There's a myth that risk management is a big-company sport — something you start doing after the IPO, alongside the legal department and the corporate jet. The myth has expensive consequences, because the reality is exactly backwards.
Large corporations survive their risks. They have redundancy, reserves, lawyers, insurers, and the sheer mass to absorb a bad year. A fifty-person company often has none of that. The key customer who leaves, the ransomware attack, the departure of the one developer who understands the core system — events a corporation would file under "challenging quarter" can be existential for an SME. Small companies don't need risk management less than big ones. They need it more, with less margin for error.
The good news: they also need much less apparatus. Here's the whole setup — one afternoon to start, roughly one hour per quarter to keep alive.
What to drop from the corporate playbook
First, permission to ignore things. You do not need: a risk committee, a chief risk officer, a 40-page risk policy, quantitative Monte Carlo modeling, or a register with 300 entries. These exist to coordinate risk work across thousands of people. You have a different advantage — everyone who matters fits in one room — and the lean process below is built on it.
What you keep from the big-company world is the core logic, which is size-independent: write down what could seriously hurt you, judge likelihood and impact honestly, do something about the worst items, and re-check regularly.
Step 1: One afternoon, one room, one question (2–3 hours)
Book three hours with the four to eight people who collectively know the whole business — typically the leadership team plus whoever runs operations, sales, and IT day to day. The framing question, anchored to survival rather than inconvenience:
What events in the next three years could threaten this company's existence or set it back years?
Collect without debating. When the flow slows, sweep these classic SME blind spots — they account for most small-company disasters:
Concentration risks: one customer over 20% of revenue, one supplier without an alternative, one product carrying the company. Key people: the founder, the lead developer, the salesperson who owns the top relationships — anyone whose departure or long illness would hit like a natural disaster. Cash: the payment default or late-paying big client that becomes your liquidity crisis; cash-flow problems are among the most common causes of small-company failure. Digital: ransomware, the untested backup, the online shop that is the business. Legal and compliance: the contract clause never reviewed, the data-protection gap, the certification your key customer suddenly requires. Premises and equipment: fire, water, the machine with the six-month replacement lead time.
Expect 20–40 raw items. That's plenty.
Step 2: Rate and rank (30 minutes)
For each risk, two quick judgments on a 1–5 scale: how likely within the next year or two, and how severe if it happens — where 5 means "threatens the company" and 1 means "annoying." Multiply. Sort.
Don't agonize over precision; you're ranking, not forecasting. The output that matters is the shortlist: the top 5–10 risks. In a small company, managing ten risks well beats cataloguing a hundred — you lack the overhead capacity, and honestly, so do the corporations; they just hide it better.
One rule during rating: the boss speaks last. Founder optimism is the strongest bias in the room, and small companies feel it double.
Step 3: One decision per top risk (60 minutes)
For each shortlisted risk, pick one of the four classic responses — avoid the activity, reduce likelihood or impact, transfer via insurance or contract, or consciously accept — and write down one concrete first measure, one name, and one date.
SME-typical treatments are refreshingly cheap. Key-person risk: documentation sprints, a deputy arrangement, a retention conversation. Customer concentration: a sales push explicitly aimed at the second tier. Ransomware: offline backups plus one restore test — an afternoon and a hard drive. Liquidity: a credit line negotiated before it's needed, invoice terms tightened. Fire and liability: insurance actually matched to today's business, not the one from five years ago.
The realistic constraint: you can seriously work on perhaps three to five measures per quarter. Choose accordingly — a short list that gets done beats a long list that impresses.
Step 4: Write it down — lightly
One page per risk is already generous; one row per risk is enough: description (cause → event → consequence), the two ratings, owner, measure, deadline, status. Ten to fifteen rows total.
The register's job in a small company isn't to satisfy auditors (though it will delight your bank, your insurer, and any certification body that comes asking — often at surprisingly favorable moments). Its job is memory: risk awareness fades under daily business pressure, and the written list is what keeps last quarter's clear-eyed decisions from evaporating by spring. A simple shared tool beats a file on someone's desktop precisely because it stays visible, keeps its history, and reminds people of review dates without anyone playing nag.
Step 5: The quarterly hour
Every quarter — calendared, not "when things calm down," because things never calm down — the same group spends one hour on three questions: Has anything changed? (ratings up or down, and why). Are the measures done? (celebrate the completed, re-date the slipped — but notice patterns of slippage; a measure postponed three times is a silent acceptance nobody decided). Anything new? (new customer dependencies, new systems, new hires and departures, new regulations).
That's the entire maintenance load: four hours a year of joint attention, plus whatever the measures themselves cost. It's less time than most companies spend choosing the office coffee machine, and it compounds: after a few cycles, the questions start being asked reflexively, in daily decisions, long before the quarterly meeting — which is the actual goal.
The quiet payoff
Companies that run this loop report the obvious benefit — fewer nasty surprises, faster recovery when things do go wrong — and a less obvious one: calm. The unspoken worries that circle a founder's head at 3 a.m. have been written down, sized, and assigned. Some turned out smaller than they felt in the dark. The ones that didn't now have someone working on them.
That's the whole promise, fitted to small-company scale: not the elimination of risk — you're an entrepreneur, risk is the job — but the difference between risks you're carrying knowingly and risks that are carrying you. One afternoon to start. There are few better trades available in business.