In this industrialised world, stagnation means capital erosion. Destroying capital is not an option. So, in order to achieve the expected return of 13% or 15%, risks must be taken as part of everyday life. This is the job of managers and, ultimately, what they are paid for. So where do risk managers come in? They are the people who should manage the managers.
Risk managers collect information concerning all the possible outcomes of a variety of decisions, both internal and external, and assess the cumulative effects of them on the company's business plan. Armed with this range of scenarios, and taking the company's risk appetite into account, they will offer advice on the course to take that will reduce any adverse effects on the expected return.
This advice should not be confused with the approach to normal risks that are taken as part of everyday life. Instead it must aid management to assess those effects that go beyond the normal.
In essence, risk management is the ability to measure the deviation from a range of possible outcomes and to realise those that benefit the company and its stakeholders (see Fig. 1).
Once a decision has been made and is being followed, it is the job of the internal auditors to ensure that correct management procedures are being followed. This is a control function, not a management function. Therefore, placing the risk management of a company in the hands of internal audit is likely to shackle the free thinking that is vital to produce those ideas which make a great company and which can enhance positive capital return. If correctly managed, the risk management function can be used to monitor the internal audit function and vice versa.
Why so much talk about internal audit? As internal audit try to monitor control functions, they spread their authority and knowledge of the management of risks, while subconsciously benchmarking risks. They are the right hand of the board and have direct channels to inform and influence them. And there are a lot of them around.
True risk managers are few and far between. The normal risk managers tend to speak a different language to the board members and they have very successfully barricaded themselves into specialist silos and behind nice job titles. This must change, as risk management and audit are not the same. The ultimate goals and procedures are different. We must take risks, but we need to be prepared. Audit should monitor that preparedness; risk management should do the preparing.
In this, however, a rigid system of procedures is not ideal, as it will tend to generate inflexibility and complacency. The best risk management system should allow for flexibility and promote dynamic growth. This means setting up a framework where all of the players use the same parameters and benchmarks.
When an incident occurs for which you were unprepared, the system should react smoothly and effectively to assess the damage and potential consequences, offer top management a transparent solution portfolio and actively enter a damage control mode. It is this speed of response that can give the competitive advantage needed to make the stakeholders invest in your company.
What about the existing role of risk managers? As each facet of a company is specific and has unique risks, experts are certainly needed to manage them. But in future, such experts will not manage risks in the true sense. They prepare, document and analyse specific criteria and parameters. The risk manager will set up and define the framework that will be filled by each expert, using the unique facts specific to their areas. The ensuing risk map will enable risks to be managed at a corporate level, with a unique portfolio effect that is dependent only on the company's business plans and stakeholder values. The accumulated risks are what will ultimately be managed.
The benchmarks are clearly return on equity and debt and can be formulated in terms of free cash flow or share price fluctuation, depending on your preference. As we have seen in the past, taking the share price as a benchmark can be dangerous, as who is to say if the share price is correct in the first place? Following significant world events, many share prices drop even though they are independent of the actual event. They are subject to the typical knee-jerk reaction and market hysteria common today, and I think we will have to live with that for many years to come (Fig. 2).
So, are we to make all of our risks transparent for the stakeholders, ourselves, the auditors or the authorities and financial institutions?
The risk manager, that person who should manage risk, should listen to the consultants out there who are offering frameworks and consultancy, but should ultimately develop a model which fits his company's business strategy the best. As mentioned before, the risk map will be unique, so using the easily auditable framework of COSO, for example, will not work.
The framework must be altered to customer requirements. If you have ever tried to fit your company's risks into the COSO framework you will know how difficult this can be. And that is not all. The five stages of risk management defined by COSO are clear: identify, map, assess, reduce and monitor. These are the basic principles of risk management so there is nothing new here. But these parameters are clearly taken from an audit viewpoint, as they are what are being controlled. What are missing are the effects these have on the business: ability to raise cash; ability to grow revenues; value creation, industrial performance, and so on.
These are the actual tools being used to measure the effectiveness of risk management, which ultimately enable the company to provide the 15% return on equity necessary today. Call it entrepreneurship or risk transparency; the aim is to identify and grow the positive risk while reducing the downside risk.
Broadly speaking, we have a split in a company's architecture. The top management are very positive thinking and are looking for possible takeovers, mergers, product development, and so forth. But they are being partially held back by horror stories in the newspapers and, for example, by the insurance department, which often thinks negatively in assessing worst case scenarios and trying to transfer those risks to the financial markets (Fig. 3).
There are four types of scenario that both extremes should consider in their analysis of financial exposure. The risk manager should act as a mentor in this regard. These four scenarios are:
- short term risk
- long term risk
- short duration risk
- long duration risk.
Some examples to clarify the ideas behind these four concepts could be:
- food poisoning: a short duration risk lasting a few hours when the food being distributed by the canteen is contaminated. The result, in the case of salmonella, could be that half the work force is off work for six weeks which will cause considerable damage across the entire company
- ad hoc business development: entering a business market for six months to one year, with the aim of taking initial market share profits before pulling out would be a short-term risk
- mergers: the merging of two companies to enhance synergies would be a long-term risk
- hurricanes: these short duration risks which occur on a regular basis over many years could be seen as long duration risks.
The system to be put in place, using the four benchmarks indicated above on all critical company risks, should support the ability of a company to manage risk deviation from a set of predefined conditions, i.e. towards the higher return on equity end of the scale. However, it should not reduce the size of the decision cloud, as this reduces company response time.
One example could be if one of your peers has a critical manufacturing facility and suffers an incident there. Your ability to take over the customer portfolio will depend on your flexibility and ability to act. Being pre-warned of legal, manpower, quantity and quality requirements, will add to your competitive advantage.
The risk manager is managing the managers by simply doing his job and with no mention of the words holistic, enterprise or total risk management. As a consequence of this type of management, we have defined our risk appetite and can now, and only now, assess our need for credit risk transfer, insurance requirements, human resource levels, stock levels and total risk cost financing.
We, the risk managers, are the right hand of the stakeholders. They need to be clearly aware of who actually takes the risks. Insurance does not transfer risk after all but only spreads it. If we lose customers then it is we that lose them, not the insurance company. Let us take up the challenge.
- Adrian Clements is senior insurance risk manager, Arcelor Insurance Consultants SA, Tel.: +352 4792 2314, E-mail: Adrian.Clements@Arcelor.com