Business Risk Management: Why Merchants Should Manage (Not Avoid) Risk

June 9, 2021

Tal Miller


The term “risk” is thrown around a lot in business, which can often lead to misconceptions. We want to set the record straight. In this article, Fibonatix CEO Tal Miller delves into what risk really means, the different types of risk and why they should be managed rather than avoided. Tal discusses how to evaluate risk, outlining some business risk management best practices.

This article is based on insights from a recent episode of our Pay Attention podcast. Listen to the podcast below or scroll down to read the rest of the article.

Demystifying business risk management

Let’s start by busting some myths and revealing common pitfalls with business risk management. Too many organisations focus on avoiding and even eliminating business risks. This is a mistake. It’s impossible to remove all risks, so it’s a fruitless task. The clue is in the title – risk management. Spending too much time trying to eradicate risks wastes resources and breeds fear amongst your organisation. Don’t overcomplicate things. Carrying out a risk assessment is a lot simpler than people think. We’ll discuss risk assessments later in this blog.

It’s vital to break down what risk means and establish the fundamentals of business risk management for merchants and payment service providers.

What is risk and how can your business manage it?

A good dictionary-type definition of risk is “exposure to danger, harm or loss.” When we say exposure, it’s all about possibility. In this context, two elements are critical to how we assess and manage risk: likelihood and impact. These are the fundamentals of assessing, predicting and managing business risks.

1. Likelihood of risk

What is the likelihood of something bad happening to your business?

2. Impact of risk

What would the loss or harm be if this bad thing happened to your business?

How should you approach business risk management?

If the likelihood and potential impact of the risk (or unwanted event) are the main focuses of your attention, how should you approach business risk management? You need to ask yourself some key questions and play out the scenario.

How to manage risk in business – three key questions

When approaching business risk management, you need to consider the following three questions:

  1. What is the bad thing that I don’t want to happen?
  2. What is the likelihood of it happening?
  3. What would the impact and implications be for my business?

This applies to merchants and payment service providers (PSPs). Both parties need to do a proper risk assessment and evaluation. 

Before going into the specifics of risks associated with business and payments, let’s take a basic example from everyday life, such as weather. If the risk is rainfall, let’s play it out.

  • The risk – rainfall
  • The likelihood – the weather forecast has given me a 30% chance of rain today
  • The impact – my clothes and belongings getting wet or an event being called off, etc

What are the main risks for merchants and payment service providers?

Broadly, two main types of risk could affect your business. Within these two categories, there are an array of events that your business could encounter. But focusing on these two pillars will support your approach to business risk management.

Two main categories of merchant and payment risk management

  1. Financial damage – loss of capital as a result of an event/incident, such as fraud, breaches of compliance (which can lead to regulators imposing fines), human error or an ongoing event (like the pandemic) that causes your business to close for a period of time.
  2. Reputational damage – something that creates a negative perception of your business for your key stakeholders (clients, customers, business partners, investors, regulators, your employees, or the industry). This will likely damage your company’s capital but in an indirect way. Examples of this include:
  • Negative publicity – perhaps an incident has caused your product to be deemed poor quality or unsafe, or your company to be perceived as immoral or unethical.
  • A security breach that calls into question customer trust, data protection or the company’s intentions.
  • Customer service/relations – perhaps an incident that causes customers to post bad reviews on sites and channels, calling out poor customer service or communications.
  • An internal incident that causes the company’s employee care to be criticised or the business to be viewed as a bad place to work.

How a payment service provider would treat a risk assessment for merchants

Payment service providers look at a merchant’s offering and business type and analyse the different elements of risk for their particular business and industry. From a financial risk management perspective and the likelihood of financially damaging events, providers assess how likely they are to incur chargebacks or fraudulent activity. They consider the following:

  • What would be the likely rate of chargebacks?
  • How often would there be any fraudulent activity to investigate? 
  • What would be the impact of this?

If a merchant’s chargeback rate exceeds a certain threshold, they can incur fines or be added to a watch list, which could create reputational damage for the merchant and PSP.

Dealing with so-called ‘high-risk businesses’


With merchants operating in an industry with stricter regulations around who can purchase their goods, such as a business selling alcohol, PSPs must consider the risks specific to these types of businesses. The merchant may have a licence to sell alcohol, but there are restrictions on age limits and on sales in certain regions. If a merchant is found selling to anyone under the age limit or in breach of a region’s restrictions, they can be held accountable, leading to both financial damage (through potential fines) and reputational damage.

With businesses in the high-risk bracket, such as Gambling or Adult Entertainment, there are greater reputational risks. PSPs typically prefer not to publicise that they provide payment services to high-risk customers, because the perception might deter other clients.

PSPs’ approach to business risk management

PSPs evaluate the likelihood of unwanted risks and financially or reputationally damaging events, and the potential impact, based on industry, product/service type and business specifics. For example, you might be operating in a perceived high-risk industry, but your credibility and performance are above the industry standard. Alternatively, your company’s reputation could be lower than expected in an industry normally deemed low risk.

A good PSP will evaluate the types and likelihood of events that could change the situation, like the global pandemic and its impact on industries such as Tourism. The likelihood of chargebacks, holiday cancellations and so on is much higher because of this event, and the impact is severe. In other industries, the impact is reduced; the pandemic actually boosted revenue in some businesses due to new demands.

Once this intel is collected, a PSP can evaluate businesses and industries as high, medium or low risk, in terms of the probability and potential impact of certain unwanted events. At Fibonatix, we’re not keen on categorising businesses in these terms. Instead, PSPs should focus on assessing financial and reputational risk and how high or low the individual risks are in each of these categories. Then evaluate whether the likelihood of an unwanted event is high and its impact low, or the likelihood low but the impact high. It’s like a matrix on which you plot where a business sits from a risk management perspective.

Until a company’s risks have been properly evaluated, we can’t effectively manage or mitigate them. Businesses categorised as high, medium or low risk may not know why. It’s only when you take into account these factors that you can understand the level of risk. Often it’s not directly reflective of your business, but the perception of your industry.

Sourcing data for business risk management analysis


Using statistics and proper analysis helps you assess and manage risk. Taking the earlier example about the risk of rain, if you want to know the likelihood and impact, you can look at weather charts, statistics for the region in a similar time frame in recent years and percentage probabilities from forecasts. You could go beyond statistics too and talk to locals who know the area. Apply this to business risk management: look at data, source industry reports and get insights from people in the know.

When we talk about the risk of financial damage, for merchants and PSPs, you can source historical data and see how often chargebacks and fraud occur and the impact caused. Typically when businesses incur fines, this is made public, as the regulators and government bodies want everyone to know about them to deter similar bad practices.

When looking at chargebacks and fraud, historical data is available by business type, industry, region, etc, to understand the likelihood, regularity and level of penalties and impact. This data is usually presented as two different metrics: the percentage of total sales and the number of chargebacks or instances of fraudulent activity. Apply these metrics to your business to better understand the acceptable numbers, the thresholds and the penalties for exceeding them. If you’re in an industry where the average chargeback ratio is 3%, you can estimate the number of chargebacks you’re likely to encounter based on your monthly sales numbers.

How can you evaluate reputational risk?

Reputational damage is more difficult to evaluate, as there are fewer sources of data available. If there’s a major event that has a big impact on a business or industry, which has changed the perception of customers and key stakeholders, there will be news stories that document the fallout, but it’s harder to quantify. Also, more often than not, companies won’t publish data on reputational damage. Discussing reputational damage can further increase negative perceptions people have about your business, leading to additional financial damage. However, you can gain insights on reputational risks from surveys, customer reviews and social media.

Reports and surveys

Some researchers and analysts create industry reports which might outline the impact of a big event on an industry or certain businesses. For example, how sales were hit as a result of the pandemic, compared to the previous year. And there are reports and qualitative data that come out of surveys that organisations carry out, that can delve deeper into matters of reputation. In these cases, respondents may answer questions related to buying/browsing behaviours or their perception of businesses. These can reveal insights about reputational risk, impact and perception that prove useful for assessing and evaluating business risk and risk management.

Customer reviews and social media

Data around reputational risk and damage can also be gleaned from review sites, social media responses and engagement, customer satisfaction surveys and voice of the customer programmes. A few companies specialise in analysing reputation, but this is less common.

Business risk management can minimise the risk of reputational damage, and after an event can help mitigate the reputational impact. When predicting reputational risk, it’s commonly about making guesstimates, forecasting the likely impact and understanding the factors at play, and where they can be managed to limit reputational damage.

How do you approach and carry out your risk assessment?


My simple recommendation would be to apply the categorisation and criteria mentioned above to your business and use a chart to document and score the risks. Remember, don’t overcomplicate things. Here are our best practices for carrying out a business risk assessment.

Best practices for carrying out a risk assessment

Make it personal

Your risk assessment should be based on your company’s specific characteristics. The impact of events varies from business to business and different industries. Let’s take the weather example one more time. Some people might not want it to rain, so they evaluate the likelihood of rainfall. They perceive the impact to be bad, whether it’s to do with their wellbeing or the effect on an organised event (like a sports match or wedding). For others, the impact is minimal. Perhaps they enjoy the rain, have rainproof clothing or they’re not attending an event that will be impacted by rainfall. 

Apply this to business risk management. Are you selling your goods in the physical world? Would rainfall mean fewer customers or less time spent browsing/buying your products? Would it cause an event you’re running to be cancelled? The likelihood of rain varies too: an organisation based in a dry part of Africa is far less likely to be affected by rainfall than one in England. For one company, a certain event could have a small impact, but for another it could be devastating to their revenue, growth or reputation.

Make it holistic or omnichannel

Consult people from different departments within your business to avoid blind spots. You might not be aware of certain factors or how an event would impact the team, so this can reveal key insights.

We also recommend having someone external involved in the risk assessment. This helps to ensure that you don’t miss something or exaggerate or play down risks. But only do this after you’ve done the work yourself. There will always be things that only someone working within your business would be aware of. The third party’s role should be to review your initial risk assessment and look for things you may have missed or not considered but not as a replacement for you doing it internally. 

Be thorough and organised

Put your risk assessment details in a chart. Using a chart makes it easier to organise and rationalise your thought process. Here are some simple steps:

  • Create a table and populate it with your potential risks.
  • Put a number beside your unwanted events (perhaps between 1 and 10) for the likelihood of them occurring.
  • Add a column describing the impact, and another scoring its level on the same scale.
  • In another column, multiply the two scores – this will be your overall risk score for each potential event.
  • Rank them in importance, based on their scores.

This is one method; there are other approaches to scoring risks, from colour coding to formulas that incorporate additional factors. But this is the simplest approach to documenting your risk assessment. The scoring system and the chart-based approach to business risk assessment will make it easier to create a mitigation plan for each of the risks.
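The chart-building steps above, carried through as an added example (this is not code from the original article or from Fibonatix). The events and their 1-to-10 scores are constructed for illustration only, not data from any real merchant. Beyond the basic multiply-and-rank procedure, it also validates that every score stays within the agreed scale and labels each row with the likelihood/impact quadrant described earlier in the article, so that a high-impact but very unlikely event visibly drops down the ranking.

```python
from dataclasses import dataclass
from typing import List

SCALE_MIN, SCALE_MAX = 1, 10          # the 1-to-10 scale suggested in the text
CATEGORIES = ("financial", "reputational")


@dataclass(frozen=True)
class Risk:
    """One row of the risk chart: an unwanted event and its two scores."""
    event: str
    category: str        # "financial" or "reputational"
    likelihood: int      # 1 = very unlikely .. 10 = almost certain
    impact: int          # 1 = negligible .. 10 = devastating

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a typo cannot distort the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} of {self.event!r} must be {SCALE_MIN}-{SCALE_MAX}, got {value}"
                )
        if self.category not in CATEGORIES:
            raise ValueError(f"category of {self.event!r} must be one of {CATEGORIES}")

    @property
    def score(self) -> int:
        """Overall risk score: likelihood multiplied by impact."""
        return self.likelihood * self.impact

    @property
    def quadrant(self) -> str:
        """Where the risk sits on the likelihood/impact matrix (6+ counts as high)."""
        mid = (SCALE_MIN + SCALE_MAX) / 2
        lik = "high" if self.likelihood > mid else "low"
        imp = "high" if self.impact > mid else "low"
        return f"{lik} likelihood / {imp} impact"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest score first; on a tie, the higher-impact event comes first."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def render_chart(risks: List[Risk]) -> str:
    """Plain-text version of the chart the article recommends keeping."""
    header = f"{'Rank':<5}{'Event':<58}{'Category':<14}{'L':>3}{'I':>3}{'Score':>7}  Quadrant"
    rows = [header, "-" * len(header)]
    for rank, r in enumerate(rank_risks(risks), start=1):
        rows.append(
            f"{rank:<5}{r.event:<58}{r.category:<14}{r.likelihood:>3}{r.impact:>3}"
            f"{r.score:>7}  {r.quadrant}"
        )
    return "\n".join(rows)


def sample_register() -> List[Risk]:
    """Constructed example events and scores; not data from any real merchant."""
    return [
        Risk("Monthly chargeback ratio exceeds the scheme threshold", "financial", 6, 7),
        Risk("Regulator imposes a compliance fine", "financial", 3, 8),
        Risk("Wave of negative reviews after a delivery failure", "reputational", 7, 4),
        Risk("Security breach that calls customer trust into question", "reputational", 2, 9),
        Risk("Pandemic-style closure lasting several months", "financial", 1, 10),
    ]


if __name__ == "__main__":
    print(render_chart(sample_register()))
```

Running the script prints the ranked chart. Note how the closure scenario, despite the maximum impact score, lands at the bottom because its likelihood score is 1, which is exactly the effect the article describes when it recommends factoring likelihood into the scoring.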

Avoid unlikely scenarios

Businesses should largely focus on events that are common in their industry and related to their particular business offering, rather than on unlikely events, which can otherwise take up a disproportionate share of attention. Yes, you should have a contingency plan for catastrophic events, with preventative measures or a plan B if something like the global pandemic were to occur again, but you should spend most of your time managing and mitigating more common risks. Factoring likelihood into your risk scoring helps to rationalise your risk assessment and suppress fears around high-impact events that are unlikely to happen.

Listen to our Pay Attention podcast for more insights about risk management and advice for merchants from our payments experts.


Take a measured approach to business risk management. We see too many people in risk management positions trying to reduce risk levels to zero. This is impossible to achieve without dramatically impacting your organisation’s ability to carry out business. You need to manage risks, not avoid them. Making decisions about risks based on attempting to eliminate them is detrimental to your business.

We advise you to evaluate business risks in a rational, uncomplicated way, utilising the intel at your disposal. Assess the likelihood and impact of unwanted events and split them into financial and reputational risks, scoring them accordingly. Involve all the key people within your organisation in your risk assessment and consider independent support to review your work.

Want to learn more about business risk management? Get in touch. Our payments experts have vast experience supporting merchants with risk management and assessment.


Fibonatix is known as a global payments consultancy and a leading payment service provider. Our offering includes customised payments solutions that contribute to powering and scaling businesses around the world. 

We empower merchants with our expertise and offer effective payments processing tools that drive business growth. Get advice from our experts around risk management, compliance and regulation, and payment technology development and optimisation. Fibonatix is FCA regulated, headquartered in the UK, Germany, and Israel.