9 9/ Risks

Adapted from Entrepreneurship by Rice University is licensed under a Creative Commons Attribution 4.0 International (CC BY) license.

Source: Anna Nekrashevich .

Mitigating and Managing Risks

Risk management is key to operating any business profitably. There are many risks facing an entrepreneur when starting and operating a new business venture. The trick is to eliminate risks that will hurt the venture, while taking on risks that will provide for long-term profitability. The risks facing the entrepreneur need to identify as part of developing a business plan and revisited regularly in ongoing operations. Preparation for adverse events affecting a new business venture is necessary but being too pessimistic or allowing fear of adverse events to stop an entrepreneur from taking any risk will keep a business venture from achieving it greatest potential and profit.

It is important that an entrepreneur develop an understanding of the risks of the business environment. The risks include liability risks stemming from contracts and torts, sometimes referred to as operating risks, regulatory compliance risks, financial risks, and strategic risks, including taxation. Understanding how the business structure is used to operate the business venture allows the entrepreneur to develop a plan to manage business growth and understand business risk.

Enterprise Risk Management

Profitable ventures develop a strong enterprise risk management program, which is an integrated, cross-disciplinary approach to monitoring risk. An organization needs to look at both long-term and short-term risks at all levels of the organization, and these risks need to be evaluated from all stakeholders’ perspectives and developed into an entity-wide program.

Enterprise risk management attempts to address the specific risks discussed in the preceding section by implementing a risk program that enables a business to identify and manage risk. Specifically, a business will go through a process that involves a multistage process of risk identification, risk assessment, and risk abatement. Examples of risks that businesses face include those from natural causes, economic causes, and human causes.

Natural causes of risk include disasters such as hurricanes and flooding, as well as earthquakes or other catastrophes that result in loss of life and property, as well as business interruption. For example, a business in New Orleans could be flooded by a hurricane. This results in damage to facilities and products and threatens the lives of workers. To counter such causes, businesses need to plan for business continuity, take out comprehensive insurance coverage, and have an evacuation/shut down plan in place.

Economic causes of risk include global events leading to rising prices of raw materials, currency fluctuation, high interest rates, and, of course, competition from other companies in the same industry. An example of this would be unpredictable trade wars with China, leading to tariffs.

Human causes of risk refer to actions by employees, contractors, and those persons over which a company has control. These events can include torts stemming from negligence at work, labour strikes, shortages of qualified trained workers, and corporate mismanagement. An example of this type of risk would include embezzlement of money by an internal financial executive.

Using a comprehensive approach allows a business entity to review and combine all risks into a functional perspective that allows the entrepreneur to evaluate risks and integrate additional risks as different opportunities become more important to the business venture. Businesses sometimes use a risk matrix to assess or characterize the probability and impact of risk (see Figure below). Such a tool can help a business quantify risk and decide whether to undertake an activity based on its level of risk.

Figure 1. Risk Matrix

SOURCE: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Risk appetite is important for a business venture to consider, both when creating its business structure and during ongoing operations. The Table below shows an overview of the considerations a business venture should entertain in both its creation and operation.

Table 1. Risk Appetite84

COSO’s Enterprise Risk Management, Understanding and Communicating Risk Appetite outlines these considerations for assessing a business’s appetite for risk.

This is the basic approach to evaluating a new venture’s appetite for risk. Determining and understanding the risks facing a new venture should start when preparing the business venture’s written business plan and should continue through the operations of the venture.

Legal Risk and Protection

Business operations of any sort need to follow business regulations and laws. Failing to follow business regulations may lead to fines, lawsuits, or even criminal penalties. Legal risk stems primarily from a breach of contract and/or the commission of a tort. Common examples of this type of risk includes product liability lawsuits. These lawsuits are frequently very expensive class action lawsuits or regulatory investigations of dangerous products. There are many famous case examples including automobiles, asbestos, pharmaceutical drugs, breast implants, and airplanes.

