Episode 28: Risk Registers and SME Success

In this episode of the SME Growth Podcast, Dave Parry and Richard Buckle discuss the importance of SMEs completing a risk register. Whilst they are not legally required for every business, a risk register allows for businesses to be proactive on potential pain points and protect a business from potential detrimental problems.

Get the most from this episode in the form that works best for you: watch the episode, read the transcript or access further resources below.

Watch the episode

Want to listen later? Head to Spotify, the episode if also available to listen on Apple Podcast, and click here for all other available platforms.

Download one of our free ebooks

We’ve helped hundreds of businesses grow and have put some of our top insights into our FREE business growth ebook.

Download the ebook

Want to know more about how to drive leads using inbound marketing? Get our FREE “Intro to Inbound” guide today.

Get the guide

REad the transcript

Please note: Whilst all transcripts are double checked for accuracy, they are transcribed via Otter.AI so may contain errors.

David Parry 03:49

Hello, and welcome again to The SME Growth Podcast. I'm Dave Parry from Wellmeadow and this is Richard buckle.

Richard Buckle 04:13

Good morning.

David Parry 04:13

Good morning.

Richard Buckle 04:14

With beers and a squeaky table 

David Parry 04:19

The weather's getting good. We're getting into almost be persuaded that summer is on its way. Met office say we're in for six weeks of warm weather 

Richard Buckle 04:26

warm weather. Beautiful. 

David Parry 04:28

So what's today's podcast all about? Now this could be a dry subject. So as I tell you what it is don't turn off because I promise you there is more value to this than meets the eye. It's about risk registers, and why every company should have one and how to make it actually useful rather than just a form filling. Something to do. A lot of people see it as a bit of governance sort of stuff to get out the way but not and there's been countless occasions in our work, helping with companies during their board meetings where this come in useful.

Richard Buckle 05:00

I think it's one of those things, isn't it that you don't prioritise until it's too late. And then all of a sudden, it's, you know, once it's happened, it's seen as a bit of a kind of overhead to do, it will never happen. And then when it does

David Parry 05:15

It's a bit like do you think insurance that I bet you have a year where you just sign the thing and say yet renew the insurance? And yet do you have and then when something goes wrong, as we know, that has happened a couple of times with clients of ours, they crawl over every word of the policy when they were covered for this, that, on the other hand, why they didn't change it. So this is a bit like that, in a way.

Richard Buckle 05:33

I think there I find having gone through numerous risk registers with people, you can actually, you know, as sad as it sounds, make it a reasonably engaging I think once people engage with with a way of doing it, that actually becomes quite strategic, because it does force you to think about some real big issues or strategic stuff, then people generally tend to think that was a really worthwhile exercise going through

David Parry 05:57

what do you think, as a director, what's your responsibility as a director, you know, a number of them looking after the shareholders and the other stakeholders and the company itself? But how, how else can you be looking after the company if you're not looking for what might go wrong and trying to prevent it happening? So in a board meeting, it shouldn't really be that one minute checkbox thing at the beginning of the agenda, it should be something sometimes you might spend a good proportion of the board meeting worry about because there's some issues that need dealing with.

Richard Buckle 06:25

I mean, it's things like Yeah, even things like, you know, pandemics and things which for years, yeah, whatever, we'd always be, you know, kind of dismissed with a kind of roll of the eyes when you go through it. And then, wow.

David Parry 06:39

Yeah, absolutely true. So, I just wanted to start off by pointing out for anybody that's maybe not been familiar with risk registers in this sense, is not the same as a health and safety risk assessment. And when people talk about them, they sometimes get a bit loose for the language and confuse the two. And they are very different. So the main difference is that clearly a health and safety risk assessment is all about accidents and workplace risks. But it's also legally mandated by the health and safety regulations 99 act. So that's a different thing. risk registers are just a piece of good governance for companies. And it's not actually legally required for small companies. But it is for larger companies. So I looked this up, and it is in the 2006. Act, the Companies Act, although in the the addendum from 2013. And it says it has to be in the strategic report. So for large companies, you have to submit a strategic report, annual submissions, and that has to include a description of the principal risks and uncertainties facing the company. It doesn't say how you do that. It just says you have to include it. But there is an exemption for small companies,

Richard Buckle 07:44

I think as well, just as a side note, I not that I like a bit of Companies House kind of stalking is the wrong word. But yeah, observations. And sometimes when you come across that that section of a company's accounts, you can actually get some really interesting information about what they're thinking about direction of travel. So it's quite a good for me,

David Parry 08:04

do you think that's a good thing from their point of view? Or just good from your point of view to learn about them? 

