Today’s interconnected, complicated and occasionally unstable global economy has resulted in a business environment where companies are faced with a complex web of risks that can have a material impact on their business if not managed appropriately.

Product recalls. Food contamination. Supply chain disruptions. Major IT failures. Cyber breaches. Regulatory compliance failures. Fraud. Terrorism. Political instability. Workplace violence. IP theft. Strikes. Natural disasters. These are just a few examples of how a mismanaged risk can quickly turn into an operationally crippling and brand-damaging event for organizations big and small, in every industry, across every geography around the world.

Understanding and managing risk can be a difficult task for any organization but even more so for private equity (“PE”) firms, due to:

  • Quantity and diversity of risk: Ownership in a diverse set of portfolio companies brings with it exposure to an equally diverse set of geographic, operational and industry-based risks.
  • Limited diligence: Due diligence activities often focus only on the evaluation of key strategic and financial risks rather than understanding the more opaque risks a sponsor faces. 
  • No complete picture of risk: Mechanisms to understand the aggregated risk profile across portfolio companies are informal, nonexistent or quickly become antiquated.
  • Uncertainty: There can be a lack of clarity on roles and responsibilities related to the unique shared responsibility of risk management between the PE firm and portfolio company. 
  • Ineffective communication: There is frequently a lack of formalized escalation and communication channels to share information and raise concerns as risks transition into crises.
  • Priorities: A heavy focus on financial growth and productivity can come at the expense of risk management and control.

Unfortunately, for many companies, the realization that change is required comes too late, often following a crisis with detrimental consequences. These could range from short-term operational disruptions to longer-term impacts on brand, reputation, and the ability to meet financial and strategic objectives. Further, crises can invite unwanted media attention, increased speculation and lawsuits from employees and customers, as well as increased regulatory scrutiny.

For example: a private equity firm invested in the oilfield services space in Nigeria without conducting thorough diligence on its joint venture partner. When red flags emerged in the business operation, it was quickly discovered that the private equity firm’s counter-party was highly connected to the top of the Nigerian government, deeply implicated in corruption schemes, and frequently working with unsavory characters. This gave way to concerns about the safety of the firm’s employees as the relationship worsened, a crisis unfolded and external assistance was needed to help evacuate personnel as the sponsor moved to dissolve the relationship.

With all of this in mind, it’s more important than ever that PE firms embrace risk management and build “fit-for-purpose” capabilities to aid them in managing their unique risk profiles. Although risk management capabilities look different from firm to firm, our experience shows that PE firms that do this well exhibit behaviors such as:

  • Setting and communicating expectations: A risk management standard is created and maintained that formally documents minimum risk management expectations of every portfolio company and clearly describes risk management roles and responsibilities for both the portfolio companies and the PE firm.
  • Enforcing expectations: Risk management is a standard “agenda item” during formal interactions between the PE firm and portfolio company (e.g., audit committee meetings, strategy and planning sessions) and actions being taken to reduce risk to acceptable levels are discussed and monitored by the PE firm at an aggregated level across portfolio companies.
  • Preparing for the inevitable: Recognizing that even the best risk management cannot prevent all risks from materializing, baseline crisis management capabilities are in place that include clear escalation and communication paths between the PE firm and portfolio company and help prepare management to be able to respond effectively to whatever crisis they may face.

Recognizing that all companies already manage risk to some degree, we suggest that PE firms ask themselves a few key questions to aid in determining how best to improve their risk management capabilities:

  • How well do you feel your portfolio companies understand and are managing existing and emerging risks resulting from day-to-day operations (e.g., security, compliance), transformational initiatives (e.g., new market entry), or factors outside of their control (e.g., changes in political leadership and/or regulations)?
  • Do you feel your portfolio companies understand your expectations related to risk management? 
  • Do you feel you have sufficient and consistent insight into the key risks your portfolio companies are facing and activities they are undertaking to mitigate the related exposure to both you and them? 
  • How prepared are you to respond to a risk that materializes and transitions into a crisis at both the portfolio company and PE firm level? 

These questions highlight common areas where PE firms often under-invest in risk management capabilities, very often to their own detriment. However, firms that proactively invest the time and resources in “getting risk management right” often experience a variety of benefits, including increased clarity on roles and responsibilities that minimize confusion and improve collaboration; better communication between portfolio companies and the PE firm; increased accountability for risk management activities; and reduced risk of “surprises” or crises occurring at the portfolio company and PE firm levels. Most importantly, companies with robust and proactive risk management capabilities have better information to aid in making informed strategic and operational decisions while protecting their assets and continuing sustainable business growth.


Control Risks helps companies every day, all around the world, improve their risk and crisis management capabilities using proven methodologies, leveraging lessons learned, and tapping into their broad and deep base of subject matter expertise. For more information on how we can help, contact Matthew Hinton at [email protected]

