Who takes care of risk management in fintech startups?
Executive Education / 4 August, 2017
  • Share

  • 1086

  • 0

  • Print
Dozent, Gründer der NomoRisk GmbH
Stephan Hartenstein ist Risikomanagement-Experte mit 15 Jahren einschlägiger internationaler Erfahrung aus leitenden Positionen in führenden Instituten. Als Dozent der Frankfurt School gibt er sein Wissen in Seminaren zu MaRisk, Informationssicherheit und Risikokultur an Fach- und Führungskräfte weiter.

To Author's Page

More Blog Posts
Drei betriebswirtschaftliche Begriffe, die Sie kennen sollten
Standardisierung des Projektmanagements beim Global Player NORMA Group
Über die Herkunft des Begriffes „Artificial Intelligence“

Almost invariably, discussions of fintech startups focus exclusively on their disruptive potential and the speed with which they are capturing market share. Some experts worry about the regulatory grey areas in which fintechs often operate – and yet, interestingly, much less is said about the way they handle risk management. Why is this? As any venture capitalist knows, investments in startups carry huge risks.

Depending on their strategies and business models, fintechs[1] are not significantly different from conventional financial services providers in terms of the types of risk they incur. If we assume that their owners or shareholders, supervisory board members and executive directors all share a lively interest in the risks affecting their businesses, hence also in ensuring that suitable risk management structures are in place, we may also assume that the subject of risk management should appear on the agenda at each and every meeting of the above stakeholders – as indeed it does in other companies. And so it should: risk management makes a crucial contribution to a company’s ability to develop steadily while avoiding costly mistakes (risk events), hence plays an important – if not the most important – role in determining the organisation’s overall wellbeing. But if we accept this premise, we must also accept that the approach frequently adopted by startups – whereby they first build up their business and only later (cash flow permitting) invest in “useful but non-essential” items such as risk management, quality control, internal audits and so on – is quite simply untenable, precisely because companies face some of their greatest risks during the startup phase.

Benefitting from financial services providers’ risk management experience

So why not make use of the conventional financial sector’s experience and set up similarly effective (albeit suitably modified) risk management systems in fintech startups? It goes without saying that compared to the usual solutions adopted by conventional financial services providers, certain adjustments would have to be made to match the idiosyncratic requirements of a fintech risk management system. But then, the same is also true of the risk management systems used by conventional financial services providers, which often differ substantially depending on each company’s business model, hence on the requirements that determine what kind of risk management system is most suitable in each case.

The first step is to carry out a comprehensive risk assessment to identify all material risks of relevance to the fintech company. The “usual suspects” for financial services providers – hence also important for fintech startups to consider – are credit risks, interest-rate and foreign-currency (exchange-rate) risks, counterparty (default) risks and operational risks, including risks related to information security. Fintech startups should also pay attention to the following especially relevant risks: strategic risks, liquidity risks and special circumstances associated with operational risks.

Let us start with the last-mentioned type of risk – special operational risks. The company’s dependency on key personnel should be analysed in detail. It is vital to identify and evaluate the roles of key individuals so that appropriate steps can be taken to minimise the risk of their absence or unavailability, but also to prepare for their possible absence or unavailability.

Because startups are usually young companies with a predominantly youthful workforce, high priority should also be given to analysing process risk and the risk of human error. In turn, these risks should be taken into consideration when setting up internal controls – albeit without unduly hampering the flexibility so necessary to the company’s success. At the same time, while a company’s flexibility and openness to change are essential characteristics during the startup phase – enabling the organisation to respond rapidly to unexpected developments or spontaneous new requirements – they are also a source of exacerbated operational risk. This is because constant change can eventually result in uncertainty as employees become confused about which processes are still valid, or who has responsibility for what.

The importance of well-designed IT systems

Even more important, however, are the risks associated with information security. A fintech startup’s success depends very largely on the successful development and operation of suitable IT systems. Particular risks arise from young developers’ preference for rapid programming results over carefully considered models. Unfortunately, this means they tend to ignore the need for and efficiency of painstakingly formulated functional specifications signed off by product managers, as well as system models and even IT documentation. This attitude regularly results in significantly higher development and maintenance costs. The belief that such costs are obviated by agile programming methods is a misconception – in fact, the associated risk is greatly increased wherever senior managers are also “infected” by this belief. A talented coder does not necessarily make a good CTO or CIO, let alone a CEO. Furthermore, the ability to code at speed is not always preferable to quality, even though certain fintech models are subject to fierce competition in which the struggle for market share depends on high-speed growth. Quality deficits can rapidly destroy any early success in building market share. Regular reviews of IT processes by experienced IT auditors, and the implementation of an information security management system based on, for example, BSI or ISO standards, are undoubtedly helpful in avoiding aberrations or dead ends during the early stages of a fintech’s development.

Another crucially important factor for startups to consider is their liquidity (cash flow). To efficiently manage a fintech startup’s liquidity risks, the same elements that comprise liquidity management systems in other companies should be put in place right at the outset: a spreadsheet-style overview, key liquidity figures, a liquidity cushion calculated from specific liquidity risks, and access to alternative sources of finance in case of “emergencies”. This may appear unnecessary to many startups because the equity injected by investors has set them up very comfortably for the initial phase. And yet this cosy situation can change all too swiftly in response to changing circumstances (sudden business success; unexpectedly high costs). In such circumstances, the ability to manage liquidity efficiently is essential for survival.

Reviewing business processes and business strategy

The final type of risk that strongly differentiates startups from well-established companies is strategic risk. Compared to established companies, startups must review and if necessary make radical changes to their business strategies more often and more rapidly. This is not to say that established companies can afford to simply relax back and see what happens, but – depending on their financial stability – they do have the luxury of preparing adjustments to their strategies over extended periods, whereas startups may have to redefine both strategy and objectives in a matter of weeks. This requires the essential ability to rapidly identify strategic necessities and implement them in radical ways – an ability that is normally a standard feature of startups and their management teams. But to be quite sure that the relevant risks are identified and evaluated so that appropriate action can be taken, setting up a r
isk management system is clearly the right thing to do.

Supervisory board: significance and function

So who should take responsibility for setting up a suitable risk management system in a new fintech startup? As in other companies, this is really the responsibility of the supervisory board, upon receipt of appropriate instructions from the company’s owners or shareholders. After all, the supervisory board is charged with ensuring that the company in its care takes the right strategic decisions and puts them into practice. Doing so requires a smoothly functioning risk management and control system.

When should a startup set up a risk management system? Clearly right at the start, in the manner most appropriate to the company’s current stage of development! But of the many startups that attempt to establish themselves and achieve business success, only a very small minority actually follow this advice. For most of them, success fails to materialise despite their highly promising business models. The answer to the question of what causes a startup (or indeed any other company) to fail is largely related to in-house risk management, irrespective of the stage in the company’s development at which it starts to fail. Thus managers, supervisory board members and shareholders are well advised to invest in this function at the earliest possible stage. This will increase the company’s chances of success and enable the startup to become profitable before it runs out of equity capital – or investors run out of patience. Indeed, this step should be taken even if the relevant regulatory requirements have not yet been clarified. After all, the aim is not to satisfy regulatory authorities, but to stave off possible harm to the company.

[1] By “fintech”, I mean companies that provide streamlined financial services based on new technologies.