The main aim of this review is to identify and evaluate existing SME risk-management frameworks that support business continuity and disaster resilience in LMIC. It also examines how these frameworks help SMEs prepare for, respond to and recover from different types of hazards (De Araújo Lima et al. 2020; Kato & Charoenrat 2018).

Primary outcomes of interest include indicators of business continuity and operational resilience, such as downtime duration (hours or days of disruption), time to restore operations, and preparedness or resilience scores derived from validated assessment tools (Sahebjamnia et al. 2015). Secondary outcomes include broader performance and compliance metrics, such as regulatory adherence, financial sustainability and integration of risk management into strategic planning (Ali et al. 2023; Asgary et al. 2020).

The review focuses on the following five main objectives:

Small and medium-sized enterprises are vital to economic growth, job creation and poverty reduction, especially in developing regions (OECD 2020). However, in many LMICs, they operate in informal economies with limited access to finance, weak regulation, and poor institutional support (Kato & Charoenrat 2018). These challenges make SMEs highly vulnerable to hazards like floods, pandemics, and infrastructure failures, which disrupt recovery and weaken resilience. From a DRR perspective, SMEs are both vulnerable and essential for community recovery (Auzzir et al. 2018; UNDRR 2019). Their lack of preparedness and recovery planning often leads to severe business interruptions, affecting local supply chains, jobs and municipal recovery efforts (Ali et al. 2023; Asgary et al. 2020). Therefore, strengthening SME risk management not only poses a business issue but also forms a part of building local resilience and protecting livelihoods.

Despite the central role of SMEs in local recovery, no consolidated and DRR-oriented synthesis maps and risk-management frameworks are used in LMIC SME settings, nor are they adapted to resource constraints and informality, nor is there any evidence on continuity-related outcomes. This leaves policymakers and support agencies without a clear basis for designing proportionate guidance, incentives and capacity-building that can reduce downtime and improve recovery after disruption.

Many SMEs remain informal, uninsured and disconnected from disaster-management systems (Ali et al. 2023; Asgary et al. 2020). This challenge limits municipalities’ ability to integrate SMEs into hazard and continuity planning. Building SME capacity through training, ISO 31000 guidelines, and local business continuity models can bridge these gaps and improve coordination between enterprises and local authorities (ISO 2018; United Nations 2015). This review applies a DRR lens to explore how SME risk-management frameworks address hazard exposure, preparedness and continuity in LMICs. It maps existing approaches, highlights key gaps and provides insights to align SME practices with local disaster-management goals, thus supporting stronger and more coordinated resilience strategies.

Although risk-management frameworks for SMEs are widely discussed, existing research is fragmented and seldom linked to DRR principles (Ali et al. 2023; Asgary et al. 2020; De Araújo Lima et al. 2020). Most studies focus on financial resilience or operational continuity without connecting these outcomes to hazard exposure, preparedness, or community recovery (Sahebjamnia et al. 2015). Resultantly, evidence on how SME risk-management frameworks contribute to broader resilience strategies, especially in LMICs, remains limited.

Three main gaps stand out. First, the existing research lacks methodological consistency, with studies drawing on varied frameworks such as enterprise risk management (ERM), business continuity management (BCM), supply-chain resilience and cyber-risk governance (Auzzir et al. 2018). Some reviews have compared these approaches to identify common or differing indicators and outcomes. Second, a strong regional imbalance exists. The majority of the studies focus on formal SMEs in high-income countries, while evidence from LMICs is sparse and descriptive (Kato & Charoenrat 2018; OECD 2020). This research gap limits proper understanding of how SMEs in informal economies manage overlapping economic, environmental and technological risks.

