

How to Plan for Operational Risk as an SME Expanding Internationally

28 July 2020

Operational risks for SMEs are the day-to-day challenges a small or medium-sized enterprise may face when conducting business. These risks include damage to physical assets, systems failures, failed products, data theft or fraud.

Although you may have a risk management plan for your own country, moving into new, overseas markets opens your business up to a myriad of additional risks. Taking the time to update your plan with how you manage expected risk, and cope with the unexpected, provides your SME with the best chance of successful expansion.

When it comes to managing operational risk, there are three key stakeholders:

1. Customer Need 

Consumer need is at the heart of any business. To offer your customers the best possible experience with your business, it is critical that your operations are efficient and trustworthy.

2. Regulatory Requirements

Regulators set operating rules in the public interest within their jurisdiction. For all businesses, compliance with regulatory rules is essential. This should be a particular area of focus when expanding internationally because requirements can vary from one country to another. 

3. Business Assets

This includes everything your company needs to run on a day-to-day basis, from employees, physical equipment, and technology to supporting vendors. Most operational risk lies in this area.

It is key to your SME’s success that you consider all three stakeholders when it comes to operational risk management.

There are so many scenarios in which the day to day operation of your business may be impacted. Some of the most common include:

A data breach is a breakdown in security resulting in the accidental or unlawful disclosure of, access to or use of sensitive or personal information belonging to your business. This is particularly relevant to SMEs. Data from the EU Agency for Network and Information Security Report showed 61% of data breaches affected organisations with 1,000 employees or less. Although this includes incidents of cybercrime, many data breaches are the result of human error. This is also known as insider risk.

In addition to growing cybercrime rates, research is showing SME employees are a significant operational risk. A study of American SMEs found that 47% of data breaches were the result of employee error. From device loss to phishing scams, there are a variety of ways in which sensitive data is disclosed.

Business Continuity Planning is critical for SMEs. It is a roadmap that enables your company to continue trading, even in challenging times. Although the COVID-19 pandemic may be top of your list when it comes to thinking about business continuity, there are many other times when SMEs need to rely on a backup plan.

Cyber-attacks, floods, fire, or storms may mean your SME cannot operate in the way it usually would. Without the financial reserves of large or enterprise-level businesses, even a relatively short pause in trading may be detrimental to your business.

If your business has an operational risk management plan for your home country, it may only be a case of expanding this to include the additional risk you are exposed to as you begin to do business overseas. There are four key steps to adding to your existing operational risk management plan when growing your SME:

1. Identify risk

Review your expansion plans and identify any additional potential risk:

  • If you are moving manufacturing overseas, does your new location suffer from weather events?
  • Review any previous issues that have occurred in your home country.
  • Are there additional risks to employee health and safety because of your expansion?

The question ‘what if’ is powerful when it comes to identifying potential issues:

  • What if a key expat employee had to return from assignment early?
  • What if your premises was flooded?
  • What if stock was damaged?
  • What if your systems were subject to cyber-attack?

2. Assess the risk

Work out the level of risk using the following formula:

                Level of risk = likelihood x consequence

Give each potential risk a number for both likelihood and consequence, then work out which risks are the greatest for your business. Do not forget to include potential controls you have in place to mitigate each risk. Controls include:

  • Training
  • Personal Protective Equipment
  • Administrative Controls
  • Engineering Controls  

3. Manage the risk

Your business must then work out a plan to manage the risk through:

  • Avoiding 
  • Reducing
  • Transferring
  • Accepting

As an SME, you may choose to avoid certain risks by changing your business practice. Reduce the probability of risks that cannot be avoided entirely, such as data breaches, by:

  • Educating employees
  • Complying with legislation
  • Encrypting sensitive data

It may be possible to transfer some risk. For example, SME international health insurance plans protect your business from medical costs should an expat employee become unwell on assignment. Finally, there may be some risk you will have to accept as part of your business.


4. Monitor and review

It is important to monitor, review and update your operational risk management plan regularly as your business and the world it operates in change. Update it with additional challenges that may arise and remove those that may be eliminated by changes in technology.