It is well understood that risk management forms a critical part of the overall governance framework in larger businesses, but in my view it may be even more important in the small business enterprise (“SME”) and the not for profit (“NFP”) sector.
Larger businesses have, as a function of their size, more inbuilt capacity, resulting directly from the broader skill set that comes with a larger team. This means they are inherently better placed to recognise sources of risk and to put risk management strategies in place.
The typical SME and NFP does not have this inherent capacity and is therefore more exposed to risk. In the fraud risk area this has been borne out in surveys by the Association of Certified Fraud Examiners, where small businesses not only suffered the most frauds, but the average value of those frauds was higher than the average for all organisations. This can be attributed to a lack of internal controls and of the knowledge and skills available in-house.
This same additional risk profile for SMEs and NFPs applies, in my experience, to areas of risk other than fraud. The SME and NFP sectors face a full range of risks including OSH, strategy, employment, business viability, disaster recovery, information technology, reputation and fraud, to name a few categories. Risk is a key matter for SMEs and NFPs to address and manage. These smaller enterprises don’t have the inbuilt resilience that larger organisations have, so risk management is actually more important to ensure survival.
Developing a risk management framework need not be a difficult exercise, but it is an exercise where obtaining professional assistance initially will pay big dividends. A business needs to develop a consistent framework that will cover all categories of risk across the business. The framework needs to document:
- the nature of those risks;
- the mitigating controls in place and the continuing effectiveness of those mitigations;
- the likelihood of the risk occurring given the mitigation in place; and
- the impact of the risk if it occurs, so as to develop a full understanding of the residual risk remaining.
It is this residual risk that needs to be the focus of governance and management understanding. It is only when governance and management fully understand the residual risks in the business that they can make reasoned decisions on managing those residual risks in a cost-effective manner.
It is important that organisations are upskilled to self-manage the risk identification and management processes. It is not healthy to create a continuing dependency on professional assistance, as risk can’t be outsourced. When it strikes an organisation it becomes very personal to the management and governance of that organisation.
The framework documentation and processes need to focus the governance and management function on the key risks that are most likely to occur and will have the biggest potential impacts.
In the NFP sector, having good documentation allows new senior management and board members to quickly understand the risk position. This eases role transitions as senior roles tend to rotate, particularly in governance.
It is key to risk management strategies that the risks and strategies are reviewed continually over time to ensure they remain updated, current and relevant. By grouping the risks into wider categories, this review and reassessment can be carried out on a rotational basis, with one category reviewed and reassessed each month or quarter, to make the overall process manageable.
For the small subset of identified risks that are critical, I recommend that they are considered, reviewed and reported on every month. It is these critical risks that could be game-breakers, that is, life or death for the organisation, and they therefore deserve attention on a continual basis until such time as the risk is managed down to a more acceptable level.
In summary, risk is a vital consideration for small enterprises and simply can’t be ignored. A simple, consistent but robust framework is required to manage the wider spectrum of risk across the entire enterprise.
The risk framework needs to be able to assign weightings to the different risks identified and to consider the mitigations that are in place for each of those risks. The framework needs to document the action plan where further mitigation or management is required. Importantly, the framework needs to document who owns the required action and by when the action will be completed.
The initial development of a risk framework for a business will likely require professional assistance. The assistance should be aimed at developing capacity and understanding in the enterprise so as not to create a dependency situation that becomes a gravy train for the advisor. It is only when management and governance take total ownership for risk management that risk management will be truly effective.
About McGlinn Consulting Group Limited
Graeme McGlinn is the director of McGlinn Consulting Group Limited. Graeme is a Chartered Director, Chartered Accountant and Certified Fraud Examiner at McGlinn Consulting Group Limited. He has over 35 years’ experience in accounting, auditing, governance, litigation support and risk identification and management in New Zealand and overseas. He can be contacted via his website www.mcglinnconsulting.com or by email at firstname.lastname@example.org