Sunday, August 24, 2008

Managing All of Your Enterprise's Risks


Shaw, Jack


In 1962, Canadian risk management pioneer Douglas Barlow, an executive with equipment manufacturer Massey Ferguson, famously said, "All management is risk management." Nearly half a century later, the vision first expressed by Doug Barlow finally is coming to fruition.


Historically, corporate management of risks of various types has been handled in isolated "silos." Traditionally insurable risks such as automobile and general liability might be handled in an insurance department. Product liability might be managed by legal. Supply chain risks would be dealt with in logistics or procurement. And market risks could be addressed in the sales or marketing organizations.


The problem with this prototypical approach is that it entirely misses two critical aspects of risk management from a corporate, or enterprise risk management (ERM), perspective. The first is the corporate risk appetite. The second is the management of emergent risks.


Risk Appetite


The concept of risk appetite is actually a very important capital allocation issue. A company's risk appetite is the amount of risk a company is willing to absorb for the returns it expects to gain. Every company has a risk appetite, although in most cases it is implicit, and only vaguely understood, rather than being explicitly stated by senior management.


Ultimately, it is the financial markets that evaluate the prospective returns a business promises and weigh them against the risks to which it exposes itself in order to gain those returns. If the return-to-risk ratio is deemed appropriate by the markets, the value of the firm goes up. If not, it goes down.


Clearly, it is then important for a company to ensure that the degree of risk to which it is exposed stays very close to its desired risk appetite. Figure 1 shows a simple ERM tool called a risk appetite graph. Here, we see an illustration of how the risks found within various business areas of a representative company might vary with respect to one another and the company's risk appetite.


By reviewing such a graph, one can quickly see that while most areas of the business seem to have risk exposures under control, there seems to be a problem in operations. Whether its origin is a difficulty in the supply chain, a safety exposure in manufacturing or a retail location, or some other operational predicament, plainly the company must correct the situation. If uncorrected, the risk could turn into an actual loss that could not only be expensive for the business but could also cause a punishing drop in valuation by the financial markets.


Many executives, however, might miss the second risk management problem highlighted by this same figure. That is, in one area of the business, the risk exposure is too low.


Many executives' initial response to this idea is "Preposterous! How can any area of risk be too low? Isn't that the point of risk management: to eliminate as much risk as possible?"


The answer, in a word, is no. There is only one way to eliminate all the risk in your business. That is to shut the doors and go home. But, no risk, no reward. So, if you are going to be in business you are going to have risk. The objective is not to eliminate risk altogether, but to manage it to an appropriate level: not too high, and not too low.


A common example of where risk can be too low is in the credit department. All too often credit managers become obsessed with having the lowest possible credit losses. Unfortunately, they may achieve this by turning down otherwise profitable business that has even the slightest credit risk associated with it. While credit losses are indeed reduced, it may be at the cost of much greater losses in profits associated with the rejected sales.


So risk in some areas really can be too low. It is not that additional risk in and of itself is desirable. As mentioned above, it is really a capital allocation problem. In this case, the company may benefit by shifting risk management resources from one area to another.


The principles underlying risk appetite are straightforward and the diagram is simple to understand. It is important to bear in mind, however, that, as described below, risk is a six-dimensional problem. As a result, comparing risks across various facets of your business and, even more importantly, managing those risks effectively is a very complex undertaking. This is a key aspect of why ERM has not yet been widely implemented. The existing tools and technologies to support it to date were not designed to manage such complexity well.


Emergent Risks


The second aspect of risk management often overlooked by executives in companies that do not have ERM is combinatorial or emergent risk. Emergent risks arise from actions taken in multiple areas of the company that, by themselves, do not increase risk. In fact, these individual actions may reduce risk, but combined, they can dramatically increase it.


A classic example of emergent risk took place in the 1990s at Ford Motor Company. For the past 30 years or so, automobiles sold in the United States have been equipped with catalytic converters to reduce air pollution. One drawback of these catalytic converters was that they required such rare metals as platinum, palladium and rhodium. In the early 1990s, two different areas at Ford recognized that a significant price increase in some or all of these rare elements could have a devastating impact on Ford's profitability. Each set out to do something to reduce this risk.


