Measuring the payoffs of strategic risk management.

The new risk management environment requires that organizational leaders expand their scope to incorporate a broader set of risks. Managing these risks effectively, to improve performance and meet stakeholder expectations as well as meet regulatory requirements, is the challenge this expectation presents. CMA Canada and the AICPA are lending their members a hand with a new Management Accounting Guideline, which introduces a new Risk Management Payoff Model and a selection of performance measures to identify, measure, manage and report risks.

In years past, most organizations viewed the process of risk management primarily as an issue of compliance with statutory or regulatory requirements. Further, risk management within organizations typically occurred in silos--technology, financial, environmental, etc.--with little or no coordination among them.

Events that occurred early in the second millennium highlighted many risks not previously contemplated by most organizations--from the terrorist attacks of September 11, to the burst of the dot com bubble, to the collapse of major companies, such as Enron and WorldCom, that were apparently constructed on an accounting house of cards. Whether directly or indirectly affected by these events, leaders began to realize the wide range of risks, many of them avoidable, to which their organizations were potentially vulnerable. Moreover, increased globalization, rapid advances in technology, and an increasingly environmentally conscious society were just a few of the factors that contributed to the regularly evolving risk landscape of organizations, and continue to do so today.

While the recent Sarbanes-Oxley (SOX) legislation and similar guidance issued by the Canadian Securities Administration generated a renewed focus on risk assessment, it has become increasingly apparent that the process of managing organizational risk must be a dynamic one that continually surveys both the internal and external environment of the organization, reaching far beyond mere compliance. Although compliance requirements may be the catalyst for leaders to address the issues of risk management, effectively managing organizational risks carries with it the potential to yield significant benefits. Indeed, properly identifying, measuring and managing organizational risks offers real opportunities for improved performance.

Broadening risk measurements

Risks are generally considered to be any event that adversely affects the organization's ability to successfully achieve its business objectives and execute its strategies. Such risks might arise from within the organization or may be the result of actions or events that occur externally. Keep in mind that risk management, at its optimal level, is neither intended nor expected to eliminate risks altogether, as doing so would eliminate the potential for significant rewards in many scenarios. The key is for organizations to develop the appropriate response to risks and, where possible, design those responses to gain a competitive edge in the marketplace.

In a new CMA Canada Management Accounting Guideline, jointly produced with the American Institute of Certified Public Accountants (AICPA), authors Marc Epstein and Adriana Rejc argue, "Measuring a broader set of risks more effectively is necessary not only to meet the new regulatory requirements but also, primarily, to improve managerial performance and stakeholder confidence."

With this new guideline, entitled Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Epstein and Rejc offer a Risk Management Payoff Model, along with a selection of performance measures to properly identify, measure, manage, and report risks. Specifically, the guideline offers the following:

* A comprehensive overview of risk management, highlighting the role of risk identification and measurement within the risk management process;
* A broader framework for risk identification;
* A detailed description of the key elements--inputs, processes, outputs, and outcomes--of a measurement model (the Risk Management Payoff Model) that will allow organizations to successfully address risks, both strategically and operationally, by identifying and evaluating risks and the potential benefits of risk management initiatives;
* Examples of risk management drivers and the causal relationships among them;
* Specific performance metrics that organizations can select and/or adapt to effectively accommodate their unique risk management strategies; and
* An illustration of the calculation of the return on investment (ROI) for risk management initiatives.

Typically, strategic business analysis models or systems are designed to measure critical success factors that are fundamental to the accomplishment of specific organizational objectives. Similarly, Epstein and Rejc's Risk Management Payoff Model highlights four key factors for success in an organizational risk management process (see Exhibit 2).

[GRAPHIC OMITTED]

These key factors include inputs and processes that are critical to success in risk management outputs. These outputs, in turn, minimize the cost of risks and increase revenues. The final key factor identified in the Model is the result--outcomes--and their contribution to organizational success. It is the outcomes, of course, that will ultimately determine the payoff of risk management.

Responding to risk

Fundamental to the success of any strategic business model are valid and representative measures that support the organization's objectives and drivers of success. Intuitively, such metrics will vary from one organization to the next. The new Management Accounting Guideline offers a generous set of measures from which leaders can select and/or adapt those metrics that are more closely aligned with their organization's risk management strategy.

Once the various risks have been identified and their potential impact measured, a decision must be made as to how the organization should respond (see Exhibit 1). Using the quantification process outlined in the Risk Management Payoff Model, management can more knowledgeably determine the appropriate response to a given risk, as well as assess the effectiveness of those risk management processes and controls that are currently in place within the organization.