Richard Buckle 08:10

I suppose you kind of, I suppose everyone's discretion to give away what they want to give away in it, aren't they? But you can learn a reasonable amount about a company and what it's trying to do and where it's gone wrong. And what's what's happened from those strategic reports and risk reports that they have to put into the account. Obviously, companies of a certain size. 

David Parry 08:30

Yeah, big interest if you had the time. And you found companies that maybe were doing really well or perhaps even more interestingly, those that weren't go back through the previous years of reports and see what did they say they highlighted these risks coming and had they got strategies to, to circumnavigate. I wanted to point out as well, that whilst we're talking about SMEs, mainly this being the SME growth podcast, if you're involved in other types of organisations, then different rules apply. So charities have a much lower threshold for where risk registers are required. And I've been amazed, actually, because it's governance is such a thing in charities, you've got a board of trustees, keeping an eye on you all the time. So I found that risk registers are always taken much more seriously in charities, which is a good thing, but have you wanted good examples of them? local charity, you know, talk about it. And the other one is solicitors, and not surprisingly, the solicitors regulatory authority, the SRA. They mandate that there has to be a risk register. And that's looked after by COLP. Do you remember what it stands for?

Richard Buckle 09:30

Compliance Officer Legal Practice

David Parry 09:35

as opposed to the COFA, the financial 

Richard Buckle 09:37

compliance officer for financial a financial something

David Parry 09:43

anyway,

Richard Buckle 09:44

financial adding? 

David Parry 09:45

Oh, yeah. So if you're in a the firm its more important, but just goes to show that these things in different sectors are regarded as essential in some cases, regulatory required, which doesn't mean that you don't do if you don't have to, probably means that this In this to take it seriously. So just good practice, generally.

Richard Buckle 10:05

So how would you go about? What's the?

David Parry 10:08

Well, I'm sure everybody listening has already been to the Resources page on our website, don't you think?

Richard Buckle 10:13

Well, we hope we trust

David Parry 10:16

the first place everybody goes to. So we've put on there a very good resource. It's, it's not ours, it's something we're pointing out that someone else has done. It's the ACCA, which is the accounting body, the Chartered Accountants, the Association of Certified Chartered Accountants, something like that. And they've produced a special version of a risk register template for small companies. It's quite manageable. Yeah, good. And like all other risk assessment risk registry type things, it's a combination of two or three factors, give them a score, you multiply together, and you get an overall risk number. And the only point of that is to help you prioritise the few that you can worry about, from the many that they

Richard Buckle 10:56

I'd say typically, maybe ended up with 50 to 100, risks identified on the long list

David Parry 11:06

on the long list and all prioritised for attention,

Richard Buckle 11:09

and hence the reason that kind of go through and maybe is it worth just sort of talking through what our approach would be or their approach and how we've used it in terms of

David Parry 11:16

yeah, probably a good idea? Well, just in terms of the scoring of that they're quite simplistic, which I think is useful, because otherwise you end up with long debates about what's the score for this and the other. So of the three main things that scoring, it's how likely is it happen? What would be the impact of it, if it did happen? And have we got some sort of control measures in place to control against it, and they score each other about three, it can't be zero, it's either one, two, or three. So it's nice and simple. So 123, and for the likelihood one, a one would be low. So it happens every five years, often, whereas a three is could happen every year. And the impact one, similarly, a three high impact could be a business failure, that one is low impact, you might lose a month's worth of profits, maybe even the middle of a year's worth of profit. So it's that sort of thing. control measures always hard to score. But if you've got good control measures, and you're actually following them, then you score one. If you haven't got any, or you've written them down, but you ignore them, then it's a three. So when you score those three together, the maximum could be three times three times 327. But generally, you get scores around about five to 15. And the guideline they have is that if it scores over six, then you should at least have it on your board agenda. And it gets discussed in a board meeting. So it's quite good. Is there a guideline, which is good, if everybody sticks to that, then because you and I think your time what the thresholds or the scores are. So we ended up, I would say, three, four or five risks in most board meetings, that we're keeping an eye on managing, and someone's being given an action to do something about it.

Richard Buckle 12:42

And some of those will just come out of the normal board meeting agenda anyway, won't they. So if you're talking about sort of financial risks, then normally they would get highlighted as part of a financial section of the agenda. But it's good just to have that record to be able to refer back to

David Parry 12:58

I'd say that that's true in principle, and I'd like to say that, but a lot of financial reporting sections on in a board meeting tend to be very backward looking. These were the results last month, year to date. Maybe they'll mention that. Yes. i Yes, Boss, I have submitted the company's house return for this year. Yeah. Often that gets ignored.

