How Small and Midsize Companies Can Guard Against Business Risks

One of the largest threats to the viability of any business is the lack of a solid risk management strategy. The challenge for many owners of small to midsize businesses is that they are so busy driving the growth of their companies and hiring the necessary staff that a full-scale risk assessment has been impossible.

If this sounds familiar, it’s time to take stock of your company’s risks. If your firm doesn’t have the resources to hire a dedicated risk department or chief risk officer, here are some steps you can take now to help ensure the smooth operation of your company.

Gather Insights from Your Staff

The first step is to tap into the collective experience and special insights that have been gathered all along by your staff. Set aside time for a brainstorming session with your key managers and top employees to identify the biggest risks. While there are many risk categories, the most common are:

• Supply Chain. Relying on one or two suppliers can result in business interruptions, delays, shortages, or quality issues. The just-in-time inventory management model once offered a convenient way for businesses to limit inventory expenses, but the aftermath of the COVID-19 pandemic exposed the strategy’s vulnerabilities. Many companies stocked up on raw materials in anticipation of tighter supplies. But small and midsize companies, which have limited financial resources, faced the hardship of carrying the costs of that inventory when the economy stalled in 2022.

In addition, companies that historically imported materials from overseas began expanding their supplier network to U.S.-based vendors, which can be more costly. These steps raised important risk questions: Can your business pass those higher costs along to your customers? Are you over reliant on one or two suppliers? How much inventory can you realistically hold if a major slowdown in sales occurs? An interruption in your supply chain might reduce revenue and cause loyal customers to seek out other providers.

• Regulation. New regulations increase the risk of fines, penalties, and reputational damage. Tax laws are constantly changing while new employee benefits are being mandated on a regular basis, and regulators are tightening the rules around waste disposal and other environmental issues, such as restricting the use of fossil fuels.

• Cybersecurity. Sensitive customer data can be compromised by phishing attacks when your staff receives false emails or phone calls, data breaches, and ransomware, in which hackers seize your data and refuse to release it unless you pay. Scammers are creative, and they are becoming more sophisticated every day. They often see smaller businesses as easy targets.

"Many smaller companies continue to be under the misconception that cyberattacks won’t happen to them. But as many large businesses ramp up their cybersecurity investments, the opposite is true," says the 2023 Risk Barometer, a report from insurance firm Allianz. "The reality is that if a small company suffers a significant cyber incident, and it hasn’t adequately managed this risk, there is a chance it may not survive in the long run."

One solution is to enroll in the Fifth Third Security Suite, which provides businesses with the tools to keep sensitive financial information safe and protect your business from ACH and check fraud. The suite includes Positive Pay, which identifies discrepancies between checks cashed and issue information and allows you to specify which individuals or businesses can debit from your account and limit how much they can withdraw.

"In many cases, internal and external fraud can be prevented by setting up a robust system of checks and balances," says Jessika Wood, SVP, Head of Commercial Payment Products at Fifth Third Bank. "Positive Pay allows businesses to approve or decline transactions, automate invoices and payments from vendors, and require two different employees to set up and approve all ACH or wire payments."

Businesses should also be mindful that fraud can originate internally. The Association of Certified Fraud Examiners said in a 2022 report that nearly half of fraud originates in one of four company departments: operations, accounting, sales, and management. Some businesses implement dual controls to divide up responsibility. One employee may set up an ACH or wire, but another employee has to approve it.

• Labor. Unemployment rates are near historic lows, which severely limits the pool of qualified candidates and could hamper your company’s ability to grow. Some states are raising the minimum wage and requiring more paid time off for employees to address health or family issues, which could increase payroll and benefit costs while leaving critical positions unfilled. The loss of a key executive could slow down operations and hurt sales. Do you have a contingency plan, possibly involving a temp agency, or safeguards in place, such as a "key employee" insurance policy?

Some tasks can be automated, which restaurants and foodservice vendors are rapidly implementing. As a tool to mitigate labor risk, consider which tasks can be performed by machine or where artificial intelligence can be implemented to reduce labor costs.

• Environmental. Storms causing floods and blackouts, wildfires, and other natural disasters can be devastating. If disaster strikes, will you have access to an off-site control center? Other environmental risks are buildings that contain asbestos and lead-based paint, landfills that use toxic waste or contaminants like PFAs.

