ERM for Small and Midsize Business: It’s Just NOT the Same

We’ve all heard it from politicians and the press, but it’s true – small and midsize business (SMB) constitutes the lion’s share of the economy. They account for 64% of new jobs created in the U.S. and over 90% of the “business population” according to this report.

Gartner defines small businesses as those firms with fewer than 100 employees and $50 million in annual revenue while midsize firms have between 100 and 999 employees and $50 million and $1 billion in revenue.

As a small business owner myself, I’m always thinking about how these companies can benefit from integrating risk into their decision-making, especially considering many of the people who read my blog are from these type of firms. Much of the literature on ERM I encounter seems to only apply to large companies, so when I came across this article in RIMS’ Risk Management Magazine, I was delighted that someone was finally addressing the topic.

While it includes some good insights, the article has one major flaw…

Like any organization, developing ERM as a separate process in a SMB will not deliver value and therefore will be cast aside.

Written by Todd Williams (no relation), the article does provide some good insights, such as stating how ERM:

…identifies and prioritizes risks to achieving strategic objectives, breaking the traditional siloed risk approach of managing risk solely by function or business unit.

As I explain in one of my flagship articles, breaking siloes between business units is a key distinction between traditional risk management and ERM. Williams is correct to say the ultimate goal of ERM is to reduce risk and drive performance, but he stops short by not mentioning the importance of informed risk-taking to increase SMBs’ odds of success.

He also explains that the main reason so many SMBs avoid ERM is because of financial and manpower constraints, which is largely true, albeit not the entire reason.

I, along with others like Hans Læssøe, regularly mention that making ERM a separate process can be too bureaucratic to add any real value to strategic decision-making. This is doubly true for small and midsize businesses. Complex topics like risk appetite, risk reporting, and others, which Williams briefly touches on in his article, can make ERM too bureaucratic and more about documentation rather than a tool for helping the company build a strategic advantage.

So where can SMBs begin factoring risk into strategic decision-making in an agile way without creating a new “to-do”?

At the end of the day, ERM must be about achieving objectives, regardless of the size of the organization. This is even more important for SMBs because their margin for error shrinks dramatically –  unless you have a ton of spare cash lying around!

As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives:

The more we are able to anticipate what might happen, the better we can be prepared and the better we will be able to respond. Informed decisions are far more likely to be the right decisions.”

In my personal experience as an ERM consultant, SMBs spend considerable time putting out fires. Most focus on operations and audit; ERM, or integrating risk into strategic decision-making in a consistent, informed way is simply not top-of-mind.

However, SMBs do not have to embark on some colossal effort as Williams seems to imply…

The first step can be to conduct a risk assessment to help you understand the biggest, most urgent areas of concern in your organization. This helps you establish a baseline and understand who you should be talking to first.

Finding these urgent problem areas and taking steps to address them can be a great first win. Think about what you can achieve in the next 2 or 3 weeks, similar to the agile approach frequently used by IT departments. Small sprints like this instead of a lengthy marathon formalizing a process can demonstrate value early and often, help avoid overwhelm, and win-over skeptical executives, among other benefits.

“But Carol, I have serious budgetary constraints” you ask.

Not to worry. It’s true that formal ERM process can be time-consuming and expensive. Much of the literature out there, including Williams’ article, seems to imply that organizations need to have a dedicated team, which isn’t true. As I explain in a previous article about ERM on a budget, there are several ways SMBs can harness ERM to help their organizations without a huge cash outlay.

In addition to steps mentioned in that article, SMBs can also to reduce time and financial cost of ERM by adopting lean six-sigma principles to streamline as much as possible.

small and midsize business

Once you understand what works and what doesn’t, you can then document any “process” so any future activities will be easy to execute. But most of this should be ingrained into the mindset and culture of the organization.

Your company engages in risk management to one degree or another, at least I hope. But to maintain a competitive edge and grow in this unstable, constantly changing world, companies have to take risks in an informed way.

Are you a small or midsize business who is struggling to integrate risk into strategic decision-making to ensure success?

The topic of ERM for small business is something that I feel is not given the attention it deserves considering the challenges these organizations face in today’s world. Therefore, I invite you to leave a comment below or join the conversation on LinkedIn.

If you are a small or midsize business who is growing frustrated with a lack of progress or results, please don’t hesitate to reach out to me to discuss your specific needs today!

Featured image courtesy of Tim Mossholder via

Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More