Risk Management is management!

Risk management is, in a way, the “quantification” of events that may materialize, combined with actions to mitigate them. This “quantification” is an exercise based on probability.

Risk may be quantified by using financial models and records of historical events, and may be mitigated by transferring it. An example of quantification can be as simple as a cash flow estimate, while an example of mitigation would be buying a financial hedge to fix the price of a raw material or of a currency.

Risk management may be seen as a waste of time and money – until something bad happens. When a loss is incurred, the first action is to find those responsible. Nevertheless, risk mitigation and containment, as well as the reaction to the risk's materialization, continue to go unaddressed.

Any company is subject to various types of risks, such as, to name a few:

. Reputation: threats to the image of products and brands;
. Regulatory: involving the observance of laws and regulatory framework;
. Human Resources: scarcity of talent or turbulence in the succession of leadership;
. Technology: operational or security failures in critical systems;
. Market: asset devaluation;
. Country: political, social and economic;
. Credit and Financing: delinquency (customers) or impossibility of obtaining credit lines to fund the business;
. Natural disasters: destruction or inoperability of offices and plants or production units.

Risk management certainly has a cost. Hence the need for realism when deciding which elements will be used to mitigate risks.

An important step is the design of a risk matrix. This document lists the existing risks, the minimum control to be observed for each, who is responsible for its implementation and control, and with what frequency.

Among the risk mitigation elements that may exist, some are simple to implement and are part of the "internal control system" of any large organization.

(1)    Auditing
Given the number of scandals involving audited companies, questions about the effectiveness of this service (and obligation) may arise. They may arise, however, only among those who do not understand what the auditing service is about.

The responsibility of an external auditing firm is to provide an opinion on the financial statements of a company, which are prepared by its management. To do that, the auditing firm bases its work on the existing internal controls, whose reliability will define the scope (extent) of the tests that will be applied.

The work of the external audit is limited, as it is based on tests and not on the reconstitution of all transactions, and it does not work on the assumption that fraud exists. Finally, it assumes that the financial statements are correct and prepared according to the recommended accounting practices, and that everything that is known is reflected in them. In fact, management must sign a statement to that effect, which is delivered to the audit firm. Of course, the audit firm remains responsible for the quality of its work, which depends very much on the quality of supervision, as fieldwork, for cost efficiency reasons, is performed by less experienced and cheaper staff.

So if the auditing service does not represent a safeguard or validation, why do it? First, it is important to bear in mind that there are steps prior to hiring an external audit firm, mainly the existence of formal accounting and internal controls. Without both, auditing loses effectiveness and becomes prohibitively expensive.

Assuming that formal accounting and an internal control system exist, the external audit forms part of a system of checks and balances, being instrumental in giving assurance to the board and exempting managers from responsibilities.

In addition to the external audit service, a company can - and must - create an internal audit department, also with the aim of reducing the hours spent by the external audit. While the external audit focuses on the financial statements, the internal audit is more focused on compliance (adherence to the rules and procedures and internal control). In addition, the internal audit is (through its proximity to and involvement with the business) better placed to identify and prevent fraud than the external audit itself.

(2)    Insurance
Insurance is bought in order to transfer risks. In fact, various types of risks can currently be transferred. The important thing is to measure the risk and its impact on the business. The risks commonly covered are: property (risk falls on property); liability (risks against the company); and credit (risk of default or delinquency). Insurers will weigh the risks and either establish a premium to be charged or decline the risk.

(3)    Use of financial instruments
Hedging is used to seek protection from, or to limit, the volatility (or losses) to which a company is subject. Of course, this protection is largely contingent on the company's analysis of movements in the markets in which it operates or on which it depends. There are traditional and more sophisticated hedging transactions. Derivatives are examples of the latter.

A traditional hedge seeks protection against adverse price moves of an asset or liability, be it a good, a raw material or a currency. “Derivatives”, as the name indicates, have a value that is derived from something else, be it an asset, index, currency or interest rate.

A common example of this type of contract is the swap of exchange rate variation for an interest rate. In both cases, the most common instruments are forwards (fixing a future price) and options (purchase or sale on a certain date).

(4)    Licenses
It is virtually impossible to keep all licenses (and / or permits and certificates) up to date, for the following reasons: (a) they are large in number; (b) they are obtained from different governmental bodies at different levels (decentralized); and (c) the renewal term is short. On the other hand, being in compliance with these obligations means, at least in theory, that the property and the business meet the requirements needed to operate, thus mitigating risk.

The list of required licenses is long and can be, for the sake of simplicity, grouped into two main categories: (1) Licenses on Property and Construction and (2) Licenses on Business Operation.

Thus, it is advisable to keep a list of all necessary licenses. This list should include their expiration dates, the risks involved and the area or person responsible for obtaining them. Generally, there is a department at headquarters responsible for overseeing it, while securing the licenses is entrusted to a specialized agent or to the administrative area of the store.

(5)    Communication Channels
Under normal conditions, the flow of communication is hierarchical. There are, however, times when communication fails and important information is not reported, preventing the company’s management from anticipating problems that may affect the business or its reputation.

In retail, where there is a large number of employees working in different locations, there is a need to create a communication channel that enables them to be heard. A good communication channel should be publicized and provide safeguards to the user (identity protection, no exposure) and, above all, be connected to an independent committee responsible for analyzing and responding. The most common means of contact are phone, email or a dedicated website.

The Committee should involve members of various areas (usually at least HR, legal and someone from the office of the CEO or the managing board), with periodic meetings to review the communications received. Where clarification or further investigation is needed, the committee should have the authority to call in the internal audit or even make use of a consultant or external professional.

The Ethics Committee is one form that is being adopted. It deals with complaints of various kinds, from those related to strategy to those involving corruption and moral and sexual harassment. The institution of such committees should not be seen as bureaucratization but, instead, as a necessary tool to prevent the company from being found colluding, even if through lack of knowledge, with malpractices, irregularities or illegalities.

(6)    Crisis Management Plan
A crisis management plan should not be seen as something bureaucratic. A large company needs a plan to deal with situations that pose a threat, that cannot be anticipated and that require an immediate response. Examples of crises range from the closure of a store as a result of an inspection carried out by a governmental agency to the contamination of private-label products or a fire. The important thing is to keep things simple.

There are three basic aspects to be covered and observed in any crisis management plan, in the following order: (1) physical safety of customers, employees and affected surroundings; (2) physical security of the store (assets); and (3) communication to management.

Communication is important. However, before anything is disclosed, the facts must be established in order to avoid misinformation. This is why coordination among the responsible areas is required before occurrences are made public. The reason for simplicity is to allow quick responses / reactions.

