- Email: [email protected]
Strategic risk management: the new competitive edge
414
Strategic Risk Management: the New Competitive Edge Christopher J. Clarke and Suvir Varma
If you can make one heap of all your winnings and risk it on one turn of pitch-and-toss, . . . then you're a damn fool, as Kipling might have said.
Risk is a key strategic issue. Business is about risk and the old adage, ``The bigger the risk, the greater the reward'',1 is still widely believed. Unfortunately, the rewards do not always follow. Investors, creditors and employees expect companies to turn in consistently strong performances, providing them with return interest or pay commensurate with various degrees of security. Without risk there can be no reward. There may well be a normal distribution of risk and returns performance. Most companies will perform around the mode of the distribution. However, some companies seem to comprehend risk more effectively than others and this shows in their long-term stock prices. Success can be the result of luck or superior risk management. Some risks taken, pay out huge returns. Microsoft's Windows and Glaxo's Zantac anti-ulcer drug are two examples. For others, poor risk management can destroy the company. Nick Leeson's wild and unsupervised speculations brought down the mighty and historic Barings. The disastrously under-performing Canary Wharf property development project in London's docklands brought down Olympia and York, then the world's biggest property company. The Bhopal chemical plant explosion in India devastated Union Carbide as well as the local population. The Exxon Valdiz catastrophe severely dented Exxon's market value. Leveraged hedge funds have recently threatened the world's ®nancial system with the collapse and rescue of LTCM.2 Other hedge funds have con®rmed the relationship between high rewards and high risks. The Tiger Fund lost $5 billion in two months and the Soros Fund is restructuring.3 Pergamon www.elsevier.com/locate/lrp
PII: S0024-6301(99)00052-7
Risk Management has become a critical issue as a result of globalization and the continued quest for greater returns. Whilst most companies now see risk as a key strategic issue, risk is typically still treated tactically and piecemeal. In this article, the authors argue that an integrated risk management approach allows companies to consistently deliver superior performance while proactively managing risks. The article outlines a structured methodology for risk management process evaluation and change. The methodology has been developed through the authors' work as risk management consultants to various companies globally. # 1999 Published by Elsevier Science Ltd. All rights reserved
Satisfying stakeholders' needs is more risky today than in the past. This is partly due to globalization. Dealing with suppliers and customers across the world provides additional opportunities, but it brings increased complexity and political and currency risks. Consequently, there is an increase in the potential for unplanned events to occur. If corporate managements could manage risks better, avoid catastrophes and achieve above-normal returns, a company's stock price would soar. In this article, we argue that an integrated strategic risk management approach allows companies to consistently deliver superior performance while proactively managing risks. Our approach is based on A. T. Kearney's work with more than 50 national and Long Range Planning, Vol. 32, No. 4, pp. 414 to 424, 1999 # 1999 Published by Elsevier Science Ltd. All rights reserved Printed in Great Britain 0024-6301/99 $ - see front matter
415 multi-national companies, both ®nancial and industrial. The tree of modern risk management has its roots in a number of unrelated disciplines. Military risk analysis led to the evolution of operational research.4 Personal and commercial risks generated the insurance and actuarial approach to risk management.5 Strategic risk analysis and the recognition that the future may not be like the past gave birth to scenario planning.6 Another approach is the use of option pricing theory to view different alternatives.7 Currency, interest and credit risks generated a banking approach to risk management and various hedging instruments.8 Operational and environmental risk management gave rise to contingency planning approaches.9 With the millennium bug almost upon us, the risks of computer failure are generating their own management science.10 All of these focused contributions add value to our understanding of risk.
Risk is a Strategic Issue, but is Treated Tactically However, our client work reveals a number of common failings in corporate risk management. Too often, management focuses on the negative consequences rather than on such questions as, `How does risk affect capital allocation? What risk-based information do we need? How do we create a risk culture? What are the best companies doing about risk'? and `How do we ensure that our risk pro®le is commensurate with returns and shareholder risk appetites?' Traditional risk management responsibilities and responses are typically fragmented as a result of their differing origins. Different departments deal with different risks, using different approaches and often at a very low level. Historically, a variety of tools have evolved to support companies in managing discrete types of risk. For example, insurance has traditionally been focused on hazard risks such as ®re and theft. Financial derivatives evolved to help banks manage commodity, currency and interest rate risks. Credit products are used to safeguard against operational setbacks. Many companies seek to manage risk by relying on forecasting from the past and databases, but these are all insuf®cient. There is a need for a holistic approach to understand enterprise-wide risk, rather than this piecemeal approach. In our experience, even in sophisticated companies, management becomes confused and fails to adequately manage risks for the company's advantage. Most companies have no comprehensive mechanism to bring important risk management and risk return issues to the board's attention. The approach we suggest in this article
can be used by top management to guide the development of the risk management process, the organizational structure and the culture towards a best practice approach, incorporating all aspects of risk. It is a systematic approach to managing risk. It can be viewed as enterprise-wide risk management because it addresses all of a company's risks at an enterprise or strategic level.
De®nition
Risk management is a strategic business process. Management needs to assess whether the company's business activities are consistent with its stated strategic objectives, and how risk management is linked to investment and growth decisions. It needs to determine what risk-based returns the company expects of its business activities. The board needs an overall, bird's-eye view of risk exposures to avoid surprises and to engender good governance. Risk can best be understood in terms of its two main elements: `stake' and `uncertainty' (see Figure 1). Each element usually has a gain and a loss potential. The stake may be a ®nancial gain or loss; an improvement or deterioration in strategic position; an improvement in or a damage to reputation; a threat to a company's existence; or an increase or decrease in its sense of security. The higher the stakes, the greater the potential gains or losses. Intel's development of the Pentium chip design for the sub-$1000 PC had a high stake, as it cost hundreds of millions to develop. Many in the industry felt that this segment did not require processing speed. However, Intel's calculated risk paid off handsome returns. Uncertainty, in turn, varies by time and situation. For example, forecasting from historic data only works in periods of stability. These are intermittent. In more turbulent periods or for the longer term, scenario planning is a more appropriate approach.4 Risk management is shown as a strategic business process in Figure 2. Information is continually gathered on the ®rm's environment. Using this input, management evaluates, analyses and prioritizes the dynamic risks facing it. It takes appropriate measures to accept, share or reduce risks in accordance with stakeholders' appetites for risks and value-based management principles, i.e. returns commensurate with risks and cost-effective risk management. Each of these steps is discussed in detail below. The process starts with a stream of inputs on the ®rm's external environment. Most companies do not have a consistent process to monitor the external environment in which they operate and consequently remain unaware of all the risks being faced. The second step is to scan for opportunities and threats based on the external environment analysis. The prevailing business strategies must be re-aligned Long Range Planning Vol. 32
August 1999
416
Large
Stake Financial gain or loss Strategic position ± Reputation/image ± Existence/health ± Sense of security ±
Risk
Small Low
Uncertainty Re-Gains or Losses Nature of Scale of Likelihood of Factors affecting
High
Validity of data Validity of process Risk tradeoffs
FIG. 1. Risk has two elements: stake and uncertainty. based on the revisions in the environment. The process of monitoring, measuring and managing risks may need to be modi®ed based on the environmental scan. The recent Asian crisis has meant that many ®rms now pay greater attention to counterparty credit risks and place less value on relation-
