Artificial Intelligence Based Commercial Risk Management Framework for SMEs

Risk management in commercial processes is among the most important procedures affecting the competitiveness of small and medium-sized enterprises (SMEs), their innovativeness and potential contribution to global sustainable development goals (SDGs). The ecosystem of commercial processes is the prerequisite to manage risk faced by SMEs. Commercial risk assessment and management using elements of artificial intelligence, big data, and machine learning technologies could be developed and maintained as external services for a group of SMEs allowing to share costs and benefits. This paper aims to provide a conceptual framework of commercial risk assessment and management solution based on elements of artificial intelligence. This conceptualization is done on the background of scientific literature, policy documents, and risk management standards. Main building blocks of the framework in terms of commercial risk categories, data sources and workflow phases are presented in the article. Business companies, state policy, and academic research focused recommendations on the further development of the framework and its implementation are elaborated.


Introduction
Businesses in demanding environments are constantly looking for a competitive advantage, which often comes from appropriate technological advantages. In the search for a competitive advantage, small and medium-sized enterprises (hereafter-SMEs) could make use of artificial intelligence solutions in managing commercial risk. To do so efficiently, businesses not only need to understand the technology better, but also perceive the framework of risk management and integration of AI solution to their business performance. Companies and financial organizations undoubtedly accumulate various data about clients and their risk. The problem arises in complex processing when data is big or has different dimensions. The concept of artificial intelligence includes advanced technological solutions that can address situations of ambiguity and uncertainty. AI-based solutions complement business decisions by supplementing traditional solutions and analysis. Risk management is particularly beneficial for the use of cognitive solutions based on artificial intelligence because often risk factors are characterized by data uncertainty and variety.
Various initiatives to expand financing of SMEs including partial guarantee schemes, building or improving financial infrastructure, commercial banking models and other private sector initiatives have been developed to directly target SMEs. At the global level, the global partnership for financial inclusion (GPFI) and IFC as an implementing partner of the GPFI have undertaken various studies to improve access to finance by the SME sector, including enhancement of data availability and quality.
The paper is organized in the following way. Section 2 elaborates on motivating factors and provides arguments for the research relevance. The commercial risk and firm in-/ability to assess and control it in an appropriate way is discussed as one of the important factors affecting SMEs' international competitiveness and their ability to achieve sustainable development goals in their business. Then main conceptual definitions are given, risk in general terms, scientific approaches to risk assessment and management are also discussed. Section 2 ends with a broad decomposition of commercial risk factors putting them into an ecosystem-level approach to commercial risk assessment and management.
Section 3 shortly reviews pre-existing AI-based SMEs support solutions that partially cover the proposed commercial risk management framework here. Conceptual risk assessment workflow applying machine learning is defined in the second part of Section 3. Main variable groups and their sources are shown as backgrounds for machine learning and models development phase, which after modes testing phase, turns into the risk assessments employing new data about new potential commercial process partner-buyers and/or suppliers.
Based on the above given theoretical modeling of commercial risk management framework, Section 4 aims to discuss expected implications in policy, further research, and business levels.

Uncontrolled Risk in Commercial Processes as One of the Factors Destroying SMEs Competitiveness and SDG Objectives
Risk is one of the negative factors that decrease and destroy the competitiveness of any business. SMEs lacking resources, capabilities, competencies to manage and control commercial risk are especially vulnerable. Risk in commercial processes as the factor of SMEs' competitiveness is reported in the number of research conclusions [6][7][8][9][10][11][12].
These conclusions, based on previous research, suggest that commercial processes risk management requires systemic solutions, which often are conceptualized by employing the business ecosystem approach.
While considering the Sustainable Development Goals (SDGs) launched by the United Nations in 2015, we normally think about a big business entity with potential and resources to implement SDGs targets. However, recent attention has been drawn to the fact that small and medium businesses, which are an important economic engine and job creator, could also contribute to the development of SDGs, taking in mind the scope of the collective magnitude of the impact of SEMs on SDGs, creating the systemic benefits for the society. The fact that the overwhelming majority of private-sector businesses in the world are SMEs, and that SMEs account for a very large share of world economic activity in both developed and developing countries, proves that SDGs can only be achieved if countries manage to build up strong SMEs [13][14][15][16]. The United Nations Development Programme initiated 'SDG Accelerator for SMEs'-new business solutions with the Sustainable Development Goals. The program is funded by the Danish Industry Foundation and is tested in Denmark in 2018 and 2019 with 30 Danish small and medium-sized industrial companies, after which the aim is to roll out across the Nordics and globally. The SMEs' sector can be an essential and potential part of SDGs solutions, and more and more companies recognize the SDGs as levers for innovation, growth and better competitive performance [17].
OECD also emphasizes SMEs leading role to play in meeting the most "economic" of the SDGs: promoting inclusive and sustainable economic growth, employment, and decent work for all (SDG No. 8) as well as promoting sustainable industrialization and fostering innovation (SDG No. 9). At the same time, the OECD indicates two critical interventions at the firm level, which the SDGs also highlight: access to finance (SDG No. 8.3) and participation in global value chains (SDG No. 9.3). There is not so much evidence in the scientific literature focusing on sustainability criteria related to SMEs risk management. Authors mostly focus on promoting sustainable activities or proposing management systems for sustainable development in SMEs [18]. There are basically several mainstreams of research on sustainability for SMEs: (1) environmental issues and environmental management systems for SMEs [19][20][21][22]; (2) sustainable management systems or management systems enhancing sustainability for SMEs [14,[23][24][25][26]; and (3) sustainable innovations for SMEs [27][28][29][30][31]. We rarely find research on sustainability for risk management. The exemption would be the research on involving sustainability criteria for credit risk assessment: Weber, Scholz, and Michalik [32] suggests sustainability criteria into credit risk management suggesting the use of sustainability criteria to predict the financial performance and to improve the debtor valuation process. Thus, our approach of pointing out the importance of commercial risk management involving AI-based tools, helping to reduce the risk for SMEs together with a better assessment of financial performance alongside with better access to finance would bring the new angle for research and applied systems for SMEs meeting SDG and improving their competitiveness.
Access to finance is a common problem for businesses which disproportionately affects new and small enterprises. Information asymmetries in the credit market, lack of collateral and fixed costs for banks in processing loan applications are some of the well-known problems affecting access to bank finance for SMEs [33].
Strengthening the capacity of SMEs-typically, though not exclusively, through greater access to finance-is identified as a key target in specific SDGs. Small and medium-sized enterprises' financial management and financing is a vital component of economic growth across the globe, and the need for financial management skills and access to capital is especially important [34]. Among the other main reasons why SMEs loans are rejected such as failure to understand credit score, inadequate cash flow, limited collateral, too early-stage start-up, having too much debt and lacking a solid business plan, risky outside conditions-the financial illiteracy plays a significant role. The connection between the failure to financial illiteracy and access to finance as well as financial literacy and probability of loan repayment is proven by the research [35][36][37][38][39]. Joo and Grable (2000) stated that the reasons why businesspeople make inappropriate, inadequate and ineffective financial decisions are because of the lack of financial knowledge, lack of time to learn about personal financial management, complexities in financial transactions and the extensive variety of choices in financial products/services [40]. Lack of business management skills can magnify financial barriers for SMEs. Low degree of financial literacy can prevent the performance level of SMEs from adequately assessing and understanding different financing provision, and for navigating complex loan application procedures [9].
