Business owners who assume that risk management only applies to large corporates couldn’t be more wrong. It’s an area to which large organisations pay a good deal of attention and in which they invest a great deal of money, but in many ways SMEs are more vulnerable to risk than their corporate counterparts.
“The fact is that big corporations are often better able to absorb the effects of risk exposure. Most smaller companies simply do not have the capital to ride out the effects of exposure — one fraud, theft or significant loss of business continuity is often enough to destroy them,” says Wayne Malgas, case manager at Pasco Risk Management.
So while the scale of the risk might be different for corporates and SMEs, the fallout of not managing your business’s risks effectively can be the same or even greater if you’re a small company.
You can only manage what you know and understand, so the first step in proper risk management is to define your business’s risks. Risks can be defined as anything that could cause your business to lose money. While there are industry specific risks, a large percentage of business risks are common to all sectors. These include:
1. Operational risk
Probably the broadest area of risk, operational risk refers to a risk arising from the execution of a company’s business functions. This encompasses people, systems and processes, and includes other risk categories such as fraud, legal and environmental risks. Simply put, it is the risk of loss resulting from inadequate or failed internal processes, people and systems. However, because operational risk is so broad, many of the risk areas that, strictly speaking, fall within operational risk, are managed separately by companies. A good example is IT risk.
2. Credit risk
Bad debt represents a significant risk for SMEs that typically do not have the capital reserves to carry a large debtors’ book. Colin Hill, solution manager – Risk and Financial Crimes, at SAS Institute, points out, “For SMEs, credit risk is often impacted by whether your customers are getting paid by their own customers — if they aren’t, they typically don’t have the cash flow to pay you.”
3. Medical risk
Given the considerable risks associated with having employees who are not covered medically, there is increasing debate about whether companies should make medical cover compulsory. Employees without medical aid are more likely to wait until they are really ill before seeking medical intervention, which leads to more time off work. Their employer is also often the first place they turn to when they need a loan to cover medical expenses.
4. Reputational risk
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently,” said Warren Buffett famously. Social media provides consumers with the power to do lasting damage to your brand, and the Consumer Protection Act has placed consumer rights top of mind.
5. IT risk
Typically IT risk includes loss of data and a break in business continuity when IT systems fail, but increasingly it also refers to the threat from cyber attacks. “We’re seeing a big spike in the cyber threat to businesses,” says Wayne Malgas, adding, “You can be sure that as big businesses increase their security and it becomes more difficult to break into their systems, hackers will look for softer targets like SMEs.”
6. Travel risk
Travel risks include health-related risks but also the often unforeseen risk of corporate kidnapping, particularly for companies looking to expand into volatile African and Asian countries.
7. Compliance risk
“In the past year alone businesses have had to deal with the likes of King III, the Property Act and the Consumer Protection Act,” says Colin Hill, pointing out that even SMEs need to familiarise themselves with the legislation that affects them — and make sure they put the necessary systems in place to comply. “There is no blueprint for risk identification — the most important thing is to have a detailed and intimate knowledge of your business and the environment in which you operate,” says Malgas.
Most business owners understand their business well enough to make a start at risk identification, while a risk expert can help you ensure you have included any unforeseen risks. A risk management specialist can also help you to put risk management systems in place but ultimately you need to ensure that the capacity for basic risk management is intrinsic to business processes. “It needs to be fully integrated in the daily running of your business. This will help to reduce dependency and contain costs, and ensure a sustainable risk management system for SMEs,” Malgas comments.
Risk identification needs to be chiefly forward-looking. “Yes you can learn from history but if you’re continually looking behind you, you’ll never see what’s about to hit you,” he says.
“The two biggest mistakes businesses make when it comes to managing risk is they are too complacent, and don’t put early warning systems in place to flag risks when they arise – this means they aren’t managing the risk itself, but rather the fall-out when it’s already occurred,” concludes Malgas.