Most large companies have a risk department in one form or another.
This is most often the chief risk officer (CRO). According to Wikipedia, a CRO of a corporation “is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial or compliance-related. CROs are accountable to both the executive committee and the board for balancing risk and reward.” Wow, that is a mouthful!
This approach makes sense for large organizations, but what about the small to midsize companies? In smaller companies, the responsibility for risk management typically falls to the chief financial officer or a senior financial executive. For some risks, this makes perfect sense — mostly around insurance, compliance and other defined risks that can be monitored in a systematic way.
But the greatest risks tend to be those less easily defined, such as cyber, strategic, competitive and executive risk. Most companies that experience massive failure have encountered and unsuccessfully managed one of these ill-defined risks.
In a 2012 Harvard Business Review article, “Managing Risks: A New Framework,” Robert S. Kaplan and Anette Mikes provide an in-depth review of risk management. In particular, they categorize risk into three areas as preventable, strategy and external risks.
Key risk areas
The best way for a small to midsize company to manage its strategic and external risks is to have a board of directors or board of advisers. The board’s primary role is to oversee and challenge the CEO and senior management on the key business risks facing the company. Below is a partial list of some of the areas of risk that should be considered and discussed:
1. Banking. Is the company living within any loan covenants that if called could significantly disrupt the business? Will the bank continue to provide capital for growth if required?
2. Inventory valuation. Write-downs are painful but necessary. While small write-downs can be painful, a large unanticipated one can be fatal.
3. Government compliance. The Environmental Protection Agency, Immigration and Customs Enforcement, Occupational Safety and Health Administration, Department of Health and Human Services and, of course, the IRS can all cause business interruption if not properly managed.
4. Customer concentration. The general guideline is that there is risk in having more than 10 percent of revenue tied to a single customer. Many companies have 30 percent or more and no contingency plan.
5. Distribution network. Do your salespeople control you by controlling/owning the customer relationship?
6. Long-term strategy. Without having a written strategic plan, the business is operating partly in the dark.
7. Single source supplier. If your supplier has a problem, you have a problem.
8. Commodity availability and pricing. What would happen if the main ingredient for your product were unavailable or doubled in price?
9. Natural catastrophe. Weather is unpredictable and can bring disruption to the company operations.
10. Myopic thinking. If there is no diversity of thought within senior management, you will only see what you know.
These are some of the risks that one can be aware of and control. However, an outside event that cannot be controlled could happen. In the investing world it is called a Black Swan event. Sept. 11 and the Great Recession are recent examples. When an external event happens, the real risks inside the company raise their heads and need immediate attention.
Having a board comprised mostly of outside independent people that are engaged can considerably lower the risk profile of the firm.
Ideally a company’s independent board members:
1. Have worked for a company that is two times larger than your company so they have traveled the path you are on.
2. Have a strong financial acumen.
3. Have specific experience that is key to the company (operations, sales/marketing, development, executive).
4. Know your industry or at least will be able to get smart quickly.
5. Are collaborative in a positive fashion to challenge and support the company.
6. Are willing to do more than just attend board meetings; they should be able and willing to help the company achieve its goals through advice, introductions, etc.
The biggest advantage of a strong independent board is managing strategy risks. Too often we see the day-to-day details and issues facing CEOs and their management teams create a “can’t see the forest for the trees” scenario that increases organizational risk. Outside advisers or directors, thoughtfully and strategically recruited, are focused on the forest, maximizing upside and minimizing downside. A strong independent board is a huge hedge against the variety of risks an organization faces.