SMEs mainly focus on risks that are obvious but unlikely, such as fire. Some risks are less obvious but may have serious consequences.
People are far more empowered today than before. The relationship between employees and employers has changed considerably as a result. Employees are far more prone to fight their dismissal or to lodge a complaint against their managers than before. This new empowerment comes with a price tag. It implies additional legal costs and possibly even penalties.
Companies conveniently assume that fraud is an external threat, but the enemy sometimes comes from within. Moreover, internal fraud is a typical risk for small and medium-sized enterprises, precisely because of the focus on trust. Some employees dare to betray this trust. They have their hands in the till, sell machine parts, or pass on sensitive data to the competition for payment. There are various reasons for susceptibility to fraud. First of all, people today are not as loyal as before. SMEs also have fewer rules and procedures. That freedom opens the door to abuse.
Insolvency among customers and suppliers
Insolvency is and remains a substantial risk, especially after the crisis. Companies do not dwell nearly enough on the fact that customers can go insolvent. Insolvency has dramatic consequences for your profit margin. Suppliers may also be affected, which can seriously threaten your production process. After all, it is not an easy task to quickly find a new raw materials supplier. Companies are well advised to purchase external data about their partners, especially if they do business abroad.
Companies depend on other partners in order to operate. Problems with suppliers may thus impact on their internal functioning. Imagine if an important supplier's machine breaks down, and you are left without raw materials. Companies must assess their full value chain in order to detect possible risks. Bear in mind that your customers may also have problems. For example, a fire at your most important partner can prove to be a major spanner in the works. You can include an additional clause in your business interruption loss policy so as to receive compensation if your supplier is affected by fire.
Like people, companies are fallible and thus occasionally make errors. These errors can cause damage to third parties. The resultant claims can range from several thousand to possibly millions of euros. For example, an engineer could have made a calculation error in the design of a new production line. Apart from material damage to the assembly line itself, there may also be financial losses due to production stoppages.
Caution with contracts
Nearly every contract that companies enter into has a clause on liability. This describes each party's responsibilities. Companies pay scant attention to this, even though the contractual consequences may be significant. An excellent example is a lease for a crane. The lessee is usually responsible for any damage to the crane, which can be very costly. Study the liability clauses thoroughly as they can have a serious effect on your company's financial health.
By political risk, we mean all events that may prevent your foreign customers from being able to pay or your foreign partners from being able to produce. These may be purely political events such as a war or revolution, but may also be natural disasters, economic difficulties, or government decisions that complicate trade. For instance, import permits may suddenly be withdrawn. Belgian companies have a strong international orientation and are thus well-advised to have insurance against political risk.
“The polluter pays” is a well-known principle. Restoring the environment to its original state is a costly business. A few dozen litres of oil can cause hundreds of thousands of euros of damage.
How to reduce your financial risks with hedging techniques
Central banks worldwide are stimulating the economy with cheap money. This leads to a false sense of security in the financial markets.
After all, any news - positive or negative - can trigger severe market fluctuations. Companies run substantial interest rate and exchange rate risks as a result, even though they are not always aware of this. Fortunately, there are financial techniques to hedge these risks.
A recent study by BNP Paribas Fortis and ATEB, the association of corporate treasurers in Belgium, speaks volumes. Barely 51% of the 402 companies interviewed have the same risk tolerance today as in 2008. This is a surprising finding because risk managers are dealing with a complex and therefore more unpredictable economic context in 2015.
“Today, financial risks, especially systemic risks, are more difficult to manage than five years ago,” says Eric Charléty, head of the Business Development department of the dealing room. “What if the interest rates suddenly start to rise? Many companies have taken out loans with a variable interest rate, because they assume that interest rates will remain low. But that choice exposes them to a substantial risk. As soon as rates rise, you have a problem.”
Exchange rate risk is often underestimated
Besides the interest rate risk, most companies are also exposed to a significant exchange rate risk, because they import and export goods or have partnerships with companies outside the Eurozone. According to Eric Charléty, Belgian entrepreneurs often take a very narrow view of financial risks:
“Sometimes they do not look further than what is on paper, for example that their invoice must be paid within 30 days. But if the payment is in Pound Sterling, the profitability of the transaction will largely depend on the conversion into euros. In this case, it is certainly a good idea to hedge yourself against the exchange rate risk in advance.
Even so, very few companies manage to successfully link their risk management to their strategy. They assume all too often that they only run risks if they do business outside the Eurozone. This is incorrect; a broader perspective that takes due account of the competition is needed. Even a company that only does business in the Eurozone has to deal with competition from outside it. Due to fluctuations in foreign exchange markets, a British or Japanese competitor may suddenly be cheaper.
That makes risk management a key factor of the business strategy, on par with target markets, products, and value chains. Good knowledge of the competition, their exposure to risks, and how they manage them is just as essential to the success of the company.”
Hedging = avoiding risks
The good news is that companies can hedge or cover the interest or exchange rate risk of a particular transaction by entering into a separate contract with a third party. In practice, this third party is usually a bank and the contract itself is called a ‘derivative’. Certain risks are placed with the bank through such a contract. Eric Charléty sees two major advantages in this:
“Banks are better informed about exchange rates and interest rate developments than companies. It is their core business. Banks are moreover able to spread the risk better. An individual company cannot beat the law of large numbers.”
Companies have different options for hedging their risks. They can agree in advance on a fixed exchange rate with the bank. By way of example: Company A sells goods for USD 100,000 to company B. A receives payment a month later. The US dollar can fluctuate greatly in the meantime. A can play things safely and agree on a fixed dollar rate with its bank today. A then knows exactly how many euros it will receive. The risk of a fall in the exchange rate then lies fully with the bank. The bank charges a premium for this. Although this sounds attractive, Eric Charléty warns against a possible competitive disadvantage:
“If you fix exchange or interest rates, you are less flexible. You can no longer profit from positive market developments. If your competitors follow the same strategy, there is no problem. However, if they do not fix their exchange rate, they can enjoy and benefit from exchange rate fluctuations.”
Instead of fixing the exchange rate (and thus limiting its flexibility), A may choose to ‘cap’ the rate. A can then profit from any depreciation of the dollar, while any increase is capped. Just as in the case of insurance, you have to pay a premium for such protection. However, this is not necessary. A can also avoid paying a premium by choosing a third option. In that case, you allow the rate to fluctuate between a predetermined lower and upper threshold.
“Every situation is different and so the most appropriate solution is not always the most obvious. You can combine different building blocks with each other. Choosing a derivative is customised by definition,” concludes Eric Charléty.
Do’s and don’ts of hedging
- Evaluate your exchange and interest rate risks and place your risk management in a strategic framework.
- Try to understand market trends and bring your risk management into line with them.
- Speculating is out of the question: do not offset your operational losses against exchange rate gains.
- Make provision for cover, however limited, to stabilise your results and make you less dependent on markets.
- Do not let the complexity of derivatives put you off: the legislator obliges financial institutions to practice transparency.
How to secure your business?
Insurance should be a company's last line of defence. However, many risk managers follow the opposite reasoning. They sign a policy and think that is the end of the story. Bart Cuypers of Aon advises caution and advocates a structured approach.
Many companies act like families in relation to insurance. They insure themselves against standard risks, such as fire, occupational accidents, and liability. There is nothing wrong with this per se. After all, the material damage after an incident is compensated. But as Bart Cuypers of Aon points out, the risk does not stop there:
“If your family home goes up in flames, you live in a hotel temporarily or move in with friends. But what happens if your factory is reduced to ashes? Or if your most important machines break down? Where and how are you going to carry on production? Companies think everything is under control once they sign an insurance policy. But they overlook what is known as consequential damage.”
Expect the unexpected
According to Bart Cuypers, companies all too often cover themselves against low-impact risks, leaving themselves uninsured against larger risks:
“Companies in the food sector, for example, forget that a production error can have serious consequences. They must organise an expensive recall action, there is marketing and reputational damage. Briefly put, an error can cost you a lot of money. Yet the directors' cars all have full comprehensive insurance, even though an accident will only set you back about EUR 40,000. Companies often fixate on minor damage, while you should be considering what can really go wrong if the impossible happens.”
Do not opt for an easy solution
Bart Cuypers also warns against standard insurance policies. While these are excellent for families, they are inadequate for companies because they exclude the real risks of doing business. According to Cuypers, companies frequently opt for an easy solution. They hand over their risk management to an external partner that is then given carte blanche. Not a good idea, it turns out:
“Many SMEs operate in a specific niche or certain countries. That implies certain risks are not obvious. It is not easy for an outsider to identify those risks. The company must take the lead itself and establish its own weaknesses. It can only do that exercise itself.”
Last life buoy
Is a company's only option then to take out a large and expensive insurance package? Bart Cuypers does not think so. On the contrary:
“Insurance is actually a company's last resort. Companies are well-advised to rather work on prevention. By creating procedures, putting alternative plans on paper. You can spend a fortune insuring yourself against cyber fraud, but you can also take preventive measures. Or you can already plan today where you are going to produce if your factory burns down. As an entrepreneur, you need to be forward-thinking, including with regard to any setbacks. But most companies hardly free up any time for this, which is logical because it is unlikely to occur and you still have your routine tasks to complete.”
Risk management is customised by definition. It is practically impossible to use a step-by-step plan that can be applied to every company. Nevertheless, Bart Cuypers gives some good general advice:
“Companies can start by identifying their risks as best as possible. That is a long-term exercise involving many parties. People on the shop floor, for example, can provide valuable information. Then check how likely it is that the risks will actually occur, and estimate the financial impact of each risk. The company can then decide whether and which action is necessary. Focusing on prevention, or taking out more insurance. It may also opt to do nothing. That is a legitimate choice, certainly if it has sufficient reserves and the impact is low.”
These insurance tips will earn you money
- Dare to take a large excess. Many companies opt for an excess of just a few thousand euros for a potential claim of EUR 2 million. This is offset, however, by a very expensive premium.
- Sufficient size? Diversify your own risk. A transport company with 200 lorries does not need full comprehensive insurance on all of them. Smaller players cannot take that risk.
- Pay attention to market trends. Many companies are looking for solutions. Increased interest translates into lower premiums, as insurers are better able to spread their risk. Not long ago, garden company greenhouses were practically uninsurable, while prices are now decreasing.
- Keep an eye on your damage statistics. Otherwise you run the risk of insurance companies charging more expensive premiums. Try to learn lessons from claim incidents.
- Constantly pay attention to risk management. It is simply not enough to review your policies every five years.
Focusing on fraud prevention pays off
Fraudsters are becoming ever more inventive in their attempts to con private individuals and entrepreneurs. A healthy dose of vigilance can prevent a lot of distress.
Six most common fraud techniques
- Fake transfers
Fraudsters send fake transfers to the bank in the name of an organisation. Signatures on payment orders are perfectly forged and can scarcely be distinguished from the original.
- Forged invoices
Fraudsters intercept outgoing invoices from a company. They change the account number of the beneficiary and send the 'adapted' invoice to the customer or bank, which then pays into the fraudulent number.
- Social engineering
This fraud technique is based on manipulation and breach of confidence. Fraudsters firstly gather personal information about their victim on social media or Google. They then contact the victim, posing as a help desk worker, for example, and try to get the victim to reveal sensitive information such as passwords or account numbers.
- Phishing
A specific form of social engineering used by criminals to "fish" for personal data, mainly by e-mail, that enables them to steal money from a bank account at a later stage. The fraudsters often play on the feeling of fear of their victims: they warn them, for example, that there is a threat of their account being closed.
- Hacking
Hackers install a virus on your computer. That program observes what you do and collects all types of data. During an online banking session, the hacker can display a pop-up in which you are asked to insert your PIN code, for example.
- Sleeping fraudsters
A new fraud technique by which a fraudster arranges to be hired by a company in order to learn its payment and monitoring procedures. After a few months, the fraudster makes large payments to his own account and then disappears from the scene.
How to teach fraudsters a lesson
Fraud prevention does not have to be expensive or high-tech. Being alert and responding decisively is key.
- Raise your employees' awareness: The best form of fraud prevention is to raise awareness among potential victims. Make your employees aware of the real risk of fraud. Convince them of the need to regard business data as company property. Also encourage your employees to be critical towards everything that differs from the normal state of affairs.
- Be vigilant for suspicious behaviour: Look out for sudden changes among your customers or suppliers. Focus particularly on deviations from payment details, for example a supplier asking you to pay into a foreign account. Contact your customer or supplier, preferably people whom you have known for years and trust.
- Do not allow any phishing of your data: Banks never ask you for personal details by e-mail or telephone. You can assume such questions come from fraudsters. Other indications are poor language, an incorrect form of address, or the fact that the e-mail ended up in your spam folder. Mark these as unwanted messages in your e-mail program. Report the misuse to your internet provider, so the sender can be blocked.
Protect your IT systems
- Install an anti-virus program and firewall on your computer(s) and update these systematically.
- Never respond to any questions by telephone. Again: your bank will never ask you by telephone for a code or any confidential information.
- Going to do online banking? Only open the program concerned. Close all other sites.
- Never click on links that refer to the website of a bank, especially if they have been sent by e-mail.
How do fraudsters operate? A summary of the most common techniques
Organised and professional fraud has not only become more common; the approach of fraudsters is also increasingly subtle, bold and sophisticated, particularly if they are targeting organisations' financial transactions.
They mostly use (a combination of) the following techniques:
Fake or forged transfers
This technique means that the fraudsters send fake "manual" transfers, i.e. paper transfer forms, letters or faxes, to their target's bank. The signatures on these payment orders tend to be perfectly recreated and can barely be distinguished from the original.
With forged invoices, real invoices are intercepted and forged before they reach the debtor or the bank. This takes place at the postal service or at the organisation itself in cases of internal fraud.
The fraudsters then change the beneficiary's account number. For invoices this is often done with a sticker asking you to make your payment to a new account number from now on – hence the name "sticker fraud" – but nowadays devices or software are also used to create near perfect forgeries.
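Forged invoices and "sticker fraud" both work by changing the beneficiary's account number, and the advice above is to watch for deviations from payment details, such as a supplier suddenly asking for payment into a foreign account. The following is an added example, not part of the original article, of a pre-payment check that compares the account on an incoming invoice with the one already on file. The vendor IDs, company names and master-file layout are assumptions, and the IBANs are public sample values.

```python
import re

# Constructed vendor master file: the accounts already verified with each
# supplier. Vendor IDs and names are hypothetical; IBANs are sample values.
VENDOR_MASTER = {
    "V-001": {"name": "Example Steel NV", "iban": "BE68539007547034"},
    "V-002": {"name": "Example Logistik GmbH", "iban": "DE89370400440532013000"},
}

def normalise(iban):
    """Strip whitespace and upper-case so formatting differences are ignored."""
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: catches typos and crudely altered numbers."""
    iban = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]           # country code and check digits go last
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def check_invoice(vendor_id, invoice_iban, master=VENDOR_MASTER):
    """Return a list of findings; an empty list means the account matches the file."""
    findings = []
    iban = normalise(invoice_iban)
    if not iban_checksum_ok(iban):
        findings.append("invalid_iban")
    vendor = master.get(vendor_id)
    if vendor is None:
        findings.append("unknown_vendor")
        return findings
    known = normalise(vendor["iban"])
    if iban != known:
        findings.append("account_changed")     # the "sticker fraud" signal
        if iban[:2] != known[:2]:
            findings.append("foreign_account") # country differs from the one on file
    return findings

if __name__ == "__main__":
    # Constructed invoices: (vendor id, account number printed on the invoice)
    invoices = [
        ("V-001", "BE68 5390 0754 7034"),          # matches the master file
        ("V-001", "GB82 WEST 1234 5698 7654 32"),  # changed to a foreign account
        ("V-002", "DE89 3704 0044 0532 0130 01"),  # altered digit, bad checksum
    ]
    for vendor_id, iban in invoices:
        findings = check_invoice(vendor_id, iban)
        action = "pay" if not findings else "HOLD and call the supplier back"
        print(vendor_id, iban, findings, "->", action)
```

A held invoice is released only after the supplier confirms the change through a contact the company already knows, never through the phone number or e-mail address printed on the invoice itself.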
Social engineering and phishing
This form of fraud is based on manipulation: the fraudsters try to mislead their victims by urging them to perform certain transactions, usually involving the transfer of money. To make their orders seem real, they first collect names, direct telephone numbers, account balances, order or customer lists, etc.
This data is usually gathered from public websites or social media or even by retrieving non-shredded documents from bins. However, sometimes the fraudsters also contact the victim directly. They do this in an exceptionally convincing way, for example by pretending to be a member of the management or a colleague from a foreign branch. This type of fraud often results in heavy losses that are sometimes accompanied by extra damage in terms of solvency and the capacity to pay back loans.
Phishing is a specific sub-form of social engineering used by criminals to "fish" for personal data, mainly by e-mail, that enables them to steal money from a bank account at a later stage. This is often done by inspiring a "feeling of fear": they claim that your PIN code has expired or that your account will be closed if you do not respond immediately. In order to increase the fraud's chances of success, the criminals often call the victims in order to "guide" them (also called "vishing").
Whereas phishing is mainly known through mass mailings – a large group of people will receive the same, often rather amateurish personalised e-mail – we have now also noticed a shift in direction towards "spear phishing". Spear phishing means that the fraudsters focus on a very limited number of victims, after they have gathered as much personal information as possible in order to make their message as plausible as possible. These victims are obviously a "lucrative" target for the fraudsters: with affluent private individuals or companies, the loot is often much greater.
Whereas social engineering is mainly based on human shortcomings, hacking focuses on technical or material shortcomings. It all starts with a virus that hackers smuggle into your computer. This program collects your data and observes what you are doing. When you open an online banking session shortly afterwards, the hacker is informed. They can then make a pop-up appear on your screen urging you to confirm a payment order or enter your secret code, for example.
Nowadays hackers also increasingly commit multi-channel fraud, during which they call you during your online banking session to request confidential information.
A number of recent fraud cases show that a new and particularly alarming fraud technique is on the rise. An accomplice of the fraudsters seeks employment with the targeted organisation and becomes familiar with the payment and monitoring procedures. After a few months, this "sleeping fraudster" will carry out one or several large transfers to the fraudsters' account and disappear into thin air.