Tips to Manage Business Risks with Your Board and Management Team

Creating a Risk Management System Requires Communication and Long-Term Commitment

Most business owners are so busy running their business that they don’t have time to think about unlikely events or manage business risks. How can you think about possible “black swan” events when you are struggling with today’s problems? To protect shareholders, boards and management need to make time to think about the causes, frequency and severity of unusual events. For a business to endure for decades, the leadership needs to expect, and plan for, the unexpected. A risk management plan will help your company do just that.

Unlike an investment, which drives revenue or reduces costs, risk management programs are not just about the numbers. It is easier to justify an investment when you can measure the benefit. It is hard to write a check for something that is unlikely to happen. Consider the difference between buying insurance, backup generators or cyber defenses, when you really want to spend more on marketing and sales.

The key drivers in risk management are risk tolerance and judgment. These vary widely from person to person. A management team may be cohesive and high performing, but that does not mean each person has the same risk tolerance.

How to Best Examine Business Risks

In a recent situation, the outside directors led the board through an exercise to define, qualify, rate and rank the major threats to the business. These risks included:

• Regulatory changes
• Supplier pressures
• Natural disasters (or biological ones)
• Cybersecurity
• Loss of a “key man”
• Technology

The individual executives had a good grasp of their view of risk, but they had never discussed it as a management team. So while there were a lot of well-formed opinions, there was not a consolidated view, and therefore no action plan. Without a consolidated view, the company could not define the costs and risk/reward of investing in protective measures. They could not develop a risk management plan.

Step 1: Define, Rate and Rank Company Risks

For this company, the first step was to separate insurable from uninsurable risks. The insurable risks had been handled consistently and responsibly by the CFO. The Board reviewed the program and agreed that most of it was appropriate, but wanted to spend more time understanding cyber coverage. Since this is a rapidly evolving area, this effort was needed.

The harder part was to define, rate and rank the intangible risks to the business. This is a classic case of the value being in the process; considerable debate and head scratching were needed to produce a simplistic looking outcome.

Over a series of board meetings, and with committee meetings in between, the directors debated the risks across the enterprise, as well as within individual lines of business. A simple rating system was used to force rank issues. As this rolled up, it represented the accumulated thoughts and opinions of all of the directors.

Step 2:  Continue Managing Business Risks Each Quarter

Establishing a risk management plan is not enough. It must be continuously managed. The second step is the ongoing monitoring and course corrections needed to keep the risk management system current.

Each quarter, the board takes a deeper dive into one or two specific issues. Over the course of a year, each major risk is thoroughly vetted. Budgets can be set and adjusted based on changing conditions and risk tolerance.

Preparing for the Unexpected is Part of the Board’s Duty of Care

Family and other private businesses still have a fiduciary duty to their shareholders, even if they are key executives or minor children. The duty of care is a prime responsibility for all fiduciary directors, regardless of ownership structure. Managing business risks is the essence of duty of care for directors.

Make sure you and your directors establish a risk management plan that addresses all of the potential risks and threats to your business. If you are diligent about the process, your company will be protected for years to come.

---

[Editors’ Note: To learn more about this and related topics, you may want to attend the following webinars: It’s So Hard To Say Goodbye: Minimizing Risk When Terminating Employees, How to Build and Implement your Company’s Information Security Program and Leveraging & Protecting Trade Secrets in the 21st Century. This is an updated version of an article originally published on February 26, 2019.]

©All Rights Reserved. June, 2021.  DailyDAC^TM, LLC d/b/a/ Financial Poise^TM