Third, few studies measure DRR outcomes, such as preparedness, downtime reduction, or recovery speed (De Araújo Lima et al. 2020; UNDRR 2019). Many studies rely only on financial indicators, overlooking the multi-dimensional nature of business resilience. To address these gaps, the current review develops a systematic evidence map to consolidate existing studies, highlight dominant frameworks and identify research priorities. The evidence map visually summarises frameworks, geographic focus, methodological quality, and outcomes, thereby helping policymakers and researchers strengthen integrated SME-resilience planning (Miake-Lye et al. 2016; Haddaway et al. 2016). This aligns with Jàmbá’s focus on translating disaster-risk research into actionable, evidence-based policy for sustainable development.

This review is guided by the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) 2020 reporting standards and follows established good practices for evidence-based management reviews. A protocol was registered on an open repository (e.g. Open Science Framework platform or OSF) prior to commencing the review, outlining the research questions, inclusion criteria, data sources and analysis plan to ensure transparency and reproducibility (Page et al. 2021; Tranfield, Denyer & Smart 2003). To support transparency, the search date, databases, screening steps, appraisal tools and synthesis approach were reported in a sequence aligned to PRISMA 2020.

An extensive search was performed across major multidisciplinary and specialist databases commonly used in management research, including Scopus, Web of Science, Elton B. Stephens Company (EBSCO host research databases) Business Source, ProQuest, IEEE Xplore (for cyber-risk tools), and EconLit. To reduce publication bias, grey literature was also screened from organisations such as the World Bank, International Finance Corporation (IFC), OECD, United Nations Industrial Development Organization (UNIDO), International Labour Organization (ILO), UNDRR, African Development Bank (AfDB), Asian Development Bank (ADB), national SME agencies, central banks and standards bodies. The search was complemented with Google Scholar (top ~200 results by relevance), citation tracking from key studies, and manual search of relevant special issues (Tranfield et al. 2003).

Both controlled vocabulary and free-text terms were combined to capture relevant studies on SMEs, RM frameworks, and developing-country contexts, with search strings adjusted for each database. The main Boolean structure included the following:

As qualitative and mixed-method studies are common in LMIC SME research, the SPIDER tool (Sample, Phenomenon of Interest, Design, Evaluation, Research type) was also used to guide supplementary searches (Cooke, Smith & Booth 2012). Full database-specific search, necessary strings are provided in Appendix 1.

All records were imported into a reference manager, and duplicate studies and/or data were removed. Screening took place in two stages: In the first stage, titles and abstracts, and in the second stage, full texts were screened, using the defined eligibility criteria. As this was a desktop review, a single-reviewer process was followed, with a 10% – 20% reliability check by a second reviewer on a random sample; any differences were discussed to ensure consistency. Reasons for excluding studies at the full-text stage were documented, and a PRISMA flow diagram is provided in the Appendix/Results (Page et al. 2021). The screening form is available in Appendix 2 (Page et al. 2021; Tranfield et al. 2003).

A standardised extraction form was used (Appendix 3), with 10% of entries double-checked for accuracy. Data fields captured included the following:

For qualitative studies, thematic codes and broader themes were developed using thematic synthesis methods (Thomas & Harden 2008).

This review employed narrative synthesis because of the heterogeneity of designs and outcomes, consistent with established approaches to synthesising complex and diverse evidence (Ogilvie et al. 2008). Findings were grouped by framework family (ERM, BCM, SCRM, Cyber-RM) and mapped to mechanisms (e.g. leadership, learning, finance, digital controls) and outcomes (continuity, downtime and resilience). Where quantitative comparisons were feasible, vote-counting of effect direction (positive/neutral/negative) was applied, complemented by harvest plots to visualise frequency and quality distribution (eds. Higgins et al. 2020). Heterogeneity was addressed descriptively by sector, region and study design; no meta-analysis was conducted due to incompatible metrics.

To maintain a problem-oriented synthesis, the review applied CIMO (Context–Intervention–Mechanism–Outcome) logic (Denyer, Tranfield & Van Aken 2008) and SPIDER for qualitative evidence (Cooke et al. 2012):

Findings are mapped to CIMO elements in evidence tables and the narrative to make causal assumptions explicit (Cooke et al. 2012; Denyer et al. 2008).

