Managing Risks in SMEs: A Literature Review and Research Agenda

In times of crisis, companies need to carefully monitor current expenses and forecast potential costs, which could be caused by risky actions. Risk is inherent in all business functions and in every kind of activity. Knowing how to identify risks, attribute a value and a priority scale, design actions and mechanisms to minimize risks, and continuously monitor them, are essential to guarantee companies' survival and create sustainable value. This is especially true for small- and medium-sized businesses that are most exposed to the harmful effects of the risks, due to limited resources and structural features. The objective of this study is to analyze available literature on the subject of risk management for small- and medium-sized enterprises from 1999 to 2009. The analysis derives interesting characteristics from the scientific studies, highlighting gaps and guidelines for future research.

The next section is devoted to the theoretical framework, including the definition of risk management, risk classifications and areas of RM application. Section 3 presents the research questions and investigation methodology adopted, followed by the results and conclusion.

One of the first definitions of risk is attributed to Bernoulli, who in 1738 proposed measuring risk with the geometric mean and minimizing risk by spreading it across a set of independent events (Bernoulli, 1954). Accordingly, the traditional definition of risk is measured by two combined variables: a) frequency of occurrence (probability) of the "risky" event, i.e., the number of times the risky event is repeated in a predetermined period and b) extent of the consequences (magnitude) that the event generates, i.e., all the results of its occurrence. Following Chapman and Cooper (1983), risk is the possibility of suffering economic and financial losses or physical-material damages, as a result of an inherent uncertainty associated with the action taken.
In a later definition developed by management literature, the concept of risk comprises positive and negative consequences of an event, which may affect the achievement of strategic, operational and financial objectives of a company (BBA, et al., 1999). Given the complexity and magnitude of the risks that companies face, scholars recognize a macro classification of risks into two main categories (Mowbray, et al., 1979). First, pure or static risk is the risk that only causes damage without the opportunity of earning from its occurrence. Always negative, it is characteristically unexpected because it is determined by accidental events. This risk falls perfectly under the insurance policy. Second, speculative …


Introduction
Risk can be seen as the possibility of economic or financial losses or gains, as a consequence of the uncertainty associated with pursuing a course of action (Chapman and Cooper, 1983). Risk pervades all human actions (to varying degrees), all kinds of business and every area of management of a company. However, in many cases, risk can be predicted on the basis of experience, trying to better govern the disorder. Risk management (RM) has the task of identifying risks, measuring the probability and the possible impact of events, and treating risks, eliminating or reducing their effect with the minimum investment of resources. RM is being developed and adopted in a lot of fields, such as environment, healthcare, public safety, and within enterprise management. This paper considers RM for small and medium enterprises (SMEs). More so than larger organizations, SMEs require the adoption of a risk management strategy and methodology, because they lack the resources to respond promptly to internal and external threats, leading to potentially huge losses that seriously threaten their survival.
A further motivation to push the implementation of RM in SMEs is to protect innovative projects, which are fundamental to gain competitive advantage and succeed in the market, but necessarily involve risky decisions and activities (Vargas-Hernandez, 2011). The early identification and management of risks is required by innovative SMEs to control the project-related risks. Risk management could enhance the ability to successfully manage all stages of the innovative projects.
It has only been a few years since the management literature started to show an interest in applying RM in SMEs; for this reason, many areas are still understudied.
The choice of this theme is determined first, by the SMEs' fundamental role in society from an economic and social point of view; in Europe they comprise 99.8% of the total number of companies, employ 67.4% of workers and generate 58.1% of the total gross value added (Ecorys, 2012). Despite the SMEs' importance, having fewer resources and structural features results in a greater vulnerability to risk. Thus, the second motivation is to promote the development of RM for SMEs; till now there have been limited studies to improve these firms' ability to survive and create value over time.
The research objectives are therefore to analyze the existing literature concerning the application of RM in SMEs from 1999 to 2009, synthesize and classify it based on different established categories, and then highlight the current gaps and opportunities for future research.

the occurrence of the damage. A threshold of acceptability must be defined to proceed to the next stage, depending on the risk appetite of top management and on the resources available for RM. The third stage is the treatment of unacceptable risks, which identifies the most appropriate actions to reduce the risk; and finally the process is supervised. In the literature, the first two phases (identification, evaluation and analysis) are often called risk assessment. The implementation of an RM system is a long-term, dynamic and interactive process that must be continuously improved and integrated into the organization's strategic planning (Di Serio, et al., 2011).

Development Paths of Risk Management
In the last decades, we have witnessed an increasing vulnerability of the industrial and social systems (e.g., related to clinical risks, natural risks, safety of workers, etc.), leading to a growing social concern about this phenomenon. A proliferation of theoretical and empirical developments of RM has taken place during the same period in many fields, with specific methodologies, models and techniques, coming from different cultural contexts. After an in-depth study of the literature (Verbano and Venturini, 2011), the RM applications have been classified into nine different streams:

• Strategic risk management (SRM): an integrated and continuous process of identification and assessment of strategic risks (human, technological, brand, competition, project and stagnation risks), which are considered obstacles that prevent reaching an organization's financial and operational goals (Chatterjee, et al., 2003).