Richard Buckle 13:18

I suppose the main forward looking ones cash flow, isn't it? Really, that's where people, that's probably the biggest risk that most SMEs are going to have

David Parry 13:25

Yeah financial reasons are why businesses go bust, because of poor cash forecasting. So I thought be useful use of today's podcast to go through examples and actual risks that we see being talked about, just to make sure that people think about them properly, and maybe a bit more deeply than they're used to doing to think, Oh, am I looking after that risk? Is that a risk for me? Yeah, have I done? Are we at risk of really losing our business, potentially, if we don't manage that. So I came up with a bit of a list to go through, and we'll talk about not put them in any order. They're the ones that came to mind as most commonly talked about by businesses. But actually, as I got to the bottom of the list, I started coming up with almost bigger risks that people aren't dealing with, which means talking about a bit more, yeah, could spend a couple of hours on this. And I promise if you're listening, that we're not going to, but over the next 10/15 minutes or so we're going to rattle off a bunch of these and then just try to prick your conscience a little bit just make you think about your business. 

Richard Buckle 14:25

So I guess top of your list is flight risk people leave, key people in the busiess

David Parry 14:32

So you could look at this either what I do to prevent it, and then what I do if it happens, and all that sort of thing. So preventing it, usually get down to the other pay and rewards competitive. You know, is there any reason why someone might want to leave or they well respected and get enough challenges to they see the career in the business and that sort of thing. But you could tie them in in more systematic ways. You could give people shares that disappear if they need for leave. I've seen, in fact, they talked about it in that book we've talked about before, the

Richard Buckle 15:07

Built to Sell? Where you have the three bonus spread over three years. So

David Parry 15:10

every time you get a bonus, you get a bit of it straightaway a bit of it next year and a bit of the year after, and it accumulates over time. But if you leave, you lose them, they don't get paid out. Some people do that sort of thing.

Richard Buckle 15:21

Another thing of leaving as well, which is maybe a little bit morbid is just people dying as well, isn't it, that we have seen that, you know, sad cases of that happening where key people have passed away? And it's not? Yeah, that's, I suppose there's not much you can do about that in one sense. But it's prevented because that's life, right?

David Parry 15:40

People have accidents or have a nasty illness or something. But you can put things in place. And insurance, for example. Yeah. And we were having this discussion the other day when we were the financial advisor. So the key man insurance or key person insurance insures the company against the costs of losing a key person, which may be for an interim or the recruitment of replacement or even lost income. But you may also want to have some sort of shareholder protection in place if their shareholders with cross cross option guarantees. So you don't end up with the estate of a deceased person owning the company. And put that in place. I think probably worth mentioning restrictive covenants as well. If somebody leaves if they're going to leave, they're going to leave. Yeah. But you are allowed to put something in the contract to stop them competing with you, or soliciting away your staff soliciting clients, but only to reasonably short periods of time. So as you try and lock people in for too much. It's deemed to be unenforceable, isn't it? Yeah, stop. People will speak to a lawyer about that. So yeah, flight risk. The other thing about flight risk of people I've seen this done quite effectively, is rather than putting them on your main risk register, especially if that's reviewed by a broader board or a broader group of people have a kind of second risk register just for the people. And then you can talk about that with a smaller group, right people. It'd be odd, wouldn't it? If you were sat around the boardroom table and said, well, the, the risk of the sales director leaving is quite high, but the impact isn't 

Richard Buckle 15:55

We would quite like him to leave

David Parry 17:07

You probably wouldn't get a very honest discussion about that. So it's worth maybe keeping the flight risk of senior people on a separate list.What else?

Richard Buckle 17:17

Low order intake?

David Parry 17:19

Yep, that's probably the biggest risk that we try to think about naturally, every month, are we getting the orders coming in? Is the revenue okay? Is the forecast okay?

Richard Buckle 17:29

Trying to manage the kind of the levels of order intake as well? Isn't it you don't want something too spiky, hard to manage? How do you keep that kind of steady flow? 

David Parry 17:39

We've seen some clients do this quite well, I send out in their busy season, they send out regular emails saying what the lead time now is, because we're getting busy. So lead times gone out an extra week or two and at least customers are about to be customers are aware,

Richard Buckle 17:53

when you think about seasonality of your business in that as that kind of I mean, that's sort of predictable. There's a bit of there's a bit of knowledge around that isn't that but it's still I suppose,

David Parry 18:02

it doesn't have to be. It's a busy period. Yeah, just telling people, we're getting busy at the moment, for whatever reason, lead times are being pushed out. If you've got projects in the future, think about placing the order a bit sooner than you would have done.

Richard Buckle 18:15

So it's something that we think about quite a lot and talk about what a lot is, and with respect to that is understanding what is it that drives your growth? What is it that's driving those orders?

David Parry 18:23

Have you got a growth engine?

Richard Buckle 18:24

Is it all reliant upon a few key people in the business? Is it a system that can still run if none of the key people are involved?

