The Development of a Small and Medium-Sized Business Risk Management Intervention Tool

: Risk is inevitable in business. For large companies, risk management is formalised and structured through compliance with industry standards. However, small and medium-sized businesses (SMEs) rarely have adequate resources to develop their own standards or conform to pre-established criteria. This results in an increased vulnerability to risk, which tends to undermine SMEs’ sustainability. The primary reasons for the low adoption rate of risk management are related to the tremendous initial difﬁculty in orientating the business concerning risk and the signiﬁcant investment of the workforce in developing and implementing a structured managerial process. The objective of this paper is to produce a guided process tool for small and medium-sized businesses with which they can identify, evaluate, and appropriately address risks from an SME perspective. Moreover, this intervention would offer enhancements at no cost beyond the time of its implementation. In order to identify what constitutes holistic risk management, document analysis was applied, which utilised risk management standards, academic articles, books, and regulatory policy and strategy documentation. The identiﬁed elements were integrated with a tool that improves business owners’ capacity to position themselves in context with their daily risk management challenges.


Introduction
Risk, as per definition, is embodied in reducing a business's assets values or forfeited business opportunities and originates from the functions performed in and the environment of a business (Aven and Renn 2009;Marx and de Swardt 2013;Šebestová and Sroka 2020). Moreover, the risk is present when the frequency, exposure, probability, or outcome of risk is unspecified as it relates to a possible risk event (Kaplan and Garrick 1981;Knief 1991;ISO 2018). SMEs do not have the equivalent motivation to comply with risk standards because the size of their operations rarely requires thorough compliance with standards similar to the expectations of larger companies. Additionally, many of the risks identified by these standards require immediate intervention by the business; however, these are often left unmanaged, placing the business in a vulnerable position (King and Lessidrenska 2009;Smit and Watkins 2012;Oláh et al. 2019a). Overall, the smaller the business, the less likely management will be aware of risk management standards or how to implement such protocols (Weissinger 2013) effectively. Krüger (2020) disclosed that SME owners have a conception of risk management; however, their knowledge is generally limited to crisis management when compared to best practice standards. Furthermore, of 332 South African SMEs, 70.3% showed that participants applied no risk management standards whatsoever (Krüger 2020). Conversely, it was discovered that instead of relying on well-structured and thorough standards such as those established by the International Organisation for Standardisation (ISO), the majority of SME owners relied on their personal experiences,

