Financial Poise

Developing a Risk Management System

Sometimes it feels like your to-do list has become a fractured, sprawling beast daring you to tame it. As priorities compete, new initiatives are put on the table, and fires pop up, entrepreneurship can require nearly superhuman endurance. Unfortunately, this often means that planning takes a back seat to progress.

Most business owners are so busy running their businesses that they don’t have time to think about unlikely events. To protect shareholders and boards, management needs to make time to think about the causes, frequency, and severity of unusual events. These may include regulatory changes, supplier pressures, natural disasters, cybersecurity incidents, concentration risks, key man issues, and technology failures.

Business Leadership and Fiduciary Duty

For a business to endure for decades, leadership must expect and plan for the unexpected.

Unlike an investment that drives revenue or reduces costs, a risk program is not just about the numbers. It is easier to justify an investment when you can measure the benefit. It is hard to write a check for something unlikely to happen. But that doesn’t mean you should ignore the issue.

The key drivers of an effective risk management system are risk tolerance and judgment, which vary from person to person. A management team may be cohesive and high-performing, but that does not mean everyone has the same risk tolerance.

ISO 31000 is the international standard for risk management; it provides principles and guidelines rather than a certifiable set of requirements. Large organizations require this kind of standardization due to internal challenges and market forces. But private companies can benefit from a more practical approach.

The Nature of Developing a Risk Management System

Developing a risk management system for a business is a process, not an event. Sometimes, the greatest value is gained from doing the work – not the outcome. You have to think:

  • What can go wrong?
  • How bad can it be?
  • What can I do about it?

The answers inform management and the board of what they are facing. They won’t cover everything, of course. The following questions could serve as a starting point for developing your own plan.

How do we separate the insurable from the uninsurable risks?

Most understand the basic concept of insurance. Understanding how it interacts with your business’s exposure to risk is a different animal.

The CFO usually handles the insurable risks during the annual review. If there are questions about coverage and deductibles, they may need to go to the board for review. As the insurance industry innovates, it offers new products to cover previously uninsured risks (representations and warranties insurance, cyber liability insurance, etc.). Keep in mind that insurance transfers the financial consequence of an event, not the exposure itself; the underlying risk still has to be managed.

What types of risks should we focus on?

Managing routine risks is a basic part of the job for management. But think beyond that. Consider events that may cause a debt default, bankruptcy, significant loss of talent, or brand damage. You should be prepared to identify, quantify, and mitigate events so large that their consequences fall outside your basic risk management approach.

Who should be included?

Who on the management team can materially contribute to the thought process? The three parts of the process are:

  • Identifying risks
  • Evaluating the impact
  • Considering mitigation strategies.

You are looking for creative thinkers who can see what is not apparent and won’t rush to evaluate ideas too early.

Is this a group or individual activity?

Some people do better by starting this as a solo activity and then comparing notes. Others need group interaction to spur thought. Since there are no correct answers, think about your corporate culture and the scenarios that will produce the best cross-functional results.

Should people work outside of their area of responsibility?

Functional leaders are likely quick to make a list of what they are worried about. There are often natural frictions within a management team (e.g., sales vs. production). What are the benefits of having leaders examine each other’s areas? Does it provide more insight, or does it strain already challenged relationships? Sometimes this can serve as a good team-building exercise and influence how you design the process.

How much time is this worth?

Development is an iterative process, the goal being a thorough, substantive working document with the team’s approval and feedback from the board.

The first time through tends to be the most difficult since, in addition to doing the work, you need to figure out how to do it. Two or three rounds of development should produce a working document. You might need one more round before it goes to the board.

After that, the annual review should take an hour or two unless there has been a substantive change in the business or the management team.

How Does This Fit the Timing of Annual Activities?

Annual budgeting, performance reviews, and strategic planning tend to have annual cycles driven by the fiscal year. A risk management discussion is not tied to a specific date. Look at all of the yearly events of this type, find a blank spot in the calendar, and think about discussing risk then.

Risk management is an ongoing activity and needs an in-depth review by the board at least once annually.

The Best Risk Management Starts Today

The hardest part of developing a risk management system is often just getting the ball rolling.

Even private and family businesses have a fiduciary duty to their shareholders, whether they are key executives or minor children. The duty of care is a prime responsibility for all fiduciary directors, regardless of ownership structure. The essence of a director’s duty of care is risk management.




This is an updated version of an article originally published in February 2019. ©2022 DailyDAC™, LLC d/b/a Financial Poise™.

About Bruce Werner

Bruce Werner is the Managing Director of Kona Advisors LLC, which provides advisory services to owners and investors of private and family-owned companies. With exceptional experience in finance, strategy, M&A, governance, and succession planning, Kona Advisors creates practical solutions to the most challenging corporate problems. Mr. Werner is an experienced Corporate Director, leading businesses through…
