The Risk Management rule of...?


As a rapidly growing SaaS software provider, we see a number of KPIs and metrics used to judge the ‘health’ of a SaaS company like Riskonnect. A popular one that has been written about quite a bit is ‘the rule of 40’.

The SaaS rule of 40 is calculated by adding your revenue growth rate percentage to your profit percentage with a target sum of greater than 40%.

As it relates to SaaS company health, this is an interesting measure for judging performance in three situations: when growth is high but comes at the sacrifice of profits due to investments in areas like sales, marketing or products; when growth begins to slow and the question is whether operations are efficient enough to capture increasing profits; or somewhere in between, with good growth and good profitability.

The main point is that while it could be acceptable to have lower profits in exchange for growth, the floor for that trade-off is a sum of 40%.

What is the risk management equivalent to the SaaS rule of 40?  Is there a simple health check that can be used to benchmark an organization’s minimum risk performance level that can be calculated as the sum between growth/profit (opportunity) and realized enterprise risk (loss)?

Is it the risk management rule of 20%?  30%? The answer to that question is likely to be set based upon your specific industry, risk aversion, and size of potential opportunity in aggregate.   

Photo Credit:  Martin Taylor CC BY 2.0

Before we have a look at how this could apply to your business – it’s worth noting that the SaaS rule of 40, like many KPIs, is useful but overly simplistic.  So many additional health-checks are critical to an ongoing and sustained SaaS enterprise: Customer satisfaction and retention, employee engagement, or growth relative to market are a few.

The same could be said about our risk management rule defined above. Not all losses are created equal. Some types of realized risks aren’t acceptable at any potential value. So, we need to factor these into our formula.

Risk Management Rule = (Growth% + Profit%) – (Loss% x Loss Index), where the Loss Index is a multiplier applied to Loss% based on factors such as whether the loss contradicts corporate values, impacts reputation, or overextends the organization.

What does the outcome of this formula look like for your organization?  Is there a threshold that you could establish that helps balance new investments against potential risks to stimulate discussions and analysis of trade-offs and guardrails?

If you can’t, it could mean that you don’t have an applied framework of risk analysis that is ongoing and flowing across the entire enterprise.  It could mean that you can’t identify potential or realized events affecting the organization and manage the trade-offs within your risk appetite.  It could mean that you aren’t geared toward the achievement of more aggressive objectives due to unknown fears related to action.

Photo Credit: Erik Verspoor CC BY 2.0

A digitalized Enterprise Risk Management approach can remove these gaps by:

  • Allowing risk professionals to directly link risks to their organization’s performance
  • Linking identified risks with your organizational functions, processes, and objectives, allowing you to consider risk exposure when evaluating new risk
  • Assessing these risks using likelihood / impact criteria and stakeholder feedback to drive configurable scoring and impact evaluation
  • Evaluating scenarios and playbooks related to top risks and keeping an up-to-date and aligned view of unrealized and realized risks

A system with loss through risk (amplified by the Loss Index – Likelihood & Impact) linked to objectives (growth and profit goals) can provide the baseline necessary to determine your risk management rule.

What does a risk/reward threshold look like in your organization today?  How are you linking goals to risks and quantifying the trade-offs? I’d love to have your comments below about how enterprise level operational risk is being quantified to help make strategic business decisions in your organization.





