Which comes first ... managing risk or strategy-setting? Both! Effectively integrating risk management with the strategy-setting process enables management to focus on achieving its expected return while controlling its accepted risk exposure.In what can be viewed as the proverbial pro·ver·bi·al adj. 1. Of the nature of a proverb. 2. Expressed in a proverb. 3. Widely referred to, as if the subject of a proverb; famous. which-comes-first, chicken or egg scenario, businesses continue to grapple with to enter into contest with, resolutely and courageously. See also: Grapple a fundamental issue: Should a business strategy be formulated prior to conducting an enterprisewide risk assessment, or vice versa VICE VERSA. On the contrary; on opposite sides. ? The nature of the question in itself suggests the need for effective integration of risk management with strategy-setting. An enterprisewide risk assessment can help management determine whether there are risks that are inconsistent with or in excess of the organization's risk appetite. Because the operating environment In computing, an operating environment is the environment in which users run programs, whether in a command line interface, such as in MS-DOS or the Unix shell, or in a graphical user interface, such as in the Macintosh operating system. is constantly changing, strategy-setting is a dynamic process that never ends. The same applies to risk assessment. So, management should never set strategy without evaluating risk. Managers will naturally gravitate grav·i·tate intr.v. grav·i·tat·ed, grav·i·tat·ing, grav·i·tates 1. To move in response to the force of gravity. 2. To move downward. 3. to the opportunities with the highest return, regardless of the risk. That is why a risk evaluation must be performed when strategy is formulated, because each enhances the other. In those situations when a risk assessment is conducted after the business strategy is developed, the strategy must be reevaluated to consider risks not identified during the risk assessment. Business strategies often warrant revisiting once the risks inherent in those strategies are fully understood. Thus the entity's goals and objectives may be further refined when an enterprisewide risk assessment is conducted. An Enterprisewide Approach Whatever the enterprise's proxy for measuring value, the most important contribution of risk management is to help executives make better strategic choices. Not only is this contribution an important one as companies face an increasingly uncertain future, it can make or break the formulation and execution of a successful strategy. Over the last 10 years, Protiviti Inc. has conducted several research projects involving senior executives. The most recent survey was conducted in the third quarter of 2005 and involved 76 C-Level executives of Fortune 1000 companies. The research during this 10-year period has consistently found that six of 10 senior executives lack high confidence that their organization is identifying and managing all potentially significant risks. During times of substantial change, integrating risk management with strategy-setting is the key to increasing the relevancy of and the confidence in risk management capabilities. Traditional risk management tends to focus primarily on loss prevention and managing uncertainties around physical and financial assets Financial assets Claims on real assets. and related contractual agreements. As such, traditional risk management is often a fragmented, reactive, sporadic sporadic /spo·rad·ic/ (spo-rad´ic) occurring singly; widely scattered; not epidemic or endemic. spo·rad·ic or spo·rad·i·cal adj. 1. Occurring at irregular intervals. 2. , cost-based, narrowly focused and functionally driven activity. Integrating risk management with strategy-setting, such as an enterprise risk management (ERM (Enterprise Relationship Management) An umbrella term with many shades of meaning over the years. It may refer to the management of information from any or all of an organization's customers, suppliers, business partners and employees. ) approach, helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance. These contributions redefine Verb 1. redefine - give a new or different definition to; "She redefined his duties" define, delimit, delimitate, delineate, specify - determine the essential quality of 2. the value proposition of risk management to a business. Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets Intangible Asset An asset that is not physical in nature. Notes: Examples are things like copyrights, patents, intellectual property, and goodwill. These are the opposite of tangible assets. such as customer assets, employee/supplier assets and the entity's distinctive brands, differentiating strategies and innovative processes and systems. This is the essence of what ERM contributes to the organization--the elevation of risk management to a strategic level by assessing all sources of value, not just physical and financial ones. ERM transforms risk management to a coordinated, proactive, continuous, value-based, broadly focused and process-driven activity. Under an enterprisewide risk approach, the focus is on integrating risk management with strategy-setting. The Focus on Enterprise Value While the strategy-setting process takes many forms in different organizations, it generally includes the following continuous cycle of activities: assessing the environment, evaluating alternatives, formulating strategy, establishing metrics metrics Managed care A