RN Schola — Training

Corporate Risk Management

Most owner-managed businesses run on risk management — they simply do it in their owner's head. You know which customer is slow to pay, which supplier could leave you stranded, which key person holds knowledge no one else has, and which deadline with the CRA you cannot afford to miss. That instinct is real, and it has carried many a British Columbia firm a long way. The trouble is that instinct does not scale, it does not transfer when the owner is away, and it tends to notice only the risks that have already bitten — not the ones quietly waiting.

Corporate risk management turns that private, intuitive judgement into something visible, shared, and repeatable. It is not about adding fear or bureaucracy; it is about making sure the handful of things that could genuinely derail your business are identified before they happen, weighed honestly, and matched to a deliberate response. This RN Schola programme teaches you how.

This programme equips owners, finance leaders, and senior managers of BC small and medium-sized enterprises to build a simple, practical enterprise risk management (ERM) process they will actually use — one that fits a company with limited time and no dedicated risk department, yet brings real discipline to identifying, assessing, and mitigating the risks that matter most.

What the programme teaches

Enterprise risk management has a reputation for being the preserve of banks and listed companies, wrapped in frameworks and jargon. We strip that away. Over the course of the programme you will learn a working method built around a few durable ideas, taught in plain English and applied to businesses the size of yours.

You will start with risk identification — the discipline of surfacing what could go wrong before it does. We work through the five categories that capture nearly everything an SME faces:

  • Financial risk — cash flow shortfalls, customer concentration, foreign-exchange exposure, rising interest costs, and covenant breaches.
  • Operational risk — key-person dependency, supply-chain disruption, equipment failure, and process breakdowns.
  • Strategic risk — losing a major customer, a competitor changing the market, or a business model quietly becoming obsolete.
  • Compliance risk — missed CRA or WorkSafeBC obligations, PST and GST errors, employment-standards breaches, and licensing lapses.
  • Cyber risk — ransomware, phishing, data breaches, and the loss of systems a modern business cannot operate without.

Naming the categories matters, because owners tend to over-focus on whatever last hurt them and under-weight everything else. A structured sweep across all five forces a fuller picture.

Next, you will learn to assess each risk rather than simply list it. The core tool is deliberately simple: score every risk on two axes — likelihood and impact — typically on a one-to-five scale, then multiply them. A risk that is almost certain (5) and severe (5) scores 25 and demands attention now; one that is unlikely (2) and minor (2) scores 4 and can be noted and left alone. This likelihood × impact score is what lets you rank a long, anxious list into a short, actionable one. We teach you how to calibrate the scales for your business so that "high impact" means something concrete — a dollar figure, a number of days down, a regulatory consequence — rather than a vague feeling.

The risk register and risk appetite

The two ideas that turn assessment into management are the risk register and risk appetite, and the programme gives you a usable template for each.

A risk register is nothing more than a living table — a spreadsheet is perfectly adequate for most SMEs — with one row per risk. Each row records the risk, its category, its likelihood and impact scores, the resulting rating, the controls already in place, the further action planned, and the person accountable for it. That last column is the one most businesses forget and the one that makes the difference: a risk without an owner is a risk no one is actually managing. The register is reviewed on a fixed cadence — quarterly works well for most BC SMEs — so it stays current rather than becoming a document written once and never opened again.

Risk appetite is the question the register cannot answer on its own: how much risk are you, the owner, actually willing to accept? Two businesses can face the identical risk and be entirely right to respond differently. A firm with a healthy cash buffer and a patient lender may accept a level of customer concentration that would keep a thinly capitalized competitor awake at night. Defining your appetite — even in plain sentences, such as "we will not let any single customer exceed 20 per cent of revenue" or "we will always hold three months of operating runway" — gives you a line. Risks that breach the line trigger action; risks that sit comfortably inside it are accepted and monitored. Without that line, every risk feels equally urgent, which means none of them get managed well.

For each material risk, the programme teaches the four standard responses, framed for practical use: avoid it (stop doing the risky thing), reduce it (add a control that lowers likelihood or impact), transfer it (insurance, or a contract clause that shifts the exposure), or accept it (consciously, because the cost of mitigation exceeds the benefit). Choosing deliberately among these four — rather than defaulting to worry — is the heart of mature risk management.

Linking risk to internal controls

A risk register that never changes behaviour is just a worry list with a spreadsheet attached. The bridge from awareness to action is internal control — the policies, approvals, segregation of duties, and reconciliations that actually reduce the likelihood or impact of a risk.

This is where risk management and the day-to-day finance function meet. A high financial-fraud risk is mitigated by separating the person who approves payments from the person who enters them. A compliance risk around sales tax is reduced by a month-end reconciliation that catches errors before they reach a return. A cyber risk is lowered by enforced multi-factor authentication and tested backups. Every meaningful entry in your register should connect to a control — existing or planned — and the programme shows you how to map the two together so that your risk work strengthens your operations rather than sitting beside them.

This is also where the work connects naturally to a formal review of your control environment. Our internal audit and control service exists precisely to test whether the controls you are relying on actually work — and the risk register you build in this programme is the ideal starting point for that conversation, because it tells an auditor exactly where to look first.

A worked BC example

Numbers make the method concrete. Consider Sea-to-Sky Cabinetry Ltd., a fictional 38-person custom millwork manufacturer in Squamish with $6.2 million in annual revenue. The owner attends the programme and, with her controller, builds a first risk register. Four entries rise to the top.

  • Customer concentration. One developer accounts for $2.4 million — roughly 39 per cent of revenue. Likelihood of a slowdown over the next year: 3. Impact if it happens: 5. Score: 15.
  • Key-person dependency. The lead estimator is the only person who prices complex jobs accurately. Likelihood of departure: 2. Impact: 5. Score: 10.
  • Cyber/ransomware. No multi-factor authentication; backups untested. Likelihood: 3. Impact: 4. Score: 12.
  • Rising input costs. Sheet-good prices volatile, with fixed-price contracts signed months ahead. Likelihood: 4. Impact: 3. Score: 12.

The owner's stated risk appetite includes a line she had never written down before: no single customer should exceed 25 per cent of revenue. The concentration risk breaches it outright, which settles the debate about whether it matters. The response is a blend — reduce (a deliberate business-development push to win two mid-sized clients and bring concentration under the line within 18 months) and transfer (trade-credit insurance on the large developer's receivables, costing roughly $9,000 a year against a potential $2.4 million exposure).

The cyber risk, scoring 12, is cheaper still to address: enforced multi-factor authentication and a tested backup regime cost a few thousand dollars and a fortnight of IT effort, dropping the likelihood score from 3 to 1 and the rating from 12 to 4 — the single best return in the register. The key-person risk is met with a documented pricing methodology and a cross-trained junior estimator. Input-cost risk is reduced by adding price-escalation clauses to new contracts.

None of these moves is exotic. What changed is that four serious exposures are now visible, scored, owned, and scheduled for quarterly review — rather than living, unevenly, in the owner's head.
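The register, scoring, appetite test and re-scoring described in this example can be put into a few dozen lines of code. The block below is an added illustration written for this page, not an RN Schola template or tool: it uses the four Sea-to-Sky Cabinetry entries as constructed input, and the action threshold of 12, the owner names, the empty control columns and the named planned controls are assumptions, not figures from the programme.

```python
"""Minimal likelihood x impact risk register (added example, not RN Schola material).

Constructed input: the four Sea-to-Sky Cabinetry entries from the page.
Assumptions: ACTION_THRESHOLD, the owner names, the initial (empty) control
columns and the names of the planned cyber controls.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SCALE = range(1, 6)        # both axes are scored one to five
ACTION_THRESHOLD = 12      # assumption: ratings at or above this need a planned action
RESPONSES = {"avoid", "reduce", "transfer", "accept"}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # financial / operational / strategic / compliance / cyber
    likelihood: int
    impact: int
    owner: str             # the column most registers forget
    controls: Tuple[str, ...] = ()
    response: str = "accept"

    def __post_init__(self) -> None:
        # Reject rows that cannot be ranked or that nobody is accountable for.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if not self.owner.strip():
            raise ValueError(f"{self.name}: a risk without an owner is not being managed")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


def build_register() -> List[Risk]:
    """The four entries from the worked example (constructed data)."""
    return [
        Risk("Customer concentration", "financial", 3, 5, "Owner", (), "reduce"),
        Risk("Key-person dependency (estimator)", "operational", 2, 5, "Owner", (), "reduce"),
        Risk("Cyber / ransomware", "cyber", 3, 4, "Controller", (), "reduce"),
        Risk("Rising input costs", "financial", 4, 3, "Controller", (), "reduce"),
    ]


def rank(register: List[Risk]) -> List[Risk]:
    """Highest rating first; ties broken by impact so the severe one surfaces."""
    return sorted(register, key=lambda r: (r.rating, r.impact), reverse=True)


def needs_action(risk: Risk) -> bool:
    return risk.rating >= ACTION_THRESHOLD


def residual(risk: Risk, *, likelihood: Optional[int] = None,
             impact: Optional[int] = None,
             added_controls: Tuple[str, ...] = ()) -> Risk:
    """Re-score a risk after a planned control; the original row is left intact."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact=risk.impact if impact is None else impact,
        controls=risk.controls + added_controls,
    )


def concentration_breach(customer_revenue: float, total_revenue: float,
                         limit: float) -> Tuple[bool, float]:
    """Appetite test: does one customer exceed the owner's stated revenue share?"""
    share = customer_revenue / total_revenue
    return share > limit, round(share, 3)


def register_summary(register: List[Risk]) -> List[str]:
    """One line per risk, ranked, flagged against the action threshold."""
    lines = []
    for r in rank(register):
        flag = "ACTION" if needs_action(r) else "monitor"
        lines.append(f"{r.rating:>2}  {flag:<7} {r.name} "
                     f"(L{r.likelihood} x I{r.impact}) owner: {r.owner}")
    return lines


if __name__ == "__main__":
    reg = build_register()
    print("\n".join(register_summary(reg)))
    breached, share = concentration_breach(2_400_000, 6_200_000, 0.25)
    print(f"Largest customer share {share:.1%}; appetite limit breached: {breached}")
    cyber = next(r for r in reg if r.category == "cyber")
    after = residual(cyber, likelihood=1, added_controls=("enforced MFA", "tested backups"))
    print(f"Cyber rating {cyber.rating} -> {after.rating} after planned controls")
```

Running it reproduces the page's figures: the concentration risk ranks first at 15 and breaches the 25 per cent appetite line at a 38.7 per cent share, and the cyber risk falls from 12 to 4 once the likelihood is re-scored to 1. The frozen dataclass means a re-score is a new row rather than an overwrite, so the register keeps the before-and-after pair for the quarterly review.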

Who should attend, and what you walk away with

The programme is built for business owners, general managers, controllers, and finance managers of established BC SMEs — particularly firms that have grown past the point where one person can hold every risk in mind. No prior risk-management training is assumed.

You leave with a completed first draft of your own risk register, calibrated likelihood and impact scales, a written statement of your risk appetite, a mapping of your top risks to existing and planned controls, and a quarterly review rhythm to keep it all alive. In short, you leave with a working ERM process, not a binder of theory.

Frequently asked questions

Is enterprise risk management not overkill for a small business?

No — it is scaled to fit. The frameworks used by large corporations are heavy because those organizations are heavy. The programme teaches the same underlying logic in a form a 20-to-100-person BC firm can run on a single spreadsheet reviewed four times a year. The cost of the process is modest; the cost of being blindsided by a foreseeable risk rarely is.

How is this different from just buying more insurance?

Insurance is one of four responses, and it only fits certain risks. You cannot insure away a strategic risk such as a business model becoming obsolete, and over-insuring low-impact risks wastes money. The programme teaches you to choose deliberately among avoiding, reducing, transferring, and accepting each risk — so insurance is used where it genuinely fits, and not as a reflex.

How long does it take to build a working risk register?

Most attendees produce a credible first draft during the programme itself and refine it over the following few weeks. The initial sweep across the five risk categories takes a focused half-day with the right people in the room; calibrating scores and assigning owners takes a little longer. The ongoing commitment is light — a quarterly review of an hour or two.

Do we need a dedicated risk officer afterwards?

Almost never, at SME scale. Accountability for the register usually sits with the owner or the controller, with individual risks owned by the managers closest to them. The programme is designed precisely so that risk management becomes a shared habit rather than a new full-time role.

Key takeaways

  • Risk management is already happening in your head — this programme makes it visible, shared, and repeatable so it survives growth and the owner's absence.
  • Identify across five categories — financial, operational, strategic, compliance, and cyber — to avoid over-focusing on whatever last went wrong.
  • Assess with likelihood × impact on a simple one-to-five scale, turning a long, anxious list into a short, ranked, actionable one.
  • The risk register and a written risk appetite are what convert assessment into management — and every risk needs a named owner.
  • Match each risk to a deliberate response — avoid, reduce, transfer, or accept — rather than defaulting to worry.
  • Link risks to internal controls so the work strengthens daily operations and feeds naturally into a formal control review.
  • Review on a fixed quarterly cadence — a register written once and never reopened manages nothing.

The businesses that weather a shock are rarely the ones that saw it coming by luck — they are the ones that had already named it, weighed it, and decided what to do. If you would like to bring that discipline to your own firm, RN Schola runs this Corporate Risk Management programme for BC owners and their teams throughout the year. We would welcome the conversation.
