Risk management - Risky business
This exclusive extract from a forthcoming publication by The Association of Corporate Treasurers shows how business risk is something to be managed, rather than avoided at all costs.
Early in 1990 US scientists discovered that the purified water theyation of Corporate Treasurers shows how business risk is something to be managed, rather than avoided at all costs. Association of Corporate Treasurers. were using in their experiments was in fact contaminated. That water was Perrier, a brand name for which purity was the major selling point.
Within a few months Perrier’s share of the bottled water market in the US had fallen by 30%, and by 40% in the UK. Shareholder value had been destroyed, the motivation of management undermined and confidence in the future threatened.
Why did this happen to Perrier? Like many large, global organisations, Perrier prided itself on being a decentralised business in which each subsidiary operated autonomously. But subsequent analysis showed that this style of operation had seriously impaired the organisation’s ability to both detect and manage the consequences of risk. During the corporate panic that followed the original discovery of benzene and carcinogens by the US scientists, a variety of causes were uncovered, including local North American factors, problems in the bottling line, and later faults in the filtering system. As different parts of the organisation came up with different answers, the market lost confidence. Management teams in the US, France and the UK all reacted differently, creating further confusion.
It is clear with hindsight that Perrier had no coherent plan for dealing with this operational risk even though it must have been one of the most likely that it faced. The risk and its sources had not been explicitly identified across the organisation. The consequences to Perrier’s reputation, its brand value, and the overall financial impact could not have been rationally assessed. There was no coherent management plan for addressing the risk. Such a plan might have included eliminating some sources of the risk by updating equipment and improving quality assurance. Neither was any management plan developed to minimise the consequences for Perrier should such an incident – the “risk event” – occur. While some of the autonomous businesses within the Perrier organisation had clearly evolved a crisis management plan, this knowledge and awareness had not been shared with other businesses in other locations.
It must be concluded that there was no explicit, co-ordinated risk management function across the Perrier group. The Perrier organisation, as The Economist observed, was one in which managers were wrong-footed by corporate crisis because they were used to shaping events, and not to having events grasp, control and shape them.
Risk: an inclusive approach
The Association of Corporate Treasurers (ACT) has spent two years researching how firms manage risk, and will shortly be publishing the results. They show that many companies want to develop an integrated approach to the management of risk, embracing both operational and financial risk. However, we found that they are struggling to define precisely what is needed to achieve such an approach. Most of the companies with whom we have talked have, following Cadbury, reviewed the risks which their businesses face.
The degree of thoroughness has varied – reflecting, as always, the strength of the existing risk management culture, the recent experiences of the organisation and of the individuals who make up the senior management team, and the extent to which third parties (shareholders, auditors, bankers) are able to exert pressure.
We did not find any organisation that claims to have fully implemented a satisfactory consolidated measure of risk (ie, one which is meaningful for management purposes). But organisations did believe that managing risk better is a key factor in differentiating their performance in the market-place and are investing in the attempt to measure risk and create a tool which helps them to manage their business better.
From our discussions and research we have developed a framework which, we hope, will help achieve this integrated approach. It seeks to assist directors in meeting their responsibilities in the management of the full spectrum of business risk.
Risk is an intrusive issue, so we propose an inclusive approach to its management. This approach builds on the skills of those already involved with particular types of functional risk, such as the insurance manager who focuses on compensation for certain events, the treasurer with a mandate for financial risk management, the operational manager concerned about the production line, or the human resources officer embroiled in pay negotiations.
It brings together the analytical approach that has driven financial market solutions and the instinctive response that is applied elsewhere.
The result is a more comprehensive approach, a means whereby those at the top can feel more comfortable that the full range of risks – from those on the shop floor in Asia to those implicit in the corporate strategic plan – are being managed. As things currently stand, many of those with risk responsibilities perform them unaware of their impact on the company’s ability to deliver its objectives to stakeholders.
Categorising risk
To make a start, it is helpful to set down what is at risk. For many companies, reported financial performance and strength (its profit & loss account and balance sheet) and the share price seem to be directors’ prime concerns. For others, it may be the protection of brand names, credit ratings, or reputation. These concerns will be reflected in the business objectives and evidenced in strategies, plans and budgets.
