Managing Risk: An Enterprise-wide Approach.Managing risk on an integrated and enterprise-wide basis is a vital issue confronting executives. The CFO See Chief Financial Officer. is a key decision maker in crafting the company's strategy. Twenty-first century businesses worldwide operate in an environment where forces such as globalization globalization Process by which the experience of everyday life, marked by the diffusion of commodities and ideas, is becoming standardized around the world. Factors that have contributed to globalization include increasingly sophisticated communications and transportation , technology, the Internet, deregulation Deregulation The reduction or elimination of government power in a particular industry, usually enacted to create more competition within the industry. Notes: Traditional areas that have been deregulated are the telephone and airline industries. , restructurings and changing consumer expectations -- are creating much uncertainty and prodigious pro·di·gious adj. 1. Impressively great in size, force, or extent; enormous: a prodigious storm. 2. Extraordinary; marvelous: a prodigious talent. 3. risks. Consider, for example, that no force is having as great an impact on business today as the Internet. And as the Internet evolves, companies in all industries are rethinking the basics: business models, core strategies and target customer bases. These new developments create new issues related to risk and risk management. Managing risk on an integrated and enterprise-wide basis is a vital issue confronting executives, with the CFO a key decision-maker in crafting the company s strategy. "I think the point to risk management is not to try and operate your business in a risk-free environment. It's to tip the scale to your advantage. So it becomes strategic rather than just defensive," observed Peter Cox, chief financial officer of United Grain Growers United Grain Growers, or UGG, was a Canadian grain distributor. Founded in 1906 in Winnipeg, UGG was active in grain sales, crop inputs and livestock production services. Ltd. (of Canada). To some extent, no matter what its products or services, every organization is in the business of risk management. Most executives would likely agree that risk management is part of their job, and there is probably agreement that risks are increasing rather than decreasing. But ask executives to elaborate on risk management and you'll no doubt get a variety of answers: "It's about preventing disasters," or, "It's something the insurance or finance people handle." Is it just business management? What does "risk management" mean to management in today's companies? Financial Executives Research Foundation recently published a book summarizing research on the subject gleaned from five companies in diverse industries. The book, Making Enterprise Risk Management Pay Off, reports on how the five are implementing enterprise-wide risk management. The companies studied were: Chase Manhattan Corp. (now J. P. Morgan Chase & Co.), E.I. du Pont de Nemours Du Pont de Ne·mours , Pierre Samuel 1739-1817. French-born economist and politician who took part in negotiations after the American Revolution (1783) and in the acquisition of the Louisiana Territory (1803). and Co., Microsoft Corp., United Grain Growers, Ltd. and Unocal Corp. One key finding is that risk management is not just about finance, insurance or disasters. It's about running the business effectively and understanding, at the core, the fundamental risks facing the business. Tim Ling ling: see cod. , president and chief operating officer Chief Operating Officer (COO) The officer of a firm responsible for day-to-day management, usually the president or an executive vice-president. of Unocal (and the company's former CFO), emphasized, "I think you will see almost all companies over the next few years moving in the same direction [as we are], really trying to integrate the notion of risk management with the notion of just business management. To me, running a business is all about managing risk." Successful companies, almost by definition, have managed risks well, but practicing "risk management" has typically been informal and implicit. Some companies may have survived without ever knowing their real portfolios of risks. Taking an implicit approach to risk management can be risky itself, as it's caused some major surprises to companies unaware of the explicit risks. Examples include major debacles such as product recalls or fraudulent The description of a willful act commenced with the Specific Intent to deceive or cheat, in order to cause some financial detriment to another and to engender personal financial gain. securities trading securities trading, financial activity involving transactions of property such as stocks, bonds, commodities, and currency (see securities). Although the trading of stocks and bonds dates back several centuries in many Western nations, the development of the , major shifts in markets that management missed or saw too late, and increasingly complex environmental or business changes not recognized by management. Successful risk management today is not just about debacles and the downside Downside The dollar amount by which the market or a stock has the potential to fall. Notes: You might hear someone say