THE IMPORTANCE OF RISK MANAGEMENT
Risk, in a business sense, is uncertainty. If uncertainty is not properly managed, then forward planning will be almost impossible, and the risk of business catastrophe will be great. Directors who fail to manage risk are failing in their duty to shareholders.
It is not just that things might go wrong … they may of course go right! If an organisation chooses to take no risk at all, it is likely that its return will not be very high.
The amount of risk that an organisation needs to take, or wants to take, will depend on a number of factors that will be looked at below.
The board and risk management
The Board is responsible for strategic decisions. As such, the directors need to decide on a suitable risk strategy.
This strategy must fit in with overall corporate strategy, or corporate goals are unlikely to be achieved.
Working Together on Risk
Once the objective is selected, the Board need a risk strategy that the whole football club understands and is working towards – they need to embed the risk strategy throughout the culture and operations of the club. Let us assume that the Board have decided to push for the glory of winning the league:
- The Manager, when selecting the team and tactics, needs to focus on winning matches – a draw is not enough! He may need to put several strikers on the substitute bench, so he can bring on fresh goalscoring talent at the end of each match.
- The Players need to understand that winning each game is essential. If they are ahead, they should keep the ball and try to waste as much time as possible. If they are tied with a few minutes left of a game, they need to hurry things up and throw every player forward
- The coaching staff need to protect key players for the actual games, and not risk injury on the training ground
- The club doctors need to understand some players may have to play through injuries, and save proper treatment to the end of the season
- The Board themselves need to ensure they can provide the necessary finance to allow the manager to do what is required
- Those looking for new players to buy (the “scouts”) need to understand that the focus is on players who can score goals, players with a winning mentality etc.
Risk Management is typically part of the Audit Committee’s job. However, the Audit Committee already has a long list of responsibilities, and in some larger companies there is likely to be a separate Risk Committee to deal with the job of monitoring risk management processes (especially the non-financial risks), and ensuring risk strategy is successfully embedded throughout the company.
RISK MANAGEMENT PROCESS
Once the Board has considered its risk strategy, a typical risk management process may look like this:
IDENTIFY RISKS -> MEASURE RISKS-> DESIGN SOLUTIONS-> IMPLEMENT SOLUTIONS-> MONITOR
The process is a continuous cycle – risks will change on a regular basis, so a company cannot afford to design solutions and then relax!
There are many different types of risk, and many methods for identifying them:
Methods for identifying risks
- The use of SWOT or PEST / PESTLE analysis
- Brainstorming sessions
- The use of risk questionnaires throughout the organization
- The use of external consultants
Different levels of risk
Risk can occur at different levels:
The risk that strategies fail. Major business decisions, such as a re-branding, an acquisition of another company, a merger, could all go wrong.
The more day-to-day risks for a business, of which there are many types. Whilst operational risks could be viewed as less important than strategic risks, an operational problem can still lead to major business problems.
Directors and senior management need to ensure they do not ignore operational issues because they are focusing on higher level strategy.
Examples of risk types:
The risk that a company will not be able to survive as a going concern.
This risk has a number of elements:
The risk that customers fail to pay their bills on time (or at all!)
The risk of changes in the value of a company’s financial assets (e.g. shares, bonds)
The risk of running out of cash because inflows are not arriving in time to pay outflows!
The risk of changing foreign exchange rates in the future. This could lead to:
- Transaction Risk – change in the value of a future receivable or payable
- Translation Risk – change in the value of the company’s Balance Sheet if year-end exchange rates have changed
- Economic Risk – change in the competitiveness of the company due to longer term changes in exchange rates
Interest Rate Risk:
The change in the value of investments and loans as a result of changing interest rates.
Legal and Compliance Risk
This is the risk of breaching laws and regulations and being fined (or even closed down) as a result. The cost is not necessarily just financial – the time taken in dealing with an investigation can be distracting to the Board.
It also creates reputation risk.
The risk of operating in a particular country may be high. A change in government or sudden imposition of new laws could make it difficult for the company to operate.
The risk of technological failure, which could be caused by weather, water damage, poor ventilation (leading to overheating) … or simply a badly designed system that fails, or is corrupted.
With the ever growing use of IT, a lack of computer controls could lead to a virus, or staff with a grudge deliberately placing false transactions on the system.
Email or internet access could lead to data corruption.
Health and safety risk:
Apart from the risk of injury to employees (who may refuse to work unless the risk is dealt with), poor health and safety can affect the reputation of a company.
The risk of environmental factors affecting the operations of a business. For example:
- Repeated bad weather leading to farmers having a poor harvest
- Heavy rain and floods have resulted in Worcestershire County Cricket Club having to close their ground … and look at finding a new home
- If global warming continues, the tourism industry is likely to see big changes, with traditional beach resorts becoming too hot and tourists seeking new locations where previously temperatures were not tempting enough.