Literature Review
Enterprises are encouraged to adopt the most appropriate business strategies predicated on the highly dynamic and intense changes in the business ecosystem and the necessity to achieve and sustain a competitive position (Borocki et al. 2019). In utilising these strategies, the business places itself into varying positions that expose it to diverse risks. Overall, risk is intrinsically connected to business, since the ultimate frequency, exposure, probability, or outcome of a business initiative is unknown until ultimately realised (Knief 1991;Hopkin 2018). Moreover, a business will assume risks only if the expectations for a potentially profitable outcome is considered as being a viable option (Investment Management Consultants Association 2003;Marx and de Swardt 2013;. However, it is the experience of small business owners that often results in this consideration as opposed to them conducting a thorough examination of the risks that the business action could engender. Such decision-making activities may lead to a failure in managing critical risks or a combination of smaller risks, which could result in business failure. SMEs, which are considered the backbone of the world economy, are thus especially vulnerable (Šebestová and Sroka 2020). It should also be noted that the majority of SMEs exist as service (28.9%) or trade businesses (16.57%). When analysing the sample from Krüger (2020), the distribution of SMEs, according to the Standard Industrial Classification of all Economic Activities (StatsSA 2012), are as follows: Production (10.24%), Financial services (7.23%), Manufacturing (6.63%), Health and safety (5.42%), Education (5.12%), Transport and distribution, Construction (3.01%), Agriculture (3.01%), and Other (6.02%). SMEs are primarily involved in trading goods, providing services, or are involved with various other intangible products. This is of particular importance when considering the transitory nature from which SMEs may arise, especially when undertaken in response to unemployment. Due to the fact that most SMEs aggregate in retail, this sector must be protected in order to ensure sustainability amongst new SME entrants as well as established SMEs.
The most common risks SMEs experience are related to business risk, managerial risk, reputational risk, operational risk, moral risk, and legal risk (Krüger 2017). The primary risk focus of SMEs involves their business and operational risks (Krüger 2017). However, unlike large enterprises that can assign a team of qualified risk personnel to ensure that Enterprise-Wide Risk Management (ERM) is applied through comprehensive systems such as ISO 31000, SMEs mainly focus their hiring protocols towards staff that is capable of addressing their business or operational needs directly. At the same time, the higher cognitive and strategic business functions are conducted by the business owner or managers until there are sufficient resources available to outsource those tasks to professionals (Krüger 2020). If the aforementioned tasks impair operational or business functions, it results in a tendency to react to risk events as they occur instead of formulating a holistic approach to risk or proactively managing risks throughout the enterprise (Krüger 2017).
The conceptual landscape of SME failure is pervaded by challenges such as insolvency resulting from a lack of liquidity, inconsistent and declining performance, revenue shortfalls, limited growth, and liability-dominant balance sheets (Lussier 1996;Henderson 1999;April 2005;Cannon and Edmondson 2005;Probst and Raisch 2005;SEDA 2018). Moreover, SMEs tend to have poor managerial processes that prove insufficient in moderating and conducting their business activities, human resources, and technical industry-specific considerations (Ritchie and Richardson 2004). Additionally, poor management in small businesses has been posited to be the result of a lack of skills training, limited experience, and impaired financial and technical capacities, which often include a number of management decisions controlled by only a few managers or perhaps, in many cases, one individual (Scarborough and Zimmerer 2002;Gitman 2009). It also seems that small businesses struggle to fully apply management considerations in that they tend to plan their activities only in the short to medium term and rarely reposition themselves strategically, which increases vulnerability to external events (Honjo 2000). Growth management is another aspect with which SMEs struggle, especially since growth inevitably leads to increasing levels of business complexity, thus requiring further managerial development, which provides management with the appropriate expertise to cope with the increased operational complexity of the business (Coelho and McClure 2005). Moreover, growth management can be dramatically aided through developing a strong corporate culture that includes predefined stakeholder considerations. In turn, this will enhance business-wide awareness of where the distribution of growth is disproportionate concerning specific areas of the business (Zacharakis et al. 1999;Lussier and Pfeifer 2001;. Although the challenges appear disaggregated, risk management can be utilised to effectively abate the intensity of losses and aid the business by proactively addressing the risk considerations that inhibit business growth. Risk management can serve to bridge these difficulties by providing a structured process by which to identify, evaluate, prioritise, and treat risk while incorporating strategic and technical considerations that evolve as the SME experiences growth and complexity (Smit and Watkins 2012;Gwangwava et al. 2014). By incorporating risk management strategies, SME resources can be utilised more efficiently and effectively, creating a reserve from which the business can draw to quickly address other vulnerabilities (Gwangwava et al. 2014). The ideal objective of risk management is to minimise excessive risks in the pursuit of more favourable outcomes, which are highly beneficial to established businesses and especially critical for SMEs, particularly in the first five years of their operation (Knight 2012;Hopkin 2018). However, SMEs do not have formal processes by which they identify, classify, or manage their risks; thus, they choose to address risks as they appear in practice (Krüger 2017). Consequently, this causes SMEs to focus on factors that are currently producing losses while neglecting other vulnerabilities until these, in turn, produce losses that quickly redirect the managerial focus (Smit and Watkins 2012). The primary impediment in applying risk management in SMEs continues to be the substantial initial investment of time and resources in establishing and implementing the risk management process in their business. Large businesses are driven towards risk standards as a matter of compliance, in which the required standards are designated and for which there is an assigned team to ensure implementation and integration within the business operations (King and Lessidrenska 2009;Smit and Watkins 2012;Oláh et al. 2019b). Small businesses are often unaware of these standards until an operational or business advantage is attached to the cost of compliance.
The asymmetrical distribution of resources and perceived relevance of risk management between small and large businesses create a distinct advantage for larger businesses. This advantage exists, even though there is a potential for small businesses to rapidly integrate and systematically develop their risk management procedures based on their more egalitarian and less bureaucratic business structures. In order to determine why risk management is deficient in small businesses relative to big businesses, an evaluation of the relationship between small business owners and risk management had to be conducted. Next, having determined the relationship between them, an intervention could be developed to supplement the weak points and, thereby, amplify survivability and loss reduction.

