"You miss 100 percent of the shots you don't take," hockey legend Wayne Gretzky once said, perfectly explaining the necessity of accepting business risk. While Gretzky missed a lot of shots in his long career, he was also the greatest goal scorer in NHL history. Risk and reward are intrinsically linked, and the ability to assess and properly manage business risk is a core management function for any middle market company.
While big companies generally have entire departments devoted to risk management, middle market companies may be more vulnerable because of limited resources available for the task. Additionally, middle market companies have less resources to withstand large failures of risk management. "Big corporations are often better able to absorb the effects of risk exposure" than middle market companies, says Wayne Malgas of Pasco Risk Management.
Knowing what's mission-critical to your middle market business is the foundation of all efforts to define and manage business risk. As consulting firm PWC puts it, "risk assessment should begin and end with specific business objectives that are anchored in key value drivers." Middle market companies generally encounter risk in four areas.
Operational risk. This type of risk is associated with the potential disruption of critical systems, such as IT or supply chain management, as well as the loss of key people. For example, if you're purchasing components from a single supplier and that supplier unexpectedly goes bankrupt, you will be exposed to problems in your production area, your sales area, and more. If an important IT system goes down, you're in a similarly bad operational situation. Compliance with regulations is another area of operational risk, and you'll need to have good control systems (and redundancies) to limit your risk exposure.
Strategic risk. This type of risk is associated with the changing preferences of your customers and your market, which can force you to review the underlying assumptions upon which your strategy was based. In today's fast-paced, competitive landscape, companies need to create structures that support flexibility and adaptability as customer needs and competitors' offerings change. Due to their customer focus and organizational agility, middle market companies often have an advantage here over larger rivals.
Financial risk. This type of risk is connected with your cash flow, debt, investments, exposure to exchange rate/foreign currency fluctuations, and your accounts receivables. You need to monitor these closely and develop contingency plans for various worst-case scenarios. If your biggest customer, for example, is facing financial problems, then you are similarly confronting financial risk. Taking on large amounts of debt also represents risk, as you'll need to get a sufficient return on investment (ROI) to pay off the debt financing and make a profit too.
Economic risk. This type of risk is related to the macroeconomic indicators like unemployment, high interest rates, inflation, and the general level of economic activity. Obviously, your middle market company will face more economic risk during a recession, as overall demand for goods and services drops, so you'll need to develop contingencies as part of your risk-management process.
A Structured Approach to Risk Management, in Five Steps
1. Before starting any business risk-management process, carefully review your organizational objectives and your capabilities. You'll need to focus risk management efforts on the areas and goals that are most important to your middle market business. If you produce goods for a mature market, then operational risks related to your production area may be your biggest risk exposure. If you provide services, then strategic risk related to changing customer demands may be your biggest risk, and you may need to quickly adapt your offerings to a changing market.
2. Identify and describe in detail all possible risks, in each risk-area, that could derail your ability to meet your business goals. The risks need not be obvious, like the failure of a critical IT system, but could be remote and unanticipated too, like the possibility of an electrical fire in a production facility. Get together with your relevant people and brainstorm potential risks, then put them down on paper. After that, explore the potential impact on your business if any particular risk, however remote, actually happens.
3. Rank the risks you've listed and then create a tool or "risk management" document that maps out each risk, its possibility of happening, its potential impact on the business, and what might be done to cover or mitigate the risks. Circulate this document among relevant people and ask for feedback.
4. Mitigate your business risks. Implement internal control systems that reduce the probability of a risk happening or lessen its impact (the way that ceiling sprinklers can stop an electrical fire). Make changes that better control your risk, like multi-sourcing the supply of a critical component. Buy insurance that covers your losses. Seek to transfer risk to outsiders, like suppliers, by altering contracts to integrate and better share risk among the parties.
5. Monitor your risks constantly, report on them, and integrate feedback into a dynamic risk management process. Don't just "do" risk assessment once a year and then file away your plan. Managing risk needs to be an integral part of your decision-making processes and your organizational mindset.
Following the five steps above should give you a framework for managing your business risk. As Wayne Gretzky proved, great performers need to take many shots on goal. The key is not avoiding risks (yes, some shots will be off the mark), but managing them effectively.
Boston-based Chuck Leddy is an NCMM contributor and freelance reporter who contributes regularly to The Boston Globe and Harvard Gazette. He also trains Fortune 500 executives in business-communication skills as an instructor for EF Education.