Risk Management

Why you need a risk management programme and how to get started


The business environment is becoming increasingly complex: greater competition, globalised markets and supply chains, skills shortages and constant cost pressures are the new normal. Growing reliance on digital technology has exposed emerging risks, and natural hazard events continue to cause significant economic losses. This operating landscape makes the case for small and middle-market businesses to have a risk management programme.

If you don’t already have a risk management programme in place, here are some areas where your business may be vulnerable, with recommended steps you can take to eliminate or control those risks.


  1. Your employees:

    • Train employees on company policies, safety programmes, information management and emergency response. Provide regular refresher training for all employees and keep documented training records.
    • Develop, review and test your emergency evacuation plan at least every 12 months.
    • Include background checks and employment history verification when hiring.
    • Use an access control system that promptly removes access for former employees and contractors.
    • Establish policies and safeguards to protect against fraud and embezzlement.
    • Train employees to properly use and maintain personal protective equipment.
    • Make sure you have a suitable ergonomics programme in place.
  2. Your operations and property:

    • Identify all hazardous materials (including flammable or combustible liquids) and ensure that suitable controls are in place to safely use, store, dispense and dispose of them.
    • Ensure that fire risks have been suitably assessed. Fire control equipment should be maintained in operable condition and serviced in accordance with applicable standards. Fire detection equipment should be appropriate for the premises and should signal to a constantly attended location.
    • Maintain clear, unobstructed access routes and work spaces.
    • Ensure electrical systems are installed and inspected in accordance with applicable regulations. Replace any extension cords with permanent wiring.
    • Ensure machinery has appropriate guards and documented lockout/tagout procedures.
    • Provide a suitable, controlled reception space for visitors.
  3. Severe weather:

    • Implement a Business Continuity Management programme and develop Emergency Response Plans. Review the programme and exercise the plans annually.
    • Prepare for natural hazard events. For example, in a flood zone, move critical assets above the potential flood levels, have appropriate materials available (sandbags, flood barriers, etc.) and install controls to prevent pollution.
  4. Your IT systems and technology:

    • Have in place a formal cyber security policy, developed with input from a qualified IT security professional and based on accepted standards such as ISO 27001 or the NIST Cybersecurity Framework. The policy should cover all business systems (for example, administrative databases, manufacturing and design software, CRM and ERP tools), network connections with customers and vendors, cloud storage and backup management systems, and secure product development processes.
    • Ensure cyber events and the corresponding response plans are included in your Business Continuity Management programme.
    • Create a specific Data Breach Response Plan covering containment, investigation and the notification requirements that follow any data security incident. Review and test it annually so it remains effective and relevant.
    • Regularly back up critical data and system information, store the backups off site and test their recovery, ensuring that recovery capabilities meet your business needs well enough to minimise the impact on revenue in the event of system failure or data loss.
    • Implement robust access management procedures throughout your network, covering access to critical systems and to sensitive data such as personal, health and confidential business information.
    • Train your staff at least annually on good cyber hygiene, including strong password management, social engineering and phishing awareness, and the importance of protecting sensitive information.

For more information about how we can help you mitigate risk in your business, visit our Property and Casualty Risk Engineering page.

All content in this material is for general information purposes only. It does not constitute personal advice or a recommendation to any individual or business of any product or service. Please refer to the policy documentation issued for full terms and conditions of coverage.
Chubb European Group SE (CEG) is an undertaking governed by the provisions of the French insurance code with registration number 450 327 374 RCS Nanterre. Registered office: La Tour Carpe Diem, 31 Place des Corolles, Esplanade Nord, 92400 Courbevoie, France. CEG has fully paid share capital of €896,176,662. UK business address: 100 Leadenhall Street, London EC3A 3BP. Authorised and supervised by the French Prudential Supervision and Resolution Authority (4, Place de Budapest, CS 92459, 75436 PARIS CEDEX 09) and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.
