JTES: Journal of Technology and Engineering Sciences  

Jul­Dec 2009 Vol­1 No­2 

The Importance of ICT Risk Management in Small to Medium-Sized Enterprises (SMEs) Malaya Kumar Nayak1, Prof. Sanghamitra Mohanty2 1

IT Buzz Ltd, 34 Stanley Road, London E12 6RJ United Kingdom E-mail: [email protected] 2 Department of Computer Science & Application, Utkal University, Bhubaneswar, INDIA E-mail: [email protected]

Abstract: Risk management in ICT can be said to be an integral part of organisational decisionmaking in small and medium enterprises. Risk management usually improves a business’s chance of doing its business and most small companies usually focus on the limited resources they have at their disposal, so as to efficiently and effectively control their risks, whenever a major problem occurs. The identified risks can then be eliminated, which helps to reduce the unproductive hours of employees. The process of risk assessment helps workplace operations to become better understood and hence it both assists in raising awareness of the potential problems and identifies where improvements should be made in the ICT sector. In most small and medium-sized enterprises, there is a strong requirement for an effective risk management tool and this is achieved basically through the use of the ICT sector. The growth of international and national markets is mainly based on dealing with this risk, with special emphasis on projects due to the increased use of ICT technology and also due to the production of networks which usually introduce some complexity into the ICT domain of the SME sector. Whereas the overall ICT risk management of countries takes place at the macro level, there is a need to undertake studies which will evaluate the overall risk management of countries also at the microeconomic level, and this can be further be advanced by the adoption of ICT in SMEs, with a special focus on ICT risk management. Small and medium enterprises are usually companies or businesses whose headcounts or turnovers fall below certain limits. The term is mostly used in the European Union and some international agencies. However, in most of the world’s economies, the smaller enterprises which are mostly referred to as SMEs are more numerous. For example, SMEs in European countries constitute approximately 99% of the total firms operating in this region, and they employ more than 2/3 of the population. But on the global scale, SMEs normally account for approximately 99% of all business numbers and about 40% to 50% of the total world GDP. One advantage of ICT is that it offers many benefits to SMEs and other enterprises, hence the reduction of risks associated with ICT usage in SMEs. By allowing effective business networking, ICTs will henceforth offer small firms an opportunity to overcome stiff competition and the risks they face, and hence give them a competitive advantage. Keywords: Risk management, Information and Communication Technology (ICT), Small and Medium-Enterprises (SMEs), e-Connectivity, Macroeconomics, Microeconomics

1. Introduction: ICT Risk Management in Small and Medium-Sized Enterprises (SME’s) Risk management in ICT is a core component of the successful operating and decision-making in SMEs. ICT risk

management is crucial for a number of reasons. First, ICT risk management seeks to consolidate exposure types, not just across event-driven risk types but also across the wide border between risk and uncertainty—between financial and business risk. Implementing ICT risk management in SMEs thus first requires acknowledgement

 JTES: Journal of Technology and Engineering Sciences   by the corporation and the custodians of its risk management process that a key aspect of risk and exposure management involves what is called selective risk management. In other words, ICT risk management seeks to differentiate those risks in which the firm has some perceived comparative informational advantage from those in which the company perceives itself as no better informed than other market participants (Atkinson, Banker, Kaplan, and Young, 2001). Second, there is a distinction between ICT risk management and less systematic approaches to risk management strategy, which is the attempt to view the risks facing a company through some form of common lens. Often this translates into a common risk measurement framework, but at a more general level ICT risk management implies that a firm has the ability to abandon the terminology of financial instruments. What should matter to a company is not whether a risk is best managed through swaps, insurance, or trading limits, but rather that the resulting net enterprise-wide risk exposure conforms to the risk tolerances of the firm's security holders. In this sense, what might be called a financial instrument—or, for that matter, a balance sheet exposure—is irrelevant. What matters is how it affects the net position of the firm relative to its risk tolerances (Shapiro, 1999). Third, ICT risk management aims to consolidate the risk management process organizationally across internal systems, processes, and people. In other words, the enterprise in risk management in SMEs refers not just to a company's perspective of the risks it is facing, but also to the degree of integration and consolidation with which the enterprises manages those risks. 1.1. Developing an effective risk management tool at SME’s To design and maintain a sound risk management tool consistent with the company's financing and investment strategies, the corporation must first decide