The dearth of financial literacy has been one of the many elements responsible for lacks proper knowledge or information about financial decision making and that these decisions could, in turn, have tremendous unexpected consequences. Subsequently, financial literacy is now globally recognized as a major factor of economic and financial stability and development of SMEs (meeting UN SGA No. 8.3) for performance and there is the complete effect of business owner-manager's financial knowledge, financial awareness and financial attitude in converting financial literacy to increase in firm performance [37]. Dahmen and Rodriguez (2014) surveyed the business owners to determine their level of financial understanding and their use of financial statements in making management decisions. They found a strong association between the small businesses' financial strength and the business owners' habits of mind with regard to their financial statements: in 50% of the businesses, the business owner did not regularly review financial statements, and 86% of those businesses were experiencing financial difficulties; conversely, 50% of the businesses in the study were experiencing financial difficulties, and for 86% of them, the business owner did not regularly review the financial statements [38]. Drexler at al. have also proven the lack of financial literacy required to make important financial decisions [41] for SMEs. Bayrakdaroglu andŞan (2014) found that managers of SMEs with higher financial literacy levels show greater participation in the financial markets by diminishing information constraints [42]. Yang et al. examine the mediating role of competitive advantage between enterprise risk management practices and SME performance and the moderating role of financial literacy between enterprise risk management practices and competitive advantage [7]. The authors claim that competitive advantage partially mediates the relationship between enterprise risk management practices and SME performance. Additionally, financial literacy significantly moderates the relationship between enterprise risk management practices and competitive advantage. Firms are advised to implement formal enterprise risk management practices to gain competitive advantage and superior performance. Top managers need to have enough financial education so that they will be able to perform risk management practices in an efficient way to gain a competitive position in the market [7].
Thus, despite having more business financing options available, such as online lenders, it is still an uphill battle for small business owners to access capital. If that was not bad enough, the increasing amount of financing options currently available may in fact be making matters worse for small business owners. Gibb (2000) focuses upon the value of academic research to policymakers and stakeholders in small and medium enterprise development. He argues that alongside the substantial growth in SME research and publication in the past two decades, there has been a parallel growth of ignorance [43]. Gibb's point here corresponds to our idea that despite the towering consideration on SME's financing starting from European Commission's Green Paper on the long-term financing of the European economy following by SME regional policies supporting SME policy from structural funds, the ability of SMEs to meet SDG No. 8.3 remains uncovered. Thus, while facing various offers form the capital supply side (EU funds, government agencies' support, Business Angels, Venture capital, Crowdfunding platforms) we shall raise the question of whether the demand side is ready to absorb increasing funding alternatives.
It may be the case that the basic problem is being ignored, i.e., that small businesses lack financial literacy, cannot assess the financial performance of their company or the impact of the choice of financial instruments on their future development.
Small and medium-sized enterprises are facing different pressures maintaining their competitiveness. Customers demand better quality and a lower price at the same time, resulting in tighter cost control; suppliers press for quicker payments, but access to finance is a crucial issue.
At the same time, covering risk is higher for a small firm than a large one: usually, the smaller firm will have fewer human resources and competencies for risk management, more restricted finance, and more limited access to information than a larger organization. SMEs face requirements from their customers more often than they address to their own suppliers. While larger firms tend to manage risk collectively, for example, through expert boards of directors, within SMEs this task is more often undertaken by the firm owner-possibly supported by a small management team [6]. Risk management has a meaningful impact on competitiveness and SMEs' ability to face SDG tasks.
SDG Compass [44] and Sustatool [45] are existing attempts to link SMEs' daily activities and SDGs tasks. The SDG compass defines several cyclical steps guiding companies through the process of movements towards SDG defined tasks; however, it is focused more on large companies and MNEs. Sustatool is based on a more theory-driven approach. It anticipates concrete management tools and actions to address certain SDGs, ones that are most likely to be achieved by the SMEs. Commercial Risk Management Framework, as discussed further in this paper, extends the 'process excellence' layer of the Sustatool, proposing solutions that expand beyond single company borders and are implemented at the ecosystem level. We suppose that ecosystem-wide instead of single company focused solutions would help to achieve higher efficiency and help SMEs move faster toward SDG defined qualities of performance.
The approach to SDGs from SMEs' commercial risk management perspective complements existing options focusing on solving the above-stated issues (e.g., lack of financial literacy, lack of adequate human and other resources, difficulties in managing pressures from the external environment) in SMEs daily activities. Simultaneously SMEs confront growing pressure from society, non-governmental organizations on the inclusion of social and environmental principles in their activities [13]. The business risk also increases, where SMEs-especially start-ups-are depending on one product, one market or one customer. Thus, there is a link between the ability to manage risk and remain competitive. Many firms lack the resources and reliable mechanisms to support their risk-management activity and this is particularly notable for small and medium-sized enterprises (SMEs).

General Definitions: Risk, Risk Assessment and Management
Understanding that definitions are never entirely true or false, they provide a useful basis for abstraction and clarification of main points of considered issue. A selection of applicable definitions is discussed in the following with an emphasis on conceptual content and clarity.
Risk: a review of Aven (2010) [46] presents a vast number of risk definitions and serves as an explanatory overview, specifying definitional elements in the form: Risk = (A; C; P; U), where A represents events, C denotes consequences and P and U designate probability and uncertainty.
The most recent international standard on risk management, ISO 31000 (2009, p. 1) [47], defines risk as: risk is the effect of uncertainty on objectives. Risk is in this definition conceived as R = (U). Still, unlike this focus in other definitions, all elements of A, P, C, and U are included and apparently given equal considerations. The risk definition of Kaplan and Garrick (1981) [48] has gained wide acceptance both within the scientific community and among practical risk assessors (Haimes, 2009) [49]. In accordance with the research tracking system Scopus, one of the most cited definitions of risk is the quantitative-, or triplet definition of Kaplan and Garrick (1981, p. 13) [48]. Risk is defined as the answer to three questions focusing on what can go wrong:
How likely is it that it will happen? 3.
If it does happen, what are the consequences?
Wide acceptability of such definition may be explained by its direct relevance to risk assessment. Not only do the three questions offer simple clarification of what the risk concept is, but they also provide procedural guidance for risk assessment and leads to risk management.
Risk assessment and management: in the risk management vocabulary of ISO Guide 73 (2009, p.5) [50], risk assessment is defined as the overall process of risk identification, risk analysis, and risk evaluation. ISO 31000 (2009) [47] adopts this definition and conceptualizes risk assessment.
Risk assessment in this ISO put in the wider context of risk management. ISO Guide 73 (2009, p.2) [50] defines risk management as follows: coordinated activities to direct and control an organization with regard to risk. The figure models the dominant influence of communication and consultation with external and internal stakeholders throughout the entire assessment process. While ISO 31000 (2009) [47] is a generic standard on risk management, there are other concepts of risk management. Risk assessment may differ slightly, reflecting a collective process of risk evaluation and risk analysis, which can consist of hazard identification and risk estimation. It could be agreed that risk analysis is conceived as the process of answering the three questions of Kaplan and Garrick (1981) [48], while risk assessment covers the wider process of both risk analysis and evaluation, as is held by ISO guide 73 (2009) [50].
Depending on the required level of detail, this can be a qualitative, semi-quantitative or quantitative process. The choice of method is affected by the problem at hand (for instance, commercial risk), the availability of resources, risk acceptance criteria, data availability and the risk management strategy possibly related to the national or international standards.
