Thanks to the blue-chips making a hash of their risk management, smaller companies need to pay closer attention than ever to their own processes.
Why are we in such a mess? As hindsight sheds light on the origins of the global financial crash, it’s obvious that large corporations such as AIG, Citibank, RBS and Goldman Sachs failed to assess their exposure to predictable outcomes of the extended credit management. In short, their risk management strategies were either inadequate, overlooked, or non-existent.
Risk management is common sense, says the chief executive of the Institute of Risk Management (IRM), Steve Fowler. IRM’s definition of risk management places it at the centre of any organisation’s strategic management. “It’s the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities,” it states.
Why small businesses need to manage risk
A large company can ride events in ways a small company can’t. “Risk management is a survival issue for small and medium-sized companies,” says professor Patrick Gougeon of ESCP-EAS management school.
“Globalisation, outsourcing, new technologies and increasing competition have all made the business environment more complex, and, therefore, riskier. At the same time, there has been pressure on companies to improve their financial performance.”
Gougeon identifies three types of risk medium-sized businesses tend to neglect:
- Business interaction risk: “If you have a fire at your factory, the insurance may pay for it to be rebuilt, but can you recover from being unable to trade for six months?”
- Crisis management: “When events happen, small companies often focus on fixing them, neglecting other areas that then become new crises.”
- Intangible assets: “Many small and medium-sized companies are not aware of the value of intangibles they have – brands, reputation, human resources and the like.”
More immediately, for smaller businesses the establishment of a risk management system is essential, since it affects their ability to continue to receive credit from banks, according to Dr Thomas Henschel of Napier University in Edinburgh.
“When rating a medium-sized business, the lending bank will always assess the proper implementation of a risk management system,” he points out.
You should frame risk management around your business’ objectives and strategies, says Fowler. “Prioritise, but keep a broad view of what is going on elsewhere in your industry, what is happening in countries you trade with, and what is happening in parallel industries that might affect your own business,” he advises.
Insurance
Your risk assessment will reveal which, out of property, engineering theft, money, credit, goods in transit, business interruption, vehicles, legal, public liability, life, pensions and so on, you might need. Major insurance brokers cover all risk angles, but it may be worth retaining an adviser who knows your business well for tailor-made advice.
About 70% of uninsured or under-insured small businesses that suffer a big loss fail within 12 months, according to brokers Southall Harries. They need a contingency plan to help minimise exposure to severe interruption in the event of a major crisis, such as fire, flooding or systems failure.
Another business benefit from having a risk management plan is that companies can be rewarded with lower insurance premiums while still being adequately covered for a major catastrophe and loss of trading.
‘Engineers, not actuaries’
Insurance relies on a tried and tested model of balancing probabilities and premiums. Mike Wilkinson, a risk specialist at insurance consultancy EMB, understands that risk is a business tool. “Entrepreneurs place a premium on risk,” he says.
“Risk management is about taking that balanced view between how much risk I take, how I understand the risks, and how I keep these within the bounds of the risk I want to accept. Also, how do I manage the bit that I don’t want to accept?”
Consequential risks that you may not fully understand are a danger area, according to Wilkinson.
“Good risk management is about spreading the risk, but that makes life difficult for an entrepreneurial business – there is little you can do about the recession, so it may be time to look at diversification,” he says. “Alternatively, how do you make your business model flexible enough to be able to weather downturns of the sort we’re currently experiencing?”
Other insurance consultancies take a slightly different approach. Stuart Selden, of insurance firm FM European, puts risk management above purely actuarial considerations, because he believes that the majority of losses can be prevented. “We don’t employ actuaries, we employ engineers,” he says.
It all comes down to how good your risk analysis is. Craig Ferri, managing director of risk analysis business Palisade Europe, believes much uncertainty can be removed from the process given the right tools.
“A lot of current decision-making is based on best-case and worst-case scenarios, whereas a mathematical and logical process, that also acts as an ‘audit trail’, is needed to track complex variables,” he says.
Fugitive information
Nothing’s harder to pin down than data. At a time when you can get a terabyte on a USB hard drive, any employee could walk out with the entire company database – its crown jewels – in a briefcase or on a laptop.
“IT policies often look as if they have been lifted from someone else’s policy on the web,” laments Mike Warriner, head of technology at corporate finance lawyers White & Black Legal.
