The small to medium enterprise may not have a chief risk officer at the helm but there are other ways to manage risk right now.
By Henk Olivier, MD of Ozone Information Technology Distribution
Risk. It’s become the buzzword of 2020 thanks to a global pandemic, a rising tide of cybercrime, a growing wave of work from home trends, and the endless complexity that surrounds diversified business in a locked down world.
For many organisations, risk is handed carefully over to a dedicated chief risk officer (CRO), who then ensures that the right technology, processes and systems are in place to mitigate the endless onslaught of risk.
But for the small to medium enterprise (SME), the CRO is a role that’s rarely possible to fill. Tighter budgets, smaller companies and limited access to skills make it a challenge for any SME to have one person dedicated to risk.
In today’s modern world, it’s critical for a business to have a risk management plan in place, no matter how big or small it may be.
Technology has the ability to make the organisation endlessly efficient and productive, but it can also bring everything to a crashing halt if something fails due to a hack, a break-in, or a simple system failure.
This is an easy strategy to create. Any company of any size can invest in a basic risk management plan that can support a team of as few as five members. The first step for any company that can’t afford a CRO is to put this basic plan into place.
Understanding the risks
Most companies rely on their employees and expect them to be available for work, so if one is ill or can’t work for several weeks, it can have a dramatic impact on business processes.
So make sure that your plan includes alternatives if a key staff member is unavailable for any length of time.
The second step is to be aware of the requirements around your IT infrastructure. These range from IT policies to IT security.
Many of these policies are required as part of regulation and some are industry specific – all are compulsory for any business to have, and every SME must inform its staff of them.
Employees must be aware of their responsibilities and recognise that they are a critical part of risk management within the business.
This is not just the remit of the CEO or the executive; it is a key performance indicator for every individual. Companies are only as strong as the weakest link in their business process or employee chain.
The regulations and compliance laws that SMEs have to put in place are rigorous. Business owners can be held personally liable for damages if something happens with client data or if information is leaked or compromised.
So, as part of your risk management plan, make sure that your business is aware of the compliance and regulatory requirements it has to follow and get these in place.
Educate your employees and ensure that the risk of non-compliance is made clear to every individual in the organisation.
The challenging landscape of risk for the SME
For most SMEs, the process of identifying risk and planning around it is one of the biggest challenges.
Most don’t have any formal business processes and policies in place, which makes it difficult to create a business risk management process that takes all these variables into account.
It’s a complex web of knock-on effects that expects the SME to create a litre of paperwork in order to ensure compliance. It’s tedious, time-consuming and often left on the back burner.
The other side of this challenge is that a risk management audit may reveal gaping holes in process, employee behaviour and compliance. If the audit is done internally to find these gaps, brilliant. If not, it can cost the SME its reputation and clients.
If your business isn’t sure where to begin with risk management, this audit is an effective way to formalise business processes and to develop solutions that will fill the gaps and ensure compliance.
But all is not lost. SMEs without CROs can make use of software tools that are designed specifically to help them evaluate their risk profiles and create risk management plans.
There are also numerous guidelines and basic templates available online for companies to do an evaluation from a checklist. They can also get advice from their accountants, legal companies and other reputable bodies that can help them to define their risk and their process.
This is not a step that can be avoided.
The SME is at as great a risk of a hack or ransomware as the larger enterprise. The cybercriminal isn’t discriminating by size, but by risk profile. An easy target is an easy target, no matter how big it may be.
So put basic IT policies and procedures in place that can serve as a guideline to minimise risk and support the growth of the organisation until it reaches the point where it can engage the services of a dedicated CRO.