Applying Risk Management in SMEs

As we have already seen in the article published last November 21st on the 34th AGERS Congress, in addition to keynote lectures such as that of Pablo Trueba (Marsh) and panel discussions, four workshops also took place simultaneously. Our expert engineer at MAPFRE Global Risks, María Teresa Queralt, took part in the one that addressed Risk Management for SMEs, led by Gonzalo Iturmendi, General Secretary of AGERS.


The objective of the Workshop, entitled "How can I implement Risk Management in SMEs?", was to respond to different professional profiles, such as entrepreneurs, managers and risk managers of small- and medium-sized companies (SMEs), when implementing or improving Risk Management within their companies.

AGERS is developing a guide under the same name as the Workshop, which is also intended to incorporate the observations and conclusions drawn from the meeting.

Definition of Small- or Medium-Sized Enterprise (SME)

A Small- or Medium-Sized Enterprise (SME) is defined as a company that employs fewer than 250 people and whose annual turnover does not exceed €50 million or whose annual balance sheet does not exceed €43 million.

Risk Management

Risk Management is the process of carrying out a series of sequential steps: defining scope, context, and criteria; identifying, analyzing, evaluating, and monitoring risks; treating risks; monitoring and continuing review; and recording and reporting.

SMEs are exposed to risks of all kinds. These risks can directly impact day-to-day operations, decrease revenue, or increase expenses. Their impact can be severe enough for the company to go bankrupt. Unidentified and/or inadequately managed risks may result in any company being subject to potential losses that could become catastrophic.

Undesirable events, the likelihood of occurrence, and their potential impact vary considerably from company to company, and from industry to industry.

Good risk management reduces the likelihood of a certain event occurring and, if it occurs, reduces its impact. Moreover, it allows for continuous improvement of decision-making regarding the risks and impacts of a business project within a company in a proactive and anticipatory, rather than reactive, manner.

Finally, it should be noted that although risk management helps the business owner make decisions, those decisions will be limited by how the identification, analysis and assessment of the risk is carried out, the person(s) involved in the risk assessment(s) and the information available throughout the process.

Good quality information is important for identifying risks. It can be taken from, among others, the following sources:

  • structured interviews
  • group discussions
  • audit results and reports
  • on-site inspections and visits
  • surveys, questionnaires and checklists
  • incident/claim databases
  • customer complaints, accreditation documents and reports, etc.

The people involved in the Risk Management process must be specialized and experienced, whether they come from within the company itself or from external companies. In addition, workers from the company who can provide experience and knowledge of the area and aspect under discussion should take part.

Identification, Analysis and Risk Assessment in SMEs

Risk cannot be managed if, once the scope, context and criteria have been established, it is not adequately identified, analyzed and assessed.

1. Identification of Risks

It aims to identify potential risks that may negatively or positively affect the activity analyzed and the objectives of the company. While some types of risks are common to almost all companies, others may be unique to their industry, or the type of company.

Some of the determining factors when identifying risks in SMEs are the size of the company, type of sector/markets, activity, age, business strategy, experience, type of process, etc.

In this risk identification phase it is very useful to group risks into “categories”; this will also help to better define the identification and analysis methods. Each company may define its own categories. For small- and medium-sized companies, as an example, the following risk categories are considered:

  • strategic
  • financial
  • operational
  • legal and compliance
  • and reputational.

Among the possible methods for obtaining information, discussed in the previous section, the identification of risks through questionnaires stands out, with questions such as: What can happen? Where and when? Why and how can it happen? What is the source of each risk? What could happen that could affect the company’s profit?

“Insurance does not imply that, by taking out insurance coverage, we will manage all risks”

2. Risk Analysis

After the identification phase, the business owner may have identified many risks, and it is often not possible to address all of them. The risk analysis phase will help determine which risks have the greatest consequences or impacts, so that action on them can be prioritized.

Risk analysis combines the probability of an event occurring with the possible consequences or impacts of the event. The result obtained is called the “risk level” (Risk Level = Consequence x Probability).

Types of risk analysis can be:

  • Qualitative
  • Semi-quantitative
  • Quantitative

Not all companies—or even areas within a company—will use the same method of risk analysis.

