Samantha PRINSLOO Candice WALKER Lise BOTHA Juan-Pierré BRUWER Yolande SMIT

The Influence of Combined Assurance Initiatives on the Efficiency of Risk Management in Retail Small and Very Small Enterprises in Bellville, South Africa

According to the South African Small Business Act No. 102 of 1996, Small, Medium and Micro Enterprises (SMMEs) are regarded as separate small business entities owned by one or more owners, operating in various sectors of the national economy. SMMEs play a significant role in contributing to the South African economy, particularly by means of providing employment opportunities and assisting in the equal distribution of wealth. Despite this, prior research reveals that 80% of SMMEs do not survive beyond their first five years of existence. Plausible reasons for this include the influence of micro-economic factors and macro-economic factors, resulting in direct, inevitable risks being placed on the overall existence of SMMEs. In order to identify and manage these risks, SMMEs need to make use of adequate risk management strategies. More often than not a risk management strategy should eliminate and/or mitigate risks and provide reasonable assurance that business objectives will be achieved in the foreseeable future. To assist in the attainment of the latter, combined assurance initiatives should be used since they are believed to enhance both the understanding and treatment of risks, providing management with optimum assurance that its relevant objectives will be met in the foreseeable future. Stemming from the above, the perception was formulated that SMMEs do not have adequate risk management strategies in place due to the lack of combined assurance initiatives. This research study consisted of survey research whereby 30 questionnaires were collected from SMME management (i.e. owners and/or managers), all of whom had to adhere to a strict set of delineation criteria. It was found that SMMEs make use of semi-formal risk management strategies to mitigate and/or eliminate risks which are somewhat effective, but applicable risks are not optimally managed due to a lack of ample combined assurance initiatives.
JEL Classification G32

The authors of this paper wish to acknowledge the following individuals for their assistance with the collection of data in this research study: Xabisa Hlulani, Robyn September, Jenine Giddion, Oliver Tamo and Mkhanyisi Ncumeza.

1. Introduction

Small Medium Micro Enterprises (SMMEs) are formally defined in terms of the South African Small Business Act No. 102 of 1996 as separate and distinct business entities, including cooperative enterprises and non-governmental organisations, managed by one or more owner which, including its branches or subsidiaries, if any, are predominantly carried on in any sector or subsector of the economy (South Africa, 1996). Furthermore, the South African government views SMMEs as important to achieve three main objectives which are: 1) to alleviate poverty, 2) to create employment opportunities, and 3) to promote economic growth (South Africa, 1996). The importance of SMMEs is especially significant in developing economies. In the case of South Africa, these entities contribute between an estimated 27% and 34% towards the national Gross Domestic Product (GDP) (Department of Trade and Industry, 2008). In a global context the importance of SMMEs is substantiated by Shah and Khedkar (2006) who aver that significant contributions, in respect of employment figures, manufacturing and exports statistics and the national GDP, mainly derive from SMME activities (Roberts, 2006).

Notwithstanding the above, Giliomee (2004) is of the opinion that more than 80% of South African SMMEs do not ‘survive’ beyond their first five years of existence and therefore the objectives imposed on SMMEs, as per their legislative definition, are not being attained with great success. Both macro-economic factors and micro-economic factors, such as uncertain financial prospects, government regulations (law), increases in inflation, increases in interest rates and market instabilities, among others, have been reported to have an adverse influence on the existence-rate of SMMEs (Brink, et al., 2003). The Department of Trade and Industry (2008) mentions that SMME leaders generally do not possess the skills required to manage, maintain and/or develop their respective businesses, which results in the ineffective generation of income. Hence it is not surprising that the failure rate of SMMEs in South Africa stigmatises these entities as very ‘risky’ (Bizbooks, 2008).

Manu (2005) explains that a “risk” can be viewed as a possibility of an incident happening that will impact upon the objectives of an organisation, be it positive or negative. In turn, the management of such risks is a whole process, effected by an entity’s relevant management (and other personnel), in a strategic setting, to help identify potential events that may affect the business and manage them according to the ‘risk appetite’ of the relevant business (COSO, 2004). The latter should provide reasonable assurance regarding the achievement of a business’ objectives. Furthermore, the Institute of Internal Auditors (2009) explains that risks should be managed by means of utilising preventive, detective and corrective measures, which is strongly relevant to the Enterprise Risk Management (ERM) framework. The ERM framework pertains to the identification, evaluation, controlling, monitoring and reporting of risks, ensuring that risks are managed effectively all together, rather than being managed in ‘silos’ (Beasley, et al., 2006).

To aid in the management of risks, Simnett, et al. (2009) explain that different assurance providers exist to provide businesses with ‘information’ about their identified risks (hazards and opportunities), and to recommend the best way(s) in which these risks need to be managed to provide optimum assurance that businesses’ objectives will be attained. Assurance providers are generally demarcated as ‘internal assurance bodies’ and ‘external assurance bodies’. These assurance providers should find evidence of controls that have been put in place to prevent risks from realising and also recommend ways in which to minimise the related adverse impact in the event of an occurrence of threats. Businesses holistically benefit from assurance related ‘services’ because they improve the efficiency of risk management within a business. Assurance that is provided in a collaborative manner between ‘internal assurance providers’ and ‘external assurance providers’ is referred to as ‘combined assurance’ (Grant Thornton, 2012).

The crux of the matter, according to KPMG (2009), is that effective risk management and optimum assurance are attained by implementing the “three lines of defence structure”. The first line of defence consists of assurance provided by management in their review of daily business processes. The second assurance line is provided by oversight functions within the entity to ensure compliance with organisational policies, procedures, laws and regulations. Independent assurance providers that provide assurance over the mentioned business operations and oversight functions form the final line of assurance (KPMG, 2009). These oversight functions are generally monitored by the audit committee of an organisation which, in turn, oversees the integrated reporting, internal financial control and risk management processes (Institute of Directors, 2009). The role of the audit committee is supported by the internal audit function, external audit function, as well as other assurance providers.

Although most SMMEs do not necessarily have the resources to employ formal audit committees (Ngary, et al., 2014), the owners and/or managers should take up the responsibility of fulfilling the tasks of an audit committee – ultimately taking on sole responsibility for ensuring that assurance activities are ‘on track’. King III corroborates the importance of the audit committee function in SMMEs by encouraging private companies, regardless of size, to voluntarily appoint audit committees if resources allow for it (Institute of Directors, 2009). Hence, it is clear that SMME leaders are placed in a disadvantaged position through the lack of resources to identify imminent risks which their businesses face due to the lack of proper internal controls and assurance activities (Noorvee, 2006).

Stemming from the above it is clear that SMMEs are influenced by the existence of risks and, as such, these risks need to be effectively managed. Because combined assurance initiatives are not ‘mandatory’ for SMMEs (and due to various resource limitations) it is highly probable that these entities are not necessarily managing their risks as effectively as they should. Hence, the authors formulated the perception that SMMEs do not have adequate risk management strategies in place due to the lack of combined assurance initiatives.

In order to shed light on the latter research problem, the following questions were asked:

· What type of risks do SMMEs encounter?

· How do SMME leaders identify risks?

· How do SMME leaders manage identified risks?

· What assurance providers do SMMEs make use of?

· What is the value that these assurance providers add to SMMEs?

· To what extent do SMMEs make use of combined assurance?

