease either the likelihood of a risk occurring or the severity of its impact if it does occur. Also called risk mitigation.

Risk tolerance — The degree of uncertainty or potential loss that a person is willing to accept in pursuit of a goal, shaped by financial circumstances, personality, experience, industry, and life stage.

Strategic risk — Risk that arises from decisions about the direction of a business, including choices about markets, competition, products or services, and long-term goals.

References

Federal Deposit Insurance Corporation (FDIC) & U.S. Small Business Administration (SBA). (2022). Risk management for a small business: Participant guide. Money Smart for Small Business.

FOX5 Las Vegas. (2025, April 5). Las Vegas restaurants targeted by international scammers, threatening one-star reviews.

FOX5 Las Vegas. (2025, October 13). Las Vegas small businesses struggle as tourism decline hurts foot traffic.

FOX5 Las Vegas. (2026, February 13). Radio host Chet Buchanan confirms departure from 98.5 KLUC.

KTNV Las Vegas. (2024, November 13). Sphere posts operating losses of more than $500 million in first fiscal year.

Las Vegas Review-Journal. (2026, January 21). Aloha Specialties in downtown Las Vegas reopens after health closure.

Las Vegas Weekly. (2023, October 12). After cyberattacks crippled casino companies, how vulnerable is Las Vegas?

Las Vegas Weekly. (2026, January 15). Feeding the meter: Business owners push back on paid parking in the Arts District.

U.S. Small Business Administration (SBA). (2024a). 5 best risk management strategies.

U.S. Small Business Administration (SBA). (2024b). Grow your business.