3. Risk assessment

Finally, the risk assessment will be performed, which involves comparing the level of risk detected during the analysis process with previously established risk criteria. It is then decided whether these risks are acceptable or require treatment and, if so, the type of treatment (avoid, reduce, share or transfer, accept) and the treatment priorities.

The criteria used to make decisions must be consistent with the external and internal context and take the organization’s objectives into account. Based on these criteria, the business owner will assess an identified risk to determine if it requires treatment or control.

When there is a risk that may cause one of the objectives not to be met, it is considered unacceptable and a treatment strategy must be identified.

Legal Risk Management in SMEs

Legal Risk Management is the set of methods that allows the identification, analysis and assessment of the risks of liability and of all the obligations to which the organization is subject by quantifying the losses derived from their occurrence, determining the losses for their elimination and/or reduction, optimizing them in economic terms, in order to preserve and/or maintain its material, personal and immaterial assets in the optimal position for the performance of their objectives.

Financing the risks in SMEs

Once risks are assessed and treatment is decided by risk transfer (external funding, insurance program, other forms of transfer) it is also important to clearly define treatment priorities.

Generally, the most commonly used transfer/funding mechanism is “insurance programs.” However, insurance does not imply that, by taking out insurance coverage, we are going to manage all risks, since, even if we design very complete coverages, there are always uninsurable risks or risks whose premium would be very high. Therefore, we should not think that merely transferring our risks to the insurance industry will be enough to ensure that we achieve our strategic objectives.

Insurance is a strategic tool that provides protection against a significant number of risks and reduces losses that could affect the small- and medium-sized business, but it is essential to have adequate identification, analysis and assessment; an updated inventory and asset valuation that allows the insured sums to be correctly determined; and updated information on the company’s profit.

Having set the appropriate retention thresholds, the transfer of risks to the insurance market is key and requires professional and specialized treatment.

Expert intervention… The medical examiner lands

The main function of the expert is to determine the causes of the claim; assess the damages caused by the claim in accordance with the General, Special and Specific Conditions of the policy; analyze the circumstances that influence the determination of the indemnification; and reflect in Joint Minutes the result of their interventions and the proposal of the liquid amount of the indemnification.

A claimable event is always a problem. Although, in the best of cases, proper insurance would allow 100% of the expenses generated to be recovered, the event would still generate multiple non-quantifiable damages.

The problem arises when the verification and Risk Management process has been carried out, the claim occurs and the insured party does not receive the compensation that they believe they should receive or, more seriously, the claim does not have a policy guarantee. This may be because the risk verification and management process has not been performed correctly and/or by specialized personnel, or that the assessed risks from the company have not been transferred correctly to the policy.

The most common problems detected in an expert report are:

  • Property Damage
      o Lack of assurance for that event (Non-Contracted Guarantee).
      o Incorrect Sums Insured (Under-insurance). Inadequate accounting information provided or not up to date, inflation and price increases, inventory spikes, new investments…
      o Aggravation of Risk (Rule of Fairness). Activity declared not adjusted to actual, characteristics declared not in accordance with reality.

  • Third-Party Liability
      o Declared activity does not correspond to the actual activity.
      o Inadequate or insufficient contracted guarantees.
      o Insufficient coverage limits.
      o Geographic scope of action of the company does not correspond to that of coverage.
      o Term.
      o Lack of collaboration by the claimant party. We can’t validate what we can’t prove.

  • Machinery breakdown
      o Coverage Limits.
      o Age of the machines/Sums Insured.

  • Loss of Profit
      o Coverage periods in many cases insufficient.
      o Declared Gross Profit Capital or Permanent Expenses (based on modality) must be annual. The period that is contracted is actually contracted.
      o Updated Insured Sums.

Avoiding Problems at the Time of a Claimable Event:

  • Company Management’s awareness of the importance of correctly identifying and transferring SME risks. Commitment.
  • Implementation of Risk Management (external, adequately trained internal personnel from different departments of the company, etc.).
  • Elimination of risks, corrective measures, etc.
  • Selection of an insurance advisor specialized in the activity sector.
  • Transfer by the insured party of the company’s actual insurable information.
  • Issuance of the policy and verification of the suitability of the policy to what is intended to be insured.
  • Monitoring, training and continuous improvement of the entire process.

Article author:

María Teresa Queralt, Expert Engineer in the Engineering Department of the MAPFRE Global Risks Unit.