2. Literature Review

2.1. Overview of South African SMMEs

The National Small Business Act No. 102 of 1996, as replaced by The National Small Business Amendment Act 26 of 2003, and enacted by the South African government, refers to SMMEs as separate and specific business entities, which are managed by one or more owner(s) trading in any sector and/or subsector of the national economy (South Africa, 1996). The above-mentioned Act further classifies SMMEs in terms of their size as “micro”, “very small”, “small” and “medium” (South Africa, 2003). The categorisation of SMME sizes is based on one or more of the following criteria: 1) the number of employees employed on a full-time basis, 2) total turnover per annum, 3) total gross asset value (excluding fixed property). A more detailed description of these criteria is depicted in Table 1 below in terms of retail enterprises:

Table 1. Classification of SMME sizes in the retail industry (Source: South Africa, 1996)

| Criterion | Medium | Small | Very small | Micro |
|---|---|---|---|---|
| Number of full time paid workers | Between 51 and 100 | Between 11 and 50 | Between 6 and 10 | Between 0 and 5 |
| Turnover per annum | Between R 15 000 001 and R 30 000 000 | Between R 3 000 001 and R 15 000 000 | Between R 150 001 and R 3 000 000 | Between R 0.01 and R 150 000 |
| Asset value (excluding fixed property) | Between R 2 500 001 and R 5 000 000 | Between R 500 001 and R 2 500 000 | Between R 100 001 and R 500 000 | Between R 0.01 and R 100 000 |

Prior research reveals that SMMEs are significant to any economy, especially in that of developing countries due to the important role they fulfil in terms of job creation and reducing unemployment (SEDA, 2010; Salie, et al. 2014). The latter is further substantiated by the fact that SMMEs contribute approximately 30% towards the South African GDP and are responsible for providing an estimated 80% of all local employment opportunities (National Credit Regulator, 2011). Abor and Quartey (2010) posit that South African SMMEs contribute between approximately 30% and 57% to the national GDP and are responsible for employing an estimated 91% of the national workforce (National Credit Regulator, 2011). In essence, SMMEs contribute significantly towards the maintaining of millions of households (i.e. of employees and/or business leaders) resulting in poverty alleviation, reducing inequality, maintaining social stability as well as environmental solidity (SEDA, 2010).

In spite of all the significant contributions of SMMEs, Verduyn (2011) avers that the failure rate of SMMEs in South Africa, within their first five years of existence, is estimated at around 80%. To better substantiate the latter, Biyase (2009) found that, in a more recent dispensation, approximately 10,000 South African SMMEs fail on a monthly basis. Stemming from the latter, South African SMMEs are believed to have one of the weakest business-existence rates in the world (Fatoki, 2014).

2.2. Economic Factors Which South African SMMEs Face

The latter dispensation has generally been pinned on numerous economic ‘challenges’ such as limited funding, poor management skills and inadequate training and education, to mention but a few (Mogashoa, 2013). Underlying adverse influences like macro-economic factors (e.g. increases in inflation, fluctuating interest rates, excessive ‘red tape’, fluctuations in the supply and demand of goods and/or services, high levels of competition, lack of funding opportunities, electrical power failures, etc.) as well as micro-economic factors (e.g. the lack of business skills, the lack of effective internal controls, low staff morale, the lack of mentoring, etc.) affect the actual existence of South African SMMEs in an adverse manner (Bruwer, et al., 2013; Siwangaza, et al., 2014). As a result, prior research suggests that these economic factors ‘cultivate’ a multitude of risks which South African SMMEs have to face.

2.3. Risks Influencing South African SMMEs

The Institute of Internal Auditors (2009) defines a risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives, be it positive or negative. According to Jung (2010) the most common risks which SMMEs are likely to face include: 1) decreases in actual successful sale transactions, 2) decreases in cash on hand, 3) severe declines in demand for goods and/or services, 4) diminishing relationships with debtors due to late payments, 5) diminishing relationships with creditors due to late payments, 6) decreases in available working capital, 7) increases in costs of material, labour and/or overheads, 8) increases in the probability of non-compliance with rules, regulations and/or formal policies, and 9) decreases in the integrity of information to make sound business decisions due to a lack of knowledge pertaining to the target market(s). Moreover, Bruwer, et al. (2013) aver that risks can be strategic in nature (having a direct influence on the vision and mission of a business), operational in nature (having a direct influence on business operations), reporting related (having a direct influence on the manner in which financial information is reported) and/or compliance related (having a direct influence on the manner in which policies, rules and regulations are adhered to). Fundamentally, it is of paramount importance that these risks are managed to such an extent that they do not realise (preventative controls) and/or that they are adequately identified when realising (detective controls) and/or adequately dealt with (corrective controls) (Smit, 2012). To manage risks effectively the concepts of “probability” (the likelihood of risks occurring) and “materiality” (impact of risks when they occur) need to be taken into account (Coetzee, et al., 2013). Risks can be demarcated into three categories, namely inherent risks, control risks and detection risks (Institute of Internal Auditors, 2009):

· Inherent risks: These risks form an integral part of the organisation’s operations and may occur regardless of the internal controls that are present. Inherent risks are present due to the nature of the business and/or industry the organisation operates in.

· Control risks: These risks could materialise amidst the existence of internal controls but are not prevented or detected by these controls before such risks actually materialise. In essence such risks serve as an indication that the internal controls of an entity are not operating as effectively as they should.

· Detection risks: These risks include risks of material misstatements not being detected by an assurance provider. Due to inadequate controls, the chances of such risks realising become greater.

2.4. Risk Management

The evolution of risk management was mooted by the recognition of management as a profession (Kloman, 1984, cited by Valsamakis, et al., 1996, p.13).  Management is generally tasked with the responsibility of protecting and securing the income-generating assets of an organisation (Valsamakis et al., 1996, pp.13-14).  This entails the development of a structured function in terms of which an organisational risk strategy is set, and risk managers partake through a formal mechanism to deal with change.

Risk management, as it relates to a service business, is defined by Hollman and Forrest (1991, pp. 49-50) as: “The protection of a firm’s assets and profits.  It is a systematic method of using a firm’s resources – physical, financial, and human capital – to realise certain objectives concerning pure loss exposures. Pure loss is one where there is a chance of loss, but no chance of gain”. From the above the analogy can be drawn that risk management is a structured approach that utilises various techniques to manage an organisation’s exposure (Smit, 2012).

The increase in global competition and the volatility of international markets have elevated risk management to the forefront of business thinking.  An integrated risk management approach or Enterprise Risk Management (ERM) approach is suggested by Valsamakis, et al. (2000, pp.21), as it is “comprehensive”, “inclusive” and “proactive”. The evolution from ‘risk management’ to ‘ERM’ is intended to transform silo-based risk management practices to a cross-functional risk management activity, where risk identification, evaluation and management impact on the achievement of an organisation’s objectives. Integrated risk management lends itself to a coordinated approach in managing strategic and operational-tactical processes. As a result, the management of risk is not focused purely on the management of negative events, but also on the realisation of opportunities (Henriksen and Uhlenfeldt, 2006, pp.122-126).

Strategy-focused integrated risk management frameworks such as DeLoach’s enterprise-wide risk management framework (DeLoach, 2000, pp.213), COSO’s enterprise risk management framework (COSO, 2004), FERMA’s risk management standard (FERMA, 2003) and the Australian/New Zealand risk management framework (AS/NZS 4360, 2004), incorporate a holistic perspective on the management of the total risk portfolio of an organisation (Henriksen and Uhlenfeldt, 2006, pp.111-112). The importance of risk management is highlighted by Smit and Watkins (2012) who posit that regardless of the risk management strategies or framework that are used; these strategies need to provide, to a certain extent, assurance that all risks are effectively managed and that objectives will be attained. It is therefore not surprising that ‘risk management’ and ‘assurance’ are viewed as complementary practices of one another. In essence a collaborative effort of ‘risk management’ and ‘assurance’ will aid in 1) the identification of all material risks, 2) ensuring the evaluation and analysis of risks is done correctly, 3) ensuring the effectiveness and adequacy of main controls are present, and 4) management’s addressing of intolerable risks in a proper manner (Institute of Internal Auditors, 2012a).

