Risk. It’s inherent in business; an element faced in every decision. Owners of small and medium-sized businesses may feel this even more keenly, as challenges seem to come from every direction and there are few — if any — among us who are expert in everything. Minimizing that risk requires researching and gathering the best intelligence. Technology is increasingly providing tools to help gather and even evaluate the information, but the human mind is still best at applying it. Professionals in our business community share their expertise with In Business Magazine on some of business owners’ key “hot spots.”
“Today’s business world is manifested by a highly regulatory environment,” says Charles A. McLane, senior managing director of the Phoenix office of CBIZ MHM, LLC.. “Thus, business owners are faced with a lot of complexity resulting in risks related to not knowing what they don’t know when it comes to areas like compliance and taxes.” He notes that failures in these areas can have a significant impact on cash flow and the ability to survive.
In the area of compliance, payroll withholdings are an important element to stay on top of. Not only are compliance requirements around payroll withholdings very strict, but making those deposits is a requirement that can ultimately wind up as a personal responsibility of the owner. “The regulatory authorities view these deposits as money belonging to others. This type of liability may not be eliminated even in filing for bankruptcy if the business fails. Having a strong payroll system or outside provider and following the instructions of the provider will keep the owner away from a lot of trouble.”
Tax filings are another area that can seem to be less critical early on, McLane says. “The owner believes that the business is not making much money and thus the tax filings are not very important; they believe they don’t owe anything. However,” he explains, “early tax filings are important to establish appropriate elections, identify non-deductible items and ensure that the corporate structure is appropriate for possible future tax consequences. Failure to file timely can result in penalties and interest that will continue to compound until the filings are appropriately up to date.” When this occurs, there can be a significant impact on the company’s cash flow. In addition to past taxes, which could be 40 percent of profits, the company will need to pay penalties, interest and any taxes due on current operations. All of this together can wipe out the company’s cash flow and prohibit the payment of other necessary operating costs.
“It is important for business owners to surround themselves with seasoned professionals who can educate them on areas like these or provide services to keep the business and owner compliant with the regulatory environment,” McLane says, emphasizing that, as discussed above, regulatory agencies will not accept ignorance as an excuse for failure to stay compliant.
Cybersecurity and Technology
“Hackers do not discriminate based on the size of a business,” says Morey Haber vice president of technology at Beyond Trust. In fact, he adds, some of the smallest businesses contain the most sought after Personally Identifiable Information (PII) — treasure troves about their customers’ homes, cars, boats and financial investments. Even businesses like car washes and restaurants aren’t immune from hacking — after all, they are using customer data for monthly mailers and store promotions to market their services, not to mention having transaction data from point-of-sale systems.
Michael Cocanower, president and CEO of Phoenix-based itSynergy, puts the warning in even stronger terms: “Data breaches are becoming more common in the workplace, no matter the size of the company.” He cites recent studies showing that 71 percent of cyberattacks occur at businesses with fewer than 100 employees. “The consequences can be disastrous,” he notes. “The U.S. National Cybersecurity Alliance reports that 60 percent of small companies are unable to sustain their businesses over six months after a cyberattack.”
Says Haber, “Home-based business all the way up to enterprises need to take note of some very basic security practices to ensure they are not a victim of the next cyber security breach.” Cocanower makes an additional point: “Building a strong cyber defense wall is particularly important in light of the state’s new data breach notification law, which is not something businesses can ignore. In addition to being responsible for restitution to victims, businesses could face civil penalties from the Attorney General’s office that can run as high as $500,000. That would be devastating to a small business.”
Addressing himself to smaller businesses, Haber explains that cyberattack tactics range from phishing and drive-by browser attacks to Web application flaws. “This means that hackers are not specifically targeting your business like a named bank or insurance company, but rather using opportunistic, automated techniques to trick individuals into allowing malware into your environment and informing them that a new compromised asset has been added to their manifest. After one of your assets is compromised, anything from surveillance, data extraction, or ransomware is possible based on the attacker’s motives.” Considering most small to medium-sized businesses do not have full-time information technology staff (let alone part-time security staff), security gaps appear in assets that are not properly identified, documented and remediated in a timely fashion, and this, he points out, leaves them a high risk compared to enterprises simply based on a lack of resources and processes to mitigate evolving threats.
As cybersecurity experts, Cocanower and Haber regularly urge businesses to train employees — often a business’s weakest security link — to recognize and avoid phishing emails and social engineering attacks, with their potentially dangerous links and attachments, and to actively manage passwords.
