Concern About Risk Deepens Among Midsize Business Leaders
QBE survey shows financial, digital and business interruption risks continue to weigh on executives
There is no rest for the weary, as they say.
Even after several years of uncertainty and disruption, business leaders’ concern about risks to their organizations rose significantly in 2022, according to a report from QBE North America and the Association for Corporate Growth.
Like its findings last year, the 2022 Mid-Sized Company Risk Report showed that middle-market business leaders continue to rank financial, digital and business interruption as the top-three “macro” risk areas for their organizations.
More than 300 decision-makers at U.S. midsize businesses with revenue between $200 million and $3 billion responded to the survey, which HawkPartners conducted in the summer on behalf of QBE for the third year in a row.
This section of the report is sponsored by QBE North America and originally appeared in the special edition Middle Market Growth 2023 Multiples Report. Read the full story in the archive.
Illustration by Daniel Hertzberg
Meanwhile, organizational risk crept into the fourth spot, up from seventh a year ago. The change reflects growing concern over factors like M&A risk and hiring, retention and teamwork challenges.
Respondents were asked about 12 macro risks in total, and their level of concern across all of them rose significantly from 2021 to 2022.
Christopher McGrath, head of middle-market property and casualty insurance at QBE North America, attributes the increased sense of anxiety to a variety of factors, including labor shortages, competition for talent, supply chain issues and hybrid work. “And when these are coupled with cyclical kinds of geopolitical and economic issues that typically follow a large-scale event like the pandemic, we see greater concern about things like pending recessions and increased inflation, and the impact those can have on their businesses,” he says.
On top of that is the widespread push toward digitization, which exposes companies to greater cyber risks and the potential for data and intellectual property theft. “That adds up to quite a lot for companies to be considering and protecting themselves against,” McGrath says.
The Digital Dilemma
In QBE’s survey, cyberattacks or breaches ranked as the most concerning “micro” risk overall for respondents, while 44% indicated that it’s a top digital risk for their business.
Although cyber incidents at middle-market companies tend not to make headlines, these businesses have become a focus for bad actors seeking targets with less robust security infrastructure, according to a report published by RSM in June. It noted that the number of breaches in the midmarket has declined slightly; still, 22% of middle-market executives surveyed for RSM’s report said their company experienced a data breach in the last year.
Yet only 56% of executives in QBE’s survey reported having a mitigation strategy for digital risk, a category that encompasses cyberattacks and breaches, corporate espionage and data integrity, among others.
One explanation is that midsize businesses tend not to have a dedicated chief information security officer to focus on cyberthreats and enforce good cyber hygiene practices, says Bill Neuman, an operating partner at private equity firm Lovell Minnick Partners, which invests in financial services businesses.
Plus, limited bandwidth often forces midsize business leaders to prioritize the most visible issues, sometimes at the expense of equally serious threats. “If you have a 10- or 15-person open headcount that you’re trying to fill, that’s a current, pressing problem,” Neuman says, “whereas cybersecurity investments are sometimes viewed as insurance against an unlikely future event with few advocates.”
In an effort to outsource some of the security responsibility, many companies are shifting their digital assets to the cloud. InterCool, a Carrollton, Texas-based provider of industrial refrigeration services and solutions, took that step in 2019 to capitalize on the security infrastructure of a third party.
Patrick Riggio, a director at lower middle-market investment firm RF Partners, which made its initial investment in InterCool in June 2019, points to the “strength in numbers” that comes with cloud-based platforms whose services are used by numerous companies. “It behooves us as a partner to work with high-end providers so that we can benefit from the investment security they’ve made and that they provide their customers,” he says.
A complicating factor for businesses looking to protect themselves from cyber risk involves changes to cyber insurance coverage. Many are having difficulty obtaining or renewing cyber insurance policies as carriers become stricter in their requirements and raise the cost of coverage.
Neuman sees a silver lining in the stringent requirements from carriers, such as mandates for multifactor authentication.
“The good news is, when that occurs, it’s driving companies to improve their cybersecurity posture,” he says. “Cyber insurance may have created a false sense of security for some leaders; the tightening of cyber requirements is helping to close the gap between that perception and reality.”
Organizational Risk
Organizational risk didn’t rank as high as digital risk in QBE’s survey, but it did show the sharpest increase, jumping three spots to become the fourth most-concerning macro risk for executives in 2022.
That risk encompasses micro risks such as attracting and retaining talent, the impact of demographic changes to the talent pool and an inability to innovate, among others. It also includes risk around M&A and a failure to realize synergies after a transaction. More than a quarter of executives surveyed said they’re concerned about M&A as an organizational micro risk to their business, while 19% cited it as their most concerning organizational risk.
Whether a deal delivers on its promise hinges heavily on successful integration, a process that many organizations get wrong. “What I see is a lack of focus, deployment of resources and leadership’s interest in integrations,” says Galina Wolinetz, managing director at advisory firm Virtas Partners, where she focuses on M&A integration and separation advisory. “Everybody’s very excited about getting the deal done, and then somebody has to run the combined company, but the focus and resources are gone.”
One misstep she points to is not focusing enough on value creation. Ahead of a deal, the buyer has likely developed a strategic rationale and a financial forecast, Wolinetz notes, but those are often not followed through on after the transaction closes. “A lot of times I see people assume, ‘Well, we just acquired this company, so all this stuff we think was going to happen is just going to happen,’” she says. Instead, she recommends that leadership teams identify owners and specific initiatives related to all aspects of the desired outcomes of the deal, to make sure they’re achieved.
