Who’s Tara? And what does she have to do with risk management? 


When we don’t know the outcome of something, we have uncertainty.  However, when we can substantiate what will happen, then the risk becomes more tangible, and we can make decisions about what to do. This was how I ended a previous article about uncertainty and risk, so the question now is, what can organisations do to manage risks?

Types of risks

Before we think about risk management, let’s clarify the types of risks we are talking about. Business risk can be defined as anything that has the potential to lower an organisation’s profits or make it bankrupt. Risks to businesses can arise from any number of sources, some internal and others external, and an organisation’s ability to manage them varies. Internal risks are generally easier to do something about than external risks, which reflect uncertainty about external influences on organisations. Business risks can also be subcategorised into strategic, financial and operational risks.

Strategic risk

Strategic risks arise from the fundamental decisions made about an organisation’s objectives.  Let’s imagine I have a client, Aya, who owns a construction company.  She and another director took over the company as a management buyout ten years ago.  After the buyout, they set themselves the goal of repositioning the company in the market as a bespoke builder of properties with high environmentally friendly credentials as standard.  So, for them, strategic risks are the risks of failing to achieve this key business objective.  They have had to invest in equipment, take out bank loans to finance that and restructure the company to ensure that employees not only have the right qualifications, knowledge and experience but also that the organisation has goal congruence.  They have also had to be mindful of developments in the industry, such as improvements in insulation and advances in alternatives to traditional gas central heating.

Financial risk

Over the last few years, the company has seen significant fluctuations in demand and an upward trend in the cost of raw materials. In times of high demand, Aya has been able to pass the increases in the cost of materials on to customers. However, when business is slow, she has to balance the risk of not securing the contract with the risk of the company not making its target profit margin.

She has also had to deal with higher repayments on the company’s loans, because the Bank of England has put up interest rates in an attempt to slow the rate of inflation. Whilst this is a financial risk Aya hasn’t been able to do anything about, the company has invested in some credit control software to automatically remind customers about outstanding invoices. That has reduced the financial risks associated with both cash flow and irrecoverable debts.

Operational risk

Both strategic and financial risks can be hard to assess and mitigate as they are often influenced by external factors.  However, operational risks, those that threaten the day-to-day running of an organisation, are easier to manage.  The Chartered Institute of Management Accountants (CIMA) states that ‘operational risk relates to activities carried out within an entity, arising from structure, systems, people, products or processes.’

Aya’s company has to ensure it complies with legislation and regulations, of which there are plenty in the construction industry, to safeguard itself against litigation risks. The company has documented processes and systems to ensure the quality of both its properties and the service it provides to its customers. It takes care to manage the risks associated with its employees, as people make mistakes, usually by accident, but sometimes deliberately to damage organisations. It also has to manage cyber risks and be mindful of anything that could damage its reputation, as well as unpredictable events, which could be political, economic or physical, like extreme weather.

So where does Tara come in?

Risks can be managed in a number of ways, depending on the likelihood of them happening and the severity of the consequences or impact if they do. Often organisations use the following framework, which can be shortened to TARA, to help them manage risks:

Last time we met, Aya told me about a competitor who has been in the news recently, as an ex-employee had claimed that the company includes high-specification materials in its tenders but then actually uses lower-grade products in its builds. The ex-employee had managed to access the competitor’s computer system and copied documents as proof.

Whilst the company in question has nothing to do with Aya’s company, she is aware that reputational damage to an organisation, and the industry as a whole, can be serious and lead to other risks. Potential customers can become wary, and the probability of lost sales is high. Aya is, therefore, looking at ways her company can show evidence to its customers of its use of sustainable and ethical products to avoid its reputation being tarnished.

Aya has also decided to undertake a review of the security controls that are in place to protect the company’s information from cyber-attacks and is considering outsourcing the company’s cybersecurity as a way of transferring the risk.


Business risk affects an organisation’s bottom line. The impact can be due to strategic, financial or operational risks. Therefore, organisations have to identify, evaluate and manage risks by transferring, accepting, reducing or avoiding them, depending on their likely occurrence and consequences.

Gill Myers is a self-employed accounts consultant. She has taught AAT qualifications since 2005 and written numerous articles and e-learning resources.