popular term for standards by which the quality of a product, service, or outcome of a particular form of Pt management is evaluated. See TQM. and monitoring execution. Integrating risk management with strategy-setting transforms risk management from "avoiding and hedging bets" to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of growth and returns. Enterprise value is the value placed upon an organization by its stakeholders Stakeholders All parties that have an interest, financial or otherwise, in a firm-stockholders, creditors, bondholders, employees, customers, management, the community, and the government. . While value can be expressed in different ways, this will presume that shareholder value is the measure of choice for executives of public companies. Using enterprise value as a context, it can be better understood how integrating risk management with strategy-setting can make a difference. There are at least four broad choices available to management when protecting and enhancing enterprise value: * Create new opportunities. The enterprise invests in new business activities promising attractive returns expected to exceed the cost of capital. * Improve performance. The enterprise improves performance and increases returns of existing business activities by improving policies, processes, competencies, reporting, technology and/or knowledge in ways that achieve this desired result. * Harvest existing value. The enterprise withdraws from existing business activities with inadequate returns. For example, these activities have generated (or are expected to generate) returns that do not exceed the cost of capital. * Align risk-taking with risk appetite. The enterprise takes specific steps to align its risk taking with its core competencies A core competency is something that a firm can do well and that meets the following three conditions specified by Hamel and Prahalad (1990):
For strategy-setting to be effective, it must focus on these four choices. The relative risks inherent in individual business units and activities vary. To address these inherent risks, management should insist that the strategy-setting process consider the risk equivalency equivalency the combining power of an electrolyte. See also equivalent. of alternative business activities. As senior management evaluates opportunities for generating superior returns, three issues arise. It is necessary to: 1. Evaluate the key underlying variables in the business plan that are exposed to performance variability over time and that require specific risk responses; 2. Understand the loss exposures or drivers inherent in the enterprise's business model that require specific risk responses; and 3. Identify incongruities inherent in the business model where management has, either knowingly or unknowingly, accepted risks that should be avoided, given the entity's risk appetite. For risk management to be value-added, it must enhance the strategy-setting process by providing the discipline, focus and control to ensure the three issues above are satisfactorily addressed. That is, risk management must: manage and monitor performance variability in the business plan; protect accumulated enterprise value from unacceptable losses; and support alignment of opportunity seeking behavior with risk appetite. As Anurag Saksena, chief enterprise risk officer for Freddie Mac Freddie Mac: see Federal Home Loan Mortgage Corporation. , explains: "For firms to succeed in this increasingly global and competitive marketplace, risk management must become a state of mind. A systematic and proactive enterprise-wide approach to managing risks is essential to making risk management an integral part of the company's DNA DNA: see nucleic acid. DNA or deoxyribonucleic acid One of two types of nucleic acid (the other is RNA); a complex organic compound found in all living cells and many viruses. It is the chemical substance of genes. ." The four broad choices available to management during strategy-setting and the interplay in·ter·play n. Reciprocal action and reaction; interaction. intr.v. in·ter·played, in·ter·play·ing, in·ter·plays To act or react on each other; interact. with risk management are discussed in detail below. Create New Opportunities Every successful business takes risk in the pursuit of value-added opportunities. For example, when management decides to enter new markets, introduce new products, merge with or acquire another entity or exploit other market opportunities, inherent in these decisions are choices to take on additional risk. When risk management is integrated with strategy-setting, these choices are transparent. Risk management is relevant to strategy-setting when it provides assurance to directors and executive management that risks are taken with knowledge--knowledge of the business, knowledge of the risks and knowledge of markets. That knowledge is a result of the organization's persistent efforts to understand, monitor and track risk during the strategy-setting process. ERM allows management to identify the priority risks inherent in its planned actions and price the acquisitions, transactions and deals resulting from those actions to appropriately compensate the enterprise for the risks it is assuming. Failure to make this assessment may result in management committing to undertake activities in which there are risks that exceed its risk appetite, such as unacceptable performance variability, loss exposure and/or business model incongruities. The objective is to fully understand the good things