Inputs
Data on the firm's environment • Opportunities • Threats
ships alone. The latter have been a key component of the so called `bamboo networks' supporting the previous wave of Asian growth. In a recent survey of small and medium enterprises in Australia, results showed that most credit risks were still considered to be reduced by `the face and handshake'.11
Risk Management Process
Scanning for • Opportunities • Threats Sizing
Evaluation • Stakeholder appetites • Trade-offs
Risk Strategy Development • Options • Selection
Action Planning
Evaluate and improve Performance and Process
Learning
FIG. 2. Risk management is a strategic business process. Strategic Risk Management
Outputs
Implementation
• Returns commensurate with risks • Avoidance of catastrophes • Contingency plans • Speed
417 Once the opportunities and threats are assessed, management needs to decide what are its risk tolerance levels and its goals for risks and returns. Companies such as Shell and BP have close to a zero tolerance for environmental risk due to the potentially huge impacts on their reputations of catastrophes, let alone the immediate ®nancial impacts. Different investor groups usually have different risk reward appetites. Widows and orphans clearly wish to take fewer risks than vulture funds and venture capitalists. The latter also expect higher returns. Management needs to develop a risk management vision and strategy based on the risk environment and stakeholders' risk appetite. The overall strategy for risk management should include the risk management philosophy and organizational responsibility. Policy choices can range from a highly centralized `controller' model (as evidenced by some ®nancial institutions like J. P. Morgan) to a highly de-centralized and autonomous risk policy (as evidenced by GE and its subsidiaries). From our benchmarking for clients, best practice companies have an explicit and widely understood risk management charter or policy document. Like matter, risk cannot be destroyed. It can only be changed from one form to another. This is shown in Figure 3. There are clear trade-offs between risk reducing activities. Risk can be reduced but only by
reducing returns or trading one kind of risk for another. Companies can attain signi®cant competitive advantage from superior risk competencies (see Figure 4). These include risk processes, culture, incentives, training and organization. There are a number of stake management competencies and competitive advantages. Among these are the scale to absorb larger projects (as exempli®ed by Bechtel's ability to undertake large infrastructure and development projects as it has a huge balance sheet and it spreads risks through its large global portfolio of projects). A second stake management competency is developing alliance skills to share the stake (as evidenced by oil majors BP and Mobil which have combined their European re®ning and marketing operations through an alliance).12 However, it is important to select the right allies. Those who selected Soharto family members as their Indonesian business partners to reduce their political risk and increase returns are now experiencing the opposite reality as that dynasty falls. Other stake competencies include superior technology to reduce the stake (e.g. ministeel mills cost much less than large one) and speed. The latter diminishes the time that the stake is exposed. Global power company Enron is faster at deal making. Its project exposures are reduced as it of¯oads risk more quickly than many competitors. There are also a number of management competen-
Hedging and Insurance Management Approaches and Behaviors To Risk
Alliances
Greater Analysis Portfolio Spread
Smaller Scale
Focus on Core Business
No Risk
Consequences of Management Approaches
No Returns Lower Returns, Opportunities for Competitors, Sub Scale Risks
Restricted to Core Returns Average Returns
Slower Returns, Competitive Threats
Lower Returns, Danger of Defection, Lack of Control Increased Costs, Lower Returns
FIG. 3. Like matter, risk cannot be destroyed. It can only change from one form to another. Long Range Planning Vol. 32
August 1999
418 Stake Management Competencies Examples . Scale to absorb bigger projects
Ability to manage high stakes
. Alliance skills to
Greatest Competitive Advantage
. Use of government
share stake
relations
. Unique technology to reduce stake . Speed
Examples
Limited ability to manage stake and uncertainty
. Influence on law Ability to manage high uncertainty
and regulation
. Superior databases . Use of allies
Uncertainty Management Competencies
FIG. 4. Competitive advantage comes from superior competencies, i.e. risk processes, culture, incentives, training and organization. cies that a company can use in order to reduce uncertainty. A company can make use of personal government relations and contacts (which is particularly prevalent in many Asian and developing countries). Companies can also have an in¯uence on law and regulation (as evidenced by accounting ®rms working with regulators to have derivatives activities disclosed in annual reports in order to protect themselves from shareholder lawsuits). Another uncertainty management competency is to use superior databases (e.g. credit scoring, as used by credit card companies to reduce fraud and bad debts). Lastly, companies can make use of allies to reduce uncertainty (such as a local partner in Chinese joint ventures; the ally has insights into local culture and procedures which reduce uncertainty). Superior competencies also result from a company's risk processes, culture, incentives, training and organization.
The Need for a New Approach
Corporations are beginning to see the need to reconsider risk management holistically. Whilst management in the relatively mature and stable food industry shows a lower focus on risk management, at the other extreme, rapidly changing or speculative industries such as ®nancial services, mining/ exploration, information technology, and venture capital already exhibit a `think risk' culture. The telecommunications and the power industries are going through a period of globalization, privatization and deregulation. Management in these industries is shifting from an `avoid risk' culture to a `think risk' culture (see Figure 5). Strategic Risk Management
Yet risk is often badly managed. Our work with over 50 large companies in risk management around the world indicates that common corporate failings include weak processes, e.g. leaving everything to the CEO or entrepreneur; too narrow a focus, e.g. focusing only on ®nancial trading or insurable risks; inadequate data or analysis, e.g. relying only on published data or credit ratings; focusing only on the negative, or disaster avoidance; fragmenting risk management by division, e.g. each division giving the same customer different credit lines; and inadequate organization or teams. Most companies do not have a comprehensive risk strategy or vision. They have no clear risk organization responsibilities or culture. The approach taken is fragmented, with operations, insurance, treasury and human resources reacting ad hoc to events as they arise. The relationship between risk management and shareholder value is arbitrarily kept separate. Risk management sophistication ranges from mere risk identi®cation, to consistent measurement across risks, to linking risks and returns. At the high end of the spectrum, companies are able to demonstrate the strategic interrelationship between risks, returns and shareholder value. Strategy is value-based, and business risk pro®les drive capital allocation and, ultimately, shareholder value (see Figure 6). Weak risk culture sti¯es performance and adversely affects shareholder value. Entrepreneurs taking a `damn the torpedoes, full speed ahead' management style may reap huge returns, but they also court disaster if their decisions are based on insuf®cient analysis. Often, they win once or twice
419 'Think Risk' Culture
Risk / Reward Trade-Off Financial Services Mining / Exploration Pharmaceutical Consumer Products
Venture Capital
Telecommunications Airline
Power
Risk Management Capabilities
Technology
Defense Technology Health Care Telecommunications Automotive
Power
Little or No Focus on Risk Management
Food Risk Control Focus
Mature / Stable
Nature of Business
Changing Rapidly / Speculative
FIG. 5. Industries need to reconsider risk management. and then hit the rocks. As for those deciding not to take any risks or to defer making a decision, the consequences may be to miss the boat or lose out to the competition. As a result, ®rms need to vary their
risk management style according to their strategy. There is a pantheon of individuals who dared too muchÐthe Reichmans, Freddie Laker, Robert Maxwell, Tiny Rowland and others. One might label
Shareholder Value Objectives Value Based Management
Maximization of Cash Flows
Value Based Strategy Dynamic Capital Allocation Capital Allocation Techniques
Quality of Earnings Linking Risk and Return(s) Consistent Measurement Across Risks Protection Against Unforeseen Losses
Identification of Risks Risk Management Sophistication
FIG. 6. Typically, companies develop from left to right. Long Range Planning Vol. 32
August 1999
420 1.
