Rightsizing risk management for your family enterprise

Risk can be scary; risk management doesn’t have to be

October 01, 2020

Carin Robinson - Corporate Governance Director, US Family Enterprises
Belinda Sneddon - Managing Director, US Family Enterprise Advisory Services

The past several months have created new challenges and unanticipated risks for family enterprises. From the health and welfare of their employees to operations and supply chain difficulties to investment and wealth management considerations, many family businesses and family offices are assessing their current risk management protocols and thinking about how they can optimize and “rightsize” them for their particular environment.

Developing and implementing a risk management strategy can be daunting. The idea of building out a whole new function is formidable at any point, but is particularly challenging during periods of transition or instability when resources are often stretched thin. At the same time, it is often during a crisis—external or internal—that gaps in existing risk management processes are exposed. While crises can cause a lot of uncertainty and disruption, they can also present a chance to plan for a better future. Organizations can use these opportunities to take a fresh look at how they think about and manage risk to emerge stronger.

Risk management programs only work if they are sustainable, so it is important to be pragmatic in your design. You don’t want to risk abandoning your plan simply because it seems too hard to implement and monitor.

To that end, outlined below are some foundational elements and leading practices around building and sustaining a rightsized risk management model:

Risk identification: Cast a wide net. Think broadly about the different types of risk (financial, cyber, reputational, regulatory, operational, etc.) that could affect your enterprise and determine whether they are related to internal or external factors or circumstances. Conduct (or update) your risk profile with a view of what has changed in your environment, either temporarily or for the long term. Identifying changes—and the duration of those changes—is important to assessment and mitigation strategies. So:

  • Tap existing resources and expertise within your management team and board

  • Think broadly about risks and how they are interrelated. While what we have experienced in the past six months is arguably a 100-year event, many families have realized that there may be more interdependence of certain risks than they otherwise would have expected. There is plenty of debate as to whether the global COVID-19 crisis is a “black swan” event, but regardless of how you define it, the pandemic has shown that generally uncorrelated risks can be similarly magnified by a single external event.

Risk assessment: In assessing and prioritizing risks, it is important to consider the type of risk, as well as the potential impact (severity) and the likelihood of risk exposure:

  • Prioritize risks by ranking them based on impact and probability. Showing them graphically can help. Here is an example of a risk assessment heat map:

  • Focus on the highest priorities. Generally, your executive team and board (if applicable) should focus on the top 10 risks. This can be accomplished with a defined, repeatable monitoring and reporting format and cadence (see below).
  • Develop mitigation or contingency plans. Not all risks can be eliminated or mitigated, but well-developed plans can help you adapt more quickly to an external, uncontrollable risk. It is also helpful to frame the range of acceptable outcomes or amount of risk that you are willing to take, which can be documented as a risk appetite statement for management and the board. Pre-established guardrails can help foster a more proactive environment where you are ready to respond quickly. Helpful tools include a risk and control matrix to document risks, mitigation controls, and defined Key Risk Indicators (KRIs) and monitoring and testing protocols.

Business integration of risk management: Risk is most effectively managed when it is incorporated into day-to-day activities and integrated into your company’s culture. Embedding risk management and controls into your existing policies, procedures and business processes allows everyone to look through a risk lens. Here are some other ways to further inculcate risk management into your organization:

  • Train your team(s) on how to embed risk management practices into existing processes.

  • Integrate risk into your strategic planning process.

  • Include risk management discussions in appropriate existing forums, for example team meetings or project updates.

Risk monitoring and reporting: Leverage existing governance and reporting frameworks to monitor risks and remediation plans where applicable. When defining your monitoring strategy, make it manageable and measurable. Remember that risk management programs are sometimes abandoned because the effort required to support them is greater than the perceived benefit. Rightsizing your monitoring and reporting strategy is important for sustainability. Consider these two strategies:

  • Technology can be particularly helpful in monitoring certain types of risk. There are some good commercially available solutions for family offices to assess and monitor various investment risks, but availability and frequency of data can vary widely.

  • For many family businesses, a well-designed risk management scorecard highlighting the top priorities and risks for executive management and the board can be a great starting point. For that to be effective, you will need to identify the KRIs associated with your top risks. For instance, if credit risk is a top priority, you may look at charge-offs and delinquencies, whereas KRIs for operational risk could include internal or external fraud, employment practices and systems failures. KRIs should be reasonable to measure and monitor.

Risk culture and communication: Some companies find that once they build out their risk management programs, things don't go according to plan. Key executives or employees may not see the value, or there may be confusion and a lack of excitement. You want to move forward, but you can't get past the initial rollout of the risk assessment. Effective and continuous communication can help drive acceptance of and support for risk management activities. Simple strategies include the following:

  • Consider the different audiences you have to convince and how they fit into your risk framework.

  • Keep things positive by holding open dialogues about what is working well and where additional resources can reduce risks or improve capabilities.

  • Integrate risk orientation and awareness into your existing training and communication protocols.

  • Build specific risk management metrics into performance goals and objectives to promote its importance to the organization—and the need for responsibility and accountability from all parties.

Now is a great time to start assessing—or reassessing—risk. Think broadly about the types of risk you face and where those risks originate. Be thoughtful in how you assess their severity and how you prioritize the top risks to your organization—don’t try to boil the ocean. Make sure to monitor and report on risk management in a way that’s both manageable and measurable, and remember to integrate risk management into your culture.
