In a perilous world of increasing risks, many growing mid-market companies lack sufficient risk mitigation plans. Experts say that mid-market organizations need greater awareness of the risks they face and need to create more effective strategies to address vulnerabilities and strengthen their resiliency.
Rob Kastenschmidt, partner and national leader of risk advisory services at RSM US, LLP, said that many organizations do not fully understand the risks they have assumed, and whether they are monitored, managed and fully aligned with their risk tolerance. He said while regulatory requirements and management priority have historically guided risk management efforts, organizations must now consider additional pressures. “Even if resources may be tight, your organization can experience significant benefits from dedicating more effort to risk management,” said Kastenschmidt.
He recommends that mid-market companies start by leveraging enterprise risk management (ERM) and develop a culture that supports risk management with a “tone at the top.” Organizations also should develop a “defined risk appetite” that helps employees understand the risks their company is willing to take and helps management and the board align views around risk before an incident occurs. “There is no risk management approach that is optimal for every company, but several best practices can be leveraged and customized for your organization,” said Kastenschmidt.
Leaders at the Newport Board Group said that while big companies often have entire departments related to risk management, mid-market companies usually lack the resources and structure. Newport recommends annual reviews of risks along with regular reviews by outsiders who have not been involved in shaping the company’s decisions. It also recommends identifying the top five to 10 risks the company could face, striving to visualize what can go wrong, and thinking through the cost-benefit analysis of preventative and detective action. “Those that pose the highest risk need to be communicated regularly to the people who need to know and the adequacy of controls, insurance and other risk mitigation measures need to be regularly assessed,” said Newport partner Patrick Worsham.
AIG also noted in a report that as mid-market firms expand internationally, they need a new “holistic” approach to risk management. While risks can vary substantially by industry, threats from natural and non-natural catastrophes, as well as liabilities, are a broad concern, the firm said. Mid-market companies need to address a growing array of risks, including regulations, business interruption, local supply risks, cybersecurity, and loss of intellectual capital.
AIG also said mid-market companies need to consider a lot of the “simple stuff,” such as teaching employees risk safety measures, transferring backup data to distant locales, having more than one source for items that are critical to operations, and making physical preparations for catastrophes.
“Mid-market companies need to think bigger and consider more proactive ways to reduce potential setbacks. They must take a holistic approach to risk, ensuring that all elements of the challenges they may face are being considered in a methodical way,” said AIG.