2. Set Direction
3.
Baseline and Benchmark
5.5.
4.
Create the Vision
6. Design Embed Process Continuous Improvements Improvements
Implement Change
FIG. 7. Structured methodology for risk management process evaluation and change. this as `the Napoleon tendency', i.e. the drive through which victories reinforce risk-taking until, ultimately, there is a Moscow or a Waterloo, where too much has been bitten off.
Building a Risk Management Competitive Edge The approach, which we will describe below, can help top management protect the company against catastrophic losses and support superior risk returns performance and shareholder value growth. Our six step approach, developed through extensive work with companies across a number of industries, allows for the evaluation of the risk management process and the implementation of change (see Figure 7). Each step is described below. Multi-disciplined risk process teams are established to undertake these projects. Board involvement and commitment are vital.
Step 1: Set Direction
This step focuses on developing an understanding of the company's and its stakeholders' risk concerns and on identifying the major areas of risk, such as operations, enterprise, events, and market risks. The key objective is to identify and aggregate the risks facing the enterprise and the risk issues as perceived by management and stakeholders (see Figure 8). This step generally begins with a thorough review of the infrastructure, decision-making channels and operating systems. The risk appetites and cultures of the management and stakeholders are identi®ed through interviews and focus groups. Areas of critical concern are discussed and priorities set. The prioritization of risk factors generally involves looking at the stake, the uncertainty and the quality of Strategic Risk Management
risk controls and processes already in place. At the end of this step, management gets a clear understanding of the risk factors and a prioritization of risk issues. A recent article in an Australian journal on risk management stated that ``risk assessment and acceptance was important because the organization could then focus on the risk and then work to eliminate or reduce it''.1 In their book Seeing Tomorrow, Dembo and Freeman make an important contribution to the ways of evaluating risk appetites which can be used at this stage.13 Based on the work of a number of academics, they explore the concept of `regret', i.e. how risk takers feel about not winning or losing, and a number of other powerful concepts.
Step 2: Baseline and Benchmark
In this work step, the team evaluates risk and returns and the appetites of investors and other stakeholders. We quantify major risk elements and priorities, analyse risk drivers, and map current processes. It is important to quantify the risks. For some risks such as ®nancial market-related risks, this may appear to be a relatively simple exercise. For more operational risks such as safety or technology risks, quanti®cation often requires making assumptions. We have found that using multi-disciplinary teams involving those actually on the ground gives superior results to using assumptions generated by planners at corporate headquarters. Risk processes and risk performance are benchmarked against global best practice. We now have a database on this. It is usually essential to go beyond the immediately obvious competitors and to compare other industries where best practice lies. A `value at risk' approach is often used. This calculates the probability of loss on a ®nancial portfolio rather than the possibility of losing the entire
421 Example Credit Risk Continuity of Demand or Supply Counter Party Risk
Operational Control Risk
Demands
Equity Price Risk Project Risk Operational Risk
Enterprise Risk
Market Risk
Interest Rate Risk Foreign Exchange Risk
Transaction Risk Event Risk
Liquidity Risk
Reputation Risk
Systems Risk
Legal and Regulatory Risk
Port Concentration Risk
Disaster Risk Political Risk
Correlation Risk
FIG. 8. Set direction: identify major areas of risk. portfolio. Unfortunately, in the LTMH hedge fund case, this approach proved disastrous. The problem was that it assumed both liquidity in the market for hedging instruments and a normal distribution of risk. It transpired that in the current emerging markets, crisis, the risks which were predicted to be in the lower tail of a normal distribution of probabilities came to pass, Secondly, the liquidity in emerging market debt dried up almost entirely as a result of the crisis. As the assumptions of the value at risk model were broken, so too was LTMH.14 When South Korea's LG Group, a conglomerate, recently decided to embark on a risk management program, it chose to benchmark itself against Caltex, an oil company in some areas.15 Next, performance gaps and learning opportunities are identi®ed, and an assessment is made of risk exposures. This is where clients realize and accept the size of the mountain to be climbed.
Step 3: Create the Vision
Like the AWACS long-range airborne radar and control system for detecting enemy aircraft and vehicles, the vision of management should be to scan the environment and to identify quantitative and qualitative opportunities and threats, and to determine the most appropriate response, depending on stakeholders' risk sensitivity. A risk management vision is created, comprising the three key components of measuring, managing and monitoring
risk. Management may develop appropriate strategies, for example, decrease the stake, through sharing the risks and rewards with co-investors, suppliers and customers. It may reduce the uncertainty, through bringing in partners with data and who can control risk drivers. It can also prepare scenarios and contingency plans. It can focus on core business or spread its risks through a range of businesses and geographies.
Step 4: Design Process Improvements
Based on the data gathered in earlier steps, management decides on the most appropriate improvement options. Improvement options include designing processes and documenting policies (if the problem is ad hoc processes), and tighter process management and parallel processing (to remedy decision delays). The top management team can use a risk± returns matrix to evaluate the overall risk position of projects (see Figure 9). The risk matrix is used to decide where each strategic business unit lies on the risk axis. This can then be plotted against expected returns. The designing of process changes usually occurs in four areas. Firstly, strategy and policy changes need to be made. A clear risk management strategy must be articulated by top management in the visioning phase and this is converted to a risk management policy document and training plan in the design phase. It is important to ensure that the overLong Range Planning Vol. 32
August 1999
422 Example Risk Matrix Returns Risk Matrix
High
Stake High
Medium
High Medium
Medium
Low
Medium
Low High Uncertainty
Low
Low
Medium Risk
High
Avoid Pointing to Risk
FIG. 9. Design process improvements: top team evaluates the overall risk position of projects or businesses. all business policies are supported by the risk management policy. For example, a growth-focused business objective will not work whilst maintaining a minimal risk tolerance, as seeking growth will inevitably lead to undertaking enhanced risk. The policy manual outlines the risk objectives, tolerance levels, acceptable procedures, speci®c risk-related accountability and risk measurement and reporting guidelines. Once the risk process design is ®nalized, management endorsement and commitment is needed to provide a mandate for the risk management program. Management also needs to review the organization structure that will be used to support risk management. Centralized risk management options tend to work for a `controller' company (as evidenced by many ®nancial institutions), whereas decentralized risk management models tend to work for a `portfolio manager' company (as evidenced by conglomerates such as BTR). Depending on the risk vision, design changes relating to the formation of risk committees/councils need to be made. Risk measurement is the third area where changes need to be designed. Effective tools to proactively assist in monitoring and managing risks are crafted. According to risk managers polled in the UK, one of the greatest challenges is simply searching for the risk-related information.16 Several of our clients now use a PC-based risk dashboard that allows top Strategic Risk Management
management to be appraised of the status of all risks. The dashboard provides an overall picture of various types of risk, e.g. country, project, credit, trading, operating and environmental risks, as well as allowing for a more in-depth view of each type, if required (see Figure 10). In half an hour, the board can go through all of the main risks and opportunities faced by the corporation in considerable depth, or take an overview in just a few minutes. Lastly, design changes must also focus on the operations and systems of the company. This includes changes to the IT infrastructure, internal controls and operating guidelines.
