Most business owners are so busy running their business that they don’t have time to think about unlikely events or manage business risks. How can you think about possible “black swan” events when you are struggling with today’s problems? To protect shareholders, boards and management need to make time to think about the causes, frequency and severity of unusual events. For a business to endure for decades, the leadership needs to expect, and plan for, the unexpected. A risk management plan will help your company do just that.
Unlike an investment, which drives revenue or reduces costs, risk management programs are not just about the numbers. It is easier to justify an investment when you can measure the benefit. It is hard to write a check for something that is unlikely to happen. Consider the difference between buying insurance, backup generators or cyber defenses, when you really want to spend more on marketing and sales.
The key drivers in risk management are risk tolerance and judgment. These vary widely from person to person. A management team may be cohesive and high performing, but that does not mean each person has the same risk tolerance.
In a recent situation, the outside directors led the board through an exercise to define, qualify, rate and rank the major threats to the business. These risks included:
The individual executives had a good grasp of their view of risk, but they had never discussed it as a management team. So while there were a lot of well-formed opinions, there was not a consolidated view, and therefore no action plan. Without a consolidated view, the company could not define the costs and risk/reward of investing in protective measures. They could not develop a risk management plan.
For this company, the first step was to separate insurable from uninsurable risks. The insurable risks had been handled consistently and responsibly by the CFO. The Board reviewed the program and agreed that most of it was appropriate, but wanted to spend more time understanding cyber coverage. Since this is a rapidly evolving area, this effort was needed.
The harder part was to define, rate and rank the intangible risks to the business. This is a classic case of the value being in the process; considerable debate and head-scratching were needed to produce a simplistic-looking outcome.
Over a series of board meetings, and with committee meetings in between, the directors debated the risks across the enterprise, as well as within individual lines of business. A simple rating system was used to force-rank the issues. As this rolled up, it represented the accumulated thoughts and opinions of all of the directors.
Establishing a risk management plan is not enough. It must be continuously managed. The second step is the ongoing monitoring and course corrections needed to keep the risk management system current.
Each quarter, the board takes a deeper dive into one or two specific issues. Over the course of a year, each major risk is thoroughly vetted. Budgets can be set and adjusted based on changing conditions and risk tolerance.
Family and other private businesses still have a fiduciary duty to their shareholders, even if those shareholders are key executives or minor children. The duty of care is a prime responsibility for all fiduciary directors, regardless of ownership structure. Managing business risks is the essence of duty of care for directors.
Make sure you and your directors establish a risk management plan that addresses all of the potential risks and threats to your business. If you are diligent about the process, your company will be protected for years to come.
© All Rights Reserved. June, 2021. DailyDAC™, LLC d/b/a Financial Poise™
Bruce Werner is the Managing Director of Kona Advisors LLC and served as an outside director on private company boards for the last three decades. Kona Advisors LLC provides advisory services to the owners, investors and CEOs of private and family-owned businesses. With deep experience in governance, succession planning, finance, strategy and management issues, Kona…