
    Rethinking Corporate Risk Management: Evolution, Roles, and Best Practices

    Clients that have experienced claims typically have a greater appreciation of how catastrophic and frustrating a claim can be without strong risk management partnerships. Much like a teenager who is rebelling against their parents, some startups have to learn the hard way before they reach maturity. This is one of the reasons first-time founders don't think about insurance too often, while 65% of repeat founders address insurance in the seed stage.

    What is Risk Management?

    Risk management is an essential component of the success of all high-growth companies.

    At its core, risk management involves the identification, interpretation, prioritization, and mitigation of cross-functional risks and uncertainties with the potential to harm an organization's operations, finances, or reputation. Risk management is fundamental to corporate success and, as a company grows and matures, its risk management should keep in lockstep.

    In this blog post, we explore how risk management should evolve in real time with company growth. We also challenge the idea that any one person or department can effectively manage all risks. Finally, we discuss best practices for developing a cohesive risk management program and where a company should look to specialized technology products and partners to mitigate risk effectively.

    The solution proposed focuses on several of the risks unique to fintech firms, including regulatory risk, vendor relationships and data loss. We propose a cohesive solution developed by Vouch and Basis Theory: a robust, specialized, plug-and-play risk management program that allows your high-growth firm to focus on its core business functions.

    Standard Risk Strategy

    How is Risk Management handled today?

    When we look at the macro environment of fintech startups, we know that risk management strategies are generally an afterthought and therefore lag the maturation of the company. The current standard for first-time founders is to purchase no insurance, or only the bare minimum protections needed to do business. As the company progresses, we often see a rush by new company stakeholders to fill in gaps at suboptimal times, generally at a tipping point for the company’s success. Interestingly, the opposite is true for successful repeat founders, who have learned to address risk when it is small, easy, cheap and malleable, through the high-growth stages. If this sounds far-fetched, we challenge you to reach out to four successful repeat founders and ask whether they put risk safeguards (insurance and security) in place early in their latest venture; three of them will say yes.

    In the earliest stages, companies tend to have no clearly defined risk strategy or philosophy, and implement the bare minimum protections necessary to satisfy contractual obligations. As these companies hit high growth, they tend to have turnover, make mistakes and assign specific risk-related tasks to different functional areas within the company, including the CISO, GC, CFO, and COO. Finally, in the pre-IPO stage, there is often a central risk manager or an enterprise risk management department that consolidates these diverse functions under a single risk manager.

    Given the speed at which companies grow pre-IPO, it’s important for each company to confront the idea that risk management is best handled by an ever-changing group of individuals or departments. Companies should also be cognizant that risks are not quarantined; they are always cross-functional. If cybersecurity fails (CISO), litigation ensues (GC), financials will be impacted (CFO) and operations will change (COO).

    It should also be noted that if your senior staff are spending too much time on non-mission-critical projects (insurance, data security, etc.), you are likely inhibiting the growth of the company's core business.

    Best practices today include utilizing an ecosystem of nimble, expert partner firms who have seen the same rapid growth hundreds of times for similar clients and will provide expertise, stability and consistency to your firm’s evolving risk. Specialization in regtech, insurtech and data security has created a suite of incredibly precise, scalable products that are able to speak to the proper parties at the firm, no matter the stage of growth.

    Best Practice Risk Management for Companies at All Stages

    As companies progress through the growth cycle, their approach to risk "matures." In the early stages, companies tend to perceive risk as low and are time-constrained. While that perception is logical on its surface, unmitigated risks are often mission-critical for early-stage companies. For example, a $1,000,000 claim may not be terribly detrimental to a Series C company with hundreds of millions raised, but the same lawsuit could, and probably would, put a seed-stage company out of business.

    IPO-stage companies tend to understand the concepts of risk retention, mitigation, elimination and indemnification because they have entire departments dedicated to this analysis. They are not able to simply plug and play technologies to prevent risk, because the firm is too late in the game to make nimble choices and implement new technologies over a long weekend.


    There are a few questions that should be asked and answered by your firm:

    1. Do you plan to grow fast?
    2. Do you plan to grow big? 
    3. When should you worry about risk? 

    We can gloss over 1 and 2 as “yes.” So, to get into question 3: when is risk important?

    Risk management implementation is incredibly simple when a company is small and remarkably clunky when a firm is big. In other words, no matter what stage your company is at now, it will be harder to create a cohesive structure for risk management the more you grow. More directly, the best practice for timing is as early as possible, and with partners that can grow with you.

    Take insurance as an example. Seed companies probably need a few coverages: General Liability, Business Property and Cyber. You should not go out and buy every coverage available and call it risk management. Rather, you should find a partner like Vouch who can help you build the best insurance solution at every stage, from pre-seed to IPO and beyond.

    If you wait until you have a lawsuit, or a coverage requirement to satisfy a large contract, the results will necessarily be suboptimal. We recommend engaging with trading partners well before you need them. It signals to important stakeholders that you take risk seriously.


    Another equally important area is data security and compliance. When a company is starting out, it is often either too small to be a concern for regulators or does not yet need the compliance certifications required by enterprise customers or partners. The data and security practices that develop around open internal access to data, so that teams can move quickly, become an impediment later when access controls and security processes are needed for regulated data. A tokenization solution like Basis Theory can enable you to protect sensitive data early on while still letting teams move quickly, without introducing delays from security and compliance practices and training.

    Solution - Outsourcing

    It is fascinating that while high-growth companies are acutely aware of the value their firm is adding to the tech world, they often overlook the same specialization/value that exists in the very same “risktech” ecosystem.  

    If you are building the next great AI-enabled fintech company, should you really be learning insurance? Should you also be learning how to integrate data protection through tokenization, and how best to present that to your insurance carrier to save premium? While these questions may sound rhetorical, few high-growth companies outsource these critical risk functions effectively.

    To give an example, if the CISO uses Basis Theory to protect data, this will be reflected in the premiums Vouch charges for insurance, as we appreciate the fact that you are mitigating risk with a trusted partner. Further, if the GC is properly mitigating risk through top-notch business practices, and the CFO is using the best payment partners for payments, then we know data and payments are protected.

    The key component of the process is trust in vendors. Our approach is to put our money where our mouth is: if you use proper controls to mitigate the probability of litigation (Basis Theory), then Vouch will charge you less money. This cohesive system is intended to prove, without your firm vetting every vendor, that there are ways to achieve control of risk, and that this control is reflected in your premiums.

    Stakeholders (GC, CFO, etc.) should collaborate, and their risk prevention (Basis Theory) and risk mitigation (Vouch/insurance) strategies should work together. It is crucial to recognize that the different tools used should coexist and interact with each other to provide robust risk shifting and avoidance. Through technology and partnerships, separate specializations can seamlessly integrate into a risk management program for the firm.

    Vetted Partners

    Risk sharing between firms and validation of partners is one way Vouch views the collaboration and cohesiveness of risk management strategies.  These partnerships exist because we find the right partners in the crowded tech ecosystem. 

    At Vouch, one of the services offered is a partner platform of approved partners to help clients develop a professional-grade Risk Management Program. This platform helps clients navigate the complexities of selecting the right partners to integrate into their risk management program, ensuring that all tools coexist and interact seamlessly. With Vouch's partner platform, clients can develop a cohesive risk management strategy that effectively mitigates all identified risks.

    How Can a Firm Act Through Multiple Internal Stakeholders to Build a Robust Risk Management Program?

    As previously noted, risk prevention and mitigation are cross-functional. Specific to fintech firms, highly specialized and unique hurdles come from an amorphous regulatory repertoire, and data loss is a never-ending game of tag. Basis Theory is a front-end preventer of risk in these areas, while Vouch is the last resort for litigation costs and settlements. Together, Basis Theory reduces regulatory risk and limits the usefulness of data if it is lost, and Vouch mitigates the costs and damage of litigation.


    Basis Theory is a platform that offers a tokenization service, providing businesses with a secure and reliable way to protect their sensitive data by removing it from a company's databases while still providing access to the systems that need it. By using Basis Theory, businesses can ensure that their data is stored securely, and they can mitigate the risk of data breaches and cyber-attacks.

    One significant advantage of using Basis Theory is that all compliance and security requirements can be handled within the vault because a company's systems are de-scoped from the risk. Evolving security practices and compliance requirements are handled by the tokenization platform and any potential security or compliance issues are handled by Basis Theory. As a result, businesses can focus on their core operations, knowing that their sensitive data is being protected by a trusted partner.

    If a client does not have Basis Theory, from the moment they receive customer data, they take on all risk associated with it. Basis Theory guarantees regulatory compliance, mitigating this risk. Without Basis Theory, from the moment a client passes data to a vendor, they are responsible for a breach of customer data at both the client and the vendor. Basis Theory tokenizes that data, making it useless to anyone who obtains it, or keeps it in the hands of the customer, thus mitigating this risk.
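    As an added illustration of the de-scoping idea in the three paragraphs above: the sketch below is constructed example code written for this post, not Basis Theory's own API or product code. The `TokenVault` class, the `vault:reveal` scope, the simulated application table and the test card numbers are all assumptions. Plaintext lives only in the vault, the application stores random tokens, and a scanner run over a simulated leaked copy of the application's table shows what an attacker would actually get with and without tokenization in front of it.

```python
"""Constructed tokenization example (illustrative, not Basis Theory's code)."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed test card numbers (industry-standard test PANs, not real accounts).
CONSTRUCTED_PAN_A = "4111 1111 1111 1111"
CONSTRUCTED_PAN_B = "5555 5555 5555 4444"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers; used by the leak scanner."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The single place plaintext lives; everything outside it holds tokens only.

    Hypothetical helper for this post. A real vault would encrypt the store
    at rest and enforce scopes via an identity provider; the shape is the point.
    """

    def __init__(self, hmac_key: bytes):
        self._store: dict[str, str] = {}   # token -> plaintext
        self._index: dict[str, str] = {}   # HMAC(plaintext) -> token, for dedup without a second plaintext copy
        self._key = hmac_key

    def _fingerprint(self, value: str) -> str:
        # Keyed hash: lets the vault recognise a repeat value without an unkeyed, guessable digest.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        if fp in self._index:               # same card seen before -> same token
            return self._index[fp]
        token = "tok_" + secrets.token_urlsafe(24)   # random; carries no information about the value
        self._store[token] = value
        self._index[fp] = token
        return token

    def detokenize(self, token: str, caller_scopes: set[str]) -> str:
        """Only callers granted the (assumed) vault:reveal scope get plaintext back."""
        if "vault:reveal" not in caller_scopes:
            raise PermissionError("caller lacks vault:reveal scope")
        return self._store[token]

    def last4(self, token: str) -> str:
        """Display-safe projection: enough for a receipt, useless for a charge."""
        return self._store[token][-4:]


def build_app_db(vault: TokenVault | None) -> list[dict]:
    """Simulated application customer table, with or without the vault in front of it."""
    rows = []
    for name, pan in (("alice", CONSTRUCTED_PAN_A),
                      ("bob", CONSTRUCTED_PAN_B),
                      ("alice-2nd-device", CONSTRUCTED_PAN_A)):
        rows.append({"customer": name, "card": vault.tokenize(pan) if vault else pan})
    return rows


def scan_for_card_numbers(rows: list[dict]) -> int:
    """Breach-impact check: count values in a leaked dump that look like real card numbers."""
    hits = 0
    for row in rows:
        for value in row.values():
            for run in re.findall(r"\d(?:[ -]?\d){12,18}", str(value)):
                if luhn_valid(re.sub(r"\D", "", run)):
                    hits += 1
    return hits


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    print("card numbers recoverable from a leaked plaintext table:",
          scan_for_card_numbers(build_app_db(None)))
    print("card numbers recoverable from a leaked tokenized table:",
          scan_for_card_numbers(build_app_db(vault)))
```

    The leaked tokenized table yields nothing the scanner recognises as a card number, which is the de-scoping argument in practice: the application, its backups and any vendor it forwards the table to hold tokens, and only the component with the reveal scope can turn a token back into a value.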

    At any time, litigation can ensue, whether regulatory, shareholder, or any other form. Clients need to have insurance to mitigate those costs, which is where Vouch comes in, offering indemnification for these risks. By combining the services of Basis Theory and Vouch, Fintech firms can build a comprehensive and effective risk management program that mitigates all identified risks.


    Effective risk management is essential for any business strategy and, as companies grow and evolve, their approach to risk management should also mature.  Firms should also collaborate with partners to ensure that their risk management strategy is comprehensive and effective. Fintech firms, in particular, face unique hurdles, including regulatory risk and data risk, but with the right tools and partnerships, they can build a robust risk management program. By combining the services of Basis Theory and Vouch, Fintech firms can mitigate all identified risks and ensure that their operations, finances, and reputation are protected.