Risk Management Strategies for Small and Medium Enterprises (SMEs) to Survive in the COVID-19 Economy

6 min read


The coronavirus or COVID-19 presents a significant threat to all kinds of business and more to SMEs. Among the many other problems, the moves of the government to contain the public health risk may have caused a sudden fall in demand for your products or services, staff shortage and supply chain disruption.

Your business may be more fragile or cash-strapped due to lowered demand. Nobody knows how long the COVID-19 crisis will last. If the crisis is going to be a prolonged one, either the consumers will consume less or change the way they purchase. Now’s the time to activate a robust action plan to position your business to navigate the COVID–19 crisis and be ready for a rapid recovery when things show positive signs. Your risk management strategies will come in handy to help you sail through the disruption and lift you through the coming hardship.

Here are the key steps to success:


he first step is to identify and understand risks which are very unique to your business. The best way to do it is to use the existing risk management principles to make improvements as per your current needs so that you will not only weather the present COVID-19 crisis, but also get back to high performance quickly. 

What are the Risks to Identify?

The biggest risk is COVID- 19. Infection to those who may be at risk may include your staff, visitors to your business facility, cleaners, contractors, etc.

Other risks may include disruption due to social distancing, plummeting employee productivity, tensed supply chains, recession, unemployment, investment pull-back and civil unrest.

Apply the principles of Risk Management to identify the risks

If you already have a risk management practice in place, you can use its principles as shown below as ready reckoners, or you can start following the tried and tested practices.

Enterprise Risk Management (ERM):  Systematically helps identify, assess and monitor a wide range of risks (e.g. strategic, financial and legal risks) and the need to find mitigation strategies.

Operational risk management (ORM): Provides insights on how to catalog operational risks and associated details in a common risk repository called a risk register, and link risk appetites to business objectives which can enable assessments of risk to calculate inherent and residual risks and help in creating risk mitigation strategies.

Digital Risks: These can occur due to risks associated with enterprise technologies and third parties. During this time of COVID-19 Crises, risks can come even from social engineering scams.

Business continuity management: Covershow to plan and execute a centralized approach to business continuity and disaster recovery (DR) management across organizational functions, to improve response time during critical events, and more.

Internal Audit management:  Provides insights onrisks including risk assessments and defines action plans to remediate issues and monitor them to closure.

How to Assess Risks

Steps to follow are:

  • Risk identification which follows event identification and precedes risk response
  • Develop assessment criteria
  • Assess risk interactions
  • Prioritize risks as per their probability, vulnerability and speed of onset. You can define these under 4 criteria like high/some/small/very little probability.

The next steps in risk assessment steps include risk analysis, risk evaluation, risk communication, and risk response.

Risk assessment helps in reducing operational risks, improving safety and performance, and achieving objectives.


Depending on your industry, company size, location, and other factors, you can make a wide range of preparations. Your risk response should be driven by the decision of risk acceptance, reduction, sharing, avoidance or complete elimination of each risk.

Below are some common areas that will help you plan your risk mitigation:

  • You can consider moving your budget from fixed cost to variable spending. Reconsider the rent on office space as more employees will be working remotely.
  • Cash is king for businesses – it is wise to cut down unnecessary spending or expansion plans to conserve the cash.
  • While focusing on the operational elements of risk management such as taking care of people, having them work from home, it is also critical to think from the viewpoint of compliance by publishing clear HR policies, data security policies, confidentiality and other policies.   
  • You may choose to shift toward the localization of your supply chain so that you can be immune to the increasing protectionism and risk aversion due to a recessionary climate.
  • Digitization: More than ever before, digitization is getting a real push, and everybody is on a fast forward mode to experiment with digital channels into every aspect of their business. But this calls for more investment in the cloud, data, cybersecurity, and digital risk management.
  • Increase supply chain resilience: While it is good to localize supply chains, it is required to build capabilities in your supply chain to respond to unexpected events quickly or return to the earlier supply chain as soon as possible or innovate to get to a better state.
  • Be sure to connect and maintain repositories of all risk mitigation activities, procedures, and controls in one place to make it easily accessible when needed.
  • Put internal controls in place to mitigate risks. For example, in the context of COVID-19, simple controls may include hand washing, cleaning, social distancing, etc.


After you have put all risk mitigation strategies and controls in place, you need to do auditing to check if all is working well. But during this restrictive time, you will have to adapt to remote auditing as it is a quick and efficient way to assess and minimize errors, and enable significant savings on time and effort. The use of audit functionalities on smart devices has been greatly transforming the changing audit landscape.

  • Replicate face-to-face working environments with virtual environments including phones, computers, and services.
  • Capture organizational communication processes when defining remote auditing
  • Virtual storage of records (shared or isolated)
  • Broadcast messages – video conferencing, teleconferencing, email or group meetings
  • Prepare well before virtual meetings to ensure every dialogue for decision making is covered and before concluding the meeting, clarify action items, owners, and deadlines.
  • Have a central location that contains an up-to-date contact list with email, phone numbers with work time or work shifts.
  • Set up online audit scheduling, format, and checklist.
  • Use desktop sharing features extensively as necessary for reviewing records, procedures, documents, audit trails, procedure reviews, recording meetings, video conferencing, and audio conferencing.
  • Use Asynchronous communication such as SharePoint offices.


Whether you already have a business continuity plan or are putting a plan in place now, consider addressing COVID-19 in the plan. A continuity plan calls out the critical and time sensitive applications, vital records, processes, and functions to be maintained, as well as the personnel and procedures necessary to do so, while the entity is being recovered. It needs to have six major components: data critical analysis and data back-up plan ( DCA & DBP ), Business Continuity Plan (BCP), Emergency Response Plan (ERP), Contingency Testing Plan (CTP) and Disaster Response Plan (DRP)

Here are a few important steps to follow while creating a plan:

  • Find and analyze Business Continuity Strategy requirements and document them.
  • Review issues related to business recovery, technology and non-tech recovery issues for each support service.
  • Identify, analyze, and document alternative recovery strategies.
  • Compare internal and external solutions assessments of risk associated with each optional recovery strategy.
  • Assess suitability of alternative strategies against the results of a business impact analysis.
  • Effectively analyze business needs criteria, and the objective of planning and evaluation method.
  • Senior management must be aware of the Cost/Benefit Analysis of Recovery Strategies and recommendations from experts.

Despite the uncertain times we’re living in right now, with a risk management and business continuity plan in place, you won’t miss a beat. One thing that’s special about businesses that have a robust risk management plan is that they will get through the difficult COVID-19 crisis, will have a V-shaped recovery curve and bounce back faster than others.

Stay Safe & Stay Alert

Blog Image

Priyabrata Sahoo Associate Vice President

Priyabrata Manages MetricStream University & ComplianceOnline functions for MetricStream which enable partners and customers through training, content and expert services.