Jul­Dec 2009 Vol­1 No­2 

who is going to do the designing. More specifically, the company as a collection of different individuals must ascertain where the risk management process will be designed and, once it is designed, who will take ownership of the process. Most importantly, the company must decide who the beneficiaries of the risk management program will be, and thus to whom the risk management process should be accountable (Dibner, Meyers, and Tahir, 2001). At a very basic level, the stakeholders in a risk management process are the principals of a corporation—its equity holders—and their agents. But defining the beneficiaries of the risk management process is not enough. Because those beneficiaries will almost certainly be principals, the agents of the risk management process that act as its stewards on behalf of stakeholder/owners must also be defined. In other words, who will be responsible internally for ensuring an adequate degree of coordination and integration to achieve the benefits of ICT risk management? The roles of various parts of the firm's nexus of contacts are discussed below (Atkinson et al., 2001). For a firm to develop a valueenhancing risk management process, the involvement of shareholders, as represented by their Board of Directors, is essential. Quite a few companies stumble by presuming that shareholders in particular are neither interested in nor capable of articulating the details of a risk management process. Shareholders are thus left out of the process, which is itself designed mainly by management. This is a mistake. If the Board of Directors, as the representatives of shareholders, is not aware of the issues confronting the company, it can and should be made aware. Many of the rationales for realizing gains from risk management, after all, trace directly to shareholder welfare (Langfield-Smith, 1997). Apart from rationales for risk management that are based on the protection of equity, the Board of Directors is the

 JTES: Journal of Technology and Engineering Sciences   custodian of the shareholders—the owners or residual claimants—of the firm and its assets. For pure governance reasons, the involvement of the Board as representative of the firm's owners is critical to ensure that the risk management process is appropriately sanctioned, designed, and backed by adequate levels of seniority in the firm. Shareholder participation is also crucially important as part of the governance process, to ensure that the firm fosters an appropriate risk culture. The shift from a pure risk control business model to an efficiency enhancement is often a subtle move, but the leap into the provision of risk transformation products is more substantial. Shareholders should clearly articulate their objectives in this regard and approve all the associated internal policies, procedures, and controls before a company can make this leap from risk controller or efficiency enhancer to risk transformer. 1.2. The role of ICT in developing competitive risk management tools Involving ICT in the design and articulation of a risk management tool can also make sense, especially for firms whose risk culture is primarily one of risk control. The number of companies that leave their bankers out of the design of a risk management program is surprisingly high. And yet the behaviour of external financiers such as bankers is precisely what motivates ICT risk management in several instances. Stated differently, if risk management is being implemented as a non-dilutive substitute for equity capital to increase the debt capacity and effective leverage of the firm, existing creditors are likely to need a material say in the structuring of that process. Otherwise, risk management can be used as an excuse for asset substitution (Enterprise Risk Management, 2004). Any given corporation, of course, may have a wide variety of creditors. A creditor, after all, is essentially anyone with a fixed claim on the firm. Stretching the definition, this could technically even

