“How do you develop a risk management strategy?” Risk management strategies are methodical and logical plans for pinpointing, analyzing, and addressing risk. The company you’re analyzing faces any number of business and operational risks. Therefore, it pays to research the strategies they’re using to manage these risks.
Risk management strategies can be developed by the organization as a whole, or by smaller units (departments) within the company. Whichever is most appropriate for the circumstances. These strategies should be updated and reviewed on a regular basis. Over time, different risks will emerge and different approaches must be taken to handle the risks.
When a company assesses risk they are attempting to make themselves aware of the uncertainty in their environment. Furthermore, they’ll try to ascertain what steps they might take to limit the downside of the company, its employees, and other stakeholders.
Risk management strategies will vary between organizations. The executive team may not be best equipped to identify, analyze, and manage all risks. It may be the lower-level employees who have a more hands-on understanding of the situation.
Identifying risk means seeking out potential obstacles that could prevent the company, its units, or its projects from achieving their goals. Additionally, identifying risk involves the documentation and communication of those obstacles. Public companies identify risks in the Risk Factors section of their 10-K.
A considerable amount of research might be necessary to identify risks. Not all risks are obvious (unknown unknowns). When researching, it might pay to be somewhat pessimistic. Not a good attitude to have all of the time. But, when identifying risks, one must be focused on what could go wrong.
With the risks identified, the extent of the risk must be determined. Risk analysis includes a detailed consideration of risk probabilities and the potential severity of the negative effects.
Not every risk will have a single probability. They aren’t necessarily binary. Likewise, not every risk will have the same effect. The severity of a risk can vary and each variation can have a different probability.
When a risk has been identified and assessed, the company must decide what action to take. That action can manifest itself in four general forms.
- Avoidance – Not partaking in the actions that generate risk.
- Reduction – Attempting to minimize the probability or extent of a negative impact. Hedging. Limiting the downside.
- Sharing – Transferring some of the risk to another party. Insurance or outsourcing.
- Retention – Accepting the chance of loss. The risk is exceedingly unlikely and/or the risk would be so catastrophic that it can’t practically be protected against
Risk management examples
In the previous post on business risk management, I looked at three publicly traded companies:
- Netflix, Inc. (NFLX)
- Comcast Corporation (CMCSA)
- DISH Network Corporation (DISH)
For each, I summarized the Risk Factors listed in their Form 10-K. Now, I’ll take the analysis one step further. I’ll look at some real-life examples of risks that these companies face. Plus, the risk management strategies they use to identify, assess, and manage that risk.
Example 1 – Netflix quantifies risk
This example highlights how Netflix’s Information Security department assess its risks. Using computer models and Monte Carlo simulations, they can estimate probabilities for different levels of loss. E.g. a 10% probability of a $1 billion loss.
While they’re a little vague on which risks they’re analyzing (“deliberate and accidental losses”), we can refer to their Risk Factors for an idea. It could be that they’re assessing risks of competition & piracy, liability in connection with content, or cybersecurity.
They also briefly touch on managing the analyzed risks. How taking probabilities and projected loss amounts to executives can help in acknowledgment. From there, an informed approach to risk management can hopefully be settled upon.
Example 2 – Comcast considers an acquisition
This is information is now moot since we now know that Disney acquired Fox’s movie and television assets. Not Comcast. That was not known when the author wrote this piece, of course.
An acquisition qualifies as more of an operational/financial risk than a business risk (as defined in the previous post). The downside is also more easily identifiable. Nevertheless, the author analyzes the risks he identifies – particularly the enormous financial leverage Comcast would have to shoulder. Alternatively, he also pinpoints the upside to the investment in Fox.
Similar risk management conversations were probably taking place within Comcast at the time. Particularly how the risks could be reduced (offset with revenue and lower costs) or avoided altogether. Risk Factors that hinted at this sort of thing were touched on in their 10-K. Particularly the highly competitive and dynamic industry, increasing programming expenses, and poor content.
Example 3 – Dish Network ventures into wireless
This news is a little more timely. Though, by the time you read it, it may also be moot. In any event, it is an interesting, risk-laden examination of Dish Network.
Dish Network, it seems, is trying to get into the 5G game. I had no idea, personally, until I read their 10-K Risk Factors. In there, they discuss some of the particulars related to this bold project. Specifically, they address the inability to commercialize wireless spectrum licenses, competing in the wireless services industry, and the inability to attract and retain key employees.
The article’s headline itself identifies the risk – “Dish’s risk lies with the network-analyst“. This is an operational/financial risk, of course. But, according to this author, it is a huge one. The assessment of the risk concludes that Dish could lose its “substantial investments” (tens of billions of dollars) in its wireless services venture.
As with the Comcast risk, this one can be offset with revenue. If this venture is anything like their primary business, the selling of satellite transmissions, it doesn’t appear as though they’ll transfer much risk via insurance.
Identifying, analyzing, and managing risks
Hopefully, risk management is a consistent and methodical process that’s consistently reviewed within the company you’re analyzing. Every employee in the company assumes some responsibility for identifying and analyzing risks. The buck stops with management, however. Managing risk is one of, if not their most important responsibility.
A simple search for “[your stock] risk” can yield interesting results, like those above. Risks to the company means risks to your stock investment. So, I think it’s worthwhile to perform some “scuttlebutt” on the events that could lead to disaster for the company you’re analyzing.