A number of methods are used for risk or safety assessment [51]: Failure Modes, Effects, (and Criticality) Analysis (FMEA/FMECA), Fault Tree (FT) analysis, cause and effect diagrams, Bayesian belief networks, Event Tree (ET) analysis, Reliability Block Diagrams (RBD), etc. It might be recommended [51] to start the risk analysis by constructing FT. In the construction of the FT, all potential causes of specified events (such as accidents) are identified. The construction of FT will give the analyst a better understanding of the potential causes of an unfavorable event. If the analysis is carried out in the design phase, the analyst may rethink the design and operation of the system and take actions to eliminate potential hazards. Combining FT and ET became a usual approach for system reliability and accident sequence analysis in Probabilistic Risk/Safety Assessment (PRA/PSA) [51].
PRA/PSA is used in those areas where undesired events and corresponding consequences in terms of loss of property, profit, human health, and lives are possible. Risk analysis is used in order to identify potential risk, problem areas, and corresponding systems, propose risk reduction measures and choose the most efficient ones. Such, risk analysis supports decision making related to several alternatives.
An integral part of PRA/PSA is Human Reliability Analysis (HRA), which identifies possible human actions or their absence, which could affect the safety of the system being analyzed. Humans influence risk in different ways, such as making important functions unavailable due to errors during maintenance or initiating an abnormal event or making errors during unfavorable events mitigation. HRA task is to identify human actions that are vital for the system safety, adequately evaluate factors that have the highest impact performance of humans, evaluate Human Error Probability (HEP) for each action and include the actions in the PRA/PSA model.
The general ISO risk management standard called "ISO 31000: 2009 Risk management-Principles and guidelines" [47] has three main sections: principles for managing risk (clause 3), a framework for managing risk (clause 4) and the process of managing risk (clause 5). The standard states 11 principles for managing risk (clause 3).
According to the standard, risk management should be an integral part of the organization supported by management. The standard advocates a framework for managing risk (clause 4) by means of a risk management process (clause 5), to be used at different levels and in different contexts. This framework should ensure that risk information is derived from these processes and is adequately reported and used for decision making at the relevant organizational levels. The clause also gives guidelines for designing, implementing and monitoring such a management framework. The following Figure 1 shows the components of the framework and its connection to the risk management process.
The general action/solution related framework of risk management reflects that "for each issue or event requiring a decision, managers can benefit from adopting a systematic approach to identifying the potential risk, looking specifically at the sector in which the proposal falls, but also looking at the intersection with the other sectors. The idea is to try to identify all of the consequences of a particular issue or event, in order to find an optimal decision set to minimize adverse effects and maximize social and business objectives in a cost-efficient manner" [51].
Risk factors, events, and consequences: the risk in commercial processes is defined from the range of different perspectives. In the context of the supply chain or commercial processes, the risk could emerge from supply chain vulnerabilities, which outcome with material or financial losses, delivery delays and a decrease of reputation and competitiveness. "Risk events are incidents whose occurrences result in the disruption of overall supply chain performance" [52], or more generally, that have negative consequences in terms of commercial performance.
The following conceptualization given in this paper and respective expected implications, in short, are based on the risk that is approached as "probability of events that result in loss" [53].
As it is depicted in Figure 2, the risk is expected to be assessed, measured and thus predicted on the basis of the defined list of certain risk factors. Each event (following above considered risk definition [46] denoted by letter A in Figure 2) with negative consequences (denoted by the letter C) as the risk should be defined by certain factors which are perceived as initial, triggering risk event reasons [53]. The event and its factors are observed variables of any certain risk assessment framework. Observed risk factors variables work as independent and risk event prediction outcomes-as dependent variables in risk assessment models. The risk management is conceptualized here as a three-phase process. Theoretical analysis and statistical proof of risk event and its factors association are done in According to the standard, risk management should be an integral part of the organization supported by management. The standard advocates a framework for managing risk (clause 4) by means of a risk management process (clause 5), to be used at different levels and in different contexts. This framework should ensure that risk information is derived from these processes and is adequately reported and used for decision making at the relevant organizational levels. The clause also gives guidelines for designing, implementing and monitoring such a management framework. The following Figure 1 shows the components of the framework and its connection to the risk management process. The general action/solution related framework of risk management reflects that "for each issue or event requiring a decision, managers can benefit from adopting a systematic approach to identifying the potential risk, looking specifically at the sector in which the proposal falls, but also looking at the intersection with the other sectors. The idea is to try to identify all of the consequences of a particular issue or event, in order to find an optimal decision set to minimize adverse effects and maximize social and business objectives in a cost-efficient manner" [51]. Risk factors, events, and consequences: the risk in commercial processes is defined from the range of different perspectives. In the context of the supply chain or commercial processes, the risk could emerge from supply chain vulnerabilities, which outcome with material or financial losses, delivery delays and a decrease of reputation and competitiveness. "Risk events are incidents whose occurrences result in the disruption of overall supply chain performance" [52], or more generally, that have negative consequences in terms of commercial performance.
The following conceptualization given in this paper and respective expected implications, in short, are based on the risk that is approached as "probability of events that result in loss" [53].
As it is depicted in Figure 2, the risk is expected to be assessed, measured and thus predicted on the basis of the defined list of certain risk factors. Each event (following above considered risk definition [46] denoted by letter A in Figure 2) with negative consequences (denoted by the letter C) as the risk should be defined by certain factors which are perceived as initial, triggering risk event reasons [53]. The event and its factors are observed variables of any certain risk assessment framework. Observed risk factors variables work as independent and risk event prediction outcomes-as dependent variables in risk assessment models. The risk management is conceptualized here as a three-phase process. Theoretical analysis and statistical proof of risk event and its factors association are done in Phase 1. Mathematical models for risk prediction are expected to be built in Phase 2. Observed risk factors variables are processed by mathematical models and risk are predicted in Phase 3. SME's financial model is an essential element in a commercial process. Expected SDGs oriented outcomes are based on the sustainability of the financial model. Sustainability of SMEs' financial models or financial sustainability is defined as the state of balance between different finance-related components: revenues and expenses, assets and liabilities, etc. [54,55]. Financial links that connect the company to its external environment-suppliers and buyers-ensure inward and outward flows of resources and business products and thus the robustness of the overall commercial process. Events with negative consequences-commercial risk-harm these relationships cutting either resource of product streams, thus preventing the enterprise from successful movements towards commercial SME's financial model is an essential element in a commercial process. Expected SDGs oriented outcomes are based on the sustainability of the financial model. Sustainability of SMEs' financial models or financial sustainability is defined as the state of balance between different finance-related components: revenues and expenses, assets and liabilities, etc. [54,55]. Financial links that connect the company to its external environment-suppliers and buyers-ensure inward and outward flows of resources and business products and thus the robustness of the overall commercial process. Events with negative consequences-commercial risk-harm these relationships cutting either resource of product streams, thus preventing the enterprise from successful movements towards commercial activity relevant SDGs. The unmanaged commercial risk increases the vulnerability of SMEs financial model, while assessed, evaluated risk increases the sustainability of the financial model.
Manageability of commercial risk is perceived here as a way to ensure the sustainability of SME's financial model and thus empower them to achieve SDGs. SMEs escape commercial risk, when all inputs are sourced as expected with required quality and time, buyers settle their accounts in expected time frames. Then the company is able to develop its business, ensure decent growth (in line with SDG No. 8), invest in innovative production and management processes (meeting SDG No. 9 targets).

Ecosystem Perspective Approach to Commercial Risk Management Framework
Nature of commercial risk. Following Heckmann, Comes, and Nickel [53], risk events and respective negative consequences could be separated into several categories. Events associated with expected negative consequences could be caused by partners' in commercial activities, their business practices, attitudes, objective and subjective, personal, organizational and other characteristics. We could call it an actor/partner-based risk. On the other hand, risk events could emerge based on the market, state, industry and other company invariant characteristics. They could be categorized as market or external factors based on risk. Other categorizations also exist; and it is hardly possible to find any final, covering or potential cases.