Step 5: Implement Change
This step is where the rubber meets the road. As in all strategic processes, successful implementation is the key to ensuring the long-term success of any risk management programme. Implementation success can be attained from focusing on two main areas: people and processes. In terms of people, implementation requires the involvement and commitment of senior management and employees. The working teams that are responsible for the enterprise-wide change effort must be balanced in their composition and include corporate staff, risk experts for complex risk areas, process champions and line mangers. The entire effort should be driven by a risk manage-
423 Example Overall Risk Monitoring
Risk Types
Country
Red Yellow Green
Country Risks 1 2 3
Trading
1
Operating
1
2
3
Project
Credit
Project
1
Credit Risk
1
2
3
2
3
Trading
Operating Environmental
2
3
Environmental 1 2 3
Value at Risk
FIG. 10. Design process improvements: PC-based risk dashboard. ment committee made up of key decision-makers from across the enterprise. In terms of process implementation, we have found that it is best done one step at a time. Initially, the focus is on the core risk areas as de®ned in the baseline and benchmark phase. Implementation is focused on developing a common risk language that can be understood by all. Armed with a thorough design of risk management processes, strong people to lead the implementation effort and a realistic implementation schedule, implementation succeeds and penetrates the organization. Training and communication programmes are an essential element of roll-out.
Step 6: Embed Continuous Improvements
Risk management excellence is a journey, not a destination. Continuous improvements must be embedded: compliance is monitored; results measured against plans; risk review programmes institutionalized; best practice tracked; processes and procedures updated; and returns measured against market expectations. Risk management also centres around people and ®rms must develop good risk managers. On this journey, we have identi®ed four stages of development for risk management from our research with clients. . At the entrepreneur stage, the approach is ad hoc and there are no procedures. Each subsidiary either does its own thing or the entrepreneur handles everything, often in his or her head.
. In the next stage, bureaucracy is introduced. Formal procedures are put in place, with the focus on compliance, risk avoidance and standardization. This is an improvement but can lead to slowness, rigidity and risk aversion. . The process management stage sees improved processes and empowered teams. However, risk management is still separate from shareholder value-based management, and this limits the extent to which risk and returns can be aligned and superior investment decisions made. . The fourth, and most developed stage, is strategic risk management. Here risk management is integrated with shareholder value management and the company exhibits a healthy risk management culture aimed at building the value of the company. This is the frontier to which we are striving. Getting from stage one to being a strategic risk management company cannot occur overnight. Companies need a risk management blueprint, capable and committed leaders and employees and effective processes in order to make the change. If a risk management program is instituted properly and with conviction, the resulting organization will be stronger, ®nancially more secure and the envy of its peers.
Conclusion Risk and turmoil are normal in all industries and Long Range Planning Vol. 32
August 1999
424 geographies. Financial services, telecommunications, aviation, public works, energy and shipping are deregulating aggressively. Cross-border trade investment has increased signi®cantly, capitalizing on broad-scale tariff changes initiated by the ASEAN Free Trade Area, GATT/WTO, and APEC activities. Technology is changing rapidly. Political and ®nancial mine®elds abound. Companies affected by changes must be nimble in their response. Yet, in such a highly uncertain environment, a quick move in the wrong direction will be costly. The recent turmoil in global ®nancial mar-
kets demands changes in how we manage risks. As stated by a senior Malaysian government of®cial recently, ``The challenge for top management is to proactively plan for the inevitable redirection of strategy, rather than passively endure the unpleasant consequences of this crisis environment''.17 A comprehensive understanding of the playing ®eld is required, and an integrated risk management methodology must be used for identifying and evaluating risks. From this, a strategy can be developed to maximize shareholder valueÐbut this requires effective risk management.
References 1. I. Porter, Big or Small, All Can Win With Risk Management, Australian Financial Review, June 17 (1997). 2. A New Approach to Financial Risk, The Economist, October 17, pp. 15±16 (1998). 3. P. Martin, Hedge of the Abyss, Financial Times, November 11, p. 14 (1998). 4. A. Jones, The Art of War in the Western World, Harrap (1998), pp. 351±353 gives a good review of Lanchester's N-square-rule an early example of how mathematics was used to calculate the chances of troops getting shot according to the number of attackers. These models are now more advanced; see also Paul K. Davis, Interactive Simulation in the Evolution of Warfare Modelling, Proceedings of IEEE, Vol. 83, No. 8, August (1995). 5. M. S. Dorfman, Introduction to Risk Management in Insurance, Prentice-Hall, Englewood Cliffs, NJ (1994). 6. K. Vander Heijden, Scenarios: The Art of Strategic Conversation, Wiley, New York (1996). 7. T. A. Luchman, Strategy as a Portfolio of real Options, Harvard Business Review, September±October (1998). 8. K. Dowd, Beyond Value at RiskÐThe New Science of Risk Management, Wiley, New York (1998). 9. A. M. Zevitt, Disaster Planning and Recovery, Wiley. See also Chris Chapman, Project Risk Management, Wiley (1997). 10. I. C. Palmer and G. A. Pot, Computer Security Risk Management, Van Nostrand Reinhold, New York (1989). See also Capers Jones, Assessment and Control of Software Risks, Yourdon Press (1994). 11. Australian Securities Commission Survey, AAP Information Services, April 15 (1998). 12. D. Keefe, Don't Mention the D-Word, Energy and Power Risk Management, March 10 (1997). 13. R. S. Dembo and A. Freeman, Seeing TomorrowÐRewriting the Rules of Risk, Wiley, New York (1998). 14. Turmoil in Financial Markets, The Economist, October 17, pp. 21±23 (1998). 15. N. Reed, Facing up to Risk, Asia Risk, November (1996). 16. D. Keefe, The Search for Success, Energy and Power Risk Management, September 5 (1997).
Christopher J. Clarke, Visiting Professor at Henley Management College, was formerly Managing Director of A. T. Kearney's management consultancy in Southeast Asia. Previously he was a managing director in investment banking. He is a former chairman of the Strategic Planning Society and has degrees in Economics and Management. Corresponding address: VP and MD Southeast Asia, A. T. Kearney Pte Ltd, 1 Temasek Avenue, ]35-01 Millenia Tower, Singapore; e-mail: gina.goh@atkearney. com
17. Hedging can Minimize Risk of Malaysian Companies, Asia Pulse, June 4 (1998).
Suvir Varma is a manager with A. T. Kearney in their Singapore office. He has advised various clients on risk management. Previously, he was in commercial and investment banking. Strategic Risk Management
Strategic Risk Management: the New Competitive Edge Christopher J. Clarke and Suvir Varma
If you can make one heap of all your winnings and risk it on one turn of pitch-and-toss, . . . then you're a damn fool, as Kipling might have said.