Materials and Methods
To accomplish the task of developing an intervention risk management tool, a document analysis was conducted to determine the main factors that should be included in the tool. Document analysis facilitated a critical examination of the content collected from trustworthy, respected, and reliable sources. Bowen (2009) referenced using document analysis since it allows for a systematic technique where various sources are studied and evaluated to extract significant and relative information regarding the research topic. Moreover, Corbin and Strauss (2008) proffered that this method can assist in developing a more systematic understanding of the topic under discussion. Document analysis is perceived as a social research method, with the rationale behind it as being the triangulation of information. It is unobtrusive; therefore, it eliminates possible bias from interactions with the sample audience. This method also promotes conceptual and contextual analysis (Huysamen 1994;Webb et al. 1999;Babbie 2001;Berryman 2019). Verifying findings and data from various sources can create a synergy amongst information, which could also reinforce the credibility of such findings (Bowen 2009). Using this particular methodology has numerous advantages-cost and time savings, easy access to documents, unbiased regarding human interaction-and such documents may be deemed reliable, accessible, and non-reactive, allowing for extensive examination (Bowen 2009). This study specifically made use of risk management standards, academic articles, books, and regulatory policy as well as strategy documentation. The primary standards were gathered from the International Organisation for Standardisation, The Committee of Sponsoring Organisation, and The South African Bureau of Standardisation. The academic articles and books were accessed through university library resources and Google Scholar. Policies and strategy documentation referenced in the study are those applicable to all businesses under South African law; however, the role of the latter was minimised to ensure international applicability. These documents were selected as they contributed significantly to the contents used to compile the SBRMIT. Moreover, these documents were considered to be credible, authentic, complete, and representative, while also allowing for the identification of the source material (Bowen 2009).