There is also growing awareness of risks involved in being tapped into the Internet of Things (IoT). “Hackers could breach the surveillance system in a building to watch and listen to everything that happens,” Cocanower warns. “If the doors in your office building are power-controlled, they could disable the system in the middle of the night or turn off the power so the doors automatically open to comply with fire codes. The list of breach scenarios is endless.”
To help small and medium-sized businesses mitigate the bulk of the risks, Cocanower and Haber offer the following basic security best practices:
- First, educate employees to be “security smart.” Provide them with training on how to recognize a phishing email or social engineering attack. Teach those who handle sensitive information not to make simple mistakes like clicking on unknown links or opening strange files that may contain malware.
- Be password-conscientious. Encourage employees to change their passwords as often as they change the oil in their cars. Enforce two-factor authentication for all corporate systems. Change all default or blank passwords— this stops automated threats that can log in and install malware, which occurs most commonly on infrastructure and IoT devices. Rotate passwords when there is a transition of employees — this helps prevent insider threats and problems from former employees.
- Next, address the issue of encryption. If there is a breach and any stolen data is properly encrypted, the business will not only be exempt from many of the requirements of the new law, but will have also virtually eliminated the risk of the thieves being able to access the data.
- Remove administrative rightsfrom all desktops and servers (when possible) — this prevents the installation of malware and unauthorized applications.
- Pick a good anti-virus solution. Recommendations from VB100 or SC Magazine may be helpful for business owners who are unsure which one is best. Business owners need to make sure they stay licensed (since many of these solutions are subscription-based) and their updates are automatically applied.
- Identify missing security patches and apply themon a regular basis. This helps prevent exploits that target easy, “low hanging fruit,” like Flash and Java. If possible, just turn auto update on for all applications and let the systems remediate themselves — do not ignore when the application wants to install an update.
Cocanower suggests the most important thing a business owner can do is to start with a comprehensive risk analysis. This involves identifying the universe of possible risks, then assigning a probability and impact score to each item. The product of those two numbers represents the business’s exposure to that possible risk. “With that data, you can start to focus where you have the greatest risk and work your way down the list until you have eliminated everything higher than the level of risk you are willing to accept,” he says.
Equally critical to minimize risk are backup and disaster recovery, Cocanower notes. He points out that, last year, 45 percent of unplanned downtime was the result of hardware failure — a percentage that can be reduced by having backup infrastructure as well as a plan to replace old hardware before any issues arise — and data from StorageCraft put companies’ cost of this unplanned downtime at between $926 and $17,244 per minute.
“Many businesses mistakenly think that backing up data or storing their data with a cloud service protects them in a disaster scenario, such as a power outage, a ransomware attack or another unexpected event that destroys or compromises data,” Cocanower says. He offers business owners three key considerations that can be the difference between surviving a major event and losing their business.
Server Access – Having a backup of data on a business’s servers is important, but if those servers are gone and no other server is available to put that data on, it may not be very useful.
Recovery Drills – A backup and recovery plan that is not regularly tested is almost equivalent to no backup at all. Businesses that are not working with their IT staff or company to regularly simulate data loss or equipment loss and prove they are able to function in the event of a disaster are exposing themselves to tremendous risk.
Recovery Point Objective (RPO; how much data a business can afford to recreate if forced to operate from backup) and Recovery Time Objective (RTO: how long a business needs to be up and running from its backup) — The executive team should discuss what the business can actually tolerate for these two values. The business should then design a backup and disaster recovery plan that meets its requirements, and, during testing, ensure it is within the acceptable RPO and RTO windows.
Says Haber, “Information technology professionals recognize that paper-based recommendations are great when a company has resources to implement them (large and enterprise), but when dealing with small to medium-sized businesses, they need some help and the solution needs to be simple, easy, and cost effective. This is where managed service providers, technology partners and consultants can assist and provide a supplemental labor force, with expertise, to scale the best practice recommendations for the business.”
“To any business, but particularly to small businesses, your workforce is your best asset, so investing in the mental and physical well-being of your employees will deliver healthy returns to your business,” says Kim Shepard, Cigna Market President for Arizona.
