3.11 Risk Assessment

As the depth of Board oversight continues to increase, an area that is receiving more attention is risk assessment and risk management. Inevitably, this task will devolve to the CFO. He will then be responsible for identifying the sources of risk and developing plans to mitigate them. The Board may wish to hear and question a report on risk from the CFO from time to time.

In a tech start-up, the risks are legion and the ability to manage most of them is often limited by few resources. However, current thinking is that early-stage companies can and should manage the following risks:

  • Intellectual Property: For a tech company, the IP is its family jewels. Key innovations should be patented or trade-marked, if feasible. Importantly, all employees and contractors must have in place an employment or consulting agreement which clearly transfers all IP to the company.

This requirement is highlighted because the risk to the company is existential: the due diligence performed by potential investors and inquisitors will focus heavily on this area. If the risk of leaky IP appears to be too great, then the potential investor or buyer may withdraw, as they are loath to take the risk that the IP could partially reside with entities that are not controlled by the company.

  • Contracts: There are standard form distribution contracts, joint-development agreements, manufacturing license agreements, etc. Companies can beg, borrow or steal templates of standard agreements from other companies to avoid the heavy expense of developing them from scratch with a lawyer. All material business must have contracts in place to protect the company’s interests should events not turn out as expected.
  • Employment agreements, incentive plans, equity plans: The relationship between the company and its employees, and between their performance and compensation, needs to be clearly laid out in contract form. There is no greater negative impact on morale than for an employee to discover that his extensive efforts do not result in the reward he was expecting because the rules were not well established.

Most companies implement employee stock or share option plans early on in their development. A stock option plan must be in place before options are granted, or the company risks compromising the integrity of its capital structure. This is not only an embarrassment but is quite expensive to fix later to support a professional financing.

  • Management Information Systems: Pulling the plug on the server or crashing a disk drive should not put the company at great risk. Backup systems and disaster recovery plans should be in place and tested.
  • Building and equipment insurance: It is relatively simple to purchase insurance for standard perils.

The Board’s role is to request management to report as to the state of its risk identification and mitigation. It may be important to have management report not only on the risks they have mitigated, but also on the risks that have been identified but will not be mitigated, and the reasons why. This is part of the due diligence that the Board should do in its fiduciary duty to protect the company.