A practical definition of risk may therefore be a “threat that a company will not achieve its objectives”. It is particularly useful if the objectives include maximising the business’s potential, because risk is then seen as a natural and manageable consequence of pursuing business opportunities.
The minimum performance criteria may be those which, for example, ensure the continuity of investment plans, meet bank covenants, or honour shareholder undertakings.
On the other hand there are risks, sometimes termed speculative, which are incurred as an accepted part of a business enterprise, as the corollary of reward. In this sense risk is a movement in either direction, because of uncertainty as to whether a gain or loss will occur. In these cases, the underlying objective of management is to maximise profit. Operational or line management is normally responsible for this type of risk, with the treasurer assuming responsibility for risks where the gain or loss is due to potential changes in financial prices (ie, market risk).
By viewing risk in terms of the variability of assets, earnings or cash flow – all of which can include an upside as well as a downside – risk becomes an unexpected change in value; a likelihood that something good won’t happen is as much of a threat as that something bad will happen.
A year ago, Microsoft’s Bill Gates admitted that the world’s biggest software company had almost missed the most important event in the computer industry since the rise of the Internet: while Microsoft had “snoozed” a company called Netscape Communications had created a massive new market in Internet navigating browser software.
Exactly 15 years before, computer industry giant, IBM had done exactly the same thing with personal computers, and then found that life became much more difficult. Even companies or industries with a policy of risk-taking may, if not anticipating risks well, find themselves in trouble.
Another distinction about types of risk can be made, which is also useful in discussion of the board’s role. This is the distinction between the strategic and the operational. The strategic risks are the issues which require companies to think on a grand scale. They must be tackled at the board level and require strategic planning. Operational risks also require board involvement, but are managed at a lower level.
The distinction between controllable and uncontrollable risk is used by some companies in preference to the pure or speculative description.
The concentration on the word “control” is often perceived as constraining and restricting the activities of operational management. But with the knowledge that all of the material risks to their objectives have been identified and appropriately managed, directors may be happy to raise their risk tolerance, thereby encouraging rather than restricting further activity.
Looking at specific individual risks, there are some other pairings which may act as an aid to grouping the risks as they are identified. The relevant/irrelevant categorisation is not as fatuous as it might at first sound. The purpose of the risk identification exercise is not only to surface and share the knowledge about the risks which the business teams are already aware of, but also to spot threats which have not even occurred to management. Lateral consideration of what at first sight may seem an irrelevant risk may reveal an exposure not previously identified. The ability to think sideways and forwards is also important when considering external as opposed to internal risks. Monitoring of the external category – sometimes described as environment risks and including political, regulatory and competitor risk – is a critical part of the risk management process. External risks would include a catastrophe destroying raw materials, a price war, a shift in public opinion (that on smoking has been instrumental in the US tobacco industry’s recent proposed settlement of law suits), environmental factors (such as the impact on Shell’s public image and reputation as a result of Greenpeace’s attack on the company’s disposal plans for its Brent Spar oil platform), or the regulatory framework.
Risks that might arise within the organisation include the crash of the company’s accounts receivable system, employees’ activities (such as the failure of internal controls to monitor Nick Leeson’s derivative dealings at Barings), the processes of dealing with suppliers and customers, or controls that haven’t worked.
The big/not big distinction is a useful first line of categorisation although you should always keep an eye on knock-on effects and cumulative values of high frequency, low impact risk.
Risk measurement emerges as another aid to thinking about types of risk: should risks be measured or should they be resolved? The risk identification process will flush out many areas of risk that have only downside attached to them. However, before they are included in the risk database and assigned a value, think about whether measuring them is the right management response.
Certain risks – integrity of management information may be one – should not be controlled or financed or insured; rather, it should be eliminated by improvement in the management process.
Identifying risk
Having suggested some ways of thinking about risk, it is possible to describe the methods being used by some companies to identify the business risks they face. It is interesting to note that for certain companies this has been a review of their risks while for others the exercise has been described as a control assessment. This again underlines a fundamental difference of perspective about risk: is it to be subject to tighter controls or is it to be managed to acceptable levels? The answer of course is likely to be a mixture of both, tailored to the particular circumstances of the business concerned. However, the mind set of the individual driving the risk management activity will largely determine the type of contribution it makes to the business.The objective is to know and understand all the risks that are faced by a particular business. Many companies have adopted the “self assessment” approach. At its most informal, this process consists of groups of relevant managers brainstorming to identify the risks encountered in their area of responsibility. This can be done either “top down” or “bottom up”.
