Financial Poise

Creating a Risk Management System

Identifying and Managing Risks to Your Business Make It Stronger

Most business owners are so busy running their business that they don’t have time to think about unlikely events. How can you think about possible “black swan” events when you are struggling with today’s problems? To protect shareholders, boards and management need to make time to think about the causes, frequency and severity of unusual events. For a business to endure for decades, the leadership needs to expect, and plan for, the unexpected. A system of risk management will help your company do just that.

Unlike an investment which drives revenue or reduces costs, risk management programs are not just about the numbers. It is easier to justify an investment when you can measure the benefit. It is hard to write a check for something that is unlikely to happen. Consider the difference between buying insurance, backup generators or cyber defenses, when you really want to spend more on marketing and sales.

The key drivers in risk management are risk tolerance and judgment. These vary widely from person to person. A management team may be cohesive and high performing, but that does not mean each person has the same risk tolerance.

[Editor’s Note: For more information on business needs, see Start-Up Businesses: Essential Tips from Experts and Entrepreneurs.]

How to Best Examine Business Risks

In a recent situation, the outside directors led the board through an exercise to define, qualify, rate and rank the major threats to the business. These risks included regulatory changes, supplier pressures, natural disasters, cyber, key man, and technology risks. The individual executives had a good grasp of their view of risk, but they had never discussed it as a management team. So while there were a lot of well-formed opinions, there was not a consolidated view, and therefore no action plan. Without a consolidated view, the company could not define the costs and risk/reward of investing in protective measures. They could not develop a risk management plan.

Step 1: What Are the Risks?

For this company, the first step was to separate insurable from uninsurable risks. The insurable risks had been handled consistently and responsibly by the CFO. The Board reviewed the program and agreed that most of it was appropriate, but wanted to spend more time understanding cyber coverage. Since this is a rapidly evolving area, this effort was needed.

The harder part was to define, rate and rank the intangible risks to the business. This is a classic case of the value being in the process; considerable debate and head scratching were needed to produce a simplistic-looking outcome.

Over a series of board meetings, and with committee meetings in between, the directors debated the risks across the enterprise, as well as within individual lines of business. A simple rating system was used to force rank issues. As this rolled up, it represented the accumulated thoughts and opinions of all of the directors.

Step 2: Continuing Management of Risks

Establishing a risk management plan is not enough; it must be continuously managed. The second step is the ongoing monitoring and course corrections needed to keep the risk management system current. Each quarter the board takes a deeper dive into one or two specific issues. Over the course of a year, each major risk is thoroughly vetted. Budgets can be set and adjusted based on changing conditions and risk tolerance.

Conclusion

Family and other private businesses still have a fiduciary duty to their shareholders, even if they are key executives or minor children. The duty of care is a prime responsibility for all fiduciary directors, regardless of ownership structure. Managing risk is the essence of duty of care for directors.

Make sure you and your directors establish a risk management plan that addresses all of the potential risks and threats to your business. If you are diligent about the process, your company will be protected for years to come.

About Bruce Werner

Bruce Werner is the Managing Director of Kona Advisors LLC and served as an outside director on private company boards for the last three decades. Kona Advisors LLC provides advisory services to the owners, investors and CEOs of private and family-owned businesses. With deep experience in governance, succession planning, finance, strategy and management issues, Kona…
