Risk, Actions and Behaviours (Part 2)
Hans-Kristian Bryn and Carl Sjostrom
An approach to incorporating risk, actions and behaviours in strategy planning and evaluation in family-owned businesses
In part 2 of this article we address the risk management dimension of our approach to incorporating risk, actions and behaviours in strategy planning and evaluation. This builds on part 1 of the article, in which we addressed strategy, purpose, performance, actions and behaviours as set out in the diagram below:
In this second part of our article, we build on these concepts and add a clearly articulated risk management dimension. The two parts together address the entire approach that we propose and set out a road map tailored to the specific situation of a private and/or family-owned business. However, the approach is equally applicable to public companies if they haven’t reached a stage of maturity where all the elements we discuss are being considered concurrently.
Risk management or Managing uncertainty and volatility
Risk management has become an integral part of business practices in large and complex organisations. However, the terminology of uncertainty, volatility and risk management is not used as extensively in privately owned businesses. The concepts are often applied implicitly and inconsistently rather than explicitly and consistently. Therefore, gut feel and situational context trump a consistent analytical and documented approach. The reasons for this attitude to a key feature of doing business are many; however, it is unlikely that existing family-owned businesses would have been as successful as they have been if risk management did not play its part. On the other hand, they might also have avoided some of the unforeseen ups and downs if they had moved to a more consistent and explicit way of considering the uncertainty (and risk) they face.
As organisations grow, mature, and become more complex in terms of operations and stakeholders, it becomes harder, as described above, to act consistently as decision-making tends to become more devolved. There will also be a broader range of perceptions of what the risk is and how significant it is - this is due to the fact that we all have differing views of the types of risk and magnitude of these: our individual risk perception and appetite. Also, over time, the influence of a founder, for example, will be diluted as new owners or generations begin to share control and organisational complexity increases, hence making it harder to explain with a single message what is and what is not acceptable, and the underlying rationale. It therefore becomes even more important that the organisation defines and communicates the key principles for the types of risk that it is willing to take, how much of the risk is acceptable, and what actions and behaviours are expected to generate sustainable returns for the firm’s owners. In summary, we are looking at risk management from a value protection and value enhancement perspective.
Defining risk and risk appetite
As we have set out in the figure below, risk should not be considered in isolation from the other drivers of corporate performance and value creation. Given the diversity of the stakeholders in complex organisations (owners, management, customers, suppliers, employees and local communities that rely on the business both for employment and for its charitable activities), an articulation of risk appetite is an important underpinning of consistent decision-making. In order to articulate the risk appetite as risk-return trade-offs, it will be necessary to understand the risk preferences of the various stakeholder groups and the extent to which they are aligned or divergent. In summary, the current leadership team and the Board need to actively engage to be able to answer questions such as:
- What are the risks to the achievement of our purpose and strategy?
- What risks are we willing or unwilling to take in order to achieve our objectives and expected returns?
- For those that we are willing to take, what is the risk preference of the various stakeholder groups?
A structured process is required to help management and the owner to articulate their risk preferences (or appetite if you will) for each key risk facing the business. At a minimum, this needs to cover the most important and material risks facing the company. By important and material, we typically mean: “A risk or combination of risks that can seriously affect the performance, future prospects or reputation of the entity. These should include those risks that would threaten its business model, future performance, solvency or liquidity” (Financial Reporting Council, UK).
In order to capture the risk preferences, a three-point risk appetite scale as set out below has proved a very useful tool:
So, what types of risk do we tend to find in each ‘bucket’? Clearly, there is no one-size-fits-all answer; however, we can draw out some observations:
- Risk averse: The risks that would be rated risk averse tend to be those where the organisation would not be rewarded for taking on that risk. For example, Health & Safety, Product Safety and Compliance are risks that might fall in this category.
- Risk neutral: Risks that tend to be rated in this category are often of an operational nature where a clear cost / risk trade-off can be evaluated. Equally, we have observed cyber risk being put in this bracket – partly a recognition that it is too costly to minimise the risk (i.e. being risk averse) and therefore that each additional layer of investment is evaluated on a business case basis. We have often also seen the risk preference for bolt-on acquisitions as being in the risk neutral bucket.
- Risk tolerant: Typically, we find strategic risks, such as organic and inorganic growth, innovation, market entry and transformational M&A in this bucket, as organisations believe that by increasing the exposure in these areas they will benefit from higher, if more volatile, returns.
Overall, no organisation can be risk averse across the entire spectrum of risks and expect to create value for its owners – indeed, it could go out of business due to the cost associated with the controls necessary to be risk averse. Equally, one would not expect owners to bet the farm where there is unlikely to be a positive pay-off for taking the increased level of risk. The fundamental tenet in this article is therefore the call for explicit, consistent and considered evaluation of risk-return trade-offs.
The final step in our approach is then to develop a risk appetite statement based on a comprehensive identification and assessment of the key risks facing the business.
The development of a risk appetite statement requires careful planning and good insight into how the organisation has historically made its risk-return trade-off decisions – both in terms of metrics as well as process and stakeholder engagement.
In our experience, a well-articulated risk appetite statement can be a key tool in:
- The Board / owner defining the risk expectations and hence ‘tram lines’ they expect management to observe
- Giving guidance to management as to acceptable as well as unacceptable risks and exposures
- Allowing stakeholders’ perspectives to be incorporated to ensure that the organisation’s purpose is fulfilled.
However, a clear identification and assessment of the key risks facing the business is a necessary precursor to the risk appetite discussion. In our experience, it is beneficial to take a ‘clean sheet of paper’ approach. This would allow the organisation to consider risk in the context of the purpose and strategy, and consider risk areas such as external, strategic, operational and disruptive as defined below:
The resultant risk profile should by definition cover important and material risks and be a mix of risks that fall into each of the categories in the diagram. Typically, we would expect compliance risks (e.g. compliance with ABC/AML/Modern Slavery) to feature as well as political/economic uncertainty, cyber/data, M&A, Health & Safety etc. However, the risk profile of each organisation is unique and a consequence of the strategy being pursued and executed.
Conclusions
In these two parts of our article, we have argued that as family-owned businesses grow and develop with more complex and decentralised decision-making, a new approach to strategy development and execution is required. We have therefore demonstrated that we can hone the strategy and optimise the quality of the performance delivered by:
- Contextualising strategy and performance outcomes
- Defining and signalling how we want and need managers and employees to act and behave
- Setting the risk boundaries to guide the most effective use of the capital invested in the organisation
It is clear that there is no single ‘silver bullet’ that will address all the issues that impact the outcome of the implementation of a strategy. However, by addressing each element of our proposed approach and their interaction with the other elements, the quality of performance outcomes will be more transparent. We therefore encourage firms to use the proposed approach to incorporate risk, actions and behaviours into their planning to increase their resilience and ability to thrive.
Hans-Kristian Bryn is a senior risk management and governance advisor focused on value enhancement and protection; and
Carl Sjostrom is an independent executive compensation and governance advisor.
This article was first published in Governance (www.governance.co.uk), May 2020 (reprinted with permission).