In the first in a series on risk management for SMEs, Steve Giles explains that risk isn't just a negative – you need to assess the company's appetite and grab the opportunities
This article was first published in the February 2017 UK edition of Accounting and Business magazine.
The management of risk has always been an intrinsic part of doing business. In the past, it was largely informal, with directors and managers relying on a combination of experience, instinct and luck. Since the 1990s, though, international best practice has involved taking a more systematic and disciplined approach, with formal processes to identify, assess, prioritise, treat, mitigate and report on risk. This is what risk management looks like in many organisations today for a very powerful reason – it increases the chances of survival and success.
But small and medium-sized enterprises (SMEs) are often resistant to the modern approach. While most adopt some form of loss prevention measures, many do not use a formal risk management process. Many view it as unnecessary – a bureaucratic, box-ticking exercise that costs time and money without adding value. However, failure to engage in risk management techniques may make SMEs vulnerable – and 50% of SMEs fold before completing their fifth year – especially in these times of unprecedented uncertainty.
Effective risk management is not only about preventing loss and protecting reputation; it also enables better decision-making. By ‘thinking risk’, SMEs increase their chances of hitting targets and meeting objectives.
Here are four key ideas to help SMEs and their accountants to think risk.
Opportunity as well as threat
The international standard defines risk as the ‘effect of uncertainty on objectives’. It reflects the reality of an uncertain future that SMEs must navigate if they are to succeed, including events that threaten loss as well as those that promise gain. To succeed, SMEs need to constrain the threats while exploiting the opportunities.
Accountants are ideally placed to identify and evaluate the risks surrounding a business opportunity, providing essential analysis for sound decision-making (for example, whether to open a new retail outlet to take advantage of consumer trends). A risk-based approach enables SMEs to dare to take a chance in pursuing their objectives. This is by no means to advocate being reckless or gambling with resources; it is about taking action when opportunities present themselves, based on a thorough assessment of all the circumstances. This is an integral part of risk management.
Optimise not minimise
SMEs should not look to minimise risk. Although appropriate in certain areas (eg, health and safety, or anti-bribery and corruption), risk minimisation as an overall strategy is limiting and futile. Risk exists and it must be managed.
Like all organisations, SMEs need to take risks if they are to grow and achieve their objectives. Accountants should encourage the business to think beyond simply managing risk and towards trying to optimise the level of risk that they operate with. The reference point here is the risk appetite of each organisation: how much is it prepared to put at risk in the pursuit of value?
Understand risk vs controls
Risk drives controls, not the other way round. The basic equation is simple: the higher the risk, the stronger the controls needed to mitigate it. Conversely, low or medium risk will require modest controls only. For an SME to have an efficient and effective internal control system, it must first have a thorough and ongoing process to assess risk in the business.
This leads to a key observation: a risk-based approach is a proportionate one that makes for efficient use of resources. Accountants should understand this and use it to manage their businesses better. For example, it is poor management to allocate oversight of a major outsourcing contract (high risk) to an inexperienced or junior staff member. Stronger control is needed – for example, ensuring that a senior manager oversees the contract. Conversely, don’t spend valuable time and resources on areas of low risk.
Beware of time-lag
Risk is dynamic – it changes all the time. Internal controls, on the other hand, are not dynamic – they tend to evolve slowly over time and are often historic, anchored in the past. Gaps are accordingly likely to appear between fast-evolving risks and the much more slowly changing control environment.
Nowhere are the dangers of the risk/control time-lag better illustrated than with cybercrime. It barely featured on risk radars five years ago, but today cybercrime is a national security threat and the vulnerabilities are seen everywhere. Some SMEs become victims because their controls (eg, their anti-virus software, the use of effective passwords, raising awareness among staff of malware and fraudulent emails) lag too far behind the ever-changing threats.
It poses a real danger to results and reputation for SMEs if control gaps grow too wide. Accountants need to be alert and proactive – another essential aspect of effective risk management.
Steve Giles is an independent consultant, lecturer and author specialising in governance, risk and compliance