For example, Peck [56] suggested the four-level framework for supply chain vulnerability analysis. To be "at risk" means to "to be vulnerable". Four analytical levels include: "value, product or process stream; asset and infrastructure dependencies; inter-organizational networks; and social and natural environment". Such broad conceptualizations cover both supply chain or commercial process internal and external risk sources [53]. Horizontal (single organization approach) and vertical (product line, value stream mapping and analyses) research traditions cover most of the supply chain risk studies. According to Peck [56], the roots of supply chain and respective commercial processes related risk is in the ecology concept, which emphasizes relationships between organisms (here organizations) and their environment. Risk in commercial processes emerges from events caused both by other organizations and the focal company itself as well as complex external market factors. Figure 3 decomposes commercial risk into four analytical categories. The figure and given short description are not intended to present some full and extensive review based final range of possible factors and events associated with commercial risk. Contrary, the aim of this stylized decomposition is to highlight the wide and incompletable range of risk categories meaning that any particular empirical implementation of a suggested conceptual framework will be unique, determined by the interests of participants, trust levels and other cultural characteristics of a society, shared and available data.
Stylized four arrow shape figures represent certain organizations from diverse social and natural environments-different countries-facing commercial risk coming from four above mentioned broad risk categories. Streams of value, products, processes and knowledge are essential in commercial processes. The risk emerges from supplier-buyer links. Hard infrastructure and human related factors are two other sources of risk. Finally, the commercial risk could emerge from social and natural environment-related factors.
Value/product/process stream risk analytical level is associated with the product's logistics and flow of information, credibility, and validity of streaming information, as well as financial payment factors and events. These sources (i.e., respective factors of events and associated risk) emerge from organizations that are partners in commercial-selling and buying-processes.
All mentioned risks ( Figure 3) are perceived here by following the above-given risk definition. The structure of risk concept includes event (e.g., undelivered goods, not received payments, violation of tax regulations), its negative consequences (e.g., financial losses, penalties for the company), theoretically assigned or statistically revealed internal to the organization and external factors behind the event (e.g., seller's/buyer's reliability defined by formal and informal evidence, such as licenses, financial statements, positive and negative news, etc.-risk factors) and these factors based calculated probability of events (i.e., assessed and quantified risk associated with certain company and particular possible event). process internal and external risk sources [53]. Horizontal (single organization approach) and vertical (product line, value stream mapping and analyses) research traditions cover most of the supply chain risk studies. According to Peck [56], the roots of supply chain and respective commercial processes related risk is in the ecology concept, which emphasizes relationships between organisms (here organizations) and their environment. Risk in commercial processes emerges from events caused both by other organizations and the focal company itself as well as complex external market factors. Figure 3 decomposes commercial risk into four analytical categories. The figure and given short description are not intended to present some full and extensive review based final range of possible factors and events associated with commercial risk. Contrary, the aim of this stylized decomposition is to highlight the wide and incompletable range of risk categories meaning that any particular empirical implementation of a suggested conceptual framework will be unique, determined by the interests of participants, trust levels and other cultural characteristics of a society, shared and available data. The assessment and management of the risk in value/products/process stream analytical level depend on the partners' willingness to share their internal data about risk factors, demand, and supply chain process monitoring data. Trust, cooperation and risk-sharing are among other subjective factors that should be considered at this analytical level [56]. This analytical risk' level also covers the so-called "market risk", emerging outside partnering organizations. Market risk is defined by market demand volatility, uncertainty, changing needs of the market [56,57]. Since it is expected to associate potential risk events with certain commercial process partner organizations (buyer or seller/supplier), certain market-relevant factors could be included in assessment models as company invariant and certain market-specific risk factor variables.
The analytical level of inter-organizational networks related to commercial risk ( Figure 3) covers so-called corporate risk, including corporate management, business strategy orientation, social and general business responsibility, and related risk factors. Corporate level internal risk is also common in commercial processes. Both objective and subjective risk factors could be considered at this analytical level.
The social and natural environment covers any certain organization partnering in the supply chain. These factors come from different countries or other any aggregated environments (such as industry) and are common (fixed) for all partners from that particular environment. Traditional political, economic, social and specific technological factors are considered dealing with potential risk sources in diverse macro-level environments. Social and natural environment variables also are company invariant regressors in risk assessment models.
Assets and infrastructure dependencies (Figure 3) are characteristics of a certain organization, active in the supply chain as partners in commercial processes (sellers, buyers or other partners i.e., commercial services providers). Assets and infrastructure (commercial assets, sites or facilities: fields, factories, distribution centers, retail outlets, warehouses, etc.) are those resources in organizations that are needed to produce and stream the goods and information in above-defined value/products and process stream analytical level [56]. The range of assets and infrastructure items, the way of its evaluation is wide and specific of every single context.
Any certain CRMF will consider what assets and infrastructure items should be included and how they will be evaluated to assess their risk in considered commercial activity. On the other hand, the analytical level of infrastructure dependencies also covers country-level factors such as communication networks, roads, railways, and other infrastructure-thus including external fixed factors into the commercial risk assessment model.
Other conceptualizations of commercial risk classes or categories also could be employed [52]. Banks and Dunn [57] define risk framework as "risk limit structure". Risk framework is the way to convey "how much exposure the firm in total-specifically its business units-can take in individual risk classes". Risk framework requires that risk should be quantified. Subjective risk is treated by applying special methods.
In any case, it will be difficult to state that the categorization of risk is final, full and complete. The risk assessment and management framework should be based on a flexible conceptual approach capable to evolve and adapt to context-specific requirements. Evolution and adaptation are done by including, excluding or changing certain observed events or its factors variables.
Each of four supply chain vulnerability analytical levels uses data sources to predict risk categories summarizing respective events [52], which is risky due to potential negative consequences. Both mathematical (objective) and subjective [57] data types are relevant for risk assessment. A Commercial Risk Management Framework (CRMF) based solution is intended to collect all relevant data and deliver risk assessment of supply chain peers: buyers, suppliers, and other business partners.
Ecosystem concept-based approach to commercial risk assessment and management: the idea and respective concept of "artificial intelligence-based risk management ecosystems" have not been established in the scientific literature yet. However, the aim to manage and minimize risk in commercial processes, similarly to other applications of ecosystems' idea, is defined as some intended outcome of interdependency among participants [58]. The expected outcome of ecosystem performance here is the assessed commercial risk of existing or potential commercial partner, certain buying or supplying company.
CRMF is thus defined as the universe of interactions among participants of commercial processes aimed to minimize risk. Such definition is based on the general idea of the ecosystem that emphasizes "actors, their environment and various interactions between them" [58], as main ecosystem components.
CRMF is a special-purpose business ecosystem crossing single enterprise boundaries and extended along and across supply chains. Following Moore's [59] definition, it could be stated, that similarly to the business ecosystem in general, CRMF "covers the company itself, customers, competitors, market intermediaries and companies selling complementary products and suppliers". Besides the general purpose of the business ecosystem where "actors work cooperatively and competitively to create new products, satisfy customer needs, coevolve capabilities around innovation" [59], CRMF aims to uncover, manage and minimize commercial risk, again, by cooperative work of actors focused at the same sustainable business goals.
Commercial processes encompass buying, selling of goods and/or services, transportation, payments, data exchange and any other processes somehow related to those just mentioned. In other words, it could be said that commercial processes include any kind of participation in supply chains. Commercial processes risk covers all supply chain risk (SCR) [60]. A broader term-commercial processes risk (CPR)-is considered in this paper to refer to the overall business in the enterprise instead of some certain products and respective their supply chains.
