Risk Assessment

The purpose of this section of the Business plan is to show that:

  • All the risks involved in the delivery of the business plan have been identified.
  • There is a plan to address them - should they arise - that is based on an assessment of their impact on the plan.

This section of the business plan should outline the result of the risk assessment which can be developed in three steps: 

Identifying risks

All the risks associated with the project should be identified, ideally using a SWOT Analysis (Strengths Weaknesses Opportunities and Threats) or a PESTLE Analysis (Political, economic, social, technological, legal and environmental) with project stakeholders. The risks identified may include the following: 

Potential risks and impacts

Area of risk

Potential impact

Lack of planning, poor decision making

Potential for financial losses
Staff turnover/effectiveness

Poor flow of information
Risk Control, health and safety, contract risks, competition, relationships with suppliers
Poor marketing

Financial losses
Impact on service/sales
Legal action
Staff turnover/effectiveness
Delays to plans

Environmental / External
Government policy/regulation
Commitments of landowners / funders / other partners
Performance of contractors
Lack of planning, systems for disaster planning
Market changes in demand during project implementation.
Technological change

Financial losses
Staff skills

Financial assumptions in budgets and estimates are inaccurate
Timing of income assumptions is inaccurate.
Lack of financial management and control procedures

Financial losses
Cash Flow difficulties
Legal action

Legal compliance
Data protection
Race Relations
Health and Safety
Employment Law
Employee pension provision

Legal action
Fines and penalties
Action by regulator(s)

Download this table at the end of the page

Risk assessment

Once identified the risks to the proposals in the business plan can be assessed against two questions:

  • How likely is the risk?
  • What will happen if it does occur?

A simple scoring system can be used to decide which risks are the most important to address and agree plans for mitigation. Once this has been done, those which score highest (IV in the table below) should be addressed first and then all others addressed in turn. Finally you are left with those which are both unlikely and will have limited impact (I in the table) and you can develop a plan to address them should they arise.

Likelihood of Occurrence (Chance of Happening) ↑


High Likelihood
Low Severity of Impact


High Likelihood
High Severity of Impact


Low Likelihood
Low Severity of Impact


Low Likelihood
High Severity of Impact


Level of Severity of Impact →

Risk control

The risk assessment can be developed into a risk control strategy by considering whether each risk to your plans can be addressed by sharing it, avoiding it, managing it or accepting it. Ideally it should be possible to manage all of them.

For example a risk to a project may be reduced rental income due to a high turnover of small business workspace tenants.

This risk can be avoided by either hoping it will not happen or trying to pass it on to the tenants by increasing notice periods for tenancies in letting and leasing arrangements.

This risk can be managed by having excellent credit control and tenant liaison processes so that problems with payments are quickly identified and by developing active waiting lists for tenancies from good publicity and marketing.

This risk can be accepted - on the basis that small businesses have high levels of failure and that the risk is a feature of the business of providing small business workspace.

Related Resources

Potential Risks and Impacts

A table to help with risk assessment

Microsoft Office document icon Potential Risks and Impacts