Results
Having identified that risk management has a positive and pervasive effect on all aspects of business management, the particularities that surround SMEs, and their charac-teristic challenges that they must face on a day-to-day basis, two studies were run by the author to confirm the particularities as they relate to South African SMEs. Krüger (2017) concluded that SME owners loosely described employee risk, business risk, managerial risk, reputational risk, operational risk, moral and legal risk, and personal risk when queried about their risk concerns. However, these risks were merely addressed with regard to a practical operational capacity. Business risk was contextualised as the potential losses that could be experienced based primarily on a lack of sufficient business presence or availability in relation to the competitive dynamics within the marketplace. Despite SME owners' concern with business risk, their awareness of business risk appeared to be unsophisticated in that their concerns only accounted for a very limited portion of what comprises business risk, which was generally reactionary in its application. SME owners do not appear to have a structured method to identify, classify, or manage their risks reactively and, thus, they tend to focus on risks that are obvious. Despite the need for liquidity growth in order to cope with economic downturns, SMEs generally remained risk-averse and preferred to raise capital themselves in a debt-free manner. Older and more established SMEs articulated a greater willingness to assume opportunity risk; however, ambiguity was present in the answers provided by SMEs when questioned on how they would finance this type of risk.
The primary risk focus of SME owners appeared to be related to their business and operational risks. Many of the risk references derived from the research conducted by Krüger (2020) can be categorised as being part of operational risk. Although this would be technically correct, it would forego an understanding of SME owners' risk management perspective, as it would distance our structured approach to risk and its management to the more informal protocols pursued by most SME owners. SMEs become aware of risks based on their interaction with diverse environments, which represents a process that is organic and less meticulous than that which is applied in formal business strategies and risk frameworks. However, this exposes SMEs to risks in which they have no awareness or discernment. Thus, SMEs unfamiliarity with such risks creates a lack of knowledge regarding the possibility of failure and, therefore, contributes to their willingness to take risks.
As derived from the qualitative results of Krüger (2017) and the quantitative results of Krüger (2020), the theme of SME risk management systems addresses those actions taken by SMEs in an attempt to improve their business viability and reduce the risks they face on a continuous basis. All of the strategies can be categorised under one of six sub-classifications. These classifications are as follows: marketing; loss prevention; business strategies; staff development; financial strategies; and novel strategies applied by the individual SME. Marketing includes activities such as branding and advertising. Loss of prevention represents a broad classification that is related to preventative risk management and includes concepts such as maintenance or micromanagement. Business strategies consist of the collection of documentation and attempt to compete in relation to product or service quality. The strategies that the SMEs followed cannot be classified as a risk management system, since there is a sustained absence of a significant number of risk management principles. However, this theme provides insight into what is perceived as risk management by SME owners. In addition to the strategies outlined, the SME owners identified specific actions as their risk management strategy; however, this was based on personal judgement calls and personalised relations with their clientele. The closest to a risk management system that the SME owners developed was to conduct a quality check on work after completion, which can be classified as an operational risk management endeavour. A systematic, fundamental, and systemic risk awareness was not present beyond the knowledge that market events and the state of the economy as a whole could impact the interests of the SME. The risks identified were operational and unsystematic risks, in the strictest sense, but relating only to events and experiences previously encountered within the business. This left certain key aspects of specific operational and unsystematic risks completely untouched and unnoticed.
The approach of the SME owner was consistently confirmed to be reactionary and not precautionary. For example, the actions taken to minimise risks always occurred after a risk was already experienced. Therefore, risk management in the case of SMEs was thoroughly lacking in that the owners did not incorporate aspects involving strategic business orientation, did not account for vital success or failure conditions, and did not rate risks on a scale of effectuality nor differentiate between the scope of risks that were present within the business. Moreover, controls were resourced, and reactions were planned at the moment a risk occurred; thus, in the absence of a large cash flow reserve, such an occurrence could result in bankruptcy.
Risk reporting was also shown to rarely be in a written form and often not recorded; therefore, the details surrounding risks are soon forgotten. As a result, risk management continues to remain underdeveloped. In short, risk management in an SME has become fully dependant on the experience of the SME owner which is, in itself, a risk. Within the risk management model of an SME, it would be assumed that the SME owner would ensure the central processes or inventory needed to continue business in the event of a loss. However, many SMEs cannot always meet the cost of insurance due to their limited size and inability to adequately produce a source of income for the SME owner that justifies opportunity cost.

Discussion
Given the challenges faced by SMEs, the natural progression was to develop an easy to understand and affordable intervention to guide SMEs in assigning priority to risks and developing business strategies that align to the internal capabilities and external conditions as they relate to SMEs. The SBRMIT structures the risk management process to integrate risk feedback and reporting naturally with business processes. This creates a basis for any successive applicable standards to be integrated into the SME without requiring an overhaul with regard to their entire risk management system and, thus, it provides the business with the ability to rapidly respond to compliance requirements.
The small business risk management intervention tool (SBRMIT) is created with the intention of serving as an initial contact point with risk management, amplifying efforts already present to manage risks, as well as augmenting the approach that small and medium businesses use to incorporate fundamental risk principles, the processes associated with risk management, and related strategic concerns. The outline of the processes followed in this tool can be observed in the visual overview presented in Figure 1, which denotes the most important considerations. In addition, various challenges to SMEs' risk management were identified by drawing from theoretical aspects and data garnered from several small and medium-sized business owners.
By establishing a clear comprehension of these businesses' limitations and the requirements that need to be adhered to, an appropriate risk management system can be developed and put into place. Consequently, a middle ground can be developed that allows for the early adoption of risk management. Through applying the fundamental principles of risk management, the strategic management tool, and the easy risk identification tool, businesses can adequately identify risks as well as the risk context in which it operates. This will enable businesses to orientate or adjust their operations to address relevant exposures to risk (Chicken 1996;Marx and de Swardt 2013). Risk identification is followed by risk assessment, which will, in turn, allow the business to identify treatment protocols, contingency concerns, and reporting requirements. Through the application of this tool, the risks and changes in risk exposure can be tracked and monitored to ascertain whether risk exposure is increasing or decreasing and whether the intervention measures are effective. Once these steps have been taken by the business, it should have managed any prior risks. The following section will discuss the eight steps in SBRMIT (Figure 1).
Step 1: Fundamental risk management principles. For risk management to be implemented in SMEs, its value must be apparent to the business owner (CICA 1995). To overcome this problem, the owner must be familiar with fundamental risk management principles. These include the following:

