Risk Management for MSMEs

A quick background on why I know a little about workings in an MSME (although I myself work in an MNC!):

I have led a project in which we had to analyze the workings of about 6500 Small Scale Industrial Units in the Country;
As part of Initiatives of Change, I had the benefit of closely interacting with several SMEs;
I myself was heading a small company start-up before joining the MNC.

Rather than using the word “Risk” which is very often a misunderstood word, I start by first penning down the challenges that are faced by SMEs. This was by a combination of my own experience plus what has come out during discussions at various points in time. MSME risk management is very important at all stages.

There may be more but these are the ones that I have found in multiple SMEs:

Disruption due to technology
Volatility in pricing
Inability to attract talent/skilled manpower
The complexity of legal compliances
Scalability
Access to finance
Lack of knowledge in Financial Management
Vulnerable to economic crises
Overdependence on large companies that have multiple options
Tight margins due to expectations of low cost
Lack of a cash cow
The tough regulatory environment and high cost of compliance
Lack of economies of scale.

Specifically, with respect to risk behavior, most SMEs (including me when I was heading one), had to take decisions mainly based on intuition and would generally have the attitude “let us pick up the order/Win the customer first, then we can look at how to execute”. Getting business was everything, and sometimes SMEs agreed to crazy margins and crazy terms & conditions with no escape net. While this worked in many cases, when it hit the company, it hits really hard.

Rarely would you find them looking at the risks of taking the order, and the obstacles faced during execution? The mitigation measures can be summarized in one word “Jugaad” ( an Indian term for a fast workaround after an issue arises).

Why Enterprise Risk Management (ERM)?

Traditionally, Risk Management has been associated with meeting business objectives, cash flow, and profitability targets for an enterprise. However, these days far more important risks have started emerging i.e. risks to legal compliances, especially in the context of increasing complexity in-laws and regulations, and risks to reputation mainly in the context of social media. In addition, technological advances have added their own challenges with respect to Cyber Security Risks and we now see unexpected events happening more regularly; be it floods, pandemics, ships stuck in Suez Canal, etc. which sometimes threaten business continuity.

In simple English, ERM is the ability of an organization to anticipate and manage risks across the organization be it risks to business objectives, financial solvency, reputation or legal compliance.

How can Enterprise Risk Management help SMEs?

First, let me tell you what Enterprise Risk Management cannot do – it cannot substitute for ethics, entrepreneurship, market understanding, customer focus, technical competence, financial acumen, and execution capability. All these are the minimum requirements for starting and sustaining any venture. If you are unable to take care of these 7 aspects, it is much better not to start a business.

Secondly, there is one step that SMEs need to take before implementing an Enterprise Risk Management Framework – as a start, they should have a framework to continuously identify challenges and issues, document them, and put in place an action plan for addressing them. This documentation helps keep in corporate memory the various lessons learned out of issues addressed in the past.

Now that you have taken care of the first 2 steps, you are ready for step 3 i.e. implementing a risk management system. What differentiates risk management from issue management (enumerated above)? While issue/challenge management deals with closing past topics, risk management is focused on having a culture that anticipates what could go wrong and be ready for it.

How do we implement risk management?

Anticipate risks while taking every key decision; Have a “Black Hat” thinking approach i.e always ask the question “what could go wrong”? However, don’t let this list bog you down, find a way to mitigate the risk.
Ensure that risk management is part of the company culture. Use risk management language in every discussion/conversation. Encourage discussions around “what went wrong” and “what could go wrong”.
Encourage employees to have the attitude of “Look before you leap”.
Have a simplified, documented risk management policy and process that covers the following:
- Risk Identification, Impact assessment, and Mitigation Plan.
- Risk Committee Meeting focused on identifying risks that are not faced in normal day-to-day business e.g. risks of social media, and risks of cyber security would never be discussed in normal day-to-day business decisions. It could constitute the CEO and his direct reporters.
- Defining thresholds for various topics; e.g. zero tolerance to corruption, zero circumvention of safety norms; professionally managed books and records(especially if you are publicly listed), and circumstances under which you are allowed to pick up loss order.
- Go through COSO and ISO standards and implement as felt useful
Continuously read/hear about what is happening in the external environment in all industries. Adapt the learnings on risks faced by large companies/other industries and build safeguards in our own organization.
Develop the clarity, conviction, courage, and willingness to say no to high-risk or unethical business.
Most important, understand that while doing risk management, look out for opportunities e.g. when you manage risks in projects, you will automatically be effective in timeliness and quality. See how you can leverage this in pricing and get more orders.