|
|
 |
 |
 |
| Monday, 13 October 2003 |
 |
|
 |
Business | |
| News Business Features Editorial Security Politics World Letters Sports Obituaries
|
Emerging need for enterprise - wide risk management by D. S. W. Andradi, FCA, FCMA, FSCMA The concept of risk management is not something new to the business world. In fact businesses have been managing their risks using techniques of varying complexity down the ages. Transferring risks to external parties using insurance, hedging risks using derivatives, and spreading risks by diversifying business activities are few well-known methods. However, it is only in recent times that risk management has gained growing prominence as a vital business discipline. This is obviously due to the sensational collapse of high profile companies such as the Bank of Credit and Commerce International (BCCI), and Barings Bank of the UK, Sumitomo Corporation of Japan, Long Term Capital Management (LTCM), Enron and Worldcom of the USA. These bankruptcies have resulted in loss of savings, investments and jobs of numerous people and have lead to the general erosion of pubic confidence in the capital markets. This in turn has resulted in the clamour for enterprise-wide risk management and corporate governance from influential quarters. In fact, risk management is now recognized as a vital and integral part of sound corporate governance and strategic management. This calls for an enterprise-wide strategic approach to the management of risks. What is risk? Risk is the possibility of incurring losses due to volatility. Accordingly, when the volatility is high the level of risk will also be high and vice versa. Needless to say, volatility is brought about by the rapid changes taking place in the business environment. Several major changes continue to take place in the business world such as: * Rise in the level of corruption in society * Liberalisation and de-regulation of economies and markets * Globalisation * Widespread use of information technology in business activities * Proliferation of financial instruments such as derivatives * Corporate fraud and abuse of executive power * Cross-border criminal activities such as drug trafficking, terrorism and money-laundering * Worldwide economic downturn and recession These changes generate a host of risks such as business risks (examples are threat of new competitors, threat of substitute products, alienation of suppliers, possibility of loss of business reputation viz. reputation risk), financial risks (examples are interest rate risks, exchange rate risks, credit risks, liquidity risk), operational risks (for example fraud risks, technology failure risks) to name a few. The possible outcome of not managing such risks would be the incurring of massive losses, which could eventually lead to bankruptcy. Hence, the vital need for risk management. Risks and rewards It is true that organizations should guard themselves against risks that could result in huge losses. However, on the other hand, it should not be forgotten that business enterprise is essentially about assuming risks. The saying goes, "nothing ventured, nothing gained". This amounts to saying that there is no reward without risks. The higher the risk, higher is the reward or return expected by a business enterprise. However, the inclination to take risks in order to achieve a given level of return is different from enterprise to enterprise. This inclination, which is called risk appetite, is higher in the case of risk seeking organizations when compared with risk averse ones. The relationship between risk and reward is in fact one of the central themes of finance theory. There are two types of risks - risks which have only a down-side and risks which have an upside as well as a down-side. Risks arising from natural disasters, accidents, fraud and theft, loss of reputation, breakdown of IT systems, and the breach of law fall into the first category. These risks could only result in losses. Therefore, they need to be reduced or eliminated as much as possible. Insurance is a traditional method of mitigating some of these risks (e.g. risks from natural disasters, accidents). Another approach would be to strengthen internal control mechanisms such as internal audits. This is particularly true in regard to risks arising from fraud and technological failure. However, the approach to be taken with regard to the second category viz, risks with an upside as well as a down-side is quite different because they are associated with potential profits as well as losses. Business risks arising from introducing a new product into the market and financial risks arising from volatility in interest rates and foreign exchange rates fall into this category. A company may assume or mitigate such risks depending on its risk-appetite. Risk, return and risk capital Due to understandable reasons, an organization may not proceed to eliminate all risks facing it. It will assume some risks simply because the costs associated with mitigating such risks exceed the respective benefits. It will also assume certain business and financial risk with the view to achieve rewards, i.e. profits. These risks which remain with the business are generally called residual risks. As they could result in the company incurring unexpected losses, the company should have adequate risk-capital to sustain such losses in order to avert bankruptcy. The risk capital, also called capital-at-risk, performs the function of a buffer and takes the form of equity fund. This explains to a great extent the importance placed on the concept of capital adequacy by regulators of financial institutions, especially those which accept deposits from the public. In fact, the Basel Committee on Bank Supervision requires banks