Business risk management is the identification, analysis, mitigation, and monitoring of threats to a company’s overall well-being.
Owners and managers manage risks in an effort to minimize or eliminate the damage done from adverse events.
Business risks can be known or unforeseen, probable or unlikely, frequent or rare.
Risks can also manifest inside or outside of the company.
Risks exist everywhere. Even though publicly traded companies are wealthy, powerful, and staffed with (hopefully) some pretty smart people, they are still subject to considerable risk. As an investor in these companies, you need to understand what risks the company you’re analyzing is subject to. Beyond that, hopefully, you can get an idea of how they’re managing those risks.
Fortunately, publicly traded companies all discuss risks, to a greater or less or degree. As part of the SEC requirements, Risk Factors, are a topic in Form 10-K (Item 1A). In fact, risk is discussed in such a forthright manner, that you might learn of risks to the company you didn’t even know existed.
After reading the Risk Factors section of a 10-K you’ll understand that the company you’re analyzing could experience losses from any number of events. However, you might find comfort knowing that acknowledging risk is the first step toward managing risk. Unfortunately, though, the Risk Factors section typically lacks an abundance of information on how those risks are being mitigated.
The risks in the risk factor section, are typically from the outside environment. What is known as business risk. These can be contrasted with internal risks – also known as operational risks.
Operational risks might stem from choosing which projects to invest in. Fortunately, unless they are extremely ill-conceived, a single operational risk shouldn’t threaten the company’s existence. A single business risk, however, can be catastrophic.
Operational risks should have upside. Business risks typically only have downside. Therefore, in order to manage business risks, the company needs to hedge against them.
Your job, as an investor, is to understand the Risk Factors for your stock. You must decide if the company is prepared to protect itself. Try to get an idea of what the company’s exposure could be, and weigh that information into your investment decision.
What is involved in risk management?
- Recognizing that a risk exists
- Determining how big the risk is
- Taking action to reduce the risk
- Observing the risk and the effects of risk reduction
- Keeping records for all of the above
Do the executives of the company you’re analyzing cultivate a culture of risk management? Do you feel like they have a grasp on the company’s business risks? Do they acknowledge these risks when they speak publicly? Or, do they dodge the topic?
Simply listing Risk Factors in the 10-K isn’t enough. Those Risk Factors could’ve been conceived of a long time ago. They might just continue to be included so that the company can say “well, we warned ya!”
If the company has suffered losses from a business risk (like COVID-19/Coronavirus), determine how the company fared and if they learned any lessons. Did they require a bailout?
Business is all about taking chances. Sometimes, those gambles fail. If a company never takes any operational risks it’s not going to outperform the competition. So, be careful not to judge operational risk-taking as harshly as business risk-taking.
As mentioned in the post on financial ratios, operational risks are based on cost-benefit analyses. If projects fail, lessons can be learned.
What are the categories of risk?
- Risks can be classified in many different ways:
- Compliance (disobeying laws or regulations)
- Financial (poor investment decisions)
- Credit (inability to collect money)
- Currency (lower/higher cash in/outflows)
- Liquidity (inability to convert assets to cash)
- Market (a changing environment)
- Inflationary (money is worth less)
- Volatility (sharp/unpredictable changes in value)
- Operational (failure of company assets)
- Customer (decreasing satisfaction)
- Reputational (people less willing to conduct business)
- Safety (greater chance of injury)
- Seasonal (periods of underperformance)
- Security (theft of assets and information)
- Strategic (lack of, or poor planning)
- Competitive (customers purchase elsewhere)
- Technological (competing inefficiently)
- External (outside of the company)
- Infrastructure (failure of societal systems)
- Expertise (lack of qualified employees)
- Political (unfavorable authority)
- Natural disaster (catastrophic events)
- Supplier (inability to deliver)
- Conflict (disruption from combat)
Thus far, I’ve discussed two broad types of risk – business and operational. There is, however, a third type that I’d like to address in this post. That is a financial risk. Let’s look at each of these in a little more detail.
These are the risks that can affect all businesses, entire industries, and entire geographic areas. The type of risk that can shut businesses down.
Business risks include things such as recessions, sharp changes in commodity prices, pandemics, and government/political risks. These are generally unavoidable and are a normal part of being in business. The “upside” is that your stock’s competitors are also subject to these very same risks.
These risks can come from project choice, lackluster internal processes, and substandard management/employees. They are related to how the company conducts its business and can, therefore, more easily be managed.
Technological failures, poor maintenance, lackluster accounting controls, and bad financial modeling are other examples of operational risk.
Financial risks are related to operational risks. These risks threaten a company’s ability to generate adequate cash flow to pay its obligations. More specifically, they are related to operating leverage and financial leverage. The fixed costs related to both of these types of leverage can translate into financial risk.
How do you assess risk when analyzing stocks?
Most experts advise investors to appraise riskiness by reviewing measures such as alpha, beta, r-squared, standard deviation, (Conditional) Value at Risk, and the Sharpe Ratio. An investor can expand on their risk analysis by reviewing the company’s (and competitions’) SEC Form 10-K. Specifically, the section (Item 1A) Risk Factors.
It’s possible that many of the same Risk Factors will be acknowledged by all of the companies in a given industry.
All you can do is read and surmise how big you think a given risk is. You can do your homework and learn more about the nature of a particular type of risk. Ultimately, however, you’ll have to decide if the company’s exposure to a given risk is greater than the reward it can offer you.
