Risk Management, The Precursor To Profitability

In 2002, after having been a CEO for a couple of years, I faced a looming liquidity crisis. I had several large stockholders who wanted their stock repurchased, total accounts receivables (AR) globally of >110 days (not unusual for significant offshore AR content), and the company was annually losing significant profit on four to six projects out of the firm’s portfolio of hundreds of jobs. I was quickly heading to a point of no return for liquidity that required urgent action. An independent director came to me and said, “Bob, you could make some money to solve your problems if you could just stop those bleeders.’ So simple, but so correct! I knew that was great advice but it required more than just doing that.

I immediately initiated three separate efforts:

A ‘war on the receivables’ to reduce them by 30 days within six months;
Continue to grow the best clients’ revenue as fast as possible; and
Reduce the number of losing projects by one half through better risk management.

I did not want to co-mingle, confuse and dilute the efforts, so I created three separate cross-discipline teams to set goals and implementation. I gave each team wide authority to institute policies by studying risk management from larger and more sophisticated firms. Perhaps it was just luck, but in 18 months we had repatriated nearly $200m of AR from our clients, doubled our profit margins (only by reducing the number of large losing projects) and had a demanding and disciplined risk management program in place going forward.

This article is on the topic of risk management.

Risk Management is certainly one of the most mundane topics to write about. If you ask a CEO whether they have a good risk management program, they would, of course, say “yes.” It is like asking someone if they wash their hands, i.e. corporate hygiene. Most companies have immature risk programs but get religion when the bullets pass their head…or hit them. Only after near misses and some bleeding, CEOs become curious how they really compare to the better programs. Most firms don’t know where they stand because there is little shared information between companies on the topic. Every company’s risk program usually has evolved organically through past lessons learned.

Risk management should be viewed as the ‘defense’ of the organization—not nearly as “sexy” as the marketing or as exciting as successful projects, which is the offense. But I would submit a successful risk management defense is more important to the bottom line profitability than the offense.

There are generally two levels of corporate risk management—project risk management and enterprise risk management. Both reflect two distinct elements: thought and overall impact. These two levels often get confusingly co-mixed and/or sometimes are totally non-existent. Programs for each are required and are usually owned by different parties. Both project and enterprise risk management can affect the overall results, and even survival, of the organization.

Let me start with enterprise risk management. As you work to the highest level, the more you face the issues of enterprise survival. The CEO and the board should own the enterprise risk program. It should be visited once or twice a year. Enterprise risks are those that, if realized, threaten the very existence of the organization. Each risk should have an outline action plan. Typical enterprise risks I have seen are:

A ‘black swan event’ disrupting the most critical part of the organization that is absorbing the corporate overhead for weeks. 9-11 was such an event for Cantor Fitzgerald, whose headquarters and trading desks were wiped out. The Lehman Brothers bankruptcy suddenly created calls on bank lines in heavy capital businesses. No one expected Brexit to pass.
A news disclosure picked up by a national media service involving accused criminal, corruption, theft, wrongful death or illicit sexual activity of key executives of the firm. Guilt is not the issue, as the accusation does the damage.
The sudden loss of revenue or funding that contributes to greater than 20% of the company’s source. A large client bankruptcy, market crash or project terminations could be examples.
Cyber security breaches that require national disclosure and halting of electronic transfers vital to the cash flow of the company. Remediation of cyber breaching can require a completely new accounting system.
The failure and collapse of a designer’s or builder’s catastrophic infrastructure projects causing wide spread death and consequential third party damage outside the insurance coverage of the company. Examples are failures of dams, levees, tunnels, high story buildings, cranes, railroads and bridges.
The sudden and unexpected death or disability of several of the key management team. IBM’s personal computer division lost their top five executives in a Florida plane crash.

Now to project risk management: The success key to project risk management is multi-disciplinary overview and applying cumulative company lessons learned. It requires the time and personal attention of the executive floor. The less attention is delegated to this task, the less effective the program and the lessons learned are more limited. A sorting method needs to efficiently discover and identify the 20 to 40 jobs out of hundreds that require upper management scrutiny. Pre-prepared forms that explain the project description, contract details and all risks with many ‘check the box’ components are common in the culling process. Once the 20 to 40 projects are chosen, they get another level of risk scrutiny and resultant mitigation requirements.