It is also the risk of a business affecting the environment itself.
The risk of fraud by employees, customers, suppliers etc. There are many different types of fraud, and many reasons why someone may carry it out.
Intellectual property risk:
This is the risk of loss of “knowledge”. It could be caused by systems failure, but equally could be caused by staff leaving the company and taking knowledge with them.
The risk becomes greater if they have gone to a competitor, where the knowledge they have could be of great value.
It is very difficult to stop someone telling a new employer everything they know – even if legal steps are taken, it is impossible to prove that a private conversation took place.
Reputation Risk is an extremely important issue for the majority of companies. A bad reputation can wreck a business (Ratners, Andersens) … although sometimes a bad reputation can actually improve profits (Kate Moss, any song banned by the radio stations).
Reputation Risk is affected by every other type of risk, so is very difficult to manage. A good reputation can take years to create, and seconds to destroy!
Industry specific risks
Of course, different risks affect different businesses in different ways.
Some risk types are likely to be relevant to virtually every business:
- Reputation risk
- Fraud risk
- Credit risk
In terms of risk management, a Risk Committee should identify the most important risk classifications for the organization, in order to create a framework for considering risk management. It would be very difficult to sit in a room and think up types of risk with a blank sheet of paper, and not very time efficient to do this at the start of every meeting.
It also helps to assure shareholders if the Annual Report gives an indication of the main risk areas that the company has considered.
EXAMPLE – BARCLAYS
In its 2006 Annual Report (310 pages!!!), Barclays identified the following list of risks that it used as its framework of risk management:
- Market (foreign exchange, interest rates, commodity prices)
- Capital (lack of finance)
- Financial reporting and tax
- Brand management
- Corporate responsibility
- Financial crime
- Legal and compliance
EXAMPLE – BRITISH AEROSPACE
In its 2006 Annual Report (a tiny 134 pages), British Aerospace listed the following major risks:
- Reduced defence spending by governments
- Reliance on a small number of large contracts
- Political risk associated with some regions
- Fixed price contracts
- Government regulation (e.g. export controls)
- Inability to control joint venture partners
- Strategic failure of their policy to grow by acquisitions
- Pension scheme deficit
- Foreign exchange
- Legal and compliance
Once risks have been identified, decisions have to be taken about how (if at all) they should be managed. Clearly, some risks are more important than others. Risk prioritisation
There are 2 main variables in assessing the importance of risks:
Both of these are of course estimates, although some statistical analysis may be possible to improve certainty.
Clearly, high-likelihood, high-impact risks need to be considered first … and low-likelihood, low-impact risks may be completely ignored.
There are many techniques available for quantifying risk:
- Expected Values – create an average.
- Value at Risk – can help to understand the amount of risk not being managed.
- Worst case / best case – looks at extremes rather than averages.
There are many techniques available to manage risk. Some look to manage overall risk, whilst others target specific risks.
Some risks can be totally avoided. If a business has identified that opening a subsidiary in Austria appears high risk, then not opening the subsidiary solves the problem!
However, to totally avoid a business opportunity is often a rather extreme reaction – and if no risks are taken, the chance of returns being earned is small!
Overall Risk Reduction
Risk is the uncertainty caused by variable returns. One way to deal with uncertainty is to diversify.
By operating in many different sectors, it is likely that when one sector is performing badly, another will be doing well, leading to a smoothing of profits.
Advantages of Diversification:
- Smoothing of profits, making forward planning easier
- May be economies of scale between some sectors, however diverse those sectors are.
Disadvantages of Diversification:
- Spreading resources and knowledge too thin
- Being reasonable at many things, but not particularly good at any of them, can smooth returns, but at a relatively low average return
- Investors may question the strategy
- Harder to control the business as it grows in size
- Maybe diversification should be left to shareholders…
- Diversification works best where the business areas are negatively correlated – and this means they are usually very different sectors where the ability to get economies of scale, share knowledge etc. may be limited.
In some areas of a business, risks can be reduced by centrally managing transactions and looking for possibilities to offset positions.
A centralized Treasury function can manage cash inflows and outflows throughout a business, matching cash surpluses in one sector with cash deficits in other parts of the business.
The most common way to reduce individual risks is to design internal controls.
Transfer of Risk:
The most common way to transfer risk is insurance – by paying a premium, the cost of major disasters can be passed on to the insurance company. Insurance companies themselves may seek to transfer away some of their newly acquired risk to other insurance companies, to share the cost of a catastrophe throughout the insurance industry.
There are other ways to transfer risk:
- Joint Ventures or franchise arrangements can help to transfer some of the risk, by sharing with another party.
- It may be possible to pass risk on to employees, suppliers, customers etc., although they are likely to expect payment for this Accepting Risk
Some risks will simply be accepted, and nothing done about them. This may be because:
- A deliberate choice has been made to take the risk
- There is nothing that can be done to manage or avoid the risk.