As it is depicted in Figure 4, CRMF is expected to be implemented outside any certain company. The solution would provide services to all interested and participating (i.e., sharing their own data) companies. The main and primary stakeholders' group is SMEs.
CRMF is considered as a firms' international competitiveness focused tool. A combination of firm internal and country-level external factors in international competitiveness focused solutions is already well-established in science, practice, policy, and research levels [61,62]. Technical support components cover those competencies, capabilities, and resources that are close to internal to the firms by their kind, but not available to be developed and maintained by SMEs themselves. These three basic components are defined in detail in the following chapters. Each of the above discussed ( Figure 3) commercial risk management analytical levels are characterized by a certain risk, i.e., expected events with potentially negative consequences. These events could be observed (and documented) in the company's commercial practices and thus become outcome (i.e., dependent) variables in AI models of risk assessment, which constitute the essential body of here discussed CRMF. Outcome (observed risk events) and factor variables constitute the main CRMF database (Figure 4) used for AI machine learning, risk assessment models development and respective risk assessments.
On the other hand, some foreseen potential events could be learned and forecasted by the AI system itself by exploring risk factor variables databases. These factors are employed as independent variables in the mathematical AI models mentioned above. Finally, each potential risk (possible event with negative consequences) as an outcome variable is associated with the certain mathematical model (e.g., regression) defined by constants and coefficients with the range of factors (Figure 4).
For example: at the value/product/process risk analytical level, negative consequences could be associated with cargo loading and intermediate reloading risk, which could outcome in insufficient loads, product shortages and so on as negative consequences. The assessment of such risk could be done using shared GPS tracking data of transport moving, checking the documents and other evidence which would be requested to upload into the CRMF database to process by AI software.
Delayed or refused payments, non-existing (pretended) buyers/suppliers are also examples of risk at the value/product/process stream risk analytical level. Such potential negative outcomes are expected to be identified, assessed and managed to employ publicly available crediting data or insurance guarantees. In such cases, most of the data and information as risk factors variables required to assess and manage risk in commercial processes comes from the external environment.
Intra-and inter-organizational networks risk are difficult to identify and manage by AI solutions (Figure 3). They cover the company's as well as partners' stuff reliability, the security of used means of communication, skills, and knowledge of employees in a broad range of areas. In most cases, the risk is caused by people and this means that data about factors, used to forecast the risk, are limited, difficult to collect, to structure and input it into AI machines. Expected events with negative Two major CRMF components in terms of data sources are as follows: (1) SMEs and other firms, sharing their commercial data, and (2) external bodies (governmental-public and commercial), gathering various data about companies. Business companies provide a vector of internal data variables I i , range of externally sources data variables is denoted as E j . The third vector of variables F k adds data about clusters of companies, representing a country or other company group (e.g., sector or industry) invariant characteristics of the assessed partner in commercial processes.
First, SMEs themselves, then some macro-level components, and finally technical support-are some of the background conditions needed to be fulfilled for CRMF developments. Firm internal or firm-specific factors, as well as external or country macro level-specific factors, are included since CRMF is considered as a firms' international competitiveness focused tool. A combination of firm internal and country-level external factors in international competitiveness focused solutions is already well-established in science, practice, policy, and research levels [61,62]. Technical support components cover those competencies, capabilities, and resources that are close to internal to the firms by their kind, but not available to be developed and maintained by SMEs themselves. These three basic components are defined in detail in the following chapters.
Each of the above discussed ( Figure 3) commercial risk management analytical levels are characterized by a certain risk, i.e., expected events with potentially negative consequences. These events could be observed (and documented) in the company's commercial practices and thus become outcome (i.e., dependent) variables in AI models of risk assessment, which constitute the essential body of here discussed CRMF. Outcome (observed risk events) and factor variables constitute the main CRMF database (Figure 4) used for AI machine learning, risk assessment models development and respective risk assessments.
On the other hand, some foreseen potential events could be learned and forecasted by the AI system itself by exploring risk factor variables databases. These factors are employed as independent variables in the mathematical AI models mentioned above. Finally, each potential risk (possible event with negative consequences) as an outcome variable is associated with the certain mathematical model (e.g., regression) defined by constants and coefficients with the range of factors (Figure 4).
For example: at the value/product/process risk analytical level, negative consequences could be associated with cargo loading and intermediate reloading risk, which could outcome in insufficient loads, product shortages and so on as negative consequences. The assessment of such risk could be done using shared GPS tracking data of transport moving, checking the documents and other evidence which would be requested to upload into the CRMF database to process by AI software.
Delayed or refused payments, non-existing (pretended) buyers/suppliers are also examples of risk at the value/product/process stream risk analytical level. Such potential negative outcomes are expected to be identified, assessed and managed to employ publicly available crediting data or insurance guarantees. In such cases, most of the data and information as risk factors variables required to assess and manage risk in commercial processes comes from the external environment.
Intra-and inter-organizational networks risk are difficult to identify and manage by AI solutions (Figure 3). They cover the company's as well as partners' stuff reliability, the security of used means of communication, skills, and knowledge of employees in a broad range of areas. In most cases, the risk is caused by people and this means that data about factors, used to forecast the risk, are limited, difficult to collect, to structure and input it into AI machines. Expected events with negative consequences in this analytical level are observed as unfair and/or deceptive behavior of responsible employees.
Two remaining analytical levels ( Figure 3) should be implemented into CRMF ( Figure 5) in the same way. Each expected event with negative consequences is observed (or forecasted) as outcome dependent variables associated with a certain defined list of factor variables employed by AI to forecast or identify potential risk. The broader definition of the structure of such a system is defined conceptually in the following chapters. consequences in this analytical level are observed as unfair and/or deceptive behavior of responsible employees. Two remaining analytical levels ( Figure 3) should be implemented into CRMF ( Figure 5) in the same way. Each expected event with negative consequences is observed (or forecasted) as outcome dependent variables associated with a certain defined list of factor variables employed by AI to forecast or identify potential risk. The broader definition of the structure of such a system is defined conceptually in the following chapters.

Existing AI Solutions, Their Applicability, and Availability
SMEs commonly lack competencies and resources that require substantial investments, which are difficult to cover, and if made they lead to inefficient resource allocations and respective losses.
Risk control and management solutions based on AI and BD analytical techniques are considered as resources and capabilities that should be developed and maintained at the CRMF level by sharing costs and benefits of such assets. Risk assessment, control, and management are based on data and information. This information should be shared among the supply chain (or, broadly speaking, commercial processes) participant, then analyzed to assess the risk of participants, and finally used for risk management decisions [60,63].
In this background, AI-understood as a process for gathering, analyzing, interpreting, and disseminating high-value data and information at the right time to use in the decision-making process-constitutes a framework for action and research for organizations aspiring to improve their competitiveness through the use of high-value data and information in their products/services [64].
When evaluating business financial performance, the rating or credit score methods are commonly used. The main literature and publications focus on SMEs' access to finance are from the perspective of credit institutions. Authors propose various models for assessing SME credit risk using AI. The importance of credit scoring has increased recently because of the financial crisis and increased capital requirements for banks. There are, however, only a few studies that develop credit scoring models for SMEs lending. Li et al. introduced a novel, more accurate credit risk estimation approach for SMEs business lending [65]. A multi-dimensional and multi-level credit risk indicator system was constructed by Zhang et al. who presented an improved sequential minimal optimization learning algorithm-named four-variable SMO-for credit risk classification model [66].
