Enterprise risk management in the small and medium company

Recent “ripped from the headlines” stories about sexual harassment, data breach and reputational damage abound.  The immediate and lasting damage to corporate value from these catastrophic situations can be profound.  Nevertheless, they are now part of the risk exposure of any organisation.  Large companies have made a practice of managing risk for many years, through the discipline of Enterprise Risk Management.

The goal of Enterprise Risk Management is the reduction of uncertainty. Thus, ERM is responsible for the long-term sustainability of the enterprise, protecting a carefully developed brand and reputation from a variety of threats. Most ERM frameworks involve identifying and naming risks impacting a business, understanding those risks, and then deciding what action to take to mitigate them.  Such action might include contractual transfer, risk financing or risk control.

With elements of financial, operational, strategic, and legal/compliance risk in a larger company the ERM process involves a multi-disciplinary team and a significant allocation of resources.  In addition to compliance and risk-impacting events, basic market drivers such as cost management, revenue growth, competition, shareholder investment, and employee satisfaction are encouraging companies to embrace ERM.

In most cases, however, a small or medium-sized business cannot afford that kind of dedicated ERM effort.  Data also shows that relatively small percentages of small and midsize companies have basic plans in place such as crisis-management, business recovery, and others. Given these statistics, it is not surprising that very few smaller companies have set into motion a true enterprise-wide ERM approach.

But the same methodology should be applied in a simpler way to every business.  Every business owner probably has the most critical business risks on his or her radar.  Input from insurance and legal advisors will help identify them.  But some important risks may have been simply overlooked or may not be fully appreciated.  Further, the potential size of the risk may not have been quantified, and steps to mitigate the risk may not have been developed. It is worth carrying out an annual risk review with legal, insurance, and accounting advisors, along with the management team, to clarify the key risks, determine their likelihood of occurrence, and then start to build a risk management plan to alleviate them.

Most large corporations use captive insurance companies as a core aspect of their ERM plan.  The captive – which is essentially an in-house insurance company - helps to coordinate risk financing, customise policies, and reduce overall insurance costs. The captive can also be very useful for a smaller business, especially because it helps owners to identify the truly catastrophic risk that might otherwise be ignored or under-insured.  A competent feasibility analysis will review internal data, existing coverages and financials to identify such risk and then structure a risk financing plan to fund them.  Unsurprisingly, the small captive is often the precursor to a more rigorous enterprise risk management program, as the company owner starts to understand the nature of the “hidden” risks facing them and the potential damage a data breach, a social media flub or a damaging harassment scandal could cause.  The swirling headlines around corporate mis-steps may thus jumpstart the movement to greater use of enterprise risk management tools in the smaller organisation.