Do smaller companies manage risk better than larger ones?

January 16, 2022

That seems to be the assertion by my good friend, Alexei Sidorenko, in a 2017 blog post I read for the first time this last week.

“Why risk management in SME is better than in large corporations” makes a number of good points. Here are some, with my comments.

  • SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value.
    • Comment: neither can larger companies. The reason (IMHO) that many CROs feel starved of top management attention, let alone budget, is that top management just doesn’t see the value. They see it as a compliance activity that may satisfy the regulators and the board but doesn’t help them manage the company for success. It consumes management time that is needed for problem-solving and decision-making, rather than helping them make informed and intelligent decisions.
  • Do modern day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern day approaches used by the risk managers are so academic and superficial, that management has a tough job buying it.

Alex asks some penetrating questions to build on these points, including:

  • do risk assessments really change the way business processes work, change the manufacturing process, change the way products are sold?
  • do risk assessments change the way executives make decisions and is risk analysis available on time to support every significant decision? do they? really?
  • are risk registers looked at by the CEO before making an important decision?
  • do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?

He continues:

  • SMEs don’t do risk management to mitigate risks, they do it to make better decisions
    • Comment: This should be the case for every organization of any size in any sector.
  • we seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help them make better decisions and hence achieve the objectives.
  • SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or some other regular interval. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analysed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, you are probably doing something wrong.
  • If there is one thing I learned over the years is that no one in the company and I mean NO ONE, except the risk manager, cares about risks. Well maybe some about-to-retire audit committee member as well, but most of them wouldn’t have the courage to deal with the real risks if you showed it to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result. You can assign risk ownership to them as much as you like, no one cares. SMEs learned it the hard way, unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talk about high risks and the need to mitigate them. When instead they could be saying things like “the probability of meeting this objective is 10% unless we change things”, “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.
    • Comment: Blunt, but there’s a great deal of truth here. It’s not about managing risk, it’s about managing the business for success with informed and intelligent decisions.

Alex styles himself as outspoken, and he certainly was in this post.

What do you think?

Do you agree with him? If so, what needs to be done? If not, why not?

  1. Jay
    January 16, 2022 at 5:41 PM

    The comment “If there is one thing I learned over the years is that no one in the company and I mean NO ONE, except the risk manager, cares about risks” is disappointing. Be it the impact on organisational objectives, service delivery, corporate budgets, IT operations or safety, management do care about risk, they deal with them every day and I think comments like that only create a bigger divide between Risk functions and the broader business.

    • Norman Marks
      January 16, 2022 at 5:45 PM

      Jay, I will let Alexei Sidorenko speak for himself. I believe the point is that, for example, safety managers focus on safety rather than a list of risks on a heat map.

    • January 17, 2022 at 9:09 AM

      5 years later it is true as ever, no one cares about risks, business cares about cash flows, covenants, NPVs, IRRs, meeting targets, market share and so on. Risk is just a subset of performance or a decision, it’s not a thing to be managed in its own right. Sam Savage said it best, risk is in the eye of the beholder. Risk is never bad or good, risk is always too little or too much for whatever objective is at hand. Which, I am guessing, is what you mean Jay but you just read my sentence literally.

  2. Davai
    January 16, 2022 at 7:05 PM

    I see a lot of his risk management advice focuses on decision-making. But what about decision execution where many things can go wrong? After top management makes an important decision, the employees are responsible for tasks to realize the results of the decision – isn’t it just as important as making the right decision?
    Maybe I’m missing something but ‘decision-making focused’ risk management advice assumes that if an organization makes the right, risk-informed decisions/choices, then the results magically appear and the organization thrives.

    • Norman Marks
      January 16, 2022 at 7:15 PM

      Excellent question! First, management has to be monitoring the effects of their decision and, secondly, if things are not going as expected they need to make another decision. What are they going to do about it? As ISO 31000 says, risk management is iterative.

    • January 17, 2022 at 9:12 AM

      What about decision execution? Is it somehow mutually exclusive? I tackle one problem at a time. My experience tells me that ignoring risks when making decisions is the number one problem we need to tackle as a profession. Get that right, will move onto execution :))

  3. January 17, 2022 at 3:11 AM

    Norman. I agree with a lot of your comments. But I think both you and Alex are missing a point.

    To me, there is a very distinct difference between large corporations (LC) and small/medium enterprises (SME). LCs are like supertankers. Leadership is a team of hired executives who at best have a minor piece of skin in the game. This team needs to discuss and make political decisions on what to do and when. Hence, they cannot change direction easily. It takes time and a lot of effort. As such, they have the need for and resource to ascertain they choose well every time.

    SMEs are more like speedboats which can change direction very fast as they have not tied up a lot of assets in going the way they have chosen. In many SMEs the entire leadership team is one person – who often is the owner of the company and hence has much more than his skin in the game.

    On risk taking, SMEs more often make life or death decisions which are almost unseen in LCs. Hence, the inclination to think things through is stronger. However, I don’t believe they (except a very few) do data-based, statistical risk analyses (which some/many LCs actually do), but they make sure they can change course fast if a decision proves to be “bad”.

    Basically, I think comparing the risk management (or any other managerial approach) between LCs and SMEs is comparing entities with little in common and hence flawed or irrelevant.

    • January 17, 2022 at 9:16 AM

      Good news then, SME was just a metaphor and the article was actually about something else entirely :)) It most certainly wasn’t about comparing LC and SME. It was sarcasm about LC doing RM1 and having no one call out the bs

  4. January 17, 2022 at 9:05 AM

    The context of the article is important. I wrote it as a sarcastic metaphor for the FERMA conference in Malta in 2017 where I hosted a roundtable. The message of the article is not about small business, it was just a metaphor, the message of the article is that large corporations are so slow and bureaucratic that RM1 can happen unnoticed and unchallenged for years with no value for the business whatsoever.

  5. January 17, 2022 at 10:55 AM

    “Do smaller companies manage risk better than larger ones?”
    Answer = it depends.

    In my experience many manage risk for compliance sake only and don’t operate in an integrated fashion.
    Optimum input and evaluation is core to good decision making.

    LCs can be slow, SMEs can be too fast looking at short term opportunities and ignoring threats.

    I agree with this sentiment

    “unless an activity directly contributes to achieving objectives, it’s not going to be done.”

  6. Mike
    January 17, 2022 at 7:32 PM

    There are other activities a business performs that don’t bring direct value, e.g. compliance, safety inspections or back-office admin. If the thought is risk management has no value, should only focus on profits or NPV or other objectives etc… then why conduct it? Personally I think it is up to each risk manager to work out their space how they can benefit the business in decision making, execution and monitoring. It is also for senior executives to open up the space for those benefits to be realized.

    • January 24, 2022 at 2:39 AM

      You are incorrect in thinking that those activities have no direct impact on value. I also disagree that it should be left to each risk manager to figure out their unique approach to risk management and value creation. That’s why we consider risk management a profession and have associations. The value proposition should be consistent across the globe.
