10 Risks Small and Medium Businesses Ignore (Until It Hurts)

A look at the silent risks that quietly derail strategy, drain resources and leave SMEs exposed.

Mark Scales

Stylised illustration of a desk with laptop and checklist

Small and medium businesses rarely fail because of one big dramatic event. Most of the time, it’s the slow burn of overlooked, under-managed, “we’ll get to that later” risks that compound quietly in the background.

This article breaks down 10 risks Small and Medium Enterprises (SMEs) and Not-for-Profits (NFPs) consistently ignore, why they matter, and what practical steps small organisations can take to stay ahead of them.

The 10 Risks SMEs Ignore

1. Key-Person Dependency (The Single Resignation Risk)

When I started as an auditor we used the old ‘what if you were hit by a bus’ analogy to assess this risk. Over time I moved to ‘what if you won the lottery and decided to take 12 months to travel the world’?

Every small organisation has at least one “lynchpin” employee. Someone who carries the process knowledge, the client history, the passwords, the shortcuts, the context. Is it your IT Manager, Operations Manager, Social Media Co-ordinator, or someone else?

Why SMEs ignore it:

Because everything seems fine… until it’s not.

Warning signs:

  • Only one person knows how to do a core function
  • Meetings stop when they’re away
  • They say things like “it’s faster if I just do it myself” and are resistant to help

Practical fix: Write down your business critical processes. Cross-train at least one person. Start small, a 30-minute screen-record of a core task is better than nothing. Consider new AI tools for documenting standard operating procedures (e.g. Scribe).

2. Cashflow Shock Risk (The Silent Strategy Killer)

Cashflow is usually the first thing to collapse in a downturn and the last thing to recover.

What catches SMEs out isn’t poor budgeting. It’s surprise fluctuations: a delayed payment from a major customer, a supplier price jump, a funding pause without the resources to manage through.

Why SMEs ignore it:

Most businesses have a day-to-day focus on operations that masks strategic financial exposure, especially in good times when the cash is rolling in! On top of that, setting up meaningful cashflow tracking can take a lot of effort.

Practical fix:

Model your three worst cashflow scenarios:

  1. 20% revenue drop
  2. Major customer doesn’t pay
  3. Costs increase suddenly

If any scenario breaks the business within 60 days, you have a risk to treat.
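The three-scenario test above, worked through as an added illustration (this is not code from the article): a 60-day cash projection under each scenario, reporting the first day cash goes negative. The business figures, the 15% size of the cost shock and the share of revenue from the major customer are constructed assumptions.

```python
"""Cashflow stress test (added illustration, not from the article).

Projects a simple daily cash position over 60 days under the three
scenarios the article names and reports which ones push cash below zero.
All figures are constructed sample numbers for a small business.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass
class Business:
    opening_cash: float          # cash on hand at day 0
    daily_revenue: float         # average receipts per day
    daily_costs: float           # average outgoings per day
    major_customer_share: float  # fraction of revenue from the biggest customer
    days: int = 60               # the article's 60-day horizon


def simulate(b: Business) -> list[float]:
    """Return the cash balance at the end of each day of the horizon."""
    balances = []
    cash = b.opening_cash
    for _ in range(b.days):
        cash += b.daily_revenue - b.daily_costs
        balances.append(round(cash, 2))
    return balances


def first_breach_day(balances: list[float]) -> int | None:
    """1-based day on which cash first drops below zero, or None if it never does."""
    for day, balance in enumerate(balances, start=1):
        if balance < 0:
            return day
    return None


def scenarios(base: Business) -> dict[str, Business]:
    """The article's three worst cases, expressed as adjusted copies of the base case."""
    return {
        "20% revenue drop": replace(base, daily_revenue=base.daily_revenue * 0.8),
        "major customer doesn't pay": replace(
            base, daily_revenue=base.daily_revenue * (1 - base.major_customer_share)
        ),
        # The article does not size the cost shock; 15% is an assumed figure.
        "costs increase 15%": replace(base, daily_costs=base.daily_costs * 1.15),
    }


def stress_test(base: Business) -> dict[str, int | None]:
    """Map each scenario to its first breach day (None means the business survives 60 days)."""
    return {name: first_breach_day(simulate(b)) for name, b in scenarios(base).items()}


# Constructed sample: a business that is only just cash-positive day to day.
SAMPLE = Business(
    opening_cash=15_000, daily_revenue=2_000, daily_costs=1_900, major_customer_share=0.35
)

if __name__ == "__main__":
    for name, day in stress_test(SAMPLE).items():
        outcome = "survives 60 days" if day is None else f"cash negative on day {day}"
        print(f"{name}: {outcome}")
```

For the sample business, losing the major customer breaks it within a month and the 20% revenue drop breaks it inside the 60-day window, so both are risks to treat; the cost increase alone is survivable. Swap in your own averages from the last few months of bank statements to get a first-cut answer.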

3. Compliance Drift

Compliance failure usually isn’t one big breach; it’s dozens of small misses that compound quietly: expired policies, outdated training, missed obligations, or forgotten manual processes.

Why SMEs ignore it:

Often there isn’t a clear owner of compliance. It becomes a side-of-your-desk task or forgotten completely.

Practical fix:

List your top 10 compliance obligations. Assign each one to a specific owner. Review at least quarterly.

If you have a complex regulatory environment I have used (with great success) ComplyOnline which is a simple but very effective tool for identifying and managing compliance obligations.

4. Cyber Incidents (Especially the Small Stuff)

Cyber risk isn’t a corporate-only problem anymore. Most attacks target small organisations because they’re easier to breach.

It’s not always ransomware that catches SMEs out, it’s commonly weak passwords, poor access controls, no Multi Factor Authentication (MFA), or ex-staff still having access to systems.

Why SMEs ignore it:

Often there is an attitude of “We’re too small for anyone to target,” or it gets put in the “too hard” basket. The reality is that SMEs make very attractive targets for cybercrime, especially if you hold a lot of data about your customers.

Practical fix:

Turn on MFA. Remove legacy system access. Train staff on phishing patterns. These three actions reduce more risk than any expensive tool.

5. Supplier & Third-Party Dependency

SMEs often rely heavily on one or two key suppliers: a software tool, an IT provider, a manufacturer.

When that supplier fails, you fail.

I remember working in a prior organisation where we had a hardware component produced by one supplier. On a particular order the lead time for the components was 6 months longer than we typically experienced and this caused a massive panic because we had no back-ups and limited stock on hand.

Why SMEs ignore it:

It takes a lot of effort to set up key relationships with suppliers and you’re usually happy with the service or product that you are getting so spending more time planning alternative arrangements doesn’t feel like a great use of time.

Practical fix:

Identify your top 3 to 5 single points of failure. Create an alternative or back up plan, even if it’s imperfect. That way, if the worst happens, you’re not starting from scratch.

6. Poorly Written Risks (Which Means Poor Decisions)

One of the biggest blind spots in small organisations is the inability to describe risks clearly. If staff can’t write a risk, the organisation can’t manage it.

I see risk registers with entries like:

  • “Cyber attack”
  • “Non-Compliance”
  • “HR issues”

These aren’t risks, they’re broad categories and Boards, executives and managers can’t make good decisions with vague information.

Practical fix:

Use the Event → Cause → Impact structure to create clarity and consistency in how risks are documented. Check out this blog post on writing clear risk statements for a more detailed run down!

7. Culture & Burnout Risk

Small teams are resilient, until they’re not. Burnout often hits SMEs harder because they have fewer buffers: the same people absorb every challenge in the business, whether that is covering shifts, putting out fires or dealing with new systems and processes.

Red flags:

  • Key staff working unsustainable hours
  • Constant firefighting
  • High turnover in similar roles
  • “We just need to survive this month”

Practical fix:

Do a regular (e.g. quarterly) workload review and specifically ask: “What work would stop if we had to reduce capacity by 20%?”

If your key team members answer “That’s impossible!” or “Are you crazy?”, you have surfaced critical pressures that you need to plan for.

8. Board & Leadership Blind Spots

Directors, executives and small business owners often assume they’re seeing “the full picture.” But inconsistent reporting, spreadsheets, ad-hoc assessments and staff capability gaps create blind spots. This can lead to:

  • Governance decisions based on the wrong information
  • Indecision due to incomplete information
  • Focus on operational noise instead of strategic risk
  • Late surprises

Why SMEs ignore it:

Many SMEs grow quickly and don’t make or find the time to establish reliable and comprehensive reporting.

As they grow and the Owners or management become more removed from day to day operations they lose connection with the business and become more reliant on reports or meetings with team members to keep their finger on the pulse.

Practical fix:

Invest in good business tooling with inbuilt reporting out of the box. There are great products for pretty much every industry now! Alternatively, hire an accountant with extensive experience in your industry to help you assess where you are at and recommend improvements (full disclosure, I’m a Chartered Accountant so I may be biased!)

9. Technology & Data Fragility

A surprising number of SMEs have:

  • No backup strategy
  • No documented system architecture
  • Weak version control
  • Single-person admin access
  • Legacy tools duct-taped together

Why SMEs ignore it:

Because everything still works and they don’t understand it. Or because investment in IT hasn’t been a priority!

One organisation I work with has a history of limited ongoing investment in IT over many years and a good natured and skilled software developer who had worked magic during that time to turn coal into diamonds. Good intentions aside, they found themselves faced with unsupported legacy software, years of custom development that no longer had value and a massive project to deliver that impacted significant parts of the business.

Practical fixes:

  • Create a map of your critical systems
  • Identify single points of failure and track systems going out of support
  • Implement basic backup and recovery testing
  • Implement basic access standards (no shared passwords!)
  • Have a road map of what needs to happen over the next 3 - 5 years to predict significant challenges
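The access-hygiene points in sections 4 and 9 (ex-staff still holding access, no MFA, shared passwords, single-person admin access) can be checked from the user export most cloud suites and identity providers let you download. The script below is an added illustration, not code from the article or from any product: it assumes a CSV with the columns user, role, status, mfa_enabled, last_login and employment_end, the `shared-` naming convention for shared logins, and a 90-day dormancy threshold; the export itself is constructed sample data.

```python
"""Access hygiene review (added illustration, not from the article).

Reads a user export (columns assumed: user, role, status, mfa_enabled,
last_login, employment_end) and flags the issues the article calls out:
ex-staff with active accounts, accounts without MFA, dormant accounts,
shared logins, and a single person holding all admin access.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed sample export; a real one comes from your identity provider.
SAMPLE_EXPORT = """user,role,status,mfa_enabled,last_login,employment_end
alice,admin,active,yes,2024-05-28,
bob,staff,active,no,2024-05-20,
carol,staff,active,yes,2024-01-03,2024-02-15
dave,staff,active,yes,2023-11-10,
shared-reception,staff,active,no,2024-05-29,
"""

DORMANT_DAYS = 90               # assumed threshold; pick what suits the business
AS_OF = date(2024, 6, 1)        # review date for the constructed sample


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows: list[dict[str, str]], today: date) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for active accounts, sorted for stable reporting."""
    findings: list[tuple[str, str]] = []
    admins: list[str] = []
    for r in rows:
        user = r["user"]
        if r["status"] != "active":
            continue  # disabled accounts are already handled
        if r["employment_end"]:
            # Leaver with an account that was never disabled
            findings.append((user, "ex-staff account still active"))
        if r["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "MFA not enabled"))
        last_login = date.fromisoformat(r["last_login"])
        if (today - last_login).days > DORMANT_DAYS:
            findings.append((user, f"no login for over {DORMANT_DAYS} days"))
        if r["role"] == "admin":
            admins.append(user)
        if user.startswith("shared-"):  # naming convention for shared logins (assumed)
            findings.append((user, "shared account (no individual accountability)"))
    if len(admins) == 1:
        # One administrator is the key-person dependency from section 1 applied to IT
        findings.append((admins[0], "only administrator (key-person dependency)"))
    return sorted(findings)


def findings_for_sample() -> list[tuple[str, str]]:
    """Run the review over the constructed export as of the sample review date."""
    return review_access(parse_export(SAMPLE_EXPORT), AS_OF)


if __name__ == "__main__":
    for user, finding in findings_for_sample():
        print(f"{user:18} {finding}")
```

Run it against a fresh export each quarter alongside the compliance review from section 3; every finding maps straight to one of the practical fixes above (disable the leaver, enforce MFA, replace the shared login with named accounts, appoint a second administrator).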

10. Strategy Execution Drift

SMEs rarely fail because of bad strategy, they fail because the strategy quietly slips down the priority list.

What this looks like:

  • No line of sight from risk to strategy
  • Projects delayed or stopped
  • No clear owner for key objectives
  • Annual plans created then not monitored or forgotten
  • Fires take attention away from direction

Why SMEs ignore it:

Because urgent always beats important. Without clear linking of activities back to

Practical fix:

Pair each strategic objective with:

  • A primary risk
  • A set of controls
  • A simple monthly status check

This keeps the strategy alive.

A Simple Diagnostic: Which of These Risks Apply to You?

Tick any that sound familiar:

If you ticked three or more, you’re in the zone where SMEs get caught off guard.

What to Do Next

None of these risks require big teams, big budgets or complex enterprise systems.

You need:

  • A clear, plain-English view of your risks
  • A consistent way to write and assess them
  • Visibility of risks outside your appetite
  • Lightweight controls that are practical and actually work
  • A simple way to keep everything up to date

This is exactly why StartRisk exists: to give small and medium organisations the clarity and capability around risk management that used to be available only to enterprise teams.


Try StartRisk!

If you want a simple, modern way to identify, assess, and control these risks without spreadsheets or complexity, you can try StartRisk free at any time. It’s built to help small organisations get ahead of these 10 risks in days, not months.