• Financial risk management (FRM): a process of creating economic value in a firm by using financial techniques it in the exercise of its activities, through the use of instruments of various kinds (prevention, retention, insurance, etc.) and in the best cost conditions (Urciuoli and Crenca, 1989). Another definition is RM refers to the process of planning, organizing, directing, and controlling resources to achieve given objectives when unexpectedly good or bad events are possible (Head, 2009).
The International Organization for Standardization (ISO 31000, 2009) identifies the following principles of RM that should: create value; be an integral part of the organizational processes; be part of decision making that explicitly addresses uncertainty; be systematic and structured; be based on the best available information; be tailored; take into account human factors; be transparent and inclusive; be dynamic, iterative and responsive to change; and be capable of continual improvement and enhancement.
The adoption of an RM methodology can lead firms to reduce the uncertainty in enterprise management, to ensure continuity in production and trading in the market, to decrease the risk of failure, and to promote the enterprise's external and internal image. Therefore, RM creates business value, maximizing business profits by minimizing costs (Urciuoli and Crenca, 1989).
Risk management (Fig. 1) follows a stage-gate process (Henschel, 2009; ISO 31000, 2009; Urciuoli and Crenca, 1989). A preparatory step requires defining the RM plan to be consistent with strategic business objectives, and conducting a context analysis. The first stage aims to identify all the risks to which the enterprise is exposed. The second stage is the assessment and risk analysis, which aims to determine the probability and the expected magnitude associated with

control those risks (related to human and organizational factors or technological aspects) (Walshe and Dineen, 1998). The aim is both to improve the safety and quality of care for patients and to reduce the costs of such risks for healthcare organizations (Verbano and Turra, 2010).

Research objectives and methodology
The objective of this paper is to search and analyze all published studies on RM for small and medium firms, written in English between 1999 and early 2009, to map the issues that have been investigated and to suggest guidelines for future research.
According to specific selection criteria, we constructed a database of 33 articles and then interpreted the data with respect to the areas of major interest for the RM field. The following steps have been performed in detail:

A. Selection of databases and identification of papers. To identify the collection of papers for review, we conducted a search of electronic journals in the following databases: Compendex, Ebsco, Emerald, Ingenta Connect, InterScience, JSTOR, Web of Science and Science Direct. The research in electronic databases required the identification of keywords, such as risk management (RM) (in the first string), SMEs (in the second string) or SMEs risk management (in the different strings).

B. Selection of papers. This led to the rejection of articles not strictly connected with RM in SMEs, which were related to the following topics: clinical risk, disaster risk and engineering risk.

C. Classification of different established categories and analysis. The papers obtained from the research and selection of the literature have been classified, following the procedure suggested by Williams and Oumlil (1987), and adapted for the scope by considering different perspectives: "Hazard risks", comprising fire and other property damages, windstorm and other natural perils, theft and other crimes, personal injury, business interruption, disease and disability (including work-related injuries and diseases), and liability claims.

and methodologies to manage exposure to risk (credit, exchange rate, inflation, interest rate, price and liquidity risk) (Crockford, 1986).

• Enterprise risk management (ERM): a process applied across the enterprise, designed to identify potential events that may affect the organization, and manage risk (strategic, market, financial, human, technological and operational risks) to be within its risk tolerance, to provide reasonable assurance for achieving enterprise objectives (COSO, 2004).

• Insurance risk management (IRM): a pure risk management process in a firm (where pure risk can be of environmental, social, personal and technological types), based on the observation of damaging events that have already occurred, the application of a premium and the subjective assessment based on the assessor's experiences and competencies (Gahin, 1967).

• Project risk management (PRM): a process integrated into the project's life cycle, which involves defining objectives, identifying sources of uncertainty, analyzing these uncertainties and formulating managerial responses to develop an acceptable balance between risks and opportunities (Thevendran and Mawdesley, 2004). Project risks can be of technical, operational, organizational, contractual, financial, economic and political types.

• Engineering risk management (EnRM): a complex and continuous process that involves managing the planning, design, operation and evolution of an engineering system. This is aimed to identify and choose appropriate responses to problems related to different risk factors (technical/operational risks) through the use of a systemic and proactive approach (Regan and Patè-Cornell, 1997).

• Supply chain risk management (ScRM): a shared RM process, developed in collaboration with the partners in the entire supply chain, to deal with the risks (logistics, financial, information, relationships and innovation risks) and uncertainties resulting from logistic activities and resources (Norman and Lindroth, 2002). With the diffusion of the open innovation phenomenon (Petroni et al., 2012), many companies are building strong supply chain partnerships with business partners, such as manufacturers, distributors, suppliers and customers, and consequently risks deriving from these relationships have to be managed carefully.