In considering options for healthcare coverage for employees and their families, Shepard suggests business owns look for a plan that encourages or guides them to the highest- performing physicians and facilities (quality outcomes and cost efficiency) for their specific healthcare needs. At the same time, she says, “Ensure that your insurance carrier or administrator has the technology, tools and customer service education and support to help your employees choose the best plan for their circumstances and then use that coverage to their full advantage.”
Shepard also suggests businesses consider alternate funding solutions (versus a traditional fully-insured premium arrangement) that allow the employer to reap the benefits of a healthy and engaged workforce.
Discussing an HR aspect of healthcare, Camille French, founder and principal of AmeriSource HR Consulting Group, points out that, even though the Patient Protection and Affordable Care Act (usually referred to as the “Affordable Care Act,” “ACA” or “Obamacare”) has been cut, fines are still applicable for the years the law was in effect. “We have also seen a trend in PPACA penalties for smaller Applicable Large Employers (ALEs). What we have found is that, within the first year of the ACA, many ALEs transitioned onto full self-funded or even partially self-funded plans without realizing that there are different and more complex reporting requirements for self-funded plans.” And, she says, the government is just now beginning to send letters for incorrect reporting, which may require employers to fix errors or pay a fine.
“All employers face challenges in hiring, managing, and retaining qualified employees and complying with workplace laws. However, those challenges can be especially acute for smaller businesses, which are often focused on survival, growth, and delivering a quality product or service,” observes Jill Chasson, an attorney with Coppersmith Brockelman in Phoenix. Additionally, compliance matters may end up being pushed aside, resulting in potentially costly mistakes.
Says AmeriSource HR’s Camille French, “One of the most frequent business risks we encounter is trouble with HR compliance.” With the passage of Proposition 206, the Fair Wages and Healthy Family Act went into effect on July 1, 2017, and increases Arizona’s minimum wage incrementally until 2020. Pointing to just one of many aspects of the Proposition, she has found many employers have not been aware it also required all employers to offer paid sick leave to their employees — even if there is only one employee — up to a maximum of 24 or 40 hours, depending on the company’s size, and observes, “This has proven to be difficult for service-driven industries because employees can call out sick, leaving their scheduled shifts uncovered.”
The recruitment and onboarding of new employees is another area where French has seen many risky business practices — starting at the very beginning, with the employment application. “Many employers have allowed applicants to submit a résumé in lieu of an application, but this can cause issues in the long run,” she says, explaining that a résumé is typically like a sales pitch in that it embellishes all the great accomplishments and abilities of an applicant, whereas the application process requires applicants to provide factual information and attest that the information is true and accurate. “Both serve a purpose, but they are not mutually exclusive,” she notes. “What we have seen some employers do is require applicants to acknowledge that their resume is accurate and factual, and this provides some peace of mind for the employer. However, applications are still the best way to ensure you are receiving accurate information.”
French itemizes some of the application “no-nos” that employers need to be aware of in utilizing applications: asking the applicant’s Social Security Number, current earnings and whether he or she has been convicted of a felony. Additionally, employers in Arizona are required to have Smoke Free Arizona listed on their application as mandated by proposition 201. “We also commonly find that many small businesses in Arizona do not realize they have been mandated to run all new hires through the E-Verify system since 2008. This is true regardless of the size of the employer,” French says, relating, “Employers are not able to retroactively run their new hires if they have not been compliant with this, but can make a good faith effort to be in compliance by following the mandate moving forward.”
Chasson cautions that one of the most significant mistakes small employers make is misclassifying employees as independent contractors. While this may seem to allow the company to avoid certain employee obligations, such as paying payroll taxes and workers’ compensation insurance premiums, it can prove much costlier later if the government determines employees have been misclassified. Says Chasson, “The company can be liable for back taxes, benefits costs and back wages, plus fines and penalties. As a general rule, the greater the degree of behavioral and financial control the company retains over how work is done, the more likely the worker should be classified as an employee.”
Another classification issue arises over exempt versus non-exempt employees. Under the federal Fair Labor Standards Act, non-exempt employees must be paid overtime pay if they work more than 40 hours in a workweek. Employees who meet minimum-salary and duties-based requirements for exemption — which include those in executive, professional, administrative, outside sales and computer positions — do not have to be paid overtime. “Many businesses believe that paying an employee a regular salary is enough to avoid overtime obligations,” Chasson says. “But overlooking the duties tests can result in costly misclassification mistakes, including liability for double the amount of overtime not paid.”
Chasson also characterizes recordkeeping obligations as an area of risk. Federal and state laws require employers to maintain employee records, including demographic information, tax forms, verification of employment authorization, hours worked, pay data and personnel records the company creates. “Small employers may find it cost-effective to use a professional employer organization or payroll service to manage some of these obligations,” she says. “For other types of records, such as those related to hiring, termination and employee performance, employers should set up a personnel file for each employee. Any medical or health records, such as doctor’s notes and leave of absence forms, should be kept in separate confidential files with restricted access.”
“One of the biggest areas that get employers in trouble is the lack of knowledge of what ‘Protected Concerted Activity’ is,” French says. Protected Concerted Activity falls under the National Labor Relations Act and is monitored by the National Labor Relations Board. The term defines the activities employees may participate in without concern of employer retaliation. “This allows employees to come together with each other in an effort to create a better working condition, fair wages, et cetera,” she says, offering as examples employees sharing their wages with each other and posting about their workplace or boss on social media. “Employees have the right to do these things, and employers cannot prohibit or reprimand employees for participating in these activities. Arizona is a part of Region 28 of the NLRB, which is one of the stricter regions in terms of enforcement.”
Leadership and Management
“For business leaders, not having people they trust who are agenda-free and willing to ask the important and hard questions represents one of the greatest risks to a business,” says executive coach and business consultant Tom Pierce, CEO of TKPierce, Ltd., observing that even in our hyperconnected world — where we measure our “friends” by the hundreds in not thousands of Facebook and LinkedIn connections — the business leader is often alone.
Pierce cites a study conducted at Stanford Graduate School of Business that found nearly two-thirds of CEOs do not receive outside leadership advice, but also notes lack of advice is not necessarily the issue for most business leaders. “They seem to get plenty of advice from their board, their customers, their employees, even their family,” he says. “The issue is that each of these groups has a stake in the outcome.”
Answering his own question, “Where does the business leader turn for the advice they so critically need?” Pierce points out that, for Benjamin Franklin, Andrew Carnegie and Henry Ford, it was a Mastermind of trusted peer advisors. “Each of these men credited much of their success to their group of trusted peers,” he says. In addition to meeting regularly, these groups shared many attributes: Members each led successful businesses, represented a variety of industries, kept strict confidentiality, were committed to each other’s success, and held each other accountable to their commitments. Says Pierce, “In our hyperconnected world with hundreds or thousands of friends and connections, it is easy to lose sight of the value, importance and power of a close group of peer advisors.” In fact, a 2017 study conducted by Dun & Bradstreet for Vistage International showed that leaders who had an agenda-free group of advisors grew 2.2 times faster than average SME companies.
Pierce offers the following steps business owners can take to create their own group of peer advisors.
Select the Right Peers — Based on their goals, business leaders should surround themselves with people who share their aspirations and commitment to success.
Create a Safe Environment — Deep conversations about critical intellectual and emotional issues require an environment where participants never feel judged and where confidentiality is sacrosanct.
Foster Valuable Interaction — While a safe environment provides essential emotional safety, intellectually, group members must also feel secure that there are specific strategies and processes for addressing challenges and identify opportunities.
Be Accountable — It is not up to the group members to tell the business owner what to do, but rather the other way around. And the other members will then expect the business leader to follow through on that action.
Engage a Skilled Facilitator — Maximizing the potential of any group depends on leadership that inspires a high level of group cohesion, trust, vulnerability and a culture of collaboration. A skilled facilitator helps all the group members be active participants of the discussions.
But leadership is not something reserved for just the executive, says Arnold Hickey, president of Accord Consulting Solutions International. Describing leadership simply as an attempt to influence, he points out, “Managers influence workers to produce quality output and to increase the volume of output. Salespeople influence prospects to buy from a given business. Customer service personnel influence customers as they help solve their problems. And so on.” Since in every business, everyone influences someone, Hickey notes, “The skills of leadership are needed in all corners of your organization.”
Hickey enumerates some of the more important methods of leadership: modeling, or setting the example; sharing one’s vision and enlisting others; challenging the process and looking for ways to grow; empowering others to act; giving direction by setting goals and building trust; and encouraging the heart by giving positive reinforcement.
And leadership need not be only top-down. “Organizational leadership,” Hickey says, “is a dual-focused management approach that works, simultaneously, toward what is best for individuals and what is best for a group as a whole. It is also an attitude and a work ethic that empowers an individual in any role to lead from the top, middle or bottom of an organization.”