David Parry 18:32

I think the perfect growth engine in a business is one where, if you wanted to turn the wick up or down, then you could. So if it looks like you're running short of work, this there's a lever you can pull. Yeah, that may be a pricing lever, it may be that you invest more in marketing or advertising for shorter term result might be taken more salespeople, and similarly in the opposite direction. So yeah, that's it's good to understand what your growth engine is. And don't forget, sometimes your market will take a downturn rather than your market share being the problem. Maybe there's an economic problem in the country. So I think it's worth working out. Who is it that's keeping an eye on the commentators in your industry? Who reads the trade press? Who's looking at the general economic outlook? Yeah, we do our quarterly Roger Martin Fagg economic report. For this reason we're trying to help our clients keep abreast of what's going on.

Richard Buckle 19:23

On the sort of macro level. Yeah. I suppose competitor activity as well, isn't it as another thing is another risk if you 

David Parry 19:32

You know, companies have had this time and again, where competitors appears, they're quite established by the time they start causing problems. And it's almost like a blind spot. You know, companies are so focused on what they're doing. They don't tend to always look around and see they may come across them a bit where they're losing out on bids or tenders or they lose a piece of work. They ask why are we giving it to someone got to be careful that you're properly assessing whether that risk is going to become on much more significant,

Richard Buckle 20:02

I suppose there's a bit of tension here isn't there between doing that analysis to keep keep the sort of competitors on the radar versus constantly looking to see what everybody else is doing and not focusing on your own business. Because that's, that's almost the other side of the risk go going too far. That way.

David Parry 20:16

There's an analogy, you can't win 100 metre sprint, by looking over your shoulder, you're gonna succeed by looking over your shoulder at whatever you're doing, other than by taking inspiration from good ideas that but also keeping an eye on you know, are they at risk of poaching some of your staff, let alone your clients either come up with new products? Or is there pricing different from yours? Have they thought about different ways of bundling things? That's all worth keeping an eye on your competitor?

Richard Buckle 20:39

Looking at LinkedIn? You know, Sales Nav Is a good, a good tool there for mapping out organisations

David Parry 20:40

I use Google Alert quite a lot as well. Yeah, I type in a search term on the various competitors, or even prospects and get Google to send me an email if something comes up within a minute. You mentioned companies house

Richard Buckle 20:57

Yep, do a bit of Company House, looking around, see what people are doing. 

David Parry 21:00

You can set alerts on that too? Have companies interested in and it'll tell you whenever they've submitted their annual report

Richard Buckle 21:06

i'm trying to have a look at and I guess you get more detail. When you've got a large company for you know, it's just a few rules of thumb, isn't it around looking at a balance sheet? Because that's normally all you're gonna get a set of accounts for a smaller company, and just looking at okay, so what the debt is? Okay, what kind of payment terms are typical for that industry? Is that going up or down? You could imply a kind of turnover, figure off the back of that, maybe look at the creditors, same sort of thing, number of employees, you know,

David Parry 21:32

Sometimes you see the cash balance in it or debt generally. Obviously, overall valuation

Richard Buckle 21:37

have if they break out the corporation tax, and you can kind of see the profits. 

David Parry 21:43

Sometimes companies put in way more information than they need. Their accounting is being lazy and hasn't done the whatever they call it these days at bridged accounts or filleted accounts, or whatever it is. Yeah, exactly. So Companies House, Google Alerts, LinkedIn Sales Navigator, just keep an eye on what's going on in need to devote some time to do it, because you won't just wake up one morning and have some spare time and think, What should I do? You've always got to diarise it, or maybe delegate someone else to collect the information. 

Richard Buckle 22:11

Revenue dependency as well as a big risk, isn't it?

David Parry 22:14

Oh, gosh, we've had such it was really sad stories, haven't we, with some of our clients here, where it runs away, it gets too much. And then they, they lost. And it's terrible when you see it, because the effort and the motivation, it's all very positive, and people are trying to do the right things. And they're being successful, you know? And yeah, and there's one customer keeps coming back asking for more and more and more, and you want to grow your business? So you say yes. And we've had one client where it went up to 80%. And in fact, I've spoken to the ex-MD of that this week, and he's gonna come on as a guest in a few weeks time. So stay tuned for that,

Richard Buckle 22:45

That'll be good

David Parry 22:45

It'll be very good to talk about that. But it's very hard to argue to prevent it happening other than to take a very strict rule. So as your business you agree, what's the maximum percentage of our turnover? We want anyone to have? And for us, we say it's, well, we'd like it to be 10%. It's gone up to 20% in the past, but it's lowish, I think we Yeah, back to 10. If you're getting up to those sort of numbers, you can't just carry on hoping it will go down, you've got to start saying no, to the big customer. And putting more effort in winning other customers

Richard Buckle 22:47

It's such a fine balance, though, isn't such a fine balance, because it's so it's so hard to you know, if you've got that kind of, you know, 80 odd percent dependency upon one particular customer, then had, you know,

David Parry 23:33

You don't have the time to look at anyone else. I think you're right is a tipping point. And maybe if it gets to 30%, maybe even 20%. That's where the tipping point starts had that effect. Because you feel as if now you got to keep that client or customer really happy all the time. So you end up potentially over delivering, you do work that isn't in your sweet spot, just because you're a trusted partner, and then you have to do more and more, and you don't do your marketing anymore. Yeah.

