Risk management – Enhancing capacity to build value

 D.S.W. Andradi

The growing interest in risk management

Since the spectacular collapse of the Barings Bank in 1995 there has been an ever growing interest in risk management. This has been fuelled by subsequent high profile corporate debacles, as well as natural and manmade disasters – 9/11, Enron, Worldcom, Ahold, Parmalet, the 2004 tsunami, Hurricane Katrina, Northern Rock and Lehman Brothers, to name a few.

Risk has been viewed, more and more, as something negative – a hazard that needs to be managed, if not avoided or eliminated altogether; a value destroyer. Understandably, governments and regulators have reacted with stringent regulatory initiatives such as the Sarbanes – Oxley Act 2002, Basel 2 Accord, accounting standards and numerous codes of corporate governance.

Risks and opportunities

It is needless to say that hazardous risk – risks which have only a downside (examples: accidents, corporate fraud, human error, disasters) – need to be managed rigorously, in order to preserve value and to ensure the sustainability of companies. Otherwise, companies could lose money.

However, it is important not to focus only on downside risks. Many risks, business risks in particular (examples: business acquisitions, new products, investments in technology, innovation) have an upside as well as a downside – a positive side as well as a negative one.

It is the upside of risks, which provide opportunities for growth and profit. Whilst it is necessary to manage the downside of such risks, it is also vital that the upside should be exploited. After all, risk-taking is the engine that drives business and propels growth, as suggested by the well known adage ‘nothing ventured, nothing gained’: Business enterprise is essentially about taking risks.

Companies which focus only on the downside of risks could miss opportunities which might have initially appeared too risky, and not properly analysed. Exploiting the upside of risks, i.e. opportunities, is at the centre of value creation process. One should be mindful of opportunities to create value that could be hidden in risk.

In many instances, risk and opportunity are a duality; they are like the two sides of a coin. Accordingly, a risk could present opportunities for innovation and competitive advantage, which in turn could lead to short and long term growth and profitability. In such instances, ‘risk management’ provide a window for ‘opportunity management,’ which leads to ‘ risk and opportunity management’.

As explained above, focusing exclusively on the downside of risk could be harmful to the wellbeing of organisations. Several initiatives have been taken to remedy this situation. Two somewhat early responses are: 1. Enterprise Risk Management – Integrated Framework 2004 of the Committee of Organisations sponsoring the Treadway Commission (COSO) and 2. Enterprise Governance – Getting the Balance Right, 2004, of the International Federation of Accountants (IFAC) and the Chartered Institute of Management Accountants (CIMA).

Both initiatives are attempts to address risks in a broader and holistic manner, rather than viewing risk as a mere threat to be avoided. They look at risk in the context of the organisations strategy, culture and operations. Of these two initiatives, the Enterprise Governance approach and methodology has a distinct orientation toward addressing the much neglected value creating upside risks.

Enterprise governance

The early responses to corporate failures were mostly in the form of codes of corporate governance. These codes attempted to seek compliance with rules and regulations on issues such as board structures, chairman and CEO, non-executive directors, executive remuneration, internal control and oversight mechanisms (examples: audit committees, remuneration committee). They sought to bring about improved accountability and assurance.

Whilst the philosophy of enterprise governance accepts the importance of corporate governance, it argues that good corporate governance on its own cannot ensure success: “Good corporate governance is a necessary, but not sufficient, foundation for success. Bad corporate governance can ruin a company, but cannot, on its own, ensure its success” (Enterprise Governance – Getting the balance Right: IFAC).

It goes on to assert that companies must balance conformance with performance. Enterprise governance is defined as “ the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organisation’s resources are used responsibly” (Information and Systems Audit and Control Foundation, 2001 ).

There are two dimensions to enterprise governance, viz conformance and performance. Conformance is also called ‘corporate governance,’ whilst performance is also called ‘business governance’. The performance dimension focuses on strategy, value creation and resource utilisation. It seeks to help the board to make strategic decisions; understand its risk appetite and key drivers of performance.

Enterprise governance philosophy recognises that the performance dimension cannot be easily subjected to regime of standards and audit. Hence, it seeks to develop a set of best practice tools and techniques in performance related areas such as ‘enterprise risk management,’ ‘acquisition process’ and ‘board performance’.

