5 Steps to Managing Risk in Your Growing Company

By Alexander Tuff

A YPO member since 2016

We all make mistakes. When I was working for a hedge fund, I watched one trader sell a bond to another trader — three doors away in the same office. Yep, the middleman trader who earned a 2 percent fee from both sides of the trade must still be laughing today.

I once witnessed an extra zero mistakenly added to a 5,000-share transaction cost a firm tens of thousands of dollars. And yet another unnamed company was still making USD10 million loans at the same exact time it was facing a liquidity crisis and ended up in bankruptcy.

The only surefire way to avoid silly mistakes is through building a robust governance and controls environment. These words no longer belong only to large regulated organizations. Any growing company that wants to survive the ever-increasing world of risks — from fraud to cyberterrorism — can manage and mitigate these by taking simple steps to protect the business.

This five-step process guides the development of a governance and controls framework using basic project management tools — protecting you from the very risks that your organization faces.

Step 1: List and map your risks. What is the full spectrum of risks that your young and growing firm faces? Many are not obvious at first. Start by listing all the situations where things have gone wrong in the past and all the worries that keep you up at night, from that vice president who cheated on his expense report to the virus that shut down your computers for two days. A good way to get a jump-start on key risks is to obtain a vendor or bank due-diligence list and review their most pressing concerns.

Separate risks into internal (inside the organization) and external (facing the company from the outside). Examples of internal risks include: retaining top staff and key persons, social media, client concentration, lack of succession planning, diminishing brands, legal suits, compliance failures, IT security breach data entry/trade errors, intellectual property loss and data integrity.

Examples of external risks include: regulatory changes, reputational risk, headline risk, competitive market disruption, legislative risks, fraud risk (such as an external party stealing money), margin compression, facility shutdown from weather and data security breach.

A great way to capture the internal and external risks is with a basic risk map that calibrates likelihood of a risk occurring and the loss should an event occur. Once you’ve laid out the key risks, you can figure out the various tools that will help you put controls around those risks.

Step 2: Develop your governance and controls framework. An effective governance and controls framework is a set of mitigation efforts to address everyday risks in a very thoughtful and targeted way.

Step 3: Describe your current state and your desired future state. How are processes being completed today, and how can they strengthen and improve in the future? This high-level plan allows the senior team to see where you’re headed and why it is so important.

With your controls in place, you’ll become more efficient and effective in shifting from your current state to your desired future state. In one of my former companies, for example, an employee was spending 100 percent of her time reconciling all credit cards and wire transfers across the organization. We examined the process and determined a different approach that could be completed electronically — and in 10 percent of the time.

Automated processes reduce manual errors. Procedures will reduce variation of output, data will become much more reliable, and transparency into data and reporting will allow for better and quicker decision-making. As you grow your enterprise, stay tuned to how you adapt your governance and controls to mitigate new emerging and changing risks.

Step 4: Develop a customized action plan to serve as your project management tool. This is your project management tool, one that will allow you to implement and build out of the desired future state framework and infrastructure. Dozens of software tools, such as Microsoft Project, Google Project Management, Slack, Wrike, Trello and Asana, can maintain tabs on all your projects and assigned tasks.

With a plan in place, you’ll be able to track various projects, assign out responsibilities, monitor progress, and provide simple reports for senior management to show success and obstacles.

Step 5: Execute and lead. The single most important element of governance and controls success is 100 percent buy-in from the senior team. High-level executives set the tone from the top, communicating the critical role of a governance and controls framework, recognizing and rewarding talent for identifying and addressing risks as they occur. It may take quarters, if not years, to implement the full framework, but once it’s in place, you’ll have the controls infrastructure to easily pass any vendor due diligence and snuff out or mitigate key risks.

5 quick risk-control tips

Data security: Lock this down before you build out your suite of technologies. Look at file and email encryption, password-protected portals, firewalls for network protection, secure remote access, virus protection, cloud based security, video monitoring of office and disaster recovery sites.

Insurance: Get this in place, considering Errors and Omissions, Directors and Officers, Property and Casualty and Key Man insurance. Work with a broker to determine what you need to protect your greatest assets and your balance sheet.

Cash movements and accounting: Require dual signatures and verbal approvals on cash movements, key fob to access accounts. Someone outside of finance should approve wire transfers. And a system such as Quick Books or Concur can allow you to move off spreadsheets and into a more robust system that provides oversight and monitoring of accounting and finances as well as time tracking for employees.

Controls audit and financials audit: Every year or other year, hire an outside firm to conduct an audit. A few professionals with fresh eyes can make all the difference in finding future risks and vulnerabilities.

Social media policy: To address one facet of reputational risk, be sure to lock down a strict social media policy. You don’t want an employee’s social life crossing into firm life lest the outside world viewing your firm very differently than you want it to. This applies to LinkedIn, Facebook, Snapchat or any other social site.

YPO member Alexander Tuff has been President of Winged Keel Group since joining in 2013. He has more than 18 years of executive experience in the financial services industry. In addition to overseeing and managing all business functions and employees, Tuff serves as a member of Winged Keel Group’s Executive Management Committee. Prior to Winged Keel, Tuff spent five years as the COO of the 650-person Risk Management Group at CIT. Tuff has been a featured lecturer at Brown University on leadership and management topics. He earned an MBA in finance with distinction from Columbia Business School and a bachelor’s degree in economics from Colby College.

Learn about joining YPO

With more than 26,000 members in more than 130 countries, members of YPO are peers who share in common the achievement of success at an early age; a commitment to learning as a lifelong adventure; and a desire to connect authentically in an environment of trust and confidentiality. If you are a member interested in contributing, please email blog@ypo.org.