Traditional credit scoring does not serve SMEs well. The method is linear, static and onedimensional. For example, the Altman Z-score, a technique commonly used by lenders in traditional credit scoring, is unsuitable for SMEs because it is based on a highly selective number of fields that

Existing AI Solutions, Their Applicability, and Availability
SMEs commonly lack competencies and resources that require substantial investments, which are difficult to cover, and if made they lead to inefficient resource allocations and respective losses.
Risk control and management solutions based on AI and BD analytical techniques are considered as resources and capabilities that should be developed and maintained at the CRMF level by sharing costs and benefits of such assets. Risk assessment, control, and management are based on data and information. This information should be shared among the supply chain (or, broadly speaking, commercial processes) participant, then analyzed to assess the risk of participants, and finally used for risk management decisions [60,63].
In this background, AI-understood as a process for gathering, analyzing, interpreting, and disseminating high-value data and information at the right time to use in the decision-making process-constitutes a framework for action and research for organizations aspiring to improve their competitiveness through the use of high-value data and information in their products/services [64].
When evaluating business financial performance, the rating or credit score methods are commonly used. The main literature and publications focus on SMEs' access to finance are from the perspective of credit institutions. Authors propose various models for assessing SME credit risk using AI. The importance of credit scoring has increased recently because of the financial crisis and increased capital requirements for banks. There are, however, only a few studies that develop credit scoring models for SMEs lending. Li et al. introduced a novel, more accurate credit risk estimation approach for SMEs business lending [65]. A multi-dimensional and multi-level credit risk indicator system was constructed by Zhang et al. who presented an improved sequential minimal optimization learning algorithm-named four-variable SMO-for credit risk classification model [66].
Traditional credit scoring does not serve SMEs well. The method is linear, static and one-dimensional. For example, the Altman Z-score, a technique commonly used by lenders in traditional credit scoring, is unsuitable for SMEs because it is based on a highly selective number of fields that do not take into consideration other valuable accounting and non-accounting data. However, there is now an increased interest by institutions in using AI and machine learning techniques to enhance credit risk management practices, partially due to evidence of incompleteness in traditional techniques. The evidence is that credit risk management capabilities can be significantly improved through leveraging AI and machine learning techniques due to its ability of semantic understanding of unstructured data [67]. However, the main problem lies not in the sophisticated credit score methods and their development. The survey conducted in 2015 by Nav revealed 45% of small business owners do not know they have a business credit score, and 82% do not know how to interpret their score.
This phenomenon enhanced examples of the creation of credit score start-ups. The founder of CreditVidya was rejected by the bank after the loan application without a clear understanding of how credit scoring works. CreditVidya became a partner to banks and now helps them lend to consumers easier with improved credit scoring models and also developed a scoring mechanism for customers without a credit history. The company uses 10k+ data points from client systems, where it has been deployed, and then uses its AI algorithms for risk assessment of individuals. ZestFinance was founded by a former Chief Information Officer of Google and in 2016 partnered with Baidu, the dominant search engine in China, to improve Baidu's lending decisions in the Chinese market. Baidu was particularly interested in making small loan offers to retail customers buying products from their platform. ZestFinance (with permission) tapped into the huge volume of information on members held by Baidu such as their search or purchase histories to help Baidu decide whether to lend. They use thousands of data points per customer and are still able to make lending decisions on new applications in seconds [67].
Kabbage stands out by using business credit scoring when providing a credit line (up to 100kUSD) for businesses via its automated lending platform. Kabbage uses data generated through business activities such as accounting, online sales, shipping and dozens of other sources to understand the performance of companies. Another business credit scoring solution is IceKredit, which provides both SME and personal credit ratings. The company uses big data technologies and artificial intelligence algorithms to analyze social media and internet news. It provides a public sentiment score that helps to monitor SMEs. Additionally, IceKredit integrates its Knowledge Graph Database for in-depth analysis that helps to produce risk warnings in advance. The owner's credit assessment is one of the four major parts of the SME credit assessment. A business credit scoring company Cortera uses data about $1.3 trillion+ annual B2B transactions for estimating the creditworthiness of businesses [68]. AI in internet media scanning for evaluating company reputation Scoriff is developing credit scoring models, which can be applied globally by using Web data only. Compared to traditional methods (read: using financial data) it allows reducing data acquisition costs ca 100x, delay in credit risk scoring by a year. Company and business scores currently considered "unscorable" and can finally reach the global SME segment of the credit rating market via affordable prices and state-of-the-art usability. Scoriff is a big data era credit scoring company, which applies AI and machine learning at Webscale to predict the likelihood of default events of businesses across the globe [69].
AI can assist institutions at various stages in the risk management process ranging from identifying risk exposure, measuring, estimating, and assessing its effects (Sanford and Moosa 2015). It can also help in opting for an appropriate risk mitigation strategy and finding instruments that can facilitate shifting or trading risk. Thus, the use of AI techniques for risk management is now expanding to new areas involving the analysis of extensive document collections and the performance of repetitive processes, as well as the detection of money laundering that requires analysis of large datasets [67].
Quantitative models: quantitative risk analysis (QRA), in many situations, is considered as a helpful tool for understanding and managing risk [70]. In the following figure (adapted from IEC [71]) the basic steps of a QRA and a simplified relationship between risk analysis, risk assessment, and risk management are presented. These terms are used further within considered research work.
A key merit of QRA is that the procedure provides a structured way to determine the major contributions to the overall risk, which will obviously prove useful in the risk management situation where decisions are to be made regarding efforts to reduce the risk. Knowing the major contributions to the overall risk is a prerequisite for being able to direct efforts towards managing and reducing the risk to those areas where they will have the greatest impact, thus facilitating cost-effectiveness in risk management [72].
Risk management decisions involve numerous assumptions and uncertainties regarding technology, economics, and social factors, which need to be explicitly identified for decision-makers and the public. Unfortunately, risk analysis can seldom be performed based on large statistical databases because they may not exist, and full information may not be available at the time when decisions need to be made. Under those circumstances, the best that can be done is to integrate the information and focus on an accurate representation of uncertainties.
Models used in risk analysis usually provide as their output a single-valued or point estimate of risk. Often, the variability and uncertainty in the data used in the models or the inexact representation of the real world by the models are overlooked. Due to these uncertainties, the use of a single point estimate, a mean, or a median value alone can lead to a less informed decision. This means that when decisions are made using the results of such risk analyses, they are made on the basis of point estimates alone. In reality, these point estimates belong to a risk distribution that reflects the uncertainties in the data and models used in the risk analysis.
There are two main problems using point risk estimates in the decision-making: -First, it is highly desirable for decision-makers to be aware of the full range of the possible risk in order to make informed and balanced decisions. -Second, point risk estimates frequently are very uncertain because of the accumulation of the effects of rare data, expert judgments or/and various conservative assumptions.
For these reasons, it is highly desirable that uncertainty or/and sensitivity analysis be performed as part of every risk and reliability analysis. This will remain true as long as risk analyses rely on sparse data, limited knowledge, and approximate models, as is the case recently.
If done consistently and accurately, the quantification of risk (probability and consequences of different outcome scenarios associated with a hazard) allows ranking risk mitigation solutions and setting priorities among safety procedures. Certainly, this quantification is not always necessary, but it is an important one in a world of limited resources and limited privacy when the acceptable or best option is not obvious. As considered by Soffer and Cohen (2014) [73] privacy is not an absolute but rather subjective and contextual value, and the right to privacy is based on an array of cultural and social practices and understandings of private spheres.
In general, the worst-case analysis accounts for uncertainty by being conservative and it might prove especially useful in screening assessments [70]. If the estimate is conservative, then it is very difficult, or even impossible, to be consistent regarding how conservative different results are, which makes it impossible to compare risk measures (e.g., frequency of worst consequences) from different analyses [70]. There is a chance that the analysis will be hyper-conservative, which makes it impossible to make sound decisions on, for instance, the risk under economic constraints.
