Company risk management [ULTIMATE GUIDE]

Joseph Chamberlain, a British politician and entrepreneur, made an introduction to company risk management more than 100 years ago:

We are living in most interesting times (…) in which our history was so full, in which day by day brought us new objects of interest, and, let me also say, new objects for anxiety.

As early as 1898, when he said those words, people knew that the future could bring many threats worth anticipating today. The present times also harbor many things that we can be anxious about.

While it’s impossible to predict and prevent every adverse condition, you can take steps to build a more resilient company. This will help you feel more secure and less vulnerable to potential risks.

Monitoring is the basis of company risk management

By concentrating on a few critical risks, you can avoid the overwhelming task of monitoring numerous risks simultaneously. This approach allows you to maintain a sense of control and effectively manage the risks that could potentially have the most significant negative consequences for your company.

For example, from this perspective, it’s not worth worrying about general employee turnover. Still, you should be concerned about what will happen when those employees who are most crucial to your business leave.

Don’t assess risk, assess consequences

Instead of solely estimating the likelihood of a risk, which can often be unreliable, it’s crucial to assess the potential consequences of individual risks. Focusing on the severe consequences, even if they seem unlikely, can help you feel more prepared and less uncertain about the future of your company.

An example that will surely stick in the memory of anyone who sold fast-moving products in the UK at the time of Brexit: you don’t want to calculate the risk of someone not unloading a truck. You want to calculate the consequences if someone fails to do so once. And what would happen if the situation repeated itself? What if half a million trucks remain unloaded for six months?

Calculating risk is about ensuring we can still live tomorrow.

Why is company risk management so tricky?

Calculating risk based on historical data makes no sense.

Imagine that a turkey is born on Thanksgiving Day. For the next 999 days, the world seems like a beautiful place for it. It feels great, and nothing threatens it—indeed, it’s been fed even more in recent weeks! The turkey achieves the highest level of security 999 days after its birth. And on the 1000th day, contrary to all forecasts derived from historical data, it dies. This is the problem of risk management based on historical data.

Flood defenses are built to the height that the water reached during the last flood, plus one meter. Your risk management system must have buffers. It would help if you aimed for higher revenues, more customers, and a diversified portfolio of industries and geographies. You should always have more buffers than you need because this increases your company’s chances of surviving in “interesting times.”

Risk can accumulate over time, even without us realizing it until it explodes. Consider a startup that initially serves 100 clients. The approach to the potential consequences of neglecting cybersecurity will be vastly different when the company starts serving 10,000 clients, 100,000, etc. This is the concept of accumulating risk, and it underscores the importance of proactive risk management.

Many assume that they will address a particular risk “someday”—and for a long time, they succeed with this approach. The problem arises when the time comes to pay the debt. Many people predicted that a pandemic would occur again someday—but nobody did anything about it until we had to.

It’s unknown what is correlated with company risk management and what is not?

Initially, most believed Bitcoin was an uncorrelated asset, so even when stock prices fell, it would still rise or maintain its value. So far, this has proven untrue.

One significant problem with estimating risk is the complexity of our world. We can never be sure whether one thing is somehow related to another in a way we have yet to learn. This means we might only discover many risks when they materialize. For instance, the belief that Bitcoin was an uncorrelated asset was proven untrue when its value was affected by stock market fluctuations. This underscores the need for a comprehensive risk management strategy that accounts for unknown correlations with risk.

How to build a company that’s a bit more resilient to adverse conditions?

We have already established that:

1. It’s easier to estimate the consequences of a risk materializing than the likelihood of it happening—and you should focus on that.
2. You cannot monitor everything—monitor 3-6 risks with terminal consequences for your company.

Additionally, it’s worth adding one more point:

3. In case of problems, respond quickly, but ensure you have ample time to react.

Suppose you run a company in a way that allows you to respond quickly but also gives you a substantial buffer time for response, and you know how to respond well. In that case, you can manage the situation before a sudden shock brings you to your knees. Below are a few tips to help you increase that response time.

Continuously monitor critical indicators for your company

You should know that a storm is coming when the wind shifts, not when the first raindrops fall or when you are already drenched to the bone.

The founders of Casbeg, Bartosz Majewski and Marcin Deręgowski, often joke that they predicted nine out of the last two crises. In this post, you will read about which indicators we monitor and how frequently we monitor them at Casbeg. This real-world example will provide practical insights into applying company risk management strategies in your business.

Ensure the quality of costs and revenues

From a risk management perspective, costs and revenues can differ significantly, even if they look the same in Excel.

From a risk management perspective: Would you prefer an office with a one-month notice period or the same one in a mall with rent in euros and a five-year notice period? Similarly, regarding revenues, how easy is it for clients to cancel your service? Suppose Google suddenly decided to raise the price of Google Workspace. In that case, most companies conducting most of their business in the cloud would first complain and then pay a higher bill.

Diversify

Customers, industries, regions, services.

What percentage of your revenues comes from your three most significant clients, and what would happen if they left? If your primary service is delivering audio equipment for mass events, how did 2020 look for your business? And how would the last few months have been if 80% of your suppliers had come from Ukraine?

In addition to diversifying external areas (customers, sales markets), it also diversifies internally: business lines and geographies.

From a risk management perspective, you want your business to rely on something other than a specific client, service, or country.

Ensure financial predictability

If possible, invoice on short or advance terms. Ensure cash flow security—if a crisis suddenly takes half your clients “overnight”, it would be beneficial if “overnight” meant, for example, “two months” for you.

This article teaches you how to prevent situations where clients do not pay and what to do if this happens.

In the context of financial predictability, it’s also worth:

Collaborating with clients in a subscription model, with upfront payment.
Trading items with short sales cycles (if you have long sales cycles, there is a greater chance that you will run out of cash in your company’s account before you manage to avert the crisis—even if you have a lot of it).

A company is only as strong as its management team

Even if you monitor the suitable risks and have the appropriate buffer in place to allow time for a response, the question remains whether you know how to respond and can do so when a crisis arises.

It is very vulnerable if the organization’s top consists solely of people who only remember growth and good times. I observed this during the entrepreneurs’ protests during the pandemic when a surprising number of entrepreneurs lost their heads. Since 1989, we have had uninterrupted economic growth, and many managers were not mentally prepared for a crisis. It’s hard to blame them. How do you explain a hurricane to someone who has never experienced rain?

Some build shelters when a storm is approaching—and some build windmills. If you have ensured the resilience of your organization, then while other companies are losing value, you go shopping and increase your market share. Risk management is meant to enable you to go on the offensive, not just to lie in wait.

Suppose you don’t face some unforeseen risk exploding in your face every 2-3 years. In that case, the result is significantly faster revenue growth and more stable company profitability.

Services

Company risk management [ULTIMATE GUIDE]

Bartosz Majewski i Agnieszka Polak

Monitoring is the basis of company risk management

Don’t assess risk, assess consequences

Why is company risk management so tricky?

It’s unknown what is correlated with company risk management and what is not?

How to build a company that’s a bit more resilient to adverse conditions?

Continuously monitor critical indicators for your company

Ensure the quality of costs and revenues

Diversify

Ensure financial predictability

A company is only as strong as its management team

Blog

We are happy to share our knowledge - if you want to read more about marketing and sales, take a look at our other texts:

100+ must-read books for entrepreneurs

68 movies and series for entrepreneurs

7 Most Common Product-based business and SaaS Pricing Mistakes