Publication bias was reduced by searching multiple databases and including high-quality grey literature. However, language bias is encountered due to English-only inclusion. The single-reviewer workflow was mitigated through calibration and second reviewer checks on a subset. Anticipated heterogeneity in designs and measures was addressed through transparent reporting, sensitivity analysis and evidence mapping. A reflexivity statement acknowledges the reviewers’ disciplinary backgrounds and potential interpretive biases (Page et al. 2021).

This article followed all ethical standards for research without direct contact with human or animal subjects.

After searching sources published between January 2000 and August 2025, the search process identified 2412 records from major databases (Scopus, Web of Science, EBSCO, ProQuest, IEEE Xplore, EconLit) and a further 228 from supplementary sources such as Google Scholar, backwards and forward citation chasing, and institutional repositories. After removing 612 duplicates, 2028 titles and abstracts were screened, of which 1706 were excluded because they were out of scope, did not focus on SMEs or LMICs, or were conceptual papers without clear methods. This left 322 full-text articles to be assessed for eligibility. Of these, 246 articles were excluded, most commonly because they did not focus on LMICs (n = 104), did not address SMEs or did not provide an SME-specific sub-analysis (n = 62), lacked sufficient methodological detail (n = 35) or were unrelated to organisational RM (n = 45).

In total, 76 articles met the study inclusion criteria and were included in the synthesis: 61 peer-reviewed journal articles and 15 pieces of high-quality grey literature. Figure 1 summarises the selection process, illustrating different stages of identification, screening, eligibility and inclusion. The most common reasons for exclusion were: (1) studies focused solely on large corporations, (2) lack of an explicit risk-management framework, or (3) outcomes unrelated to preparedness, continuity or recovery. This systematic approach ensures methodological transparency and replicability, consistent with PRISMA 2020 guidance (Page et al. 2021).

Table 1 provides a summary of the 76 included studies, categorised by region, framework family, methodological design, and quality appraisal tier. The majority of the studies (68%) employed mixed or qualitative designs, whilst 32% applied quantitative or modelling approaches. Geographically, the evidence base remains skewed towards high-income or upper-middle-income countries, with Asia (35%) and Europe (28%) dominating. Only 22% of studies originate from Africa and 10% from Latin America. This regional imbalance underscores the need for greater LMIC representation in SME-resilience research (Ali et al. 2023; Asgary et al. 2020). Framework distribution shows ERM (25%), BCM (30%), SCRM (20%), and Cyber-Risk frameworks (15%), with hybrid or multi-framework models comprising the remaining 10%. Across regions, BCM approaches were most common in Asia and Europe, while ERM and SCRM approaches featured prominently in manufacturing and logistics sectors. In this review, ‘sector’ is used to denote broad areas of economic activity (e.g. manufacturing, services), whilst ‘industry’ refers to more specific segments within a sector (e.g. food manufacturing).

Quality assessment using the Mixed Methods Appraisal Tool (MMAT) and Critical Appraisal Skills Programme (CASP) tools, alongside established guidance for appraising prevalence and observational studies (Barker et al. 2023), indicated that 42% of studies were rated high, 38% moderate, and 20% low quality. Common weaknesses included insufficient triangulation, lack of DRR-aligned indicators and poor external validity. Few studies explicitly reported ethical review or data-sharing transparency, reflecting a need for stronger methodological rigour across SME-resilience research (De Araújo Lima et al. 2020). Quality assessment using tools such as MMAT and the Critical Appraisal Skills Programme (CASP 2022).