Risk is a key strategic issue. Business is about risk and the old adage, ``The bigger the risk, the greater the reward'',1 is still widely believed. Unfortunately, the rewards do not always follow. Investors, creditors and employees expect companies to turn in consistently strong performances, providing them with return interest or pay commensurate with various degrees of security. Without risk there can be no reward. There may well be a normal distribution of risk and returns performance. Most companies will perform around the mode of the distribution. However, some companies seem to comprehend risk more effectively than others and this shows in their long-term stock prices. Success can be the result of luck or superior risk management. Some risks taken, pay out huge returns. Microsoft's Windows and Glaxo's Zantac anti-ulcer drug are two examples. For others, poor risk management can destroy the company. Nick Leeson's wild and unsupervised speculations brought down the mighty and historic Barings. The disastrously under-performing Canary Wharf property development project in London's docklands brought down Olympia and York, then the world's biggest property company. The Bhopal chemical plant explosion in India devastated Union Carbide as well as the local population. The Exxon Valdiz catastrophe severely dented Exxon's market value. Leveraged hedge funds have recently threatened the world's ®nancial system with the collapse and rescue of LTCM.2 Other hedge funds have con®rmed the relationship between high rewards and high risks. The Tiger Fund lost $5 billion in two months and the Soros Fund is restructuring.3 Pergamon www.elsevier.com/locate/lrp
PII: S0024-6301(99)00052-7
Risk Management has become a critical issue as a result of globalization and the continued quest for greater returns. Whilst most companies now see risk as a key strategic issue, risk is typically still treated tactically and piecemeal. In this article, the authors argue that an integrated risk management approach allows companies to consistently deliver superior performance while proactively managing risks. The article outlines a structured methodology for risk management process evaluation and change. The methodology has been developed through the authors' work as risk management consultants to various companies globally. # 1999 Published by Elsevier Science Ltd. All rights reserved
Satisfying stakeholders' needs is more risky today than in the past. This is partly due to globalization. Dealing with suppliers and customers across the world provides additional opportunities, but it brings increased complexity and political and currency risks. Consequently, there is an increase in the potential for unplanned events to occur. If corporate managements could manage risks better, avoid catastrophes and achieve above-normal returns, a company's stock price would soar. In this article, we argue that an integrated strategic risk management approach allows companies to consistently deliver superior performance while proactively managing risks. Our approach is based on A. T. Kearney's work with more than 50 national and Long Range Planning, Vol. 32, No. 4, pp. 414 to 424, 1999 # 1999 Published by Elsevier Science Ltd. All rights reserved Printed in Great Britain 0024-6301/99 $ - see front matter
415 multi-national companies, both ®nancial and industrial. The tree of modern risk management has its roots in a number of unrelated disciplines. Military risk analysis led to the evolution of operational research.4 Personal and commercial risks generated the insurance and actuarial approach to risk management.5 Strategic risk analysis and the recognition that the future may not be like the past gave birth to scenario planning.6 Another approach is the use of option pricing theory to view different alternatives.7 Currency, interest and credit risks generated a banking approach to risk management and various hedging instruments.8 Operational and environmental risk management gave rise to contingency planning approaches.9 With the millennium bug almost upon us, the risks of computer failure are generating their own management science.10 All of these focused contributions add value to our understanding of risk.
Risk is a Strategic Issue, but is Treated Tactically However, our client work reveals a number of common failings in corporate risk management. Too often, management focuses on the negative consequences rather than on such questions as, `How does risk affect capital allocation? What risk-based information do we need? How do we create a risk culture? What are the best companies doing about risk'? and `How do we ensure that our risk pro®le is commensurate with returns and shareholder risk appetites?' Traditional risk management responsibilities and responses are typically fragmented as a result of their differing origins. Different departments deal with different risks, using different approaches and often at a very low level. Historically, a variety of tools have evolved to support companies in managing discrete types of risk. For example, insurance has traditionally been focused on hazard risks such as ®re and theft. Financial derivatives evolved to help banks manage commodity, currency and interest rate risks. Credit products are used to safeguard against operational setbacks. Many companies seek to manage risk by relying on forecasting from the past and databases, but these are all insuf®cient. There is a need for a holistic approach to understand enterprise-wide risk, rather than this piecemeal approach. In our experience, even in sophisticated companies, management becomes confused and fails to adequately manage risks for the company's advantage. Most companies have no comprehensive mechanism to bring important risk management and risk return issues to the board's attention. The approach we suggest in this article
can be used by top management to guide the development of the risk management process, the organizational structure and the culture towards a best practice approach, incorporating all aspects of risk. It is a systematic approach to managing risk. It can be viewed as enterprise-wide risk management because it addresses all of a company's risks at an enterprise or strategic level.
De®nition
Risk management is a strategic business process. Management needs to assess whether the company's business activities are consistent with its stated strategic objectives, and how risk management is linked to investment and growth decisions. It needs to determine what risk-based returns the company expects of its business activities. The board needs an overall, bird's-eye view of risk exposures to avoid surprises and to engender good governance. Risk can best be understood in terms of its two main elements: `stake' and `uncertainty' (see Figure 1). Each element usually has a gain and a loss potential. The stake may be a ®nancial gain or loss; an improvement or deterioration in strategic position; an improvement in or a damage to reputation; a threat to a company's existence; or an increase or decrease in its sense of security. The higher the stakes, the greater the potential gains or losses. Intel's development of the Pentium chip design for the sub-$1000 PC had a high stake, as it cost hundreds of millions to develop. Many in the industry felt that this segment did not require processing speed. However, Intel's calculated risk paid off handsome returns. Uncertainty, in turn, varies by time and situation. For example, forecasting from historic data only works in periods of stability. These are intermittent. In more turbulent periods or for the longer term, scenario planning is a more appropriate approach.4 Risk management is shown as a strategic business process in Figure 2. Information is continually gathered on the ®rm's environment. Using this input, management evaluates, analyses and prioritizes the dynamic risks facing it. It takes appropriate measures to accept, share or reduce risks in accordance with stakeholders' appetites for risks and value-based management principles, i.e. returns commensurate with risks and cost-effective risk management. Each of these steps is discussed in detail below. The process starts with a stream of inputs on the ®rm's external environment. Most companies do not have a consistent process to monitor the external environment in which they operate and consequently remain unaware of all the risks being faced. The second step is to scan for opportunities and threats based on the external environment analysis. The prevailing business strategies must be re-aligned Long Range Planning Vol. 32
August 1999
416
Large
Stake Financial gain or loss Strategic position ± Reputation/image ± Existence/health ± Sense of security ±
Risk
Small Low
Uncertainty Re-Gains or Losses Nature of Scale of Likelihood of Factors affecting
High
Validity of data Validity of process Risk tradeoffs
FIG. 1. Risk has two elements: stake and uncertainty. based on the revisions in the environment. The process of monitoring, measuring and managing risks may need to be modi®ed based on the environmental scan. The recent Asian crisis has meant that many ®rms now pay greater attention to counterparty credit risks and place less value on relation-
Inputs
