For whatever reason, my conversations during the first month of 2017 have focused disproportionately on risk - quantifying it, understanding it, controlling it, or avoiding it altogether. I don't know if it's the prevailing social and political winds or just a random sequence of discussions, but risk seems to be on the mind of all of my clients, prospects, and partners.
Here are two highlights from my risk-laden January:
Middle Market Risk
I presented to the Exit Planning Exchange this month on how operations can be used to increase the value of a business prior to an exit. The case study we worked through, which was based on a real business, involved a lower middle-market company that couldn't drum up any interest from 30+ strategic buyers, and only a little low-value interest from 120+ PE firms.
The company certainly had some value drivers to explore, but my judgement was that to increase the pool of potential buyers, the main thing they needed to do was decrease the risk of acquisition.
I explored the three main areas I felt were the likely reasons for this lack of interest:
1. Key Man Risk
Where you see it: Most middle-market companies have key-man risk in spades. As they grow, and especially as they grow towards a majority investment or exit, that key man risk becomes more and more costly
Control it by: 1) Building a professional management team; 2) developing management disciplines like project planning, portfolio management, implementing smart performance management frameworks; and 3) understanding KPIs and start holding managers accountable for them
Pay particular attention to: 1) Sales organization - if most sales are relationship-based, those cannot be replaced just with business processes. Reducing risk will involve warm intros to other salespeople - either up or down the chain; 2) Operations - if only one or two people know all the ins and outs of your production process, that means everyone else is operating in a silo. Use small improvement projects, technology projects, and promotions to expose other people to and create accountability for end-to-end business processes
2. Geographic Risk
Where you see it: Most lower middle market companies. It's far easier for founders and owners to manage people who are physically close to them. Any company outside of the high tech sector that has grown from an SMB to a larger business is susceptible to this risk
Control it by: Build disciplined core business processes, implement easy-to-use cloud-based enterprise systems, roll out management KPIs, and then hire great people
Pay particular attention to: It may be tempting to hire the most technical, specialized people you need for a new region first. In reality, you also need to know how to manage them. A slightly larger upfront cost structure to an expansion may result in faster, more sustainable results.
3. Vendor / Customer Risk
Where you see it: Companies that have a concentration in a small number of products or who serve industries that are dominated by a few large companies
Control it by: For vendors, diversify the portfolio a little bit. For customers...well you're going to need to sell more. Nothing overly complicated there.
Pay particular attention to: For vendors pay attention to quality. If you need to, institute stringent quality thresholds before adding new vendors to the portfolio - at least for critical goods. For customers, build some relationship walls around existing customers and be very strategic about how to/whether to sell to their direct competitors.
It seems that not a month goes by without being exposed to some new information about the prevalence and cost of cybercrime. Middle market companies are especially vulnerable.
At a January conference organized by Staffleader, several people spoke about the trends and costs of these intrusions to the community. I had three key takeaways from the event which apply to nearly every organization I interact with:
- You are vulnerable and, if you haven't been compromised yet, will at some point
- If your business is compromised it will be expensive to fix, even if the only cost is figuring out who you are legally obligated to report to. If customer data is compromised, the cost will be exponentially higher.
- Malware is a pain, ransomware is a pain, and viruses are a pain. But if you have good IT infrastructure and a well-designed (and tested!) backup system these risks are largely mitigated. Data breaches are much worse, and most of them will occur because of human error from people who work for you.
- Staff training is key and something you can start now
- Spending a little money on prevention and a good data breach response plan now can save you a lot of money and significant reputational damage later
- Your current insurance probably does not include breach insurance. If you don't have a cyber policy, it's worth pricing one out. From the numbers I've heard here and elsewhere they are not terribly expensive
Value is always the most fun thing to think about, but when choosing where to invest don't forget about risk. Some risks need to be controlled for now, others can wait for later, but either way they should be included in your roadmap.
Value investments will compound over time, risk will not, so pick your value investments for the most long-term potential and your risk investments for when they will most need to be controlled.
It will just take a few poorly controlled risks and one piece of bad luck to unravel years of great results from value-focused investments.