• Disaster risk management (DRM): a holistic and flexible approach in governing any community, involving a series of actions (programs, projects and measures) and tools aimed at reducing disaster risks (deriving from natural phenomena, terrorism, epidemics and industrial accidents) and mitigating the spread of disasters, following the processes, structures and rigour typical of RM (Garatwa and Bollin, 2002).

• Clinical risk management (CRM): an approach to improve healthcare quality, which identifies circumstances that put patients at risk of harm, and then acts to prevent or

To complete the analysis, the data has been integrated with the geographic origin of the articles and the year of publication.

Results: main characteristics of literature analyzed
The database obtained is composed of 33 articles. Table 1 shows the balanced spread of articles across academic journals, conference proceedings and other sources, such as reports, while Figure 2 illustrates each author's country of origin and the article's year of publication.
First, it can be observed that the topic of risk management for SMEs is of interest in various fields of study, from purely business management to new applications of statistical and mathematical models, and computer software design. The Production Planning & Control journal published the most (four articles), while the rest of the journals devoted only one article to this topic during the 1999-2009 period.

b. "Strategic risks", comprising damage to reputation (e.g., trademark/brand erosion, fraud, and unfavourable publicity), competition, customer wants, demographic and social/cultural trends, technological innovation, capital availability, and regulatory and political trends.
• RM process, classified as "total" when all the stages of the process are applied, or as "identification", "evaluation" and "treatment" when a single phase(s) is (are) applied.

process management. This is followed by articles about financial risks (29%) that mainly involve credit problems, both from the viewpoint of the lenders (banks or credit institutions) and of the SMEs, assuring the credit institutions of their stability and solvency. Strategic risks are considered by 14% of the total papers, where particular attention is paid to innovation aspects, and only one paper discusses hazard risks, specifically personal injuries.
Based on the risk management process (Fig. 4), the total process is studied by 36% of the articles, while as a single phase, evaluation is the most analyzed (42%), followed by identification (15%); less studied are risk treatment (6%) and context analysis (3%). Regarding the risk streams (Fig. 4), the papers cover almost all of them, but the highest interest is in the studies about ERM (43%), followed by FRM (27%), ScRM (15%), PRM (9%) and SRM (6%).

Discussion: Gap analysis and emerging research agenda
To verify if the literature on risk management for SMEs is complete and properly deals with all streams and risk types, a cross-analysis table has been built (Tab. 3).
From 1999 to 2005, very few papers were published per year, while a growing trend can be noticed from 2006 (four publications) till 2009 (seven publications); as for the country of the first author cited per article, most of the papers came from China and the United Kingdom (Fig. 2).
Table 2 lists the classification of papers by main characteristics: research type, sector, risks type, RM stream and process.
The majority of papers are not focused on a specific sector, but the sector most analyzed by the literature is manufacturing, while a minority of papers evaluate enterprises that were operated by project (construction, aeronautical and automotive).
Considering the research type (Fig. 3), the majority of studies are empirical (64%), presenting a model or a method application or a theoretical framework tested with empirical case studies, followed by conceptual modelling (30%) and literature review (6%). As for "risk type" (Fig. 3), it shows that the articles mainly deal with operational risks (54%); in particular, the most considered concern information technology management, followed by production planning and

Strategic risks, which follow in terms of the number of studies, include four articles in ERM (the most studied area of interest for SMEs) and one in SRM.
Only one paper is dedicated to hazard risks, highlighting a gap in literature and a possible new area of research. Especially for SMEs, this kind of risk often leads to failure of the enterprise (for example, fire or another catastrophic accident) because of the difficulty in rebuilding or immediately restoring the facilities to restart production, and also for the loss of the warehoused products. It would be more interesting to consider hazard risks across different streams.
It emerges from the analysis of the operational and strategic risks that no study has tackled the human resources problem, particularly regarding key-people who possess exclusive knowledge, competencies and experiences, and are therefore not easy to replace. Often, the entrepreneur of

From the analysis of Table 3, some considerations can be made about risks and streams. Regarding risk types, the above table shows that scholars have mainly analyzed operational risks. As expected, the articles dedicated to operational risks in almost all cases belong to the ERM stream, which is the activity responsible for the global risks of an enterprise, such as strategic, market, financial, human, technological and operational risks. The SMEs engaged in manufacturing daily face internal and external disturbances to their operations, which create risks and reduce business performance in terms of production, production capacity, human resources, market share and financial losses. In view of this, it is important for SMEs to adequately manage these potential risks to ensure their survival in the market.
Other studies devoted to operational risks are located in the ScRM stream (five) and the PRM stream (three). In any case, operational risks are those that most of the others are distributed among different streams, partly because they refer to a great number of business activities.
In the second position are the studies on financial risks, nine in FRM and just one in ERM. The limitation of the financial risk type to the FRM stream poses some important ques-