The purchasing department took a commodities hedging approach to solving the problem. It reduced the risk by entering into a series of long-term contracts to purchase these rare metals at prices locked in to the acceptable prices in the market at the time.


The research and development department took a research-based approach to solving the problem. They were determined to develop new catalytic converters that required only a tiny fraction of the rare and expensive metals in question.


You can probably see where this is going. Five years later, Ford had new catalytic converters that no longer required the metals they had committed to purchasing. Unfortunately, at that time, an oversupply of these metals in the marketplace had brought about a price drop. As a result, Ford had to take a write-off of almost a billion dollars on their rare metals purchase contracts.


The frustrating problem for Ford in this case was that each department did exactly what it was supposed to do to reduce risk, but only from its limited perspective. It was only the combination of actions that ultimately caused Ford the great loss it incurred. Had it had an ERM system in place, Ford could have recognized much earlier that the actions being taken by the two departments were counterproductive. It then could have taken steps to correct the situation and probably significantly reduced, if not eliminated, the loss.


Other companies expose themselves to many kinds of emergent risks on a regular basis. The marketing department rolls out a new promotional program without realizing the impact on the supply chain. Product development comes up with a new product without seeing how it might affect the company's product liability. Manufacturing builds a new plant in a third-world country to take advantage of low labor costs but fails to recognize the effect on the company's foreign exchange positions. In an increasingly complex, interdependent world, the number of emergent risks businesses face is growing exponentially.


None of these problems can be solved, or even effectively addressed, with the traditional risk management tools in place in most organizations today. To solve these problems requires businesses to put in place a well-designed enterprise risk management process and the systems to support it. For these purposes, enterprise risk management can be defined as the identification of and appropriate response to events and trends, both internal and external to the enterprise, which may impact the value of the enterprise or its ability to execute its strategy to increase that value.


Notice that ERM does not solely address those risks that may negatively affect value. It also deals with opportunities that may have a positive impact on the enterprise.


Implementing Enterprise Risk Management


There are seven steps to implementing an effective ERM program for your organization: 1) assemble and educate a cross-functional team representing each significant functional area of your business, 2) identify your risks and opportunities, 3) determine your risk tolerance, 4) identify correlations among your risks and opportunities, 5) prioritize your risks and opportunities, 6) determine appropriate actions for mitigating risks or exploiting opportunities as necessary and 7) put an enterprise risk management system in place to monitor and respond to events and trends on a continual basis.


As referred to in this issue's previous story, "Where Are You on the Journey to ERM," you could start by purchasing copies of the COSO "Enterprise Risk Management-Integrated Framework." Developed over the course of several years by the inter-industry Committee of Sponsoring Organizations (COSO) of the Treadway Commission, it is a set of well-thought-out recommendations on how organizations in any industry should address ERM.


It also can be very helpful to have a risk management consultant assisting you in this process. However, if you do decide to hire a consultant, be sure they are there to consult with you and not simply to sell you insurance. An experienced ERM consultant can provide objective advice uncolored by the desire to increase their revenues by selling insurance policies.


Identify your risks by starting with your company's business plan. This is why it is important to have representatives from each major area of your business participating in the process. Consider each of the activities your business has planned and identify internal and external trends and events that might significantly affect that activity, either positively or negatively.


Determining your risk tolerance can be tricky because it can be difficult to compare risks from one part of your business to another. One simple way to compare risks of different types is through a risk assessment chart cross-referencing the likelihood and potential severity of risks. Different risks can then be placed on the chart for ready visual comparison.


When assessing risks, it is important to keep in mind the potential relationships between various risks. Many risks are positively correlated with other risks. That is, as the likelihood of one risk increases, that of an associated risk also increases. This means that the impact of a risk may be accompanied by additional effects that could catch you by surprise if you fail to recognize these correlated risks. At the same time, it may mean that steps taken to mitigate one risk also could positively impact another risk.