and the bad things that can happen and the various scenarios in between. In addition, following the consummation CONSUMMATION. The completion of a thing; as the consummation of marriage; (q.v.) the consummation of a contract, and the like. 2. A contract is said to be consummated, when everything to be done in relation to it, has been accomplished. of acquisitions, transactions and deals, a process is in place to monitor the risks and mitigate them if they are determined to be different than originally contemplated by the strategy. Effectively integrated with strategy-setting, risk management should invigorate in·vig·or·ate tr.v. in·vig·or·at·ed, in·vig·or·at·ing, in·vig·or·ates To impart vigor, strength, or vitality to; animate: "A few whiffs of the raw, strong scent of phlox invigorated her" opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities within the organization to manage those risks. The result: management and the board fully understand the downside Downside The dollar amount by which the market or a stock has the potential to fall. Notes: You might hear someone say that the downside on stock XYZ is $10. What that means is that the stock could fall by this amount if things got bad. and how much it might hurt. They also know what to watch over time. Improve Performance A robust, comprehensive risk assessment of a given business unit may identify priority risks that expose future revenue streams and cash flows to unacceptable performance variability or loss exposure. Rigorous event identification and risk assessment enhance the business strategy and business plan, as well as their execution. For example, Holcim, a multinational organization with 61,000 employees and a presence in more than 70 countries, integrates the first two steps of its Business Risk Management process--identify risk and source risk--with the risk assessment phase of its business planning process. The result is that business risk management and the business planning process are, in effect, a single process. Clemens Mann, risk manager with Holcim's corporate strategy and risk management team, describes the process: "In this first element of the business planning process, we look at the risk profile in each of our group companies, and examine how the business environment has changed or might change in the future." To develop a truly comprehensive risk profile, Holcim analyzes both internal and external risk factors and external market situations to determine where to focus the business planning process and where the critical elements reside. "This way, we know where and how to dig deeper," says Mann. He adds, "Early in the process, we make preliminary decisions about how we want to handle the risk. This becomes our future risk profile, or so-called 'target risk map,' which results in first indications as to how we want to handle the risks." Once a consistent risk assessment framework is implemented and used enterprisewide by the organization's business and support units, comparison and aggregation across the enterprise become possible. Capital allocation becomes more meaningful, and investment choices become clearer. A more robust risk assessment process reduces the chance of overlooking key risks and incurring unacceptable opportunity costs Opportunity costs The difference in the actual performance of a particular investment and some other desired investment adjusted for fixed costs and execution costs. It often refers to the most valuable alternative that is given up. due to risk-averse behavior. Risk responses can then be evaluated to reduce the priority risks to an acceptable level (see Four Alternative Risk Responses on page 37). Identification of potential events or scenarios may provide useful insights as to the soft spots in the enterprise's or unit's business strategy. Because the future is uncertain, management should consider a range of potential outcomes in earnings and cash flow projections A Cash Flow Projection is an attempt to forecast the cash flows that will be generated by an asset, often a company, over a specified time frame. Methodology Projections can be made with varying levels of detail, but any cash flow projection for a business entails , not single-point estimates. Harvest Existing Value Decisions to exit a market or geographic area or to sell, liquidate To pay and settle the amount of a debt; to convert assets to cash; to aggregate the assets of an insolvent enterprise and calculate its liabilities in order to settle with the debtors and the creditors and apportion the remaining assets, if any, among the stockholders or owners of the or spin off a product group or business must be carefully evaluated. Managers need to understand the "relative riskiness" of different units, geographies, products or markets. If performance is measured without considering the risks assumed by managers through their respective activities, the company might choose to withdraw from a business that is actually generating superior risk-adjusted returns Risk-Adjusted Return A measure of how much risk a fund or portfolio takes on to earn its returns, usually expressed as a number or a rating. Notes: This is often represented by the Sharpe Ratio. The more return per unit of risk, the better. , even though its gross returns may appear lackluster. The analysis supporting this assessment could be as simple as a risk map prepared for each business unit or as sophisticated as deploying risk-adjusted performance measurement. Align Risk-taking with Risk Appetite Every organization