Jul­Dec 2009 Vol­1 No­2 

include salaried employees who are owed a fixed compensation payment by the company. At the more traditional level, debt can include junior and senior bondholders, trade and project financiers, and so forth. The involvement of representatives of all creditor groups in the design of a risk management process makes little sense. Apart from being unruly and cumbersome, some of the interests represented are simply not on a par with others and could abuse the opportunity for involvement as a chance at asset substitution toward their own class of claim on the firm (Dibner et al., 2001). Fortunately, there is really no need to involve multiple classes or types of creditors in the design of a risk management process. The involvement of one type is typical— specifically, the lead banker to the corporation. Commercial banks provide a number of important functions to the global economy and capital markets. So important are the roles played by banks that these institutions are often regarded as inherently unique or special. The reasons typically cited for the special treatment of banks are that they offer transaction accounts, serve as liquidity providers of last resort, and act as transmission mechanisms for monetary policy. But none of these functions are inherently unique to banking. None of these roles make banks special. Academic finance suggests an entirely different reason for which banks might be considered special. Specifically, commercial banks serve as delegated monitors of the investment activities of their borrowers. By providing borrowers with monitoring and outside discipline, banks encourage their borrowers to undertake only positive Net Present Value (NPV) projects (Hitt, Ireland, Hoskisson, Rowe, and Sheppard, 2002). In that sense, banks do play a virtually unique role in helping reduce the agency costs of debt, especially for small or growth firms.

2. Methodology: ICT risk management at the microeconomic level

 JTES: Journal of Technology and Engineering Sciences   2.1. Adoption of ICT in risk management on the micro level One of the reasons for the increased extent of ICT risk management application in SMEs is the more sophisticated modern system of production, as well the more intensive linkages between science and technology. The new microeconomic model relies on flexibility through computerization and diversity through new combinations that draw upon a wider range of disciplines. SMEs increase the returns on their own R&D through adapting their underlying capability so that they can absorb and apply the complementary knowledge acquired from other locations or from other firms more intensively in their own internal learning process. This is especially pertinent for SMEs developing technology in more than one location, as potential opportunities for crossborder learning have been enhanced by an increased usage of ICT risk management technologies (Bodnaret al., 1996). ICT specialization seems to enhance the firm's risk management flexibility by enabling it to fuse together a wider range of formerly separate technologies. In this sense, in the current ICT-based model, government intervention is better geared towards the promotion of cross-firm and cross-border knowledge flows, rather than to provisions to protect the monopolistic and separate exploitation of knowledge by those that have independently invested in its creation. Thus, although SMEs in the European Union have shown a greater internationalization of their R&D facilities in recent times, this depends upon the type of technological activity involved. The development of science-based fields of risk management activity and an industry's core technologies appears to require a greater intensity of face-to-face interaction (Bodnaret al., 1996). Nonetheless, it may sometimes still be the case that science-based and firm- and industry-specific core risk management technologies are dispersed internationally. The main factors driving the occasional

Jul­Dec 2009 Vol­1 No­2 

geographical dispersion of the creation of these kinds of otherwise highly localized risk management tools are either locally embedded specialization which cannot be accessed elsewhere, or company-specific global strategies that utilize the development of an organizationally complex international network for technological learning (Culp and Miller, 1995a). The more typical pattern of international specialization in ICT risk management within SMEs is for the development of risk management strategies that are core to the firm's industry. Thus, when ICT-based risk management strategy is dispersed at the macro level, it is most often attributable to technology acquisition by the firms of other industries. 2.2. Characterizing ICT risk management in EU’s SME’s In the European Union, evidence has now emerged that the choice of foreign location for technological development in support of what is done in the home base of the SMEs depends upon whether or not host regions within countries are either major centres for innovation (Culp and Miller, 1995a). Most EU countries are not major centres and tend to be highly specialized in their profile of technological development, and hence attract foreign-owned activity in the same narrow range of fields; in the major EU centres much of the locally-sited innovation of foreign-owned SMEs does not match very well the specific fields of local specialization, but is rather geared towards the development of technologies that are core to the current techno-economic paradigm (notably ICT) or earlier models (notably mechanical technologies) (Denning and Branstad, 1996). The need to develop ICT risk management strategies in EU SMEs is shared by the firms of all industries, and the knowledge-sharing between SMEs and local firms in this case may be inter-industry in character. Thus, ICT development in centres of excellence is not a prerequisite for firms in the ICT industries, but instead involves

