How to Manage Investment Risk in Emerging Markets
I was recently in a conversation with an investor, discussing opportunities to deploy capital in Africa, where I principally invest. The investor, let’s call him “he”, immediately brought up the subject of risk management. How do you protect against default? What jurisdiction do you operate in? What is your legal strategy? What recourse do you have? Can you seize assets? These may be fair questions (although a bit aggressive I must say), but the speed and intensity with which he asked them was a pretty dead giveaway not only that he had been burned before, but that he was currently in litigation.
Early in my career I worked in the telecom and wireless broadband sectors in emerging markets. We operated in Africa, southeast and central Asia, eastern Europe, and Latin America. I worked with a group of companies, “government contacts”, and entities like the UN’s development agency, UNDP. At the center of it all was an extraordinary entrepreneur who acted as a pseudo mentor to me and my business partner.
At one point he told us an ancient Chinese proverb:
If a man’s word won’t protect you, no amount of paper will.
He had been in a lot of dicey situations, and he always emphasized the importance of trust. But this is the type of lesson that you don’t learn until you experience it. We then learned the lessons ourselves, through decades of experiences, and I feel like somehow the importance of trust is still under appreciated.
We think of trust in a business context through the lens of how easy it is to do business in a country, and the sophistication of rights and protections related to property, copyright, IP theft, corruption, and so on. Countries with strong rule of law, like the Netherlands, Austria, Australia, Switzerland, and Finland score highly, while countries with weak (or nonexistent) rule of law, like Venezuela, Haiti, or Mauritania, score poorly.
But our intuitions, and the use of the word “trust”, are wrong.
In cybersecurity, there is a distinction between trust and assurance. Trust is typically when you have to rely on other actors who may or may not have aligned interests and may act in ways that are unpredictable. Assurance is when you are confident you can rely on predictable behavior because that behavior is typically determined programmatically, by systems that were, until recently, deterministic. These terms are often confused, even in the security industry, but trust means relying on people, assurance on systems.[1]
We seem to be in the modern practice of just using words to mean what we want them to (see “intelligence”, “learning,” “trust”). When we think we’re talking about trust, we’re usually talking about assurance.
High trust societies don’t require a lot of trust, because there is assurance. People feel assured of outcomes. They know if there is an issue, it will be resolved. They know they can enter into transactions with untrustworthy people, because legal codes of conduct translated into norms of behavior combined with technical systems that often manage them suggest that you can be reasonably assured that they will behave in a predictable and appropriate way, and if not, that recourse is available and at least marginally convenient.
In emerging markets, where there is much less assurance, there is a lot more trust. You only go to the vendor that you have a relationship with. You don’t expect every transaction will go smoothly, so you constrain your transactions to those with people whom you have a history with, or that you have reputational networks in common with, or simply situations with low consequences.
Low trust societies run on trust. High trust societies run on assurance.
It’s precisely because of the lack of security and protection in low scoring countries, that trust is more important. Trust matters most in environments of greater risk, because when risk is low, people don’t fear engaging in legal battles to get what they want. Or to do business with people who they should avoid. If things go wrong they reason, there is more straightforward legal recourse. This is a line of thinking usually employed by people who have not actually had to exercise legal recourse.
To be clear, I’m not suggesting to do business in Venezuela, Haiti, or Mauritania. I would avoid it if possible. But I believe that when the stakes are higher, it is more important to focus on trust and only do business in situations that you truly understand and can rely on. In those situations, if you are forced to get into litigation, you’ve already lost. As a result, the primary mechanisms of risk management are twofold: 1) deep trust, and 2) high margin of safety.
Thanks for reading! In a future post I want to dive deeper into what comprises a high margin of safety in Africa.
[1] As a side note, it is incredibly disingenuous to advocate for a security philosophy that prohibits privileged access to sensitive systems and information, but than advocates for an exception to that philosophy when it comes to that security vendor so that they can have total control and surveillance capabilities. This just introduces another and particularly extreme vulnerability that has proven to be a terrible move.