Wolinetz regularly sees poor communication after an acquisition, where employees of the acquired entity are left in the dark about what the transaction means for the business and them personally. That lack of transparency and the uncertainty it creates can result in valuable talent walking out the door. If those employees’ contributions were factored into financial forecasts, the synergies the acquirer was counting on could be compromised.
Safety First
Liability risk continues to weigh on employers’ minds, including through associated micro risks like accidents, health issues and workers’ compensation. Liability was cited as a top-five macro risk by 44% of respondents to QBE’s survey for the third year in a row.
In some cases, that risk can manifest in dangers encountered on the job. Technicians at InterCool, for example, regularly encounter chemicals like ammonia. Riggio points to a rigorous safety program and ongoing training as key components of the company’s risk mitigation strategy.
The company’s training extends beyond safety, too. According to InterCool Executive Vice President Clay Hill, the company strives to promote from within. He adds that it has “appropriate levels of redundancy throughout the management team” as a means of mitigating the risk of a key employee leaving the organization.
Proper safety and training initiatives not only protect employees from injuries and keep them on the job; they can also reduce financial losses stemming from workers’ compensation claims. QBE’s McGrath notes that workers’ compensation coverage is often the costliest component of a property and casualty insurance program.
He recalls a loss control survey that QBE performed for a coffee manufacturer, which revealed that workers were engaged in manual lifting tasks—loading tall plastic silos in a tight space using heavy equipment and moving 150-pound bags of coffee beans—that were a leading cause of sprains and strains among workers.
According to a case study published in 2021 in Middle Market Growth, QBE conducted onsite Job Hazard Analysis supervisory training in response to its findings. The program included a safe lifting program, online courses and ergonomic risk assessments on a variety of tasks. Within about two years, the program cut the coffee manufacturer’s workers’ compensation loss ratio roughly in half, according to QBE.
Riding a Downturn
The risk of a recession or economic downturn emerged as the fourth most-concerning micro risk in QBE’s survey, tied with cash flow and liquidity risk and the loss of a critical supplier or subcontractor.
An economic downturn will likely impact industries differently—some B2B businesses will probably feel the effects less acutely than those that serve end consumers, notes Neuman of Lovell Minnick Partners.
Meanwhile, inflation and rising interest rates are expected to dampen M&A volume and prompt additional scrutiny on borrowing. “Businesses, as far as I can see, are going to be forced to work more on the cash that they can generate,” he says.
Slowing economic growth and rising prices will also influence which M&A transactions move forward. “We always underwrite to a recession case. But at the end of the day, when something is looming over the course of the next 24 months, you really start focusing much more clearly on deals that you think could be resilient,” says Dean D’Angelo, founding partner of Stellus Capital Management, a private credit manager that invests in middle-market companies.
That means focusing on companies that are not selling discretionary, durable goods and services that could be affected by a downturn, he adds. Businesses with a variable cost structure versus one that’s fixed are also likely to become more attractive investment targets in this environment.
In recent years, labor and supply issues posed the greatest challenges to businesses, but D’Angelo expects that will shift. “I think we’re working in an environment where demand is going to be a bigger issue. What you really start thinking about and focusing on is that top-line pressure and margin pressure,” he says. If the cash coming in starts to slow, a business will have a revenue issue, he adds, “so you’re going to try to be as competitive as you can and cut costs.”
Report continues below
Too Many Hats
QBE’s survey revealed that, unsurprisingly, executives tend to be most prepared for risks with the highest level of concern; but aside from the top four macro risks, fewer than half of the respondents’ companies have a risk mitigation plan in place.
QBE’s McGrath attributes this to a lack of capacity and expertise. Midsize companies typically don’t have a dedicated risk management department. In the middle market, it’s likely that the chief financial officer also wears the risk manager hat. Or if there is a dedicated risk manager, they’re often a team of one. As for expertise, they may not have the knowledge for navigating risks in particular areas, or for identifying an insurance solution. Financial resources also tend to be a barrier; midsize companies don’t have the same risk management budgets as their Fortune 100 counterparts.
Regardless of the set of risks facing their organizations, business leaders need not go it alone.
Businesses that have received institutional capital have an extra set of eyes to identify risks, starting with due diligence, and a partner to help manage them. “It’s very rare that we will close a deal recognizing there’s a risk without a plan already in place to manage that risk post-close,” D’Angelo says.
For example, Stellus might close a deal where the business needs to diversify its supplier base, but the firm will want to know what concrete steps will be taken post-close to address this issue, he adds.
Another resource for companies looking for help mitigating risk is their insurance carrier.
QBE’s McGrath notes how a loss control specialist can help businesses address risks, including those tied to inflation. Property loss coverage is one example. As property values rise, failing to update the building’s valuation with the insurance carrier can lead to insufficient insurance coverage in the case of a loss.
Midsize business leaders often find themselves drinking from a firehose and doing as much as they can with limited resources. McGrath sees the role of an insurance partner as someone who can say, “‘Hey, I understand your exposure and I understand where you’re coming from,’ because insurance is something that no one wants until they need it,” he adds. “Understanding is the first step, and then working together in partnership to come up with the right solution is that critical second step.”
Katie Mulligan is ACG’s content director, based in Chicago.