When speaking to your staff, the goal should be to identify any possible risks, from basic workplace safety issues such as OSHA regulations, local fire codes, and evacuation plans to interest rate risk. Then focus on risks that are specific to your industry and your company’s geographic footprint. You’ll get the best advice by allowing team members to express themselves freely without judgment. There’s no such thing as a bad idea when brainstorming to identify risks.

Finally, it is generally more effective to start by taking an enterprise-wide approach, covering a broad range of risks without digging too deep. This will help you identify gaps and really start prioritizing by asking: What are the biggest risks and where do we need to shift resources to address them, either in-house or by outsourcing?

Rank Your Most Expensive Risks

Once you have assembled a comprehensive list of risks, try to prioritize the items by gaining consensus on which issues pose the biggest, immediate, and potentially most costly threat to the firm. Most risks on your inventory can be monitored by switching to other management techniques such as the just-in-case supply chain model or increasing the number of vendors. Other potential risks may require more effort to solve.

Keep in mind that the most concerning threats to your business are not necessarily the most common. "The real damage comes from [the] largest, rarest incidents," the Harvard Business Review wrote in a 2023 article. "Each year, the top 0.3% of incidents cause on average 63% of the total losses." Think about the billion-dollar costs of cleaning up asbestos, which was mostly banned in 1989. Focus on enterprise-wide threats that hold the potential to do the most damage regardless of how frequently they have happened in the past.

When ranking risks, it’s often easier to quantify the potential fallout in terms of the direct financial impact they could have. If your contact management system is hacked, for example, you’ll probably spend a considerable amount of time and energy informing clients and shoring up your network’s firewalls. But the reputational risk to your business could also be significant.

Start Building a Risk Management Framework

Few business executives have the luxury of spending weeks or months drafting a full-scale enterprise risk management (ERM) plan. Here’s where third-party providers can really add value, whether you plan to tackle this project internally, outsource it, or use some combination of the two. In addition to offering expertise in risk management and benchmarks to measure success, consultants provide an objective and impartial view of your firm’s risk exposures, which are not always apparent to executives who are immersed in the firm’s day-to-day operations.

A good starting point is the Enterprise Risk Management—Integrated Framework developed by a group called the Committee of Sponsoring Organizations.

All of the major U.S. consulting firms offer risk management services. Even if you can’t hire a firm, their websites are filled with ERM frameworks, surveys, white papers, and case studies that can serve as a springboard to generate ideas and develop a rough outline of your plan.

Professional organizations and trade groups also offer a wealth of information about managing risk. Some are focused solely on specific industries, such as the Risk Management Association for banks, and the Private Risk Management Association for insurance providers. But whatever market you compete in, industry trade groups and their local chapters are most likely addressing risk in their conferences, publications, training sessions, and certification programs. Even the U.S. Chamber of Commerce has risk management suggestions for businesses.

Fifth Third offers a suite of tools to help businesses reduce risks, including converting their payments to digital transactions rather than unwieldy checks, automating payables and receivables, and implementing dual controls that require two people to make payments or change account information.

Fifth Third Bank can also help you apply for a business line of credit to cover unanticipated expenses, or to meet payroll while waiting for revenues to arrive, help with cash flow issues and protect payments with an array of merchant services, including tools to ensure the credit card fees your customers pay are transparent.

Scan for New Risks

Unfortunately, it’s not enough to understand and address the risks your business faces today. Forward-thinking executives need to always be on the lookout for potential risks that are lurking around the corner (such as new tax laws and regulations). When a problem arises, they should seek guidance and act immediately, before their firms are harmed.

"Enterprise risk management is not a checklist," the Committee of Sponsoring Organizations points out on its website. "It is a set of principles on which processes can be built or integrated for a particular organization, and it is a system of monitoring, learning, and improving performance."

In other words, risk assessment is not a one-and-done exercise. It should be done at least once a year and always evolve with the changing business environment, capturing both hazards that are clearly visible today and those that are just starting to take shape over the horizon. With preparation, vigilance and well-qualified partners, your business can face a brighter, lower-risk tomorrow.

For more information on how Fifth Third can help manage your business risks, including fraud prevention and treasury management tools, as well as lines of credit for unexpected expenses, contact a Fifth Third relationship manager.