So much can go wrong when you’re running an SME that it’s a miracle that anything goes right. Risks that feel like a proverbial molehill for large corporates quickly grow into mountains for small- to medium-sized enterprises, which have neither the size nor the resources to absorb the blows.

At the launch of Allianz’s 2024 Risk Barometer survey, Nikolaus Breitenberger, global head of business solutions and transformation for risk consulting at Allianz Commercial, summed up the challenge. ‘Smaller firms and family-driven companies just do not have the time and the resources to spend on these risks,’ he said.

‘Unlike large companies, they do not have dedicated people or departments working on “what if” scenarios to get an overview of their exposure and prepare. So, when a loss occurs, they are unable to respond quickly and take longer to get the business back up and running.’

Allianz’s survey revealed the top risks facing SMEs, mid-corps and large corporations, with the top three being broadly aligned, and cyber-risk in top spot across the board.

Cybersecurity is an especially urgent risk in SA, where the CSIR estimates the cost of cybercrime to the economy at about R2.2 billion a year. But while many businesses have cyber insurance, Ryan Mer, CEO of know-your-payee platform provider eftsure Africa, warns that businesses must understand its limitations.

‘While a cyber policy can certainly help you recover some losses and minimise the damage incurred, no policy will protect against every instance of cybercrime,’ he says.

‘With regard to business email compromise [BEC], notably, insurance generally does not cover compromise of the email of the third party you are dealing with [leading to manipulation of information received]. Therefore, should the compromise happen outside of the insured’s environment – which is basically every supplier, customer or third party dealt with – leading to a loss, this is likely to not be covered.’

Mer adds that best defence for SMEs is a comprehensive cybercrime strategy that aligns cybersecurity measures with internal controls. ‘A cybercrime strategy brings together elements of your cybersecurity strategy and your financial controls,’ he says. ‘It recognises the importance of information security but also recognises the importance of robust financial controls, like segregation of duties. For example, it’s critical that staff always conduct verification controls when any payment needs to be processed. This should happen even in cases where the accounts team receives a payment request via email from one of the executives – because such emails could be the result of a BEC attack.’

According to Cisco’s 2024 Cybersecurity Readiness Index, SA companies are dangerously unprepared for cyber attacks, with just 5% of businesses in the country ranked at the ‘mature’ level of readiness. Nearly 73% of the SA companies surveyed said that they anticipated a cybersecurity incident could disrupt their business in the next 12 to 24 months.

Business interruption ranks among Allianz’s top three risks for SMEs – and no SA SME needs reminding of the catastrophic impact of the COVID-19 national state of disaster or the July 2021 unrest in KwaZulu-Natal. But it’s not just once-off events that SME owners need to worry about – the threat of power outages and infrastructure failures persists, despite the recent easing in load shedding.

Yolenda Makhathini, a financial risk consultant at Aon South Africa, says planning for worst-case scenarios starts with structuring business insurance covers that are optimised to provide the best outcome following an event that interrupts business operations.

‘Calculating the right amount of insurance cover for your business is not a simple process,’ she warns. ‘It requires a thorough understanding of your risks, assets, liabilities and financial needs. And the bigger and more diverse the business is, the greater the complexity of the exercise becomes. Working with a professional insurance broker and risk adviser can help you make informed decisions when it comes to the right coverage for your business. It is also wise to look beyond the premises owned or occupied by your business to include those of suppliers and/or customers, taking into account the impact of major service providers on the business.’

Those third-party partners and suppliers represent another significant risk, particularly for small businesses that temporarily scale up their capabilities by bringing in external support.

Ryan Boyes, governance, risk and compliance officer at IT security firm Galix, highlights this as another risk red flag for SMEs. He says that as the Protection of Personal Information Act (POPIA) gains traction, compliance is becoming increasingly important. ‘However, while many businesses are working to ensure that they align with relevant laws, it is just as important to ensure that third-party vendors and suppliers too are compliant,’ he says.

‘The reality is that businesses may be held jointly liable if their third parties are not compliant, aside from taking on the unnecessary risks of data breaches, cybersecurity issues, reputational damage and business disruption, among others. Conducting thorough due diligence, including a comprehensive risk assessment, is essential to mitigate risk and ensure compliance throughout the supply chain.’

Again, this third-party risk highlights just how vulnerable SMEs are. Hermanus van der Linde, CEO of IntegriSure Brokers, underlined this in an opinion piece published on SME Day in July 2023.

‘The continued threats of load shedding and crime, coupled with the effects of the rising petrol price and interest rate hikes, as well as severe weather events due to global warming have had immense knock-on effects for small businesses,’ he wrote.

Van der Linde pointed to crime statistics released by the South African Police Services, which found that commercial crime had surged quarter-on-quarter by 10.1%, business burglary by 12.2% and shoplifting by 20.3%. He emphasised that each criminal incident – whether it involves stolen merchandise or cash – directly affects an SME’s bottom line. ‘Crime not only exacts a direct cost through loss of assets and funds but also imposes indirect expenses such as increased security measures, burglary-related repairs, temporary business closures and lost working hours,’ he wrote.

While risks such as commercial crime, load shedding and third-party POPIA compliance may seem like uniquely SA concerns, cybercrime and extreme weather are global concerns that have a real impact on local small businesses.

‘Smaller and mid-size companies are not insulated from global events,’ said Allianz’s Breitenberger. ‘They often have bigger dependencies on external markets than they realise and can still be affected by events in faraway countries. We have seen in the past how companies and supply chains in Europe and the US have been impacted by floods and earthquakes in Asia, or even by a ship being grounded.’

And while those threats affect all businesses, SME owners tend to find that their businesses are more affected than their larger and more robust counterparts.

By Mark van Dijk
Image: iStock