Financial Poise
Risk Management

Developing A Risk Management System

Most business owners are so busy running their businesses that they don’t have time to think about unlikely events. To protect shareholders, boards and management need to make time to think about the causes, frequency, and severity of unusual events. These risks include regulatory changes, supplier pressures, natural disasters, cyber-security, key man, and technology risks.

Business Leadership and Fiduciary Duty

For a business to endure for decades, the leadership needs to expect and plan for the unexpected.  

Unlike an investment that drives revenue or reduces costs, risk programs are not just about the numbers. It is easier to justify an investment when you can measure the benefit. It is hard to write a check for something unlikely to happen. But that doesn’t mean you should ignore the issue.

The key drivers of an effective risk management system are risk tolerance and judgment, which vary from person to person. A management team may be cohesive and high performing, but that does not mean each person has the same risk tolerance.

ISO31000 is a standard for the development of a risk management system. Large organizations require this kind of standardization due to internal challenges and market forces. But private companies can benefit from a more practical approach.

The Nature of Developing a Risk Management System

Developing a risk management system for a business is a process, not an event. Sometimes, the greatest value is gained from doing the work, not the final outcome. The process of thinking through “what can go wrong?” “how bad can it be?” and “what can I do about it?” is what informs management, and the board, of what they are facing.

Consider these questions as a starting point.

How do we separate the insurable from the uninsurable risks?

Everyone understands insurance. The insurable risks are usually handled by the CFO during the annual review. If there are questions about coverage and deductibles, they may need to go to the board for review. As the insurance industry innovates, it offers new products to cover risks that were previously not covered (e.g., reps and warranty insurance or cyber).

What types of risks should we focus on?

Think about events that may cause a debt default, bankruptcy, a major loss of talent, or brand damage. A 10% drop in revenue is ordinary business. You still need to deal with routine risks, but this conversation is to identify, quantify and mitigate events that are so large that you would not prepare for them in the ordinary course of business.

Who should be included?

Who on the management team can materially contribute to the thought process? The three parts of the process are identifying risks, evaluating the impact, and considering mitigation strategies. You are looking for creative thinkers who can see what is not apparent and who won’t rush to evaluate ideas too early.

Is This a Group or Individual Activity?

Some people do better by starting this as a solo activity and then comparing notes. Others need group interaction to spur thought. Since there are no right answers, think about your corporate culture and the scenarios that will produce the best cross-functional results.

Should People Work Outside Their Area of Responsibility?

Functional leaders are likely quick to make a list of what they are worried about. There are natural frictions within a management team (e.g., sales vs. production). What are the benefits of having leaders examine each other’s areas? Does it provide more insight, or does it trigger challenged relationships? In some cases, this can serve as a good team-building exercise and influence how you design the process.

How Much Time Is This Worth?

Development is an interactive process, the goal being a substantive working document that is thorough, has the approval of the team, and has feedback from the board.

The first time through tends to be the most difficult since, in addition to doing the work, you need to figure out how to do it. Two or three rounds of development should produce a working document, and then maybe one more round before it goes to the board.

After that, the annual review should take an hour or two unless there has been a substantive change in the business or the management team.

How Does This Fit the Timing of Annual Activities?

Annual budgeting, performance reviews, and strategic planning tend to have annual cycles driven by the fiscal year. A risk management discussion is not tied to a specific date. Look at all of the annual events of this type, find a blank spot in the calendar, and think about discussing risk then.

Risk management is an ongoing activity and needs an in-depth review by the board at least once annually.

The hardest part of developing a risk management system is often just getting started.

Even private and family businesses have a fiduciary duty to their shareholders, regardless if they are key executives or minor children. The duty of care is a prime responsibility for all fiduciary directors, regardless of ownership structure. The essence of a director’s duty of care is risk management.


We think you’ll also like:

[Editors’ Note: To learn more about this and related topics, you may want to attend the following on-demand webinars (which you can listen to at your leisure, and each includes a comprehensive customer PowerPoint about the topic):

This is an updated version of an article originally published in February 2019. It has been updated by Daniel Pelland]

©2022. DailyDACTM, LLC d/b/a/ Financial PoiseTM. This article is subject to the disclaimers found here.

About Bruce Werner

Bruce Werner is the Managing Director of Kona Advisors LLC, which provides advisory services to owners and investors of private and family-owned companies. With exceptional experience in finance, strategy, M&A, governance, and succession planning, Kona Advisors creates practical solutions to the most challenging corporate problems. Mr. Werner is an experienced Corporate Director, leading businesses through…

Read Full Bio »   •   View all articles by Bruce Werner »

follow me on:

Article Comments

>