Managing risk is a key challenge to any business. As companies expand their operations, systems and infrastructure and become more complex, the risks they face also become more sophisticated and difficult to manage. Even for large companies this is a growing issue, but for small and medium sized enterprises (SMEs) the problems are even more pressing as typically SMEs don’t have the resources to address risk management perhaps as well as they should. However, if they were to consider this issue as primarily an outsourcing problem this could be one way of helping them cope.

A survey last month by Deloitte and search consultants Hedley May, on how well companies manage risk, found that corporates lag far behind financial services firms in risk management. Most have dedicated chief risk officers and indicative of how seriously financial services firms treat risk management is that their CROs are paid around four times the pay of their corporate counterparts.

The survey focussed on large companies, but the challenges are greater for SMEs. They simply don’t have the management structure in place to implement the risk practices of large corporates. Also with SMEs, risk management is often left in the hands of the CFO, yet risk is a far broader issue and runs through the whole operational side of a business.

The report identified two particular aspects of risk that corporates are failing to manage: strategic business risks and high-impact ‘Black Swan’ events (Tsunami/Fukushima, eurozone crisis, etc.). There was also criticism that risk management was too focussed on guarding against downside risk rather than looking at potential upside risks of say expanding to new markets or completing a major acquisition. Perhaps the management at Northern Rock and RBS might have benefited from stronger risk analysis of their strategies and acquisition policies.

To augment their risk management, SMEs might benefit by considering the problem as an outsourcing issue. Instead of looking to the CFO to be responsible, they should consider gaining input from strategic business or risk management consultancies, which specialise in assessing risk, conducting scenario analyses, and giving a suite of recommendations for senior management to consider. They can look at a business purely from the perspective of risk and advise on systems, infrastructure and management changes needed to optimise a company’s risk management.

As well as looking to outsourcing to provide support on overall operational risk management, SMEs can also look to specialist consultants to manage specific types of risk. For instance, IT risk is a well recognised threat for businesses. Typically the in-house IT team is focussed on the day-to-day operations and often does not have the time to keep up-to-date with the constant changes in regulation, updates on new viruses and malwares, new network security software etc. In a recent KPMG survey, 45 per cent of SMEs said they were not satisfied with their oversight of IT risk. By outsourcing the management of IT risk, companies can get detailed audits of IT risks, have input from specialists in IT risk and also not have a fixed cost on their books.

Similarly an increasingly recognised category is ‘people risk’. The recent scandal of the UBS rogue trader is probably the most extreme, recent example of this type of risk. And while large corporates may have the HR directors and fully staffed human resources function to, in the main, assess and guard against such risks, often the HR function at SMEs lies with the CEO or CFO. Again, making use of outsourced HR specialist consultancies can help SMEs protect themselves against hazards in this area.

In summary, by using outsourcing as a tool, not just to cut fixed costs or remove non-core functions from a company’s operations, but to help to proactively assist in risk management, SMEs can reap some significant benefits that will help to put their overall business on a much firmer footing.