The risk appetite of entrepreneurs and CEOs influences and drives risk management within SMEs. Depending on the stage of business development, the risk appetite is re-evaluated when new strategies are formulated. Personal characteristics can have a significant impact on business strategy and performance. As the company grows, the use of risk analysis and quantitative methods increases, along with the formal internal recognition of the need to implement risk management procedures.
Therefore, SMEs must decide how they want to take risks. None of the available risk management standards adequately explain how risk management can be applied to the specific situations faced by SMEs. This is why, compared to large companies, SMEs prefer intuitive decision-making and often do not implement formalized procedures (Crovini, Santoro, & Ossola, 2021).
Ultimately, it is up to management to decide how to implement internal control regarding risks. To provide some guidance, we first discuss the types of risks organizations face and how SMEs can begin implementing an internal control framework.
Types of Risks
Kaplan & Mikes (2012) distinguish three types of risks:
Preventable risks
Strategic risks
External risks
Preventable risks are internal risks that arise from within the organization, which are manageable and should be eliminated or avoided. Examples include risks from unauthorized, illegal, unethical, incorrect, or inappropriate employee actions, and risks of failures in routine business processes. Organizations should have a tolerance for minor errors or flaws that would not cause significant harm to the company, as complete avoidance may be too costly.
However, organizations should generally strive to eliminate these risks, as taking them does not lead to strategic advantages. This risk category is best managed through active prevention, namely monitoring business processes and guiding the behavior and decisions of people toward desired standards (Kaplan & Mikes, 2012).
Internal Control within Risk Management
An effective internal control system is one of the best defense mechanisms against business failure. Figure 1 shows the relationship between internal control measures as part of risk management processes and as a key element of corporate governance.
Internal control measures are a crucial part of a company's governance system and its ability to manage risks. These measures are fundamental in achieving business objectives and in creating, enhancing, and protecting stakeholder value (Moeller, 2014).
Figure 1: The Importance of Internal Control Measures (Moeller, 2014)
COSO Internal Control Framework 2013
Internal controls help organizations achieve key objectives while maintaining or improving performance. COSO’s Internal Control – Integrated Framework enables organizations to develop an internal control system effectively and efficiently, adaptable to a changing business environment, reducing risks to an acceptable level, and supporting robust management decisions (COSO, 2013).
This framework supports management and external stakeholders in their responsibilities regarding internal control without being overly prescriptive. The framework aims to achieve this by providing an understanding of what an internal control system entails and insight into when internal control is effectively applied (COSO, 2013).
Figure 2: COSO Internal Control Framework 2013 (COSO, 2013)
The framework supports management in the following aspects:
A method to apply internal control for any organization, regardless of industry or legal structure;
A principle-based approach that provides flexibility and allows for judgment in developing, implementing, and executing internal control;
Requirements for an effective internal control system, assessed by considering whether components and principles are present and functioning and how the components operate together;
A method to identify and analyze risks and to develop and manage appropriate responses to acceptable risk levels;
An opportunity to extend the application of internal control to other objectives besides financial reporting, such as other forms of reporting, operations, and compliance (COSO, 2013);
A possibility to eliminate ineffective, redundant, or inefficient control measures that add little or no value in reducing risks related to achieving business objectives (COSO, 2013).
Internal control is a dynamic and integrated process. The framework applies to organizations of all sizes. However, each organization can choose to organize internal control differently. For example, the internal control system of a small organization may be less formal and structured, yet still effective (COSO, 2013).
The COSO ICF 2013 distinguishes between three categories of objectives:
Operations
Reporting
Compliance
Summary
The risk attitude of entrepreneurs in SMEs largely determines how risks are managed, and personal characteristics can significantly influence their strategies. As the company grows, the use of risk analysis becomes more prominent. SMEs tend to rely on intuitive decision-making because existing risk management standards are often not tailored to their situation. The COSO Internal Control Framework 2013 provides a framework for implementing internal control principles, emphasizing flexibility and adaptability. With this framework, SME entrepreneurs can begin to take a more professional approach to risk management and internal control.
Sources:
COSO. (2013). Internal Control - Integrated Framework. Durham: COSO.
Crovini, C., Santoro, G., & Ossola, G. (2021). Rethinking risk management in entrepreneurial SMEs: towards the integration with the decision-making process. Management Decision Vol. 59 No. 5, 1085-1113.
Kaplan, R. S., & Mikes, A. (2012). Managing Risks: A New Framework. Harvard Business Review, 1-13.
Moeller, R. R. (2014). Executive's Guide to COSO Internal Controls: Understanding and Implementing the New Framework. Hoboken, New Jersey: John Wiley & Sons, Inc.