An experienced businessperson and serial entrepreneur and I were talking about risk management. He asserted that he doesn’t think about risk — he just weighs options, considers alternatives and makes his business decisions. Needless to say, I responded that this is exactly what we are talking about: bringing some rigor to this process of trying to avoid “bad stuff” that can interfere with an enterprise’s goals while increasing the opportunities for success. The point of thinking about risk is to enable enterprise leaders to manage downsides and increase upside consequences with lower risk so as to better achieve the enterprise’s goals.
Large corporations appoint chief risk officers, commission risk committees at the board of directors level, and sometimes create internal teams to formalize “enterprise risk management.” Boards of directors of public companies include formal statements about their companies’ approaches to risk management in public reports. But what should a small or mid-sized business do?
I have no doubt that right now many owners, executives and managers are saying, “Leave us alone — we just want to run our businesses.” Here’s the thing: Not taking any risks will put you out of business and not thinking about how to avoid unwanted risks can also put you out of business. Presumably, you’d prefer to avoid both these routes.
RISKS THAT CAN HURT ANY ENTERPRISE
For any and every organization: Be risk-aware. Make sure that you have controls and procedures in place for the handling of money and other valuables. Steps include standard management controls such as requiring dual signatures or electronic authorizations to disburse money, separating duties so that the person authorizing a payment is not also the person issuing the payment, and reconciling bank statements. On May 4, 2017, the FBI issued an alert describing business email compromise as a $5 billion scam in which spoofing emails purport to come from senior executives and authorize money transfers. But establishing and enforcing clear procedures and authorities around disbursements can thwart such attempts.
Make sure that legally required processes and core insurance policies are in place. For example, money withheld from payrolls or collected as sales taxes must be paid in a timely fashion. Meet with a couple of insurance brokers to make sure that the firm is up to date on primary insurance policies such as workers’ compensation, general liability and property coverage. Consider cyber insurance to cover the risk of losses via online operations as well as hacking or other loss of internally held data files. Firms with multiple owners and senior decision makers should price directors and officers (D&O) insurance and key person life insurance policies. Make sure you have more than one person who can cover all core functions, just in case. In a two-person firm this can be hard. In a larger firm, designate key backup responsibilities.
RISKS SPECIFIC TO YOUR BUSINESS
Because the risks relevant to each organization differ from those of every other enterprise, planning how to reduce them will vary as well. All businesses along an ocean waterfront might face equal risk of flooding, but a food stand will lose more merchandise when electricity fails than will a T-shirt store. A business based on personal integrity, such as a medical practice or law firm, likely faces higher cost of reputational damage than, say, a bookstore.
There are a few questions to ask about your enterprise. What are your primary assets and relationships, what are they worth to you, do they have value to others, what would happen if they were lost or compromised? How are these primary assets — be they physical inventory, customer records, proprietary formulae, reputation, buildings or land — backed up? Insured? Duplicate or triplicate files on site and in remote storage? Physical locks and keys?
CORPORATE CULTURE MATTERS
Do your employees know which risks you want them to take or avoid? This applies to everyone, from core product development and production to internal operations to financial staff to customer service. Do employees report problems, potential problems, or problems avoided? If you know about potential and avoided problems you can change processes to avoid them in the future.
Do company incentives support or undermine your preferences? Just about a year ago, the CEO of Wells Fargo Bank was forced to resign after revelations that thousands of employees, under a pay incentive arrangement that rewarded opening of new accounts, opened as many as two million bogus accounts without customers’ knowledge, in some cases forging signatures. Thus, actions, expectations and rewards that don’t align create unnecessary risk.
DECIDE TO BE A RISK-AWARE AND RISK-SAVVY ORGANIZATION
No owner of a small or mid-sized business will do a risk management review that feels like a paperwork exercise. Large firms can easily make the case to institutionalize review processes and senior committee structures. With less formality, mid-sized and smaller firms can also effectively use risk reviews.
Once a year, have a conversation with all staff or representatives of all departments to identify internal and external factors that have changed and discuss whether these have introduced new risks or opportunities, or both. Gather views from across the enterprise to illuminate risks that senior managers might not see. Ask external advisors and board members to raise issues from their experience that might undermine the firm.
Once a year, ask your insurance carrier to review coverage and services. Every so often — maybe every two to five years — ask another insurer to propose coverage to see if you’ve missed something. Finally, discuss the assessment and steps to address uncomfortable risks with your board of directors.
By being conscious of these risks, considering the tradeoffs and using some risk “treatments,” enterprises can take steps to reduce potential downsides. If you are a sole proprietor of a small enterprise, maybe you can do it all yourself. But why not be efficient and leverage the wisdom of others to make your organization more risk-savvy?
This is the first of a two-part series on risk management for small and medium-sized businesses.
Michele Braun is director of the Institute for Managing Risk in the School of Business at Manhattanville College. She can be reached at Michele.Braun@mville.edu or 914-323-1238.