 JTES: Journal of Technology and Engineering Sciences   the efforts of the SMEs of other industries in these common locations. It may also be the case that development of the capability to manage a geographically complex international network lies in a firm's specialization in ICT. The opportunities created for the fusion of formerly unrelated types of technology through ICT has made feasible new combinations of activities, the best centres of expertise for which may be geographically distant from one another. The enhanced expertise in ICT seems to provide a company both with greater flexibility in its risk management, and an enhanced ability to combine distant learning processes in formerly separate activities. If this is the case for manufacturing companies in general, it is all the more true for electrical equipment and ICT specialist companies. Affiliate networks are increasingly used to source new technology. Accordingly, global learning has become an important mechanism for corporate technological renewal within SMEs. The key importance of ICT to the now more complex management of innovation in SMEs is that it enables firms to better exploit their risk management capabilities across national boundaries, owing to the role of ICT as a means of combining fields of knowledge creation that were previously kept largely apart (Denning and Branstad, 1996). However, while this use of ICT has led many small firms to extend the breadth of their technological diversification to create new combinations, in some mediumsized firms the extent of risk management diversification has been reduced, so as to better focus on the most promising possible combinations from amongst the broader initial dispersion of innovative activity that such companies have inherited from the past (Culp and Miller, 1995a). Freeman and Perez (1998) argued that, in the latest techno-economic model, ICT has become a crucial factor of innovation across risk management. Company evidence now suggests, more than this, that ICT has also become a core connector of potential

Jul­Dec 2009 Vol­1 No­2 

fields of risk management development within firms, facilitating a fusion of a formerly disparate spread of risk management activity. Thus, while in the past the machine-building industry simply passed knowledge of methods from one field of mechanical application to another, ICT potentially combines the variety of technological fields themselves and so increases the scope for wider innovation. Hence, innovation has become a still more central part of SMEs development in the ICT age. This role of ICT as a promoter of innovation within the SMEs risk management sector is a further key factor in the shift away from SMEs as institutions for risk management transfer between established activities frequently organized along miniature replica lines in different locations, and towards SMEs as developers of international networks for risk management tools creation, combining formerly unconnected streams of innovation. Internationalization through the SMEs, corporate development and the application of ICT have become intertwined in a new era of risk management. With increased volatility in EU financial markets, SMEs have learned that their value has become more subject to the risks occasioned by changes in their financial environment. There are a number of approaches that SMEs have adopted to deal with this risk. Some early commentators report that the overall strategy of many SMEs in ICT risk management is defensive, in that they attempt to minimize the impact of market risk. However, more recent analysis has identified that the key SME objectives when managing risk are cash flow management and the smoothing of earnings fluctuations (Dibner et al., 2001). While both are important for UK and US-based SMEs, smoothing earnings is of particular relevance for medium-sized enterprises, while cash flow management is considered more important for smaller companies. These findings for SMEs are consistent with previous single country studies of domestically domiciled firms in

 JTES: Journal of Technology and Engineering Sciences   the UK and US (Dibner et al., 2001). One avenue for further exploration is the extent to which regional differences can be explained by company characteristics. The central question confronted by an SME director is the extent to which the value of the firm's cash flow or earnings are exposed to changes in financial asset prices. In the context of foreign exchange risk, three classifications are commonly adopted in the literature, namely transaction or contractual exposure, translation exposure, and economic or operating exposure. These are not mutually exclusive; rather they are over-lapping. They are also easily generalized to other sources of market risk. SMEs are normally exposed to more than one type, and there is still no general agreement as to which exposure needs to be emphasized from the financial management perspective, although several authors have taken a strong stance on this issue. Contractual exposure arises from a SMEs fixed contractual obligations: accounts payable/receivable, long-term purchase/sale contracts, and financial positions expressed in foreign currency. If the source of information on contractual exposure is accounting data, then it becomes relatively transparent and easy to quantify for most types of market risk. Moreover, contractual cash flows are fixed either in domestic (reference) currency units or in units of the firm's output. Their nominal value in domestic currency then changes in the same proportion as the change in the exchange rate, foreign currency price, or amount sold, all other things being equal. Alternatively expressed, contractual exposures have an elasticity of one. Empirical studies of SMEs based in the UK, US, and the Asia Pacific suggest that most tend to focus upon the management of contractual rather than translation or economic exposure.