Other lawsuits stem from contracts, including borrowing money from a bank. The business has an obligation to pay it back, or it breaches a covenant within a contract. Other common types of contracts are those used in selling services and products, leasing real estate, and other similar contractual obligations.

Because of liability risks, business owners, and investors are always looking for ways to limit their personal liability. Incorporation is a standard risk protection strategy for this potential problem, as are the use of other types of limited liability structures such as LLCs. Partners in GPs and sole proprietors are personally liable for all the debts of the business, even beyond their own investment in the business. A particular challenge for small business entrepreneurs is that even when they form a corporation or LLC, many lenders, landlords, and other entities providing credit to a small business circumvent the limited liability protection by requiring owners and investors to personally guarantee the debts of the business operations. This means that the owner who guarantees the credit will have to pay back the obligation if the business cannot. An owner can get insurance or borrow money for such guarantees. LLCs and corporations protect their owners, shareholders, and members from several tort claims, such as personal injury lawsuits and claims made directly against the organization.

Financial Risk and Protection

An entrepreneur needs money to launch a business, whether that comes as loans from family, their own savings, or investors. The founder will be expected to put their own money at risk, whether as a loan to their own business or equity in their own business. If they do not have any “skin in the game,” then others will not be interested in loaning them money. This means that if the business fails, it will have repercussions for the owner, even if they operate as a corporation or LLC. This is the essence of financial risk: starting a new business with insufficient funds to sustain operations over a period.

Any new business owner needs to have a sound financial strategy as a part of the overall business plan. This should show income projections, the liquid assets that will be required to break-even, and the expected return on investment for all investors in the first five-to-ten-year timeframe. Failure to plan could mean that the entrepreneur risks business closure and bankruptcy, and investors get nothing.

Insurance Protection

Risk management and protection are enhanced with the purchase of different insurance, which involves spreading risk over many people (policyholders). If a company is a corporation, it may need directors’ and officers’ liability insurance to indemnify the directors and officers if they get sued. Another insurance policy many companies get is called errors and omissions insurance, and this insurance coverage protects employees in negligence claims and cases if employee theft. Other types of insurance policies that most businesses carry include automobile insurance, health insurance, property insurance, and cyber/data breach insurance. Insurance coverage for a business venture needs to be specific to the business structure and its operations. Keep in mind that not all risks can be insured against—for example, a poor economy that leads to a loss of business or a critical decision by the owner to enter a market that does not work out.

Information Technology/Cybersecurity for Small Business

Table 2. Small Business Administration Recommendations for Cybersecurity85

According to the SBA, the risk of hacking, ransomware, and customer privacy are equally significant for most small businesses as for larger ones. The SBA has set guidelines related to cybersecurity for entrepreneurs. The SBA recommends the ten-step action plan shown in the table below.

Managing Payment Data

If you operate a small business, are you prepared to deal with hackers who break into your website and steal credit card data from consumers who bought your products online? Small businesses running an e-commerce site must comply with the Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/). This is a regulation that could cause severe legal risk for entrepreneurs if your system is compromised, and credit card data are stolen. Consumers rightfully expect and demand a safe online experience when they visit your site. Have you paid an expert to evaluate your system and install the best security system? It may be costly, but perhaps not as expensive as the damages you could be ordered to pay by a court if credit card data are hacked.

Develop Tactical and Operational Plans

Adapted from Exploring Business by the University of Minnesota is licensed under a Creative Commons Attribution-NonCommercial–ShareAlike 4.0 International License, except where otherwise noted.

The planning process begins at the top of the organization, where upper-level managers create a strategic plan, but it does not end there. The execution of the strategic plan involves managers at all levels.

Tactical Plans

The plan is broken down into more manageable, shorter-term components called tactical plans. These plans specify the activities and allocation of resources (people, equipment, money) needed to implement the overall strategic plan over a period. Often, a long-range strategic plan is divided into several tactical plans; a five-year strategic plan, for instance, might be implemented as five one-year tactical plans.

