Risk Management for Venture Capital Firms

Ricardo Taveras
Oct 24, 2018 · 10 min read

A Dynamically Enhanced Strategic Planning Process for Venture Capital Firms Based on Enterprise Risk Management Strategies and Techniques

Venture Capital (VC) firms/funds invest in one of the riskiest asset classes: startups. According to a Harvard Business School report, over a ten-year timeline, 70% of startups failed. In my experience, the reason for failure in most startups is either a lack of good timing between the value proposition of the business and the market’s perception of need; an incorrect strategy on the basis of being uninformed, misinformed or biased; an unsound execution of a sound strategy (what some VCs call “team risk” or “execution risk”); movements in market conditions, including the actionable responses of competitors; an operationally inefficient business model; and, in some cases, inaccuracy of funding needs (having too much money can be as bad as not having enough money). All startup failures derive from the decisions the startup companies make to the best of their capacities, decisions that VC firms in part influence by being part of the board of directors and having voting rights in such startup companies. These strategic decisions can be drastically enhanced by employing a decision-making process based on proven Enterprise Risk Management techniques that cover strategic risk management, operational risk management, financial risk management, and cybersecurity risk management.

These techniques can quantify the overall risk exposure of the portfolio companies of the VC firm, and therefore the total aggregated risk exposure of the VC firm/fund. The VC firm must decide what its desired risk appetite is (which is usually very large). Every important and influential decision made by the VC firm (whether it is a decision impacting the direction of the VC firm or one influencing the decision of a portfolio company) is targeted at managing the risk exposure to within the desired risk appetite of the portfolio companies and the VC firm. This means making strategic decisions to either increase or decrease the risk exposures, depending on where the exposure sits relative to the desired risk appetite.

Setting the Basis

We define risk as any deviation from what is expected, whether it is an upside deviation (opportunity: an unexpected event potentially resulting in a better outcome than expected) or a downside deviation (threat: an unexpected event potentially resulting in a worse outcome than expected). We also define risk by its cause, not by its impact. Therefore, “reputational risk” is not a risk, given that reputational damage is an impact caused (usually) by operational malpractice derived from an operational risk. Risks are represented at three different levels in this framework: Categories, Subcategories, and Risk Definition.

Here is one example of each risk category:

Copyright © SimErgy Consulting.

On the complete list of risk categorizations and definitions, for every risk category, there are 4–9 risk subcategories and definitions that cover the entire spectrum of risks that any company can possibly face. All these risks are covered in this framework. (The table above is an excerpt of such complete list of risk categorizations and definitions).

How Does It Work?

There are four parts to the Enterprise Risk Management cycle for VC firms: Risk Identification, Risk Quantification, Risk Decision Making, and Risk Messaging.

Risk Identification Process

1. Build a baseline financial model with all the value drivers that represent the business model of the company (as well as other financial statements). This is called the baseline model and should represent 20 years of the expected financial projections of the company, as agreed by the company’s strategic stakeholders (Founders, Investors, Company’s Senior Management, etc.). This model serves as the company’s benchmark to determine whether an event can be considered a risk event or not, as determined by how much the event deviates from the expected baseline financial projection of the company. This baseline model will help the risk management professional gain a better understanding of the business model of the startup companies and VC firm, and help his/her preparation for the QRA interview series.


2. Perform the Qualitative Risk Assessment or QRA interview series: The QRA is a series of interviews with key stakeholders of the company in which we ask for extensive information about the possible worst-case risk scenarios, including their possible impact, the probability of occurrence, management’s probable response, etc. Example of a risk description for a B-to-B business in the enterprise software industry: Unexpected employee turnover rate increases from 10% to 40% due to executives’ constant miscommunication, passive aggressiveness, and the company’s operational chaos. Because of this, the value of the company decreases monthly by 7% and the accounts receivable increases by 20 thousand dollars a month. The probability of occurrence is 65% according to the averaged opinion of the entire staff, executives/founders, investors, and other stakeholders such as the subject matter experts. Historically speaking, this interview series has anonymously gathered nearly 120 risk scenarios per company. Please note that the QRA interview series is not concerned with accuracy, but rather with a close understanding of what currently concerns key stakeholders of the company.

3. Organize a consensus meeting with all the QRA contributors of the company, including the board of directors, senior management, and strategically chosen staff. The purpose of the consensus meeting is to collectively choose the key 30 risks facing the company.

4. The key 30 risks facing the company transition to the next part of the risk management framework: the risk quantification process. The risks that did not make the key risks (in this case, the remaining 90 non-key risks) are assigned Key Risk Indicators to track their severity escalation over time and to maintain awareness of when they cross the predetermined risk limits and start to become as severe as the key risks.

Risk Quantification Process

1. Conduct the FMEA (Failure Mode Effects Analysis) interview series: The FMEA interview series is targeted solely at interviewing the subject matter experts for each of the key 30 risks previously selected. In this interview series, the subject matter experts are asked to come up with four different risk scenarios: Very Optimistic, Optimistic, Pessimistic, and Very Pessimistic. Every one of these scenarios is considered a risk, as each represents a deviation from the expected baseline financial projection. The FMEA interview series is not concerned with precision, but rather with gathering detailed information from subject matter experts on what impacts can be in the vicinity of a possible outcome for a probable/impactful risk.


2. Use the baseline model previously built (in the Risk Identification process) to quantify all the key risks concerning their potential impact on the expected cash flow projections and company value. Once every key risk is thoroughly quantified in detail, it is time to quantify the enterprise risk exposure of the portfolio company by modeling and calculating every possible combination of all the impacts and probabilities of all risks scenarios.

3. After calculating the enterprise risk exposure of the first portfolio company, perform these processes for every portfolio company under the VC firm at hand, and add every enterprise risk exposure of all the portfolio companies to obtain the overall enterprise risk exposure of the VC firm/fund.

Risk Decision Making

1. Strategic Stakeholders (founders, investors, and others) must decide the ultimate risk appetite for the portfolio companies, as well as the ultimate risk appetite of the VC firm/fund. In other words, how much probability of losing how much of the value of the company are the stakeholders comfortable with? Brief example of risk appetite statement: The strategic stakeholders need the enterprise risk exposure not to exceed 40% probability of losing 60% of the total value of the company. Thus, that is the maximum level of risk that the stakeholders are willing to accept or consume.

2. The Risk Management expert will collaborate with the strategic stakeholders to formulate decisions and briefly run the suggested decisions through the model of the risk scenario previously built in the risk quantification process, while observing how much such decisions change the company value. After discussing all possible decisions for every key risk, the strategic stakeholders will reach a conclusion regarding how they choose to respond to the risk: strategizing a mitigation plan, transferring the risk, accepting to tolerate the risk, or eliminating the risk.

Putting the decision-making process in context:

2-A. How much the value of the company may decrease if an individual key risk or a combination of any of the key risks occurred. (Keeping in mind that these key risks always represent a highly probable and material threat or opportunity for the portfolio companies and for the VC firm/fund.) Ex: an unexpected, successful data breach/cybersecurity attack due to a lack of email phishing training for employees may result in a ransomware attack (a bad actor/hacker gaining access to a key employee’s password, the company’s networks, computer systems, and valuable information, all while blocking the company’s access to its own data and systems, and then threatening to expose such valuable information unless the company makes a substantial payment of X amount to the bad actor in cryptocurrency). In this example, this risk represents a 72% probability of occurrence and a decrease of 15% of company value.


2-B. How much will the cost of every risk decision decrease or increase the value of the portfolio companies and the value of the VC fund? Ex: In the case of a decision being a mitigation strategy (as a response) for a data breach risk, the post-mitigation company value immediately decreases 0.10% because of the immediate cost of executing that mitigation strategy. After such mitigation has been in place, if the data breach risk occurs, the company value only decreases 0.40% as opposed to 4.5%, and the probability of occurrence decreases from 72% to 15%.

2-C. The same approach applies if the risk represents an opportunity and the mitigation strategy is aimed to increase the risk exposure. Ex: If the VC firm’s risk appetite is an 80% probability of losing 80% of its company value, and their previously quantified risk exposure states that there is a 60% probability of losing 70% of their company value — stakeholders at such VC firm may choose to influence decisions at a chosen company in their portfolio to increase the risk profile of such company and therefore the risk profile of the VC firm to within the previously mentioned risk appetite: 80% probability of losing 80% of company value.

3. The main purpose of making these strategic decisions is to manage the enterprise risk exposure of the startup companies and the VC firm/fund to within the risk appetite that the startup companies and the VC firm/fund decided to consume. These decisions can increase or decrease the risk exposure as wished by the strategic stakeholders/decision makers. This exercise should give decision makers information regarding the probabilistic expectations of achieving the baseline financial expectations of the company, as well as other useful sets of data and knowledge that can enhance and inform the decision-making process of the organization. After the models have been built, running the model should not take more than a few hours (or a few minutes depending on the company), making the decision-making process very accessible to repeat every time there may be a substantial decision to be made.
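The quantification and decision steps above can be sketched in code. This is an added example, not the author's model: it enumerates every combination of key risks, measures the exposure against the 40%/60% appetite statement, and re-runs the model with the 2-B mitigation. It assumes independent risks whose losses compound multiplicatively; the function names and the two non-breach risks are constructed for illustration.

```python
from itertools import product

# Constructed sample key risks: (name, probability, fractional loss of company value).
# "data breach" uses the pre-mitigation figures from example 2-B; the rest are invented.
KEY_RISKS = [
    ("data breach", 0.72, 0.045),
    ("failed funding round", 0.60, 0.585),
    ("key customer churn", 0.25, 0.30),
]

def exposure_distribution(risks, upfront_cost=0.0):
    """Enumerate every occur/not-occur combination of the key risks.

    Assumption: risks are independent and their losses compound multiplicatively.
    Returns one (probability, total fractional loss) pair per combination.
    """
    outcomes = []
    for occurs in product([False, True], repeat=len(risks)):
        prob, remaining = 1.0, 1.0 - upfront_cost
        for hit, (_, p, loss) in zip(occurs, risks):
            prob *= p if hit else 1.0 - p
            if hit:
                remaining *= 1.0 - loss
        outcomes.append((prob, 1.0 - remaining))
    return outcomes

def prob_of_losing(outcomes, loss_threshold):
    """Probability that the combined loss reaches the threshold."""
    return sum(p for p, loss in outcomes if loss >= loss_threshold)

def within_appetite(outcomes, max_prob=0.40, loss_threshold=0.60):
    """Appetite from the article: at most 40% probability of losing 60% of value."""
    return prob_of_losing(outcomes, loss_threshold) <= max_prob

def mitigate(risks, name, new_prob, new_loss):
    """Return a copy of the risk list with one risk's probability and impact replaced."""
    return [(n, new_prob, new_loss) if n == name else (n, p, l) for n, p, l in risks]

if __name__ == "__main__":
    before = exposure_distribution(KEY_RISKS)
    # Mitigation from 2-B: costs 0.10% of value up front, 72% -> 15%, 4.5% -> 0.40%.
    after = exposure_distribution(mitigate(KEY_RISKS, "data breach", 0.15, 0.004),
                                  upfront_cost=0.001)
    for label, dist in (("before", before), ("after", after)):
        print(label, round(prob_of_losing(dist, 0.60), 3), within_appetite(dist))
```

With these constructed inputs the breach is small on its own but tips the funding-round loss over the 60% threshold, so mitigating it moves the exposure from outside the appetite to inside it.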

Risk Messaging

After the decision process has reached its conclusion, it is time to inform the limited partners of the VC fund. These are the most important points that should be expressed:


1. Expose all the key risks facing the firm in detail and the robust process that was used to gather them.

2. Expose each of the decisions that were concluded as risk responses to every one of the key risks. In the case of a risk mitigation strategy — explain the planned execution of such mitigation strategy in detail.

3. Express the change in company value attached to the cost of responding to all the risks.

4. Express what would be the post-response/post-mitigation change in company value in case such key risk(s) happened.

5. Expose the enterprise risk exposure of all the startups and the aggregated enterprise risk exposure of the VC firm, as well as its previously decided risk appetite.

6. Based on the current enterprise risk exposure, express the current probabilistic expectation of achieving the expected baseline financial projections of each startup.

7. Ask for Limited Partners’ input regarding which decisions they recommend as responses to the current risks facing the portfolio companies and the VC firm.

A VC firm that starts its strategic planning with a quantifiable understanding of how to maximize the threats and opportunities facing the firm and its subordinates is likely to enhance the confidence of its limited partners while decreasing the overall failure rate of its portfolio companies. The quantification of an aggregated enterprise risk exposure that represents the overall risk profile of the VC firm is useful knowledge for making decisions, especially when the VC firm and the portfolio companies know how much risk they are willing to take. Filtering the important strategic decisions through this risk management-based decision-making process not only dynamically enhances the decision-making abilities of the startup companies and VC firm, but also enhances the stakeholders’ understanding of the companies’ business models and the potential risks (threats and opportunities) that the startups and the VC firm face.

There is much detail left out of this article when comparing everything that has been described with how it looks in practice. The practical implementation of this dynamic strategic planning process based on enterprise risk management techniques is more comprehensive, and is perceived as more useful, when personalized for the company at hand. Ultimately, this dynamic strategic planning process is aimed at increasing the number of successful decisions that startups make and reducing the failure rate of portfolio companies, while increasing the carried interest that VC firms/funds pay themselves and their Limited Partners.