2.4.1. Enterprise Risk Management Defined

The Committee of Sponsoring Organisations of the Treadway Commission (COSO, 2004), defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. A simplified definition of ERM is provided by Miccolis, et al. (s.a., p.xxii) when defining ERM as “a rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks”.

According to Abrams, et al. (2007, p.221), an evaluation of the numerous ERM definitions shows that they share three critical characteristics, namely that ERM should be:

· Integrated: ERM must span across all functions of an organisation.

· Comprehensive/inclusive: ERM must include all types of risk.

· Strategic: ERM must be aligned with the overall organisational strategy(/ies) and organisational objectives.

As companies begin to manage risk, they realise that they cannot manage it in an isolated manner by activity, process or department alone, but rather in an inclusive, integrated way throughout the organisation.  Such an integrated risk management practice entails the defining of risk (both positive and negative), the establishment of risk tolerances, the formulation of policies and procedures dealing with risk, the inclusion of risk in all decision-making processes, taking into account the interconnectedness of risks, and the reporting of risk in a consistent manner, all within the boundaries of a single business strategy of the organisation (Abrams et al., 2007:222).

A broad definition of ERM focuses on the achievement of business objectives through the participation of all stakeholders at every level of the organisation. It should be noted that ERM constitutes multidirectional, repetitive processes, where activities influence one another, with the primary differentiating factor being the focus on strategy.

By embedding an ERM system into an organisation’s strategic and operational processes, risk can be managed from a holistic and systematic perspective. Such an ERM approach would enable organisations to focus on positive risk occurrences that foster sustainable growth through improved decision-making, and proactive risk management.  An integrated risk management practice would enhance the organisation’s flexibility, providing a competitive advantage over competitors who do not utilise such a framework (Schrøder, 2006, pp.65-66). Hence the incorporation of ERM practices within an organisation should provide management with a ‘common language’ to define and manage risk. Furthermore, an effective risk assessment process and framework would support the organisation’s strategies and risk acceptance by creating an optimum balance between risk, control and growth, eliminating unacceptable risks and strategic errors (DeLoach, 2000, p.208).

For large and small organisations alike, ERM entails the development of organisational objectives, the identification of risks which may impact on the defined objectives, and the development of a process to manage the risk in an organisation.  Small organisations have an advantage as far as ERM is concerned in that it is easier for management to be actively involved in ERM processes, than it would be in larger organisations. The development and implementation of an ERM system in a small organisation’s processes would therefore be easier, especially if the following value-adding capabilities (Watt, 2007:33-40) of small organisations’ ERM practices are promoted:

· The organisation’s focus is directed at its mission and vision without straying.

· The organisation complies with best practices.

· A reduction in insurance premiums can be achieved.

· The over-management of risks is avoided, i.e. risk should be managed in a cost-effective manner.

2.4.2. Risk Management for Small Business

Risk and risk management are a major concern for all companies, especially small and medium-sized enterprises, which are particularly sensitive to business risk and competition (Blanc et al., 2006, p.273). A substantial number of larger organisations have developed a risk management culture consisting of complex procedures and executed by teams of experts. In smaller organisations such as SMMEs, such integrated risk management processes do not exist (Ntlhane, 1995, pp.106-107; Dupré, 2009, p.17). In SMMEs the risk management function usually resides with the owner’s assessment of threats and opportunities pertaining to the enterprise (Watt, 2007, pp.33-34). Although risk management principles are common to all types of enterprises, management’s risk perception and their attitude towards risk management influence the adequacy of the enterprise’s risk management actions deployed (Ntlhane, 1995, p.106-107).

Implied in SMME risk management is the core principle that entrepreneurial or management focus should be aimed at recognising future uncertainty, deliberating risks, identifying possible manifestations and effects, and formulating plans to address such risks and reduce or eliminate their impact on the enterprise (Ntlhane, 1995, p.27). One of the skills required of entrepreneurs is the ability to identify and analyse risks to ensure that advantage is taken of calculated risks (Watson, 2004, pp.84-85). This managerial focus is of vital importance for SMMEs, where risk identification and control depend on the risk personality of the entrepreneur (Ntlhane, 1995, p.27). Management, when considering implementing an ERM programme or evaluating existing risk procedures, should take cognisance of the following (Bradford, 2009, p.15):

· Are the largest risks facing the enterprise identified?

· Are risk measures in place to address these risks?

· If losses do occur despite preventative measures implemented, is the enterprise prepared to handle them?

· Is a structured approach available to create opportunities out of risks?

The fact that a risk is beyond the control of management does not absolve them from the need to anticipate the risk and reduce the impact of the risk occurrence to achieve organisational goals. Management should furthermore take cognisance of managerial risks that arise as a result of management’s own actions when planning and executing business strategies. These risks may arise as a direct or indirect result of managerial actions (Berkeley, et al., 1991, p.5).

South African SMME management should be educated in risk management principles, risk handling techniques available and risk control programmes that can be used, but care should be taken in the application of risk management principles, as although risk principles are common to all types of enterprises, the application thereof differs substantially between small and larger enterprises. However, many SMMEs practise intuitive risk management when they assess the risk involved in decisions (Ntlhane, 1995, pp.106-113; Dupré, 2009, p.17).

2.4.3. SME Risk Architecture Model

The SMME risk architecture model, as depicted in Figure 1 below, was created to support SMMEs to effectively manage their risks. As a result, this model is divided into three parts which consist of 1) SMME risk consciousness, 2) SMME risk management process and 3) SMME risk management framework. The aim is to provide a structured way of dealing with risks facing micro- and small enterprises and from which various benefits can be derived for the business. These organisational benefits include but are not limited to the following: more focus on risks and transparency, emphasis on a controlled risk environment, and enhancement of the achievement of organisational goals.

Figure 1. The SME Risk Architecture model

Source: Smit, 2012

The first element of the SMME risk architecture model is defined as the SMME Risk Consciousness (SRC). As opposed to the other generic risk architecture elements the SRC provides a focused approach on risk sources or risk areas most commonly identified in a research study on SMMEs (Smit, 2012) as actual or perceived obstacles to organisational success and survival as measured by the achievement of organisational objectives. SMME management’s attention is hereby directed to the most critical risks faced by the organisation taking cognisance of risk prioritisation, as well as the key business processes and uncertainties embedded in the execution of the business plan.

The second element of the SMME risk architecture model is the Risk Management Process (RMP) (Smit, 2012). The RMP constitutes the steps SMME management should follow in addressing risk elements that impede/can impede on organisational objectives. The RMP consists of numerous organisational risk-driven activities which are grouped into four processes of risk context and strategy, risk decision, risk communication, and monitoring, review and continuous improvement.

The SMME risk management framework (Smit, 2012), also the third element of the SMME risk architecture model, provides SMME management with an approach to effectively deal with risks at all organisational levels, thereby facilitating the achievement of organisational objectives through:

· Effective risk planning encompassing the evaluation of the organisational environment, the formulation of organisational objectives and strategy, the formulation of departmental objectives and policies, defining risk context and strategy, and the identification of risk elements.

· Implementation that entails the execution of the risk management process consisting of the identification of risks that might impede on the achievement of objectives, the evaluation and risk classification of risks in terms of frequency and impact, the development and implementation of appropriate risk responses, communication entailing the development of an internal and external communication and consultation plan along with the development and implementation of a risk information system, and the monitoring and review of risk management actions to facilitate continuous improvement.