Operational Plans

The tactical plan is then broken down into various operational plans that provide detailed action steps to be taken by individuals or groups to implement the tactical plan and the strategic plan. Operational plans cover only a brief period, say, a week or a month. At Notes-4-You, for example, note-takers might be instructed to turn in typed class notes five hours earlier than normal on the last day of the semester (an operational guideline). The goal is to improve the customer satisfaction score on dependability (a tactical goal) and, as a result, to earn the loyalty of students through attention to customer service (a strategic goal).

Plan for Contingencies and Crises

Even with brilliant planning, things do not always turn out the way they are supposed to. Perhaps your plans were flawed, or maybe you had great plans but something in the environment shifted unexpectedly. Successful managers expect and plan for the unexpected. Dealing with uncertainty requires contingency planning and crisis management.

Contingency Planning

With contingency planning, managers identify those aspects of the business that are most likely to be adversely affected by change. Then, they develop alternative courses of action in case an expected change occurs. You probably do your own contingency planning: for example, if you are planning to take in a sure-fire hit movie on its release date, you may decide on an alternative movie in case you cannot get tickets to your first choice.

Crisis Management

Organizations also face the risk of encountering crises that require immediate attention. Rather than waiting until such a crisis occurs and then scrambling to figure out what to do, many firms practice crisis management. Some, for instance, set up teams trained to deal with emergencies. Members gather information quickly and respond to the crisis while everyone else carries out his or her normal duties. The team also keeps the public, the employees, the press, and government officials informed about the situation and the company’s response to it (Perkins, 2000).

An example of how to handle crisis management involves Wendy’s. After learning that a woman claimed she found a fingertip in a bowl of chili she bought at a Wendy’s restaurant in San Jose, California, the company’s public relations team responded quickly. Within a few days, the company announced that the finger came not from an employee or a supplier. Soon after, the police arrested the woman and charged her with attempted grand larceny for lying about how the finger got in her bowl of chili and trying to extort $2.5 million from the company. But the crisis was not over for Wendy’s. The incident was plastered all over the news as a grossed-out public sought an answer to the question, “Whose finger is (or was) it?” A $100,000 reward was offered by Wendy’s to anyone with information that would help the police answer this question.

Video 1. BP Oil Spill

(Video Link). The response to the BP oil spill by its former CEO, Tony Hayward, is an example of poor crisis management.

The challenge Wendy’s faced was how to entice customers to return to its 50 San Francisco–area restaurants (where sales had plummeted) while keeping a low profile nationally. It accomplished this by giving out free milkshakes and discount coupons to customers in the affected regions and, to avoid calling attention to the missing finger, by making no changes in its national advertising. The crisis management strategy worked, and the story died down (though it flared up temporarily when the police arrested the woman’s husband, who allegedly bought the finger from a coworker who had severed it in an accident months earlier) (Elliott, 2005).

Even with crisis management plans in place, however, it is unlikely that most companies will emerge from a damaging or potentially damaging episode as unscathed as Wendy’s did. The culprits in the Wendy’s case were caught, and the public will forgive an organization it views as a victim. Given the current public distrust of corporate behaviour, however, companies whose reputations have suffered because of questionable corporate judgement do not fare as well. These companies include the international oil company, BP, whose CEO, Tony Hayward, did a disastrous job handling the crisis created when a BP controlled oil rig exploded in the Gulf Coast, killing 11 workers and creating the largest oil spill in U.S. history. Hayward’s lack of sensitivity will be remembered forever; particularly his response to a reporter’s question on what he would tell those whose livelihoods were ruined: “We’re sorry for the massive disruption it’s caused their lives. There is no one who wants this over more than I do. I would like my life back.” His comment was obviously upsetting to the families of the 11 men who lost their lives on the rig and had no way to get their lives back (The Times of London, 2010).

Then, there are the companies at which executives have crossed the line between the unethical to the downright illegal, like Arthur Andersen, Enron, and Bernard L. Madoff Investment Securities. Given the high risk associated with a crisis, it should come as no surprise that contemporary managers spend more time expecting crises and practicing their crisis management responses.

Footnotes