By Hersh Shah
Ease of Doing Business for MSMEs: The MSME (Micro, Small, and Medium Enterprise) sector forms the backbone of the Indian economy, providing employment to approximately 120 million people and accounting for 45 per cent of overall exports. With 20 per cent of such enterprises being based in rural India, it is also seen as a major driver for rural entrepreneurship and economic inclusivity. The MSME sector is characterised by limited resources, which also makes them vulnerable to risks such as those arising from cyberattacks, liquidity crunch, lack of succession planning, and poor reputation management.
It is critical to understand here that risk is an unavoidable part of a business. It is the flipside of every opportunity that a business must pursue in order to grow and develop. Ignoring risk management can result in disastrous consequences, threatening business continuity. ERM offers a holistic approach to managing risks across an organisation, empowering businesses to identify, assess, and manage a wide range of uncertainties. Thus, it helps businesses to build resilience against emerging threats and develop the agility to quickly adapt to an unexpected event, such as the Covid pandemic.
While SEBI mandates the appointment of risk management committees for the top 1,000 listed companies, there are no guidelines in effect when it comes to small businesses. With limited resources at their disposal, many small businesses may view the setting up of risk management committees as an unnecessary burden. However, this is a shortsighted approach, which leaves them vulnerable to risks and ill-prepared to face the challenges that can arise in pursuit of their business goals. On the other hand, the adoption of ERM can improve their chances of raising capital, as banks and investors are more likely to prefer organisations that have a robust ERM framework in place. To set up ERM, small businesses can start with the following steps:
Develop a risk culture: Risk culture refers to the values, attitudes, and behaviour of employees and teams within the organisation that determine its ability to manage risks. It is the responsibility of the company board and its top management to set the tone by enabling positive behaviour and enforcing adherence to corporate governance. Setting up clear ownership of risk through a well-planned reporting structure will facilitate timely identification and deployment of risk management policies. However, a risk culture can only succeed when it is aligned with the organisational culture and people management.
Building risk appetite: Risk appetite is the amount of risk a business can withstand in pursuit of its organisational objectives. Building organisational risk appetite is one of the core considerations of ERM, helping businesses to recognise their risk tolerance, which is the degree of uncertainty that an organisation is willing to withstand. The identification of risk appetite and risk tolerance enables the organisation to set up triggers for when these thresholds are crossed, ensuring that risk mitigation tactics are deployed on time.
Develop a risk escalation matrix: While it is the senior management that is responsible for planning risk management policies, it is typically the employees on the ground or project managers who are usually the first to spot emerging threats. In such cases, a risk escalation matrix helps managers to communicate such events effectively and promptly to the higher management. The matrix facilitates timely risk identification and ensures that there is an established procedure to escalate or progressively increase the intensity of warning if the threat is not addressed in time.
Identify risk champions: Risk champions are risk intelligent professionals across each department who are responsible for periodic risk reporting and the implementation of risk management policies. In the absence of such professionals, businesses can take the initiative to get selective employees from each department to pursue the global ERM qualifications or examinations. They can incentivise such qualifications by making them mandatory for certain positions. Every business should also have a risk expert or Chief Risk Officer to oversee the overall implementation.
Periodic review: The effectiveness of ERM implementation depends on its periodic review. The risk appetite of an organisation may change with time, and it is important to monitor the changes in its tolerance for different threats when formulating ERM strategies. Such reviews are also critical in keeping track of emerging uncertainties on the ground and in assessing the performance of the internal risk management team, which determines organisational response. A comprehensive review will highlight any gaps in ERM implementation, allowing the leadership to correct the company’s course of action.
For many businesses, the pandemic was an event that exposed their lack of risk-preparedness, and many small businesses also faced closure. The economic turmoil in the last two years, driven by the need for rapid digitalisation, adoption of remote/hybrid work models, and compounded by risks such as climate change, further underscores the need to remain vigilant and proactive in responding to uncertainties and threats. Family-owned businesses and startups too have started realising the importance of ERM and the need for upskilling entrepreneurs with ERM qualifications. ERM not only helps small businesses to develop much-needed resilience, but it also improves the chances of success when pursuing new growth opportunities.
Hersh Shah is CEO of the Institute of Risk Management (IRM), India Affiliate. Views expressed are the author’s own.