Data on the firm's environment • Opportunities • Threats
ships alone. The latter have been a key component of the so called `bamboo networks' supporting the previous wave of Asian growth. In a recent survey of small and medium enterprises in Australia, results showed that most credit risks were still considered to be reduced by `the face and handshake'.11
Risk Management Process
Scanning for • Opportunities • Threats Sizing
Evaluation • Stakeholder appetites • Trade-offs
Risk Strategy Development • Options • Selection
Action Planning
Evaluate and improve Performance and Process
Learning
FIG. 2. Risk management is a strategic business process. Strategic Risk Management
Outputs
Implementation
• Returns commensurate with risks • Avoidance of catastrophes • Contingency plans • Speed
417 Once the opportunities and threats are assessed, management needs to decide what are its risk tolerance levels and its goals for risks and returns. Companies such as Shell and BP have close to a zero tolerance for environmental risk due to the potentially huge impacts on their reputations of catastrophes, let alone the immediate ®nancial impacts. Different investor groups usually have different risk reward appetites. Widows and orphans clearly wish to take fewer risks than vulture funds and venture capitalists. The latter also expect higher returns. Management needs to develop a risk management vision and strategy based on the risk environment and stakeholders' risk appetite. The overall strategy for risk management should include the risk management philosophy and organizational responsibility. Policy choices can range from a highly centralized `controller' model (as evidenced by some ®nancial institutions like J. P. Morgan) to a highly de-centralized and autonomous risk policy (as evidenced by GE and its subsidiaries). From our benchmarking for clients, best practice companies have an explicit and widely understood risk management charter or policy document. Like matter, risk cannot be destroyed. It can only be changed from one form to another. This is shown in Figure 3. There are clear trade-offs between risk reducing activities. Risk can be reduced but only by
reducing returns or trading one kind of risk for another. Companies can attain signi®cant competitive advantage from superior risk competencies (see Figure 4). These include risk processes, culture, incentives, training and organization. There are a number of stake management competencies and competitive advantages. Among these are the scale to absorb larger projects (as exempli®ed by Bechtel's ability to undertake large infrastructure and development projects as it has a huge balance sheet and it spreads risks through its large global portfolio of projects). A second stake management competency is developing alliance skills to share the stake (as evidenced by oil majors BP and Mobil which have combined their European re®ning and marketing operations through an alliance).12 However, it is important to select the right allies. Those who selected Soharto family members as their Indonesian business partners to reduce their political risk and increase returns are now experiencing the opposite reality as that dynasty falls. Other stake competencies include superior technology to reduce the stake (e.g. ministeel mills cost much less than large one) and speed. The latter diminishes the time that the stake is exposed. Global power company Enron is faster at deal making. Its project exposures are reduced as it of¯oads risk more quickly than many competitors. There are also a number of management competen-
Hedging and Insurance Management Approaches and Behaviors To Risk
Alliances
Greater Analysis Portfolio Spread
Smaller Scale
Focus on Core Business
No Risk
Consequences of Management Approaches
No Returns Lower Returns, Opportunities for Competitors, Sub Scale Risks
Restricted to Core Returns Average Returns
Slower Returns, Competitive Threats
Lower Returns, Danger of Defection, Lack of Control Increased Costs, Lower Returns
FIG. 3. Like matter, risk cannot be destroyed. It can only change from one form to another. Long Range Planning Vol. 32
August 1999
418 Stake Management Competencies Examples . Scale to absorb bigger projects
Ability to manage high stakes
. Alliance skills to
Greatest Competitive Advantage
. Use of government
share stake
relations
. Unique technology to reduce stake . Speed
Examples
Limited ability to manage stake and uncertainty
. Influence on law Ability to manage high uncertainty
and regulation
. Superior databases . Use of allies
Uncertainty Management Competencies
FIG. 4. Competitive advantage comes from superior competencies, i.e. risk processes, culture, incentives, training and organization. cies that a company can use in order to reduce uncertainty. A company can make use of personal government relations and contacts (which is particularly prevalent in many Asian and developing countries). Companies can also have an in¯uence on law and regulation (as evidenced by accounting ®rms working with regulators to have derivatives activities disclosed in annual reports in order to protect themselves from shareholder lawsuits). Another uncertainty management competency is to use superior databases (e.g. credit scoring, as used by credit card companies to reduce fraud and bad debts). Lastly, companies can make use of allies to reduce uncertainty (such as a local partner in Chinese joint ventures; the ally has insights into local culture and procedures which reduce uncertainty). Superior competencies also result from a company's risk processes, culture, incentives, training and organization.
The Need for a New Approach
Corporations are beginning to see the need to reconsider risk management holistically. Whilst management in the relatively mature and stable food industry shows a lower focus on risk management, at the other extreme, rapidly changing or speculative industries such as ®nancial services, mining/ exploration, information technology, and venture capital already exhibit a `think risk' culture. The telecommunications and the power industries are going through a period of globalization, privatization and deregulation. Management in these industries is shifting from an `avoid risk' culture to a `think risk' culture (see Figure 5). Strategic Risk Management
Yet risk is often badly managed. Our work with over 50 large companies in risk management around the world indicates that common corporate failings include weak processes, e.g. leaving everything to the CEO or entrepreneur; too narrow a focus, e.g. focusing only on ®nancial trading or insurable risks; inadequate data or analysis, e.g. relying only on published data or credit ratings; focusing only on the negative, or disaster avoidance; fragmenting risk management by division, e.g. each division giving the same customer different credit lines; and inadequate organization or teams. Most companies do not have a comprehensive risk strategy or vision. They have no clear risk organization responsibilities or culture. The approach taken is fragmented, with operations, insurance, treasury and human resources reacting ad hoc to events as they arise. The relationship between risk management and shareholder value is arbitrarily kept separate. Risk management sophistication ranges from mere risk identi®cation, to consistent measurement across risks, to linking risks and returns. At the high end of the spectrum, companies are able to demonstrate the strategic interrelationship between risks, returns and shareholder value. Strategy is value-based, and business risk pro®les drive capital allocation and, ultimately, shareholder value (see Figure 6). Weak risk culture sti¯es performance and adversely affects shareholder value. Entrepreneurs taking a `damn the torpedoes, full speed ahead' management style may reap huge returns, but they also court disaster if their decisions are based on insuf®cient analysis. Often, they win once or twice
419 'Think Risk' Culture
Risk / Reward Trade-Off Financial Services Mining / Exploration Pharmaceutical Consumer Products
Venture Capital
Telecommunications Airline
Power
Risk Management Capabilities
Technology
Defense Technology Health Care Telecommunications Automotive
Power
Little or No Focus on Risk Management
Food Risk Control Focus
Mature / Stable
Nature of Business
Changing Rapidly / Speculative
FIG. 5. Industries need to reconsider risk management. and then hit the rocks. As for those deciding not to take any risks or to defer making a decision, the consequences may be to miss the boat or lose out to the competition. As a result, ®rms need to vary their
risk management style according to their strategy. There is a pantheon of individuals who dared too muchÐthe Reichmans, Freddie Laker, Robert Maxwell, Tiny Rowland and others. One might label
Shareholder Value Objectives Value Based Management
Maximization of Cash Flows
Value Based Strategy Dynamic Capital Allocation Capital Allocation Techniques
Quality of Earnings Linking Risk and Return(s) Consistent Measurement Across Risks Protection Against Unforeseen Losses
Identification of Risks Risk Management Sophistication
FIG. 6. Typically, companies develop from left to right. Long Range Planning Vol. 32
August 1999
420 1.