has a risk appetite, whether it acknowledges it explicitly or not. Risk appetite is expressed through an entity's actions or inactions. It represents executive management's "view of the world," which drives their strategic choices. In its Enterprise Risk Management--Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-sector initiative, formed in 1985. (COSO COSO Committee of Sponsoring Organizations of the Treadway Commission COSO Church of Spiral Oak COSO Corporate South COSO Class of Service Override COSO Combat Oriented Supply Operations (USAF) ) set a standard for management to manage risk within the entity's risk appetite, as understood and agreed by the board of directors. Management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances Risk Tolerance The degree of uncertainty that an investor can handle in regards to a negative change in the value of their portfolio. Notes: An investor's risk tolerance varies according to age, income requirements, financial goals, etc. and developing risk management capabilities. If articulated explicitly, risk appetite provides overall direction for risk management and is grounded during the objective-setting process. During the strategy-setting process, companies that are serious about risk management strive to configure See configuration. (software) configure - A program by Richard Stallman to discover properties of the current platform and to set up make to compile and install gcc. Cygnus configure was a similar system developed by K. their risk-taking with their core competencies, avoiding unduly constraining con·strain tr.v. con·strained, con·strain·ing, con·strains 1. To compel by physical, moral, or circumstantial force; oblige: felt constrained to object. See Synonyms at force. 2. risk-averse behavior. The business model of every successful organization exploits to the maximum extent possible the areas in which the company excels relative to its competitors. In leveraging these advantages, however, management needs assurance that the company is not gambling its future. An ERM infrastructure supports strategy-setting, because it provides the discipline, focus and control by which management capitalizes on competitive strengths while protecting enterprise value. It also ensures that the company only takes those risks it is best equipped to handle within the parameters of its risk appetite, while minimizing exposure to those areas considered "off-strategy" because of the lack of competence to manage. Understanding and effectively managing the relationship between capital, risk and reward within the boundaries of an organization's strategy-setting process create a significant opportunity for increasing the relevance of risk management. For example, does it make sense to take all of the risk an organization is capable of undertaking without reserving capital for new investment opportunities? Is it appropriate to retain a significant risk when options for transferring that risk are available at reasonable cost? What is the desirable relationship between the capacity to bear risk and the appetite to take risk, and should capital allocation be modified to reflect that relationship? From a strategy-setting standpoint, it is useful to have a notion of at what point the organization's capacity for bearing risk would be encroached upon. Evaluate Early, Meet Expectations By effectively integrating risk management with the strategy-setting process, management is able to sharpen sharp·en tr. & intr.v. sharp·ened, sharp·en·ing, sharp·ens To make or become sharp or sharper. sharp the focus on improving expected returns Expected Return The average of a probability distribution of possible returns, calculated by using the following formula: , or alternatively holding the expected returns constant and favorably fa·vor·a·ble adj. 1. Advantageous; helpful: favorable winds. 2. Encouraging; propitious: a favorable diagnosis. 3. altering the organization's risk characteristics. Management alters their risk characteristics by reducing: * The enterprise's net exposure; * The variability of the enterprise's expected returns caused by specific sources of uncertainty (such as exposure to fluctuating fluc·tu·ate v. fluc·tu·at·ed, fluc·tu·at·ing, fluc·tu·ates v.intr. 1. To vary irregularly. See Synonyms at swing. 2. To rise and fall in or as if in waves; undulate. v. currency rates); * The likelihood of financial distress Financial distress Events preceding and including bankruptcy, such as violation of loan contracts. in the event of realized changes in key variables (such as changes in interest rates for a highly leveraged company); or * Other uncertainties in the attainment of expected returns. In effect, integrating risk management with strategy-setting means two things. First, it means the risk profile of strategic decisions is evaluated early in the strategy-setting process--leading to a more robust business strategy. Second, it means that policies, procedures, measures and monitoring are established and continuously improved, providing assurance to management and the board that the company is on target with achieving its expected return while controlling its accepted exposure to risk. Everett Gibbs (everett.gibbs@protiviti.com) and Jim DeLoach (james.deloach@protiviti.com) are Managing Directors for Protiviti Inc. Protiviti (www.protiviti.com) is a provider of independent risk consulting and internal audit services. RELATED ARTICLE: Four Alternative Risk Responses According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are