People start a business for many reasons. Some do it out of sheer passion, while others do it to create wealth and economic growth. Yet, underlying it all is a willingness to take risks. Entrepreneurs and established companies make risky decisions every day in the hope that those risks will translate into better opportunities, better performance, and greater profitability. However, as we all know, too much or too little risk can be a bad thing. So, how do you find the middle ground? How do you effectively balance risks and rewards for optimal success? In this regard, I believe a lot of great advice can come from your board of directors.
Many startups choose not to establish a board of directors until a few years down the line. However, I’ve found that the startups that grow the fastest are often those that built a good board of directors as soon as they started their business. Having a board helps you keep your eye consistently on the strategic aspects of your business which, in turn, helps you attract investors and customers. What’s more, a board, being responsible for corporate governance, plays a major role in ensuring that your risk management program is as robust as it needs to be.
A few weeks ago, I had the pleasure of joining a boardroom panel discussion at the MetricStream GRC Summit 2016 in Washington, DC, on the subject of “Leading with Governance, Risk, and Compliance.” With me on the panel were eminent business and government leaders, and board directors: Kenneth Bacon, Co-Founder and Managing Partner, RailField Partners, Board Director at Comcast; Rodney Slater, Partner, Squire Patton Boggs, Former United States Secretary of Transportation, Board Director at Verizon Communications; and Candace Duncan, Former Managing Partner at KPMG, Board Director at Discover Financial Services, FTD Companies, and Teleflex.
The panel, which was moderated by Bill Coffin, Editor in Chief of Compliance Week, shed some light on what companies – both large and small – should be doing to effectively balance risks and opportunities. Here are some insights and key takeaways from the discussion:
The Top Risks Keeping Boards Up at Night
While companies are getting better at managing operational risks, the primary concern for many boards is controlling external risks – whether they be geopolitical uncertainties, changes in buyer behavior, financial volatility, regulatory changes, or cybersecurity risks.
Kenneth Bacon added, “An opportunity that presents a lot of risks is what I call the democratization of technology. There was a time when all the data in a company was centralized and controlled by a few people, and the velocity of information was relatively slow. So it was easy to control things.”
Today, however, the situation is different. Now, many more employees have access to confidential information about the business. “What’s to stop them from leaving their iPad on the plane or talking about things with their neighbor?” asks Bacon. Something as simple as an open calendar can be manipulated for information if it falls into the wrong hands.
“So on one hand, you have this need to be faster and spread out technology, but the more you do it, the harder it is to control the risks associated with all that information floating around the company,” he remarked.
These risks become increasingly challenging to manage as the company grows. However, even in a small startup, there are many risks that matter – such as hiring the wrong leaders, not getting sufficient investor support, or lacking a competitive advantage. Then there are product risks (can we translate our vision into a successful product?), market risks (do we have customers who are willing to buy our product?), and cash risks (can we generate enough money to self-sustain the business?).
Mitigating Risks and Seizing Opportunities
Given the range of risks that affect both large and small companies, here are four best practices to effectively balance downside risks with the upside risks, from the board’s perspective:
1. Give Risk and Compliance Professionals a Seat at the Table
Unlike traditional risk and compliance management – which was largely a retrospective look at the risk incidents that occurred – today, boards and C-suite executives want to spend more time looking ahead at what risks could occur, what can be done to keep them in check, and, more importantly, what can be done to transform them into opportunities.
The best people to answer these questions are risk and compliance executives, which is why it is so imperative that they be included in board discussions. Noted Candace Duncan, “Compared to ten years ago, there’s now a seat at the table for the risk and compliance individual. That individual is there to not only help protect and prevent, but also encourage the strategy.”
2. Ensure that Risk Information is Communicated to the Board in a Simple Manner
Once risk professionals have a seat at the table, the onus is on them to report risk data to the board as effectively as possible. Remarked Duncan, “It can be very difficult boiling down what you and your team have spent thousands of hours on, into a 15 minute presentation. But keep it simple. Make sure that what you’re presenting is efficient and effective for that board member…What do you want us to learn from this information and how do you best share it? It isn’t easy to do, but putting effort and energy into that can be very helpful.”
It’s also important to set a context for the issues that are reported. Are they big or small? Which part of the business do they affect? What will be done about them? The truth is that board members may not be aware of the ins and outs of risks. They need clear, comprehensive information to make decisions.
3. Pay Attention to How Other Companies Tackle Risk
Sometimes, the best way to decide whether or not to take a risk is to look at how other companies are doing it. Bacon observed, “One thing that companies often neglect is the competitive element. If there’s a risk, and you’re pointing it out to me, I want to know what my competitors are doing. Are they taking the risk or mitigating it? If you tell me not to take this risk, but my competitors are taking it, I need to know that… Risk doesn’t exist in a vacuum. Sometimes, it’s relative.”
Bill Coffin reminded us that the biggest risk can be not taking a risk at all. And that information also needs to be communicated to the board, so that they can choose how to take risk intelligently, and manage it well.
4. Implement an Effective Risk Management Framework
Incidents like the Panama Papers leak and even the upcoming presidential elections are poised to trigger significant regulatory changes that may bring some serious risk and compliance challenges. So, it’s important for boards and the C-suite to get back to the basics and make sure that they have the right risk management framework in place. Scenario planning also helps you prepare to respond effectively to a potential risk.
“I would add that one thing to do is to get the issue of risk and risk mitigation on the strategy agenda,” said Rodney Slater. “Generally, a strategy session stretches across 2-3 days, and gives you the time to sit, digest, contemplate, and respond to risk data. That’s better than a board meeting where you’ve got a number of things to get through.”
In an increasingly volatile and regulated business landscape, the board of directors is no longer just an oversight function, but an active participant in building a risk-intelligent organization. However, risk management is ultimately a concerted effort. Therefore, risk and compliance professionals must engage in board discussions, communicate risk intelligence effectively to support decision-making, learn from how other companies manage risks, and ensure that robust processes and controls are in place to balance risks and opportunities.