Unlike in the case of the conformance dimension, the performance dimension lacks a formal board oversight mechanism. Hence, the IFAC study on Enterprise Governance has proposed the ‘strategic scorecard’ to bridge this ‘oversight gap’.

The strategic scorecard is neither a detailed strategic plan nor a substitute for the Balanced Scorecard. It aims at helping the board of directors ensure that all the aspects of the strategic process have been completed thoroughly. The strategic scorecard has four quadrants – strategic position, strategic options, strategic risks and strategic implementations. Thus, risks, in the form of strategic risks, have been embedded in the performance dimension of enterprise governance, i.e. business governance.

Risk management and value creation

The need to proactively approach risk-taking, in order to take advantage of value creating opportunities, should not be underestimated. Intelligent risk-taking is essential in order to build value; it needs to be operationalised.

The management accounting guideline titled ‘Managing Opportunities and Risk,’ jointly published by the Society of Management Accountants of Canada, the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants of the UK, provides a comprehensive and invaluable framework in this area.

The guideline expands the risk assessment model to include opportunities and innovation, and provides the needed tools and techniques to capture the positive side of risk, while rigorously managing its downside impact. It asserts that “an organisation may come to see that developing a greater capacity to identify and mitigate risk allows it to capture opportunities that the competition cannot”.

It goes on to state: “Effective risk management practices and tools are necessary for companies to seize opportunities and gain competitive advantage over companies that do not know of these practices and tools, or cannot effectively implement them.”

It encourages taking a portfolio view in regard to risks as managing some risks well create the opportunity to take risks in other areas. It also proposes techniques that organisations can use to alter risk appetites to capitalise on opportunities.

In addition to following the traditional risk management practices, the management accounting guideline ‘Managing Opportunities and Risks’ emphasises the need to 1. Indentify and manage opportunities, often related to innovation, and manage related risks, and 2. Identify and manage opportunities where others see only unmanageable risks. The risk and opportunity management process proposed by the guideline has the following three major phases:

1.Identify risks and opportunities

2.Manage risks and opportunities

3.Evaluate risks and opportunities

4.The identification of risks and opportunities draws attention to the following: (A) the sources of risk and opportunities and (B) strategies for identifying risks and opportunities. Some key sources of opportunity are 1. Supply chain, 2. Product and service offering, 3. Processes, 4. Technology, 5. New markets, 6. Customers and 7. Political, legal and social forces.

The strategies recommended for identifying risks and opportunities are: 1. Learning from the past, 2. Developing customer sensitivity, 3. Learning from others, 4. Scanning, 5. Scenario planning, 6. Seeing the market gaps and change the game, 7. Developing idealised design and competing in advance and 8. Developing market sensitivity.

The second phase – ‘managing risks and opportunities’ – consists of the following four steps: 1. Assess and alter risk appetite, 2. Assess risks and opportunities, 3. Managing risks, and 4. Managing opportunities.

Assessing the risk appetite allows an organisation to decide how best to respond to the opportunities and risks it has recognised. Risk appetite is the risk exposure, or potential adverse impact from an event, that an organisation is willing to accept without taking action. It is heavily influenced by the organisation’s culture and changes over time. It should be quantified in monetary terms. Risk appetites should be defined and agreed upon at least annually; it should be proposed by the senior management and endorsed by the board of directors.

Once the risk appetite is assessed, the company should proceed to assess all major risks and opportunities against it. For this purpose, it is very important to quantify the risks and opportunities in monetary terms. If a risk exposure exceed the risk appetite threshold (also called risk tolerance), measures could be taken to bring it back within the accepted level, so that the exposure is in line with the risk appetite.

In the alternative, the risk appetite itself could be altered. A low risk appetite could result in narrow assessment of risk, which could in turn result in the rejection of promising opportunities. If the goal is to capture an opportunity, and the existing risk appetite is a hurdle, it might be desirable to alter the risk appetite. This can be done by enhancing the capacity to accept more risk, thereby shifting the risk appetite threshold.

The guideline ‘Managing Opportunities and Risks’ describes methods of altering risk appetites. After assessing risks and opportunities, the company could reject them, or proceed to manage them. The final phase is the evaluation of risks and opportunities.

Contd.on page 14

(The writer is Partner, SJMS Associates. This article was based on the CMA Sri Lanka presentation at the 52nd National Cost Convention organised by the Institute of Cost and works Accountants of India, Chennai 4-6 January 2011.)