Why Informal Processes Become Operational Risks

Business process control Kenya IT governance SMEs Operational risk Managed IT Nairobi

Many Kenyan businesses run smoothly — until they don’t. Approvals happen over WhatsApp. Financial sign-offs are verbal. Onboarding relies on whoever is available that week. These informal shortcuts feel efficient in the moment, but beneath the surface they are quietly building operational risk.

In 2026, as Kenyan businesses face increasing pressure from KRA’s digital compliance systems, Data Protection Commissioner (ODPC) audits, and rising cyber threats, the cost of undocumented, personality-dependent processes has never been higher. This article explains what informal processes are, why they become risks, and what business owners in Nairobi and across Kenya can do about them.

“In 2025, supply chain delays cost Kenyan SMEs millions. Personality-dependent approvals and undefined workflows were a key contributing factor — and the problem is getting worse in 2026.”— Business continuity research, East Africa, December 2025

1. What Are Informal Business Processes?

An informal business process is any workflow, approval, or decision that happens outside a documented or controlled system. Common examples in Kenyan SMEs and mid-sized businesses include:

Purchase approvals made via WhatsApp group chats
Staff onboarding handled differently each time, depending on who is available
IT access granted verbally, with no record of who has permission to what
Financial authorisations based on “the director is in today”
Customer complaints resolved by individual staff, with no central log

These processes are not necessarily malicious. They often start as practical workarounds — fast, flexible, and familiar. The problem is that they scale poorly and leave your business exposed.

2. Why Informal Processes Become Operational Risks

2.1 No audit trail, no accountability

When decisions are made verbally or over messaging apps, there is no reliable record. If a financial discrepancy is discovered, or a customer dispute arises, your business cannot demonstrate what happened, who approved it, or when. This is not just an internal problem — it can become a regulatory and legal liability.

With the ODPC now conducting routine audits of how Kenyan businesses handle personal data, an undocumented process is an automatic red flag. Similarly, KRA’s e-invoicing enforcement means that informal financial workflows that were tolerated in the past are increasingly untenable.

2.2 Key-person dependency

Informal processes almost always depend on specific individuals. When that person is on leave, resigns, or becomes unavailable, the process breaks down. Research consistently shows this is one of the leading causes of operational disruption in Kenyan SMEs — not technology failure, but the loss of undocumented human knowledge.

Ask yourself: if your most experienced team member left tomorrow, could your business continue operating without them? If the honest answer is no, you have a process risk — not a people problem.

2.3 Security and access control gaps

Informal IT processes are a direct entry point for cyber threats. When system access is granted verbally, or when former employees retain credentials because offboarding was never formally completed, your business is exposed. In 2026, nearly 79 percent of Kenyan firms expect to increase their security budgets — but budget alone cannot solve a governance problem.

Proper IT governance means documented, enforced processes for who can access what, under what conditions, and for how long. Without this, even the best antivirus software or firewall cannot protect your business.

2.4 Compliance risk is rising

The regulatory environment for Kenyan businesses is tightening. The Data Protection Act, KRA’s integration systems, and sector-specific regulations all require businesses to demonstrate controlled, documented, and auditable processes. Informal workflows cannot meet this bar — and the penalties for non-compliance are real.

2.5 Scaling becomes impossible

Informal processes might work when your team is five people in one office. They collapse when you reach twenty, open a second branch, or begin working with enterprise clients who require supplier compliance documentation. Businesses that want to grow beyond the Nairobi market — regionally or internationally — need process infrastructure that can scale with them.

Key insight for 2026: Operational continuity must be treated as a strategic function, not an emergency response. Businesses that formalise their processes now will have a measurable competitive advantage as compliance requirements and client expectations continue to rise in Kenya.

3. The Real Cost of Doing Nothing

The consequences of informal processes are not always immediate — which is precisely why many businesses ignore them until it is too late. Here is what the research and on-the-ground experience in Kenya tells us:

70 percent of Kenyan SMEs fail within the first three years. Process breakdown is a consistent contributing factor.
A cybersecurity incident traced to an access control failure can cause downtime, data loss, and reputational damage that takes months to recover from.
A single compliance audit failure — ODPC, KRA, or sector-specific — can result in fines, operational suspension, or the loss of a major client contract.
When a key team member leaves and takes undocumented process knowledge with them, the cost to rebuild and re-train far exceeds the cost of documented systems.

4. What Formalising Your Processes Actually Looks Like

Process formalisation does not mean bureaucracy. For most Kenyan SMEs and growing businesses, it means putting in place practical, lightweight systems that capture how work gets done — and making sure those systems are enforced consistently.

The starting points are typically:

Process documentation — writing down the steps, approvals, and responsibilities for your most critical workflows
Digital workflow tools — replacing WhatsApp approvals with tracked, time-stamped digital processes that create an audit trail
IT governance basics — a clear record of who has access to which systems, and a formal process for granting and revoking access
Accountability structures — defined roles for process ownership so no single person becomes a bottleneck or single point of failure

The good news is that you do not need to do this alone. Managed IT services and business process support providers in Nairobi and across Kenya can help you assess where your risks are, design appropriate controls, and implement tools that fit your business — without disrupting daily operations.

Frequently Asked Questions

What is an informal business process?

An informal business process is any workflow or decision that happens outside a documented or auditable system — such as approvals by WhatsApp, verbal authorisations, or undocumented IT access. While convenient in the short term, these processes create accountability gaps and expose businesses to operational, compliance, and security risks.

How do informal processes create operational risk for Kenyan businesses?

Informal processes create operational risk because they lack an audit trail, depend on specific individuals who may leave, and cannot be consistently enforced or audited. In Kenya’s increasingly regulated environment — with ODPC compliance, KRA digital systems, and rising cyber threats — undocumented workflows are a direct liability.

What is IT governance and why does it matter for SMEs in Kenya?

IT governance refers to the policies, processes, and controls that determine how a business manages its technology systems, data, and digital access. For Kenyan SMEs, basic IT governance — documented access control, system usage policies, and incident response processes — is increasingly essential to meet compliance requirements and protect against cyber threats.

How can a Kenyan business start formalising its processes?

Start with your highest-risk workflows: financial approvals, IT access management, and customer data handling. Document the current steps, identify where accountability is unclear, and replace verbal or messaging-based approvals with tracked digital alternatives. A managed IT services provider in Nairobi can help you prioritise and implement these changes efficiently.

How Softlink Options Supports Kenyan Businesses

Softlink Options provides managed IT services and business process support designed for Kenyan businesses of all sizes. We help organisations in Nairobi and across Kenya identify process risks, implement IT governance frameworks, and build the operational infrastructure needed to grow with confidence in 2026 and beyond.

Whether you are dealing with informal approval chains, unclear IT access controls, or undocumented workflows, our team can help you build practical, scalable solutions that meet Kenya’s evolving regulatory requirements.

Talk to our team →

Final Thoughts

Informal processes are not a sign of a poorly run business — they are a natural by-product of growth and the practical realities of running an SME in Kenya. But left unaddressed, they become the operational, compliance, and security risks that slow businesses down, attract regulatory attention, and ultimately limit growth.

The businesses that will thrive in Kenya’s increasingly digital and regulated environment are those that treat process formalisation as a strategic priority, not an administrative overhead. The cost of doing it properly is far lower than the cost of recovering from the risks it prevents.