•
Maximising the shareholder's value by protecting and creating value; • Comprehending the proportional risk management to risk exposure; • The business must be tailored to adequately address risks relevant to its activities; • The business must be structured to transparently and completely represent its entire risk exposure and managerial practices; • Risk management must be embedded within its business culture, operational protocols, and decision-making processes; • The risk management process must be iterative and proactive; • Be able to explicitly address uncertainty promptly; • Should be orientated to continuously develop the business utilising the latest, most reliable and relevant information; and lastly, • Be inclusive of current relevant societal and cultural sensitivities.
Based on these principles, the owner should be asked a variety of key questions, in conjunction with a discussion involving the processes and outcomes that the business will attain if the principles are incorporated. This step will allow the business to focus on risk management instead of risk avoidance. It will also steer the business towards a strategically integrated, iterative, proactive, timely, and relevant process that offers value maximisation and proportional risk aversion. This process will also be tailored as being fully risk inclusive, culturally encompassing, and operationally safe (COSO 2016; ISO 2018).
Step 2: Risk identification. Risk identification constitutes the second step within the tool and reveals the various risks to which the business is exposed. It is executed by searching for loss and gain scenarios relevant to the business context (Aven 2014). The identification process begins by first determining which political factors, technical indicators, performance standards, or opportunities for co-operation are relevant to the business (Borghesi and Audenzi 2013; Aven 2014). When identifying risk, it requires a thorough understanding of all the activities undertaken by the business entity and includes concerns such as technical standards and legal limitations (Chicken 1996;Aven 2014). A risk audit of the business aims to pinpoint risks pertinent to the business, its scope, and possible losses (Borghesi and Audenzi 2013).
Since risk exposures to various risk types differ among industries, the process of identifying risks can be challenging, especially when the goal is to do so comprehensively. For risk identification to be meaningful, it must address the risks associated with its industry and make the business aware of risks it had not previously identified as possible threats. Thus, this process can be divided into primary two stages: an exploratory stage where the business educates itself on possible risks it had not yet faced, and a developmental stage where it determines which identified risks take precedence. To aid small businesses in identifying these risks, a typography of risks was developed by Krüger (2020), who aggregated and discussed the diverse risks classified in theory over the past 80 years.
Essentially, this offers a reflective tool that the business can utilise to analyse the full scale of preconceived risks from literature. To further simplify this overarching process, a tool called the easy risk identification checklist was developed that allows the small business owner to determine whether they face possible risk exposure. This is simply achieved by answering yes or no to a few questions, which then guides them to the location in the risk typography that educates and informs them regarding a particular the risk (Krüger 2020).
Once the overarching risks have been identified, these risks can be grouped into two major risk categories through their origin: external or internal. For the sake of discussion, the risks will be classified as either Type 1 or Type 2, respectively (illustrated in Figure 2). Type 1 risks are generated in an external risk environment. Consequently, Type 1 risks pose a threat to a business regardless of whether their internal risk management processes are conceptually flawless; a PESTLE analysis could aid the business greatly in this regard. Type 1 risks cannot be eliminated; however, the business can position itself in a way that minimises the risk and, thereby, decrease its possibility of failure. If this consideration is not explicitly supported during risk identification, it cannot be considered comprehensive. Type 2 risks constitute risks that the business can manage internally as they relate to the day-to-day operations of the business, and it is generally those risks with which the business occupies its time. Thus, it is highly likely that small businesses already have a firm grasp of their Type 2 risks.
Since risk exposures to various risk types differ among industries, the process of identifying risks can be challenging, especially when the goal is to do so comprehensively. For risk identification to be meaningful, it must address the risks associated with its industry and make the business aware of risks it had not previously identified as possible threats. Thus, this process can be divided into primary two stages: an exploratory stage where the business educates itself on possible risks it had not yet faced, and a developmental stage where it determines which identified risks take precedence. To aid small businesses in identifying these risks, a typography of risks was developed by Krüger (2020), who aggregated and discussed the diverse risks classified in theory over the past 80 years. Essentially, this offers a reflective tool that the business can utilise to analyse the full scale of preconceived risks from literature. To further simplify this overarching process, a tool called the easy risk identification checklist was developed that allows the small business owner to determine whether they face possible risk exposure. This is simply achieved by answering yes or no to a few questions, which then guides them to the location in the risk typography that educates and informs them regarding a particular the risk (Krüger 2020).