Richard Buckle 23:58

Well, I think there's yeah, there's that point at which you almost go native, isn't it, you become almost an extension of your customers business. And at that point, then it's like you say, requests become more varied. They become more kind of almost as if you're an employee rather than

David Parry 24:16

We have had that case, we had one of our team that was working at one of our clients a day a week, and then the client, and they know who they are if they're listening, asked for them to do two days a week, and we sort of grimaced and went, Okay, then they went for three days a week. And that was the point where we had to have a discussion and we said, look, you might as well employ this person, and we came to an arrangement where that worked for all parties concerned. Because you can't afford to have one of your people just permanently in another firm is just not going to help you focus on what you need to do. 

Richard Buckle 24:47

Discipline, isn't it on that one?

David Parry 24:49

Very much so but please, if you're listening, and you've got a customer with more than 10%, certainly more than 20% Do something about it. Don't let it drip, drip, drip gradually become 30/40/50% Because there's only ever ends in disaster, 

Richard Buckle 25:03

Short term game. Long term pain. So that's the sound bite for this episode, got the short sorted. Bad Debts as well, isn't it? There's another thing.

David Parry 25:16

I'm gonna touch wood when I say this because on the whole, we've been reasonably lucky over the years, I've been trading now for 13 years in, in this limited company, we've had two or three, and even then they've been manageable amounts. But we do have terms which ask people to pay upfront for we do it all the time, short payment terms. And we can just stop working with a client. You know, I think every company needs to remind yourself it has the power to stop. You can put a customer on stop. Now. Okay, maybe they'll go somewhere else. But do you want to fight to keep customers that aren't paying? Yeah, you have to be very alert to it.

Richard Buckle 25:52

There was one time when we tried to negotiate some bikes wasn't there for a debt

David Parry 25:57

Wonder if he's listening it didn't work out Anyway, that didn't work out. But you can get credit insurance. You can do credit checks. It's amazing how many people don't do a credit check on a new client. And it's okay. Even if you're going to deal with a large company, we've done this before, almost get them to apply for a credit account. Oh, yeah you want 30 days credit from us? Well, fill this form in at least, you know, tell us what you did in your accounts last year and that type of thing? So yeah, it's it's an interesting one that because once again, the discipline short term pain, maybe you got to run the risk of that client falling out with you on day one. But better to have that discussion up front

Richard Buckle 26:37

or even. I mean, it's just slightly different. The other side of it, really, but looking at, if you're working with potential supplier, you want to make sure so this week, I had a meeting with a company that, you know, might say they are but wanted

David Parry 26:49

to sell a service to us?

Richard Buckle 26:50

Yeah. And it was all very seemed to interesting. But again, go on Companies House and have a look at the balance sheet and see whether or not that's the type of company that what's the risk there in terms of

David Parry 27:02

and you looked at them?

Richard Buckle 27:03

I looked at them.

David Parry 27:05

And we're not? I don't know

Richard Buckle 27:06

It raises the question then doesn't iy. Are you sure? Well, it just yeah, just ask the question and just see if you get the explanation. If the explanation seems plausible, then yeah. Take it from there, isn't it?

David Parry 27:22

So there's a few there that are on the financial side, I was thinking then in my list, turning to more infrastructure, type things. And maybe when people talk about business continuity type stuff for crisis management, they think about more the infrastructure, and they often use the scenario of the plane landing on the factory and this, you know, every factories got a plane about to land on it. Just like every key person is about to go under a bus, that same bloody bus. So infrastructure stuff, so fire, flood, I guess it comes in two fold this, you've got to do your own precautions, don't rely on someone else. Preventing the problem, clearly, you can have all the smoke alarms and sprinklers as you want. But if you're not as a leader of the business, leading by example, and saying that that's dangerous, that dodgy you shouldn't put that combustible material in that cabinet with some server in it where it gets hot. But you know, you've got to show to everybody else that this is important, because the risk is you see are massive. So prevention is better than cure. But then insurance and a very sad example, where the insurance was the problem, and that caused the company to bust in this case.

