Practical financial risk management for small businesses
Most small businesses do not fail for lack of ideas; they run out of cash or are hit by predictable, unmanaged risks such as late payments, payment fraud, and rate or currency shocks.
Introduction: Control financial risk with a 90-day plan
I believe you can address the few risks that cause most financial failures with a focused 90-day playbook. The two core tools are a weekly 13-week cash-flow forecast and a one-page risk register with key risk indicators, thresholds, and escalation rules. The guidance aligns with ISO 31000 principles and COSO enterprise risk management concepts but is simplified for busy owner-managers and finance leads.
The lens is UK-first but globally useful, with callouts for U.S. landlord obligations under the Fair Credit Reporting Act and Queensland project trust-account compliance in Australia. Roles are explicit: the owner or managing director sponsors, the finance lead runs cadence and reporting, and the external accountant or adviser provides challenge and specialist input. Within 90 days you should have a 13-week cash model, a simple risk register, a minimum liquidity policy, and a monthly risk huddle cadence with key risk indicators and escalation thresholds.
Why risk management matters now: Cash buffers and fraud pressure are rising
The numbers quantify the urgency. The median U.S. small business holds roughly 27 days of cash buffer, and a quarter have 13 days or fewer, based on JPMorgan Chase Institute analysis of 597,000 firms. This leaves little room for late payments or shocks.
In 2025, 62% of UK small businesses reported being owed money from unpaid invoices averaging £21.4k each, with 11% of invoices more than 30 days overdue. That directly lengthens Days Sales Outstanding and drains runway.
UK payment-fraud risk is rising. The Payment Systems Regulator’s mandatory Authorised Push Payment scam reimbursement regime for Faster Payments took effect on 7 October 2024, sharing reimbursement 50:50 between sending and receiving payment service providers (PSPs). This increases process expectations and scrutiny on your controls.
External finance usage is climbing: the British Business Bank reported record UK asset-finance new deals of £23.5bn in 2023 as firms turned to credit cards, overdrafts, and asset finance to bridge cash pressures. Treat financing decisions as part of financial risk management for small businesses rather than last-ditch fixes.
What “good” looks like for SMEs: Link risk, strategy, and cash decisions
ISO 31000:2018 provides principles and a process for establishing context, assessing risk, selecting treatments, and monitoring; it is guidance, not a certifiable standard. COSO’s 2017 enterprise risk management (ERM) framework emphasises integrating risk with strategy and performance. For SMEs, this means aligning risk appetite and key risk indicators with the 13-week cash model and budgeting decisions.
Adopt a minimal governance cadence: a monthly risk review chaired by the owner or managing director, an assigned owner for each top risk, and quarterly oversight from a non-executive, mentor, or external accountant for challenge and accountability. Key terms you will use include risk appetite (the level of risk you are willing to accept to achieve objectives, such as minimum runway of six weeks), key risk indicator or KRI (a measurable signal that a risk is rising, for example the percentage of invoices over 30 days overdue), and inherent versus residual risk (exposure before controls versus after controls and treatments are applied).
Build your risk register in 60 minutes: Focus on the few risks that matter most
Stand up a one-page risk register quickly, focused on the six to eight financial risks that matter most. Start with these categories: cash flow and liquidity, receivables and credit, payables and supply chain, payment fraud and cyber, interest rate, foreign exchange (FX), and one sector-specific item such as construction trust-account compliance. Use a simple schema: risk, cause, key risk indicator, appetite or limit, trigger threshold, treatment options, owner, due date, and status.
Keep it on one page and review it monthly.
Example KRIs include cash buffer days; Days Sales Outstanding (DSO); percentage of invoices over 30 days overdue; percentage of supplier bank-detail changes independently verified; percentage of next-90-day FX exposure hedged; percentage of payroll covered by cash plus undrawn facilities. Brainstorm risks by scanning the last 12 months’ surprises such as late payers, price hikes, or fraud attempts. Prioritise by financial impact and likelihood, and pick the top six to eight to manage actively.
Select a numeric indicator and a limit for each risk, for example invoices over 30 days overdue less than or equal to 10%. Define a trigger level that forces predefined actions; if the value rises above 15%, pause non-essential spend and start a collections sprint.
13-week cash-flow forecast: Turn numbers into concrete funding and spending decisions
Your 13-week cash forecast is the operating system that turns risk data into decisions. Build columns for weeks one to thirteen and rows for opening cash; receipts by customer cohort (contracted, expected, uncertain); disbursements including taxes, payroll, rent, and debt service; ending cash; runway; and variance to the prior week.
Formulas to include: cash buffer days = average cash balance ÷ average daily cash outflows; runway in weeks = ending cash ÷ average weekly cash burn; and a simple debt-service-coverage-ratio (DSCR) proxy = (earnings before interest, tax, depreciation, and amortisation (EBITDA) minus capital expenditure) ÷ total scheduled debt service.
Where you rely on rental or consumer payments, bake credit-quality assumptions into the model as well as timing, and link expected receipts to specific customers, properties, or contracts so weak accounts do not quietly erode your runway. For landlords or equipment lessors, screening new applicants carefully, especially prospective tenants, with a tenant background check gives you more realistic cash-flow forecasts by reducing the odds of arrears, defaults, and legal disputes.
Cadence matters. Roll the forecast forward every week, lock the prior week’s actuals, annotate variances such as a late payer, an FX move, or a rate reset, and document decisions taken so learning compounds. Segment customers by likelihood and require named owners for top-10 accounts.
Separate unavoidable from deferrable outflows, and tie debt-service lines to reset dates and covenants. Forecast dips should trigger actions like collections sprints, negotiating terms, or drawing facilities. Record what you tried and the impact to refine playbooks.
Set a minimum liquidity runway such as six weeks or greater of cash plus committed facility headroom based on risk tolerance and seasonality. Escalation triggers: below four weeks, freeze non-essential capital expenditure and discretionary spend; below three weeks, accelerate collections, draw on committed facilities, consider invoice finance, and throttle inventory purchases. Benchmark against reality: with a median 27 days’ cash among U.S. small businesses, aiming for six weeks gives you margin for late payments, fraud incidents, or one missed payroll cycle while you execute treatments.
Stress-test the policy quarterly by modelling a 20% sales slip, a major late payer, or a 100 to 200 basis-point rate rise to test resilience.
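As an added illustration (not part of the original article), the sketch below rolls a 13-week forecast forward, applies the six-, four- and three-week runway thresholds, and reruns the model under the 20% sales-slip stress. It assumes weekly burn means average gross weekly disbursements and counts committed facility headroom toward runway; the function names and all figures are constructed.

```python
# Added example; all figures below are constructed sample data.
MIN_RUNWAY_WEEKS = 6    # policy floor: cash plus committed facility headroom
FREEZE_BELOW_WEEKS = 4  # freeze non-essential capex and discretionary spend
DRAW_BELOW_WEEKS = 3    # accelerate collections, draw facilities, throttle inventory


def escalation(runway):
    """Map a runway figure (weeks) to the policy's escalation level."""
    if runway < DRAW_BELOW_WEEKS:
        return "draw"
    if runway < FREEZE_BELOW_WEEKS:
        return "freeze"
    if runway < MIN_RUNWAY_WEEKS:
        return "below_policy"
    return "ok"


def assess(opening_cash, receipts, disbursements, headroom=0, sales_slip_pct=0):
    """Roll the forecast forward; return (week, ending cash, runway, level) rows."""
    if len(receipts) != len(disbursements) or not receipts:
        raise ValueError("receipts and disbursements must cover the same weeks")
    # Assumption: weekly burn = average gross weekly disbursements.
    burn = sum(disbursements) / len(disbursements)
    if burn <= 0:
        raise ValueError("no outflows: runway is undefined")
    rows, cash = [], opening_cash
    for week, (r, d) in enumerate(zip(receipts, disbursements), start=1):
        cash += r * (100 - sales_slip_pct) / 100 - d  # stressed receipts
        runway = max(cash + headroom, 0) / burn
        rows.append((week, cash, round(runway, 2), escalation(runway)))
    return rows


def first_week(rows, level):
    """First forecast week at the given escalation level, or None."""
    return next((w for w, _, _, lvl in rows if lvl == level), None)


# Constructed 13-week inputs (not from the article).
RECEIPTS = [20_000] * 13
DISBURSEMENTS = [22_000] * 13
BASE = assess(150_000, RECEIPTS, DISBURSEMENTS, headroom=25_000)
SLIP_20 = assess(150_000, RECEIPTS, DISBURSEMENTS, headroom=25_000, sales_slip_pct=20)

if __name__ == "__main__":
    for row in SLIP_20:
        print(row)
```

With these sample figures the base case stays above the six-week floor for all 13 weeks, while the 20% slip breaches it in week 8, which is the lead time the escalation triggers are meant to buy.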
Credit risk policy you can execute: Standardise how you approve customers and tenants
A five-step workflow reduces bad-debt volatility and aligns with regulatory expectations. Step one: identity and fraud checks using official IDs and out-of-band verification to prevent impersonation. Step two: bureau checks and bank or trade references to grade risk; verify key accounts receivable patterns and bank conduct where feasible.
Step three: affordability (for business-to-consumer (B2C) or tenant cases) using income-to-rent or debt-service ratios; set thresholds such as rent less than or equal to 30 to 35% of gross income. Step four: security options including deposits, co-signers or guarantors, or retention of title; define when to use which and required documentation. Step five: decision memo that states risk grade, limits, pricing adjustments, and review date; store with approvals for auditability.
Document adverse decisions and changed terms. In the U.S., if you take adverse action based on a tenant or consumer background report, you must provide an adverse-action notice with dispute rights under the Fair Credit Reporting Act according to Consumer Financial Protection Bureau (CFPB) guidance.
Record-keeping and periodic reviews every six months ensure terms still reflect risk and that any security, such as deposits or guarantees, remains valid and sufficient. Before approving a lease or renewing terms, run thorough tenant screening through MySmartMove to surface identity, credit, and eviction history; use the results to set deposits or co-signers, and issue an adverse-action notice under the Fair Credit Reporting Act if you decline or modify terms based on the report.
Avoid undocumented exceptions, which create bias and legal exposure; use written criteria and stick to them. Implement risk-based terms: shorter terms or higher deposits for weaker credits; milestone billing and staged deliverables to pull cash forward.
Operational controls include e-invoicing with purchase-order match, clean invoice data, disciplined dunning cadence, and a small-claims or escalation playbook including statutory interest or compensation where applicable. Run weekly dunning with escalating tone and channel (email, call, demand letter). Escalate at predefined ages such as day 35 to legal pre-action to avoid drift.
Sector focus – Australian construction: Use trust accounts and WIP controls to stay solvent
Queensland’s Project Trust Account (PTA) framework under the Building Industry Fairness (Security of Payment) Act 2017 requires eligible projects to use project and retention trust accounts to secure subcontractor payments and retentions; misuse can trigger enforcement. In 2025, the Queensland Building and Construction Commission publicised the first prosecution related to PTAs, with a developer fined AU$150,000 for offences; compliance failures now carry visible consequences.
Integrate PTA inflows and outflows into the 13-week forecast: separate trust balances from operating cash, align subcontractor payment timing with PTA funds, and model retention releases. Combine with work-in-progress (WIP) controls including earned value tracking, scope-change approvals, and margin checks to prevent payroll shocks. Queensland builders can reduce forecasting errors and meet trust-account obligations by working with a Brisbane construction accountant who can align job-costing with cash forecasting so you spot shortfalls before they hit payroll.
Model PTA and Retention Trust Account (RTA) balances separately from operating cash; reconcile weekly to avoid unlawful use. Track earned value and subcontractor commitments so shortfalls are visible at least three weeks ahead; tie to procurement and draw schedules.
Understand thresholds and project categories that trigger PTAs and Retention Trust Accounts and the record-keeping obligations. Non-compliance risks include fines, licence implications, and reputational damage that limits bonding and tendering options.
Payment fraud and cyber controls: A few routines can prevent large, irreversible losses
According to the UK Cyber Security Breaches Survey 2025, 43% of businesses experienced a cyber breach or attack in the past 12 months, affecting an estimated 612,000 businesses; social engineering remains a dominant vector. The new Authorised Push Payment (APP) scam reimbursement regime for Faster Payments, effective 7 October 2024, increases expectations for firms to act prudently; while reimbursement is between payment service providers, your evidence of due diligence, such as verification calls and dual approvals, will matter during investigations.
Core controls include independent callback to verify supplier bank changes; dual approvals above limits; Confirmation of Payee; positive pay and bank velocity limits; quarterly staff simulations; and segregation of duties in accounting software. For incident response in the first 24 hours, freeze payments, contact your bank to initiate recall and fraud flags, and notify counterparties as needed.
Document the timeline, gather evidence such as emails and logs, and report to authorities where applicable; review control failures within a week. Run quarterly simulations and targeted refreshers for high-risk roles including accounts payable (AP), accounts receivable (AR), and executives. Track a key risk indicator of 100% verification on bank-detail changes and strong completion rates for training.
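As an added illustration (not part of the original article), the sketch below turns the core controls above into a pre-release check for outgoing payments and computes the bank-detail verification KRI. The 5,000 dual-approval limit, the field names, the rule that the callback must be made by someone other than the payment's creator, and the sample payments are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_LIMIT = 5_000  # assumed limit; the article does not state a figure


@dataclass
class Payment:
    supplier: str
    amount: float
    created_by: str
    approvers: set = field(default_factory=set)
    bank_details_changed: bool = False
    callback_verified_by: Optional[str] = None  # who phoned a number already on file
    payee_name_matched: bool = False            # Confirmation of Payee result


def release_blockers(p):
    """Return the control failures for a payment; an empty list means release."""
    blockers = []
    independent = p.approvers - {p.created_by}  # segregation of duties
    if not independent:
        blockers.append("no approver independent of the creator")
    if p.amount > DUAL_APPROVAL_LIMIT and len(independent) < 2:
        blockers.append("dual approval required above limit")
    if p.bank_details_changed:
        if p.callback_verified_by is None:
            blockers.append("bank-detail change not verified by callback")
        elif p.callback_verified_by == p.created_by:
            blockers.append("callback must be done by someone other than the creator")
    if not p.payee_name_matched:
        blockers.append("Confirmation of Payee did not match")
    return blockers


def bank_change_verification_kri(payments):
    """Percentage of bank-detail changes independently verified (target: 100)."""
    changed = [p for p in payments if p.bank_details_changed]
    if not changed:
        return 100.0
    ok = sum(1 for p in changed if p.callback_verified_by not in (None, p.created_by))
    return 100.0 * ok / len(changed)


# Constructed sample payments (hypothetical suppliers and staff).
P1 = Payment("Acme Ltd", 1_200, "alice", {"bob"}, payee_name_matched=True)
P2 = Payment("Northwind", 18_000, "alice", {"alice", "bob"},
             bank_details_changed=True, payee_name_matched=True)
P3 = Payment("Northwind", 18_000, "alice", {"bob", "carol"},
             bank_details_changed=True, callback_verified_by="carol", payee_name_matched=True)
```

Storing the returned blocker list alongside each payment decision also gives you the due-diligence evidence that matters during a bank investigation.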
Tools and next steps: Ship working templates in 7 days, then improve them monthly
Use these ready-to-use structures to accelerate execution. For your 13-week cash-flow columns: Week, Opening Cash, Receipts (Contracted, Expected, Uncertain), Disbursements (Payroll, Taxes, Rent, Debt, Other), Ending Cash, Runway (weeks), Variance versus Prior Week. For your risk-register CSV headers: Risk, Cause, Key Risk Indicator, Appetite or Limit, Trigger, Treatments, Owner, Due Date, Status, Notes; include examples for liquidity, receivables, payables, fraud, rates, FX, and sector-specific items.
Glossary: a key risk indicator is a leading indicator of risk; risk appetite is tolerable exposure; Days Sales Outstanding is average days to collect invoices; debt-service coverage ratio is earnings available to service debt divided by debt service; Confirmation of Payee is a name check for bank transfers; PTA and RTA are Queensland project and retention trust accounts. Your 7-day plan: draft the risk register; build week one of the 13-week forecast; agree key risk indicators and limits; run the first cash and credit stand-up; audit vendor bank-change controls; map FX and rate resets; book a 30-day review to test and adjust limits.
Document decisions and store evidence; your future self and your lender will expect a clean trail of what was decided, why, and with what results. Owner or managing director sponsors; finance lead runs the model and key risk indicator pack; external accountant provides challenge and specialist input.
Set calendar invites now for weekly cash reviews and monthly risk huddles. Stand up the cash model and risk register in a shared sheet with edit controls and versioning. Schedule the first risk huddle, assign owners, and start weekly variance notes to build the habit.
In month one, prove the cadence and hit your first key risk indicator targets; in month two, tighten limits and add sector-specific controls; in month three, renegotiate terms and optimise financing based on improved evidence. Keep iterating, because risk management is a habit that compounds results over time.

