Reto Bruderer should know: he's close to his customers, as well as being an expert on the subject. As Helvetia's Head Risk Engineering, he answers questions about the top risks for SMEs and how they can best protect themselves.
In the past, the boss of an SME was primarily concerned with the production or distribution of goods or services. If core business was good, you might say, so was everything else. But today, driven by globalization and digitalization, the world is more networked. On top of that, the legal framework is changing rapidly – so whoever's in charge of an SME has completely different questions to answer. Is my IT infrastructure secure if criminals attack it? Are there any changes in the regulations that affect my business? And how dependent am I on supplies from other countries?
A good question, and one that business leaders, experts, researchers and the media are grappling with. So my selection is nothing new, here are my own top five:
The first two in particular are closely related. Business interruption has always been one of the top risks. Just imagine: if a business can't operate for a certain period of time, it runs out of cash to meet running costs – wages, rents, social security contributions. This can be an existential threat to an SME. The causes of business interruption are very diverse, but insurance companies offer solutions for most of them. If production comes to a halt because of fire, flood, theft or vandalism, property insurance pays for the resulting loss of earnings if this is also insured.
The risk of business interruption following a cyber attack, on the other hand, is relatively new. And the extent of this threat becomes apparent when you consider that many production processes, and even services, are digitalized. Almost every day we read media reports of cyberattacks that cause considerable damage and lead to production or service interruptions.
Professional cyberrisk management today rests on three mainstays. Firstly, it requires a secure IT infrastructure that is maintained and supported by professionals. Secondly, the infrastructure is only as strong as the people who operate it, and this depends to a large extent on organizational factors – access or password concepts, for example. In concrete terms, SME managers have to train their employees to ensure that cyber criminals have little chance of attacking the network. At Helvetia, for example, we offer free e-learning courses on the subject of cybersecurity. And last but not least, if the first two mainstays collapse, cyberinsurance is there when it matters. Besides covering the costs of analysing the damage, restoring data and settling liability claims, it also covers loss of earnings due to a business interruption – and the payment of a ransom in the event of blackmail. Another important factor is that Helvetia's network of experts provides support in overcoming the crisis, with expertise in various IT areas – especially incident handling and communication. Situations like this can only be managed by teams, not individuals.
There are, yes, though I admit that I'm no expert on this type of case. There's no such thing as insurance against supply bottlenecks – all I can see in my day-to-day work is that some of my customers plan ahead, or expand their supplier networks to spread the risk. Others expand their storage capacities or switch to local suppliers. In any case there are consulting firms that support SMEs, advising them on risk management in the event of supply bottlenecks. A quick internet search will identify providers of this sort of service.
First and foremost, because you can't insure against them – but I still think it's incumbent on me to draw people's attention to them. On my travels at home and abroad, I see what successful businesses have that others lack: employees who are really good at something. But if trained specialists are missing or knowledge is not passed on, solutions can suddenly no longer be offered to customers – or if they can be, then they're of lower quality. This is also an existential threat to the business.
Successful businesses invest not just in material things, but also in people. They counteract skill shortages by investing time and money in fostering and promoting selected employees. Businesses also need to facilitate dialogue, so that experienced employees can pass their valuable knowledge on to relative neophytes. Here, too, one must bear in mind that this knowledge transfer takes time.
There’s one thing I want to add. In this conversation I've talked a lot about risks and threats – assessing risks is my job, after all. But in my everyday life I also experience a change of perspective. I see how businesses and people recognize not only threats, but also opportunities. That never ceases to fascinate me. It's not the only reason why SMEs are close to my heart.