Private companies, like their public company counterparts, are subject to a wide range of risks that could impact their activities and challenge their ability to successfully accomplish their strategies. Unlike public corporations, private firms are not subject to SEC regulations requiring the disclosure of key risks in their financial statements. However, private companies and their boards, whether family-owned, private equity-owned or employee-owned, play just as dangerous a game if they ignore the possibility of such risks and fail to prepare for them. Enterprise risk management (ERM) is a critical function that enables private companies to increase their chances of achieving their goals. While boards and companies often think first about addressing negative risks (threats) when considering risk management, ERM can also be utilized to take advantage of the opportunities these risks present. A private company’s board plays a critical role in ensuring not only that the company has an effective ERM program, but also that it looks for and acts on opportunities arising from these risks.
How ERM Assists Companies with Their Threats and Opportunities
A variety of risks confront private companies, their directors and their executives. Such risks can be internal or external, and they may be limited to one department, cut across functions or affect the company as a whole. These include natural disasters, competition, customer concentration, technology, supply chain, cybersecurity and more. Ignoring them will not make them go away, which is why a well-led company with an effective board addresses these risks head on through robust processes.
ERM is an effective, disciplined, recurring way for private company boards and executives to analyze both the threats and opportunities that can impact a company’s ability to achieve its strategic, financial and operational goals. Cross-functional internal teams, often combined with a risk management consultant, work together to identify, prioritize and address these risks with the goal of reducing the likelihood of threats and the severity of their impact, when feasible. The magnitude of risk will vary by industry, company size, location, market dynamics and other factors.
Brainstorming is used to create a list of possible risks. This is where the aforementioned composition of the team first becomes important — the variety of experiences and responsibilities reduces the chance that important risks will be overlooked. Next, they prioritize those risks based on their likelihood of occurring and the significance of their impact to the company’s strategy, goals and operations. This allows the company and team to focus limited resources on the risks that deserve the most attention.
Risk management actions include reducing or mitigating the risk, sharing or transferring it, avoiding the risk and accepting the risk. Sometimes, more than one option should be exercised in order to best confront threats. These actions are a key part of ERM.
An often-overlooked aspect of ERM is that risks may not only be accepted, mitigated, avoided or shared, but can also be turned into opportunities.
Consider, in the recent past, the case of insurance companies and the cybersecurity risks they and their clients face. Those insurance companies should take appropriate steps to reduce the likelihood and impact of cybersecurity attacks on their own companies and help their clients where feasible as part of their ongoing risk management activities. Insurance companies, of course, insure their corporate and individual customers against a variety of negative occurrences. Sensing the increase in cybersecurity threats and an interest among clients for ways to reduce their financial impact, insurance companies started offering cybersecurity insurance for an additional cost, either stand-alone or along with business or homeowners insurance. A risk became a revenue- and profit-increasing opportunity.
Similarly, there is no shortage of private software companies that, conscious of the risks they and their clients face, have evaluated these cybersecurity risks and seized on the opportunity to add protection to their software offering — either enhancing the value to their customers or allowing those software firms to provide this as an extra cost option.
Risks and opportunities can extend beyond product and service offerings. Competitive risks may create an opportunity to innovate, acquire a competitor or adjacent player, or decide to focus on a different market altogether. Supply chain costs and risks may present the opportunity for vertical integration. A financially troubled customer could be a risk for accounts receivable but potentially an opportunity as an acquisition target.
How can a private company’s board best help the company’s executives identify and take advantage of these opportunities?
The Board’s Role
Respecting its role and that of management, the board should not attempt to run the company’s ERM program. That is the responsibility of the CEO and his or her leadership team. The board should start by working with the owners and the executive team to establish the firm’s risk appetite and approach.
Good governance, including duty of care, means that the board does have responsibility for ensuring the company has a risk identification and management program in place and that it is properly supported by the executive team. The board will want to know that top leadership receives useful risk reports, acts as appropriate, and provides a reasonable level of employee time and funding as needed. The board should also verify the company is engaging in this activity at an appropriate level and frequency.
Many boards will either have a stand-alone risk committee or include that responsibility under the purview of the audit or governance committees. The structure will vary by company size and industry, among other considerations. This committee should, through information provided by executives and through its own questions, understand the risks and the actions taken to address them. Directors, especially those with risk management experience, can suggest enhancements to the risk mitigation program as appropriate to best support and protect the company.
With this information in hand, the board can next collaborate with the leadership team to review the risks and identify where, beyond just threats, there are also opportunities for the company. Directors provide additional value by calling on their experience and insights to ask questions about which of the risks can also be opportunities and then asking executives to analyze those potential opportunities just like they would threats. Questions directors should ask include:
- What opportunity or opportunities does this risk present?
- How significant an opportunity is this?
- What is the likelihood of successfully exploiting this opportunity?
- What steps need to be taken by whom and by when in order to best seize this opportunity?
With this information in mind, executives can then prioritize efforts to seize these opportunities (as they should be prioritizing efforts to address threats) and report this to the board so directors can share their guidance and insights.
Successful risk management not only protects private companies from downside risks but should also guide executives to look at risks as both threats and opportunities. This means exploring the potential for these risks to lead to opportunities that can be used to increase customer satisfaction, capture new markets and improve revenue. By providing corporate governance that guides executives through looking at and acting on both risks and opportunities in a structured, repeatable process, private company directors add value by increasing the likelihood of a company achieving its strategy and seizing those growth opportunities.