Risk-oriented management and control in SMEs
Since the revision of company law in 2012, numerous SMEs have once again been exempt from the formal obligation to maintain an internal control system (ICS). However, examples from practice show that selected ICS elements implemented on a voluntary basis can generate considerable added value for companies. Using the payroll process as an example, this article explains measures that create the basis for risk-oriented management and control in SMEs with comparatively little effort.
In today's dynamic market environment, companies are confronted with complex risks. The management and control of these risks is particularly challenging for SMEs due to their specific characteristics. For example, only limited financial resources are available and human resources are usually limited. Also, a consistent separation of functions cannot be implemented or can only be implemented to a limited extent. A dominant entrepreneurial personality can also lead to sensitive and risky activities being the responsibility of only one person. Finally, internal company regulations are often only implemented informally and are not or only partially documented.
Levels of action with leverage
In order to meet these challenges, there are three fields of action, irrespective of the area of activity, which can form the basis for risk-oriented management and control.
- Risk awareness: The first step is to positively influence the risk and control awareness of employees and managers. In many cases, responsible persons from SMEs are heavily involved in the operational processes in their specialist area. As a result, managers quickly develop a gut feeling for risks and uncertainties in their area. Due to the aforementioned peculiarities of SMEs, however, there is in some respects a lack of attention to the timely recognition of changed framework conditions and to an appropriate company-wide risk culture.
- Expert knowledge: Success-critical expertise in SMEs is usually concentrated in a few key positions. Other employees have to cope with a relatively broad range of tasks in view of the scarce personnel resources. The variety of tasks leads to employees building up competencies in different sub-areas. This breadth of knowledge is a decisive factor for the economic performance of SMEs. On the other hand, generalism leads to a lack of expert knowledge in certain subject areas or processes. Sometimes this knowledge is also lacking for systematic risk analysis within the individual areas.
- IT skills: Modern IT application systems (ERP or financial software) offer numerous options for managing and controlling business and support processes. With the help of increasingly comprehensive preventive management and control functions, risks can be minimized through the targeted use of the software. In SME practice, such functions are only partially used, as a research project by the Lucerne University of Applied Sciences and Arts shows (see box). SMEs often focus on a few central functions that are unnecessarily supplemented by additional applications. The reasons for this lie on the one hand in the lack of business and technical know-how, and on the other hand the advice of the IT service provider plays a decisive role.
Application example: payroll accounting
Because the process is repetitive, creating payrolls as well as paying and posting them are among a company's routine activities. From a process perspective, difficulties can arise if the payroll-relevant data changes or the processed data records have to be checked each time the process is carried out. As part of a sound risk analysis, the following dangers can essentially be identified in the payroll process (cf. Hunziker, Dietiker, Schiltz & Gwerder, 2015, pp. 152-156):
- Master data in the payroll system is not entered or edited, or is entered or edited incorrectly
- Wage and expense payments are made incompletely, incorrectly (recipient, amount, account) or to fictitious or resigned employees
- Wage deductions and/or allowances are not calculated and paid, are not calculated in full or are paid in the wrong amount
- Payment total and payroll total according to payroll accounting do not match
- Wage or expense payments are made without approval
- Performance bonuses/commissions are calculated incorrectly or not approved
The list illustrates that the financial risks in this process are to be classified as relatively high. Based on the above-mentioned fields of action, the following approaches can be used to reduce the risks to an acceptable level.
At the risk awareness level, the general handling of and sensitivity to risks is promoted, including in relation to the payroll process. Written guidelines in the form of a binding code of conduct or process-specific guidelines are a first measure to raise awareness among employees and managers. On the informal level, setting an example, a proactive management style and compliance with rules of conduct on the part of management can have a positive effect on risk behaviour. Furthermore, the most important risks should be regularly discussed, managed and ultimately communicated in the management body.
On the second level of action, incorrect payroll accounting or inadequate control activities can be avoided by calling in expert knowledge. Depending on the structure of one's own organization, external support can be called upon for individual issues (e.g. in the event of a change in the law) or in the form of complete outsourcing to a fiduciary company. In addition, providers of IT application systems usually have the relevant business knowledge to map processes and business transactions with the respective products. Finally, it is also conceivable to build up expert knowledge in a targeted manner in the form of further training. The investment in these measures is generally justified by the costs that would otherwise be incurred to deal with risks that have materialized.
The measures on the third level of action are aimed at increasing IT knowledge with regard to the range of functions and benefits of IT applications and thus reducing the risks of unnecessary interfaces. In the context of the payroll process, the IT functions shown in Fig. 1 also support risk minimization.
In order to be able to decide on the appropriate measures, the employees involved in the process must have knowledge of the IT functions. This knowledge can be built up by IT-savvy employees themselves or, for example, in the form of training visits. Otherwise, IT consultants or product providers also provide the necessary knowledge to be able to optimally use the implemented software solution.
Conclusion
Many SMEs lack a systematic management and control of risks. In addition, the informal handling of risks often only takes place with the managing director or the top management level. Based on the payroll process shown, it is clear that a number of risks remain undetected as a result, which represent a considerable risk potential for SMEs. However, with easy-to-implement measures within the three fields of action, the prerequisites for risk-oriented management and control can be created.