Once the overarching risks have been identified, these risks can be grouped into two major risk categories through their origin: external or internal. For the sake of discussion, the risks will be classified as either Type 1 or Type 2, respectively (illustrated in Figure 2). Type 1 risks are generated in an external risk environment. Consequently, Type 1 risks pose a threat to a business regardless of whether their internal risk management processes are conceptually flawless; a PESTLE analysis could aid the business greatly in this regard. Type 1 risks cannot be eliminated; however, the business can position itself in a way that minimises the risk and, thereby, decrease its possibility of failure. If this consideration is not explicitly supported during risk identification, it cannot be considered comprehensive. Type 2 risks constitute risks that the business can manage internally as they relate to the day-to-day operations of the business, and it is generally those risks with which the business occupies its time. Thus, it is highly likely that small businesses already have a firm grasp of their Type 2 risks. Step 3: Strategic audit. As mentioned earlier, Type 1 risks cannot be eliminated, but an effort can be made to minimise risk exposure. This requires that a strategic audit be done. Strategic management divides a strategic audit into three parts: a strategy formula- Step 3: Strategic audit. As mentioned earlier, Type 1 risks cannot be eliminated, but an effort can be made to minimise risk exposure. This requires that a strategic audit be done. Strategic management divides a strategic audit into three parts: a strategy formulation step, a strategic implementation step, and a strategic evaluation step (David and David 2015). The complexity of a strategic audit should match the capacity of the business. To aid small businesses, it is suggested that a comprehensive SWOT analysis (strengths, weaknesses, opportunities, and threats), strategic position and action plan (SPACE) matrix analysis, the Boston Consulting Group matrix, the grand strategy matrix, and the quantitative strategic planning matrix or a variety of these be conducted (David and David 2015). Consequently, the strategic audit will allow the business to address these identified risks by creating pragmatic strategies to overcome them. It will also offer the business owner a clear picture of which risks they are not indemnified against or prepared for, meaning they are given the opportunity to overcome this hurdle.
As a matching tool, the SWOT matrix facilitates a means whereby one can produce four strategies that exist as a combination (a matching) of strengths (S), weaknesses (W), opportunities (O), and threats (T) that consolidate into strength-opportunity (SO), strengththreat (ST), weakness-opportunity (WO), and weakness-threat (WT) strategies. This is quite often the most difficult aspect of the strategic process, as it requires an in-depth understanding of the various business processes and is limited by the awareness that the business has garnered in the internal and external factor evaluation processes.
Step 4: Risk assessment. Risk analysis, evaluation, and estimation are cumulatively referred to as risk assessment (Verbano and Venturini 2013). Risk analysis investigates the cause and effect of risks and risk events and, subsequently, acts as a descriptor of risk in a business context (Aven 2014). Thus, risk analysis is an aspect that, under the process described above, is already addressed. Risk, once determined by analysis, is followed by risk evaluation, which involves a process of comparing analyses results with predefined reference levels or criteria (Tchankova 2002;Aven 2014). During this evaluation, the business can track its performance (determining a decline or increase of risks) and re-contextualise its position regarding its risks. Risks can be qualitatively, quantitatively, or jointly evaluated, having the potential to result in a gain or a loss (IRM 2002). Risk assessment involves a three-part process of analysis, evaluation, and estimation of risk. Risk analysis considers the cause and effect of risk events as it relates to the business. It further determines the details of how particular identified risks interact with each other in the business and the business itself. This is important when determining how risks flow from one to the other. It is at this point that the business should develop performance indicators. Risk analysis begins by determining the probability of a risk event occurring (Hopkin 2018). Once the probability of an event has been determined, loss estimations need to be established (Mulcahy 2010;Marx and de Swardt 2013;Valsamakis et al. 2013;Verbano and Venturini 2013). Loss estimations and the probability of an event occurring can be confirmed from historical data or through the estimations of the small business owners.
Evaluation is the process of comparing analysis results with predefined or historical reference levels. The performance indicators can be utilised in this step to compare the business's current performance with historical values to ascertain whether the business is improving or worsening (Tchankova 2002;Aven 2014). Additionally, an evaluation can be performed by using a metric and then comparing historical performance records using that metric (Verbano and Venturini 2013). Once an evaluation has been completed, the business can ascertain how well their risks have been managed in the past. However, estimations need to be performed to determine which risks should be managed and the amount of resources required to be allocated to these risks.
Estimation is the process of determining the rand value of potential risk. To make a reasonable estimation of the possible overall losses, the probability that risk might occur and the possible loss attached to a risk event must be calculated. This is called a loss estimation and is utilised to generate a reference point for potential losses. In order to estimate potential losses, the first step is to calculate the average loss that can be experienced by the business. The average of historical losses can be used, since there will always be variations in the particularities of a risk event; however, the average normally tends to remain rather consistent (Krüger 2020). Knowing how much can be lost is only the first stage of estimation. The second part of the process involves establishing how likely the business is to suffer such losses. Determining the probability of a risk event can be accomplished by tracking historical occurrences to ascertain how often over a given period a particular risk event is likely to manifest itself. Once the probability and the loss figures are known, a probability adjusted average loss can be estimated over a period by multiplying the probability with the expected loss for a weighted loss estimate (Hopkin 2018). Analysis, evaluation, and estimation are important in this sense as well, as the business can be provided with a reasonable cost to cover that risk.
Step 5: Risk treatment. By Step 5, the small business should have completed its risk assessment. Next is the process of adequately addressing that risk by avoiding, reducing, transferring, or retaining it. While risk treatment is applied, the business must keep in mind the insights gleaned from the risk assessment; moreover, the risk treatment must fall within the resources of the business and the risk appetite of the stakeholders. To aid businesses in locating a middle ground where risks are in line with returns, certain strategies can be applied based on their particularities (Valsamakis et al. 2013). The strategies are as follows:

