Effective risk management can improve strategic planning and decision-making, creating value throughout the enterprise, explains Saikat Nandi.

Industrial disasters such as the Bhopal gas tragedy and numerous other accidents in industrial plants have prompted authorities and industries to review the system for better safety and risk management. The Union Carbide tragedy marked a watershed in twentieth-century industrial safety. It injured or killed a record number of people, and saw untold delays in treating and compensating victims. In the wake of this event, the safety standards and practices at the plant came under scrutiny. To prevent any occurrences of a similar nature, government and international agencies have instituted a variety of codes, conventions and guidelines for risk reduction, enacted several laws, and formulated many rules and regulations.

For example, in the US, Imperial Chemical Industries (ICI) Mond Index evaluates the chemical and toxicity hazards, as well as fire and explosion hazards associated with a process area or operations. The US Environmental Protection Agency has developed a ranking method—Threshold Planning Quantity (TPQ)—to help determine which materials should be considered extremely hazardous when used in emergency response planning activities. The Occupational Safety and Health Administration (OSHA) and the American Petroleum Institute have brought out the Substance Hazard Index (SHI) to help decide whether special process safety management efforts are needed in particular processes. These systems are aimed at helping companies identify and estimate risks in their operations.

There are various risk identification techniques. Most can be categorised into two broad approaches—the reactive approach and the proactive approach.
Accident investigation, plant inspection, critical incident techniques (CIT) and incident recall techniques are all reactive approaches, whereas proactive approaches include job safety analysis (JSA), failure mode and effect analysis (FMEA), hazard and operability study (HAZOP), fault tree and event tree analysis (FTA and ETA), management oversight risk tree (MORT) analysis, fire explosion and toxicity index (FETI), material/chemical reactive analysis, consequence analysis, etc.

Risk is present in situations in which there is a range of possible states or outcomes associated with the system. Risk management is the process of identifying elements of a system that vary due to uncertainty, quantifying the likelihood of occurrence and impact, monitoring system performance relative to the risks, and, finally, creating or adjusting risk controls in ways that are beneficial. Examples of systems are the human body, a photocopy machine, the atmosphere, a university, an automobile assembly line, a computer, a bank, an airport, a farm, an oil refinery, the US economy, the Pacific Ocean, a rainforest, the lending value chain, and a nuclear power plant.

Rania Azmi, who is currently involved in PhD research on Portfolio Selection using Goal Programming at the University of Portsmouth, says, “Risks are categorised in many ways. For example, there is the systematic risk, which is the market risk and it is usually undiversifiable, and there is the unsystematic risk, which is company-specific and could be diversified away.” She further explains that risks can be categorised as liquidity risks, credit risks, and so on. She says, “Each type of risk is subject to a certain aspect of the organisation’s business or to the overall economic condition. There is also systemic risk—risk pertaining to the whole system—such as that which increased after Lehman Brothers’ collapse in September 2008 after the onset of the current financial and economic crisis.”

In order to avert the various types of risk, companies like BPCL, HLL, Godrej Industries and Hindustan Lever have put comprehensive disaster recovery and business continuity (DR/BC) strategies in place to protect their operations.

Nature of risk

The range of all possible states, or outcomes, can include both positive and negative results. Therefore, risk management can have a range of objectives, including (but not limited to):
- Maximising a positive outcome (such as returns in a financial system) subject to system constraints,
- Minimising a negative outcome (such as losses), or
- Minimising the variation in the distribution of forecast versus observed outcomes.

Different types of risks

In the financial services sector, a common regulatory taxonomy divides risks into the following broad categories: credit, market, liquidity, operational, legal, strategic and reputation risks. Effective risk management requires gathering multiple perspectives of risk information to enhance risk analysis. This includes gathering risk intelligence from:

- Internal perspectives: The organisation must evaluate the internal environment of controls, audits, assessments, issues, events, incidents, corporate performance and risk indicators, and other internal data points.
- External perspectives: The organisation must monitor the external environment round the clock for geopolitical, environmental, competitive, economic, regulatory and legal, and other risk intelligence sources.
Organisations must develop processes to harness internal and external information in order to be aware of their risk environments so as to make wise business decisions. This involves gathering information such as the following from the internal environment:

- Losses: What are the historical trends and patterns of loss in the organisation?
- Issues/events: What events, issues, incidents, and investigations has the organisation undergone?
- Success and performance: Where has the organisation been surprisingly successful in seizing opportunities and creating value?
- Controls: What is the state of controls in the environment? Are they effective?
- Policies: Does the organisation have adequate policies and procedures? Are they current and up-to-date? Do responsible parties understand them?
- Risk appetite: Is the organisation taking on too much risk or too little risk?
- Risk management: Is the risk taken adequately monitored and managed?
- Compliance: Are compliance obligations being met? Are there issues with law enforcement or regulators?
- Culture: Do employees understand and subscribe to the corporate ethics and code of conduct?
- Business relationships: Is there unwarranted risk, unacceptable values and ethics, or issues with compliance across third-party business relationships?