The chairman of a quoted packaging business chose the top-down approach.
He sought external assistance to help spur some “out-of-the-box” thinking by involving one of the group’s auditors; they facilitated sessions for members of the board and the management committee, at which key risk issues were identified.
A major insurer chose a bottom-up route. They circulated detailed risk questionnaires to line managers, and provided them with checklists and a visit from a friendly consultant to prompt “risk focus” thinking on the part of each manager.
Drawing out the risk awareness in each of the process-owners is key to a comprehensive identification of risk. Co-opting expert help, whether from outside the organisation or from relevant specialists within the company, is likely to help the process of “thinking out of the box”.
Many organisations have published checklists to provide assistance to companies in the risk identification task. One such checklist is shown in the box on page 48.
The use of checklists has many advantages as part of the risk identification exercise. First, it promotes the spread of a common language to talk about business risk. The importance of this should not be underestimated; attempts to generate a consolidated picture of risk and to transfer knowledge and skills about risks and their management will be frustrated if agreed terminology is not recognised by everyone in the organisation.
Second, a good checklist will prompt the reader to think beyond the risk issues he has become accustomed to thinking about. The checklist above was described by a large utility company as “an agent of consciousness rather than a tool for delivering avoidance”.
Many companies, including the Post Office, have used facilitated workshops to help identify risk. Workshops that have been focused on a process or activity (for instance the business chain for a particular product) seem to get better results than those concentrating on functional responsibility (for instance human resource, information technology, treasury). Analysing the movement through the business chain flags up risks associated with inter-dependency that may not emerge from a review that takes a functional perspective. Again the involvement of skilled facilitators and risk specialists will improve the quality of the output.
Clearly, to capture all the risks in most businesses will require many workshops. Some companies have chosen to pilot this stage for one business unit or one product line. The insights achieved in the first exercise are used to demonstrate value to the participants and the organisation; the experience can then be used in the roll-out of the workshops to the rest of the group.
The workshop environment serves not only to identify risk more comprehensively, it provides an opportunity for management education which is a fundamental part of taking a new approach to risk management. For the risk management framework to provide directors with what they would ideally like – ie, effective organisationwide risk management – every manager must see himself as a risk manager. In addition, he must share his risk awareness with other groups in his organisation.
Willingness to do this will require a cultural change in many companies.
But without the commitment to change that this implies, the directors are unlikely to get value out of their risk management investment. The workshop can be used to create an awareness in managers at all levels of the wider risk goals of the business and to see the purpose of changing the way in which risk is currently managed.
This process can be supplemented by desktop research to ensure the whole population of risks a business may be facing have been thought about.
These might include a review of the history of the business, the risks and threats to performance encountered in the past and their continued relevance. This process should identify those threats that ultimately did not impact financial performance because they were identified and managed appropriately.
As well as researching their own experience, companies will find it useful to review that of their competitors or those who occupy a similar sector position but in a different market. Shell, for example, judged that a bank making a 10-year lending decision would have to consider many of the same risks that it would encounter in a medium-term contractual relationship.
The banks’ risk criteria were, therefore, useful prompts for Shell’s risk identification. Rating and credit agency findings may also provide useful analogies.
Risk and reward
Risk is one side of the coin. On the other side are the expected returns of the company. Successful businesses create explicit links between the two. An understanding of the risk will help in understanding the returns, although it will not determine them. As importantly, focus on risk provides directors with a critical tool for value-based planning and for efficient capital allocation. A proper and appropriate risk assessment will ensure that management focuses investment in areas where the risks-reward equation aligns with corporate strategy. It should increase the efficiency of the business and create value for the shareholders.
Providing some ideas about the ways in which individually measured and managed risks might be brought together should help boards make decisions more confidently and reliably. Business will always involve tricky issues of judgement. But where these can be supported by an analytical underpinning, decisions will be easier to take and justify.
