ERM for Small and Midsize Business: It’s Just NOT the Same

We’ve all heard it from politicians and the press, but it’s true – small and midsize businesses (SMBs) constitute the lion’s share of the economy. They account for 64% of new jobs created in the U.S. and over 90% of the “business population” according to this report.

Gartner defines small businesses as those firms with fewer than 100 employees and $50 million in annual revenue while midsize firms have between 100 and 999 employees and $50 million and $1 billion in revenue.

As a small business owner myself, I’m always thinking about how these companies can benefit from integrating risk into their decision-making, especially considering many of the people who read my blog are from these types of firms. Much of the literature on ERM I encounter seems to only apply to large companies, so when I came across this article in RIMS’ Risk Management Magazine, I was delighted that someone was finally addressing the topic.

While it includes some good insights, the article has one major flaw…

As in any organization, developing ERM as a separate process in an SMB will not deliver value and will therefore be cast aside.

Written by Todd Williams (no relation), the article does provide some good insights, such as stating how ERM:

…identifies and prioritizes risks to achieving strategic objectives, breaking the traditional siloed risk approach of managing risk solely by function or business unit.

As I explain in one of my flagship articles, breaking silos between business units is a key distinction between traditional risk management and ERM. Williams is correct to say the ultimate goal of ERM is to reduce risk and drive performance, but he stops short by not mentioning the importance of informed risk-taking to increase SMBs’ odds of success.

He also explains that the main reason so many SMBs avoid ERM is financial and manpower constraints, which is largely true, albeit not the entire reason.

I, along with others like Hans Læssøe, regularly mention that making ERM a separate process can be too bureaucratic to add any real value to strategic decision-making. This is doubly true for small and midsize businesses. Complex topics like risk appetite, risk reporting, and others, which Williams briefly touches on in his article, can make ERM too bureaucratic and more about documentation than about helping the company build a strategic advantage.

So where can SMBs begin factoring risk into strategic decision-making in an agile way without creating a new “to-do”?

At the end of the day, ERM must be about achieving objectives, regardless of the size of the organization. This is even more important for SMBs because their margin for error shrinks dramatically – unless you have a ton of spare cash lying around!

As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives:

“The more we are able to anticipate what might happen, the better we can be prepared and the better we will be able to respond. Informed decisions are far more likely to be the right decisions.”

In my personal experience as an ERM consultant, SMBs spend considerable time putting out fires. Most focus on operations and audit; ERM, or integrating risk into strategic decision-making in a consistent, informed way, is simply not top-of-mind.

However, SMBs do not have to embark on some colossal effort as Williams seems to imply…

The first step can be to conduct a risk assessment to help you understand the biggest, most urgent areas of concern in your organization. This helps you establish a baseline and understand who you should be talking to first.

Finding these urgent problem areas and taking steps to address them can be a great first win. Think about what you can achieve in the next 2 or 3 weeks, similar to the agile approach frequently used by IT departments. Small sprints like this, instead of a lengthy marathon formalizing a process, can demonstrate value early and often, help avoid overwhelm, and win over skeptical executives, among other benefits.

“But Carol, I have serious budgetary constraints,” you ask.

Not to worry. It’s true that a formal ERM process can be time-consuming and expensive. Much of the literature out there, including Williams’ article, seems to imply that organizations need to have a dedicated team, which isn’t true. As I explain in a previous article about ERM on a budget, there are several ways SMBs can harness ERM to help their organizations without a huge cash outlay.

In addition to the steps mentioned in that article, SMBs can also reduce the time and financial cost of ERM by adopting lean six-sigma principles to streamline as much as possible.

Once you understand what works and what doesn’t, you can then document any “process” so any future activities will be easy to execute. But most of this should be ingrained into the mindset and culture of the organization.

Your company engages in risk management to one degree or another, at least I hope. But to maintain a competitive edge and grow in this unstable, constantly changing world, companies have to take risks in an informed way.

Are you a small or midsize business that is struggling to integrate risk into strategic decision-making to ensure success?

The topic of ERM for small business is something that I feel is not given the attention it deserves considering the challenges these organizations face in today’s world. Therefore, I invite you to leave a comment below or join the conversation on LinkedIn.

If you are a small or midsize business that is growing frustrated with a lack of progress or results, please don’t hesitate to reach out to me to discuss your specific needs today!

Featured image courtesy of Tim Mossholder via

Meet Carol Williams, SDS Founder & Lead Strategist