Over the years, many organisations have matured in their view of internal risk intelligence issues. However, external environment issues remain disconnected from the risk information gathering process. Risk intelligence of the external environment includes:

- Legal monitoring: Monitoring new case laws, regulations, and pending legislation to predict the readiness of the organisation to meet new requirements.
- Geopolitical risks: Monitoring countries that the organisation has operations in or does business with to determine events that could have a positive or negative impact on the business. This includes civil unrest, terrorism, new laws, and business dealings.
- Environment: Monitoring environmental threats around natural or man-made events that could impact the organisation, e.g. tornados, hurricanes, earthquakes, volcanoes, or disease.
- Hostile threats and vulnerabilities/exposure: Monitoring individuals, organisations, and governments that may be hostile to the organisation, and looking for vulnerabilities and exposure to threats.
- Financial risks: Monitoring capital markets and conditions such as foreign exchange rates and commodities so that the organisation can capture returns and opportunity while mitigating and controlling loss. This allows for proper hedging.
- Competitive environment: Monitoring competitors to evaluate their strategies, products, services, marketing, sales, financial condition, and partnering performance.
Identifying risks

Depending on the subject area, a domain expert or pre-existing public body of knowledge may be sourced to identify the categories of risk, and possibly individual risk factors, and the associated metrics and benchmark values, which will enable one to determine the extent of the risk associated with any particular factor. A key point is that when multiple risk factors are present, they are rarely independent of one another, so one has to measure the degree of correlation that exists between them. When there is a failure to consider all of the relevant risk factors, one tends to overestimate or underestimate the system outcome, i.e. the likelihood that a loan will default, or a copy machine will break down, or that someone will have a heart attack.
Benefits of risk management

Clark Abrahams, Global Risk Product Manager, SAS, says, “The benefits of risk management vary depending upon the objective. A company may maximise its returns given that it is willing to accept a specified level of losses, or it may ensure that it limits its losses at a certain threshold. It may also invest in greater controls to reduce its exposure to potentially large operational losses. In the case of a factory assembly line or individual machine, risk management can help determine appropriate preventative maintenance schedules, operator training needs, parts inventory, design improvements and so on based upon failure monitoring.”

In short, risk management enables an organisation to operate more effectively and efficiently, to identify and better control risk exposures, and to anticipate, rather than react to, problems. A manager’s worst enemy is surprise.
Role in shaping company strategy

Risk management should be integral to a firm’s overall strategy. Without it, a company is essentially climbing a cliff in a dense fog. Uncertainty is unavoidable, and it needs to be managed effectively in order to limit losses and also to enhance returns based on market and competitive forces. Every company has a strategic plan, irrespective of the industry, and all companies need to maintain adequate capital to cushion them from unfavourable circumstances. Risk management enables the development of a corporate risk profile, which should accompany both the capital plan and strategic plan of every enterprise.
With a proper risk management solution, business owners are provided with the tools needed to make risk-intelligent decisions across their areas of responsibility, drawing from proven best practice risk responses, enabling alignment and unification of fragmented risk management processes across the enterprise. Effective risk management as a part of the overall strategy of the company leads to:

Optimised efficiency

- Easy assessment of effectiveness taken by risk owners via risk response tracking
- Enterprise-wide transparency via the automation of manual and fragmented risk and control activities across all lines of business, including risk identification and evaluation
- Rapid access to risk information with automatic monitoring of key risk indicators
- Comprehensive assessment of risk versus reward by aligning risk management activities with corporate strategy.

Increased effectiveness

- Proactive management of risks through the ability to automatically monitor risks and permit identification and action prior to business impact
- Comprehensive risk mitigation via design of cross-function risk response and mitigation of activities
- Consistent management of risks through a unified approach that encompasses strategic, financial, operational, and compliance risks.

Maximised visibility

- Aligning and integrating the management of risks and controls across the enterprise through a unified framework
- Simplified and complete risk and performance analysis via consolidated views across multiple lines of business.

Budgeting for risk management

The collective budget for risk management usually spans a risk management departmental budget, and portions of operating division budgets that are allocated for risk management purposes (this may also be combined with regulatory compliance functions). Corporate staff areas may also have budget allocation for risk management, at least to cover the cost of periodic data gathering and risk monitoring activities.
Simon Dale, Senior Vice President, Business Users, SAP Asia Pacific Japan, says, “SAP’s Risk Management application solution provides risk-adjusted management of enterprise performance that can empower enterprises to optimise efficiency, increase effectiveness, and maximise visibility across risk initiatives. An organisation can perform qualitative and quantitative analysis; identify key risks across the enterprise; create resolution strategies for top risks that maximise return on capital; and build proactive monitoring into existing business processes and strategies and hence gear up its risk appetite.”

