Logical assessments
In a previous newsletter, I discussed the 80/20 principle in assessments. This principle involves developing risk assessment tools that can quickly identify the 20% of activities that are responsible for 80% of the risk. This approach is particularly useful when analysing your company or a few critical third-parties (such as JV partners, sole distributors, portfolio companies, etc.). It allows you to focus your time and resources on understanding that 20% in depth, using various tools like interviews, workshops, surveys, and document reviews. However, what if you need to conduct desktop assessments across a broader field of third-parties?
I’m currently engaged in an interesting project with an impact fund. They’ve asked for a tool that can customise and assess risk simultaneously. I’ve previously developed similar tools using software and if/then logic, but the requirement for this tool to be in Excel adds an extra layer of complexity.
What sort of logic are we talking about? Well, the assessment tool will span environmental, social, and integrity risk topics, so let’s use the UK Bribery Act guidance to give some examples:
– Country risk
– Sector risk
– Transaction risk
– Business opportunity risk
– Business partner risk
The relevance of each risk area depends on what the (proposed) investment does. For example, country risk factors are more salient if the company interacts extensively with the state (e.g., government contracts, mandated state-owned enterprise partners, etc.). Different sectors have nuanced risk profiles – questions around land (acquisition, consent, access, community rights, etc.) are highly relevant in renewables projects but less so in an online pharmacy disruptor (where licensing, customs, counterfeit, cold chain, etc. become more appropriate).
Transaction risk is a world of “if/then” logic. If a company forbids gifts, sponsorships and donations, you don’t need to ask as many questions as you might of the firm setting EUR 200 per person limits for a business operating in places where that sum can go very far! Similarly, suppose a company relies heavily on third-parties (distributors to EPC contractors). In that case, you must ask different business partner risks to an organisation with few partners beyond a total reliance on one logistics company (clearing customs).
It’s logical but surprisingly complex. And we haven’t even got to the scoring. Some questions are binary; others exist on scales (e.g., frequency or volume). But scoring must make sense.
It will be worth the effort. Properly assessing risk informs decision-making and rightsizes all that follows (due diligence, monitoring, oversight, etc.). Is your risk assessment bespoke to what you do? If not, let’s chat.