Financial Risks in SMEs: How Management and the Board Identify, Assess, and Control Risks
Key Takeaways
- Risk management needn't be complex – but it must exist.
- A simple risk register with a traffic-light system suffices for most SMEs.
- The board has a legal obligation to oversee risk (Swiss Code of Obligations Art. 716a).
- Financial risks are often interwoven with operational and strategic risks.
Risk management sounds like a corporate affair: ISO standards, risk officers, and multi-page policies. For an SME with 50 or 100 employees, it feels oversized – and so often nothing is done at all.
This is problematic. Under Swiss law (Code of Obligations Art. 716a), the board has a non-delegable duty of oversight – including risk monitoring. This article shows how SMEs can build pragmatic, lean risk management.
Typical Financial Risks in SMEs
The key risk categories:
- Liquidity risk: Insolvency despite a profitable business (most common risk)
- Concentration risk: Dependency on a few major customers or suppliers
- Currency risk: With import/export or international invoicing
- Interest rate risk: With variable-rate loans or upcoming refinancing
- Credit risk: Customer payment default
- Compliance risk: VAT, taxes, regulatory requirements
- Succession risk: Key-person dependency in the finance function
The Risk Register: Simple and Effective
A pragmatic risk register for SMEs contains the following for each identified risk:
- Description: What exactly is the risk?
- Probability: High / Medium / Low
- Impact: High / Medium / Low
- Risk rating: Combination (traffic light: red/amber/green)
- Measures: What is being done to mitigate?
- Responsible: Who monitors?
- Status: Open / In progress / Controlled
This register is updated quarterly and presented to the board. Format: a single page or table.
Risk Management as a Board Topic
The board doesn't need to manage risks itself – but it must ensure they are managed. Concretely:
- Quarterly risk reporting by management or CFO
- Annual comprehensive risk assessment
- Clear escalation mechanisms for new or changed risks
- Documentation in board minutes
In practice, we at SOKURA see that many boards in Central Switzerland take this duty seriously – but often lack the tools to implement it efficiently.
Practical Example: Identifying and Managing Concentration Risk
A services company in the Lucerne region with 80 employees generated 42% of its revenue from a single customer. This was known – but never formally addressed as a risk.
Within a CFO mandate, the concentration risk was quantified: losing the customer would make liquidity critical within 6 months. Measures: active diversification of the customer base, contractual safeguards with longer terms, and a liquidity buffer as an emergency reserve.
Result after 18 months: major customer share reduced to 28%, emergency reserve established, board regularly informed.
From Obligation to Leadership Instrument
Risk management needn't be a burden. Properly implemented, it becomes a leadership instrument:
- It forces structured engagement with uncertainties
- It creates transparency between management and board
- It enables proactive rather than reactive action
- It strengthens credibility with banks and investors
Quick Check
- Does a formal risk register exist in your company?
- Is the board regularly informed about material risks?
- Do you know your top 3 financial risks?
- Are defined measures in place for each identified risk?
- Is the risk assessment updated at least annually?
- Are responsibilities for risk management clearly assigned?
Frequently Asked Questions
Is risk management legally required for SMEs?
How much effort does a risk register require?
Who creates the risk register?
Which risks are most relevant for SMEs?
Is an annual risk assessment sufficient?
Next Step
Want to introduce pragmatic risk management or improve your existing system? We help you set up a lean, board-ready framework.