[GRAPHIC OMITTED]

Appropriate responses to risks might be to:

* Accept -- Take no action to affect risk likelihood or its impact. Typically, organizations accept risks because they can withstand the impact, have transferred the risk, or have reduced the risk to a tolerable level. It is the CEO's responsibility to clarify with the board of directors both the categories of risk and the extent of exposure that are considered acceptable for the organization.
* Share -- Reduce the likelihood of the risk or its impact by transferring or otherwise sharing a portion of that risk.
* Transfer -- Pass risk to an independent, financially capable third party at a reasonable economic cost under a legally enforceable arrangement. For many years, buying insurance was considered the only risk management tool that organizations could employ. Today, other forms of risk management are essential to help guard against foreseeable risks that essentially remain within the control of the organization. Ways to transfer risk include buying insurance, hedging risk in the capital markets, sharing risk through joint venture investments or strategic alliances, arranging outsourcing accompanied by a contractual risk transfer, and indemnifying risk through contractual agreements.
* Reduce/Mitigate -- Take action to reduce risk likelihood or impact, or both. Building controls in response to risk is a form of mitigation. Leaders should evaluate the organization's ability to reduce the incidence of risks and the impact on the business.
* Avoid -- Exit the activities that give rise to risk.

Responses to risks should be influenced by the organization's appetite for risk, giving particular consideration to stakeholder appetites as well. Likewise, the cost of certain risk responses relative to the anticipated benefit to be derived should be carefully considered.

The guideline suggests various approaches and techniques for preventing, mitigating, transferring, and sharing organizational risks, which Epstein and Rejc have organized into four distinct categories--strategic, operational, reporting, and compliance. Strategic risks include risks such as industry, social, and political risks, while operational risks include risks such as environmental, financial, and business continuity. Reporting and compliance risks include those risks with which leaders can typically identify when contemplating the notion of risk within the organization. Though not to diminish the importance of or level of consideration that should be given to reporting and compliance risks, strategic and operational risks include risks that tend to be less intuitively managed, so they naturally require more creative input and time to consider.

A strategic benefit

The new Management Accounting Guideline provides valuable tools for those professionals charged with assessing, analyzing, and controlling risk throughout the organization. Perhaps more importantly, however, the purpose of the guideline is to offer an effective framework for senior leaders--Boards, Audit Committees, CEOs, CFOs, etc.--who, in the wake of SOX legislation, can no longer escape the ultimate responsibility for establishing and managing comprehensive organizational risk strategies within their company.

Epstein and Rejc remind us that "... the risk management perspective is shifting from a fragmented (departments or business functions managing risks independently), ad hoc (according to need, as perceived by managers), and narrow approach (focused primarily on insurable and financial risks), to one that is integrated, continuous, and broadly focused. Everyone in the organization should view risk management as part of his/her job and risk management efforts should be coordinated through senior-level oversight. The risk management process should be ongoing and all business risks and opportunities considered."

Therefore, today's leaders should no longer consider the compulsory regulations of SOX to be merely an exercise in compliance. Rather, the entire risk management process should be viewed as an opportunity for organizations to develop and implement a responsible risk management business discipline as well. The Risk Management Payoff Model can and should be incorporated into all operational and capital investment decisions. Employing the Model will ensure that the assessment of risk exposure becomes a fundamental component of the decision-making processes within the organization.

In the guideline, Epstein and Rejc suggest that risk assessment can become an integral part of the organization's decision-making process by:

* Articulating the organization's risk management attitude in its mission statement and strategic objectives;
* Communicating the risk management philosophy, specifically the link between risk management and strategy;
* Consistently incorporating risk awareness in the budget process;
* Instilling risk awareness in the corporate culture and enabling employees to become aware of all risks that are faced;
* Conducting risk education and training to ensure that employees understand how risks can be identified and managed;
* Articulating risk policies and tolerances through the use of analytical tools and assessments;
* Introducing mechanisms to connect performance evaluation and incentives to risk management initiatives; and
* Making risk assessment a required annual exercise within the business units.

When participation in these assessments is broad, and the discussion and prioritization of risks thorough, the mindset of managers and employees can be altered so that risk management is viewed no longer as a verification of compliance with rules and regulations but rather as an important part of everyday decision making.

One of the conclusions of the 9/11 Commission was that a key contributing factor to the catastrophic events of that day was a "failure of imagination." If leaders were to assess--objectively--their organization's approach to the risk management process, many would likely conclude that their current process is, similarly, long on intellect and operational and technical expertise, yet short on imagination and creative thought. A case in point is that, as this guideline goes to print, the chaos associated with the aftermath of Hurricane Katrina, arguably the worst natural disaster in North American history, illustrates the need for organizations to imagine the unimaginable and then assess the extent to which preparation for those contemplated events makes sound business sense.

The new Guideline, with Epstein and Rejc's newly created Risk Management Payoff Model, should prove a valuable resource for organizations desiring to cultivate and instill an effective risk management business discipline.

Melanie Woodard McGee, CPA, is an accounting manager with American Airlines and is currently dedicated to, and serving in a controller capacity for, its joint venture with Rolls-Royce, Texas Aero Engine Services Limited. She is a member of the AICPA's Business and Industry Executive Committee and served as a member of the CMA/AICPA focus group for the new Management Accounting Guideline.

By Melanie Woodard McGee, CPA