We cannot avoid risk. Nor should we want to. It is a part of our daily lives. Without it, there is no reward. But what we can do is learn to understand it, manage it, benefit from it and prepare ourselves better for the inevitable, unexpected risks that come our way. Let's explore the concept of enterprise risk management.
There has never been a time when risk has been completely absent from our world, our businesses and our lives. But, today, risk comes in more flavours than ever before.
The threat of terrorism and the reality of war have heightened geopolitical risk. Wild and unpredictable economic gyrations, coupled with corporate scandals and tighter regulation, have increased risk to our businesses.
And both of these have had a considerable impact on our lives as we cope with our day-to-day obligations and seek to plan for a stable future.
Given these realities, organizations react to risk in different ways. Some ignore risk and pretend that it doesn’t exist. But, as the demise of the global accounting firm Arthur Andersen has taught us, ignoring risk is a risk in itself.
Some overreact to risk, piling precaution upon precaution. However, when the Glass-Steagall Act was reversed – ending the separation of investment banking from retail and consumer banking in the United States – the resulting innovation and global capital market growth clearly demonstrated the benefits of not following a defensive, risk-avoidance strategy. Some accept the reality of risk, take reasonable precautions and act to seek out potential opportunities within a risk-management framework. These organizations are turning to enterprise risk management (ERM) to make risk work for, rather than against, them.
While many profitable companies belong in this category, few manage risk with maximum effectiveness. Dramatic corporate failures in the United States, Europe, and Asia bear this out.
Risk is predicated upon uncertainty. Any decision is risky when its outcomes are uncertain. The bad news is that uncertainty is a double-edged sword: it includes both risks and opportunities that can either erode or enhance value.
The good news is that risk, when well managed, can be a positive force and can help every enterprise cope with factors that create uncertainty and turn them to their advantage.
Almost three years ago, PricewaterhouseCoopers was asked by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to lead its project to research and develop a comprehensive enterprise risk management framework. We have also contributed to the UK’s Turnbull Report, which presented best practices in risk management.
In conducting our research, we learned that taking an ERM perspective helps organizations, regardless of size or mission, to identify events and, in an integrated way, to measure, prioritize and respond to the risks challenging the initiatives they undertake. ERM enables organizations to determine what level of risk they can – or want to – accept as they seek to build value for shareholders and other stakeholders. By enabling organizations to manage risk more successfully, ERM helps them to achieve their objectives, reduce volatility of outcomes and ensure effective reporting and compliance.
Managing risk is a top priority among today’s global executives. A majority of CEOs who participated in our 7th annual global CEO survey supported ERM, had ERM processes in place at their companies, and periodically reported internally and externally on their risk profiles.
Many also agree that ERM has the potential to enhance their ability to take appropriate risks to help create value and to think in an entrepreneurial and innovative manner. And many believe that ERM has a positive impact on their confidence and on their ability to meet strategic goals.
The dilemmas of risk
ERM covers three dilemmas of risk – downside loss, upside gain and uncertainty. The following features should be borne in mind:
- Reducing uncertainty about downside loss, both external and internal, entails a real cost.
Managing downside loss – whether through insurance contracts or through documenting and assessing internal control and compliance systems – means spending money, and sometimes the quantifiable benefits associated with the cost are not readily apparent. For example, many question the value of complying with recent regulations around the world, such as the Basle II Capital Accord’s risk management and capital adequacy rules, and the governance standards set forth by Sarbanes-Oxley in the United States and by South Africa’s King Report. They worry that the resources allocated to these activities might be better used to pursue commercial activities such as innovation. In post-9/11 New York City, many worry that increased insurance requirements will drive businesses elsewhere.
- Reducing uncertainty about upside gain also entails a real cost.
“The greater the risks, the greater the rewards” may be a cliché, but the statement contains a kernel of truth. For example, some companies that are unwilling to assume the risk of entering new and untested but potentially lucrative markets or of embracing new technologies have discovered to their regret that the cost of attempting to do so later, when risk is lower, is far higher. Sometimes it can actually be too late, regardless of the costs the company is willing to bear. For example, Digital Equipment Corporation (DEC) was an industry pioneer and a leading manufacturer of minicomputers. DEC was a company of firsts: the first commercially successful workstation, the first laptop, and the first MS-DOS computer to use standard floppy disks. However, it failed to see that the future belonged to PCs. Although reconfiguring the company for the PC market entailed risks, the larger risk was in failing to do so. While some gains can be achieved under circumstances of certainty, opportunities generally are greatest when uncertainty is highest. Reducing one often reduces the other as well.
- Reducing downside loss can reduce opportunities.
Actions taken to mitigate risk can dampen and curtail the incentive to pursue opportunity. Organizations that work to control and/or transfer risk can develop risk-averse cultures, thereby missing out on opportunities that might have been perfectly appropriate. For example, as Rob Brownstien points out, “risk aversion by US memory-chip makers in the 1970s downturn permitted Japan’s memory industry to leapfrog them and sustain that advantage.”
