Printer Friendly

Managing Risk: An Enterprise-wide Approach.

Managing risk on an integrated and enterprise-wide basis is a vital issue confronting executives. The CFO is a key decision maker in crafting the company's strategy.

Twenty-first century businesses worldwide operate in an environment where forces such as globalization, technology, the Internet, deregulation, restructurings and changing consumer expectations -- are creating much uncertainty and prodigious risks. Consider, for example, that no force is having as great an impact on business today as the Internet. And as the Internet evolves, companies in all industries are rethinking the basics: business models, core strategies and target customer bases.

These new developments create new issues related to risk and risk management. Managing risk on an integrated and enterprise-wide basis is a vital issue confronting executives, with the CFO a key decision-maker in crafting the company s strategy. "I think the point to risk management is not to try and operate your business in a risk-free environment. It's to tip the scale to your advantage. So it becomes strategic rather than just defensive," observed Peter Cox, chief financial officer of United Grain Growers Ltd. (of Canada). To some extent, no matter what its products or services, every organization is in the business of risk management.

Most executives would likely agree that risk management is part of their job, and there is probably agreement that risks are increasing rather than decreasing. But ask executives to elaborate on risk management and you'll no doubt get a variety of answers: "It's about preventing disasters," or, "It's something the insurance or finance people handle."

Is it just business management?

What does "risk management" mean to management in today's companies? Financial Executives Research Foundation recently published a book summarizing research on the subject gleaned from five companies in diverse industries. The book, Making Enterprise Risk Management Pay Off, reports on how the five are implementing enterprise-wide risk management. The companies studied were: Chase Manhattan Corp. (now J. P. Morgan Chase & Co.), E.I. du Pont de Nemours and Co., Microsoft Corp., United Grain Growers, Ltd. and Unocal Corp.

One key finding is that risk management is not just about finance, insurance or disasters. It's about running the business effectively and understanding, at the core, the fundamental risks facing the business. Tim Ling, president and chief operating officer of Unocal (and the company's former CFO), emphasized, "I think you will see almost all companies over the next few years moving in the same direction [as we are], really trying to integrate the notion of risk management with the notion of just business management. To me, running a business is all about managing risk."

Successful companies, almost by definition, have managed risks well, but practicing "risk management" has typically been informal and implicit. Some companies may have survived without ever knowing their real portfolios of risks. Taking an implicit approach to risk management can be risky itself, as it's caused some major surprises to companies unaware of the explicit risks. Examples include major debacles such as product recalls or fraudulent securities trading, major shifts in markets that management missed or saw too late, and increasingly complex environmental or business changes not recognized by management. Successful risk management today is not just about debacles and the downside -- it's as much about opportunities and the upside. As UGG's Peter Cox said, it's a "strategic" initiative, not a "defensive" one.

A paradigm shift

By way of definition, enterprise-wide risk management, or integrated risk management, is a paradigm shift for many companies. Its goal is to create, protect and enhance shareholder value by managing the uncertainties that could either negatively or positively influence achievement of the organization's objectives. Historically, managing risk was done in 'silos' rather than enterprise-wide. That is, companies knew how to manage certain obvious risks individually but never thought about examining every risk and involving management in managing all of those risks. Typically, companies would have people who managed process risk, safety risk, insurance, financial and assorted other risks. A result of this fragmented approach was that companies would often take huge risks in some areas of the business while over-managing substantially smaller risks in other areas.

Enterprise-wide risk management is a coordinated and focused approach for managing all risks together.

What's driving companies to adopt enterprise-wide approaches to risk management? The study found three major reasons. For starters, risk management has gained recognition as companies have seen major debacles occur internally or at other companies. The size of these disasters can be devastating, and executives frequently lose their jobs as a result. Simply stated, one of the main reasons risk management has become necessary is to manage strategically and avoid catastrophes.

Secondly, many executives believe risks are greater than ever before. In fact, even being a chief executive is risky. The Economist (Nov. 11, 2000) reported that this past October alone, 129 chief executives left their companies and that the Business Council no longer puts an incoming executive on its member list immediately, but instead waits to see if the newcomer will last. Executives know the risks are there, but they are not sure what to do to manage them. Indeed, many executives would welcome a risk management plan and related risk infrastructure.