In Mitsubishi Electric, the target set for financial year 2009 was to strictly comply with the Restriction Of Hazardous Substances (RoHS) Directive in their manufacturing units. The company promoted contamination risk management at each business unit, complied with the RoHS Directive, enhanced analytical capabilities and checked analytical equipment, confirming analytical precision in conformity with international standards. This has also been made possible by the procurement, use and recycling of eco-products.

Work done to prevent risk

By monitoring and identifying risk exposure and performing regular control self-assessments associated with business processes within all organisational units, the frequency and severity of risk are quantified by type. The idea is not to eliminate negative risk, but to manage it. If the losses are large enough to justify investment in better controls or other risk mitigation activities, then prevention measures can be initiated. In some cases, risks can be transferred (as in the case of insurance against certain types of losses, the sale of risky assets or sale of an interest in a pool of risky assets). Risks can be shared, as in the case of a joint oil exploration venture between two independent energy companies. Risk can also be accepted, whereby no action is taken.

Finally, it is vital to view risk at an enterprise level. Though individual risks may pose a small exposure, the same risk aggregated across business silos may result in an unacceptable concentration for a particular type of risk relative to a particular customer, region, industry, country, distribution channel, supplier, vendor, and so on.
Strategy implementation

This is usually determined by a management committee composed of executives of the firm, and approved by the Board of Directors. At the end of the day, it is the Board of Directors that is responsible for determining the risk appetite and capacity of the enterprise, and risk definitely plays a part in any business strategy. This is not to be confused with tactical plans, which do not require board approval.
Company’s philosophy towards financial risks

Financial risk taking must be evaluated within a proper and complete context. As previously mentioned, the Board shall determine the risk bearing capacity of the firm. Prudent risk-taking can enhance earnings, market position, new product development, and so forth. How much to invest, what to invest in, which parts of the business to grow, maintain, or abandon are all decisions affected, in part, by financial risks. The philosophy is reduced to practice via corporate policies that provide direction and guidance and a governance structure (often Board Chartered or Corporate Chartered Committees) that ensures that policies are kept current and that violations are quickly surfaced and appropriate action is taken to penalise those involved and prevent future occurrences.
Fostering a risk management culture

Simply put, this is leadership by example. The CEO should be held accountable to mould a risk management culture whereby risk management is everyone’s responsibility in their day-to-day activities. It should be viewed as a process improvement initiative as well as a compliance and internal control necessity. The CEO must make it clear that risk management is not a ‘nice-to-have’ option, rather, it is a necessity. Adequate education and training on the various facets of risk management must be made available to managers. Managers, in turn, can best decide the individual training needs for their respective areas. Finally, managers can best manage what they can actually measure. In that vein, a risk technology platform is needed to source, maintain, quantify, analyse and report on material risk exposures and items requiring further attention. Summarised appropriately, this is important information for the board.
Infosys has a dedicated energy trading and risk management practice (ETRM) that serves global majors. The company has established an ETRM academy to develop its competencies. Its associates deliver value by leveraging multidimensional skills across the front office, mid office and back office trading activities, which include hedging instruments, risk management strategies, logistics and contract management, petroleum refining, invoicing and settlement, and pricing and forward curves.
Tesoro Corporation, an independent refiner and marketer of petroleum products, implemented SAP Environmental Compliance. The company is now able to respond more quickly than ever before to problem situations and generate a clear audit trail that more than meets the requirements of the regulatory authorities. This reduces Tesoro’s risk, builds valuable trust with the regulating agencies, and reduces the cost of compliance through improved efficiencies.

Role of managerial board in an organisation

The board ensures the integrity of the risk management system. This is ensured by requiring timely issue surfacing, adequate transparency and process validation. That means that any solution for managing risk must be auditable, and should effectively identify and measure risk exposures. It should be capable of periodic validation to ensure the integrity of the information reported. If surprises in terms of losses, illiquidity, concentrations of risk or poor asset quality become the norm rather than the exception, then the risk management system is not doing its job and the board needs to take action to fix or replace it.
Major risks resulting from financial instruments

Financial instruments are primarily subject to market, credit and liquidity risks. An example of market risk would be the movements in interest rates affecting bond prices—bonds gain value in a declining rate environment and their prices decline in a rising rate environment. Relative to credit risk, a borrower may fail to repay a loan, in which case the lender is exposed to a loss. For liquidity risk, the market for a security, such as a sub-prime mortgage-backed security, may have vanished, in which case the owner of the security is unable to sell it. There is also a grey area between credit risk and operational risk. Risk models are only as good as the data and assumptions that go into them. Bad data and bad models pose operational risk, which may result in losses on financial instruments that sometimes are classified as credit losses, but are in fact due to operational risk.
Looking ahead

Risk has been an inherent concern of humans since the dawn of recorded history. Not only are there more risks today, but modern technological development has brought a heightened awareness of risk—both of those risks that we knew about in the past, and the emerging risks that are associated with the march of progress. This is not completely discouraging, however, as evolving technology has simultaneously provided us with the tools to measure and to manage risk, as well as avoid it wherever possible.

