About the Author(s)

Micheline J. Naude
School of Management, Information Systems and Public Administration, University of KwaZulu-Natal, South Africa

Nigel Chiweshe
School of Management, Information Systems and Public Administration, University of KwaZulu-Natal, South Africa


Naude, M.J. & Chiweshe, N., 2017, ‘A proposed operational risk management framework for small and medium enterprises’, South African Journal of Economic and Management Sciences 20(1), a1621. https://doi.org/10.4102/sajems.v20i1.1621

Original Research

A proposed operational risk management framework for small and medium enterprises

Micheline J. Naude, Nigel Chiweshe

Received: 16 June 2016; Accepted: 28 Aug. 2017; Published: 04 Dec. 2017

Copyright: © 2017. The Author(s). Licensee: AOSIS.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


Background: The gap between small and medium-sized enterprises (SMEs) and large businesses that perform risk assessment is significant. SMEs continuously face many operational risks and uncertainties in their daily operations, and these risks threaten to reduce productivity, increase costs and reduce profits.

Aim: The purpose of this article was to develop an operational risk management framework that SMEs can use to identify and analyse risks in their operations and take corrective actions to mitigate these risks.

Setting: Small and medium-sized enterprises in South Africa do not view risk management as a key component of organisational success, despite evidence that businesses that adopt risk management strategies are more likely to survive and grow.

Methods: The article is exploratory in nature, and a conceptual analysis approach was used to formulate the framework. This study reviewed relevant literature sources on risk published between 2002 and 2017.

Results: The four process steps of risk management were used as a reference point and form the foundation for the operational risk management framework. The categories of operational, marketing, technical and financial risks were identified from a review of available literature on risk management.

Conclusion: There is a dearth of research that deals with operational risk management frameworks for SMEs. The expected contribution of this article, therefore, is twofold: firstly, it is envisaged that managers or owners of SMEs could use the proposed framework as a tool to appraise and minimise their operational risks; secondly, it will add to the current body of knowledge on risk appraisal for SMEs.


In the current business environment, businesses are required to compete in a global, volatile and dynamic market. As more markets have opened up for products, this has created the potential to increase sales and profits (Cheng & Kam 2008:345; Cocca & Alberti 2010:186; Hoffmann, Schiele & Krabbendam 2012:1; Simchi-Levi, Kaminsky & Simchi-Levi 2008:315). Despite these advantages and opportunities, businesses face tough competition with regard to quality, cost and on-time delivery to market. Consequently, businesses are required to improve their flexibility, quality standards and innovative capacities (Islam, Tedford & Haemmerle 2012:2). To achieve this, businesses need experienced and trained staff, reliable machines, efficient processes, good relationships with suppliers and customers, a supply of quality materials and services and other value-adding processes throughout the operations system. This is rarely achieved and many businesses, especially small and medium-sized enterprises (SMEs), face a number of business risks in their day-to-day operations that threaten to reduce productivity, increase costs and liabilities and reduce profits (Michalski 2009:213; Smit & Watkins 2012:6327).

When businesses find themselves in a position where unexpected events cause disruption to normal operations, resulting in financial loss and damage to their reputation, this presents as a risk. Shareholders expect businesses to identify and mitigate risks that may cause disruption (Hopkins 2017:24). Therefore, risk assessment is a necessary tool for all businesses (Benton 2014:363; Wu & Olson 2009:362). Even though tools for risk assessment like business scorecards are available in the market (Wu & Olson 2009:362), findings indicate that SMEs tend not to formally assess and manage their risks, but instead respond reactively by using risk avoidance and risk transfer techniques (Islam et al. 2012:4; Smit 2012:iii).

The gap between SMEs and large businesses that perform risk assessment is significant. In South Africa, a component of the King III report on governance is risk management. The report states that ‘it is the duty of the board of a trading enterprise to undertake a measure of risk for reward and to try to improve the economic value of a company’ (King 2012:6). However, SMEs in South Africa do not view risk management as a key component of organisational success (Smit & Watkins 2012:4). Islam et al. (2012:4) suggest that risk management is less developed within SMEs, despite evidence that businesses that adopt risk management strategies are more likely to survive and grow. By failing to assess the risks to which they are exposed, SMEs may find their success, reputation and credibility at stake (Dimopoulos et al. 2004:279). Some causes of failure in SMEs include poor management planning and failure to adopt risk assessment (Islam et al. 2012:4; Smit & Watkins 2012:6325).

In many cases, risk can be predicted on the basis of experience, but it can be better managed through a risk management framework. This would include identifying risks, measuring their probable impact, mitigating the risks and eliminating or reducing their effect with the minimum investment of resources (Verbano & Venturini 2013:1). The adoption of risk management is important when considering interruptions that can be caused in operational activities such as timely delivery, global competition and the strict requirements of customers (Servaes, Tamayo & Tufano 2009:94).

Accordingly, the purpose of this article was to present an operational risk management framework which SMEs could use as a tool to identify risks, assess them, take corrective action to mitigate them and thereafter monitor them. For the framework to be relevant it should, according to Cocca and Alberti (2010:187), not merely be a shortened version of a framework developed for large businesses; it should, moreover, remain simple and comprehensive; it should not be too demanding in terms of resources; finally, it must guide the owner-manager towards action or improvement.

The proposed operational risk management framework presented in this study is based on the four process steps of risk management, namely risk identification, risk assessment, risk response and risk monitoring and control (Sharma & Bhat 2014:26; Waters 2009:477; Young 2008:1). These aspects were used as a reference point and formed the foundation for the framework. The various categories of operations risks were identified from academic texts and are embedded in this proposed framework.

Research methodology

The article is exploratory in nature and a conceptual analysis approach was used to formulate the framework. Conceptual analysis can be defined as a technique that treats concepts as classes of objects, such as words, themes or characters. The technique involves analysing and interpreting text by coding the text into manageable content categories (Sekaran & Bougie 2016:350). Conceptual analysis was deemed appropriate to gain better insight into the risk management processes of SMEs, steps in risk management and the various types of risks. This study reviewed relevant literature sources on risk published in the period between 2002 and 2017. These included journal articles available on Google Scholar and Science Direct, academic texts, theses and reports dealing with SMEs, risk and risk management. In this way, the study examined: (1) the nature of SMEs, (2) risk and risk management, (3) the different categories of risk and (4) the importance of risk management. When this review was completed, a risk management framework was developed, which SMEs can use as a management tool.

Ethical consideration

Ethical clearance was obtained through the University of KwaZulu-Natal.

Theoretical review

Small and medium enterprises in South Africa

Small and medium-sized enterprises are businesses in the private sector and across all industries employing between 10 and 200 employees. The definitions of SMEs by industry sector or subsector in accordance with the Standard Industrial Classification are presented in Table 1. These definitions are based on the National Small Business Act No. 26, 2003 (South Africa 2003). SMEs are usually independently owned and operated and are closely controlled by their owners. Thus, the owners are responsible for the management of the business on a day-to-day basis, including areas such as marketing, production, human resources and finance (Nieuwenhuizen 2007:2; Smit & Watkins 2012:6325).

TABLE 1: Schedule of size standards for the definition of small and medium-sized enterprises in South Africa.

Small and medium-sized enterprises play an important role in the economies of many countries and therefore governments globally focus on the development of the SME sector to promote economic growth. The contribution to most economies by SMEs is significant as they constitute the largest number of businesses and employ a significant proportion of the labour force (Islam & Tedford 2012:2; Sousa & Aspinwall 2010:476). The role of SMEs in South Africa is no exception. According to the National Development Plan, South Africa’s SMEs play a key role in the creation and promotion of employment, particularly in labour-intensive industries (Davis Tax Committee 2014:5). SMEs are employers of unskilled labour and develop and nurture entrepreneurial skills (Smit & Watkins 2012:6324). However, SMEs are perceived as high-risk enterprises as their entry and exit levels in the market are high. It is estimated that 50% of the small businesses started in South Africa have eventually failed (Islam & Tedford 2012:2). Despite these high failure rates, SMEs continue to be a key part of the economy as they collectively employ a large overall workforce. It is estimated that the SME sector contributes 55% to private sector employment and accounts for approximately 40% of the gross domestic product of the country (Radebe 2014:para. 2; Sanlam Financial Services 2014:para. 7).

Small and medium-sized enterprises thrive on their adaptability, their agility based on their closeness to their customers, their openness to processes that enhance their efficiency and their ability to take risks (Smit & Watkins 2012:6324). Nevertheless, while SMEs operate in the same environment as larger organisations, they do not have the resources of these larger organisations (Sousa & Aspinwall 2010:476). Globalisation, legislation, market expansion and the removal of trade barriers have fuelled an increase in the competition faced by SMEs. Moreover, they, in common with every business, are susceptible to unwanted internal and external setbacks in their daily operations (Islam et al. 2012:2).

The business environment is dynamic and highly competitive. To survive, businesses are under pressure to satisfy all their stakeholders and excel at the same time (Cocca & Alberti 2010:186). Therefore, all enterprises including SMEs need to adopt a formal risk management strategy as a tool to survive and grow. Kagwathi et al. (2014:9) found that, unlike the larger businesses in developing countries, there is a lack of formal risk management in SMEs which can identify and mitigate their risks. Islam and Tedford (2012:3) suggest that risk management is less developed in SMEs. Despite the evidence that businesses that adopt a formal risk management strategy are more likely to survive and grow, SMEs are reluctant to do so as it is viewed as time consuming and entrepreneurs would rather focus their energies on running their businesses based on their known skills and experience. Paradoxically, a formal approach to risk management and risk-mitigation could alert them to the realities of some of the threats and risks.


One of the first definitions of risk can be ascribed to Bernoulli, who in 1738 proposed measuring risk with a geometric mean and minimising risk by spreading it across a set of independent events (Verbano & Venturini 2013:187). Risk is always linked to the uncertainty of the occurrence of a certain event that can cause loss or damage. It combines the probability and severity of a risk (Aven 2016:4; Islam & Tedford 2012:258). The International Organization for Standardization (ISO) defines risk as the effect of uncertainty on objectives. An effect is described as a deviation from the expected objectives and can apply at different levels, that is, financial, health and safety, reputation, natural environment and legal. The uncertainty is related to understanding or knowledge of an event and its consequence or likelihood (ISO 2009). Li and Zeng (2014:45) define risk as the level of exposure to uncertainties that the business must understand and effectively manage as it carries out its strategies to achieve its business objectives and create value. To refine this from an operational point of view, operational risk can be defined as the risk of loss as a direct consequence from inadequate or failed processes, people and systems from external and internal events (GARP 2014:41).

The business environment constantly changes. In this changing environment, risk taking is a key element of the entrepreneurial function and ultimately crucial in the creation of economic value and innovation (Dempster 2009:151). Changes in factors such as interest hikes, material price increases and strikes influence the business environment and result in uncertainty about the future path of an enterprise. Uncertainty about the future manifests itself as a risk (Hugo & Badenhorst-Weiss 2011:97). Operational risk and uncertainties are important in the academic and practical application. The field of operational risk management materialised as a result of several catastrophes and natural disasters, globalisation, intensified competition and integrated production methods (Cheng & Kam 2008:347). Thus, operational risk management is a developing focus area in supply chain management research (Aven 2016:3; Hoffmann, Schiele & Krabbendam 2012:1).

The sources of risks in operations are many and multifaceted and include strategy misalignment, regulatory requirements, changes in consumer preferences and the impairment of key assets (Lavastre, Gunasekaran & Spalanzani 2012:829). Other risks include skills shortages, unreliable suppliers, as well as economic, technological, social factors and information security (Blome, Schoenherr & Eckstein 2014:309). Consequently, entrepreneurs must be able to identify and mitigate potential risks, as failure to do so could result in reduced productivity or even lead to bankruptcy. For example, an SME may find the costs of enforced responsibilities such as a product recall or a site clean-up could reduce or eliminate expected profits (Sanders 2012:394). Risk management is not well defined, which can give rise to challenges in any organisation and specifically to SMEs (Blanc-Alquier & Lagasse-Tignol 2006:273).

Risk management

Risk management can be described as the process of identifying potential risks, assessing the likelihood of their occurrence, mitigating these risks before they occur or reducing the risk probability and putting contingency plans in place to mitigate the consequences if they do arise (Monczka et al. 2016:259; Waters 2009:277). The four concepts of risk management are illustrated in Figure 1.

FIGURE 1: Four process steps of risk management.

Identification of risks

This is the first step in the risk management process, with the aim of identifying future potential risks so that they can be proactively mitigated. Risk identification can be defined as the process of systematically identifying all potential internal and external risks which can cause loss or damage to the business (Hallikas & Lintukangas 2016:57; Kodithuwakku & Wickramarachchi 2015:122). It is about recognising and understanding possible risk sources (Hoffmann et al. 2012:4). However, these risks might be difficult to identify, as they have not yet happened, but might happen sometime in the future (Turner & Keetelaar 2005:29). Key to the process is that, when they are identified, they should be recorded and monitored (Scarborough, Wilson & Zimmerer 2009:730; Van Weele 2010:175). The methods suggested for identifying risks are through brainstorming with staff and external stakeholders and through researching the political, economic, legislative and operating environment. It must, however, be noted that the identification of risks can be limited by the experiences and perspectives of the person(s) conducting the risk analysis (Islam & Tedford 2012:262; Turner & Keetelaar 2005:29).

Risk assessment

This is the second step in the risk management process and can be described as evaluating or calculating the probability of occurrence of a possible risk and predicting its impact. Risk assessment includes evaluating two variables, namely the likelihood that a risk will occur and the extent of its impact if the risk actually occurs (Ho et al. 2015:132). The impacts can be on the finances, on health and safety, the natural environment or the reputation of the business and may have legal implications (Ho et al. 2015:44; Hoffmann et al. 2012:4; Kannan & Martin 2016:33).

Risk response

The third step in the risk management process is the use of mitigation strategies to eliminate, reduce or counteract risks (Hoffmann et al. 2012:4). There are three commonly used strategies to mitigate risk. These are: (1) risk informed – treatment of risk, avoidance, reduction, transfer and retention; (2) cautionary or precautionary – highlights features like containment, the development of substitutes, safety factors; and (3) discursive strategies – uses measures to build confidence and trustworthiness, through reduction of uncertainties. In most cases the appropriate strategy would be a hybrid of these three strategies (Aven 2016:6; Cucchiella & Gastaldi 2006:4). A business may select and implement a risk response strategy depending on the type of risk it faces (Yoon & Lee 2012:32).

Risk monitoring and control

The last step in the risk management process is regular risk monitoring. For example, indicators can be used to identify risk levels that are within limits but rising. This indicates future problems (Hoffmann et al. 2012:4). Risk management is a dynamic process as the probability of risks can change over time. Therefore, the monitoring of risks is vital as it can serve as an early warning when risk levels are increasing, giving businesses time to react to these changes and to formulate mitigation strategies (Chang et al. 2015:55; Wagner & Bode 2008:311).

Categories of risk

There are many categories of risks that businesses will come across. Some risks may have little impact on the business and can be managed easily, whereas other risks may threaten the survival of the business. Therefore, understanding what the potential risks are and how to effectively manage these risks will help small and medium business owner-managers make the necessary decisions to ensure the best possible outcome for their businesses.

There are various sources of risks in the operations of a business that have been identified by various authors and these can be grouped into various categories as presented in Table 2.

TABLE 2: Categories of risks.

Because the majority of the authors listed in Table 2 categorised the risks into operational, market, technological and financial risks and the proposed framework concerns operational risk management, it is around these four categories of risks that the proposed operational risk management framework is built (Figure 2). Furthermore, to be effective, a risk assessment method needs to help identify potential risks in these four domains (Keizer et al. 2002:214), and these four domains can be adapted for SMEs (Kim & Vonortas 2014:456). Each of these is briefly explained below.

FIGURE 2: Operational risk management framework.

Operational risk

The operational risk deals with the internal organisation and management of the operations team for development, production, supply and distribution. Operational risk encompasses the production, warehousing, distribution, staff challenges, systems and the processes that the company uses (Islam & Tedford 2012:258; Keizer et al. 2002:214; Young 2008:5). It is the uncertainty associated with supplier activities and relationships, poor quality, inventory risks and product demand among others (Jüttner 2005:123; Waters 2009:475).

Market risk

The market risk refers to the market acceptance of the product, the potential actions of competitors and general market conditions. For example, understanding customer needs, who competitors are, the products they offer, their advantages and any potential and future competitors, the inability to identify future market needs, failure to design new products and retention of market share (Keizer et al. 2002:214; Kim & Vonortas 2014:456; Waters 2009:478).

Technical risk

This type of risk refers to product design, production technology and intellectual property. Under technical risks, the framework includes risks such as failure to identify, launch and design new products, which will result in a lack of growth and possible loss of market share (Keizer et al. 2002:214; Kim & Vonortas 2014:456).

Financial risk

This kind of risk refers to the tangible value investors lose if the business fails and to the financial aspects of a business (Kim & Vonortas 2014:456). It is considered to be the risk associated with commercial and business performance (Islam & Tedford 2012:259). It comprises all financial transactions, including payments, costs, prices, sourcing of funds, profit and loss to the company should legal claims be lodged and when a customer declares insolvency resulting in irrecoverable sales. It should also cover the customers’ debtors’ book (Waters 2009:478).

Importance of risk management

Turner and Keetelaar (2005:13) remark that risk management should be viewed from three perspectives: (1) why businesses would want to implement risk management; (2) why businesses should implement risk management; and (3) why businesses have to implement risk management. Small businesses can expect many benefits from managing their risks such as: an improved understanding of the impact that management practices have on a business; increased competitive advantage; and increased efficiency and productivity (Scarborough et al. 2009:730; Smit 2012:20). Likewise, there are many reasons why a small business should implement risk management, such as protection of assets and the longer-term viability of the small business (Hoffmann et al. 2012:2; Sanders 2012:394). Lastly, there are legislative and regulatory requirements relating to risk management, for example, occupational health and safety legislation and fair-trading legislation (Scarborough et al. 2009:736; Turner & Keetelaar 2005:13).

The responsibility of managing risk requires the development of a framework which is not too cautious or too reckless and which guides the owner-manager towards action or improvement (Cocca & Alberti 2009:187). The framework must focus on the control of risk, the minimising of loss through prevention and avoidance and the exploitation of opportunities (Kim & Vonortas 2014:456). The management of risk offers businesses a sustainable competitive advantage by optimising the risk and return (Andersen 2008:156; Kim & Vonortas 2014:456; Smit & Watkins 2012:6324; Verbano & Venturini 2013:186). Though there are some existing frameworks on risk management, such as the risk management framework, the conceptualisation of risk management must be driven by the values and goals of the business (Kim & Vonortas 2014:455). Dimopoulos et al. (2004) acknowledge that there are tools available to assess risk. However, SMEs generally do not assess risk or, if they do, they do not assess the risks they are exposed to properly, leaving them in a vulnerable position (Islam & Tedford 2012:3; Kagwathi et al. 2014:9).

Small and medium-sized enterprise owner-managers need a good understanding of risk identification and analysis in order to successfully manage risks. The adaption of a risk management framework for SMEs is key as by using this they will be better suited to assess and manage their risks, thus benefiting from their resources and yielding a positive return (Smit & Watkins 2012:6324).

Operational risk management framework

Figure 2 shows the proposed operational risk management framework that SMEs could use. This proposed framework is underpinned by and analysed into the four process steps of risk, namely risk identification, risk assessment, risk response-mitigation strategy and risk monitoring and control. These terms head the four main columns across the top of the proposed framework, and the rows down the left side of the framework detail the four broad risk categories of operational risks, market risks, technical risks and financial risks. The columns listing the four process steps are further analysed into subcategories as are the four risk categories down the left side of the model. The details of the risk process steps, covering the various risk categories, are outlined below, to explain the construct of Figure 2.

Risk identification

This is the first key step for identifying and understanding the possible risk sources. To add depth to this process stage, the risk identification column has been split into three sub-columns of objective, description of risk and responsible person. The objective column will assist in identifying the broad business issue, the description column defines the specific risk and the responsible person column defines the responsibility for managing and mitigating the risk. This feature will be explained in more detail later.

As can be seen in the rows of the framework, each potential risk area of the business, namely operational, market, technical and financial risks, is listed.

The first broad category of risk is operational risks. Operational risks encompass the various operational activities within the SME, including production, warehousing and distribution. The second risk category, after operational risks, is market risks. This includes risks such as understanding customer needs, future market needs, new opportunities and market share. The third risk category is technical risks and includes risks such as the current product range design, which can result in loss of position in the market and failure to identify, launch and design new products, which will result in a lack of growth and possible loss of market share. Finally, the fourth risk category is financial risks. These risks may have legal and other implications for the SME. For example, legal risks could include loss to the company should legal claims be lodged and/or, if a customer declares insolvency, it could result in irrecoverable sales and financial losses.

It must be pointed out that these risk categories are suggestions and that they would differ from SME to SME depending on the size and type of business. It is suggested that a cross-functional team be formed within the SME to discuss the objectives of the SME’s operations and identify potential operational risks. It is for this reason that in this proposed framework some generic risks are presented as examples that SMEs could use.

By way of explaining Figure 2, the category of operational risk has been split into the key operational activities of production, warehousing and distribution. Production risks consist of risks that will impact on the production of the SME. These include supplier risks regarding quality and pricing, inventory risks, process risks, downtime risks and quality risks. Even though the list of production risks is not exhaustive, these risks have the possibility of reducing competitiveness and may have financial implications for the SME. The risks that come under warehousing include sending products from the site to warehouse, holding slow-moving stock and protecting and safeguarding stock. Under distribution are included risks such as accurate stock picking, effective control of stock and the transport of goods.

In order to explain the risk management process and the use shown in Figure 2, let us assume that a cross-functional team of key employees within the SME is undertaking this risk assessment or identification process. Under the heading of production risk, the team would note the key potential business or operational issues that could negatively affect the production environment. The team would look at these issues from an objective or desired outcome perspective and create a positive statement that the SME would want to achieve in the production area. The idea here is that, if the SME achieved this objective or outcome, then any risk that could negatively impact on the outcome would have been eliminated or at least mitigated against. This becomes the measure against which the risk is gauged. In the example shown above of the operational category of production risk, a positive outcome or objective of source quality materials at competitive prices could be listed. The question to be asked of the cross-functional team is what the likelihood of this objective being achieved is and, if it cannot be achieved, what the issues are leading to its non-achievement. The identification of these issues results in a listing of the negative risks to be detailed under the description of risk column. An example of this risk could be the naming of a particular key raw material which is vital for the SME to produce a quality finished product. If the quality of this raw material from a supplier has in the past been variable, then this is a key risk to the business or, if the supplier has proven to be one that is unreliable from an on-time delivery basis, then again this is a risk. If the supplier is in the habit of increasing his prices based on, for example, a fluctuating exchange rate, meaning that he does not take forward cover for his inputs, then again, the SME could face risk exposure, this time from a cost basis.

For explanatory purposes, let us assume that the issue of risk that will detract from the SME achieving the objective or positive outcome of source quality materials at competitive prices is a key raw material supplier RM Steel who provides a raw material of variable quality 30% of the time. In this example, the actual risk to be listed in column 2, alongside the objective of source quality materials at competitive prices would be ‘variable raw material quality from RM Steel’.

The next and final step in the identification process is the nomination of the responsible person and this detail would be inserted in the third column. As the problem is related to the supply of raw materials, the buyer’s name would be placed in this third column.

In this way, we have the objective or desired outcome listed in column one, the actual risk detailed in column two (there could be a number of risks related to the one objective) and, finally, the name of the individual who is responsible for managing and monitoring the particular risk. In the example of source quality materials at competitive prices, this could be the buyer. This is a key issue as it is important that someone within the SME takes ownership of achieving the positive outcome or objective, and of managing and mitigating the risks, or the risk management exercise will be futile.

The three subheadings of objective, description of risk and responsible person represent the first step of the risk process, namely risk identification. The cross-functional team will now move to the next section, which is risk assessment, or risk priority.

Risk assessment

The first column under the risk framework of risk assessment deals with the severity rating of the identified risk. Here the risks are subcategorised according to the impact that the risk may have on the various aspects of the business, such as finances, health and safety, the natural environment and the reputation of the SME or the possible legal consequences (Ho et al. 2015:44; Hoffmann et al. 2012:4; Kannan & Martin 2016:33). The risks are then ranked on a severity rating scale from 1 to 10, with a 10 being of the highest severity. There could be many risks attached to any one objective. Examples are ‘delayed supply’, ‘current supplier is unable to supply’, ‘quality of materials’, ‘uncompetitive price’ among others. In the example being explained under the first objective, source quality materials at competitive prices, the issue of ‘variable raw material quality from RM’ has been listed. This could have severe financial implications for the SME, as the final product produced by the SME using the materials from RM could be sub-standard, resulting in returns to the SME and financial loss. This issue could also negatively impact on the reputation of the company, which could in turn have financial and legal implications. Further, it could impact on health and safety and the natural environment. However, because the severity rating may not be equally severe on all the business aspects, in our example the following ratings are assigned: financial (8), health and safety (1), natural environment (1), reputation (8) and legal (4). These ratings are then combined as follows:

8 + 1 + 1 + 8 + 4 = 22.

The third column under risk assessment deals with the probability rating given to each risk. The SMEs must determine, on a scale from 1 to 10, the likelihood of this risk occurring. A score of 10 corresponds to a risk that is probable. So, with regard to our previous example, what is the probability of receiving poor quality materials? It would depend on the supplier, but, for the sake of this example, the probability of this risk occurring might not be that high. Let us say that the cross-functional team decides that 30% of the time the quality of the raw material receipts is below standard; they could assess that there is a probability of 3 out of 10 chances of it happening.

The last column under risk assessment scores the risk. In our example, the total of the severity risk rating is 22 and the probability of the risk occurring is 3. The severity risk rating is then multiplied by the probability rating as follows:

22 × 3 = 66

Sixty-six is the total score. The higher the score, the higher the perception that the risk is likely to happen and impact on the business. Each risk must be scored accordingly. The scores will highlight the more severe risks. This completes the risk assessment portion of the process.

Risk response (mitigation)

The third step in the risk process framework presents the risk response-mitigation strategy. Once each potential risk is scored, these should be sorted and ranked from top to bottom. The cross-functional team of the SME can then work their way down the list from more severe to less severe risks. It will be the responsibility of the cross-functional team to score all the risks identified and to deal with the highest scoring or most severe risks first.

In our example, let us assume a score of 66 would lift this risk to the top of the value scale, meaning it would be viewed as a key risk requiring attention. The goal of the cross-functional team is to then look at what existing controls are in place and the additional measures needed to be implemented in order to mitigate the more severe risks. In our example, the buyer has been assigned the responsibility for managing the risk. In the open forum of the cross-functional team meeting, a discussion should take place and the buyer would be asked for his input or what his risk-mitigation strategy will actually be.

An obvious point would be for the buyer to contact RM and to raise the SME’s concern with this supplier. This would be risk-mitigation step one. Step two of the risk-mitigation strategy would be for the buyer to visit RM with the SME’s quality controller to undertake a quality process audit on the production process to ensure that RM’s processes and procedures are under control and to check for consistency and repeatability, which is obviously lacking as problems arise 30% of the time. Such an audit could identify system or process weaknesses, which the SME would insist that RM addresses. Step three could be for the buyer to instruct the quality controller to conduct quality checks of the incoming raw material from the supplier RM and to reject any product that does not conform. Key to the success of the process is for the cross-functional team to be satisfied that the steps identified by the buyer will mitigate against the identified risks.

Risk monitoring and control

Using this process in relation to various production objectives, identifying risk types and scoring these risks will complete the final column of the risk framework. This is the fourth and final step. Chang et al. (2015:55) and Wagner and Bode (2008:311) maintain that the monitoring of risks is important, because it can provide an early warning of increasing risk levels, thus giving the SME time to react to these changes and to formulate and/or adapt mitigation strategies.

In the example shown in Figure 2, the results of the actions taken against risk-mitigation strategy steps 1 to 3 as identified above would be written up in this column. This is done once the various actions have been completed and provides feedback to the cross-functional team, evidence that positive mitigating action steps have been taken. It is recommended that the risk management cross-functional team meets at least twice a year, which gives the various responsible individuals time to complete the mitigating action steps. At the next meeting of this team, a follow-up review of the risks should take place, and the team will be asked to re-evaluate the revised risk and rescore each identified risk, overwriting the original rating values. In our example, the original score of 66 will also be noted in the risk monitoring and control column, in order that the progress on the risk strategies can be monitored and progress confirmed. This may be compared with the new revised risk assessment score. This process is key to closing the risk management ‘loop’ and to ensure forward progress and momentum.
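The identification, scoring, ranking and rescoring steps described above can be kept in a small risk register. The following Python code is an added example, not part of the original article; the RM Steel ratings come from the text, while the ratings for the other two risks and the post-mitigation probability used when rescoring are constructed for illustration.

```python
from dataclasses import dataclass, field

# The five business aspects rated for severity in the article's example.
ASPECTS = ("financial", "health_and_safety", "natural_environment",
           "reputation", "legal")


def ratings(*values):
    """Pair one 1-10 rating with each aspect, in ASPECTS order."""
    if len(values) != len(ASPECTS):
        raise ValueError(f"expected {len(ASPECTS)} severity ratings")
    return dict(zip(ASPECTS, values))


def validate(severity, probability):
    """Reject anything outside the framework's 1-10 rating scales."""
    if set(severity) != set(ASPECTS):
        raise ValueError(f"severity must rate exactly: {ASPECTS}")
    for name, value in {**severity, "probability": probability}.items():
        if isinstance(value, bool) or not isinstance(value, int) \
                or not 1 <= value <= 10:
            raise ValueError(f"{name} rating must be an integer from 1 to 10")


@dataclass
class Risk:
    objective: str      # risk identification, column 1
    description: str    # risk identification, column 2
    responsible: str    # risk identification, column 3
    severity: dict      # risk assessment: one rating per aspect
    probability: int    # risk assessment: likelihood, 1-10
    previous_scores: list = field(default_factory=list)  # monitoring column

    def __post_init__(self):
        validate(self.severity, self.probability)

    @property
    def severity_total(self):
        return sum(self.severity.values())

    @property
    def score(self):
        return self.severity_total * self.probability

    def rescore(self, severity, probability):
        """Follow-up review: note the old score, then overwrite the ratings."""
        validate(severity, probability)  # check first so bad input changes nothing
        self.previous_scores.append(self.score)
        self.severity, self.probability = dict(severity), probability


def rank(register):
    """Highest score first; equal scores keep the order they were listed in."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def build_register():
    objective = "Source quality materials at competitive prices"
    return [
        # Constructed ratings for a risk type the article names.
        Risk(objective, "Uncompetitive price", "Buyer", ratings(6, 1, 1, 2, 1), 2),
        # Ratings from the article: 8 + 1 + 1 + 8 + 4 = 22, probability 3.
        Risk(objective, "Variable raw material quality from RM Steel", "Buyer",
             ratings(8, 1, 1, 8, 4), 3),
        # Constructed ratings for a risk type the article names.
        Risk(objective, "Delayed supply", "Buyer", ratings(5, 1, 1, 4, 2), 4),
    ]


if __name__ == "__main__":
    for risk in rank(build_register()):
        print(f"{risk.score:>3}  {risk.description}  ({risk.responsible})")
```

Calling `rescore` at the follow-up meeting overwrites the ratings while keeping the earlier score in `previous_scores`, which is the comparison the monitoring and control column relies on.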

It should be noted that the example outlined to explain Figure 2 has assumed an SME with a number of employees and functional responsibilities, hence the possibility of a cross-functional team. The model could equally apply to a smaller operation with, for example, the cross-functional team comprising the owner and just one or two employees, such as the production supervisor and the bookkeeper. The benefit of the process of using cross-functionality is not relative to there being highly skilled functional department heads but is rather about individuals who know the SME and its functioning and who understand the risks that such an operation actually faces.

Figure 2 presents the proposed operational risk management framework.

It is suggested that the proposed framework complies with the requirements of scholars who specify that a risk management framework must focus on identifying risks, measuring the probability of the impact of risks, mitigating the risks and monitoring and controlling the risks (Chang et al. 2015:55; Sharma and Bhat 2014:26; Wagner and Bode 2008:311; Waters 2009:477). The proposed framework differs from the standard risk management process in that it includes the categories of risks and also includes the responsible person and a severity and probability rating to score each risk.


Operational risk can be defined as the risk of loss as a direct consequence of inadequate or failed processes, people and systems because of external events (GARP 2014:41). The business environment is dynamic and competitive, and businesses face a number of risks that threaten to reduce productivity and to increase costs and liabilities, thus negatively impacting the bottom line. Therefore, risk assessment is necessary for all businesses, including SMEs. It is vital that entrepreneurs can identify and mitigate potential risks as failure to do so could result in reduced productivity or even bankruptcy. Within this context, the aim of this article has been to present an operational risk management framework that SMEs can use to assess and manage their risks. The various types of operational risks were explored and are embedded in this proposed framework.

The limitation of this study is that even though the proposed framework can be used as a tool to identify, assess, mitigate and manage or control the risks of SMEs, the framework has not been tested. It is proposed that it be tested in a future study to determine whether the model is valuable and useful for SMEs.

There is a lack of research dealing with operational risk frameworks for SMEs (Verbano & Venturini 2013:8); therefore, the expected contribution of this article is twofold. Firstly, it is envisaged that managers or owners of SMEs could use the proposed framework as a tool to appraise and minimise their operational risks. Secondly, it adds to the current body of knowledge of risk appraisal for SMEs. As stated by Theodore Roosevelt, ‘Risk is like fire: if controlled it will help you; if uncontrolled it will rise up and destroy you’.


We acknowledge that this is our own work and all sources we have used or quoted have been indicated and acknowledged by means of complete references.

Competing interests

The authors declare that they have no financial or personal relationship(s) which may have inappropriately influenced them in writing this article.

Authors’ contributions

M.J.N. was the project leader, made conceptual contributions and finalised the article. N.C. collected and analysed the secondary data and wrote up the literature review.


Andersen, T.J., 2008, ‘The performance relationship of effective risk management: Exploring the firm-specific investment rationale’, Long Range Plan 41(2), 155–176. https://doi.org/10.1016/j.lrp.2008.01.002

Aven, T., 2016, ‘Risk assessment and risk management: Review of recent advances on their foundation’, European Journal of Operational Research 253, 1–13. https://doi.org/10.1016/j.ejor.2015.12.023

Benton, W.C., 2014, Supply chain focused manufacturing planning and control, Cengage Learning, Melbourne.

Blanc-Alquier, A.M. & Lagasse-Tignol, M.H., 2006, ‘Risk management in small- and medium-sized enterprises’, Production Planning and Control: The Management of Operations 17(3), 273–282. https://doi.org/10.1080/09537280500285334

Blome, C., Schoenherr, T. & Eckstein, D., 2014, ‘The impact of knowledge transfer and complexity on supply chain flexibility: A knowledge-based view’, International Journal of Production Economics 147, 307–316. https://doi.org/10.1016/j.ijpe.2013.02.028

Chang, C.H., Xu, J. & Song, D.P., 2015, ‘Risk analysis for container shipping: From a logistics perspective’, The International Journal of Logistics Management 26(1), 147–171. https://doi.org/10.1108/IJLM-07-2012-0068

Cheng, S.K. & Kam, B.H., 2008, ‘A conceptual framework for analysing risk in supply networks’, Journal of Enterprise Information 22(4), 345–360. https://doi.org/10.1108/17410390810888642

Chopra, S. & Meindl, P., 2013, Supply chain management: Strategy planning and operation, 5th edn., Pearson, Boston, MA.

Cocca, P. & Alberti, M., 2010, ‘A framework to assess performance measurements systems in SMEs’, International Journal of Productivity and Performance Management 59(2), 186–200. https://doi.org/10.1108/17410401011014258

Cucchiell, A.F. & Gastaldi, M., 2006, ‘Risk management in supply chain: A real option approach’, Journal of Manufacturing Technology Management 17(6), 700–720. https://doi.org/10.1108/17410380610678756

Davis Tax Committee, 2014, Small and medium enterprises: Taxation considerations, Interim report, viewed 27 October 2014, from http://www.taxcom.org.za/docs/DTC%20SME%20Report%20for%20Public%20Comment%20by%2011%20July%202014.pdf

Dempster, A.M., 2009, ‘An operational risk framework for the performing arts and creative industries’, Creative Industries Journal 12, 151–170. https://doi.org/10.1386/cij.1.2.151_1

Dimopoulos, V., Furnell, S., Barlow, I. & Lines, B., 2004, ‘Factors affecting the adoption of IT risk analysis’, in Proceedings of the 3rd European Conference on Information Warfare and Security, University of London, London, June 28–29, 2004, pp. 267–283.

Global Association of Risk Professionals (GARP), 2014, ‘Chapter 12 – Operational risk’, in The GARP risk series operational risk management, viewed 05 September 2014, from http://www.garp.org/media/673303/operational%20risk%20slides.pdf

Hallikas, J. & Lintukangas, K., 2016, ‘Purchasing and supply: An investigation of risk management performance’, International Journal of Production Economics 171, 487–494. https://doi.org/10.1016/j.ijpe.2015.09.013

Harland, C., Brenchely, R. & Walker, H., 2003, ‘Risk in supply networks’, Journal of Purchasing & Supply Management 9, 51–62. https://doi.org/10.1016/S1478-4092(03)00004-9

Ho, W., Zheng, T., Yildiz, H. & Talluri, S., 2015, ‘Supply chain risk management: A literature review’, International Journal of Production Research 53, 5031–5069. https://doi.org/10.1080/00207543.2015.1030467

Hoffmann, P., Schiele, H. & Krabbendam, K.J., 2012, ‘Uncertainty, supply risk management principles and the impact on performance’, in 21st Annual IPSERA Conference, Naples, Italy, April 1–4, pp. 1–16.

Hopkins, P., 2017, The fundamentals of risk management, 4th edn., Kogan Page, London.

Hugo, W.M.J. & Badenhorst-Weiss, J.A., 2011, Purchasing and supply management, 6th edn., Van Schaik, Pretoria.

International Organization for Standardization (ISO), 2009, Risk management – Vocabulary, Guide 73-2009, viewed 04 August 2017, from https://www.iso.org/standard/44651.html

Islam, A. & Tedford, D., 2012, ‘Risk determinants of small and medium-sized manufacturing enterprises (SMEs) – An exploratory study in New Zealand’, Journal of Industrial Engineering International 8, 12. https://doi.org/10.1186/2251-712X-8-12

Islam, A., Tedford, D. & Haemmerle, E., 2012, ‘Risk determinants of small and medium-sized manufacturing enterprises (SMEs) – An empirical investigation in New Zealand’, viewed 03 August 2017, from http://www.anzam.org/wp-content/uploads/pdf-manager/1874_ISLAMMD_235.PDF

Johnson, P.F. & Flynn, A.E., 2015, Purchasing and supply management, 15th edn., McGraw-Hill, Boston, MA.

Jüttner, U., 2005, ‘Supply chain risk management: Understanding the business requirements from a practitioner perspective’, The International Journal of Logistics Management 16(1), 120–141. https://doi.org/10.1108/09574090510617385

Kagwathi, G.S., Kamau, J.N., Njau, M.M. & Kamau, S.M., 2014, ‘Risks faced and mitigation strategies employed by small and medium enterprises in Nairobi, Kenya’, Journal of Business and Management 16(4), 1–11.

Kannan, G. & Martin, B.J., 2016, ‘Supplier risk assessment based on trapezoidal intuitionistic fuzzy numbers and Electre Tri-C: A case illustration involving service suppliers’, Journal of the Operational Research Society 67, 339–376. https://doi.org/10.1057/jors.2015.51

Keizer, J., Halman, J.I.M. & Song, M., 2002, ‘From experience: Applying the risk diagnosing methodology’, Journal of Product Innovation Management 19, 213–232. https://doi.org/10.1111/1540-5885.1930213

Kim, Y. & Vonortas, N.S., 2014, ‘Managing risk in the formative years: Evidence from young enterprises in Europe’, Technovation 34, 454–465. https://doi.org/10.1016/j.technovation.2014.05.004

King, K., 2012, ‘Institute of directors Southern Africa’, viewed 03 August 2017, from http://c.ymcdn.com/sites/www.iodsa.co.za/resource/resmgr/king_iii/King_Report_on_Governance_fo.pdf

Kodithuwakku, C.E. & Wickramarachchi, D.N., 2015, ‘Identifying the risk dynamics of supply chain operations in large scale apparel industry in Sri Lanka’, International Journal of Innovation, Management and Technology 6, 272–277.

Lavastre, O., Gunasekaran, A. & Spalanzani, A., 2012, ‘Supply chain risk management in French companies’, Decision Support Systems 52(4), 828–838. https://doi.org/10.1016/j.dss.2011.11.017

Li, S. & Zeng, W., 2014, ‘Risk analysis for the supplier selection problem using failure modes and effects analysis (FMEA)’, Journal of Intelligent Manufacturing 27(6), 1309–1321. https://doi.org/10.1007/s10845-014-0953-0

Lysons, K. & Farrington, B., 2016, Procurement and supply chain management, 9th edn., Pearson, Boston, MA.

Michalski, G., 2009, ‘Inventory management optimisation as part of operational risk management’, Economic Computation and Economic Cybernetics Studies and Research 43(4), 213–222.

Monczka, R.M., Handfield, R.B., Giunipero, L.C. & Patterson, J.L., 2016, Purchasing & supply chain management, 6th edn., Cengage Learning, Melbourne.

Nieuwenhuizen, C., 2007, Business management for entrepreneurs, Juta, Cape Town.

Radebe, P., 2014, Small business is the missing middle in banks’ service target, viewed 27 October 2014, from http://www.finmark.org.za/finscope/publication/small-business-is-the-missing-middle-in-banks-service-target

Sanders, N.R., 2012, Supply chain management: A global perspective, John Wiley & Sons, Hoboken, NJ.

Sanlam Financial Services, 2014, Economic overview April 2014: Pravin Gordhan promotes SME development, viewed 27 October 2014, from http://southafrica.smetoolkit.org/sa/en/content/en/56030/Economic-Overview-April-2014-%E2%94%80-Pravin-Gordhan-promotes-SME-development

Scarborough, N.M., Wilson, D.L. & Zimmerer, T.W., 2009, Effective small business management: An entrepreneurial approach, 9th edn., Pearson Education, London.

Sekaran, U. & Bougie, P., 2016, Research methods for business: A skill building approach, 7th edn., Wiley, Chichester.

Servaes, H., Tamayo, A. & Tufano, P., 2009, ‘The theory and practice of corporate risk management’, Journal of Applied Corporate Finance 21(4), 60–78. https://doi.org/10.1111/j.1745-6622.2009.00250.x

Sharma, S.K. & Bhat, A., 2014, ‘Supply chain risk management dimensions in Indian automobile industry’, Benchmarking: An International Journal 21(6), 1023–1040. https://doi.org/10.1108/BIJ-02-2013-0023

Simchi-Levi, D., Kaminsky, P. & Simchi-Levi, E., 2008, Designing and managing the supply chain: Concepts, strategies and case studies, 3rd edn., McGraw-Hill, Boston, MA.

Smit, Y., 2012, ‘A structured approach to risk management for South African SMEs’, Doctoral thesis, Cape Peninsula University of Technology.

Smit, Y. & Watkins, J.A., 2012, ‘A literature review of small and medium enterprises (SME) risk management practices in South Africa’, African Journal of Business Management 6(21), 6324–6330. https://doi.org/10.5897/AJBM11.2709

Sousa, S. & Aspinwall, E., 2010, ‘Development of a performance measurement framework for SMEs’, Total Quality Management & Business Excellence 21(5), 475–501. https://doi.org/10.1080/14783363.2010.481510

South Africa, 2003, National Small Business Act 26, 2003, Government Gazette No. 25763, 26 November 2003.

Tang, O. & Musa, N., 2011, ‘Identifying risk issues and research advancements in supply chain risk management’, International Journal of Production Economics 133(1), 25–34. https://doi.org/10.1016/j.ijpe.2010.06.013

Turner, K. & Keetelaar, D., 2005, Risk management guide for small businesses, Risk Management Institute of Australia, Australia, pp. 1–68, viewed 06 September 2014, from http://www.significanceinternational.com/Portals/0/Documents/2005-sme-risk-management-guide-global-risk-alliance-nsw-dsrd.pdf

Van Weele, A.J., 2010, Purchasing and supply chain management, 5th edn., Cengage Learning South-Western, Melbourne.

Van Wyk, J., Dahmer, W. & Custy, M.C., 2004, ‘Risk management and the business environment in South Africa’, Long Range Planning 37, 269–276. https://doi.org/10.1016/j.lrp.2004.03.001

Verbano, C. & Venturini, K., 2013, ‘Managing risk in SMEs: A literature review and research agenda’, Journal of Technology Management and Innovation 8(3), 186–197. https://doi.org/10.4067/S0718-27242013000400017

Wagner, S.M. & Bode, C., 2008, ‘An empirical examination of supply chain performance along several dimensions of risk’, Journal of Business Logistics 29, 307–325. https://doi.org/10.1002/j.2158-1592.2008.tb00081.x

Waters, D., 2009, Supply chain management: An introduction to logistics, 2nd edn., Palgrave MacMillan, London.

Wu, D.D. & Olson, D.L., 2009, ‘Enterprise risk management: Small business scorecard analysis’, Production Planning and Control: The Management of Operations 20(4), 362–369. https://doi.org/10.1080/09537280902843706

Yoon, S.O. & Lee, C.H., 2012, ‘A study on paradigm shift of supply chain risk management for SMEs’, Journal of the Korea Safety Management and Science 14, 71–77. https://doi.org/10.12812/ksms.2012.14.4.071

Young, J., 2008, Operational risk management: The practical application of a qualitative approach, Van Schaik, Pretoria.
