THREE AND a half years into the post-Lehman Brothers era – and with structural deficiencies in the global banking system only slowly being addressed – there has been a fundamental shift in the way companies think about risk.
The fate of the likes of Lehman’s has highlighted the disastrous consequences of senior management essentially ignoring risk management. Its importance has not always been reflected in budgets but businesses around the world have started to invest heavily in personnel, processes and technology to mitigate risk, yet many companies are still deficient in terms of addressing strategic risks, because they continue to rely on historical experience when assessing exposure.
There is clearly a need to address issues such as financial controls and regulatory compliance. But if it is to the detriment of strategic business risk, companies could be left exposed in other ways – should an unexpected event or set of conditions occur that greatly reduces the ability of managers to implement their intended strategy.
Paul Moxey, head of corporate governance and risk management at the Association of Chartered Certified Accountants (ACCA) argues that while many categories of risk have been created – credit risk, market risk, financial risk, operational risk, compliance risk, IT risk, health and safety, environmental risk, people risk and strategic risk – this can also lead to “categorisation risk” – where organisations look for one type of risk and fail to either notice others or understand how one type can impact the whole business.
“Risk management in many companies takes a company’s strategy as a given, so any risks that could arise from a defective strategy might not be considered,” says Moxey. “Corporate graveyards are littered with companies whose strategy was wrong, or became wrong, so clearly it makes sense to consider such risks.”
While the first focus of any corporate risk management strategy should be about guarding against “black swan” events, the canny finance director can also use it to drive top-line profitability.
According to a study by Ernst & Young (E&Y), Turning risk into results: how leading companies use risk management to improve performance, companies that succeed in turning risk into results are able to create competitive advantage through more efficient deployment of scarce resources, better decision-making and reduced exposure to negative events.
The study assessed the maturity level of risk management practices and their impact on financial performance. It found that companies in the top 20% of risk maturity, where maturity was defined by the number of risk management practices applied, generate three times the level of EBITDA as those in the bottom 20%.
The global quantitative survey – based on 576 interviews with companies from 16 countries and information from 2,750 analyst and company reports – identified the leading risk management practices that differentiated the various maturity levels, and organised them into specific risk components. The results revealed while most organisations perform the basic elements of risk management, top performers do more; and certain risk practices were consistently present in the top performers.
But it is not just a numbers game. The study also determined financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.
By aligning and coordinating risk activities across all risk and compliance functions, it found organisations can reduce risk burden (overlap and redundancy), lower their total costs, expand coverage and drive efficiency.
For effective strategy and governance, proper oversight and accountability at the board and executive levels is critical. Ownership of risk throughout the organisation is also needed and at the management level, executives must play a crucial role in assessing and managing risk.
Organisations that embed risk management practices into business planning and performance management are also more likely to achieve strategic and operational objectives. Moreover, conducting an enterprise risk assessment can help to prioritise and identify opportunities for improvement.
A risk committee
In one case study, a global 50 consumer products business wanted to increase transparency and communications with its stakeholders. To do so, it began by establishing a risk committee at the board level. Although the board itself acts as a risk committee, no one on the board had been specifically assigned to risk. A risk committee was then established at the executive level and a chief risk officer (CRO) brought in. Risk champions were then identified at the business level.
To establish better external communication, the company developed a governance structure and increased its overall risk agenda by aligning risk to strategy. This can occur at different levels – the most basic level being to put additional assumptions around the overall strategic plan, which typically looks three to five years ahead.
The organisation listed these additional assumptions and then asked three basic questions to develop a risk profile and identify the strategic risks: First, what has to go right to achieve our strategy? Second, what could go wrong? Finally, how would we know?
The company also embedded risk principles into the business planning cycle – asking the same three basic questions as it put together its 12-month forecasts to identify the operational risks.
Developing a risk governance structure also included establishing the organisation’s risk appetite, defining the risk universe, determining how the business would measure risk and establishing enabling technology to help manage it. Asking the three questions at both the strategic and operational levels enabled the organisation to reportedly document 80% of the risks that have an impact on performance.
Hugo Sharp, director of risk services at Deloitte, says a company’s ability to identify and respond to key strategic shifts – from the emergence of new technologies to the opening up of new markets – identifies the winning organisations from those that fail.
“Over the past two years we have started to see organisations address this gap in their risk management frameworks,” he says. “Leading organisations are starting to build the consideration of risk into their strategy setting processes, not just identifying potential risks, but considering the company’s risk appetite in relation to these – how much are we prepared to invest in this new market before we pull out?”
Businesses are asking which data points they need to track to ensure they identify when they are reaching this point. Moreover, have they planned for and practised different scenarios relating to this risk?
Sharp adds this shift in focus for risk teams is leading to a different profile in the organisation and potentially a different skill set requirement, placing risk management at the heart of an organisation’s key decisions.
Peter Davis, principal at E&Y’s financial services office in New York, concurs.
“We are seeing institutions develop more formal processes for defining the firm’s overall risk appetite and then establishing limits and measuring performance against risk tolerances established underneath their risk appetite,” he says.
“Also, many firms are continuing to work on embedding risk appetite into day-to-day decision-making and in establishing reporting frameworks that effectively support the board’s risk governance role without blurring the board’s oversight role with management’s responsibilities.”
Key to organisations is for boards and senior management to ensure immediate priorities do not necessarily overshadow longer-term strategic planning and risk management.
Corporate winners will be those organisations that can more efficiently deploy scarce resources, have better decision-making capabilities and reduce their exposure to negative events. But they will need to integrate both short and long-term objectives. ?