3. Conclusion: ICT and its benefits to SME’s As a concluding thought, it must be stated that there is common ground among

Jul­Dec 2009 Vol­1 No­2 

the different views on ICT risk management in SMEs, which, in essence, deal with the same issues in the organization. The ICT risk management approaches described in this paper argue that the degree to which a firm can utilize and leverage its ICT risk management process to exploit commercial business opportunities depends on several key factors. These factors or generalized business processes include governance, product management, customer management, and knowledge management, and how each of these processes interact with the internal risk management process of the firm in question. The interaction between these generalized business processes and a firm's ICT risk management process characterizes the company's risk culture. Though having dissimilar views on the peculiarities or precise details of ICT implementation in each particular situation, researchers agree that the business process of governance is critical at each stage of ICT risk management. Sound ICT risk management, for example, requires independence of risk management decisions from risk-taking activities in order to preserve the integrity of the risk management process. Apart from the role of governance in the ICT risk management process, however, governance as a more general business process also helps characterize the relationship between that internal risk management process and new business opportunities. A sound governance process for a corporation should provide the proper organizational support for the design, implementation, evaluation, and tuning of a company's risk management strategy. For those firms wishing to limit their risk management activities to internal risk management, the key success factors for a sound governance process will include the following: independence between risktaking and risk-controlling areas of the firm; clear determination of risk tolerances by senior managers and directors; and regular outside reviews of the process.

 JTES: Journal of Technology and Engineering Sciences  

References [1]A Strategy for Incorporating Risk Assessment in the Compliance and Ethics Agenda: Evolution of the Risk Assessment Process as a Compliance and Ethics Tool. Available at: http://www.aon.com/us/busi/risk_manageme nt/risk_consulting/ent_risk_mgmt/ERM_Co mpliance_WP.pdf (Accessed March 09, 2009). [2]Atkinson, A., Banker, R., Kaplan, R. S., and Young, S. M. (2001) Management Accounting. Upper Saddle River, NJ: Prentice-Hall. [3]Berkovitch, E., and Narayanan, M. P. (1993) Motives for Takeover: An Empirical Investigation. Journal of Financial and Quantitative Analysis, vol. 28, pp. 347-62. [4]Bodnar, G. M., Hayt, G. S., and Marston, R. C. (1996) 1995 Wharton Survey of Derivative Usage by US Non-Financial Firms. Financial Management, vol. 25, no. 4, pp. 113-33. [5]Bodnar, G. M., Hayt, G. S., and Marston, R. C. (1998) 1998 Wharton Survey of Derivative Usage by US Non-Financial Firms Financial Management, vol. 27, no. 4, pp. 70-92. [6]Bodnar, G. M., Hayt, G. S., Marston, R. C., and Smithson, C. W. (1995) 1994 Wharton Survey of Derivative Usage by US Non-Financial Firms. Financial Management, vol. 24, no. 2, pp. 104-5. [7]Christensen, J. A. and Demski, J. S. Accounting Theory – An Information Content Perspective, Boston: McGraw-Hill. [8]Collier, P. A. and Davis, E. W. (1985) The Management of Currency Transaction Risk by UK Multi-National Companies. Accounting and Business Research, vol. 16, no. 3, pp. 327-34. [9]Collier, P. A., Davis, E., Coates, J., and Longden, S. (1990). “The Management of Currency Risk: Case Studies of US and UK Multinationals”, Accounting and Business Research, vol. 20, pp. 206-10.

Jul­Dec 2009 Vol­1 No­2 

[10]Collier, P. A., Davis, E., Coates, J., and Longden, S. (1992) Policies Employed in the Management of Currency Risk: Case Study Analysis of US and UK. Managerial Finance, vol. 18, no. (13/4), pp. 41-52. [11]Copeland, T. E., and Joshi, Y. (1996) Why Derivatives Don't Reduce FX Risk. Risk Management, vol. 43, no. 7, pp. 76-9. [12]Culp, C.L. and Miller, M.H. (1995a) Metallgesellschaft and the Economics of Synthetic Storage. Journal of Applied Corporate Finance, vol. 7, pp. 6-21. [13]Culp, C.L., and Miller, M.H. (1995b) Auditing the Auditors. Risk, vol. 8, pp. 3639. [14]Cummins, J. D., Phillips, R. D., and Smith, S. D. (1998) The Risk of Risk Management. Economic Review, vol. 83, no. 1, pp. 15-21. [15]Daft, Richard L., & Weick, Karl E. (1984) Toward a model of organizations as interpretation systems. Academy of Management Review, vol. 9, no. 2, pp. 284295. [16]Denning, D. and Branstad, D. (1996) A Taxonomy for Key Escrow Encryption Systems. Communications of the ACM, vol. 39, no. 3, pp. 1-12. [17]Dibner, B., Meyers, D. and Tahir, M. (2001) E-logistics and the 2000 Bulk Supply Chain Survey, New York: Mercer Management Consulting. Enterprise Risk Management – Integrated Framework (2004). Available at: http://www.coso.org/Publications/ERM/CO SO_ERM_ExecutiveSummary.pdf. (Accessed March 08, 2009). [18]Enterprise Risk Management Quantification - An Opportunity (February 2006). Available at: http://www.aon.com/about/publications/pdf/ issues/wp_2006_02_enterprise_risk_manage ment_235.pdf. (Accessed March 08, 2009). [19]Freeman, C. and Perez, C. (1998) Structural Crises of Adjustment, Business Cycles and Investment Behaviour. In: Dosi, G., Freeman, C., Nelson, R. R., Silverberg, G. and Soete, L. L. G. (eds.) Technical

 JTES: Journal of Technology and Engineering Sciences   Change and Economic Theory. London: Frances Pinter. [20]Gordon, L. A., Loeb, M. P. and Lucyshyn, W. (2003) Information Security Expenditures and Real Options: A Wait and See Approach. Computer Security Journal, vol. 19, no. 2, pp. 1-7. [21]Hitt, M., Ireland, R., Hoskisson, R., Rowe, W. G., and Sheppard, J. P. (2002) Strategic Management: Competitiveness and Globalization—Concepts, 1st Canadian ed., Toronto: Nelson Thomson Learning. [22]Joseph, N. (2000) The Choice of Hedging Techniques and the Characteristics of UK Industrial Firms. Journal of Multinational Financial Management, vol. 10, pp. 161-84. [23]Kren, L. (1997) The Role of Accounting Information in Organizational Control. in Arnold, V. and Sutton, S. G. (eds) Behavioral Accounting Research: Foundations and Frontiers, Sarasota, FL: American Accounting Association. [24]Langfield-Smith, K. (1997) Management control systems and strategy: A critical review. Accounting, Organizations and Society, vol. 22, no. 2, pp. 207-232. [25]Moore, K. (2000) The E-volving Organization (strategies for incorporating e-commerce productivity into old and new business). Ivey Business Journal, November 1. [26]Staten, M. (2001) Customer relationship management as a Privacy Enhancer. Available at www.acxiom.com. [27]Sercu, P., and Uppal, R. (1994) International Capital Budgeting Using Options Pricing Theory. Managerial Finance, vol. 20, pp. 3-21. [28]Shapiro, A. C. (1999) Multinational Financial Management, 6th ed. New York: John Wiley.

Jul­Dec 2009 Vol­1 No­2