that the downside on stock XYZ is $10. What that means is that the stock could fall by this amount if things got bad. -- it's as much about opportunities and the upside Upside The potential dollar amount by which the market or a stock could rise. Notes: This is basically an educated guess on how high a stock could go in the near future. See also: Bull, Downside . As UGG's Peter Cox said, it's a "strategic" initiative, not a "defensive" one. A paradigm shift A dramatic change in methodology or practice. It often refers to a major change in thinking and planning, which ultimately changes the way projects are implemented. For example, accessing applications and data from the Web instead of from local servers is a paradigm shift. See paradigm. By way of definition, enterprise-wide risk management, or integrated risk management, is a paradigm shift for many companies. Its goal is to create, protect and enhance shareholder value by managing the uncertainties that could either negatively or positively influence achievement of the organization's objectives. Historically, managing risk was done in 'silos' rather than enterprise-wide. That is, companies knew how to manage certain obvious risks individually but never thought about examining every risk and involving management in managing all of those risks. Typically, companies would have people who managed process risk, safety risk, insurance, financial and assorted other risks. A result of this fragmented approach was that companies would often take huge risks in some areas of the business while over-managing substantially smaller risks in other areas. Enterprise-wide risk management is a coordinated and focused approach for managing all risks together. What's driving companies to adopt enterprise-wide approaches to risk management? The study found three major reasons. For starters, risk management has gained recognition as companies have seen major debacles occur internally or at other companies. The size of these disasters can be devastating dev·as·tate tr.v. dev·as·tat·ed, dev·as·tat·ing, dev·as·tates 1. To lay waste; destroy. 2. To overwhelm; confound; stun: was devastated by the rude remark. , and executives frequently lose their jobs as a result. Simply stated, one of the main reasons risk management has become necessary is to manage strategically and avoid catastrophes. Secondly, many executives believe risks are greater than ever before. In fact, even being a chief executive is risky. The Economist (Nov. 11, 2000) reported that this past October alone, 129 chief executives left their companies and that the Business Council no longer puts an incoming executive on its member list immediately, but instead waits to see if the newcomer will last. Executives know the risks are there, but they are not sure what to do to manage them. Indeed, many executives would welcome a risk management plan and related risk infrastructure. The third reason concerns shareholder value. Companies have learned (as Unocal's Tim Ling expressed) that managing risk is really about managing the business and therefore managing risk can create shareholder value if done correctly. Susan Stalnecker, DuPont's treasurer, comments on the old view of risk management versus the new, more integrated approach: "What we have is a control process now. We don't have a value creation process. That's what we're trying to do." The risk management process Study results from the five companies clearly indicate there is no "cookie-cutter" or one-size-fits-all approach to risk management. Each company developed different yet overlapping approaches. Yet, in spite of the differences, each company's management believed that their approach was adding value to their organization. The discussion that follows highlights some of the lessons learned about adding value through enterprise-wide risk management. 1. Identify risks. Effective risk management initially means knowing your risks, Each of the case study companies had, in one way or another, made a concerted effort to identify its risks. Risks were identified in a variety of ways: using scenario analysis Scenario analysis The use of horizon analysis to project total returns under different reinvestment rates and future market yields. , brainstorming, performing risk self-assessments and generally by looking across the organization (or enterprise-wide) to make sure they had covered the major business risks. Karl Primm, Unocal's general auditor, said of the new approach: "Risk management is not new; managers have been doing this since the beginning of time. An integrated approach, however, does shed new light and benefits on the process." Risk identification is not static. As the business, economy and industry change, so do the risks and so, too, must the risk identification process. 2. Rank risks. Once risks are identified, management can determine what to do with them, depending on the effect of the risk on the business. A good first step in assessing the effect is to rank risks by some scale of impact and likelihood. DuPont implicitly ranks risks, while Microsoft uses risk rankings to generate "risk maps." (Risk maps are a graphical approach for viewing and plotting both likelihood and impact of risks.) Either way, can you imagine trying to run a business without knowing the real risks and without knowing the possible importance of each risk? It's a recipe for poor performance or even disaster. The goal is to make conscious decisions about risk, including all risks facing the business. 