· Actioning of results that may also be termed the ‘risk action consequence’, consisting of identification of key performance indicators indicating the achievement of departmental and organisational objectives as defined in the planning phase.

· Assessing the effectiveness of the planning and risk management actions in meeting the stated objectives. In measuring the adequacy of the actions taken, management can use any formally defined performance measurement model or framework such as the balanced scorecard; or any informal, in-house designed performance measurement system.

2.5. Assurance and Assurance Providers

It is clear that risk management should provide assurance that business objectives will be attained in the foreseeable future. In order to attain such assurance, various businesses make use of different assurance providers to help mitigate and/or eliminate risks (Institute of Internal Auditors, 2012b). Assurance services are defined as an engagement in which an independent party expresses a conclusion designed to enhance the degree of confidence of the intended user after evaluating a subject matter against a set of criteria (International Auditing and Assurance Standards Board, 2014). The Institute of Internal Auditors (2009) lists a few examples of assurance providers, namely: 1) line management and employees, 2) senior management, 3) internal and external auditors, 4) quality assurance teams, 5) risk management teams, 6) environmental auditors, 7) workplace health and safety auditors, 8) government performance auditors, 9) financial reporting review teams, and 10) sub-committees of the board, among others.

According to Vallabhaneni (2005), in a broad business dispensation, the Chief Executive Officer (CEO) is ultimately responsible for the actual attainment of business objectives. As such Teketel and Berhanu (2009) aver that the CEO can be equated to the owner and/or manager within an SMME setup. To assist the CEO (owner and/or manager in a SMME-setup) internal assurance providers and external assurance providers should support business activities, by providing inputs on the effectiveness of these activities, in relation to the attainment of business objectives (Deloitte, 2011). In addition, these assurance providers should also ideally assist management to identify all risks within the organisation and recommend ways in which to manage it soundly.

Holistically speaking, assurance providers are grouped into three levels of defence. This is depicted in Figure 2 below:

Figure 2. The three lines of defence structure

Source: Deloitte, 2011

The first line of defence is illustrated as “management assurance” where emphasis is placed on implementing preventative, detective and corrective controls within an organisation. The second line of defence is portrayed as “internal assurance” where focus is placed on managing risks and reviewing the first line of defence with a specific role to confirm compliance while dealing with instances of non-compliance in the organisation. The third line of defence is “external assurance” where importance is placed on the reviewing of the first and the second line of defence in an organisation; ultimately confirming (in an independent manner) compliance and/or recommending improvements within the organisation (Institute of Internal Auditors, 2012b).

It needs to be noted that in the context of SMMEs, SMME leaders are responsible for the first line of defence and the second line of defence – i.e. “management assurance” and “internal assurance” – while only a minority can actually afford to make use of the third line of defence (Siwangaza, 2014; Jiong and Li, 2010). Albeit the latter, KPMG (2009) denotes that the practice of the three lines of defence affords clarity in terms of roles, responsibility and accountability with regard to risk management and assurance – constituting combined assurance.

2.6. Combined Assurance

According to the King III Report combined assurance is deemed as a process to integrate and align assurance practices in a business to help maximise risk and governance oversight and improve control efficiencies, and optimise overall assurance to the audit and risk committee, considering the respective business’ risk appetite (Roos, 2012). Furthermore, combined assurance should assist and enhance the understanding of the overall levels of assurance and how to address and/or mitigate areas of risk (Grant Thornton, 2012).

PwC (2013) suggests that the benefits of implementing a combined assurance model include coordinated and relevant assurance processes focussing on key risks, minimised business operational disruptions, improved reporting and accountability, and a possible reduction of assurance costs. It was further found that a combined assurance model will provide a better understanding within the organisation of “who” the assurance providers are and “what” the subject matter being assured is. This sentiment is further substantiated by Felix, et al. (2001) who found that coordination of external and internal audit assurance activities has a decreasing effect on external audit fees. This inverse correlation between external audit fees and coordination of only two assurance providers could therefore possibly be enhanced by coordination of all assurance providers, i.e. combined assurance.

Notwithstanding the latter, prior research shows that combined assurance initiatives are very rare as assurance providers are performing their activities in ‘silos’ (i.e. independent lines of defence as opposed to interdependent lines of defence); resulting in the risk management and assurance activities of organisations being ineffective (IIA Research Foundation, 2012).

3. Research Design and Methodology

The research design of any research study can be classified in terms of its purpose, process, logic and outcome (Collis and Hussey, 2009). For this research study the following research design was used:

• Purpose: This research study was descriptive in nature as the main intention of this study was to describe a particular phenomenon at hand (see Paragraph 1) through means of empirical observations.

• Process: Quantitative research (positivism) was used to obtain data to solve and/or mitigate an identified research problem. This was done through means of disseminating a questionnaire-tool to a representative sample of a particular population.

• Logic: Deductive reasoning was used throughout this research study as the authors formulated a certain perception (see Paragraph 1) through means of consulting existing literature. Essentially this research study shifts the focus from a general understanding of a phenomenon to a specific understanding of the related phenomenon at hand, as the authors’ perception was tested through means of empirical observations.

• Outcome: This research study was regarded as basic research. The authors used the findings made in this research study to shed more light on an identified research problem (see Paragraph 1) with the main intention of making it more understandable.

This research study constituted survey research whereby data were gleaned from a representative sample size of a particular population, about a general collective perception, through means of a questionnaire-tool (Leedy and Ormrod, 2010). The questionnaire-tool used consisted of 13 main-questions of a quantitative nature. As the size of the population was unknown, non-probability sampling (a mixture of purposive sampling and convenience sampling) was used to select a total of 50 respondents who had to adhere to strict delineation criteria. In addition, the authors wanted to obtain rich data pertaining to a certain focused area. Only 37 respondents responded positively to the questionnaire-tool and after validating all received responses, only 30 responses were found to be valid. In order for respondents’ responses to be regarded as valid, they had to adhere to the following delineation criteria:

• Respondents had to be part of management (owners and/or managers) of SMMEs.

• Respondents must have been actively involved in their businesses’ operations.

• SMMEs must have conformed to the formal definition of a “Small Medium and Micro Enterprise” as defined by the National Small Business Act of 1996.

• SMMEs must have employed between 0 and 50 full-time employees.

• SMMEs must have been in existence for at least three years.

• SMMEs must have been regarded as “very small enterprises” and/or “small enterprises”.

• SMMEs must have been operating in the retail industry.

• SMMEs must have been located in Bellville (Cape Town).

All respondents were assured that all information provided by them would be treated with the highest levels of confidentiality and that their anonymity was guaranteed. It was also explained to participants that if they decided to participate in this research study they could withdraw from the study at any given time, as their participation was completely voluntary in nature.

4. Data Analysis and Discussion of Findings

The findings made from this research study are presented under the following headings: 1) general findings, 2) risks and risk management initiatives of respondents, and 3) assurance providers and combined assurance initiatives of respondents.

