Business Risk Management | Identifying & Assessing Examples


Business risk management is the identification, analysis, mitigation, and monitoring of threats to a company’s overall well-being.

Owners and managers manage risks in an effort to minimize or eliminate the damage done from adverse events.

Business risks can be known or unforeseen, probable or unlikely, frequent or rare.

Risks can also manifest inside or outside of the company.

Risks exist everywhere. Even though publicly traded companies are wealthy, powerful, and staffed with (hopefully) some pretty smart people, they are still subject to considerable risk. As an investor in these companies, you need to understand what risks the company you’re analyzing is subject to. Beyond that, hopefully, you can get an idea of how they’re managing those risks.

Fortunately, publicly traded companies all discuss risks, to a greater or less or degree. As part of the SEC requirements, Risk Factors, are a topic in Form 10-K (Item 1A). In fact, risk is discussed in such a forthright manner, that you might learn of risks to the company you didn’t even know existed.

After reading the Risk Factors section of a 10-K you’ll understand that the company you’re analyzing could experience losses from any number of events. However, you might find comfort knowing that acknowledging risk is the first step toward managing risk. Unfortunately, though, the Risk Factors section typically lacks an abundance of information on how those risks are being mitigated.

The risks in the risk factor section, are typically from the outside environment. What is known as business risk. These can be contrasted with internal risks – also known as operational risks.

Operational risks might stem from choosing which projects to invest in. Fortunately, unless they are extremely ill-conceived, a single operational risk shouldn’t threaten the company’s existence. A single business risk, however, can be catastrophic.

Operational risks should have upside. Business risks typically only have downside. Therefore, in order to manage business risks, the company needs to hedge against them.

Your job, as an investor, is to understand the Risk Factors for your stock. You must decide if the company is prepared to protect itself. Try to get an idea of what the company’s exposure could be, and weigh that information into your investment decision.

What is involved in risk management?

  1. Recognizing that a risk exists
  2. Determining how big the risk is
  3. Taking action to reduce the risk
  4. Observing the risk and the effects of risk reduction
  5. Keeping records for all of the above

Do the executives of the company you’re analyzing cultivate a culture of risk management? Do you feel like they have a grasp on the company’s business risks? Do they acknowledge these risks when they speak publicly? Or, do they dodge the topic?

Simply listing Risk Factors in the 10-K isn’t enough. Those Risk Factors could’ve been conceived of a long time ago. They might just continue to be included so that the company can say “well, we warned ya!”

If the company has suffered losses from a business risk (like COVID-19/Coronavirus), determine how the company fared and if they learned any lessons. Did they require a bailout?

Business is all about taking chances. Sometimes, those gambles fail. If a company never takes any operational risks it’s not going to outperform the competition. So, be careful not to judge operational risk-taking as harshly as business risk-taking.

As mentioned in the post on financial ratios, operational risks are based on cost-benefit analyses. If projects fail, lessons can be learned.

What are the categories of risk?

  • Risks can be classified in many different ways:
    • Compliance (disobeying laws or regulations)
    • Financial (poor investment decisions)
      • Credit (inability to collect money)
      • Currency (lower/higher cash in/outflows)
      • Liquidity (inability to convert assets to cash)
      • Market (a changing environment)
        • Inflationary (money is worth less)
        • Volatility (sharp/unpredictable changes in value)
    • Operational (failure of company assets)
      • Customer (decreasing satisfaction)
    • Reputational (people less willing to conduct business)
    • Safety (greater chance of injury)
    • Seasonal (periods of underperformance)
    • Security (theft of assets and information)
    • Strategic (lack of, or poor planning)
      • Competitive (customers purchase elsewhere)
    • Technological (competing inefficiently)
    • External (outside of the company)
      • Infrastructure (failure of societal systems)
      • Expertise (lack of qualified employees)
      • Political (unfavorable authority)
      • Natural disaster (catastrophic events)
      • Supplier (inability to deliver)
      • Conflict (disruption from combat)

Thus far, I’ve discussed two broad types of risk – business and operational. There is, however, a third type that I’d like to address in this post. That is financial risk. Let’s look at each of these in a little more detail.

Business risks

These are the risks that can affect all businesses, entire industries, and entire geographic areas. The type of risk that can shut businesses down.

Business risks include things such as recessions, sharp changes in commodity prices, pandemics, and government/political risks. These are generally unavoidable and are a normal part of being in business. The “upside” is that your stock’s competitors are also subject to these very same risks.

Operational risks

These risks can come from project choice, lackluster internal processes, and substandard management/employees. They are related to how the company conducts its business and can, therefore, more easily be managed.

Technological failures, poor maintenance, lackluster accounting controls, and bad financial modeling are other examples of operational risk.

Financial risks

Financial risks are related to operational risks. These risks threaten a company’s ability to generate adequate cash flow to pay its obligations. More specifically, they are related to operating leverage and financial leverage. The fixed costs related to both of these types of leverage can translate into financial risk.

How do you assess risk when analyzing stocks?

Most experts advise investors to appraise riskiness by reviewing measures such as alpha, beta, r-squared, standard deviation, (Conditional) Value at Risk, and the Sharpe Ratio. An investor can expand on their risk analysis by reviewing the company’s (and competitions’) SEC Form 10-K. Specifically, the section (Item 1A) Risk Factors.

It’s possible that many of the same Risk Factors will be acknowledged by all of the companies in a given industry.