Richard Buckle 28:33

Yeah. Check the terms, isn't it? Yeah, I think that's the lesson

David Parry 28:38

there are always requirements in insurance policies, even if you think you're covered. There's the conditions attached, and you've got to make sure you know them otherwise, you might as well not have the insurance. And that's what happened in this case. And yet led them to have a problem. So yeah, be aware of all the potential infrastructure problems. Flooding, we're actually on the edge of a floodplain here in the middle of Shrewsbury. Shrewsbury is known for flooding at least once a year. And the height highest flood ever is about two feet away from our front door. But we do have flood cover. And that's okay. Because there's a condition in which says that we have to make sure that all of our IT equipment is at least two feet off the ground. So the most thing to do is replace carpets. Yeah. And maybe wall build decorations. So knowing that that's that risk, and that we've taught everybody about it. You can't put computers on the floor.

Richard Buckle 29:26

I did do a King Canute last time, just stood there, No further. Gandalf YOU SHALL NOT PASS. If anyone's got floods, Rich is available for hire or come sit in his chair I don't guarantee anything. But if your last resort, give it a go. And anyway, IT failure. That's another one that

David Parry 29:52

you know this on a very low level of scale this last week was it this week? I remember when our internet went down fortunately only an hour or two, not the end of the world tell the staff and they can either work from home or they wait and come back up again, was nothing to do with our equipment, it was something in the cabinet in the street. But it's led us to think hang on a minute, if we're solely dependent on wires coming into the building, we do have a 5g dongle that we use when we're on location where we've been streaming before. So we've just pressed that into action. We bought some external antenna so that we can plug that in and have that as a different source of internet. And of course, people can work from home as well. But think about other IT failures server failing. Here, what backups Have you got?

Richard Buckle 30:36

Just yeah, ageing equipment as well. There's a risk potentially related around the kind of productivity risk of having very slow it. 

David Parry 30:46

There's a good point, people don't necessarily see that as a risk, because it's not failure. But imagine if your efficiency of everybody was reduced by 10%

Richard Buckle 30:54

Or if you had, if you had 50, people that were all waiting, you know, two minutes to log on every day, or then blue servers. And then we've got plenty of examples of places where they've not really put the investment into the it that they should have. Or they've cobbled together systems that don't really talk to each other properly, and as a result, the time lost in IT failure and poor productivity is crazy. It's you know, you could be talking an hour a day per person or something.

David Parry 31:22

Well, this very much touches on last week's podcast, isn't it about productivity. So make sure you got your backups and why it's obvious stuff. You hopefully will always work that one out. Yeah. You never know. Worth checking. Physical break in. Well, we may have had a break in a couple of years ago, we weren't quite sure why I've just been so optimistically, walking in while the doors unlocked. And fortunately, the only thing we lost was a coat. So maybe it wasn't a break in? But these days, I think it's true but what tends to get nicked, but anything big and bulky is unlikely to get next monitors. So by everybody. That is something inch 4k monitor, they won't go and anything hard to shift, you know, laptops, these days, whether they're easy to sell or not, by the time they're all encrypted and stuff. But if you've got camera equipment and things that are more desirable, watch for that. And what can you do put locks on the doors. We've made a good example with that client that did the security cameras, we learned quite a lot there about the uselessness of Home Security

Richard Buckle 32:29

because you've got to have 80% of your face. It's got to be on the screen or something. So if someone's wearing a balaclava or cap or whatever, just that will be ruined if your camera doesn't capture. Yeah, it's got to be enough for it to be beyond doubt that that's the person 

David Parry 32:44

That's right, didn't they say that often when they go to court with video footage of the criminal entering the premises that the defence barrister will often say isn't it funny that video footage you've got looks just like my client? But you can't proove he's there, unless apparently they've got a tattoo and becomes an identifier. Much more reliable in evidence. The main point about having security cameras if you're going to go down that route is to alert a person to respond the police or security company, rather than just having to watch while you're crying, seeing somebody nicking your prized possessions. Yeah. Now this next one does give me some sort of sleepless nights, I suppose. Because you're one step away from this triggering, cybersecurity. 

Richard Buckle 33:34

So apparently, turns out that less than 1% or 1%, or less than one person, a very tiny amount of people, small, smaller business. So 1%, less than 1% of businesses have cyber insurance, which is actually pretty crazy, given that the risk is pretty massive. 

David Parry 33:52

Well, we've seen it, we've seen it. We've had clients who you know, maybe only lose only lose 80 grand 100 grand, it's enough that it dents, your pride, if not your balance sheet. Maybe it doesn't kill you. But it's been done very, very cleverly by impersonation and hacking email accounts and writing emails as if they've come from the MD telling the FD to pay someone, people lost their jobs over this. So is really serious. But the amount of phishing attacks we get every day, had a spate of them this week telling us that our office 365 is about to go down on please fill in this form, you know, you just got to hope that everybody remembers their training and remembers all that information you pumped out that they don't click on these attachments.