To visualise distribution of evidence across framework families, regions, and outcomes, an evidence-map heat matrix (Appendix 1 Figure 2-A1) was developed drawing on bibliometric and mapping approaches commonly used to visualise research landscapes (Van Eck & Waltman 2010). The colour intensity represents the density of evidence, whilst the directional arrows (↑ = positive, → = neutral, = no evidence) indicate the reported effect of each framework on continuity, downtime reduction and resilience outcomes. The map shows that BCM frameworks dominate the literature, especially in Asia and Europe, where evidence for positive continuity outcomes is strongest. By contrast, Cyber-Risk Management (Cyber RM) frameworks remain under-represented, with only a few studies assessing digital resilience in LMIC contexts. Supply chain risk management shows moderate global coverage, largely focused on manufacturing and logistics sectors. Overall, the evidence synthesis reveals a significant imbalance, with limited African and Latin-American representation and a few studies assessing preparedness or recovery as explicit DRR outcomes.

Four thematic insights emerge from the evidence synthesis. Firstly, leadership and organisational learning consistently underpin successful implementation across all frameworks. Secondly, financial capacity remains a limiting factor for SME preparedness and recovery, particularly in LMICs. Thirdly, digital controls and cybersecurity are gaining prominence, though they lack systematic integration into traditional RM frameworks. Lastly, contextual adaptation – the tailoring of global frameworks to local hazards and institutional realities – is weak, calling for localisation strategies in future DRR-aligned SME research (OECD 2020; UNDRR 2019).

The findings suggest that SME risk management in LMICs is best understood as pragmatic and incremental. Small and medium-sized enterprises cannot fully adopt formal ISO or COSO models due to limited resources, but instead they adapt simplified practices such as short risk registers, continuity drills and basic cyber hygiene (Brustbauer 2016; De Araújo Lima et al. 2020). Thai SMEs, for instance, often show partial preparedness without full documentation (Kato & Charoenrat 2018). Turkish SMEs report strong awareness of risks but weaker formalisation (Asgary et al. 2020). South African SMEs face growing cyber risks, but adoption is constrained by high cost and inadequate leadership support (Kabanda et al. 2018).

Although global standards such as ISO 31000 and COSO ERM provide valuable principles, SMEs in LMICs only partially align with them. Leadership commitment and basic monitoring practices are present in some cases, particularly export-oriented SMEs tied into international supply chains (Thun, Drüke & Hoenig 2011). Divergence is most visible in governance structures, documentation, and systematic reporting. These are often unrealistic for SMEs. Instead, staged adoption pathways starting with simple tools and moving towards more integrated practices appear most feasible (Bromiley et al. 2015; Oliva 2016).

External support is critical for scaling SME RM. Financial instruments such as credit guarantees and index-based insurance can reduce barriers while bundling RM training (Ali et al. 2023). Small and medium-sized enterprises agencies and associations can help diffuse simplified templates and provide peer-learning opportunities (Kato & Charoenrat 2018; Thun et al. 2011). Municipal involvement in disaster preparedness and recovery, as evident in Thailand and Tanzania, accelerates SME recovery (Pathak & Ahmad 2016; Sakijege 2024). Digital public goods such as open-source RM tools or cyber hygiene modules can also lower costs and spread adoption (Kabanda et al. 2018).

Future research should address key gaps: Conduct longitudinal and quasi-experimental studies, standardise outcome measures, evaluate cost-effectiveness of RM interventions, test integrated frameworks covering multiple risk domains and expand coverage to informal and women-owned SMEs (Ali et al. 2023; De Araújo Lima et al. 2020; Kabanda et al. 2018; Sakijege 2024; Thun et al. 2011).

In sum, SMEs in developing economies demonstrate resilience through context-appropriate and proportionate RM practices rather than wholesale adoption of international standards. International Organization for Standardization 31000 and COSO ERM remain important benchmarks, but their application in LMICs requires tailoring to local realities. Policy ecosystems and digital innovations can enable adoption, whilst research must close evidence gaps to better guide practice. Ultimately, resilience in SMEs is achieved not through replication of corporate RM systems but through adaptive, dynamic capabilities suited to volatile environments (Bromiley et al. 2015; Oliva 2016; Teece 2007).