Conclusions
In the debate among managers, there seems to be a fruitful interest in RM applied to SMEs. However, this is not accompanied by a substantial body of studies in the literature.
The impression is that RM for SMEs is still a "spot" subject, despite their wide diffusion and importance from an economic and social perspective, and the fact that they are structurally weaker and exposed to the danger of failure when facing unexpected risks.
From the analysis of the years of publication, the increasing trend in the number of studies demonstrates the growing interest in this topic. The majority of the articles are empirical, adopting a case study methodology typical of the explorative investigation, according to the novelty of this research field.
Moreover, there is a significant concern about the financial aspect. The problem most dealt with is not obtaining a bank credit, but developing an instrument to evaluate the financial solidity of the small enterprise and therefore avoiding the problem of insolvency.
Another emerging pattern from this study is that scholars mainly designed instruments for the identification and evaluation of risks. This is in line with Keizer et al.'s definition (2002): "Risk processes do not require a strategy of risk avoidance but an early diagnosis and management". At the same time, there is a lack of focus on risk treatment as a general principle, as well as for the specific industrial sector. Only 6% of the papers highlight risk treatment; while many articles consider the total process, the treatment phase typically lists only the four possible types of solutions (i.e., retention, avoidance, sharing and reduction), without suggesting how to select and apply the best combination of techniques.
Particularly important for SMEs, there is a lack of interest in the risk connected with the presence of the key person in personnel management.
a small firm is an extremely important key person, whose role is crucial for the positive and regular performance of an enterprise and even more for its continuous growth.
However, considering not the risk type but the area of study, ERM is the most studied stream. It is also evident that ERM covers almost all risk types, although the most important one is the operational aspect, which ensures the continuity of operations.
The fact that ERM and FRM are the streams most discussed is quite expected. Small firms suffer in the management of operational risks and financial conditions. In these times of crisis, banks are much more cautious in lending money to SMEs and set up stricter evaluation mechanisms to avoid risks.
Project RM is less studied, an area that also covers the risks of innovative projects. Considering the strategic need to invest in innovation and adopt practices that help facilitate ground-breaking processes, it seems appropriate that scholars develop models and procedures to manage risks in innovative activities. Another evident gap is that the IRM stream seems to be a neglected topic for a research study; this may be because enterprises usually insure their assets, but often without applying any kind of RM process.
The research agenda would like to analyze why IRM and hazard risks have been disregarded, and in a second phase, propose specific instruments for RM in SMEs. The research agenda would also consider evaluating (perhaps by using a qualitative perspective) the importance of key people within an enterprise, to understand the degree of risk in the event they abandon the firm, and to prevent this occurrence with adequate measures (for example, knowledge sharing and personnel retention).
*Some articles have considered more than one risk type though in the same research stream.

Other possible future research topics emerging from the gap analysis include more considerations on hazard risks and insurance risk management, as well as strategic and financial risks in the context of project management and supply chain management. As has been observed from analyzing the RM literature for all companies, the most recent challenge is the drive towards an integrated management of all risk types (ERM), where it is hoped that the experience gained in different paths can be pooled (Verbano and Venturini, 2011). This paper's contribution is to emphasize a new research stream that studies the implementation of RM in the context of smaller companies, detailing the first contributions and suggesting future directions. Although the current study provides an input to the field, knowledge of the issues is inadequate at this early stage, and practical and academic studies are still very limited. Many useful implications are expected in the future from this emerging stream, especially in this period of economic recession, where the companies' survival is so threatened and important.

Figure 1. The Risk Management Process.

Figure 2: Countries and years of publications

Table 1. The different sources for the literature research

Journals (1 article each): Australian Computer Society, Business Process Management J., Engineering Letters, Information & Management, Int. J. of Risk Assessment and Management, J. of Issues in Informing Science and Information technology education, J. of Small Business Management, Management Decision, Organisation studies, Supply Chain Management: An Int. J., The J. of Business Perspective

Conferences: The 4th SME Int. Conference, IEMC 2004 Int. Engineering Management Conf., ICMIT 2006 IEEE Int. Conf. on Management and Innovation Technology, DEST 2007: Inaugural IEEE Int'l Conf. on Digital Ecosystems and Technologies, ECIW 2007: 6th Eur. Conf. on Information Welfare & Security, 2007 Int'l Conf. on Service Systems and Service Management, WiCOM 2007: 3rd Int. Conf. on Wireless Communications, Networking, and Mobile Computing, ISBIM 2008 Int'l Seminar on Business and Information Management, WICOM 2008: 4th Int. Conf.

Table 2: Paper classification