The expected outcome of CRMF is computed maximum losses or "to determine a possible worst-case loss" [57] (p. 97). Statistical distribution, regression, modeling, machine learning, etc.

Risk Assessment Workflow Using Machine Learning
Artificial intelligence and machine learning will bring the agility and efficiency that organizations may perhaps not currently have. However, to do that, these developments have to be aligned with the organization type, information requirements, and intelligence implemented models [8]. How well businesses prepare and respond to that development will depend heavily on how prepared it will be.
As mentioned previously, ISO 31000 (2009) [47] adopts the various definitions and conceptualizes risk assessment. This can be expanded by machine learning or artificial intelligence capabilities as shown in Figure 6.  In order to perform a task such as prediction, the methods and models should be also adapted and thus parameters should be estimated. This is not programmed explicitly. Models are trained by presenting a sample (training) dataset. This dataset should contain both input and the expected output of the model. Based on these pairs of input and output, machine learning methods and models could be used to reflect the dependency between input and output, and later can be used to predict the unknown output given the known input.
Normally, the input is reflected by values of variables, which may also be called features, regressors, covariates, independent variables (see below). Correspondingly, the output is called responses, labels (especially if the output is categorical variable), the dependent variable (as it depends on input), etc. Input is usually denoted and sometimes called X's and output is called Y's. In our case, observed transactions etc. are inputs, and risk classes are the output (whose values are labels).
In many applications, for instance, prediction, an additional step should be performed to successfully apply machine learning methods and obtain a good accuracy of results, i.e., predicted the output. This step is called feature engineering or feature construction. For example, observing a variety of financial data it would be a hard problem for machine learning to identify if the analyzed case is risky. However, this task becomes easier one in the finance domain and considering the corresponding frequency features. Almost anybody can recognize the issue of the financial case by a balance data and similarly, the machine learning algorithms can do this as well if the financial balance feature is used as a variable in the method. So, additional feature construction should be used to convert observed raw financial data (transactions), and these financial balance values are used as input to machine learning classifier to classify financial state. Machine learning refers to the technique involving the usage of algorithms and statistical models to solve various specific tasks. The distinct characteristic of these algorithms is that they should be programmed and adjusted to perform a specific task. There is a common (expanding) set of methods and statistical models to be used for data analysis. These methods and models are adjusted to the dataset to solve specific tasks. Usually, this is achieved by the specification of a large number of model parameters. In such a way the methods are used to model the numerous dependencies of observed data and considered variables. The simplest example of a machine learning method could even be a linear regression used in statistical data analysis.
In order to perform a task such as prediction, the methods and models should be also adapted and thus parameters should be estimated. This is not programmed explicitly. Models are trained by presenting a sample (training) dataset. This dataset should contain both input and the expected output of the model. Based on these pairs of input and output, machine learning methods and models could be used to reflect the dependency between input and output, and later can be used to predict the unknown output given the known input.
Normally, the input is reflected by values of variables, which may also be called features, regressors, covariates, independent variables (see below). Correspondingly, the output is called responses, labels (especially if the output is categorical variable), the dependent variable (as it depends on input), etc.
Input is usually denoted and sometimes called X's and output is called Y's. In our case, observed transactions etc. are inputs, and risk classes are the output (whose values are labels).
In many applications, for instance, prediction, an additional step should be performed to successfully apply machine learning methods and obtain a good accuracy of results, i.e., predicted the output. This step is called feature engineering or feature construction. For example, observing a variety of financial data it would be a hard problem for machine learning to identify if the analyzed case is risky. However, this task becomes easier one in the finance domain and considering the corresponding frequency features. Almost anybody can recognize the issue of the financial case by a balance data and similarly, the machine learning algorithms can do this as well if the financial balance feature is used as a variable in the method. So, additional feature construction should be used to convert observed raw financial data (transactions), and these financial balance values are used as input to machine learning classifier to classify financial state.
In addition, the great majority of machine learning methods use a fixed number of inputs. Thus, in some cases, inputs are truncated (or expanded) to have the same number. Some machine learning methods have a huge number of variables or parameters (e.g., tens of millions). These methods are capable to learn and predict even individual records of a sample dataset. If using observed data, we try to estimate the accuracy of such a method, we may get that it is precise for the whole considered dataset, but the method may fail to predict credit risk for new observations since not only this specific sequence of transaction amount indicates the risk. This phenomenon with a too large focus on specific relations or predictions is called overfitting.
It is very important to avoid overfitting and properly estimate the accuracy of the model. Overfitting avoidance techniques are method-specific and are out of the scope of this introduction, however, accuracy estimation can be done by a simple split of the dataset. Dataset is split into two parts called the training set and test set. The method is trained only on the training set. The test set is never used for learning by the method, so the method could not be adapted to individual samples of the test set. Thus, estimating the accuracy of predictions using the test set should give the correct estimate of method performance. A typical proportion of sample splitting is 70% to 90% part for training and 30% to 10% part for testing. Such a sample split can be used to estimate the accuracy of the methods in the analysis. Figure 7 depicts in a conceptual way both machine learning and commercial risk assessment phases of proposed CRMF practical performance. The intermediate phase of model testing is also shown. However, the attention for the testing phase is considerably smaller looking from a business management perspective. Model testing phase itself does not deliver any business management relevant outcomes, nor requires any additional inputs.
The implemented solution of CRMF will measure a range of different commercial risk values associated with exact negative consequence events C a . The assessment of risk is given as a prediction or probability P a of certain event A. The considered CRMF could cover both a company's internal and external (caused by other companies-business partners) risk events. Each of the considered events are defined by sets of theoretically reasoned or statistically revealed factor indicators.
As already discussed in Figures 3 and 4, AI machine is learned to predict events based on observed I i , E j and F k factors. Following above given CRMF conceptual definition, these three factor groups refer to vectors of variables which data is sourced from business companies, sharing their own data in CRMF (variables noted as I i ); externally sourced data about business companies (E j ); and observed factors that are external to companies and invariant in groups which are clusters of companies depending on their origin country, legal status or other relevant characteristic (F k ). Each P a , i.e., probability of event A with negative commercial consequences C a , will be predicted by a distinct set of selected I i , E j and F k observed variables. It means that CRMF should be seen as a structure of equations, predicting events with negative commercial consequences. Machine learning phase: C a = aI i + bE j +cF k + e n + u m . Risk assessment phase: P a = aI i + bE j + cF k + e n + u m . the methods in the analysis. Figure 7 depicts in a conceptual way both machine learning and commercial risk assessment phases of proposed CRMF practical performance. The intermediate phase of model testing is also shown. However, the attention for the testing phase is considerably smaller looking from a business management perspective. Model testing phase itself does not deliver any business management relevant outcomes, nor requires any additional inputs. The implemented solution of CRMF will measure a range of different commercial risk values associated with exact negative consequence events Ca. The assessment of risk is given as a prediction or probability Pa of certain event A. The considered CRMF could cover both a company's internal and external (caused by other companies-business partners) risk events. Each of the considered events are defined by sets of theoretically reasoned or statistically revealed factor indicators.
