Risk Management for Small-to-Mid-Sized Businesses

By Timothy S. Avery, President CEO, Scott Valley Bank

When the economy was running at a feverish pitch in 2005-2006, many small business owners felt that their biggest risk-management issues were the ability to meet demand, handle expansion planning, and the financial implications associated with both. Seemingly good problems to have . . .  

In actuality, the biggest risk was the cooling of the very “fever” that described the times then, and the possibility that it would end abruptly, which we all know is exactly what happened.

Risk Management, while it may sound like a “big business” concept, is truly a very real issue for all businesses, big or small, to prepare for the future and continued viability. As we navigate this “new normal” version of an economy, it is more important than ever to take the time to create, reconsider, or update your risk management plan for the possible activities or conditions that may challenge your business in the future.

In our business (banking), risk management is a daily activity because banking, like insurance, is truly a “calculated risk” business. However, this multifaceted set of issues present in so many more ways than even 20-years ago, and due to the nature of our lending activities we see a wide variety of businesses, each with significant risks of their own. We also see how owners and managers of those businesses address these risks and respond when activities arise that call for decisions related thereto.

Every business has its own set of unique risks to consider and every owner should consider these unique risks as a part of his/her business plan and fold them into a Risk Management Plan that is, likewise, unique to his/her business.

However, as unique as risks can be, several commonalities are found in most businesses at the macro level. Let’s talk about the ongoing types of risks that most businesses must consider:

Strategic Risks

  • Assumptions are at the center of most business plans:  customer needs/wants, product pricing, costs, and the financial considerations that go along with fueling your business. Strategic risk is rooted in the possibility that one or more of your assumptions, and hence your business plan, turns out to be wrong. “What if the newest widget doesn’t sell like we hope it will?” Surprisingly, this form of risk can be one of over-abundance, as well as shortfall, relative to your assumptions. “What if demand exceeds your ability to deliver?”    

Environmental Risks

  • I’m not talking about “the environment”, although if you are in a natural resources business, that too would be a part of assessing your risks. Rather, the environment in which you do business. Competitors, new and old, legislative change related to your industry and the economy – local, regional, national and global – can create environmental risk. Location of your building, relative to hazards and natural disasters can also be a consideration.
  • The legal structure, or design, of your business, as well as any industry and regulatory compliance, also makes up a part of the environment in which you do business and should be considered. Contractual risk, whether it is with vendors or clients, can present restrictions or over-commitment should there be a meaningful change in your business activity.

Operational Risks

  • Because most businesses rely upon, and incur a high percentage of expense related to people, consider the human risks. What is the makeup of your workforce? How available are the skills that drive your business’s performance? Do your workplace activities and your employment culture protect you from, or expose you to, on-the-job injuries, harassment claims or other employer-employee related exposures? Do they produce an environment for ease of hiring, promotions, etc. to respond to growth in the business?
  • Theft, fraud and other forms of misconduct from inside of the business can present significant risks.
  • Technology is embedded in virtually every business in existence today. Are there back-up plans in place for both your information and the operational abilities associated with the technology that drives your company? From computers to telecommunications to electrical utilities, these items can threaten your business if not included in your risk assessments.
  • Worthy of separate consideration is the Internet. Not only can it be a gateway for growing your business, but also a potential avenue for fraud and embezzlement, including cyber-attacks. Additionally, the increasing presence of social networking and even a simple presence on the world-wide-web can produce tremendous opportunity for improved marketing as well as overall reputational risk. Software to safeguard against malicious cyber-attacks is a required step in all forms of business today. Even small businesses need anti-malware and virus protection, but what if it fails you? As use of the Internet can produce risks that must be addressed, determining the proper use of the Internet as a part of your business activity should be a part of business planning.

The references above are but a fraction of the potential risks that should be considered in business risk management. The hard work is in formulating and maintaining a method for assessment and mitigation of these risks.
To manage the multitude of business risks, there are steps that every business owner should take to reduce the likelihood that any one or more of these risks might take your business to its figurative knees. Here are some items to consider when building a framework for successful preparation to deal with the unplanned event which may challenge the survival of your business.


  • First and foremost, commit to formulating a plan to address your business risks. In doing so, you should take steps to establish a list of the general risks associated with your business, as well as the specific ones that are unique to your business.
  • Prioritize the risk by determining the likelihood (risk-rating) of each risk. A simple “High, Medium, Low” scale is sufficient.
  • Once your risks are identified and prioritized, detail the action items that you intend to execute if and when the risk scenario has been realized. This is where demand-bubble management in production areas, disaster recovery plans and business continuity plans come into effect. Be sure to have off-site copies of the plans related to extreme circumstances and make it a habit to review them periodically so that all key personnel understand their respective duties should you have to put a recovery plan into action.
  • In establishing your plans, consider what resources are available to mitigate the risk. Certain vendors, contracting firms and temporary staffing resources may be necessary, depending upon your specific needs. In some situations, the only immediate reaction to an environmental risk is to take steps to “right-size” your business to fit the new environment. Proper planning will help the business owner to take appropriate steps to “size up” or “size down” to restore viable operations and profits.
  • Oftentimes, insurance is the best and most readily available solution for items you determine to be risks to your business. However, failing to recognize the risk in the first place can also lead to uninsured losses that can cripple a business. Understanding your insurance coverage well is very important, as is the relationship you have established with your broker/agent.


  • The best form of risk management is prevention by exercising a meaningful degree of internal control.
  • Employee training, proper hiring practices, physical inspections of your premises and proper maintenance of equipment play a major role in preventing business risk from being realized.
  • When reviewing your risk management plans, always have these prevention elements at the forefront of your mind to determine areas for improvement.
The fact is, a business owner must look to all areas of his/her business model and assess the potential for interruption or shift in each assumption, as well as assessing the elements you believe to be static or a given part of how you do business. Business risks are a part of everyday life for the small and large business operator. Change is assured and planning for the changes that disrupt your plan is what risk management is all about. These changes can be rewarding or devastating under certain circumstances. However, with a modicum of planning and a commitment to review and refine that plan, the business owner is far better prepared to deal with the risks that abound on a daily basis.

View Scott Valley Bank - The Vault - February 2013