•
Where the probability of a risk event is low and the possible losses fall within the capacity of a business to absorb it, the risk is to be tolerated.

•
When the occurrence of a risk has a high probability, regardless of the possible losses, the risk is to be treated. • When a risk event has a low probability of occurring but has a large possible loss, the preferred strategy is a risk transfer. • When a risk event has a high probability and a high possible loss, it is in the best interest of the business to avoid it.
Step 6: Reaction planning. Reaction planning follows risk treatment as some risks cannot be avoided, reduced, transferred, or retained yet must still be managed. Reaction planning is the process of developing contingencies and establishing reserves for disaster recovery, pure risk, and to engage with potential business community alliances outside of the business' immediate concerns (Hopkin 2018). Ultimately, reaction planning begins with identifying which risks and opportunities are outside the scope of business as compared to the internal risks. What follows is selecting the primary threats and opportunities and systematically assigning resources towards the selection.
Step 7: Risk reporting and communicating. Even though an outline has been presented about thorough risk intervention, it cannot be deemed a process, as it requires that it becomes frequent, iterative, and continuous. What separates reaction planning from a risk management system is how the information and experiences that have been gathered through the risk management process are incorporated and integrated into the managerial risk consciousness of a business (Hopkin 2018). Reporting constitutes a process of capturing relevant information by appropriate means and aggregating it for analysis. However, risk reporting will vary from industry to industry as per the complexity of their operations. Furthermore, communication is the process of ensuring that reported information is provided to the appropriate staff within the business to elicit a rapid response and ensure a reduction of losses (Valsamakis et al. 2013).
Step 8: Monitoring risk. Reporting and communicating deal with risks that are realised within a certain reporting period; however, it does not address other identified risks (Hopkin 2018). Hence, monitoring is required to ensure that all the risks identified and classified as pertinent to the business are observed and incorporated into cyclical reports. Additionally, monitoring forms part of a process that utilises indicators to determine whether risks are growing or subsiding. Moreover, monitoring links the last steps of the risk management process to the first (Borghesi and Audenzi 2013). By continuously monitoring risks, the more pertinent ones are emphasised, while those included out of emotional responses are brought in line with the real threat they pose. This is how a risk management system maintains itself and how it becomes integrated into the business.