2. Set Direction
3.
Baseline and Benchmark
5.5.
4.
Create the Vision
6. Design Embed Process Continuous Improvements Improvements
Implement Change
FIG. 7. Structured methodology for risk management process evaluation and change. this as `the Napoleon tendency', i.e. the drive through which victories reinforce risk-taking until, ultimately, there is a Moscow or a Waterloo, where too much has been bitten off.
Building a Risk Management Competitive Edge The approach, which we will describe below, can help top management protect the company against catastrophic losses and support superior risk returns performance and shareholder value growth. Our six step approach, developed through extensive work with companies across a number of industries, allows for the evaluation of the risk management process and the implementation of change (see Figure 7). Each step is described below. Multi-disciplined risk process teams are established to undertake these projects. Board involvement and commitment are vital.
Step 1: Set Direction
This step focuses on developing an understanding of the company's and its stakeholders' risk concerns and on identifying the major areas of risk, such as operations, enterprise, events, and market risks. The key objective is to identify and aggregate the risks facing the enterprise and the risk issues as perceived by management and stakeholders (see Figure 8). This step generally begins with a thorough review of the infrastructure, decision-making channels and operating systems. The risk appetites and cultures of the management and stakeholders are identi®ed through interviews and focus groups. Areas of critical concern are discussed and priorities set. The prioritization of risk factors generally involves looking at the stake, the uncertainty and the quality of Strategic Risk Management
risk controls and processes already in place. At the end of this step, management gets a clear understanding of the risk factors and a prioritization of risk issues. A recent article in an Australian journal on risk management stated that ``risk assessment and acceptance was important because the organization could then focus on the risk and then work to eliminate or reduce it''.1 In their book Seeing Tomorrow, Dembo and Freeman make an important contribution to the ways of evaluating risk appetites which can be used at this stage.13 Based on the work of a number of academics, they explore the concept of `regret', i.e. how risk takers feel about not winning or losing, and a number of other powerful concepts.
Step 2: Baseline and Benchmark
In this work step, the team evaluates risk and returns and the appetites of investors and other stakeholders. We quantify major risk elements and priorities, analyse risk drivers, and map current processes. It is important to quantify the risks. For some risks such as ®nancial market-related risks, this may appear to be a relatively simple exercise. For more operational risks such as safety or technology risks, quanti®cation often requires making assumptions. We have found that using multi-disciplinary teams involving those actually on the ground gives superior results to using assumptions generated by planners at corporate headquarters. Risk processes and risk performance are benchmarked against global best practice. We now have a database on this. It is usually essential to go beyond the immediately obvious competitors and to compare other industries where best practice lies. A `value at risk' approach is often used. This calculates the probability of loss on a ®nancial portfolio rather than the possibility of losing the entire
421 Example Credit Risk Continuity of Demand or Supply Counter Party Risk
Operational Control Risk
Demands
Equity Price Risk Project Risk Operational Risk
Enterprise Risk
Market Risk
Interest Rate Risk Foreign Exchange Risk
Transaction Risk Event Risk
Liquidity Risk
Reputation Risk
Systems Risk
Legal and Regulatory Risk
Port Concentration Risk
Disaster Risk Political Risk
Correlation Risk
FIG. 8. Set direction: identify major areas of risk. portfolio. Unfortunately, in the LTMH hedge fund case, this approach proved disastrous. The problem was that it assumed both liquidity in the market for hedging instruments and a normal distribution of risk. It transpired that in the current emerging markets, crisis, the risks which were predicted to be in the lower tail of a normal distribution of probabilities came to pass, Secondly, the liquidity in emerging market debt dried up almost entirely as a result of the crisis. As the assumptions of the value at risk model were broken, so too was LTMH.14 When South Korea's LG Group, a conglomerate, recently decided to embark on a risk management program, it chose to benchmark itself against Caltex, an oil company in some areas.15 Next, performance gaps and learning opportunities are identi®ed, and an assessment is made of risk exposures. This is where clients realize and accept the size of the mountain to be climbed.
Step 3: Create the Vision
Like the AWACS long-range airborne radar and control system for detecting enemy aircraft and vehicles, the vision of management should be to scan the environment and to identify quantitative and qualitative opportunities and threats, and to determine the most appropriate response, depending on stakeholders' risk sensitivity. A risk management vision is created, comprising the three key components of measuring, managing and monitoring
risk. Management may develop appropriate strategies, for example, decrease the stake, through sharing the risks and rewards with co-investors, suppliers and customers. It may reduce the uncertainty, through bringing in partners with data and who can control risk drivers. It can also prepare scenarios and contingency plans. It can focus on core business or spread its risks through a range of businesses and geographies.
Step 4: Design Process Improvements
Based on the data gathered in earlier steps, management decides on the most appropriate improvement options. Improvement options include designing processes and documenting policies (if the problem is ad hoc processes), and tighter process management and parallel processing (to remedy decision delays). The top management team can use a risk± returns matrix to evaluate the overall risk position of projects (see Figure 9). The risk matrix is used to decide where each strategic business unit lies on the risk axis. This can then be plotted against expected returns. The designing of process changes usually occurs in four areas. Firstly, strategy and policy changes need to be made. A clear risk management strategy must be articulated by top management in the visioning phase and this is converted to a risk management policy document and training plan in the design phase. It is important to ensure that the overLong Range Planning Vol. 32
August 1999
422 Example Risk Matrix Returns Risk Matrix
High
Stake High
Medium
High Medium
Medium
Low
Medium
Low High Uncertainty
Low
Low
Medium Risk
High
Avoid Pointing to Risk
FIG. 9. Design process improvements: top team evaluates the overall risk position of projects or businesses. all business policies are supported by the risk management policy. For example, a growth-focused business objective will not work whilst maintaining a minimal risk tolerance, as seeking growth will inevitably lead to undertaking enhanced risk. The policy manual outlines the risk objectives, tolerance levels, acceptable procedures, speci®c risk-related accountability and risk measurement and reporting guidelines. Once the risk process design is ®nalized, management endorsement and commitment is needed to provide a mandate for the risk management program. Management also needs to review the organization structure that will be used to support risk management. Centralized risk management options tend to work for a `controller' company (as evidenced by many ®nancial institutions), whereas decentralized risk management models tend to work for a `portfolio manager' company (as evidenced by conglomerates such as BTR). Depending on the risk vision, design changes relating to the formation of risk committees/councils need to be made. Risk measurement is the third area where changes need to be designed. Effective tools to proactively assist in monitoring and managing risks are crafted. According to risk managers polled in the UK, one of the greatest challenges is simply searching for the risk-related information.16 Several of our clients now use a PC-based risk dashboard that allows top Strategic Risk Management
management to be appraised of the status of all risks. The dashboard provides an overall picture of various types of risk, e.g. country, project, credit, trading, operating and environmental risks, as well as allowing for a more in-depth view of each type, if required (see Figure 10). In half an hour, the board can go through all of the main risks and opportunities faced by the corporation in considerable depth, or take an overview in just a few minutes. Lastly, design changes must also focus on the operations and systems of the company. This includes changes to the IT infrastructure, internal controls and operating guidelines.
