Managing risk organization-wide
By George N. Allport
A comprehensive risk-management program identifies and quantifies the impact of all the risks facing an organization.
Illustration: Sara Tyson
Most organizations face three different types of risk: strategic, financial and operational. Strategic risk includes items such as product obsolescence and changes in distribution systems, while financial risk includes interest-rate volatility, currency risk and default risk. Operational risk is often defined as everything besides strategic and financial risk. It includes insurable risks, such as a factory fire, and uninsurable risks, such as losing a key design team to a competitor.
In most organizations, responsibility for strategic, financial and operational risk rests with different people in different areas. For example, the CEO and the line business managers generally are responsible for mitigating strategic risk. They implement efficient product development programs, streamline distribution systems and continually update marketing strategies. The CFO and treasurer are responsible for handling financial risk, through hedging, diversification and other risk-mitigating techniques.
The responsibility for managing operational risks rests with various managers throughout the organization. For example, while business interruption resulting from natural or man-made catastrophes is the traditional risk manager's responsibility, mitigating employment-related risk by providing strong benefit programs and a safe workplace is, at least partially, the responsibility of the human resources manager. Other managers are responsible for still other operational risks (e.g., customer loss due to late deliveries).
While strategic, financial and operational risk do differ, the management of financial risk and insurable operational risks has been similar - risk management has equalled cost management. Financial and insurable operational risks manifest themselves as financial losses for the organization, which ultimately is the same as costs for the organization. Treasurers and risk managers have, therefore, relied on derivatives and insurance policies to limit or transfer these "downside" risks, thus reducing their ultimate costs.
However, using derivatives and insurance policies to limit the ultimate cost of risk without looking at the correlation between strategic, financial and operational risks can lead to problems. An organization may set up risk-management programs that fail to address the multiple effect on the organization caused by any particular risk. Accordingly, the organization could incur an expense (the derivative or insurance coverage), with no "upside" potential and perhaps with only limited "downside" protection.
Today, many managers at different levels believe that, if they can identify and quantify the impact of all of the risks their organizations face, they can develop more effective and efficient ways of financing and mitigating that risk. This is Enterprise Risk Management (ERM), generally defined as "the systematic, holistic approach to managing risk at a business-wide level."
Advocates of ERM believe that it will improve operational efficiency and the management of working capital, and reduce or stabilize a company's overall cost of capital. It will allow a company to develop more effective working relationships with risk management partners, including banks, insurance companies, consultants and even regulators. Advocates also believe ERM will allow a company to develop insurance coverage tailored to its specific needs and to produce risk-adjusted performance comparisons to demonstrate shareholder value.
The problem - and the challenge - is figuring out how to implement a comprehensive process for gathering and sharing information when organizations are divided into different sections, divisions or subsidiaries, and are spread across continents or around the world. It can be done, but it requires that many people take many steps - and do so continuously so that ERM becomes an ongoing process and not a one-time snapshot.
To develop and implement an ERM program, it is necessary to identify and assess the risks facing the organization, then analyse and prioritize them. Next, the magnitude and financial impact of these risks will need to be quantified, and one or more mitigation strategies designed and implemented. Finally, the enterprise-wide risk management strategy should be monitored and enhanced.
In order to manage risks, it is necessary to know what risks the organization faces. The first step, therefore, in developing an ERM program is to identify all the losses (big and small) that the corporation has incurred over a set number of years. These losses are not risks themselves but are the telltale signs of risk - the proof that risks existed and led to a financial loss for the organization. Some losses will be readily known, such as those that have been insured. It is the other losses, such as misdirected shipments of products or waste of raw materials, that may be harder to uncover, but that must be found nonetheless.
Will employees or outside consultants identify the myriad events that cause financial loss for the organization? And how will this task be carried out? The most fundamental way is to get out on the shop floor and ask the employees, since people are usually willing to discuss work problems that have a deleterious effect on the company. It is critical, therefore, that the person looking for this information ask the right questions and - perhaps even more important - listen for telltale signs of risk in the answers.
Another way to identify losses is to review with the company's general counsel any lawsuits or complaints made against the company. While this should never be a substitute for an internal investigation, it can help identify risks that become relatively large problems. Ultimately, a review of legal damages may be necessary to identify the potential cost of individual risks. All this may involve reviewing old records or transactions, especially those that were problematical, to see what went wrong, how it was resolved and what the resolution cost. It will be a lengthy and costly process. There is no way to avoid having the employees and managers of the company spend a great deal of time in this identification process, particularly if old records need to be retrieved or even reconstructed.
Losses will not only differ in amount, but will also differ in importance to the organization. Individual late shipments may produce losses because payment for the merchandise will be late, but those losses may be less important than the loss of entire product runs because the purity of a raw material was not properly checked. Then again, the aggregate of the late payments due to late shipments could be much more severe than the cost of disposing of an entire product run.
What are the greatest risks? Which ones can be mitigated quickly and easily, and which threaten the corporation's life? Placing the myriad of risks in a hierarchy is a difficult task, and employees may not be in a position to make such a judgment. For example, small processing errors may be a fact of life to employees, but the customer may find them a compelling reason to move to a new supplier. To obtain an objective ranking of risks, it may be necessary to retain experts in various areas, and this additional cost must be factored into the overall assessment.
Once the risk information has been gathered and prioritized, the company can quantify its level of risk. Various methodologies should be used, because there are various types of risk. "Monte Carlo simulations" are almost always employed, but extremes must also be tested. One writer on the subject has described the modelling tools available today as "a smorgasbord of methodology." (Monte Carlo simulation is a statistical sampling technique that is used to estimate a range of possible outcomes for an event whose outcome cannot be predicted exactly. It requires some initial idea of what the probabilities are of the event occurring [i.e., a probability distribution], and then a computer program is run to "simulate" a range of possible results over a large number of iterations. It is useful in getting a sense of how likely it is that certain adverse results will occur.)
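The sketch below is an added example, not part of the original article. It runs a Monte Carlo simulation of annual losses for the two kinds of loss contrasted earlier (frequent late shipments and a rare spoiled product run), then repeats it with one frequency raised to test an extreme. All figures, the Poisson event counts and the lognormal loss sizes are constructed assumptions.

```python
import math
import random
import statistics

# Constructed inputs (assumptions, not from the article): expected events per
# year and lognormal severity (mu, sigma of log-loss in dollars) for each risk.
RISKS = {
    "late_shipment": {"freq": 40.0, "mu": math.log(2_000), "sigma": 0.5},
    "spoiled_run": {"freq": 0.2, "mu": math.log(250_000), "sigma": 0.8},
}

def poisson(rng, lam):
    """Knuth's method: count uniform draws until their product drops to e^-lam."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate(risks, years=5000, seed=1):
    """Return per-risk and total annual losses, one entry per simulated year."""
    rng = random.Random(seed)
    out = {name: [] for name in risks}
    out["total"] = []
    for _ in range(years):
        total = 0.0
        for name, r in risks.items():
            events = poisson(rng, r["freq"])
            loss = sum(rng.lognormvariate(r["mu"], r["sigma"]) for _ in range(events))
            out[name].append(loss)
            total += loss
        out["total"].append(total)
    return out

def summarize(losses):
    """Mean, median, 99th percentile and worst year of a list of annual losses."""
    ordered = sorted(losses)
    def pick(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"mean": statistics.fmean(ordered), "p50": pick(0.5),
            "p99": pick(0.99), "max": ordered[-1]}

def stressed(risks, name, freq_mult):
    """Copy of risks with one risk's frequency scaled, to test an extreme."""
    copy = {k: dict(v) for k, v in risks.items()}
    copy[name]["freq"] *= freq_mult
    return copy

if __name__ == "__main__":
    for label, risks in (("base", RISKS), ("stress", stressed(RISKS, "spoiled_run", 5))):
        for name, losses in simulate(risks).items():
            print(label, name, {k: round(v) for k, v in summarize(losses).items()})
```

With these inputs the many small late-shipment losses cost more on average per year than the rare spoiled run, while the spoiled run dominates the 99th-percentile year, which is why both the mean and the tail are reported.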
Ironically, modelling the identified risks may itself create new risks. Risk models have allowed some extraordinary failures to occur during the past 10 years, leading to "model risk" becoming a key concern for firms that depend on the quantification of financial data. If risk mitigation strategies are now going to be based on, and built around, risk models, the organization must be comfortable with the degree and precision of the models it has used.
With identification and quantification of the aggregate risks, the organization can begin to utilize the information in various ways. It can be used to measure the risk-adjusted return on the entity's capital (or that of a subsidiary or division); to develop procedures, such as quality assurance programs, to mitigate the risk; or to define the types and amounts of insurance that should be purchased.
The cost and complications of acquiring risk information, the difficulty with quantifying that information, and the potential inaccuracy of modelling the risk level have precluded many companies from proceeding with an ERM program. Competition within the insurance industry has also mitigated the need for a company to undertake an expensive ERM solution. In the past five years, insurance companies have been broadening their coverage while reducing rates, and, while enterprise-wide risk has not been insured, more individual risk exposures have been covered at competitive prices.
Despite this, interest in ERM is increasing rapidly and a growing number of consulting and accounting firms are offering ERM services. Insurance brokers are also offering assistance in developing ERM strategies and insurance companies are willing to assist in the development of tailored insurance contracts.
The obstacles to the successful development of an ERM initiative remain daunting but the goals are enticing. The business community may ultimately consider Enterprise Risk Management to be simply the sum of quality control, prudent financial management and far-sighted business planning. Each company will find its own path to achievement.
George N. Allport is senior vice-president and manager of the alternative risk group for Chubb & Son in Warren, New Jersey.
Peter Jackson, CA, Toronto-based consultant in organizational performance and corporate governance