Private companies face a variety of risks that threaten their ability to achieve their goals. These include geopolitical, cybersecurity, natural disaster, customer concentration, regulatory, competitive, and supply chain risks, in addition to those specific to the industry and company. Unlike public companies, which must adhere to SEC and other government agency risk disclosure requirements (such as describing risk factors in their annual 10-K filings), private companies are subject to no such rules. However, just as a robust Enterprise Risk Management (ERM) program benefits public companies and their stakeholders, private firms and their owners can improve their chance of success by implementing a custom, properly sized ERM program. The Board of Directors plays a key role in the governance of the company’s risk and risk management efforts.
Is Your Company Prepared for the Strategic and Operational Risks that it Faces?
There are a number of risks that a private company’s Board of Directors should ensure are being considered. Operational risks more often come to mind, but strategic risks are at least as important and can often have a more far-ranging impact. Examples of both that apply to a broad range of companies are:
- Customer concentration – what happens if your company’s major customer moves its business to a competitor? What advice do you as a Board Member provide to the executive team to manage this risk?
- Natural disasters – if an earthquake, fire, or hurricane hits an office or factory, is there a back-up plan to continue providing services and serving customers? How will these facilities recover?
- New product development – is the company’s strategy leading it to invest in the wrong technology or product development? What if the company is not investing enough or at all? How does the Board help the leadership assess and address this aspect of strategy?
- Cybersecurity – is the company prepared for the numerous attacks it is likely seeing every day? How do Board Directors best evaluate whether the company’s practices and systems are able to withstand these threats and recover from the attacks that succeed?
- Competitive - how will the actions of existing competitors or the entry of new competitors impact the company’s strategy and financial goals?
If your firm’s Board and Executive team do not have good answers to these “what-if” questions, it is time to look at the company’s risk environment in a more structured manner.
What is ERM?
Enterprise Risk Management is an effective, disciplined way for private company boards and executives to analyze both the negative risks (threats) and positive risks (opportunities) that can determine whether a company achieves its strategic, financial, and operational goals.
Companies create a cross-functional internal team, often working with a risk management consultant, to identify, prioritize, and address risks that could influence the success of company operations or initiatives. Team members from different departments bring heightened awareness of potential risks and the expertise to better assess their impact. For example, including an appropriate representative from the IT department allows the team to better understand cybersecurity and other IT system risks. A risk management consultant can guide the overall process while contributing additional risks and solutions drawn from experience.
The team first identifies the possible risks that the company and its initiatives face, often through a brainstorming session. The next step is to prioritize those risks based on their likelihood of occurrence and the magnitude of their impact on the company if the risk is realized. This prioritization is important because it determines which risks to address first and, for those that score lowest, which not to spend limited time on.
Risk management actions include:
- Reduction or mitigation – implement actions such as backups, inspections, and other controls to reduce the likelihood of the risk occurring or the impact of that risk
- Share or transfer – such as purchasing insurance or contractually shifting responsibility to another party
- Avoid – alter aspects of the initiative or strategy that present the risk
- Accept – determine that the potential benefits outweigh the risk or that the costs of otherwise addressing the risk outweigh the risk itself
- Exploit opportunities – positive risks can lead to identifying opportunities for enhanced growth and customer satisfaction
For example, cybersecurity risk consists of multiple aspects that present different levels of likelihood and impact. Risk management strategies might include cybersecurity insurance (share/transfer the financial impact if this risk materializes; note that insurance does not restore operations or reputation); two-factor authentication for access to software and systems (reduce/mitigate the likelihood of a stolen password becoming a successful intrusion); maintaining backups, including offline copies that an attacker cannot reach from the network (reduce the impact if systems are compromised); employee cybersecurity training (reduce/mitigate the likelihood of the risk becoming reality); and possibly deciding not to install a specific software product that lacks sufficient security protections (risk avoidance).
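The prioritization step described above (score each risk by likelihood and impact, then rank) and the treatment options just listed can be kept in a very small risk register, which is what the article's later remark about spreadsheets amounts to. The following is an added example, not code from the original article or its author. It assumes 1-to-5 qualitative scales, a likelihood × impact score, and that each treatment is expressed as an expected reduction in those scale points; the sample risks, reductions and the risk appetite threshold are constructed for illustration and are not figures from the article. It also goes one step past the text: it computes residual risk after treatment and flags what still exceeds the Board's stated appetite, which is what the periodic review should look at.

```python
"""Minimal ERM risk register: score, prioritize, treat, compare to appetite.

Added illustration, not from the original article. The scales, sample risks,
reduction figures and appetite threshold below are all constructed.
"""
from dataclasses import dataclass

# Qualitative 1-5 scales (assumed; a company substitutes its own definitions).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The five treatment options from the article's list.
TREATMENTS = {"reduce", "transfer", "avoid", "accept", "exploit"}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    treatment: str = "accept"
    # Expected effect of the chosen treatment, in scale points (0 = no change).
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def __post_init__(self) -> None:
        # Reject typos in scale names or treatments before they distort a ranking.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    def inherent_score(self) -> int:
        """Likelihood x impact before any treatment; used for prioritization."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after treatment. Avoided risks are no longer taken, so 0."""
        if self.treatment == "avoid":
            return 0
        l = max(1, LIKELIHOOD[self.likelihood] - self.likelihood_reduction)
        i = max(1, IMPACT[self.impact] - self.impact_reduction)
        return l * i


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest inherent score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda r: (-r.inherent_score(), r.name))


def above_appetite(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose residual score still exceeds the Board's stated appetite."""
    return [r for r in register if r.residual_score() > appetite]


# Constructed sample register mirroring the article's cybersecurity examples.
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts production servers", "likely", "severe",
         "reduce", impact_reduction=3),            # offline backups
    Risk("Credential phishing of staff", "almost certain", "major",
         "reduce", likelihood_reduction=2),        # two-factor authentication
    Risk("Major customer moves to a competitor", "possible", "severe",
         "reduce", impact_reduction=1),            # diversify the pipeline
    Risk("Unvetted software lacking security controls", "possible", "major",
         "avoid"),                                 # do not install it
    Risk("Breach response costs", "possible", "major",
         "transfer", impact_reduction=2),          # cyber insurance
    Risk("Minor office water damage", "unlikely", "minor", "accept"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.inherent_score():>2} -> {r.residual_score():>2}  {r.treatment:<8} {r.name}")
    print("Still above appetite:", [r.name for r in above_appetite(SAMPLE_REGISTER, 9)])
```

Run as a script it prints the ranked register and then the risks whose residual score still exceeds an appetite of 9: in this sample, phishing and customer concentration. Those are the items a Board would expect to see again at the next review with a further action attached, while ransomware, once offline backups are in place, drops below the threshold.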
Effective Enterprise Risk Management is not a one-time event. It requires periodic review, often quarterly or annually, of the risks the company faces and of the effectiveness of the previous risk management actions. This review may bring to light new risks, change the priority order of risks, or identify additional steps to further reduce the likelihood or impact of those risks. In addition, it is important that the team rehearses its responses to simulated risk events, for example in tabletop exercises, so that it is prepared should a risk actually materialize.
Common Misconceptions About ERM
Leaders sometimes incorrectly associate risk management with stopping the company from advancing into new products, markets, and geographies. Risk management does not mean taking no risks, and ERM is not saying no to every opportunity. An effective Enterprise Risk Management program recognizes that starting a company is itself a risk and that many strategies and actions undertaken by a company involve some level of risk. The goal of a customized ERM program is to reduce the impact or likelihood of risk through the methods above, not to prevent strategies from being implemented or actions from being taken.
An effective ERM program for private companies also does not require spending excessive time and money or investing in expensive tools. It should be scaled, in complexity and effort, to fit the company’s size, industry, strategy, and external environment. Often this means using existing resources to lead the effort, perhaps from the quality or financial audit departments, in a part-time capacity. Providing them and the cross-functional team with sufficient training in Enterprise Risk Management is critical to success. Similarly, in most situations there will be no need to invest in costly software tools; a well-designed spreadsheet that records each risk, its likelihood and impact scores, the chosen treatment, and the owner will frequently provide what is needed.
The Private Company’s Board’s Role in ERM
The private company’s Board of Directors is essential for success. The message that risk management is an integral part of the strategy and operations of the company needs to come from the Board and be communicated downward. The Board should emphasize to stakeholders the importance of Enterprise Risk Management for the company’s success and assert its commitment to the process. The Board should also work with the Executive team to establish the firm’s risk appetite and approach. In addition, board governance should include verifying that the company is engaging in this activity at an appropriate level and frequency.
The Board of Directors should not implement the Enterprise Risk Management program itself. However, in keeping with the tenets of good governance the Board does have responsibility for ensuring that such a program is in place, is effective, and is provided sufficient time and resources for success.
Effective governance requires establishing a home on the Board for the review of the ERM efforts. This may mean establishing a Risk Committee at the Board level. Alternatively, this could fall under the purview of another committee; some companies have a combined Audit and Risk Committee. Regardless of the specific structure, a summary of the review of the ERM process should be shared routinely with the full board. A board composed of members with experience in different industries and a variety of functional expertise can also ask questions about risks they are familiar with but that may not have been identified by the internal risk team. Including on the board a director (or directors) with Enterprise Risk Management experience provides additional support and expertise for this critical aspect of effective governance.
Private company board members should understand at a high-level what risks are being prioritized and how they are being addressed. The company executive responsible for implementing Enterprise Risk Management should periodically share reports on top risks, the actions and results of risk management, and the effectiveness of the handling of simulated risk events. The private company’s board directors are responsible for understanding these risks, asking insightful questions about threats and opportunities that are presented (as well as those that are not), and suggesting enhancements to the risk mitigation program as appropriate to best support and protect the company.
Successful risk management increases a company’s chance of achieving the strategies it has defined and the associated goals. Company executives should implement the Enterprise Risk Management plan, while Boards of Directors, in order to fulfill their governance role, should validate the effectiveness of the process. Private company board directors can also add value by identifying additional risks and risk mitigation strategies. Together, these two groups can collaborate to identify and implement the best risk management plan for their specific company.
ABOUT THE AUTHOR
STEVEN LUSTIG
Steven Lustig is the founder and CEO of Lustig Global Consulting and an experienced operations executive. He is a recognized thought leader in board governance, risk mitigation, and supply chain, and serves on the boards of Loh Medical and Atlanta Technology Angels. He is an Enterprise Risk Management Certified Professional (ERMCP).