3. Try to measure risks. As previously noted, some companies implicitly or explicitly rank risks; others decide to validate To prove something to be sound or logical. Also to certify conformance to a standard. Contrast with "verify," which means to prove something to be correct. For example, data entry validity checking determines whether the data make sense (numbers fall within a range, numeric data the risk's perceived importance. These companies want to have more evidence on importance before they make decisions about how to manage the risk. Gathering this additional evidence helps management allocate capital efficiently and avoid over-managing those risks that are not as important while under-managing those that are important. Risk Measurement Approaches But some risks seem to defy de·fy tr.v. de·fied, de·fy·ing, de·fies 1. a. To oppose or resist with boldness and assurance: defied the blockade by sailing straight through it. b. reliable measurement. "The approach we have taken in financial risk and business risk is to try to quantify Quantify - A performance analysis tool from Pure Software. what we can and not necessarily worry that we are unable to capture everything in our measurement," said George Zinn, director of corporate finance for Microsoft, describing how his company views the problem. Still, companies should attempt serious risk measurement because it offers hard data to back up the perceived impact of risks. The most sophisticated measurement of risk occurs in the area of financial risk. Companies are using value at risk or VAR (effect of unlikely events in normal markets), and stress testing Determining the durability of a system by pushing it to its limits. Stress testing a network is performed by transmitting excessive numbers of packets or attempting to break in illegally. (effect of plausible events in abnormal markets) methodologies to measure the potential impact of the financial risks they face. To Microsoft, VAR provides a way to respond to the question, "How much risk Is Microsoft taking?" Microsoft's treasurer, Brent Callinicos, said that before the company used VAR, it would have to ask "what they really meant." The risk management group, according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. Callinicos, decided it "would tell anyone who asks what we mean when we say we have risk." The measurement of risk has been evolving from financial risk to now include non-financial risk which is more problematic. However, the companies studied have developed eclectic e·clec·tic adj. 1. Selecting or employing individual elements from a variety of sources, systems, or styles: an eclectic taste in music; an eclectic approach to managing the economy. 2. approaches to measuring these various risks. For example: * UGG UGG You Go Girl UGG United Grain Growers, Ltd. (Canada) UGG Urban Golf Gear (clothing brand) UGG Underground Groovement (Finland band) took risk measurement to a new level by developing, among other measures, gain/loss curves for risks. Such curves reveal the dollar effect and likelihood of a risk affecting earnings. In addition, UGG found that a certain subset A group of commands or functions that do not include all the capabilities of the original specification. Software or hardware components designed for the subset will also work with the original. of its risks contributed to as much as 50 percent of the variance in revenues. Knowing what affects revenue (and earnings) variance is extremely valuable to any organization, and UGG was even able to negotiate insurance coverage incorporating its most significant risk, grain volume, at no incremental cost Incremental Cost The encompassing change that a company experiences within its balance sheet due to one additional unit of production. Notes: Incremental cost is the overall change that a company experiences by producing one additional unit of good. because the risks were integrated in the insurance package. Also, UGG's risk measurement included more than traditional financial risks * DuPont advanced financial risk measurement even further by developing earnings at risk (EAR) measurement tools, To DuPont, VAR was not as helpful because it's a concept that's hard for some managers to understand and manage. With EAR, DuPont measures the effect of risk on reported earnings. It can then manage risk to a specified earnings level based on the company's risk appetite. With this integrated view, it can even now begin to see how risks affect the likelihood of achieving certain earnings targets. At DuPont, this new approach is dramatically altering the way it manages risk. * Chase Manhattan developed its own measurement system - shareholder value added Value Added The enhancement a company gives its product or service before offering the product to customers. Notes: This can either increase the products price or value. (SVA SVA School of Visual Arts SVA Severe (Thunderstorm) Advisory SVA Statens Veterinärmedicinska Anstalt (National Veterinary Institute, Sweden) SVA Shareholder Value Added ), because management was concerned that decision-makers were not explicitly considering the