For me, project risk management logic is centered on four key principles.

PRINCIPLE #1: The likelihood for risk realized is indirectly proportional to repetition for both solution approach and scale. The more repetitions you have, the more predictability and the less failure risk for each additional repetition. For example, there is virtually no risk in producing DVDs, pharmaceuticals and building templated log cabins. Large project scale jumps, in even repeated solutions, are problematic, due to the requirement for more sophisticated process management.

PRINCIPLE #2: The second principle is that the past is the best predictor of the future. If the client did not pay you last time, expect that same outcome again. If the client sued you last time, expect it again. If a joint venture partner failed in a previous project, again, use that history as a predictor for future projects.

PRINCIPLE #3: You cannot control a partner’s competency; so betting on them in a subordinate contractual role for your survival is insane. Bet only on what you can control.

PRINCIPLE #4: Scale is an important indicator of potential risk—but not exclusively. Actual risk is in the impact of consequential damages, regardless of project scale. A dangerous small revenue project can damage far more than its scale would predict.

Let me end by providing a list of project risk flaws I see service firms frequently make:

Allowing marketers or the doer-sellers to have a say in risk assessment and then double down by having them negotiate the contract. The genetics of a marketer would never allow them to assess risk without bias on a project they devoted their talents to win.
Believing that FCPA training and getting signed certifications will assure that employees in ‘red’ corruption countries serving public agencies will adhere to U.S. and EU laws. Corruption laws are legal concepts of ‘shades of grey lines’ between facilitation, entertainment and a Western ethics violation. Locals have different cultures/ definitions and believe corporate headquarters does not understand how business is done in their indigenous countries. Hence, two things are bound to occur: the local attitude of ‘…just sign the forms, what corporate does not know will not hurt them because they expect us to be successful’; or ‘…the U.S./EU legal definition of corruption does not apply in my country. I work here and they do not.’ Staying away from the risk is often far superior to trying to create a fool-proof mitigation.
Believing that a fair client evaluates mistakes or problems. A predecessor once told me, “Friends don’t sue you and seek a solution, yet unfriendly or neutral clients seek to assign blame and blow things out of proportion.” A key to risk management is the quality of the personal nature of the client relationship. When agreeing to take a large dangerous job, there should be a parallel commitment of the Chief Executive or President team to improve that high-level client relationship.
Failing to see the importance of the Chief Legal Officer (CLO) in risk evaluation and mitigation. CLOs should have veto power on project risk because they understand claims and insurance better than anyone in the company.
Having a detailed and disciplined review process, but no follow up to see if the risk conditions actually were met in negotiations and execution. Internal audits should be expanded from accounting to project risk compliance.
When a project manager leaves a critical project at the 75% completion point, the company should see this as a desperate act of escape to a pending disaster and react accordingly. Assume a crisis rather than waiting to see what/how the next project manager is going to evaluate.
Falsely thinking that custom solutions drive high profit where, most of the time, the innovative value is given away free to the client, but the product guarantee risk is retained by the service company.
Depending on a smaller subcontractor to do a critical element of a project (possibly to meet small business goals) then finding that they do not have the insurance or balance sheet to handle the damages, leaving your company as the ‘deep pockets’ to settle claims.
Continuing to work on changed conditions at the request of a client to ‘run a tab’ until the end of the project, and not having the original PM there at the end of the project. This is particularly a risk with public sector clients who avoid bureaucratic paperwork.
Being a victim of false over-confidence. It is the hubris of ‘it won’t happen to me,” and therefore, the past lesson learned does not apply.
Not having a pre-designated SWAT team ready to implement crisis plans when ‘black swan’ or unexpected events occur. The SWAT teams should be multi-disciplinary (legal, commercial, technical, media) and available to travel on a moment’s notice.
Not firing clients that were previously unreasonable and litigation-oriented. Having a culture that says, “we have lousy clients…but they are our clients” is a commitment to stagnate low earnings.

Risk management might be a dull topic, but it is a subject that has a higher return on investment than any other corporate activity. Stop the bleeders and make some money!