Richard Buckle 34:39

Now it we've seen it recently with a client that that did have cyber insurance. And you know, I think probably cost a couple of grand, isn't it cyber insurance?

David Parry 34:49

And yeah, maybe sometimes even cheaper

Richard Buckle 34:52

And the amount I think the bill came to 70 80,000. By the time the PR company had been involved crisis PR the IT specialists that have to do the forensic analysis, informing everybody that's potentially, you know, lost data

David Parry 35:08

Even with these ransomware attacks, apparently the insurance can cover the payment of the the cryptocurrency ransom, as long as you can show that you've done the training and is up to date with the knowledge, even if someone makes a silly mistake, you can still get covered by that. 

Richard Buckle 35:26

And I think with AI, this is only gonna get worse. Because you know, I'm just waiting. I just downloaded an app for voice impersonation. I'm on the waiting list for it just because, you know, 

David Parry 35:34

Who you going to impersonate? And could you just make a payment to this

Richard Buckle 35:35

I could impersonate anyone, couldn't I? But that's the point. I could impersonate anybody and then ring up, you know, imagine, then you think you're having a conversation with the MD or something? You know, we better be careful that we do this podcast actually. Yeah. It could be like it'd be taken our voices and ringing the office, couldn't they? They've got a voice signature. Need to have a safe word don't we?

David Parry 35:46

My mom used to work in a bank. And she had to have a safe question. If we were asked this question by any whoever the police or something? What question can you ask your mom to prove that it's her? You got one of them? I don't know. I'd ask you on that. Bad Leavers, we talked earlier about flight risk. If you have a bad lever, someone who's just for whatever reason really fallen out with you. There is quite a bit of risk that someone wants to create damage. When they leave, they can they can delete files, they can steal files, you wouldn't even necessarily know about that. They could contact your clients and send messages that are not in your favour, reputational damage to all sorts, couldn't you?

Richard Buckle 36:42

Exactly. So limiting people's rights to access on systems, that type of thing?

David Parry 36:47

Well as everybody knows every meeting, we mentioned HubSpot work. And it's amazing how many clients but all of their people as Super Admin. Easier. Yeah, access all areas. But that includes downloading all your data, deleting the file,

Richard Buckle 37:01

Upgrading the subscriptions, accident, someone the other day, might want to review who's who can do what actually, 

David Parry 37:08

Watch the access levels. And I know people feel that, oh, you're not trusting me, then I think it's just a conversation to say that as a company, it's dangerous, if everybody's got access to everything, yeah. But the consequence of that is, that means we have to clamp down access to some people on something. Stuff going wrong with the product, gets out to the customer, that's your worst bet, you're gonna end up with at least the costs of replacing it, you might have a warranty claim that goes beyond just replacement costs, you presumably you've got contracts that don't sign up to consequential losses. But nevertheless, to keep your relationship going with that customer, you're going to bend over backwards, presumably to try and solve the problem. So just to be aware, you can get insurance, again, against warranty claims, or you might decide to self insure, you should certainly make sure that your contracts limit your liability in these situations. So in a service industry like ours, you have to make sure that that's a limit to say a year's worth of the fees or whatever, you covered by at least that amount on your insurance. 

Richard Buckle 38:10

Exactly. And then things like internal quality issues that go wrong

David Parry 38:16

But you catch it internally, but there's a cost of that isn't there, and the amount in our work amount of proofreading, you have to do even at proposal going out, the last thing you want to do is, especially if you've worked on a template, you've left another company's name somewhere in the document or a howling typo on page one.

Richard Buckle 38:35

I would never do that, who would do that

David Parry 38:37

Who would do that? It's actually quite hard to proofread your own work

Richard Buckle 38:42

I can't I can't proofread my own stuff.

David Parry 38:44

And it's funny when you print stuff out, you see more than on the screen. I don't know why that is

Richard Buckle 38:48

I was proofing on Dropbox last night. And that worked actually really well. Because you can comment next to the way you said it just kind of seemed to be very effective way of doing it. That type of thing.

David Parry 38:59

it's just another one of those risks. Have you got procedures in place? This isn't about do I make mistakes or someone else's mistakes? But what are our procedures for making sure that any work that goes to a client or customer gets some sort of checking process?

Richard Buckle 39:13

Four eyes processes something, isn't it? And then I guess serious health and safety incidents? 