Conclusions
The objective of this paper was to produce a guided process tool for small and mediumsized businesses with which they can identify, evaluate, and appropriately address risks from an SME perspective. The importance of this study is in its focus on SMEs and their needs. Although many standards exist, their application can be problematic for smaller businesses, and this impedes SME sustainability, as it leads to a misappropriation of resources and increased vulnerability to risk events. The advantages to the business are clear and as follows: The risk management of a business that applies this intervention would be guided only in regard to the essential components as a starting point and could thus be tailored to the scale, scope, and context of the business and thus be a comprehensive and representative of the business and industry in which it operates. The risk management of the business will be open for simplified customisation and improvement as it will be written in the language of the entity and not through a third-party consultant, permitting systematic and meaningful improvement over time that eases the administrative burden of risk management and allows it to scale with business growth. Consequently, as risk management is an integrated management function, business owners will also continue to improve their businesses' strategic management and general management and aid the interdisciplinary synergetic reinforcement and business-specific contextualisation of management functions and activities. Since the intervention tool is based in best practice theory and principles, it serves as a basis to include other advanced management standards such as those of the South African Bureau of Standardisation that bases much of its work of ISO standardisation. The only disadvantage of this system to the SME is that it requires a bit of time to implement; however, this disadvantage is miniscule in comparison to larger standards. As such, the benefits to the business in applying the SBRMIT outweigh the initial and reduced cost of time to apply it. However, due to the effects of Covid-19, this model could not be tested in practice yet. Therefore, it is recommended that this tool be tested and be further developed and tailored to the various sectors in which the businesses operate. What remains now is that the SBRMIT be tested in practice and developed into a governmentally acknowledged standard. It should be noted that the contents presented in this paper are only a summary of the full tool, while more detailed information can be ascertained from Krüger's (2020) study.

Study Limitations and Future Study Opportunities
The SBRMIT still only exists as a theoretical structure through which risk management can be applied to SMEs. Thus, it is essential that an additional study be run with a sample of SMEs to determine the efficacy and weak points of the SBRMIT on a practical level. To provide more consistency, this tool should be tested on real firms after which the authors should receive feedback from the representatives of such firms. Then, this feedback should be administered to a controlled sample of SMEs for further development, which would enable researchers to gather relative information regarding the various aspects necessary to ensure sound and effective risk management within SMEs. This section is not mandatory but may be added to the manuscript if the discussion is unusually long or complex.
Author Contributions: Conceptualisation, methodology, formal analysis, investigation, resources, data curation, writing-original draft preparation, and visualisation were conducted by N.A.K. Writing-review and editing; supervision, project administration, and funding acquisition, was conducted by N.M. All authors have read and agreed to the published version of the manuscript.

Funding:
The APC was funded by the University of Johannesburg.

Institutional Review Board Statement:
The study was conducted according to ethical guidelines and approved by the relevant Research Ethics Committee (clearance code: ECONIT-ACC-2015-005).

Informed Consent Statement:
Informed consent was obtained from all subjects involved in the study.

Data Availability Statement:
The data that support the findings in this article can be found in Krüger, N.A. 2020. A risk management tool for SMMEs: the case of Sedibeng District Municipality. PhD. North West University.