Judith Harris-Jones is a partner at Arthur Andersen and was previously treasurer at Letraset International, Rolls Royce and the Bricom Group.
The treasurer’s new risk role
Who within the management team has the knowledge and all-round business and facilitation skills to co-ordinate these risk management functions?
The “business risk manager” must be independent of the process owners, be objective and be supported at board level.
In practice, the support at board level is of paramount importance in getting the job done. The board is (as confirmed by Cadbury and Hampel, and required by the regulators) responsible for ensuring the appropriate control and management framework is in place to carry out its duty of care and stewardship of shareholders’ funds and corporate resources in the most efficient manner. Their support of the risk management framework – and of the executive charged with its successful introduction and operation – will demonstrate to internal and external parties that it takes that responsibility seriously.
The ACT’s research indicated that, although the majority of treasurers and finance directors consider the proper execution of the traditional roles of the treasurer to be of primary importance (“… it is important that the treasurer is comfortable with traditional financial risks before trying to tackle the more complex issues of business risk …”), the evolution of the management of risk often starts within the treasurer’s department.
The answer to the question “What makes a successful treasury function?” has been shown to embrace at least three strands. It would seem to require:
– a thorough understanding of the global business within which the treasury operates;
– an alignment of the treasury objectives with those of the business, covering such issues as the risk appetite of the business and the overall culture of the organisation; and
– an articulation of the treasury’s response to the company’s financial risks in the form of clear, unambiguous policies and procedures, leaving no one in any doubt as to how the risks should be managed.
We believe that these attributes provide the foundation for a wider risk role, with the treasurer building on existing strengths to assist in the management of the risk process.
To put it another way, treasury is just one example of a specialised business function. So in what ways could the treasurer help fulfil this role of “risk champion”? As in his existing role, the treasurer can provide a forum for risk recognition; the application of relevant measurement skills elsewhere in the organisation; and the co-ordination of different risks originating in different areas.
At one FTSE-100 company, for example, there has been an extensive project underway within treasury aimed at business risk, at assessing its totality, offsetting it (where possible) at the centre and then – and only then – applying financial risk management techniques. The centre has gradually recognised the need to move away from a risk control mentality, to make a distinction between risk management and risk elimination, to redress the historical situation where risk has been “salami sliced” – shifted around in bits without an awareness of the big picture.
The intention is not simply risk prevention but a form of management that looks for the potential reward – and at what risk it might be achieved.
While it is true that the majority of treasurers surveyed described their current role as a traditional one looking at financial risks, there was a significant minority who thought that this role was gradually moving towards business risk.
The arrangement should be mutually beneficial. On the one hand, better risk management throughout the company; on the other, the treasury is promoted as a centre of technical excellence, and the treasurer enhances his contribution to shareholder value.
It is important to recognise that, by involving the treasurer, it is not suggested that the treasurer comes to own the risk. The objective of the treasurer in the role of risk champion must be the same as that of other managers: to increase the value of the firm. It is not to accumulate ownership responsibilities.
This article is an edited extract from Management of Corporate Risk: A framework for directors.
Copies will be available shortly from Claire Gwinnett, publications manager, The Association of Corporate Treasurers. Tel: (0171) 213 9728
Risks checklist
PROCESS RISK
Operations risk
– Customer satisfaction
– Human resources
– Product development
– Efficiency
– Capacity
– Performance gap
– Cycle time
– Sourcing
– Commodity pricing
– Obsolescence/shrinkage
– Business interruption
– Product/Service failure
– Environmental
– Health & safety
– Trademark/brand name erosion
Empowerment risk
– Leadership
– Authority
– Limit
– Performance incentives
– Communications
Financial risk
– Currency
– Interest rate
– Liquidity
– cash transfer/velocity
– Derivative
– Settlement
– Reinvestment/rollover
– Credit
– Collateral/Security
– Counterparty
Information processing/technology risk
– Access
– Integrity
– Relevance
– Availability
ENVIRONMENT RISK
– Competitor
– Sensitivity
– Shareholder relations
– Capital availability
– Catastrophic loss
– Sovereign/political
– Legal/Regulatory
– Industry
– Financial markets
INFORMATION FOR DECISION MAKING RISK
Operational
– Pricing
– Contract commitment
– Measurement
– Alignment
– Completeness & accuracy
– Regulatory reporting
Financial
– Budget and planning
– Completeness & accuracy
– Accounting information
– Financial reporting evaluation
– Taxation
– Pension fund
– Investment evaluation
– Regulatory reporting
Strategic
– Environmental scan
– Business portfolio
– Valuation
– Measurement
– Organisational structure
– Resource allocation
– Planning
– Life cycle
Source: Arthur Andersen, Business Risk Model(TM).