cost of risk. "We're in the business of taking risk, but we're in the business of getting paid for the risks that we take," said vice chairman Marc Shapiro. Asset growth under SVA has slowed from 15 percent to two percent in only three years, while cash income is at a healthy 17 percent growth rate. * Microsoft adds an advanced but different version of scenario analysis to assist with non-financial risk identification and measurement. The company's risk management group has utilized several scenarios to identify key business risks. As Callinicos emphasized, "The scenarios are really what we're trying to protect against." Two scenarios are the possibility of an earthquake in the Seattle region and a major downturn in the stock market. In some cases, after a risk was measured, management learned that the real effect of the risk was significantly lower or higher than they had previously believed. This further reflects the value of having good risk measurement. Bottom line: when management knows the real level of the risks they face, they can then manage those risks more effectively and successfully. Thomas L. Barton is a CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. and the Kathryn and Richard Kip kip 1 n. pl. kip See Table at currency. [Thai.] kip 2 n. 1. Professor of Accounting and KPMG KPMG Klynveld Peat Marwick Goerdeler (accounting firm) KPMG Kaiser Permanente Medical Group KPMG Keiner Prüft Mehr Genau (German) KPMG Kommen Prüfen Meckern Gehen Research Fellow of Accounting at the University of North Florida The University of North Florida (UNF) is a public university in Jacksonville, Florida. It currently has an enrollment of more than 16,000 students and employs over 500 full-time faculty. The current president is former Jacksonville mayor John Delaney. . William G. Shenkir is a CPA and the William Stamps Farish There are several individuals named William Stamps Farish from one family.
Paul L. Walker is a CPA and an associate professor of accounting at the University of Virginia's McIntire School of Commerce. Barton, Shenkir and Walker ate co-authors of Making Enterprise Risk Management Pay Off This study was sponsored by the Financial Executives Research Foundation, which published the resulting book, Making Enterprise Risk Management Pay Off It can be ordered by calling 800.680.FERF FERF Financial Executives Research Foundation FERF Far End Reporting Failure FERF Far End Receive Failure . Case Study Companies The five companies studied in Making Enterprise Risk Management Pay Off: 1. Chase Manhattan Corp. (now J.P. Morgan Chase & Co.) 2. E.I. du Pont de Nemours and Co. 3. Microsoft Corp. 4. United Grain Growers, Ltd. 5. Unocal Corp. Value Lessons - Highlights Each of the five companies in the study believed they were creating, protecting and enhancing value by managing enterprise-wide risks. Here are some highlights: * Managing requires a formal, dedicated effort to identify significant risks. * A "cookie-cutter," one-size-fits-all approach is not feasible. * Rank risks on a scale that captures importance, severity/dollar amount, frequency or probability. * Measure financial risk with sophisticated and relevant tools. * Know your appetite for risk-- for the company and the shareholders. * Adopt an enterprise-wide (not silo) view of risk management. * Consultants, when and if used, are supplements to senior management. * Enterprise-wide risk management offers more at potentially lower costs. * Risk management infrastructures vary but are essential for driving decision-makers to consider risks. * Implementing enterprise-wide-risk requires the commitment of one or more senior management champions. How Does Your Risk Rate? Here's a quiz A quiz is a form of game or mind sport in which the players (as individuals or in teams) attempt to answer questions correctly. Quizzes are also brief assessments used in education and similar fields to measure growth in knowledge, abilities, and/or skills. to assess your organization's risk management strategy. You may be pleasantly surprised - or shocked - at how your organization is doing in managing enterprise-wide risks. Instructions: * List the three most important risks your organization faces, defining risk as anything that keeps your organization from accomplishing its objectives. (If you do not know your important risks or if you get different answers from different managers within your organization, you may have even more risk than you realized.) * Assess each risk according to how important it is to your organization. Use a scale of 1 to 10, with 10 the highest risk. * Ask yourself how effective management is at managing that risk. Again, use a scale of 1 to 10, with 10 implying that the risk is managed extremely well and 1 implying that the risk is not managed at all. * Finally, determine the gap, or the difference, between the importance of the risk and the effectiveness level of managing that risk. Simply subtract A relational DBMS operation that generates a third file from all the records in one file that are not in a second file. the 3rd column from the 2nd to get the gap. The gap can indicate many things, but a positive gap generally implies that risks are under managed while a negative gap may indicate risks are over managed. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion