For Risk Management (RM), Best Practices (BP) are sometimes worst practices.

BP’s are not always the best Risk Management approach, especially when there is inadequate consideration of the business’s stage of growth or development, the market and/or competitor landscape, and other aspects of the business environment.

The term “Risk Management” (RM) for this page is refined as follows: RM is shortened from Enterprise Risk Management, with Best Practices (BP) being one of several tools for implementing RM. A broad definition of RM is the process for mitigating the negative effects of fortuitous events across all parts of the organization. We abbreviate the concept to simply “RM”, and this discussion does not include Core Business Risk*.

The Trouble with BP’s – They Are the Best

BP’s can be inefficient and expensive because they are “best” when the best is not what the enterprise needs at the moment. Instead, targeted and efficient practices are more appropriate if they are designed precisely to suit the need. The Goldilocks Zone may suit the need: not too much, not too little, just right for the company, budget and resources. Sometimes cash flow may be the most important aspect of enterprise risk, and so expensive BP’s increase the enterprise risk, i.e. cash flow risk. It may suit the enterprise to temporarily operate with more than comfortable risk and focus less on RM and more on building revenue and/or cash flow, since a failure here could be more immediate and catastrophic.

The true indication of RM excellence is establishing the Goldilocks Zone of risk & reward that is right for the stage of growth of the enterprise.

The Goldilocks Zone of Contractual Risk Transfer** is an example of this balance. Striking the right balance may mean that the Startup in contract negotiations has to convince the other party to accept the Startup’s narrow liability insurance coverage to help control the cost of risk for the Startup. Having less than ideal insurance would not be considered insurance BP.

Timing and Balance – The Goldilocks Zone:

To get the balance right there must be an understanding of the timing of the enterprise’s development.

Here are three enterprise timing indicators and their oversimplified attributes:

  • Startup:
    • Angel investors
    • Handful of employees (probably less than 50 employees)
    • Shoestring budget and likely not yet profitable
    • Founder(s) know 1st names of all employees
  • Surnames:
    • Because there are too many, founder(s) cannot know the 1st names of all employees
    • Management hierarchies begin forming; span of management and lines of communication take shape, sometimes informally
    • RM on the way from “as needed” to “deliberate”
  • Stable enterprise structure – relatively long-term steady state of development
    • Stricter chain of command
    • Formal and informal organizational pecking order
    • External and internal oversight configuration

As an enterprise develops and moves through the above stages from Startup, the Goldilocks Zone shifts as well.

An example of this shift: for a Startup, getting customers may be the highest priority and necessitates taking more risk than in the Surname stage, when development of written procedures for keeping customers safe may be an equal or higher priority. Startups are short of resources, so written procedures may have to be the second priority at the Startup stage and become the focus after the customers are signed up. The Goldilocks Zone may shift from customer acquisition to a blend of acquisition and safety procedures.

BP’s for Startups may not be appropriate or effective, and are likely expensive, thereby taking resources away from new customer acquisition. Also, these days, with the constant and rapid invention of new & unique business models, there are likely few relevant BP’s.

Startups have an inordinate amount of risk but sometimes the successful ones survive because RM flows down from the founder(s) in an unconscious cultural assimilation.

BP’s are often born out of mistakes and/or failures. But at today’s rapid pace of change, learning from mistakes is often too slow.

Fire walls – the old-fashioned kind in olden days – are an example of BP’s developing from trial and error and mistakes. Fire walls are tools of building design that limit the spread of fire in a structure. Improvements on the Fire Wall Standard (BP’s in today’s lingo) were made over time as we learned from mistakes. For example, we learned that fire would spread through unsealed pipe chases, and so BP’s eventually included monitoring and sealing fire wall pipe chases with fire-retardant sealants.

BP’s developed from trial and error are likely to be less relevant for Startups, because of the rapid pace of change, and become more relevant for the Stable Enterprise. As they move through the above 3 phases, the more successful enterprises incorporate learned, relevant BP’s into practice, documentation and communication at just the right time.

Balance, i.e. the Goldilocks Zone, needs to fit the business and the culture. Unless it is an extremely risky business (examples: nutraceuticals, health care, construction, to name a few) with well-accepted industry standards, the culture sometimes largely dictates RM and, as mentioned, BP’s are not as relevant.

It’s important that RM fit the culture so that the process of RM helps craft the business priorities. It must also continually strike the right balance each time the enterprise’s RM needs change. This requires that RM be plugged into, and have honest and accurate communication with, senior management. In other words, have a “seat at the table”.

RM must also continually learn how the risks of the business are changing and how RM must change in parallel. Referencing the BP customer safety example above, the most valuable skill RM brings to the enterprise is focus on relevant BP’s just slightly earlier than:

1) it becomes necessary and/or

2) the competition. Such RM investments, aligned with the culture, are determined by the boundaries of the Goldilocks Zone.

In summary, this all takes finesse, tact, intuition and technical expertise (and maybe some gray hairs), to name a few important traits. Just as important is the drive to make the enterprise succeed and take just the right amount of risk. Especially for Startups, managing risk in the Goldilocks Zone may be one of the most important elements of business success.

For RM to get all this right, he or she must be plugged in at the top. The bottom line is this: if the Risk Manager doesn’t have a seat at the table, he or she might as well be on the menu.

* Enterprise risk = core business risk + operational risk. Simplistically, core business risks (such as market timing) are those that arise as a result of the business decisions taken by management, while operational risks are those that arise as a result of the implementation of those decisions, or from outside factors. In our view, the two main contexts within which operational risk should be considered are (a) in order to meet regulatory requirements or (b) as part of internal management processes.

** Contractual risk transfer is a non-insurance contract/agreement between two parties whereby one agrees to indemnify and hold the other party harmless for specified actions, inactions, injuries or damages.