Alternatively, entrepreneurial organizations, whose people revel in risk-taking, suffer from the opposite extreme. The internet bubble was, in part, the result of indifference to some very real risks. In both cases, the organizations involved require a proactive and balanced approach to risk, or they might not be around long enough to benefit from the risks that do pay off.
Enter the world of ERM
Although there are never easy answers to dealing with these dilemmas, ERM is an approach that helps people encounter fewer surprises and make better risk/reward decisions. I will highlight the key steps that must be taken to deal with risk effectively. Under the ERM framework, companies can best work toward purposefully managing and proactively exploiting risk by:
- assessing the current risk profile;
- determining the desired risk profile;
- aligning the current with the desired risk profile.
Assessing the current risk profile
Most executives know, at least implicitly, what their organization’s risk profile ought to be. And many have made great strides in developing an approach to risk. Unfortunately, most tools and techniques are designed to manage risk in a piecemeal fashion. Few enable companies to take an integrated approach designed to exploit as well as manage risk.
What would explain the fact that some companies that truly believe they are managing risk effectively still find themselves in trouble with regulators, coping with reputation issues, losing money, replacing key employees and underperforming with regard to share price?
Most likely, these companies are not taking an integrated view with regard to their risk profiles, and, therefore, are unable to assess accurately all the risks they face. They fail to realize that the relationship among risks can be complex.
Some risks are positively correlated (an increase in one risk might mean an increase in another); some are negatively correlated (a decrease in one risk might mean a decrease in another); and some have no correlation at all.
It should be noted that while the focus in this article is on business, risk management is not limited to companies. Countries can face similar risks. For example, some developing countries depend on certain industries just as some companies depend (perhaps overly so) on a few products.
In 1995, WTO members agreed to a 10-year phase-out of the 1974 Multi-Fibre Arrangement quota system for textiles and apparel. The current anxiety in countries like El Salvador and Lesotho, where garment exports exceed 50% of total exports, suggests that some country leaders did not adequately assess the associated risks and are thus unprepared for 2005.
In hindsight, like the companies discussed above, these countries did not take an integrated view with regard to their risk profiles. Countries that supported eliminating quotas in hopes of increasing their share of the $350 billion world trade in garments did not anticipate that China would enter the WTO. They failed to see the complex relationship among risks.
Determining the desired risk profile
Organizations must decide how much risk they are willing to take. While this risk profile should be grounded in the return on capital they are seeking to deliver to shareholders, it should also include risks related to delivering value to other, sometimes competing, constituencies: clients, regulators, communities, employees, management, partners/suppliers and other stakeholders.
Such an objective is difficult to accomplish. However, only by taking all of these relationships into account can an organization achieve an integrated view of its risk profile.
In determining the desired risk profile, questions that must be adequately addressed include:
- Is the desired risk profile consistent with the company’s environment? Taking too little risk might mean sacrificing good available opportunities, leaving them for competitors to exploit. Did Levi Strauss’s conservatism in remaining committed to American manufacturing leave them vulnerable to competitors using significantly cheaper labour in Asia? Ironically, a risk-averse approach can increase a company’s overall long-term risk.
- Are the management team and the organization capable of managing this level of risk? To manage risk effectively, it must be thoroughly understood. Otherwise, the results can be catastrophic. For example, some media reports highlight the fact that Enron directors did not fully understand all of the risks that were affecting the company and that a similar problem may have played a part in the collapse of Barings Bank.
- Have the desired risk profile and anticipated return been clearly communicated to shareholders and other stakeholders? Shareholders and other stakeholders need to be able to judge for themselves whether the company’s risk profile is consistent with their own. Clearly the shareholders and banks involved with the hedge fund Long-Term Capital Management did not know the extent of their risks when its failure and the subsequent impact on global financial markets caused billions of dollars in losses.
Aligning the current with the desired risk profile
In an uncertain world characterized by continuously shifting downside losses and upside gains, organizations often find it difficult to align their existing risk profile with the one that they identify as ideal. Here, too, ERM can be extremely valuable. Using ERM, management might discover, for example, that certain business units should be taking more risks and that others should be taking fewer. Or it might find that individual decisions regarding risk have boosted the company’s risk profile to an unacceptably high level.
Had Allied Irish Banks, for instance, been aware of the activities of one of its currency traders, whose losses went unnoticed for years, undoubtedly those losses would not have been as great.
It is important to note, however, that the risk profile should not be viewed as a goal. Rather it is the result of an organization’s reaction to the risk it faces. In other words, an appropriate risk profile will emerge when its appetite for risk is aligned with its strategy and related business objectives.
Expect the unexpected
Because new frameworks and methodologies often prove themselves to be extremely effective, the danger always exists that some will treat them as the be-all and end-all solutions to all of their problems.
Such an attitude leads to complacency rather than to the action these tools are designed to facilitate. This in itself leads to considerable risk.
To paraphrase the words of the 18th-century Scottish poet Robert Burns: “The best-laid plans of mice and men often go awry.” While tools such as ERM can be extremely useful in helping to determine the level and types of risk an organization should take, we should always be prepared to expect the unexpected and to act when the unexpected occurs, as it surely will.
While risk can and should be discussed, prolonged discussions can and often do lead to paralysis rather than action. The result can be more risk, not less.