Nick Dryden is a Partner in Moore Stephens in Geneva specialising in risk management for international and family companies.
Risk management is no longer the preserve of publicly traded concerns and safeguarding interests means taking a hard look at the programmes on offer
Risk management has been considered by family businesses to be mainly an issue that concerns publicly quoted corporations. Historically this was due to the perception that being private and having family members in the management provided a natural 'hedge' against business risk issues. However changes in legislation and harsher commercial realities are changing this perception.
The excesses of the global stock markets during the 1980s and 1990s produced the traditional legislative backlash, initially in the UK with the publication of a Corporate Governance code and subsequently in the US with the Sarbanes-Oxley legislation. Other countries have established, or are establishing, similar requirements. Embarassing corporate failures are not unique to public companies. The collapse of Barings Bank and the loss of family wealth for the Barings Trust has been well documented.
These new rules have formalised the responsibility of directors with respect to implementing a sound system of corporate governance in their companies. As a result of corporate failures such as Enron, the legislators have increasingly turned to individual corporate officers as the responsible parties to be pursued. Although family companies do not have public shareholders, it is not difficult to foresee increasing litigation from family members who are shareholders against family members who are company officers or directors. Similarly, governments are more aggressively pursuing the officers and directors of a company that has broken local laws or rules. The outcome of these can be substantial fines for the individuals concerned.
Even more serious is the potential threat of jail sentences being handed down by national courts of justice against officers and directors of a company. The increasingly aggressive approach taken by the courts is not just a US phenomenon. In Europe and Asia, Departments of Justice are looking beyond the corporate veil at the officers behind the company's operations. In the long term, whether or not a company is publicly or privately owned, this will be a key issue for any director.
In both situations the objective of a sound risk management process would be to assess the risks the company faces and to provide suitable treatment for these risks. This will provide a paper trail to validate the process the directors have followed to satisfy a key area of their corporate governance obligations.
The second major driver of change has been the increasingly aggressive level of global competition. In previous decades this competition existed but there were substantial local barriers to entry. In addition the timescales involved meant that companies could respond to risks within their normal operational cycle. Today the speed of change means that this is no longer possible. Changes in local rules, technology or competition are more rapid than before and responses cannot be developed within the normal operating cycle. This has become more critical as operational groups are being slimmed down to maintain profitability in the face of expanded competition. In extreme cases failure to anticipate and respond rapidly to these risks can seriously impair or even destroy the value of a family business. For those companies that are nimble, the inverse is also true. Rapid change can generate significant new business opportunities.
The benefit of a sound risk management process is that it identifies upside risks (opportunities) as well as downside risks (hazards) for a family business. The challenge is to identify these new opportunities at an early enough stage to be able to nurture them and obtain competitive advantage before the competition does.
In terms of implementation of a risk management process, the steps to be taken by a family company are similar to those followed by a public company. After defining the business units and their leaders with the board of directors, a risk management specialist sits down with the key business unit leaders and maps out the key risks and lost opportunities in terms of likelihood and probability. A suitable remedy is also highlighted for the risk or lost opportunity identified. This is enlarged upon below.
- Definition of the corporation's strategic objectives by the board of directors. Without a tight definition of the corporate objectives that are clear and well understood by the business unit leaders, a risk management exercise will not be successful. The board also has to define its risk criteria, ie what level of risk it is willing to accept in achieving the objectives they have set.
- Identification of the risks and the sources of the risks the corporation faces in achieving these objectives. It is the responsibility of the business unit leaders to identify and highlight the sources of risks that may affect the achievement of these objectives. These can be both positive as well as negative risks but the identification of the risk is the responsibility of the business unit leader.
- Estimating the probability of a risk occurring during a time period and estimating the consequences of the risk. At this point an assessment of the financial aspect of the risk is calculated. For example, there is a 75% chance of a key supplier failure in the next 12 months, which would cost $10 million in alternative sourcing costs.
- Evaluation of the risks in terms of comparing identified risk exposure against the risk criteria set by the board of directors. By carrying out this process a corporation can identify risks that it is willing to accept as part of normal business and those risks it needs to treat in some way. This will result in risks in small business units being considered as insignificant from an overall corporate perspective. The alternative, significant risks arising in small business units should set alarm bells ringing.
- Choice of risk treatment. There are four alternative responses to a risk – it can be avoided; it can be optimised to minimise the consequences of the risk event crystallising or the probability of the risk event crystallising, it can be transferred to a third party, usually through insurance, or it can be retained. Take the example of a commodity trading dealing room and the risk of a terrorist act. To avoid the risk the company could exit the business, as the profits from the activity are insufficient to compensate for the risk involved. To optimise the risks it could implement stringent security controls and even install duplicate facilities. To transfer the risk it could obtain accident insurance having calculated the losses it would incur. To retain the risk the company makes no change to its operational procedures but may want to check that the profits from this activity against the risks it is taking on.
- Communicating the risks that exceed the risk criteria and their treatment back to the board of directors. It is vital that the board has a reporting facility in place to enable them to view the excessive risks arising from their strategic objectives and to adjust them as necessary for operational realities. This covers both hazards as well as opportunities.
Typically there are less than a dozen key risks that should be monitored by a board of directors on a regular basis. Similarly at the business unit level, the unit leader should have a similar number of issues that he or she monitors as well. The important point to note is that it is the business unit leader who is actively anticipating and monitoring key risks in a structured manner and providing appropriate and rapid feedback to the board of directors. Using an existing reporting channel minimises the additional administration required within the company.
In the picture
Family businesses have one extra dimension that needs to be appropriately dealt with by the risk management specialist. There can be a reticence in identifying key risks and lost opportunity. This has to be dealt with to ensure that the complete picture is obtained. More a matter of experience rather than technique, it is a dimension that needs to be identified and addressed during the risk management process.
In a situation like this it is important to have risk specialists that have empathy with the family members concerned. This requires individuals who are perceived to have the necessary level of skill and experience to facilitate the discussions and to extract the key issues.
The use of risk management techniques is spreading from publicly quoted companies to private and unquoted companies as the benefits of a sound risk management process become more generally accepted – as much due to the identification of business opportunity as to the identification of downside risks.