The third reason concerns shareholder value. Companies have learned (as Unocal's Tim Ling expressed) that managing risk is really about managing the business and therefore managing risk can create shareholder value if done correctly. Susan Stalnecker, DuPont's treasurer, comments on the old view of risk management versus the new, more integrated approach: "What we have is a control process now. We don't have a value creation process. That's what we're trying to do."

The risk management process

Study results from the five companies clearly indicate there is no "cookie-cutter" or one-size-fits-all approach to risk management. Each company developed different yet overlapping approaches. Yet, in spite of the differences, each company's management believed that their approach was adding value to their organization. The discussion that follows highlights some of the lessons learned about adding value through enterprise-wide risk management.

1. Identify risks. Effective risk management initially means knowing your risks, Each of the case study companies had, in one way or another, made a concerted effort to identify its risks. Risks were identified in a variety of ways: using scenario analysis, brainstorming, performing risk self-assessments and generally by looking across the organization (or enterprise-wide) to make sure they had covered the major business risks. Karl Primm, Unocal's general auditor, said of the new approach: "Risk management is not new; managers have been doing this since the beginning of time. An integrated approach, however, does shed new light and benefits on the process." Risk identification is not static. As the business, economy and industry change, so do the risks and so, too, must the risk identification process.

2. Rank risks. Once risks are identified, management can determine what to do with them, depending on the effect of the risk on the business. A good first step in assessing the effect is to rank risks by some scale of impact and likelihood. DuPont implicitly ranks risks, while Microsoft uses risk rankings to generate "risk maps." (Risk maps are a graphical approach for viewing and plotting both likelihood and impact of risks.) Either way, can you imagine trying to run a business without knowing the real risks and without knowing the possible importance of each risk? It's a recipe for poor performance or even disaster. The goal is to make conscious decisions about risk, including all risks facing the business.

3. Try to measure risks. As previously noted, some companies implicitly or explicitly rank risks; others decide to validate the risk's perceived importance. These companies want to have more evidence on importance before they make decisions about how to manage the risk. Gathering this additional evidence helps management allocate capital efficiently and avoid over-managing those risks that are not as important while under-managing those that are important.

Risk Measurement Approaches

But some risks seem to defy reliable measurement. "The approach we have taken in financial risk and business risk is to try to quantify what we can and not necessarily worry that we are unable to capture everything in our measurement," said George Zinn, director of corporate finance for Microsoft, describing how his company views the problem. Still, companies should attempt serious risk measurement because it offers hard data to back up the perceived impact of risks.

The most sophisticated measurement of risk occurs in the area of financial risk. Companies are using value at risk or VAR (effect of unlikely events in normal markets), and stress testing (effect of plausible events in abnormal markets) methodologies to measure the potential impact of the financial risks they face. To Microsoft, VAR provides a way to respond to the question, "How much risk Is Microsoft taking?" Microsoft's treasurer, Brent Callinicos, said that before the company used VAR, it would have to ask "what they really meant." The risk management group, according to Callinicos, decided it "would tell anyone who asks what we mean when we say we have risk."

The measurement of risk has been evolving from financial risk to now include non-financial risk which is more problematic. However, the companies studied have developed eclectic approaches to measuring these various risks. For example:

* UGG took risk measurement to a new level by developing, among other measures, gain/loss curves for risks. Such curves reveal the dollar effect and likelihood of a risk affecting earnings. In addition, UGG found that a certain subset of its risks contributed to as much as 50 percent of the variance in revenues. Knowing what affects revenue (and earnings) variance is extremely valuable to any organization, and UGG was even able to negotiate insurance coverage incorporating its most significant risk, grain volume, at no incremental cost because the risks were integrated in the insurance package. Also, UGG's risk measurement included more than traditional financial risks

* DuPont advanced financial risk measurement even further by developing earnings at risk (EAR) measurement tools, To DuPont, VAR was not as helpful because it's a concept that's hard for some managers to understand and manage. With EAR, DuPont measures the effect of risk on reported earnings. It can then manage risk to a specified earnings level based on the company's risk appetite. With this integrated view, it can even now begin to see how risks affect the likelihood of achieving certain earnings targets. At DuPont, this new approach is dramatically altering the way it manages risk.

* Chase Manhattan developed its own measurement system - shareholder value added (SVA), because management was concerned that decision-makers were not explicitly considering the cost of risk. "We're in the business of taking risk, but we're in the business of getting paid for the risks that we take," said vice chairman Marc Shapiro. Asset growth under SVA has slowed from 15 percent to two percent in only three years, while cash income is at a healthy 17 percent growth rate.

* Microsoft adds an advanced but different version of scenario analysis to assist with non-financial risk identification and measurement. The company's risk management group has utilized several scenarios to identify key business risks. As Callinicos emphasized, "The scenarios are really what we're trying to protect against." Two scenarios are the possibility of an earthquake in the Seattle region and a major downturn in the stock market.

In some cases, after a risk was measured, management learned that the real effect of the risk was significantly lower or higher than they had previously believed. This further reflects the value of having good risk measurement. Bottom line: when management knows the real level of the risks they face, they can then manage those risks more effectively and successfully.

Thomas L. Barton is a CPA and the Kathryn and Richard Kip Professor of Accounting and KPMG Research Fellow of Accounting at the University of North Florida.

William G. Shenkir is a CPA and the William Stamps Farish Professor of Free Enterprise at the University of Virginia's McIntire School of Commerce.

Paul L. Walker is a CPA and an associate professor of accounting at the University of Virginia's McIntire School of Commerce.

Barton, Shenkir and Walker ate co-authors of Making Enterprise Risk Management Pay Off

This study was sponsored by the Financial Executives Research Foundation, which published the resulting book, Making Enterprise Risk Management Pay Off It can be ordered by calling 800.680.FERF.

Case Study Companies

The five companies studied in Making Enterprise Risk Management Pay Off:

1. Chase Manhattan Corp. (now J.P. Morgan Chase & Co.)

2. E.I. du Pont de Nemours and Co.

3. Microsoft Corp.

4. United Grain Growers, Ltd.

5. Unocal Corp.

Value Lessons - Highlights

Each of the five companies in the study believed they were creating, protecting and enhancing value by managing enterprise-wide risks. Here are some highlights:

* Managing requires a formal, dedicated effort to identify significant risks.

* A "cookie-cutter," one-size-fits-all approach is not feasible.

* Rank risks on a scale that captures importance, severity/dollar amount, frequency or probability.

* Measure financial risk with sophisticated and relevant tools.

* Know your appetite for risk-- for the company and the shareholders.

* Adopt an enterprise-wide (not silo) view of risk management.

* Consultants, when and if used, are supplements to senior management.

* Enterprise-wide risk management offers more at potentially lower costs.

* Risk management infrastructures vary but are essential for driving decision-makers to consider risks.

* Implementing enterprise-wide-risk requires the commitment of one or more senior management champions.

How Does Your Risk Rate?

Here's a quiz to assess your organization's risk management strategy. You may be pleasantly surprised - or shocked - at how your organization is doing in managing enterprise-wide risks.


* List the three most important risks your organization faces, defining risk as anything that keeps your organization from accomplishing its objectives. (If you do not know your important risks or if you get different answers from different managers within your organization, you may have even more risk than you realized.)

* Assess each risk according to how important it is to your organization. Use a scale of 1 to 10, with 10 the highest risk.

* Ask yourself how effective management is at managing that risk. Again, use a scale of 1 to 10, with 10 implying that the risk is managed extremely well and 1 implying that the risk is not managed at all.

* Finally, determine the gap, or the difference, between the importance of the risk and the effectiveness level of managing that risk. Simply subtract the 3rd column from the 2nd to get the gap. The gap can indicate many things, but a positive gap generally implies that risks are under managed while a negative gap may indicate risks are over managed.
COPYRIGHT 2001 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Walker, Paul L.
Publication:Financial Executive
Geographic Code:1USA
Date:Mar 1, 2001
Previous Article:'Distance Education' Embraces the Web.
Next Article:Unlocking Value Through Internal Audit.

Related Articles
Examine Risk to Define Capital Needs.
Enterprising Solutions.
Ready for anything: The Sept. 11 terrorist attacks and the resulting losses across multiple lines have renewed interest in enterprise risk...
Strategic risk management reduces financial uncertainty. (Property/Casualty: Loss/Risk Management Notes).
Are CEOs to blame for tech failures? (Trends to Watch).
Need more effective risk management. (Letters).
Breaking barriers: risk managers and information technology managers need to work together to protect their companies from cyber-crime. (Cover Story:...
CFOs positioned to drive BI integration: two major CFO challenges--improving performance management and improving access to information--can be...
Which comes first ... managing risk or strategy-setting? Both! Effectively integrating risk management with the strategy-setting process enables...

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters