Which comes first ... managing risk or strategy-setting? Both! Effectively integrating risk management with the strategy-setting process enables management to focus on achieving its expected return while controlling its accepted risk exposure.
An enterprisewide risk assessment can help management determine whether there are risks that are inconsistent with or in excess of the organization's risk appetite. Because the operating environment is constantly changing, strategy-setting is a dynamic process that never ends. The same applies to risk assessment.
So, management should never set strategy without evaluating risk. Managers will naturally gravitate to the opportunities with the highest return, regardless of the risk. That is why a risk evaluation must be performed when strategy is formulated, because each enhances the other.
In those situations when a risk assessment is conducted after the business strategy is developed, the strategy must be reevaluated to consider risks not identified during the risk assessment. Business strategies often warrant revisiting once the risks inherent in those strategies are fully understood. Thus the entity's goals and objectives may be further refined when an enterprisewide risk assessment is conducted.
An Enterprisewide Approach
Whatever the enterprise's proxy for measuring value, the most important contribution of risk management is to help executives make better strategic choices. Not only is this contribution an important one as companies face an increasingly uncertain future, it can make or break the formulation and execution of a successful strategy.
Over the last 10 years, Protiviti Inc. has conducted several research projects involving senior executives. The most recent survey was conducted in the third quarter of 2005 and involved 76 C-Level executives of Fortune 1000 companies. The research during this 10-year period has consistently found that six of 10 senior executives lack high confidence that their organization is identifying and managing all potentially significant risks.
During times of substantial change, integrating risk management with strategy-setting is the key to increasing the relevancy of and the confidence in risk management capabilities.
Traditional risk management tends to focus primarily on loss prevention and managing uncertainties around physical and financial assets and related contractual agreements. As such, traditional risk management is often a fragmented, reactive, sporadic, cost-based, narrowly focused and functionally driven activity.
Integrating risk management with strategy-setting, such as an enterprise risk management (ERM) approach, helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance. These contributions redefine the value proposition of risk management to a business.
Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets such as customer assets, employee/supplier assets and the entity's distinctive brands, differentiating strategies and innovative processes and systems. This is the essence of what ERM contributes to the organization--the elevation of risk management to a strategic level by assessing all sources of value, not just physical and financial ones. ERM transforms risk management to a coordinated, proactive, continuous, value-based, broadly focused and process-driven activity.
Under an enterprisewide risk approach, the focus is on integrating risk management with strategy-setting.
The Focus on Enterprise Value
While the strategy-setting process takes many forms in different organizations, it generally includes the following continuous cycle of activities: assessing the environment, evaluating alternatives, formulating strategy, establishing metrics and monitoring execution. Integrating risk management with strategy-setting transforms risk management from "avoiding and hedging bets" to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of growth and returns.
Enterprise value is the value placed upon an organization by its stakeholders. While value can be expressed in different ways, this will presume that shareholder value is the measure of choice for executives of public companies. Using enterprise value as a context, it can be better understood how integrating risk management with strategy-setting can make a difference.
There are at least four broad choices available to management when protecting and enhancing enterprise value:
* Create new opportunities. The enterprise invests in new business activities promising attractive returns expected to exceed the cost of capital.
* Improve performance. The enterprise improves performance and increases returns of existing business activities by improving policies, processes, competencies, reporting, technology and/or knowledge in ways that achieve this desired result.
* Harvest existing value. The enterprise withdraws from existing business activities with inadequate returns. For example, these activities have generated (or are expected to generate) returns that do not exceed the cost of capital.
* Align risk-taking with risk appetite. The enterprise takes specific steps to align its risk taking with its core competencies.
For strategy-setting to be effective, it must focus on these four choices. The relative risks inherent in individual business units and activities vary. To address these inherent risks, management should insist that the strategy-setting process consider the risk equivalency of alternative business activities. As senior management evaluates opportunities for generating superior returns, three issues arise. It is necessary to:
1. Evaluate the key underlying variables in the business plan that are exposed to performance variability over time and that require specific risk responses;
2. Understand the loss exposures or drivers inherent in the enterprise's business model that require specific risk responses; and
3. Identify incongruities inherent in the business model where management has, either knowingly or unknowingly, accepted risks that should be avoided, given the entity's risk appetite.
For risk management to be value-added, it must enhance the strategy-setting process by providing the discipline, focus and control to ensure the three issues above are satisfactorily addressed.
That is, risk management must: manage and monitor performance variability in the business plan; protect accumulated enterprise value from unacceptable losses; and support alignment of opportunity seeking behavior with risk appetite.
As Anurag Saksena, chief enterprise risk officer for Freddie Mac, explains: "For firms to succeed in this increasingly global and competitive marketplace, risk management must become a state of mind. A systematic and proactive enterprise-wide approach to managing risks is essential to making risk management an integral part of the company's DNA."
The four broad choices available to management during strategy-setting and the interplay with risk management are discussed in detail below.
Create New Opportunities
Every successful business takes risk in the pursuit of value-added opportunities. For example, when management decides to enter new markets, introduce new products, merge with or acquire another entity or exploit other market opportunities, inherent in these decisions are choices to take on additional risk. When risk management is integrated with strategy-setting, these choices are transparent.
Risk management is relevant to strategy-setting when it provides assurance to directors and executive management that risks are taken with knowledge--knowledge of the business, knowledge of the risks and knowledge of markets. That knowledge is a result of the organization's persistent efforts to understand, monitor and track risk during the strategy-setting process.
ERM allows management to identify the priority risks inherent in its planned actions and price the acquisitions, transactions and deals resulting from those actions to appropriately compensate the enterprise for the risks it is assuming.
Failure to make this assessment may result in management committing to undertake activities in which there are risks that exceed its risk appetite, such as unacceptable performance variability, loss exposure and/or business model incongruities. The objective is to fully understand the good things and the bad things that can happen and the various scenarios in between.
In addition, following the consummation of acquisitions, transactions and deals, a process is in place to monitor the risks and mitigate them if they are determined to be different than originally contemplated by the strategy.
Effectively integrated with strategy-setting, risk management should invigorate opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities within the organization to manage those risks. The result: management and the board fully understand the downside and how much it might hurt. They also know what to watch over time.
A robust, comprehensive risk assessment of a given business unit may identify priority risks that expose future revenue streams and cash flows to unacceptable performance variability or loss exposure. Rigorous event identification and risk assessment enhance the business strategy and business plan, as well as their execution.
For example, Holcim, a multinational organization with 61,000 employees and a presence in more than 70 countries, integrates the first two steps of its Business Risk Management process--identify risk and source risk--with the risk assessment phase of its business planning process. The result is that business risk management and the business planning process are, in effect, a single process.
Clemens Mann, risk manager with Holcim's corporate strategy and risk management team, describes the process: "In this first element of the business planning process, we look at the risk profile in each of our group companies, and examine how the business environment has changed or might change in the future." To develop a truly comprehensive risk profile, Holcim analyzes both internal and external risk factors and external market situations to determine where to focus the business planning process and where the critical elements reside.
"This way, we know where and how to dig deeper," says Mann. He adds, "Early in the process, we make preliminary decisions about how we want to handle the risk. This becomes our future risk profile, or so-called 'target risk map,' which results in first indications as to how we want to handle the risks."
Once a consistent risk assessment framework is implemented and used enterprisewide by the organization's business and support units, comparison and aggregation across the enterprise become possible. Capital allocation becomes more meaningful, and investment choices become clearer. A more robust risk assessment process reduces the chance of overlooking key risks and incurring unacceptable opportunity costs due to risk-averse behavior. Risk responses can then be evaluated to reduce the priority risks to an acceptable level (see Four Alternative Risk Responses on page 37).
Identification of potential events or scenarios may provide useful insights as to the soft spots in the enterprise's or unit's business strategy. Because the future is uncertain, management should consider a range of potential outcomes in earnings and cash flow projections, not single-point estimates.
Harvest Existing Value
Decisions to exit a market or geographic area or to sell, liquidate or spin off a product group or business must be carefully evaluated. Managers need to understand the "relative riskiness" of different units, geographies, products or markets.
If performance is measured without considering the risks assumed by managers through their respective activities, the company might choose to withdraw from a business that is actually generating superior risk-adjusted returns, even though its gross returns may appear lackluster. The analysis supporting this assessment could be as simple as a risk map prepared for each business unit or as sophisticated as deploying risk-adjusted performance measurement.
Align Risk-taking with Risk Appetite
Every organization has a risk appetite, whether it acknowledges it explicitly or not. Risk appetite is expressed through an entity's actions or inactions. It represents executive management's "view of the world," which drives their strategic choices. In its Enterprise Risk Management--Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) set a standard for management to manage risk within the entity's risk appetite, as understood and agreed by the board of directors.
Management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances and developing risk management capabilities. If articulated explicitly, risk appetite provides overall direction for risk management and is grounded during the objective-setting process.
During the strategy-setting process, companies that are serious about risk management strive to configure their risk-taking with their core competencies, avoiding unduly constraining risk-averse behavior. The business model of every successful organization exploits to the maximum extent possible the areas in which the company excels relative to its competitors.
In leveraging these advantages, however, management needs assurance that the company is not gambling its future. An ERM infrastructure supports strategy-setting, because it provides the discipline, focus and control by which management capitalizes on competitive strengths while protecting enterprise value.
It also ensures that the company only takes those risks it is best equipped to handle within the parameters of its risk appetite, while minimizing exposure to those areas considered "off-strategy" because of the lack of competence to manage.
Understanding and effectively managing the relationship between capital, risk and reward within the boundaries of an organization's strategy-setting process create a significant opportunity for increasing the relevance of risk management.
For example, does it make sense to take all of the risk an organization is capable of undertaking without reserving capital for new investment opportunities? Is it appropriate to retain a significant risk when options for transferring that risk are available at reasonable cost? What is the desirable relationship between the capacity to bear risk and the appetite to take risk, and should capital allocation be modified to reflect that relationship? From a strategy-setting standpoint, it is useful to have a notion of at what point the organization's capacity for bearing risk would be encroached upon.
Evaluate Early, Meet Expectations
By effectively integrating risk management with the strategy-setting process, management is able to sharpen the focus on improving expected returns, or alternatively holding the expected returns constant and favorably altering the organization's risk characteristics. Management alters their risk characteristics by reducing:
* The enterprise's net exposure;
* The variability of the enterprise's expected returns caused by specific sources of uncertainty (such as exposure to fluctuating currency rates);
* The likelihood of financial distress in the event of realized changes in key variables (such as changes in interest rates for a highly leveraged company); or
* Other uncertainties in the attainment of expected returns.
In effect, integrating risk management with strategy-setting means two things. First, it means the risk profile of strategic decisions is evaluated early in the strategy-setting process--leading to a more robust business strategy. Second, it means that policies, procedures, measures and monitoring are established and continuously improved, providing assurance to management and the board that the company is on target with achieving its expected return while controlling its accepted exposure to risk.
Everett Gibbs (firstname.lastname@example.org) and Jim DeLoach (email@example.com) are Managing Directors for Protiviti Inc. Protiviti (www.protiviti.com) is a provider of independent risk consulting and internal audit services.
RELATED ARTICLE: Four Alternative Risk Responses
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are four alternative risk responses--Avoid, Accept, Reduce, Share. Each of these are detailed below, along with an illustrative example:
Eliminate the risk by preventing exposure to future possible events from occurring. Examples of avoidance responses include:
Prohibit unacceptably high-risk activities, transactions, financial losses and asset exposures through appropriate corporate policies, limit structures and standards
Stop specific activities by redefining objectives, refocusing strategies and policies or redirecting resources
Target business development and market expansion to avoid pursuit of "off-strategy" opportunities
Screen alternative capital projects and investments to avoid low-return, off-strategy and unacceptably high-risk initiatives
Divest by exiting a market or geographic area, or by selling, liquidating or spinning off a product group or business
Maintain the risk at its current level. Illustrative responses include:
Retain risk at its present level taking no further action
Reprice products and services by including an explicit premium in the pricing, market conditions permitting, to compensate for risk undertaken
Self-insure risk through internal charges to earnings, borrowed funds (from external sources should a specific event occur), reserving losses (under accepted accounting principles), a pure captive insurance company or participation in a group or an industry captive
Offset risk against others within a well-defined pool
Implement policies and procedures to lessen the risk to an acceptable level. For example:
Disperse financial, physical or information assets geographically to reduce risk of unacceptable catastrophic losses
Control risk through internal processes or actions that reduce the likelihood of undesirable events occurring to an acceptable level (as defined by management's risk tolerance)
Respond to well-defined contingencies by documenting an effective plan and empowering appropriate personnel to make decisions; periodically test and, if necessary, execute the plan
Shift the risk to a financially capable, independent counterparty. For example:
Insure through cost-effective contract with independent, financially capable party under a well-defined risk strategy
Reinsure to reduce portfolio exposure through contracts with other insurers, when such arrangements are available
Hedge risk by entering into the capital markets, making feasible changes in operations or executing new borrowings
Securitize risk by accessing the capital markets and structuring deals with potential investors through efficient pricing mechanisms
Transfer risk and rewards of investing in new markets and products by entering into alliances or joint ventures
Outsource non-core processes (a viable risk transfer option only when risk is contractually transferred)
Indemnify risk by entering into contractual risk-sharing arrangements with independent, financially capable parties
Source: Adapted from "Frequently Asked Questions About Enterprise Risk Management," Protiviti Inc., 2005
RELATED ARTICLE: takeaways
* An enterprise risk assessment can help management determine whether there are risks that are inconsistent with or in excess of the organization's risk appetite.
* Research conducted by Protiviti Inc. over 10 years consistently finds that six of 10 senior executives lack high confidence that their organizations identify and manage potentially significant risks.
* Four broad choices are available to management for protecting and enhancing enterprise value: create new opportunities, improve performance, harvest existing value and align risk-taking with risk appetite.
|Printer friendly Cite/link Email Feedback|
|Date:||Jan 1, 2006|
|Previous Article:||Struggling to get attention: in the past few years, smaller public companies have found rough going when it comes to getting analyst coverage and the...|
|Next Article:||XBRL: a 'revolution' in corporate reporting? Touted by the SEC chairman as the next revolution in corporate reporting, FERF spoke with three...|