Useful risk management for SMEs: where it fails
Why do many SMEs still not practice risk management, which would bring benefits beyond the legal requirements of pure financial protection? The following article explores the reasons.
Risk management is a topic that boards of directors and members of executive management must address as a matter of urgency. In many companies, risk management is seen only as a necessary but ultimately useless fulfillment of legal requirements. But ever since risks that threaten the global economy were discussed at the WEF in Davos, at the latest, managers and the media have been dealing with it more or less intensively. These risks form a complexly linked network of dangers and threats such as skills shortages, demographic changes, capital imbalance, financial volatility, energy transition, energy shortages, water shortages, global warming and migration [1, 2], to name but a few. It is understandable that managers want to know how these trends affect their business activities.
Legal and industry regulations
The law stipulates (Art. 961 CO) that risk management must be in place for certain legal forms (listed AG) above a certain company size (CHF 40 million turnover/> 250 employees) [3]. Its existence and functioning must now be confirmed in the management report of the annual report. Several industry-specific regulations are referred to as recognised accounting standards (IFRS for SMEs/Swiss GAAP FER/IPSAS), but recommendations for corporate governance also specify how reporting must be carried out.
The board of directors may therefore also be required by law to implement and demonstrate a functioning risk management system.
Implementation usually means adopting a generally accepted risk management standard (COSO ERM, ISO 31000, ONR 49000 ff.) and the corresponding processes. These processes are then audited once a year by an auditing company, and their existence is confirmed in the audit report. As part of these processes, the Risk Committee of the Board of Directors and the Executive Board generally receive a report 1 to a maximum of 4 times per year with the greatest risks relevant to the company.
Everybody's talking about risk management...
Various global and large-scale studies by the Big 4, including Deloitte [4] and PwC [5], but also by insurance companies [6], show that a clear majority of the managers surveyed consider risk management to be important. Moreover, almost all of them want to invest in optimizing risk management in the future. Interestingly, however, only about one-third of managers include concrete risk management information in their decisions. The rest continue to make decisions based on gut instinct.
...but few use it!
So what are the main problems that prevent an SME from making the best use of risk management? There are certainly three main reasons [7]:
1. Too few resources ("our workforce is more important elsewhere").
2. Too little knowledge ("Risk management requires specialists").
3. Too little expectation of benefit ("Nothing changes if I know the risks").
In our view, it is precisely the commonly applied approaches to solving these three acute problems that lead to many smaller problems, which then stand in the way of an optimal solution for an SME. The most important problem areas identified are briefly discussed below. They include (see also the adjacent presentation of the general problems for SMEs):
- Too many experts: There are many specialists on the market, each one a genius in his or her own field. But there are many areas of expertise in risk management (see box). Since financial resources are often limited and acute problems require a quick, expert solution, the wrong priorities are set.
- Stubborn silo thinking: There are many areas, departments and functions within the organisation. Each of them has different, individual demands on risk management. In the absence of coordination, the strongest will prevail [8] (see box).
- Too many standards: There are many standards which are only applied in individual sub-areas of risk management and are used by the relevant experts. In addition, there are standards and sets of rules that are prescribed or customary in the organisational areas and are therefore preferred (see box). Ignorance of their necessity or of higher-level sets of rules and alternative options leads to a dispersal of available resources. In addition, a cost-benefit assessment is too often lacking before their implementation.
- Too many processes: Driven by the needs of the individual functions and areas, as well as by the use of very specialized standards by the experts called in to help, several independent, parallel risk management processes are introduced, and, notably, for the same or very similar processes. This inevitably leads to a high documentation effort and thus ties up resources. An additional, negative aspect is that this can also massively inhibit innovation.
- Too many tools: There is now a confusingly large number of risk management tools, from simple checklists to specific software. These in turn generate various forms of reports. The experts, on the one hand, often recommend and implement ready-made methods that they know well and use everywhere. The functions and divisions, on the other hand, are usually only familiar with the tools commonly used in their area of expertise; these then primarily cover their immediate needs. This leads to a flood of information and therefore to a very limited overview. Although the risk management tools currently in use meet the requirements of the special field for which they were developed, it is often questionable whether they can be used optimally for efficient corporate risk management. They often do not meet the criteria of efficiency, diversity and communication to the extent that would be required for an SME [8].
An unsatisfactory situation
Experience has shown that these many overlapping and, despite everything, interdependent problem areas lead to risk management being pursued at great expense, but not being assessed as beneficial. This means that the actual advantages that would result from appropriate, efficient and integral risk management are not exploited [9]. Exploiting them, however, should be in the interest of an SME with good corporate governance.