David Parry 39:20

mentioned risk assessments at the beginning. Yeah, that's whole new world. I don't want to go into all of that. But I think the main message here is leading by example. And one of the things that I often pick up boards on when they get the health and safety report is how many near misses have been awarded, especially by the board. Now there's the health and safety triangle that for every fatality, there's probably 10 Time lost accidents, and every time last accident, there's 10 non time lost accidents. And for every 10 of those has been a first aid injury and for every one of them, there's been 10 near misses. Yeah, so if you can capture the near misses up the pyramid, you you stop a fatality potentially, but it's an attitude thing. And lots of times you'll walk around an office receive a let alone a factory and see hazards. But you're walking along with one of the directors and they will say anything. So you've got to show by leadership that that's not acceptable. Can we please tuck away that trailing cable or not put that in front of the fire exit or whatever hazard

Richard Buckle 40:16

Walk on the designated walkways? What else we got legal and compliance risks?

David Parry 40:25

Yeah, you'd like to think these are relatively low ish in an SME, but you've got to make sure you file your accounts every year for sure. You got to make sure you've got your employee liability insurance in place, you know, certainly, relatively few. But you've got enough requirements. As your company gets bigger, you've got to make sure you've got the right number of First Aiders and those sorts of things, make sure you've got a good system for logging accidents, make sure that you're doing your fire alarm tests and evacuation drills, you know, all these sort of basic things that hopefully someone's looking after both on the health and safety. But also on the financial side. Yeah, you may have covenants that's often missed. But if you're loan with your bank, requires certain covenants to be in place, like your stock to turnover ratio doesn't exceed a certain amount or whatever, it doesn't get a certain amount, then you've got to make sure you're reporting on every month. Yeah. And it's only when you've got caught out that you realise no one was looking after it. So looking at that on your risk register. I think this last one is probably the biggest of the lot. Because no matter how well you're running the company day to day, if the direction you're going in if the strategy your company has isn't on a course for success. Then no matter how well run you are, you could have a very well run business go bust just ran out of customers. And I guess there's countless examples. Look at the top 20 companies in the S&P 500 in America from the year 2000. And last, how many of those are even in existence anymore?

Richard Buckle 41:58

How many? 

David Parry 42:04

Not many. But yeah, so yeah, companies go in cycles. But the ones that are very clever, are those that reinvent themselves, Kodak definitely reinvented itself after the wet film industry looks as if that was on its knees. And other so yeah, strategic risk. And think is Think carefully there, especially if you're a second generation owner, because we see this quite a lot. Founders tend to be very plugged in to the entrepreneurial spirit, they sell the company, and they're good at identifying a gap in the market and, and serving it. Now. Second generation often pick up that business and carry on turning the handle very successfully, maybe even put all sorts of innovations in because they've got different attitudes. But they haven't had that entrepreneurial moment. And they haven't had to identify a gap in the market or work out whether there's a market in the gap, and then serving it. So that's a big risk.

Richard Buckle 42:55

I think as well with, with the strategic risks. So many of these other risks almost feed into that in a way I don't think so. Have we got the right people around to do what we need to do? Have we got the right kind of funding arrangements and cash flow managed? And how are we going to fund all this? And have we got the right infrastructure in and IT to do what we need to do and be able to, you know, either adapt quickly or scale up or whatever? I think so that's that's where I think a lot of these other ones almost kind of was some of them are standalone on their own risks. I think the strategic risk takes into account a lot of these other risks to say, how do we, how do we manage, you've got an almost to analyse your strategy, strategic risks? Well, you have to have a feel for how these other risks are actually being managed?

David Parry 43:41

Well, some of the strategic actions you may take may be more internally focused. But the big ones are, you know, which markets are we playing? Where we want to play? How we going to win? Good. Well, that wraps up those list of examples, we could have gone on for lots more, but I'm hoping that people listening to it might at least be I don't know, just joked a little bit into some different way of thinking about the risks that their business is running daily. And what are they doing about it? Are they devoting time to thinking about it as a board? And are they prioritising which ones need some form of action?

Richard Buckle 44:15

So go to the website, and download the template

David Parry 44:19

on the resources thing, and there'll be a blog accompanying this episode. And we'll put some examples in there as well for for people and I'll even look up the answer as to how many companies in the top 20 in 2018 Okay. Anything else on that?

Richard Buckle 44:34

They were good. 

David Parry 44:35

Good. Well, we've nearly finished our beer as well. I've got through my Shiitake dark lager. 

Richard Buckle 44:39

How was it?

David Parry 44:41

Like a dark lager really. But it's alcohol free? It's great. We'll look forward to seeing what we get next week served up for our refreshments. So thank you once again for watching listening to The SME Growth podcast from Welleadow hope that's been of some use, please. pass on the news of what we're doing to your business, friends and colleagues. And if you can, give us a like, or a follow on whatever service you get your podcasts from. So good luck with your businesses and hopefully Tune in next week for our next episode. Bye now

Further Resources

As discussed in the episode, here is the link to download our free Risk Register template from our resources page. Don't forget to check out our wide range of helpful worksheets to empower your business to grow.