4.1. General Findings

As all 30 respondents were actively involved in their businesses’ processes, they were asked to indicate in which industry their respective businesses fell. A collation of the responses received can be viewed in Table 2 below:

Table 2. Frequency distribution table of industries in which respondents operated

| Value Label | Value | Frequency | Percent | Valid Percent | Cum Percent |
|---|---|---|---|---|---|
| Building retail | 1 | 1 | 3.33 | 3.33 | 3.33 |
| Clothing retail | 2 | 4 | 13.33 | 13.33 | 16.67 |
| Electronic retail | 3 | 3 | 10.00 | 10.00 | 26.67 |
| Footwear retail | 4 | 1 | 3.33 | 3.33 | 30.00 |
| Hardware retail | 6 | 1 | 3.33 | 3.33 | 33.33 |
| Health retail | 7 | 2 | 6.67 | 6.67 | 40.00 |
| Jewelry retail | 8 | 1 | 3.33 | 3.33 | 43.33 |
| Supermarket retail | 10 | 2 | 6.67 | 6.67 | 50.00 |
| General retail | 11 | 8 | 26.67 | 26.67 | 76.67 |
| Other | 12 | 7 | 23.33 | 23.33 | 100.00 |
| Total | | 30 | 100.0 | 100.0 | |

Source: Authors’ fieldwork (2015)

The “other” industries included that of “food and beverage retail” and “motor retail”. On average, respondents’ respective businesses have been in existence for 19.43 years. When respondents were asked how many full-time employees they employed, 26.67% of respondents employed between 6 and 10 full-time employees (“very small enterprises”) while a total of 73.33% of respondents employed between 11 and 50 full-time employees (“small enterprises”). On average, respondents employed 19 full-time employees. Also, out of all the responses received, a total of 13.33% of respondents indicated that they were the “owner” of their respective businesses, while another 13.33% of respondents indicated that they were the “manager” of their respective businesses. The remaining 73.34% of respondents indicated that they were both the “owner and manager” of their respective businesses. Hence one can deduce that the average respondent of the applicable questionnaire was a small general retail enterprise owner-manager who employed 19 employees and had been operating his/her business from Bellville for an average of 19.43 years.

4.2. Risks and Risk Management Initiatives of Respondents

In order to understand the types of risks which respondents faced in a day-to-day setting, respondents were asked to make use of a five point Likert scale (1 = strongly disagree, 2 = disagree, 3 = neither agree nor disagree, 4 = agree, 5 = strongly agree) to rate statements beginning with the sentence: “My business is negatively influenced by …” In Table 3 below, a summary is provided of the responses:

Table 3. Summary of risks which negatively influenced respondents

| Risk | Strongly disagree (%) | Disagree (%) | Neither agree nor disagree (%) | Agree (%) | Strongly agree (%) | Std Dev | Mean |
|---|---|---|---|---|---|---|---|
| Limited financial resources | 16.67 | 10 | 23.33 | 30 | 20 | 1.36 | 3.27 |
| Limited information to make business decisions | 16.67 | 33.33 | 26.67 | 10 | 13.33 | 1.26 | 2.7 |
| Lack of social media presence (e.g. Twitter, Facebook, etc.) | 30 | 20 | 23.33 | 20 | 6.67 | 1.31 | 2.53 |
| Lack of infrastructure (not enough basic structures to perform business operations) | 46.67 | 10 | 13.33 | 13.33 | 16.67 | 1.59 | 2.43 |
| Lack of proper technology (not having sufficient IT equipment or IT knowledge) | 36.67 | 6.67 | 43.33 | 10 | 3.33 | 1.19 | 2.37 |
| Limited skilled human resources | 23.33 | 13.33 | 23.33 | 30 | 10 | 1.35 | 2.9 |
| Limited supply and demand of products | 20 | 16.67 | 26.67 | 16.67 | 20 | 1.41 | 3 |
| Suppliers who are unreliable | 13.33 | 13.33 | 26.67 | 23.33 | 23.33 | 1.34 | 3.3 |
| Competitive business environment (due to similar companies trading in the area) | 6.67 | 20 | 20 | 36.67 | 16.67 | 1.19 | 3.37 |
| General theft and losses (burglaries, staff theft, fires etc.) | 3.33 | 13.33 | 16.67 | 40 | 26.67 | 1.11 | 3.73 |
| Weak solvency (more liabilities than assets) | 20 | 16.67 | 23.33 | 33.33 | 6.67 | 1.27 | 2.9 |
| Bad debts (debtors not paying on time or not paying at all) | 33.33 | 6.67 | 23.33 | 30 | 6.67 | 1.39 | 2.7 |
| Weak profitability (more expenses than income) | 23.33 | 10 | 23.33 | 26.67 | 16.67 | 1.43 | 3.03 |
| Weak liquidity (limited cash on hand) | 16.67 | 13.33 | 23.33 | 33.33 | 13.33 | 1.31 | 3.13 |
| Non-compliance with laws (inability to enforce contracts and possible lawsuits) | 33.33 | 13.33 | 20 | 23.33 | 10 | 1.43 | 2.63 |
| Non-compliance with regulations (licences can lapse and be revoked) | 26.67 | 23.33 | 16.67 | 23.33 | 10 | 1.37 | 2.67 |
| Non-compliance with recommended practices (compromise quality outputs) | 26.67 | 20 | 23.33 | 23.33 | 6.67 | 1.3 | 2.63 |
| Non-compliance with internal policies (staff not adhering and/or unaware of company policies) | 30 | 13.33 | 20 | 16.67 | 20 | 1.53 | 2.83 |
| Non-compliance with procedures of ethical standards (can damage the goodwill of the company) | 20 | 20 | 13.33 | 36.67 | 10 | 1.35 | 2.97 |
| AVERAGE | | | | | | 1.34 | 2.90 |

Source: Authors’ fieldwork (2015)

From the data in Table 3 above it is evident that the top seven risks which had an adverse influence on respondents’ businesses (in general) were that of general theft and losses (74.6% of the time), competitive business environments (67.4% of the time), unreliable suppliers (66% of the time), limited financial resources (65.4% of the time), weak liquidity levels (62.6% of the time), weak profitability levels (60.6% of the time) and limited supply and demand of products (60% of the time).

Notwithstanding the above, with a global average mean of 2.90 and a global average standard deviation of 1.34, for the question, it is evident that respondents were not really adversely influenced by risks (between a “disagree” and “neither agree nor disagree” rating). This finding is contradictory to popular literature that suggests that SMMEs are adversely influenced by risks.

In order to determine how respondents identify relevant risks, they were asked to make use of a five point Likert scale (1 = strongly disagree, 2 = disagree, 3 = neither agree nor disagree, 4 = agree, 5 = strongly agree) to rate statements beginning with the sentence: “In my business risks are identified through means of…” A summary is provided of their responses in Table 4 below:

Table 4. Summary of Methods Used by Respondents to Identify Risks

| Risk identification method | Strongly disagree (%) | Disagree (%) | Neither agree nor disagree (%) | Agree (%) | Strongly agree (%) | Std Dev | Mean |
|---|---|---|---|---|---|---|---|
| Investigating suspicious conduct | 13.33 | 3.33 | 13.33 | 36.67 | 33.33 | 1.34 | 3.73 |
| Frequent checks on security systems | 13.33 | 3.33 | 20 | 43.33 | 20 | 1.25 | 3.53 |
| Financial Audits | 6.67 | 6.67 | 10 | 43.33 | 33.33 | 1.16 | 3.9 |
| Tax Audits | 6.67 | 6.67 | 13.33 | 50 | 23.33 | 1.1 | 3.77 |
| Independent reviewer | 16.67 | 0 | 30 | 43.33 | 10 | 1.21 | 3.3 |
| Information Systems (IS) Audits | 13.33 | 3.33 | 40 | 33.33 | 10 | 1.14 | 3.23 |
| Brainstorming with staff | 10 | 10 | 16.67 | 50 | 13.33 | 1.17 | 3.47 |
| Risk register | 20 | 0 | 26.67 | 33.33 | 20 | 1.37 | 3.33 |
| Informal discussions with staff | 6.67 | 3.33 | 16.67 | 53.33 | 20 | 1.04 | 3.77 |
| Periodic stock taking | 6.67 | 0 | 16.67 | 46.67 | 30 | 1.05 | 3.93 |
| Comparisons of current and prior year financial statements | 3.33 | 0 | 10 | 50 | 36.67 | 0.87 | 4.17 |
| Staff behavior changes | 6.67 | 0 | 30 | 46.67 | 16.67 | 0.99 | 3.67 |
| Customer satisfaction surveys | 13.33 | 10 | 20 | 36.67 | 20 | 1.3 | 3.4 |
| Objectives not being met | 13.33 | 6.67 | 30 | 36.67 | 13.33 | 1.21 | 3.3 |
| Consulting other businesses in similar industries | 6.67 | 0 | 33.33 | 43.33 | 16.67 | 1 | 3.63 |
| AVERAGE | | | | | | 1.15 | 3.61 |

Source: Authors’ fieldwork (2015)

From the data in Table 4 above one can deduce that the top three risk identification methods used by respondents were that of comparisons of current and prior year financial statements (used 83.4% of the time), periodic stock taking (78.6% of the time) and financial audits (78% of the time). Albeit the fact that these top three risk identification techniques are semi-formal, a global average mean of 3.61 and a global average standard deviation of 1.15 (for the question) makes it clear that respondents were relatively actively involved in the identification of risks in and around their respective businesses (between a “neither agree nor disagree” and “agree” rating). The ‘activeness’ of respondents in the identification of risks can be justified through the statistic that 73.34% of respondents were owner-managers; with an average SMME existence rate of 19.43 years it is also evident that respondents were very concerned about their respective business’ well-being.

In order to understand how respondents manage identified risks, they were asked to make use of a five point Likert scale (1 = strongly disagree, 2 = disagree, 3 = neither agree nor disagree, 4 = agree, 5 = strongly agree) to rate statements starting with the sentence: “In order to manage risks in my business, I make use of …” In Table 5 a summary of their responses is provided:

Table 5. Summary of Risk Management Methods Used by Respondents

| Risk management method | Strongly disagree (%) | Disagree (%) | Neither agree nor disagree (%) | Agree (%) | Strongly agree (%) | Std Dev | Mean |
|---|---|---|---|---|---|---|---|
| Formal business policies | 6.67 | 0 | 10 | 53.33 | 30 | 1.02 | 4 |
| Establish/maintain relationship with customers | 0 | 3.33 | 6.67 | 56.67 | 33.33 | 0.71 | 4.2 |
| Establish/maintain relationship with suppliers | 3.33 | 3.33 | 13.33 | 50 | 30 | 0.95 | 4 |
| Actively support staff members | 0 | 0 | 23.33 | 46.67 | 30 | 0.74 | 4.07 |
| Communicate risks and consequences to staff | 3.33 | 0 | 3.33 | 60 | 33.33 | 0.81 | 4.2 |
| Observations (walk through) | 3.33 | 0 | 13.33 | 43.33 | 40 | 0.91 | 4.17 |
| Implement health and safety measures | 0 | 0 | 23.33 | 50 | 26.67 | 0.72 | 4.03 |
| Frequent maintenance of security systems | 3.33 | 3.33 | 23.33 | 43.33 | 26.67 | 0.97 | 3.87 |
| Frequent maintenance of information systems | 6.67 | 3.33 | 20 | 50 | 20 | 1.05 | 3.73 |
| Financial audit reports (to determine high risk areas) | 3.33 | 3.33 | 20 | 50 | 23.33 | 0.94 | 3.87 |
| Make provision for bad debts | 6.67 | 0 | 30 | 46.67 | 16.67 | 0.99 | 3.67 |
| Make provision for losses (e.g. insurance) | 3.33 | 0 | 23.33 | 43.33 | 30 | 0.93 | 3.97 |
| Segregation of duties | 6.67 | 0 | 23.33 | 40 | 30 | 1.07 | 3.87 |
| Staff training | 3.33 | 0 | 10 | 53.33 | 33.33 | 0.86 | 4.13 |
| Audit recommendations (implementing solutions for risks which have been identified) | 6.67 | 0 | 26.67 | 40 | 26.67 | 1.06 | 3.8 |
| Monitoring previously identified risks | 3.33 | 3.33 | 6.67 | 66.67 | 20 | 0.85 | 3.97 |
| AVERAGE | | | | | | 0.91 | 3.97 |

Source: Authors’ fieldwork (2015)

Based on the data in Table 5 above, the top five risk management techniques used by respondents, to manage identified risks, were communicating risks and consequences to staff (84% of the time), establishing and/or maintaining relationships with customers (84% of the time), observations in the form of ‘walk through’ exercises (83.4% of the time), staff training (82.6% of the time) and actively supporting staff members on the job (81.4% of the time). Again, the risk management techniques used by respondents were semi-formal, but with a global average mean of 3.97 and a global average standard deviation of 0.91 (for the question) it is clear that the majority of respondents made use of risk management initiatives in their respective businesses (almost an “agree” rating). This finding provides some insight as to why respondents’ relevant SMMEs have been in existence for an average of 19.43 years. In addition, the perceived effectiveness of deployed risk management initiatives, in terms of preventing, detecting and correcting identified risks, was rated by respondents, on average, at 78.6%. Although the term “effective” is viewed differently from one person to the next, it is important to take into account that all SMMEs, for this research study, have been in existence for at least 3 years (19.43 years on average). Therefore one can argue that respondents’ risk management strategies are working for them to keep their respective SMMEs afloat.

4.3. Assurance Providers and Combined Assurance Initiatives of Respondents

Since semi-formal risk identification and risk management initiatives were used by respondents, the authors wanted to discover whether combined assurance initiatives were used by respondents. First off, respondents were asked to indicate which type of assurance providers they make use of. A total of 60% of respondents agreed that they made use of external assurance providers while 60% of respondents also agreed that they made use of internal assurance providers. Of all the responses received, 69.99% of respondents agreed that they make use of quality assurance providers. Since SMMEs do make use of combined assurance initiatives more than 60% of the time, it justifies their 78.6% effectiveness rating of their risk management initiatives – rendering their risk management strategies to be more effective than what popular literature suggests.

To shed more light on the actual value that assurance providers add to their businesses, respondents were also asked whether assurance providers assist in the achievement of relevant business objectives. This was done by asking respondents to make use of a five point Likert scale (1 = strongly disagree, 2 = disagree, 3 = neither agree nor disagree, 4 = agree, 5 = strongly agree) to rate statements beginning with the sentence: “By using these assurance providers, my business experience consistency (or improvements) in terms of …” A summary of responses received is shown in Table 6 below:

Table 6. Summary of the Effectiveness of Assurance Providers

| Area of consistency or improvement | Strongly disagree (%) | Disagree (%) | Neither agree nor disagree (%) | Agree (%) | Strongly agree (%) | Std Dev | Mean |
|---|---|---|---|---|---|---|---|
| Improved reporting to assess the financial position of the business | 3.33 | 6.67 | 10 | 56.67 | 23.33 | 0.96 | 3.9 |
| Increasing sales turnover | 0 | 6.67 | 16.67 | 60 | 16.67 | 0.78 | 3.87 |
| Achieving higher profits | 0 | 10 | 16.67 | 46.67 | 26.67 | 0.92 | 3.9 |
| Skilled workers leading to customer satisfaction | 3.33 | 3.33 | 6.67 | 63.33 | 23.33 | 0.87 | 4 |
| Effective management and mitigation of risks | 0 | 6.67 | 10 | 66.67 | 16.67 | 0.74 | 3.93 |
| Effectiveness of internal controls | 3.33 | 0 | 6.67 | 66.67 | 23.33 | 0.78 | 4.07 |
| Achieving business objectives | 3.33 | 3.33 | 6.67 | 60 | 26.67 | 0.89 | 4.03 |
| Maximising the interest of stakeholders (investors) | 3.33 | 13.33 | 30 | 40 | 13.33 | 1.01 | 3.47 |
| Contribution towards social and/or environmental responsibility | 6.67 | 6.67 | 26.67 | 46.67 | 13.33 | 1.04 | 3.53 |
| AVERAGE | | | | | | 0.89 | 3.86 |

Source: Authors’ fieldwork (2015)

From the statistics in Table 6 above it is apparent that the value which assurance providers provided was quite significant. In essence, value is predominantly added through means of the enhancement of the effectiveness of internal controls (81.4% of the time), achieving of business objectives (80.9% of the time) and aiding in up-skilling of employees to attain better customer satisfaction (80% of the time). With a global average mean of 3.86 and a global standard deviation of 0.89, the statistics in Table 6 provide strong evidence that the value of assurance providers, as used by SMMEs, was somewhat significant (between a “neither agree nor disagree” and “agree” rating).

Lastly respondents were asked how they use their relevant assurance providers. From the responses received a total of 50% of respondents indicated that they made use of only one assurance provider at any given time (i.e. either ‘external assurance provider’ or ‘internal assurance provider’), while 36.67% of respondents indicated that they make use of at least two assurance providers at any given time (i.e. both ‘external assurance provider’ and ‘internal assurance provider’). The remaining 13.33% of respondents were unsure about how they use their relevant assurance providers.

5. Conclusion

Stemming from the above, it is evident that SMMEs experience economic and financial strain. Due to these adversities, adequate risk management strategies are deemed very necessary for these entities. The starting point in a sound risk management strategy is to identify risks that are present and/or have the probability to realise in the foreseeable future. From the findings made, it is clearly evident that SMMEs were aware of the risks that threaten their businesses to a great extent. These risks include general theft and losses, competitive business environments, limited financial resources, weak liquidity levels and weak profitability levels, just to mention a few. Albeit the latter, it was found that risks do not really adversely influence SMMEs to a great extent.

In addition, SMME leaders were asked how they identified risks. It was found that SMME leaders made use of comparisons of current and prior year financial statements, periodic stock taking and financial audits. Furthermore respondents indicated that the manner in which they manage their identified risks includes communicating risks and consequences to staff, establishing and/or maintaining relationships with customers, observations in the form of ‘walk through’ exercises, staff training and actively supporting staff members on the job. Albeit the fact that the latter risk identification initiatives and risk management initiatives were only semi-formal, it is imperative to note that the SMMEs have been in existence for an average of 19.43 years; hence SMME leaders must have a ‘working’ risk management strategy with an average self-rated effectiveness, by respondents, of 78.6%.

More light was shed on a probable reason as to why the risk management strategies deployed by SMME leaders were rated so high in terms of efficiency when it was found that SMMEs place reliance on assurance providers to add value to the organisation by enhancing the effectiveness of internal controls, reaching of business objectives as well as improving employee skills in order to improve customer satisfaction. SMMEs therefore see assurance providers as value adding functions which, in turn, assist in the identification and management of risks in and around the organisation.

Although only 36.67% of respondents made use of combined assurance initiatives (and 50% made use of ordinary assurance initiatives) one can deduce that if more SMMEs would utilise a combined assurance model (by making use of ‘internal service providers’ and ‘external service providers’ at the same time) it will lead to more effective risk management strategies; adding value to these entities in terms of sustainability, as well as possibly lowering assurance costs.