All you can do is read and surmise how big you think a given risk is. You can do your homework and learn more about the nature of a particular type of risk. Ultimately, however, you’ll have to decide if the company’s exposure to a given risk is greater than the reward it can offer you.

Let’s take a look at the Risk Factors for three competitors in the Entertainment industry. These companies are:

  • Netflix, Inc. (NFLX)
  • Comcast Corporation (CMCSA)
  • DISH Network Corporation (DISH)

Each Risk Factor has been (hopefully accurately) summarized for the sake of simplicity.

NFLX Risk FactorsCMCSA Risk FactorsDISH Risk Factors
Attracting and retaining membersHighly competitive and dynamic industryCompetitors ability to offer bundled services
Competition and piracyChanges in consumer behaviorChanges in consumer behavior
Long-term fixed costs of contentDecline in ad expendituresWeak economic conditions
Liability in connection with contentInability to keep pace with technologyCompetitors’ exclusive content
Unfavorable content licensing termsDomestic and foreign regulationDepth and breadth of competition in streaming
Inability to manage change and growthIncreasing programming expensesInternet regulations
International economic, political, and regulatory issuesPoor contentNetwork handling and expense
Multiple jurisdiction taxationProgramming distribution and licensing disputesCompetitors’ unique content
Establishing and maintaining a positive reputationInterruption in telecommunication accessDeteriorating customer satisfaction
Changes in how services are marketedCybersecurityIncreased customer acquisition expense
Reliance upon partnersIntellectual property claimsIncreasing programming expenses
CybersecurityInability to obtain technological supportDecreased access to programming
Amazon Web Services (AWS) operationWeak economic conditionsLicensing disputes with local networks
Failure of operational technologyFailed strategic initiativesCost of investments in programming
Internet regulationsUncertainty related to international businessCybersecurity
Network handling and expenseUnfavorable litigationObsolescence of technology
Inability to leverage member informationLabor disputesHeavy reliance on a few suppliers for support
Member information hackedLoss of key management or on-air personalitiesHeavy reliance on a few suppliers for set-top boxes
Payment processing failureInfluence of CEO’s voting rightsTheft of programming
Loss of trademark protectionDependence on third parties to solicit new business
Intellectual property claimsLimited satellite capacity
Pending legal proceedingsSatellite construction, launch, operational and environmental issues
Shareholder dilutionLack of in-orbit insurance on satellites
Financial leverageConflicts of interest with EchoStar
Inability to generate cash flowLoss of key employees
Loss of & inability to attract key employeesLoss of investment in wireless spectrum assets
Labor disputesCompeting in the wireless services industry
Anti-takeover provisions in charter documentsLoss of investment in Northstar and SNR Entities
Volatile stock priceInability to commercialize wireless spectrum licenses
Poor forecasting of financial resultsInability to attract and retain key employees
Completion of Prepaid Business Sale
Prepaid Business Sale not as lucrative as anticipated
BSS Business not as successful as anticipated
Master Transaction Agreement not as beneficial as anticipated
Loss of satellite capacity
Master Transaction Agreement dilutes shareholder ownership
Tax repercussions of Distribution
Poor performing acquisitions
Lack of access to capital
Financial leverage
If convertible notes are triggered
Convertible note hedge may affect common stock
Convertible note hedge counterparty risk
Lack of liquidity of investments
Difficulty in being acquired
Concentration of voting power
Telemarketing litigation
Tax Reform Act
Intellectual property claims
Potential legal liabilities
Internet regulations
Changes to the Cable Act
Revocation of retransmission injunction
Regulatory oversight
FCC license revocation or modification
Digital HD “carry-one, carry-all” requirements
Failure of internal controls

Admittedly, I’ve never scrutinized Risk Factors like this before. A couple of things stuck out to me.

First, is the volume of Risk Factors. Particularly by DISH. Part of me wants to interpret that as transparency by management. Another part of me is skittish that they’re trying to cover their hide for any little thing that can go wrong.

Furthermore, there were certain Risk Factors that showed up for all three companies. But, not as many as I would have thought. Especially for three companies in the same industry with relatively similar business models.

The business with the fewest Risk Factors, Comcast, still lists nineteen of them. Could it be that Comcast’s near monopoly on internet service makes them less risky? Or, am I reading too much into it?

In any event, you can see that there’s a lot of risks that you might not have considered when investing. Beyond that, these are just the “known unknowns.” There still exist “unknown unknowns” that are business risks to these companies.

I don’t mention any of this to scare you. Something that can happen if you dwell too much on the risks. Rather, to point out that acknowledging risks can help you round out your analysis. It can help you make a quality investment decision.

Disadvantages of risk management

  • Difficult to calculate
  • Uncertainty across every aspect
  • Unknowable losses
  • Factors outside of control
  • Fear of too little/much management
  • Difficult to implement
  • Costly in terms of money & time
  • False sense of security

Conventional thinking says “risk is bad, so managing it is good.” Generally speaking, that’s correct.

However, everything comes at a cost. Risk management is no exception.

For starters, managing risks is complicated. The company you’re interested in investing in might be “managing its risks.” Is it doing so effectively, though?

Managing risks is very subjective. Recognizing risks is a judgment call. As is determining how big the risk is. Not to mention, the most appropriate way to mitigate the risk.

Like any other activity in a company, the quality of the work is only as good as the people performing it. And, let’s face it, organizations, in general, are rarely meritocracies.

So, use your own judgment about the company’s ability to manage risks. Decide how much confidence you have in management. Finally, take steps to mitigate your own downside.

Recent Posts