“How MSMEs can put in place an enterprise risk management framework to identify, assess and manage business uncertainties”

By Hersh Shah

Ease of doing business for MSMEs: The MSME (Micro, Small and Medium Enterprises) sector forms the backbone of India’s economy, providing employment to around 120 million people and accounting for 45% of overall exports. With 20% of these businesses based in rural India, it is also considered a major driver of rural entrepreneurship and economic inclusiveness. The MSME sector is characterized by limited resources, which also makes these businesses vulnerable to risks such as those arising from cyber attacks, shortage of liquidity, lack of succession planning and poor reputation management.

It is essential to understand here that risk is an inevitable part of a business. It is the flip side of every opportunity a business must seize to grow and expand. Ignoring risk management can lead to disastrous consequences, threatening business continuity. ERM offers a holistic approach to managing risk within an organization, enabling companies to identify, assess and manage a wide range of uncertainties. Thus, it helps companies to strengthen their resilience against emerging threats and to develop agility to adapt quickly to an unexpected event, such as the Covid pandemic.

While SEBI mandates the appointment of risk management committees for the top 1,000 listed companies, there are no guidelines in effect when it comes to smaller companies. With limited resources at their disposal, many small businesses may find setting up risk management committees an unnecessary burden. However, this is a short-sighted approach, which leaves them vulnerable to risk and ill-prepared to deal with the challenges that may arise in pursuit of their business goals. On the other hand, adopting ERM can improve their chances of raising capital, as banks and investors are more likely to prefer organizations that have a strong ERM framework. To set up the ERM, small businesses can start with the following steps:

Develop a culture of risk: Risk culture refers to the values, attitudes and behavior of employees and teams within the organization that determine its ability to manage risk. It is the responsibility of the board of directors and its senior management to set the tone by promoting positive behavior and enforcing corporate governance. Establishing clear risk ownership through a well-planned reporting structure will facilitate the timely identification and deployment of risk management policies. However, a culture of risk can only be successful if it is aligned with organizational culture and people management.

Developing risk appetite: Risk appetite is the amount of risk a company can bear in pursuit of its organizational goals. Developing organizational risk appetite is one of the fundamental considerations of ERM, helping companies recognize their risk tolerance, which is the degree of uncertainty an organization is willing to bear. Identifying risk appetite and risk tolerance allows the organization to put triggers in place when these thresholds are crossed, ensuring that risk mitigation tactics are deployed on time.


Develop a risk escalation matrix: While senior management is responsible for planning risk management policies, it is usually employees in the field or project managers who are the first to spot emerging threats. In such cases, an escalation matrix helps managers effectively and quickly communicate these events to upper management. The matrix facilitates the identification of risks in a timely manner and ensures that there is an established procedure to escalate or gradually increase the intensity of the alert if the threat is not addressed in time.

Identify risk champions: Risk champions are risk-smart professionals in each department who are responsible for periodic risk reporting and implementation of risk management policies. In the absence of such professionals, companies can take the initiative to recruit selected employees from each department to pursue global ERM qualifications or exams. They can encourage these qualifications by making them mandatory for certain positions. Each company should also have a risk expert or risk manager to oversee the overall implementation.

Periodic review: The effectiveness of ERM implementation depends on its periodic review. An organization’s risk appetite can change over time, and it is important to monitor changes in its tolerance to different threats when formulating ERM strategies. These reviews are also essential for keeping track of emerging uncertainties in the field and for evaluating the performance of the internal risk management team, which determines the organization’s response. A comprehensive review will highlight any gaps in ERM implementation, allowing management to correct the company’s course of action.

For many businesses, the pandemic was an event that exposed their lack of risk preparedness, and many small businesses were shut down as well. The economic turmoil of the past two years, driven by the need for rapid digitization, the adoption of remote/hybrid work models and compounded by risks such as climate change, further underscores the need to remain vigilant and proactive to respond to uncertainties and threats. Family businesses and startups have also begun to realize the importance of ERM and the need for entrepreneurs to upskill with ERM qualifications. ERM not only helps small businesses build much-needed resilience, but it also improves the chances of success as they pursue new growth opportunities.

Hersh Shah is CEO of the Institute of Risk Management (IRM), India Affiliate. The opinions expressed are those of the author.