For SME owner–managers, incremental steps are most practical: Develop a simple risk register, conduct scenario drills for common hazards, diversify suppliers, adopt affordable cyber controls, and track continuity metrics such as downtime and restoration time (Ali et al. 2023; Brustbauer 2016; Kabanda et al. 2018; Kato & Charoenrat 2018; Thun et al. 2011). These measures, while modest, strengthen resilience and prepare SMEs for scaling up RM sophistication as resources allow.

Based on the evidence reviewed from LMIC contexts, effective SME risk management is best understood as proportionate, staged and context-sensitive, rather than as a rigid compliance exercise. The recommendations are grouped for SMEs themselves, policymakers and intermediaries, and the research community (Ali et al. 2023; De Araújo Lima et al. 2020).

In the longer term, SMEs can progress towards ‘lite’ ISO-aligned ERM by defining risk appetite in plain terms, conducting scenario analyses, digitising monitoring of risks and incidents and embedding continuous improvement cycles. These practices enable firms to approximate international standards in a proportionate way (Bromiley et al. 2015; Oliva 2016).

Policymakers and ecosystem actors can play a catalytic role by lowering barriers and diffusing simplified RM practices. Key measures include subsidising sector-specific training delivered via chambers or Technical and Vocational Education and Training (TVET) colleges, publishing simplified toolkits and templates in local languages, and expanding access to credit guarantees or parametric insurance linked to basic RM documentation (Ali et al. 2023; Oliva 2016). Governments can also strengthen municipal hazard data and early warning systems, ensuring SMEs receive timely information on floods, outages or restoration schedules (Pathak & Ahmad 2016; Sakijege 2024). Procurement systems can reward suppliers with basic RM maturity, diffusing practices through value chains (Thun et al. 2011). Finally, support should target the ‘last mile’ of informal and micro-SMEs with mobile-first tools, waived fees and delivery through associations and women’s networks (Rehman et al. 2020; Sakijege 2024).

Several research priorities emerge. First, there is a need to develop standardised outcome measures (e.g. downtime, supplier stock-out days, cyber incident rates) and publish open datasets that enable cumulative evidence-building (Ali et al. 2023). Second, longitudinal and quasi-experimental designs are required to move beyond descriptive studies and provide stronger causal evidence on survival and performance impacts (De Araújo Lima et al. 2020). Third, cost-effectiveness analyses should be conducted to show the benefits of low-cost RM controls, guiding both policy and SME investment choices. Fourth, sector-specific RM playbooks should be co-designed and tested in areas such as agrifood, construction and retail (Thun et al. 2011). Fifth, implementation science approaches can be used to understand what works, where, and why in LMIC SME settings, particularly under informality (Rehman et al. 2020). Finally, future studies should integrate multiple risk domains – climate, supply chain, and cyber – while prioritising equity through oversampling of women-owned and informal SMEs (Kabanda et al. 2018; Sakijege 2024).

This study contributes to disaster risk studies by providing a consolidated, DRR-oriented synthesis of how risk management and business continuity frameworks are used and adapted by SMEs in LMICs. By applying PRISMA methods alongside an evidence map, the review moves beyond isolated case-based insights and offers a structured overview of what framework families dominate the literature, where the evidence is concentrated, and which outcomes are most consistently reported. The study also advances conceptual understanding by linking SME risk management to continuity and recovery mechanisms that matter in disaster contexts, while making visible the conditions under which particular approaches appear most practical. Importantly, the review highlights policy-relevant gaps and implementation challenges, including the limited inclusion of informal, micro and women-owned enterprises, the scarcity of causal designs and the uneven measurement of DRR outcomes, such as downtime and recovery speed. In doing so, the article provides a clearer foundation for proportionate guidance, support programmes and future research aimed at strengthening SME-resilience as part of broader community and local economic recovery.