Added value for SMEs !

In many companies, risk management is seen only as a necessary but ultimately useless fulfilment of legal requirements. In an earlier article, the possible reasons were already explored.

In the following article, we will now explain possible solutions as to how SMEs can benefit from appropriate, cost-efficient risk management that goes beyond the purely legally required financial security. With these partly unconventional recommendations, we are deliberately moving in a different direction, away from the usual process- and tool-dominated approaches.

Objectives?

First and foremost, these quintessential questions should be answered: What are the expectations of an SME for effective and useful risk management? Assuming, of course, that the legal and industry-specific regulations must be met. The central objectives of integral risk management are:

• Ensuring the long-term existence and positive development of the company,
• Preventing down-rating and liquidity shortages,
• Integral and uniform recording and evaluation of the truly relevant risks for the entire company,
• Timely creation of all, different report forms, for a need-based reporting to the different risk owners and stakeholders.

As additional advantages the following points should be mentioned:

• Provide active support for intelligent decision making, whether strategic, financial or operational, and,
• Promotion of promising innovations and projects.

Here, the focus is on the important insight that financial risks are often just the effects of strategic, operational and technical risks for many companies. Or, to put it another way - the root causes of most financial problems almost always lie in prior, flawed decisions in the area of strategic development and operational implementation [1]. Far be it from us to negate financial risks, but effective risk management should not stop there. In order to obtain a pronounced benefit, it must include the many other aspects as well, and ultimately, risk management insights must be incorporated into early decision-making.

Requirements?

The second important question before introducing risk management concerns the necessary requirements. An SME usually has limited resources and insufficient expertise at its disposal. In addition, they must focus on their "daily business". This leads to the following requirements for efficient risk management:

The process must:

•  correspond to the existing corporate and process culture,
• meet the function-specific different needs,
• can be largely adapted to the already existing document systematics,
• only include one, clear, ongoing process over the year,
• be tradable with either internal or external resources,
• at every level/function time efficient and 
• be cost-effective overall.

Reporting should:

• be clear, simple and understandable for the different recipients, 
• can be clearly visualized,
• can be tracked in "real time" if required,
• correspond to the predefined report forms of higher-level, organizational units 
• and, of course, meet the legal and regulatory requirements.

This results in the most striking feature of effective risk management. It must be flexible! This avoids every function in the company having its own risk management system in accordance with its own requirements and needs.

Should the risk management process be integrated into the existing process and document management system?

The risk management system implemented by these companies is highly specialized and is usually based on a standard that is only recognized in their area. This reduces the problem of having several non-congruent isolated solutions with processes running in parallel and disproportionately high costs. In practice, therefore, functions and departments whose requirements differ with regard to the risk analysis method used or the form of reporting must be integrated into the integrated risk management system.

Another aspect is the possible integration into already existing processes. It is a fact that the existence and functioning of a risk management system in a company must be confirmed by the audit [Art. 961c CO] if it meets the criteria for an ordinary audit (listed AG, > 40 million turnover, > 250 employees) [2]. At present, however, no standard explicitly requires auditing or certification of the risk management system.

It therefore makes sense to manage the risk management process separately from the systems to be audited, such as GMP, ISO 9001, etc. However, according to the current standards (ISO 31000, ONR 49000ff., COSO ERM), the existence of a management system is required [3]. Documentation, training, time and event driven reviews as well as continuous improvement are also required in risk management.

Our recommendation is therefore to use the existing system for risk management tasks, but to manage it formally separately, in a different "vessel" as it were. As an example, we would like to mention the efficient use of the ICS as risk controlling also for non-financial processes, especially for the continuous monitoring of strategic projects and real-time alerting in case of process deviations. This is because ICS already performs many of the necessary tasks. See Table 3, Tasks of ICS.

For various reasons, risk management is denied recognition. This is mainly due to the following conditions: One may have invested too much time in the processes and therefore leaves out the success message. A lack of feedback, however, leads to the fact that one is not perceived as part of the success. Another aspect is the lack of measurability that is attributed to risk management. This is often due to a lack of data prior to the implementation of the system.

Positive effects

Therefore, the question of risk-relevant KPIs (Key Performance Indices) or concrete RPIs (Risk Performance Indices) must be asked in good time. Clear RPIs should also be defined for risk management and the KPIs that are to be influenced by it. If risk management can be implemented integrally and communicated well, it already shows positive sides in the short term, such as:

• Increased satisfaction of risk report recipients > Better individual understanding
• Better identification with risks > Increased feedback, implementation of measures
• Simpler control, faster reaction > Prompt reporting of deviations
• Reduced effort for risk reporters and risk owners > More efficient process

Successful, integral risk management also shows improvements in the medium term:

• Increased safety better motivation > Delivery reliability - Customer satisfaction
• Qualitatively better decisions > Optimal perception of opportunities
• Increased risk awareness > Formation of a company's own risk culture
• Positive reputation with stakeholders, community and shareholders

Thus, finally, the achievement of risk management objectives should also be enabled in the long term if KPIs are taken into account. See Table 2, which KPIs can be.

An important prerequisite for this: The desired KPIs must be defined before the introduction of risk management - and must have already been recorded over a longer period of time in order to identify trends.

Effective, integral risk management has a significant influence on the success of an SME. In particular, medium-term and long-term results can be positively controlled with effective risk management.

The central question posed at the outset regarding the direct benefit of risk management can thus be clearly endorsed.