As already discussed in Figures 3 and 4, AI machine is learned to predict events based on observed Ii, Ej and Fk factors. Following above given CRMF conceptual definition, these three factor groups refer to vectors of variables which data is sourced from business companies, sharing their own data in CRMF (variables noted as Ii); externally sourced data about business companies (Ej); and observed factors that are external to companies and invariant in groups which are clusters of companies depending on their origin country, legal status or other relevant characteristic (Fk). Each Pa, i.e., probability of event A with negative commercial consequences Ca, will be predicted by a distinct set of selected Ii, Ej and Fk observed variables. It means that CRMF should be seen as a Working AI solution will be based on the set of tools, including statistics, analytics, scenarios, value-at-risk (VAR), maximum loss [57]. Statistical measures based on observed events distribution are used to calculate event probability. AI solution could be based on various machine learning techniques, such as neural networks, support vector machines, so-called random forest algorithms, etc. These techniques, compared to the above formalization, are more sophisticated and could be seen as a black-box model M, which deals with a lot of historical data and identify risky cases as a result related to classification or prediction. As there are a variety of models from which to pick, an understandable and effective measure of goodness should be in place. There are four most common measures for forecast errors: RMSE, MAE, MAPE, MASE [74].
The prediction quality could be measured using various criteria, for instance, Akaike's Information Criterion (AIC)-"in general terms, the value of AIC for a model M is defined as AIC(M) = −2 log {l(M)} + 2D, where l(M) is the model likelihood and D is a penalty term, which was originally equal to the number of parameters in the model, p" [75]. Another alternative is Corrected Akaike's Information Criterion (CAIC)-a bias-corrected version of AIC for a small number of observations used for estimation [74].
Finally, the risk assessment phase turns into analysis and management phases. Next, this calculated hazardous event probability is processed by analytics to quantify outcomes of expected negative consequences. The analytics phase could be extended to scenarios development. However, these steps are not expected to be covered by the proposed CRMF, leaving them for certain company management decision-makers. CRMF is intended to support SMEs in decision making, but not to take full responsibility for these decisions.

Discussion on Recommendations for CRMF and AI Applicability
An important issue is the availability of skilled staff to implement these new techniques. A survey of the top 1000 firms in the United States on AI implementation in their firms found that their biggest concern in the implementation of AI was the readiness and ability of staff to understand and work with these new solutions. Training a skilled cohort of staff is something that will take time [67]. World Economic Forum data show that by 2020, machines and algorithms will create 133 million job positions of new functions. However, about 75 million jobs will simply disappear, and the demand for different competencies can lead to greater social exclusion [76] so the policy attention to education and research should be crucial. European Commission is already running initiatives such as "Digital Opportunity Traineeships", supporting internships aimed at acquiring advanced digital skills, and a number of actions of the Digital Skills [77] and Jobs Coalition [78] aim at spreading coding skills increasing the number of experts in digital. The ecosystem of AI development including education, research, promoting innovative startups, SMEs, as well as business-academia collaboration, should be implemented in order to achieve coherent progress in AI adoption.
From a practical perspective, the attention should be driven to the practical application of AI solutions and its accuracy. With a growing number of AI options for the application, there is a need for a skilled workforce when it comes to practical applications. As Aziz and Dowling suggest, firms cannot simply 'apply' a machine learning risk management solution, but it is rather a continuous process requiring a constant evaluation of whether their particular machine learning solution is currently considered best practice. When it comes to AI, where there is some or full automation of processes, from data gathering to decision-making, the need for human oversight will become even more pressing [67].
Another issue of AI for company management solutions refers to data as the main source and prerequisite for machine learning, namely data protection regulations. The use of personal data for risk assessment is subject to the General Data Protection Regulation (GDPR). Businesses using AI are obliged to comply with a new responsibility and should be considering how to conform to the GDPR.
The conceptual solutions of CRMF, proposed in this article, would help companies to address both of these issues. The CRMF, supporting SMEs from the ecosystem perspective, release SMEs from high investments into independent human resource development. Either state-support by covering the costs of human resource development, cost-sharing among SMEs as certain CRMF stakeholders or any other similar strategies-would be supporting SMEs' business development.
The issues of data collection and analyses solved with the help of external CRMF would also improve SMEs' international competitiveness. If any single SME would try to develop its own internal system of commercial risk assessment with the above described CRMF functionality, it will result in high inefficiency too expensive to cover by single SME resources.
Research and Development Agenda Recommendations: This paper is aiming to be a baseline research. Based on the proposed framework and assumptions of, work suggesting specific models and tools for SMEs risk management using AI, the next steps for enhancing SMEs competitiveness and SDG improvement. By its nature, most of the arguments and assertions are still not in place or are at the beginning of their exploration. Hopefully, the present study identifying various themes will attract the interest of the scientific community in the future.

Conclusions
On the one hand, SMEs are being viewed in many quarters as a vital engine for growth; it is necessary to develop and incorporate capabilities associated with intelligence, thereby bringing about integral improvements to the organization. On the other hand, these new capabilities must be quantified to facilitate their incorporation within the organization [11].
Companies show great progress in using large-scale internal and external data for risk prevention. However, the problem appears in traditional analytical methods, which are incapable of processing large business data. Therefore, cognitive analysis or artificial intelligence helps to integrate complex large-scale data to indicate and integrate known and initially unknown risk factors for large business data processing by identifying risk factors for commercial processes. Assumptions for the use of artificial intelligence are the increasing computer computation capacity and the retention of data storage.
The review of EU policy agendas, scientific literature, and management standards let us to conclude that:

1.
Commercial risk is a substantial issue for SMEs, affecting their performance and international competitiveness. Insufficient performance does not allow SMEs to achieve SDG defined state of the business. Unassessed and unmanaged commercial risk results in business shortages.

2.
The given theoretical approach of risk management framework could be extended considering expected implications in policy, further research, and business levels dealing with commercial risk and AI applications.

3.
Though there are many risk definitions, the commercial risk here is perceived as the assessed probability of an event with negative commercial consequences. The factors of risk, i.e., events having negative commercial consequences, are found in a broad range of analytical levels around commercial processes, including product/process/value stream, commercial infrastructure, intraand inter-organizational relationships/networks, social and natural environment. The latter analytical level covers those factors that are certain company invariant and define their groups based on sector, home country, etc. 4.
The calculation of negative event probability is done applying the statistical analysis of selected certain risk event factors. The statistical analysis of selected risk factors is applied to the artificial intelligence development approach, i.e., by learning machines to apply historical patterns for new data evaluation and respective potential risk assessments. 5.
CRMF is conceptualized as external to the certain business ecosystem-level services provider. SMEs as CRMF's services users would get risk assessments of potential and/or existent commercial partners-suppliers or buyers. Such services would help SMEs reduce costs for human resource development, data collection, data processing and AI-based risk assessment solution maintenance. 6.
Observing a variety of financial data, it would be difficult for machine learning techniques to identify the risky case. However, this task becomes easier in the finance domain considering the relevant features. 7.
Proposed CRMF based SME support solutions development is expected to include data from various sources. Internal business data defining selected risk factors are shared by SMEs themselves. External data, collected and structured (maybe analyzed) by private or public bodies, also defining selected risk factors are associated with particular SMEs. State or industry level indicators, whose values are invariant to the certain SME and define their environmental or other fixed characteristics, are also used to assess the probability of events with negative consequences for the business.
Author Contributions: Conceptualization of risk, risk assessment and management, R.A.; impacts of commercial risk on SDG in SMEs, G.Ž.; conceptualization of CRMF, E.R.; existing AI solutions, their applicability, and availability, G.Ž.; risk assessment workflow using machine learning, R.A. and E.R.; discussion and conclusions, G.Ž., R.A., and E.R.
Funding: This research received funding from European Regional Development Fund, EU Structural Funds Investments program for 2014-2020 priority Nr. J05-LVPA-K under grant agreement with Lithuanian Business Support Agency No. J05-LVPA-K-04-0083.