Step 5: Implement Change
This step is where the rubber meets the road. As in all strategic processes, successful implementation is the key to ensuring the long-term success of any risk management programme. Implementation success can be attained from focusing on two main areas: people and processes. In terms of people, implementation requires the involvement and commitment of senior management and employees. The working teams that are responsible for the enterprise-wide change effort must be balanced in their composition and include corporate staff, risk experts for complex risk areas, process champions and line mangers. The entire effort should be driven by a risk manage-
423 Example Overall Risk Monitoring
Risk Types
Country
Red Yellow Green
Country Risks 1 2 3
Trading
1
Operating
1
2
3
Project
Credit
Project
1
Credit Risk
1
2
3
2
3
Trading
Operating Environmental
2
3
Environmental 1 2 3
Value at Risk
FIG. 10. Design process improvements: PC-based risk dashboard. ment committee made up of key decision-makers from across the enterprise. In terms of process implementation, we have found that it is best done one step at a time. Initially, the focus is on the core risk areas as de®ned in the baseline and benchmark phase. Implementation is focused on developing a common risk language that can be understood by all. Armed with a thorough design of risk management processes, strong people to lead the implementation effort and a realistic implementation schedule, implementation succeeds and penetrates the organization. Training and communication programmes are an essential element of roll-out.
Step 6: Embed Continuous Improvements
Risk management excellence is a journey, not a destination. Continuous improvements must be embedded: compliance is monitored; results measured against plans; risk review programmes institutionalized; best practice tracked; processes and procedures updated; and returns measured against market expectations. Risk management also centres around people and ®rms must develop good risk managers. On this journey, we have identi®ed four stages of development for risk management from our research with clients. . At the entrepreneur stage, the approach is ad hoc and there are no procedures. Each subsidiary either does its own thing or the entrepreneur handles everything, often in his or her head.
. In the next stage, bureaucracy is introduced. Formal procedures are put in place, with the focus on compliance, risk avoidance and standardization. This is an improvement but can lead to slowness, rigidity and risk aversion. . The process management stage sees improved processes and empowered teams. However, risk management is still separate from shareholder value-based management, and this limits the extent to which risk and returns can be aligned and superior investment decisions made. . The fourth, and most developed stage, is strategic risk management. Here risk management is integrated with shareholder value management and the company exhibits a healthy risk management culture aimed at building the value of the company. This is the frontier to which we are striving. Getting from stage one to being a strategic risk management company cannot occur overnight. Companies need a risk management blueprint, capable and committed leaders and employees and effective processes in order to make the change. If a risk management program is instituted properly and with conviction, the resulting organization will be stronger, ®nancially more secure and the envy of its peers.
Conclusion Risk and turmoil are normal in all industries and Long Range Planning Vol. 32
August 1999
424 geographies. Financial services, telecommunications, aviation, public works, energy and shipping are deregulating aggressively. Cross-border trade investment has increased signi®cantly, capitalizing on broad-scale tariff changes initiated by the ASEAN Free Trade Area, GATT/WTO, and APEC activities. Technology is changing rapidly. Political and ®nancial mine®elds abound. Companies affected by changes must be nimble in their response. Yet, in such a highly uncertain environment, a quick move in the wrong direction will be costly. The recent turmoil in global ®nancial mar-
kets demands changes in how we manage risks. As stated by a senior Malaysian government of®cial recently, ``The challenge for top management is to proactively plan for the inevitable redirection of strategy, rather than passively endure the unpleasant consequences of this crisis environment''.17 A comprehensive understanding of the playing ®eld is required, and an integrated risk management methodology must be used for identifying and evaluating risks. From this, a strategy can be developed to maximize shareholder valueÐbut this requires effective risk management.
References 1. I. Porter, Big or Small, All Can Win With Risk Management, Australian Financial Review, June 17 (1997). 2. A New Approach to Financial Risk, The Economist, October 17, pp. 15±16 (1998). 3. P. Martin, Hedge of the Abyss, Financial Times, November 11, p. 14 (1998). 4. A. Jones, The Art of War in the Western World, Harrap (1998), pp. 351±353 gives a good review of Lanchester's N-square-rule an early example of how mathematics was used to calculate the chances of troops getting shot according to the number of attackers. These models are now more advanced; see also Paul K. Davis, Interactive Simulation in the Evolution of Warfare Modelling, Proceedings of IEEE, Vol. 83, No. 8, August (1995). 5. M. S. Dorfman, Introduction to Risk Management in Insurance, Prentice-Hall, Englewood Cliffs, NJ (1994). 6. K. Vander Heijden, Scenarios: The Art of Strategic Conversation, Wiley, New York (1996). 7. T. A. Luchman, Strategy as a Portfolio of real Options, Harvard Business Review, September±October (1998). 8. K. Dowd, Beyond Value at RiskÐThe New Science of Risk Management, Wiley, New York (1998). 9. A. M. Zevitt, Disaster Planning and Recovery, Wiley. See also Chris Chapman, Project Risk Management, Wiley (1997). 10. I. C. Palmer and G. A. Pot, Computer Security Risk Management, Van Nostrand Reinhold, New York (1989). See also Capers Jones, Assessment and Control of Software Risks, Yourdon Press (1994). 11. Australian Securities Commission Survey, AAP Information Services, April 15 (1998). 12. D. Keefe, Don't Mention the D-Word, Energy and Power Risk Management, March 10 (1997). 13. R. S. Dembo and A. Freeman, Seeing TomorrowÐRewriting the Rules of Risk, Wiley, New York (1998). 14. Turmoil in Financial Markets, The Economist, October 17, pp. 21±23 (1998). 15. N. Reed, Facing up to Risk, Asia Risk, November (1996). 16. D. Keefe, The Search for Success, Energy and Power Risk Management, September 5 (1997).
Christopher J. Clarke, Visiting Professor at Henley Management College, was formerly Managing Director of A. T. Kearney's management consultancy in Southeast Asia. Previously he was a managing director in investment banking. He is a former chairman of the Strategic Planning Society and has degrees in Economics and Management. Corresponding address: VP and MD Southeast Asia, A. T. Kearney Pte Ltd, 1 Temasek Avenue, ]35-01 Millenia Tower, Singapore; e-mail: gina.goh@atkearney. com
17. Hedging can Minimize Risk of Malaysian Companies, Asia Pulse, June 4 (1998).
Suvir Varma is a manager with A. T. Kearney in their Singapore office. He has advised various clients on risk management. Previously, he was in commercial and investment banking. Strategic Risk Management