Let’s take a look at the Risk Factors for three competitors in the Entertainment industry. These companies are:
- Netflix, Inc. (NFLX)
- Comcast Corporation (CMCSA)
- DISH Network Corporation (DISH)
Each Risk Factor has been (hopefully accurately) summarized for the sake of simplicity.
|NFLX Risk Factors||CMCSA Risk Factors||DISH Risk Factors|
|Attracting and retaining members||Highly competitive and dynamic industry||Competitors ability to offer bundled services|
|Competition and piracy||Changes in consumer behavior||Changes in consumer behavior|
|Long-term fixed costs of content||Decline in ad expenditures||Weak economic conditions|
|Liability in connection with content||Inability to keep pace with technology||Competitors’ exclusive content|
|Unfavorable content licensing terms||Domestic and foreign regulation||Depth and breadth of competition in streaming|
|Inability to manage change and growth||Increasing programming expenses||Internet regulations|
|International economic, political, and regulatory issues||Poor content||Network handling and expense|
|Multiple jurisdiction taxation||Programming distribution and licensing disputes||Competitors’ unique content|
|Establishing and maintaining a positive reputation||Interruption in telecommunication access||Deteriorating customer satisfaction|
|Changes in how services are marketed||Cybersecurity||Increased customer acquisition expense|
|Reliance upon partners||Intellectual property claims||Increasing programming expenses|
|Cybersecurity||Inability to obtain technological support||Decreased access to programming|
|Amazon Web Services (AWS) operation||Weak economic conditions||Licensing disputes with local networks|
|Failure of operational technology||Failed strategic initiatives||Cost of investments in programming|
|Internet regulations||Uncertainty related to international business||Cybersecurity|
|Network handling and expense||Unfavorable litigation||Obsolescence of technology|
|Inability to leverage member information||Labor disputes||Heavy reliance on a few suppliers for support|
|Member information hacked||Loss of key management or on-air personalities||Heavy reliance on a few suppliers for set-top boxes|
|Payment processing failure||Influence of CEO’s voting rights||Theft of programming|
|Loss of trademark protection||Dependence on third parties to solicit new business|
|Intellectual property claims||Limited satellite capacity|
|Pending legal proceedings||Satellite construction, launch, operational and environmental issues|
|Shareholder dilution||Lack of in-orbit insurance on satellites|
|Financial leverage||Conflicts of interest with EchoStar|
|Inability to generate cash flow||Loss of key employees|
|Loss of & inability to attract key employees||Loss of investment in wireless spectrum assets|
|Labor disputes||Competing in the wireless services industry|
|Anti-takeover provisions in charter documents||Loss of investment in Northstar and SNR Entities|
|Volatile stock price||Inability to commercialize wireless spectrum licenses|
|Poor forecasting of financial results||Inability to attract and retain key employees|
|Completion of Prepaid Business Sale|
|Prepaid Business Sale not as lucrative as anticipated|
|BSS Business not as successful as anticipated|
|Master Transaction Agreement not as beneficial as anticipated|
|Loss of satellite capacity|
|Master Transaction Agreement dilutes shareholder ownership|
|Tax repercussions of Distribution|
|Poor performing acquisitions|
|Lack of access to capital|
|If convertible notes are triggered|
|Convertible note hedge may affect common stock|
|Convertible note hedge counterparty risk|
|Lack of liquidity of investments|
|Difficulty in being acquired|
|Concentration of voting power|
|Tax Reform Act|
|Intellectual property claims|
|Potential legal liabilities|
|Changes to the Cable Act|
|Revocation of retransmission injunction|
|FCC license revocation or modification|
|Digital HD “carry-one, carry-all” requirements|
|Failure of internal controls|
Admittedly, I’ve never scrutinized Risk Factors like this before. A couple of things stuck out to me.
First, is the volume of Risk Factors. Particularly by DISH. Part of me wants to interpret that as transparency by management. Another part of me is skittish that they’re trying to cover their hide for any little thing that can go wrong.
Furthermore, there were certain Risk Factors that showed up for all three companies. But, not as many as I would have thought. Especially for three companies in the same industry with relatively similar business models.
The business with the fewest Risk Factors, Comcast, still lists nineteen of them. Could it be that Comcast’s near monopoly on internet service makes them less risky? Or, am I reading too much into it?
In any event, you can see that there’s a lot of risks that you might not have considered when investing. Beyond that, these are just the “known unknowns.” There still exist “unknown unknowns” that are business risks to these companies.
I don’t mention any of this to scare you. Something that can happen if you dwell too much on the risks. Rather, to point out that acknowledging risks can help you round out your analysis. It can help you make a quality investment decision.
Disadvantages of risk management
- Difficult to calculate
- Uncertainty across every aspect
- Unknowable losses
- Factors outside of control
- Fear of too little/much management
- Difficult to implement
- Costly in terms of money & time
- False sense of security
Conventional thinking says “risk is bad, so managing it is good.” Generally speaking, that’s correct.
However, everything comes at a cost. Risk management is no exception.
For starters, managing risks is complicated. The company you’re interested in investing in might be “managing its risks.” Is it doing so effectively, though?
Managing risks is very subjective. Recognizing risks is a judgment call. As is determining how big the risk is. Not to mention, the most appropriate way to mitigate the risk.
Like any other activity in a company, the quality of the work is only as good as the people performing it. And, let’s face it, organizations, in general, are rarely meritocracies.
So, use your own judgment about the company’s ability to manage risks. Decide how much confidence you have in management. Finally, take steps to mitigate your own downside.