to comply with risk-based capital adequacy standards. Risk management cycle Business enterprises need to adopt an enterprise-wide strategic approach to risk management. The risk management process should cut across all levels of management (board of directors, senior management, middle management and operational management) and functional departments (operations, marketing, finance etc.) Above all, it should receive the fullest commitment of the board of directors and the CEO. It should be an integral part of the organization's governance and strategic planning and control process. The following steps could be followed in regard to enterprise-wide risk management. * Establish risk management committee with clear terms of reference * Identify risks * Measure and prioritize risks * Develop risk management strategy * Implement risk management strategy * Monitor and control implementation Risk Management Committee A risk management committee (RMC) with clear terms of reference need to be established. Major functional areas (e.g. operations, fiance, marketing, administration and the risk management function itself) need to be represented on the committee at senior management level. The RMC should report to the CEO and should have the support of the Board of Directors in order to function satisfactorily. The RMC should be responsible for the development, implementation and the monitoring of the entire risk management process throughout the organization. The RMC could also be a catalyst in the propagation of risk culture and risk thinking within the enterprise. Identification of risks The identification of risks calls for a sound enterprise-wide risk reporting system. Each department and business unit needs to be required to report the significant risks, say the top ten risks, facing them. For instance, at Unilivers, the 300 companies were required to report the top risks to the Corporate Risk Committee through 13 business groups. Early Warning Systems to track emerging risks also needs to built into the enterprise's risk reporting structure. Other methods which could be used to identify risks are: * Workshops and interviews * Brainstorming * Questionnaires * Process mapping * Comparison with other organizations * SWOT analysis Measure and prioritise risks The next step in the risk-management cycle would be to measure and prioritize risks. This could be done by risk mapping. The possible severity of impact of each risk on the one had and its respective likelihood or occurrence on the other would have to be measured in this regard. The risks with high impact and high likelihood would obviously get the highest priority while those with low severity of impact and low likelihood of occurrence would get lowest priority. The other risks would be ranked in between. The measurement of risks would in some instances entail the use of mathematical models with the help of software tools. The measurement of Value At Risk (VAR) with reference to financial risks is a case in point. Develop a risk management strategy Having prioritized the risks, the enterprise needs to develop a strategy to manage them. This could be in the form of risk mitigation or assumption of risks on the basis of the enterprise's risk appetite. This is where it becomes imperative to view risk management in the context of corporate strategy and the overall business planning process. Broadly speaking, an enterprise could consider the following methods to mitigate risks: * Transferring risks to external parties through insurance * Risk reduction through intensification of internal controls including internal audit * Risk mitigation through hedging * Risk reduction through diversification * Development of disaster recovery plans Implement strategy The effective implementation of risk management strategies is as important as the development of strategy. Detailed risk management action plans need to be prepared and implemented. However, it is essential to assign the overall risk management function to a senior manager of the organization. In financial institutions such as banks, insurance companies and finance companies it is necessary to have a full-time risk manager at senior management level, who possesses the necessary specialist skills. The employment of such specialist at senior levels would be justifiable in the case of large non-financial enterprises as well. However, the unstinted support of the board of directors, the CEO and the RMC will be vital for the successful implementation of risk management strategies. Monitor and control implementation The Board of Directors and the RMC need to monitor the implementation of risk management strategy and action plans. The information generated by this process could be a useful input, inter-alia, when fine tuning the risk management process. Benefits from enterprise-wide risk management Effective enterprise-wide risk management would be beneficial to business organizations in many significant ways, such as: * The enterprise would be protected from downside risks. This would enhance its chances of survival. * The organization would be able to assume risks which are associated with potential rewards. This would enhance its profit-potential. * The organisation would be able to raise cheap funds in the capital markets as the potential investors and regulators would be pleased with its risk management. This in turn would enhance its profits as its finance cost would be low. In view of the obvious benefits stated above, more and more progressive companies throughout the world are adopting enterprise-wide risk management. (D. S. W. Andradi. FCA.FCMA.FSCMA is a partner of SJMS Associates, Chartered Accountants). |
|
News | Business | Features
| Editorial | Security
Produced by Lake House |