Early in 1990 US scientists discovered that the purified water theyation of Corporate Treasurers shows how business risk is something to be managed, rather than avoided at all costs. Association of Corporate Treasurers. were using in their experiments was in fact contaminated. That water was Perrier, a brand name for which purity was the major selling point.
Within a few months Perrier’s share of the bottled water market in the US had fallen by 30%, and by 40% in the UK. Shareholder value had been destroyed, the motivation of management undermined and confidence in the future threatened.
Why did this happen to Perrier? Like many large, global organisations, Perrier prided itself on being a decentralised business in which each subsidiary operated autonomously. But subsequent analysis showed that this style of operation had seriously impaired the organisation’s ability to both detect and manage the consequences of risk. During the corporate panic that followed the original discovery of benzene and carcinogens by the US scientists, a variety of causes were uncovered, including local North American factors, problems in the bottling line, and later faults in the filtering system. As different parts of the organisation came up with different answers, the market lost confidence. Management teams in the US, France and the UK all reacted differently, creating further confusion.
It is clear with hindsight that Perrier had no coherent plan for dealing with this operational risk even though it must have been one of the most likely that it faced. The risk and its sources had not been explicitly identified across the organisation. The consequences to Perrier’s reputation, its brand value, and the overall financial impact could not have been rationally assessed. There was no coherent management plan for addressing the risk. Such a plan might have included eliminating some sources of the risk by updating equipment and improving quality assurance. Neither was any management plan developed to minimise the consequences for Perrier should such an incident – the “risk event” – occur. While some of the autonomous businesses within the Perrier organisation had clearly evolved a crisis management plan, this knowledge and awareness had not been shared with other businesses in other locations.
It must be concluded that there was no explicit, co-ordinated risk management function across the Perrier group. The Perrier organisation, as The Economist observed, was one in which managers were wrong-footed by corporate crisis because they were used to shaping events, and not to having events grasp, control and shape them.
Risk: an inclusive approach
The Association of Corporate Treasurers (ACT) has spent two years researching how firms manage risk, and will shortly be publishing the results. They show that many companies want to develop an integrated approach to the management of risk, embracing both operational and financial risk. However, we found that they are struggling to define precisely what is needed to achieve such an approach. Most of the companies with whom we have talked have, following Cadbury, reviewed the risks which their businesses face.
The degree of thoroughness has varied – reflecting, as always, the strength of the existing risk management culture, the recent experiences of the organisation and of the individuals who make up the senior management team, and the extent to which third parties (shareholders, auditors, bankers) are able to exert pressure.
We did not find any organisation that claims to have fully implemented a satisfactory consolidated measure of risk (ie, one which is meaningful for management purposes). But organisations did believe that managing risk better is a key factor in differentiating their performance in the market-place and are investing in the attempt to measure risk and create a tool which helps them to manage their business better.
From our discussions and research we have developed a framework which, we hope, will help achieve this integrated approach. It seeks to assist directors in meeting their responsibilities in the management of the full spectrum of business risk.
Risk is an intrusive issue, so we propose an inclusive approach to its management. This approach builds on the skills of those already involved with particular types of functional risk, such as the insurance manager who focuses on compensation for certain events, the treasurer with a mandate for financial risk management, the operational manager concerned about the production line, or the human resources officer embroiled in pay negotiations.
It brings together the analytical approach that has driven financial market solutions and the instinctive response that is applied elsewhere.
The result is a more comprehensive approach, a means whereby those at the top can feel more comfortable that the full range of risks – from those on the shop floor in Asia to those implicit in the corporate strategic plan – are being managed. As things currently stand, many of those with risk responsibilities perform them unaware of their impact on
Was this article helpful?
YesNo
Leave a Reply
You must be logged in to post a comment.