Smaller-Sized Risk Management

Andrew Clark, Vice President, Department Manager, Small/Medium Enterprise (SME) Insurance and Risk Solutions, Marsh Canada Limited

“Risk management” can mean different things to different organizations. By virtue of their size, large organizations are often thought to be more interested and engaged in risk management.  As a result, little attention has been paid to delivering risk management advice and expertise to small- and medium-sized enterprises (SMEs) in Canada. This segment can be defined as companies with fewer than 100 employees. More than 98% of Canadian registered companies fall into the SME segment under this definition, according to 2008 data compiled by Statistics Canada.

Risk Management for Large Companies

For some organizations, risk management includes incorporating risk management strategies into aspects of their business planning, strategy, corporate vision and/or mission. Professional risk management departments might deliver the services. The full-time role of these individuals or their departments is to focus on opportunities to mitigate, transfer or avoid risks facing their organizations. Some organizations even consider effective risk management as a key to their success and profitability; consequently, they actively promote a risk management culture within their organizations.

Organizations with this level of risk management maturity often have more than 100 employees, multi-provincial or international operations, a significant geographic spread of assets and in some cases are publicly traded. They probably incorporate risk management as part of their corporate governance. They intentionally source and hire third-party consultants and an insurance broker with a depth of risk management experience. They are also likely to engage experts to assist with business continuity planning, product recall, etc. to contribute towards their risk management program and advise on risk management strategies in their specific areas. Historically, these types of organizations have comprised the target market for providers of risk management advice and solutions.

Risk Management for SMEs

In contrast to the above, for some companies, risk management may simply mean making a decision to buy insurance from a broker to transfer risk. These companies often do little to change their operations to mitigate or avoid risks and likely don’t see the value in investing in improving risk management practices, since they don’t often receive a direct and immediate premium savings on the insurance they purchase. Organizations viewing risk management this way typically have local or regional operations with fewer than 100 employees. The organizations’ founders often manage them, and they may or may not have a controller or chief financial officer in place. If they do have a controller or CFO in place, his or her role is likely incredibly broad: it might include anything and everything from handling accounts payable and receivable to making decisions about the organization’s insurance program.

These companies are commonly known as SMEs. Due to their size, they often cannot afford to have dedicated resources focused on risk management. And yet, these organizations need risk management as much as or more than the larger organizations described above for the following three reasons:

Attitudes and behaviours

Attitudes and behaviours become more difficult to change with time. As organizations age, they reflect certain attitudes and behaviours that become entrenched as standard operating procedures or generally accepted ways of doing business. Once entrenched, it becomes more difficult to change or adjust an organization’s culture to become more risk aware or adverse.

This can be particularly problematic for an SME that has grown to a point where it is beginning to do business with larger organizations. These larger companies may conduct audits of their business partners [i.e. SMEs], and evaluate everything from their internal accounting controls to their risk management practices.  Examination of similar factors may also be part of the due diligence process when an SME is being considered as a potential acquisition. If an SME does not have appropriate risk management and controls already in place, the larger company may rule it out as a candidate for acquisition or reduce the valuation.

SMEs and large losses

Small organizations are susceptible to large losses. Some might think big organizations have big losses and small organizations have small losses, but this is not necessarily true. In most instances, the size of two organizations with identical operations has little or no bearing on the severity of a single loss if neither has a history of losses. For example, one contractor could have 100 service vans on the road on any given day. A smaller contractor with identical operations might have only 10 service vans on any given day. If both organizations have only one accident that year, it is nearly impossible to predict which organization is more likely to have the larger loss. The chance of a large loss makes incorporating risk management strategies as important for SMEs as it is for large organizations.

Skin in the game

SME owners have a lot of “skin in the game.” Intuitively, most people would think larger organizations take risk management more seriously because they have more to lose. However, when large, publicly traded, widely held companies take on risk, its potential financial impact is ultimately spread across all shareholders, which can be hundreds – and possibly thousands – of individual or institutional investors.  The implications here are that shareholders might experience a dip in share price or reduction or elimination of a dividend. This stock, however, is probably only a small portion of an employee’s or investor’s widely diversified portfolio, and the financial loss isn’t actually realized unless the stock is sold. Also, revenue from share appreciation isn’t likely the investors’s sole source of income.

In contrast, for SMEs, the same risk and the impact of any subsequent financial loss are typically concentrated with the one or two people who have equity in the company. In addition, those holding equity in an SME typically have the majority of their personal assets invested in their organization and draw an annual salary directly from the profits of the company. Now consider the implications for the SME owners and their families of not being able to pull a salary from the organization to pay for their car, home or food.

Insolvency Risk

SMEs face greater risk of insolvency from an unexpected loss than larger companies. This is because SMEs typically have fewer assets available, less cash flow and generally thinner balance sheets than large organizations. The absence of cash flow or assets directly affects risk management decisions. In theory, this might result in an organization not being able to afford to purchase appropriate insurance coverage, thereby causing them to be uninsured or underinsured. As a result of having an inadequate insurance program, SMEs might have less money available for defence costs, settlements and/or judgements that would help them cover unexpected costs and sustain operations instead of being forced into bankruptcy or receivership.  

Risk Management Big and Small

Ultimately the applicability and value of risk management is not about big-versus-small or private-versus-publicly-traded organizations. Risk management is a valuable part of running any organization. These differences have been presented to highlight the fact that the SME market segment in Canada could benefit as much or more from the risk management strategies, processes and programs that are typically thought of as exclusively for – or more applicable to – larger or publicly traded organizations.  

Given this fact, the property and casualty insurance industry needs to consider carefully how we meet the “real” needs of the SME segment of the Canadian economy. If insurers and brokers are focusing on developing commoditized products, minimizing client interaction through online portals and failing to take the time to properly identify risks and develop strategies to address them, the best interests of the average SME are not being served.

SMEs that do not receive or value professional advice and fail to incorporate appropriate risk management now  might never realize their potential to become the large organizations of tomorrow.