NetSuite 
Sage Intacct 
QuickBooks 
Microsoft Dynamics 
Jira 
Ironclad 
DocuSign 
Asana 
Slack 
TravelPerk 
SSO 
ERP Integration API 
American Express Card 
Silicon Valley Bank Card 
Every company takes risks.
But not every company identifies, measures, and manages those risks — especially smaller, early-stage companies. The rigorous risk management practices employed at enterprise-level companies that have withstood many economic, political, and market cycles can point the way toward best practices.
It’s likely, however, that early-stage companies that are moving fast, and building products and market share, have a limited view into how any of the significant risks they face can impact their company. Those risks generally include:
- Strategic risk.
- Compliance risk.
- Operational risk.
- Financial risk.
- Reputational risk.
The extent and importance of each of these will depend on a company’s product or services, its business model, and the markets that it operates in.
A concrete risk management strategy starts with companies identifying risks, measuring them, and ensuring they are tracked and reported so that mitigation strategies can be used when necessary. To put it simply, being aware of these risks will enable businesses to make plans to avoid risks, price for them, or deal with them efficiently if and when they arise.
To learn more about risk management and why it is imperative to the success of any company, I spoke with Airbase’s newly appointed Risk Manager, Tom Frantz, who’s devoted his career to studying the innovative aspects of risk management and the impact it has had on the companies he’s worked with. That includes more than five years as a senior risk advisor to Gusto. At Airbase, Tom is now responsible for communicating risk policies and processes to the organization. He provides hands-on development of risk models for the types of risks that Airbase’s business faces, including financial, compliance, and operational risk. He is responsible for ensuring that controls are operating effectively as the company continues to experience rapid growth.
Q: Can you explain risk management and why companies need it?
A: The simple definition of risk management is forecasting potential risks on the horizon and identifying procedures to avoid or minimize their impact. Done right, risk management enables growth. It’s safely extending your product to the maximum number of customers while maintaining the health of your business.
So why do we need it? In organizations, it’s pretty common to under-invest in risk departments, or to keep it very lean because it’s not really viewed as a revenue-driving team. But risk management is as much part of growth as any other aspect of the business. Risk management protects your customers and your company from unacceptable financial loss, and therefore actually facilitates growth in the right direction.
Q: How do you identify potential risks? What does your process look like?
A: I start by thoroughly understanding our product, our customers, our market, and our operational infrastructure to identify buckets of risk that we need to focus on. And because risks are constantly changing, they need to be tracked over time.
There are various ways of tracking risks, and it’s vital to build them into the natural operational flows of your business. For example, if you have exposure to a customer or a vendor, getting the information you need from them at sign-up is part of it. Having your teams trained to watch out for certain flags in their ongoing engagements is also essential.
Q: How do risk managers monitor risks, and what tools do they use?
A: I would say it’s a combination of in-house products that companies build to address their specific needs and then using many third-party vendors.
For example, financial services companies often have a certain amount of credit or counterparty risk, and a tool like Plaid provides insights into companies’ financial accounts. Having this data means that it’s possible to build in-house models to monitor the risk.
The direction we’re moving is to use the aggregated signals from risk events to create complex, predictive algorithms to surface future risk. We’ll also feed confirmed events back into these algorithms to enhance the data and promote machine learning.
Q: What are your crucial risk management strategies?
A: The first seems obvious, but has taken me a few years to learn, and that is to have a simple strategy. Allowing yourself to become too granular with your policy decisions can frustrate internal employees and customers. There can also be quantifiable risks that come with an over-detailed policy that can lead to miscommunications — and that’s a huge problem.
The second is using a data-driven approach. That goes without saying, but it’s an important point to make as it’s super important to rely on the data you have and not make a policy unless you’ve reviewed the data, gone over it, and analyzed it thoroughly. Risks are by nature probabilistic — that is, they describe the possibility of an event that will lose your company money. Therefore, including the probability that an adverse outcome will occur in your measurement will help you focus your energies on the risks that are most likely to impact your business. Risk managers rely on statistical modeling to describe potential outcomes.
Next is making decisions based on growth and scalability. It’s easy to say: “Hey, I want to review everything that has this certain signal.”
But that’s not scalable when you’re dealing with hundreds of thousands of customers. This applies to policy making, operational duties, and one-off situations. Sometimes you have to accept a little more risk to keep your business growing in a traditional risk–reward trade off.
Finally (and this one is always hard for many folks to stomach), it’s looking at loss as an investment in future improvement.
Something I like to say is: It’s not if, but when there’s going to be some problem in your business.
I want to use any loss as a learning experience because each one has its own characteristics. Every failure is unique in its own way, and you can use that to help build out a better product or service for the long run — and that has always been my philosophy.
Q: What qualities make a good risk manager?
A: There’s a couple that stand out for me. I think there’s no substitute for being analytical. Sometimes you have minimal data, but you have to find trends and patterns in that limited information and make high-impact decisions. Having an analytical mind, finding the minor details, and coming up with a conclusion is significant.
An interesting one here is being intuitive. Sometimes you just have a feeling, and you have to roll with that. You don’t know why you have the feeling about a particular risk or a specific decision, but you need to act on that feeling and find the actual data and signals to back that up. You have to listen to your gut sometimes!
I also believe there’s no substitute for being an excellent communicator. For me, this is an essential quality for any risk manager. You couldn’t imagine the number of different stakeholders a risk management team has. It can include everyone from customers, software engineers, product managers, leadership teams, lawyers, and accounting. As a risk manager, you have to deliver the same message in a variety of different ways to very different groups of people — and it generally has the added pressure of having a high-dollar implication! So you have to be correct and be able to communicate that both efficiently and clearly.
Because risk management is a continuous function, that is, there is no set-it-and-forget-it mode, having the right resources dedicated to it is essential. It’s human nature to assume that if some adverse thing isn’t happening today, it won’t happen tomorrow. But a business that never experiences loss is probably a business that isn’t taking enough risks. Risk management lets you be smart about which ones to take.
To learn more about Airbase, contact us for a product demo.