four alternative risk responses--Avoid, Accept, Reduce, Share. Each of these are detailed below, along with an illustrative il·lus·tra·tive adj. Acting or serving as an illustration. il·lus  tra·tive·ly adv.Adj. 1. example: ** AVOID Eliminate the risk by preventing exposure to future possible events from occurring. Examples of avoidance responses An avoidance response is a form of escape behavior present in animals in which the subject evades an aversive event. This can be due to anxiety or a frightening situation. include: Prohibit unacceptably high-risk activities, transactions, financial losses and asset exposures through appropriate corporate policies, limit structures and standards Stop specific activities by redefining objectives, refocusing Noun 1. refocusing - focusing again focalisation, focalization, focusing - the act of bringing into focus strategies and policies or redirecting resources Target business development and market expansion to avoid pursuit of "off-strategy" opportunities Screen alternative capital projects and investments to avoid low-return, off-strategy and unacceptably high-risk initiatives Divest To deprive or take away. Divest is usually used in reference to the relinquishment of authority, power, property, or title. If, for example, an individual is disinherited, he or she is divested of the right to inherit money. by exiting a market or geographic area, or by selling, liquidating or spinning off a product group or business ** ACCEPT Maintain the risk at its current level. Illustrative responses include: Retain risk at its present level taking no further action Reprice products and services by including an explicit premium in the pricing, market conditions permitting, to compensate for risk undertaken Self-insure risk through internal charges to earnings, borrowed funds (from external sources should a specific event occur), reserving losses (under accepted accounting principles), a pure captive insurance Captive insurance companies are limited purpose insurance companies established with the specific objective of financing risks emanating from their parent group or groups, they sometimes also insure risks of the parent company's customers. company or participation in a group or an industry captive Offset risk against others within a well-defined pool ** REDUCE Implement policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental to lessen the risk to an acceptable level. For example: Disperse disperse /dis·perse/ (dis-pers´) to scatter the component parts, as of a tumor or the fine particles in a colloid system; also, the particles so dispersed. dis·perse v. 1. financial, physical or information assets geographically to reduce risk of unacceptable catastrophic losses Control risk through internal processes or actions that reduce the likelihood of undesirable events occurring to an acceptable level (as defined by management's risk tolerance) Respond to well-defined contingencies by documenting an effective plan and empowering appropriate personnel to make decisions; periodically test and, if necessary, execute the plan ** SHARE Shift the risk to a financially capable, independent counterparty Counterparty The other participant, including intermediaries, in a swap or contract. . For example: Insure through cost-effective contract with independent, financially capable party under a well-defined risk strategy Reinsure re·in·sure tr.v. re·in·sured, re·in·sur·ing, re·in·sures To insure again, especially by transferring all or part of the risk in a contract to a new contract with another insurance company. to reduce portfolio exposure through contracts with other insurers, when such arrangements are available Hedge risk by entering into the capital markets, making feasible changes in operations or executing new borrowings Securitize Securitize The practice of a company selling accounts receivables or other debts owed to it. The third party that buys the debt assumes ownership of it and the responsibility for collecting the debts, and keeps the repayments when made. risk by accessing the capital markets and structuring deals with potential investors through efficient pricing mechanisms Transfer risk and rewards of investing in new markets and products by entering into alliances or joint ventures Outsource non-core processes (a viable risk transfer option only when risk is contractually transferred) Indemnify To compensate for loss or damage; to provide security for financial reimbursement to an individual in case of a specified loss incurred by the person. Insurance companies indemnify their policyholders against damage caused by such things as fire, theft, and flooding, which risk by entering into contractual risk-sharing arrangements with independent, financially capable parties Source: Adapted from "Frequently Asked Questions About Enterprise Risk Management," Protiviti Inc., 2005 RELATED ARTICLE: takeaways * An enterprise risk assessment can help management determine whether there are risks that are inconsistent with or in excess of the organization's risk appetite. * Research conducted by Protiviti Inc. over 10 years consistently finds that six of 10 senior executives lack high confidence that their organizations identify and manage potentially significant risks. * Four broad choices are available to management for protecting and enhancing enterprise value: create new opportunities, improve performance, harvest existing value and align risk-taking with risk appetite. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion