Risk Management in the Middle Market!

by | Mar 30, 2020 | Technology

Congratulations on your growth! You now run a business large enough to be targeted by bad guys and you can become a victim of any material internal oversights. Risk management is now “a thing”.

Not convinced? You’re big enough for someone to target you for a cyber attack but too small to have internal cyber expertise. You have enough money in the bank for someone to embezzle, but not enough people to execute true “double authorization” for payments over a certain amount. You have enough people to have meaningful HR issues but don’t have a full EH&S program or HR leaders in every site/location. You’ve signed contracts with vendors whose key terms you can’t recall, and you don’t have all of your agreements in one place or know all of their triggers or nuances. How often do you change passwords? Who has access to personnel data or sensitive files? You get the point.

Welcome to the lower middle market – you’ve punched through the “small business” ceiling but haven’t yet hit “enterprise scale”. While this size range is exciting for many reasons (growth potential, strategic options, growth in profitability, etc.), it clearly has some considerations from a risk management perspective that didn’t matter as much when your business was smaller.

So what are you going to do about it? Here are a few steps to start putting things in place so you (and your investors) can sleep better at night.

1.) What does Cyber Security mean to you?

Cyber security is an area full of folks willing to give you advice or sell you software. The real answer lies in educating your employees, understanding what information or systems are truly critical to your business, having reliable and tested backup or fail-over systems where necessary and yes, the right network and device level protection to prevent and/or detect bad guys.

2.) Risk Management and Financial governance

Even if you have an accounting staff of three, you can find ways to ensure that review is given to items that are either substantial or out of the norm. For example, new vendors that are setup should have a distinct process. Payments over a threshold should have secondary review (including a batch of payments that in aggregate exceeds that threshold). Access to online banking tools should be strictly given to those who need it and the permissions within that account access should fit the role of the individual using the system. Don’t go for the “one size fits all” approach here – it can come back to bite you.
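The controls in this step (a per-payment threshold, secondary review when a batch adds up to more than that threshold so a large payment can’t be split into small ones, and a distinct path for newly set-up vendors) can be written down as a single batch check. The following is an added example, not code from the original post; the threshold, vendor master and sample batch are constructed placeholders, not figures from the post.

```python
"""Payment-approval check for a small finance team (added example).

Encodes three controls: a single-payment threshold, secondary review for a
batch whose aggregate exceeds that threshold, and a separate review path
for vendors not yet in the approved vendor master. All values below are
constructed placeholders.
"""
from dataclasses import dataclass, field

REVIEW_THRESHOLD = 10_000.00  # assumed policy value, not from the post


@dataclass(frozen=True)
class Payment:
    vendor: str
    amount: float
    reference: str


@dataclass
class ReviewResult:
    needs_second_reviewer: bool
    reasons: list = field(default_factory=list)


def review_batch(payments, known_vendors, threshold=REVIEW_THRESHOLD):
    """Return which conditions require a second approver for this batch."""
    result = ReviewResult(needs_second_reviewer=False)
    total = 0.0
    per_vendor = {}
    for p in payments:
        if p.amount <= 0:
            result.reasons.append(f"{p.reference}: non-positive amount {p.amount:.2f}")
        total += p.amount
        per_vendor[p.vendor] = per_vendor.get(p.vendor, 0.0) + p.amount
        # Control 1: any single payment over the threshold needs a second reviewer.
        if p.amount > threshold:
            result.reasons.append(f"{p.reference}: single payment {p.amount:.2f} exceeds threshold")
        # Control 3: a vendor not in the approved master goes through the new-vendor process.
        if p.vendor not in known_vendors:
            result.reasons.append(f"{p.reference}: vendor '{p.vendor}' not in approved vendor master")
    # Control 2: the batch as a whole is reviewed against the same threshold.
    if total > threshold:
        result.reasons.append(f"batch total {total:.2f} exceeds threshold")
    # Several sub-threshold payments to one vendor in one batch look like a split payment.
    for vendor, amt in per_vendor.items():
        if amt > threshold and not any(p.amount > threshold for p in payments if p.vendor == vendor):
            result.reasons.append(f"vendor '{vendor}': {amt:.2f} across several sub-threshold payments")
    result.needs_second_reviewer = bool(result.reasons)
    return result


# Constructed sample data: an approved vendor master and one payment batch.
KNOWN_VENDORS = {"Acme Supply", "Northwind Freight"}
SAMPLE_BATCH = [
    Payment("Acme Supply", 4_000.00, "INV-1001"),
    Payment("Acme Supply", 4_500.00, "INV-1002"),
    Payment("Acme Supply", 3_000.00, "INV-1003"),
    Payment("Fresh Vendor LLC", 2_500.00, "INV-1004"),
]

if __name__ == "__main__":
    outcome = review_batch(SAMPLE_BATCH, KNOWN_VENDORS)
    print("second reviewer required:", outcome.needs_second_reviewer)
    for reason in outcome.reasons:
        print(" -", reason)
```

No single payment in the sample batch crosses the threshold, yet the batch is flagged three times: the batch total exceeds the threshold, the three Acme Supply payments together exceed it, and Fresh Vendor LLC is not in the vendor master. That is the point of reviewing aggregates rather than only individual lines.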

3.) Access controls matter

In addition to banking and financial access, information access matters. There are likely key pieces of information within your organization (compensation data, key contracts, HR documents, etc.) that should be carefully monitored to see who has access and who does not. This may not be as simple as it seems either…while someone in accounting may not have access to the details of your HR information systems, the payroll data in the GL platform may “drill down” to the individual level – just make sure you’ve thought through how secondary systems can access primary data and put the right controls in place.

4.) People stuff – it comes from all sides

Employees are the life blood of any organization. From an HR standpoint, you need guidelines, a handbook, compliance with laws etc. You also need to have an escalation path for how you deal with certain instances of misconduct, the health and welfare of your employees (inside and outside of the office) and specific rules that matter to your industry (IP protection, warehouse safety, training courses on specific topics, etc.). Each of these areas must be considered in a risk management program.

5.) Risk Management of Contracts

You’ve heard the phrase “The Devil is in the Details”…contracts epitomize the use case for those words. Make sure you understand the commercial agreement you are signing up for and that in last-minute or final-round negotiations you didn’t give on something that closed the deal but exposed you to risk. For example, a vendor may give pricing based on some volume commitment but a very different price if that volume is not achieved – those details need to be clear to all and the right commercial decisions should be made before the ink hits paper. The same holds for vendor agreements, real estate leases, etc.

Working with Consultants – a good idea:

To be honest, this is an area where the regulations and the places where you can have “foot faults” likely exceed the abilities of your organization, or at least the bandwidth of your key people at the moment.

This is a time / area where it makes sense to partner with the right consultants who can give you a playbook rather than have you invent one yourself. They can also do the employee training, and they can help you navigate laws that are new or specific to your industry.

The right firm can go soup to nuts on cyber and technology risk management as well, and do it without impairing your bottom line.

Today’s world is such that small companies and large companies are often held to the same standards when it comes to things like protecting customer data and managing internal risk.

Going it alone is a risky path – similar to investing in a new facility or new equipment for your business, think about engaging the right firm as an investment in your growth and long term sustainability.