  1. Abrams, C., Von Känel, J., Müller, S., Pfitzmann, B. and Ruschka-Taylor, S., 2007. Optimized enterprise risk management. IBM Systems Journal, 46(2), pp.219-232.
  2. Australian/New Zealand Standard 4360 (AS/NZS 4360), 2004. Risk Management. [Online]. Available from: http://www/ [Accessed 15/5/2014]
  3. Beasley, M., Chen, A., Nune, K. and Wright, L., 2006. Working hand in hand; Balance Scorecard and Enterprise Risk Management. Strategic Finance, 87(9), 2006.
  4. Berkeley, D., Humphreys, P.C. and Thomas, R.D., 1991. Project risk action management. Construction Management and Economics, 9, pp.3-17.
  5. Biyase L., 2009. DTI to look at how crisis hurts small enterprises [Online]. Available from: [Accessed 10/06/2014]
  6. Bizbooks, 2008. I want my own business. Consider this then? [Online]. Available from: [Accessed 10/06/2014]
  7. Blanc Alquier, A.M. and Lagasse Tignol, M.H., 2006. Risk management in small- and medium-sized enterprises. Production Planning and Control, 17(3), pp.273-282.
  8. Bradford, M., 2009. Sovay turns risk into opportunity. Business Insurance, 43(20), pp.4-28.
  9. Brink, A., Cant, M. and Ligthelm, A., 2003. Problems experienced by small businesses in South Africa. Paper presented at the Annual conference of Small Enterprise Association of Australia and New Zealand, University of Ballarat, Australia.
  10. Bruwer, J., Masama, B., Mgidi, A., Myezo, M., Nqayi, P., Nzuza N., Phangwa, M., Sibanyoni, S. and Va, N., 2013. The need for a customised risk management framework for small enterprises. International Southern African Accounting Association Conference.
  11. Coetzee, P., Du Bruyn, R., Fourie, H. and Plant, K., 2013. Internal Auditing: An Introduction. Johannesburg: LexisNexis.
  12. Collis, J. and Hussey, R., 2009. Business Research: A practical guide for undergraduate and post graduate students. Hampshire: Palgrave Macmillan.
  13. COSO, 2004. Enterprise Risk Management – Integrated Framework [Online]. Available from [Accessed on 21/05/2014]
  14. Deloitte, 2011. Combined Assurance Taking corporations to the next level.  [Online]. Available from: [Accessed on 22/03/2014]
  15. DeLoach, J.W., 2000. Enterprise-Wide Risk Management. Strategies for linking risk and opportunity. London: Financial Times Prentice Hall.
  16. Department of Trade and Industry, 2008. Annual Review of Small Business in South Africa 2005 – 2007. 2008
  17. Dupré, A., 2009. Linking risk management to the budgeting process. CMA Management, August/September, pp.16-18.
  18. Fatoki, O. 2014. The Causes of the Failure of New Small and Medium Enterprises in South Africa. Mediterranean Journal of Social Sciences, 5(20), pp. 922-927.
  19. Felix, W., Grambling, A., and Maletta, M., 2001. The Contribution of Internal Audit as a Determinant of External Audit Fees and Factors Influencing This Contribution. Journal of Accounting Research, 39(3), pp. 1-27
  20. Federation of European Risk Management Association (FERMA), 2003. A Risk Management Standard. [Online]. Available from: [Accessed 21/11/2010]
  21. Giliomee, J., 2004.  The small business environment. Entrepreneurial Business School [Online]. Available from: [Accessed on 05/05/2014]
  22. Grant Thornton, 2012. An instinct for growth – Combined Assurance. [Online].  Available from: [Accessed on 22/03/2014]
  23. Henriksen, P. and Uhlenfeldt, T., 2006. Contemporary Enterprise-Wide Risk Management Frameworks: A Comparative Analysis in a Strategic Perspective. [In: Andersen, T.J. (ed.). Perspectives on Strategic Risk Management. Denmark: Copenhagen Business School Press].
  24. Hollman, K.W. and Forrest, J.E., 1991. Risk Management in a Service Business. International Journal of Service Industry Management, 2(2), pp.49-65.
  25. Institute of Directors, Southern Africa, 2009. King code of governance for South Africa [Online]. Available from: [Accessed on 10/06/2014]
  26. Institute of Internal Auditors, 2009. Conducting the Internal Audit Engagement: identifying and prioritising the potential risks. [Online]. Available from: Documents/PA_2210-A1-1.pdf [Accessed on 05/05/2014]
  27. Institute of Internal Auditors, 2012. Practice Guide, Coordinating Risk Management and Assurance. [Online]. Available from: [Accessed on 10/06/2014]
  28. Institute of Internal Auditors, 2012. Public Sector Forum on the importance steps towards an effective combined assurance model. [Online]. Available from: [Accessed on 31/03/2014]
  29. International Auditing and Assurance Standards Board, 2014. Handbook of International Quality Control, Auditing, Review and Other Assurance, and Related Services Pronouncements, Volume 1. [Online]. Available from: [Accessed on 3/12/2014]
  30. Jiong, L. and Li, X., 2010. Discussions on the Improvement of the Internal Control in SMEs, International Journal of Multidisciplinary Research, 5(9), September 2010.
  31. Jung, D., 2010. Risks and Opportunities facing SMEs in the Post-Crisis Era [Online]. Available from: [Accessed on 21/09/2014]
  32. KPMG, 2009. The Audit Committee Institute. [Online]. Available from: [Accessed on 05/05/2014]
  33. Leedy, P. and Ormrod, J., 2010. Practical Research: Planning and Design, 9th ed. New Jersey: Pearson Education.
  34. Manu, C., 2005. Risk management in the context of public sector reforms. [Online] Available from: [Accessed 05/05/14]
  35. Miccolis, J.A., Hively, K. and Merkley, B.W. S.a. Enterprise Risk Management: Trends and Emerging Practices. S.l.:Tillinghast – Towers Perrin.
  36. Mogashoa, T., 2013. Shocking ‘Missing Middle’ SMMEs in South Africa revealed. [Online]. Available from: [Accessed on 21/09/2014]
  37. National Credit Regulator, 2011. Literature Review on Small and Medium Enterprises’ Access to Credit and Support in South Africa
  38. Ngary, C., Smit, Y., Ukpere, W. and Bruwer, J-P., 2014. Financial Performance Measures and Business Objectives Attainment in Fast Food SMMEs in the Cape Metropolis: A preliminary Liability and Suitability analysis. Mediterranean Journal of Social Sciences, 5(20), pp.909-921. September, 2014.
  39. Noorvee, L., 2006. Evaluation of the Effectiveness of Internal Controls over Financial Reporting. Master’s Thesis, University of Tartu, Tartu.
  40. Ntlhane, K.E., 1995. The application of risk management principles to smaller enterprises. A research report submitted in partial fulfilment of the requirements for the degree of Masters of Business Administration in the Faculty of Management at the University of the Witwatersrand.
  41. PwC, 2014. National Treasury: Combined Assurance Practical Approach and Reporting Key Learning’s [Online]. Available from: [Accessed on 04/12/2014].
  42. Roberts, S., 2006. Sustainable Manufacturing: The Case of South Africa and Ekurhuleni. Durban, Juta Company Ltd.
  43. Roos, A., 2012. Audit committees and combined assurance. [Online]. Available from: [Accessed on 05/05/2014]
  44. Salie, M., Strauss, N., Davids, M., Smit, Y., Boshoff, S. and Bruwer, J-P., 2014. The effects of sin tax on the profitability of SMME convenience stores in the Cape Metropole. Topclass Journal of Business Management, 1(2), pp. 25-36, 26 June 2014.
  45. Schrøder, P.W., 2006. Impediments to Effective Risk Management. Perspectives on Strategic Risk Management. [In: Andersen, T.J. (ed.). Perspectives on Strategic Risk Management. Denmark: Copenhagen Business School Press].
  46. SEDA, 2010. The small business monitor [Online]. Available from: [Accessed on 22/03/2014]
  47. Shah, T. and Khedkar, A., 2006. Case on successful SME financing – SIDBI. Indian Institute of Planning and Management (IIPM). Ahmedabad.
  48. Simnett, R., Vanstraelen, A., and Chua, W. F., 2009. Assurance on sustainability reports: An international comparison. The Accounting Review, 84(1), pp. 937-67, 26 October 2007.
  49. Siwangaza, L., 2014. The status of internal controls in fast moving consumer goods SMMEs in the Cape Peninsula. Dissertation submitted for the fulfilment for aMTech: Internal Auditing. Cape Peninsula University of Technology.
  50. Siwangaza, L., Ukpere, W., Smit, Y. and Bruwer, J., 2014.  The Status of Internal Controls in Fast Moving Small Medium and Micro Consumer Goods Enterprises within the Cape Peninsula. Mediterranean Journal of Social Sciences, 5(10), pp.163-175
  51. Smit, Y., 2012. A structured approach to risk management for South African SMEs. Thesis submitted in full fulfilment for a DTech: Internal Auditing. Cape Peninsula University of Technology, Cape Town.
  52. Smit, Y. and Watkins, A., 2012.A literature review of small and medium enterprises (SME) risk management practices in South Africa. African Journal of Business Management, 6(21), pp. 6324-6330, 30 May 2012.
  53. South Africa, 1996. National Small Business Enabling Act No, 102 of 1996. Pretoria: Government Printer.
  54. South Africa, 2003. National Small Business Amendment Act No. 26 of 2003. Pretoria: Government Printers
  55. Teketel, T. and Berhanu, Z., 2009. Internal Controls in Swedish Small and Medium Size enterprises. A dissertation submitted in full fulfilment of the requirement for the degree of Masters in Business Administration at the University of Umea.
  56. Vallabhaneni, S.R., 2005. Wiley CIA Exam Review, Internal Audit Activity’s Role in Governance, Risk. John Wiley and Sons.
  57. Valsamakis, A.C., Vivian, R.W., and Du Toit, G.S., 1996. The Theory and Principles of Risk Management. Isando: Heinemann.
  58. Valsamakis, A.C., Vivian, R.W. and Du Toit, G.S., 2000. Risk Management 2nd Edition. Sandton: Heinemann Higher and Further Education.
  59. Verduyn M., 2011. Step back to move ahead. [Online]. Available from: [Accessed on 05/05/2014]
  60. Watson, G.E.H., 2004. A situational analysis of entrepreneurship mentors in South Africa. A dissertation submitted in fulfilment of the requirements for the degree Masters of Commerce in Business Management at the University of South Africa.
  61. Watt, J., 2007. Strategic risk management for small businesses. [In: Reuvid, J. (ed.). Managing Business Risk 2nd Edition – a practical guide to protecting your business. London – Philadelphia: Kogan Page].

Article Rights and License
© 2015 The Authors. Published by Sprint Investify. ISSN 2359-7712. This article is licensed under a Creative Commons Attribution 4.0 International License.
Corresponding Author
Juan-Pierre BRUWER, Faculty of Business, Cape Peninsula University of Technology, P.O. Box 625, Cape Town, 8000, South Africa

Samantha PRINSLOO
Cape Peninsula University of Technology, South Africa

Candice WALKER
Cape Peninsula University of Technology, South Africa

Lise BOTHA
Cape Peninsula University of Technology, South Africa

Juan-Pierré BRUWER
Cape Peninsula University of Technology, Cape Town, South Africa, ORCID: 0000-0003-0879-2519

Yolande SMIT
Independent Researcher