Risks may also be negatively correlated. This means that as the likelihood or impact of one type of risk increases, that of an associated risk decreases and vice versa. For example, a company may choose to invest in both variable interest CDs and bonds. As interest rates increase, the value of the bonds generally drops, but the return on the CDs improves. If interest rates fall, the return on the CDs does also, but the value of the bonds typically increases.


Figure 2 shows a risk assessment chart. Note that the color distribution is not perfectly balanced. This is intentional. The more likely an event is, the easier it is to plan for. As the likelihood of an event approaches certainty, it actually becomes less of a "risk" in the traditional sense of the word, and instead becomes simply an actuality that must be planned for.


By looking at the four corners of the chart, you can see four basic types of risk. On the upper right are the critical risks. These are the "drop everything else and fix this problem" risks that threaten the very survival of the organization. One key objective, and potential benefit, of risk management is to avoid risks ever reaching this state. On the opposite corner, in the lower left, are those risks that are insignificant, at least for the moment. While they should be monitored, they rarely require immediate action.


Perhaps the most interesting sets of risks are those in the other two corners. Historically, most risk management has centered on those predictable risks of minimal to moderate magnitude that could either be absorbed or could be addressed by purchasing insurance. These are reflected in the lower right corner.


However, history also has shown that, for most businesses, the most devastating risks have been those that emerged unrecognized from the upper left corner of the chart. These are the severe to catastrophic risks that, however unlikely or remote they may seem, can jeopardize a business's existence. This is why the colors in the risk assessment chart indicate that those risks in the upper left part of the chart are more significant than those in the lower right.


These low-likelihood, high-impact risks may be manmade, such as terrorist attacks or rogue financial trading, or natural, such as hurricanes or the tsunami that struck the Indian Ocean at the end of 2004. And while, if disregarded, they have potential to do the greatest harm to organizations, these are the risks that traditional approaches to risk management, and most of the risk management systems in the market today, most completely fail to address.


The Dimensions of Risk


There are actually six dimensions to any risk. These are 1) the likelihood of a relevant trend or event, 2) the magnitude of the effects of the trend or event, 3) the degree of uncertainty in the estimate of event likelihood, 4) the degree of uncertainty in the estimate of the magnitude of the effects, 5) the ability to influence the trend or event's likelihood and 6) the ability to influence the magnitude of the effects.


We have already discussed the likelihood and magnitude of risk. Often, though, these cannot be as accurately estimated as we would like. The degree of uncertainty in these estimates is one reason why traditional statistical models of risk may be limited in their effectiveness.


Even more significant is the ability the organization has to influence the likelihood or magnitude of a trend or event. This is the essence of risk mitigation, and it is the very area where most risk management systems today fall on their faces.


It is fine to identify and prioritize risks. And there is no doubt that the financial markets are very unforgiving of corporate management that fails to recognize the risks facing them. At the same time, it is obviously unacceptable to go to the Board of Directors or the financial markets and say, "We have clearly identified and ranked our risks; we just are not going to do anything about them."


For many risks, the likelihood of occurrence can be significantly reduced. For example, increasing lighting and security at facilities in areas showing a trend of increasing crime can reduce the likelihood of crime-related risks. For others, the magnitude of the effects can be affected. You might not be able to influence whether a hurricane is going to hit your area of operations, but you can certainly take steps to minimize the damage if it does.


So, a project to identify and prioritize risks and determine steps to mitigate them is an excellent start. But a one-off ERM project does not constitute an effective enterprise risk management program for your business.


For your organization to benefit from ERM in the long run, you must put into place an ERM process to help you monitor and respond to risk on an on-going basis. To do this cost-effectively means you will also need to use the most appropriate information technology to support your ERM process.


Automating Enterprise Risk Management


In the October 2004 issue of Risk Management magazine, Brian Warren noted some of the critical shortcomings of current risk management information systems. These included:


* The ability to contend with operational risk as well as traditional financial and credit risks


* The ability to collect all the relevant data needed to manage risk from both internal and external sources


* The ability to employ analytical tools that address not simply historical data, but that can project risks and impact for events that have never previously occurred


* The ability to identify a chain of events that may follow an initial loss event and accurately project the impact of the "ripple" effects emanating from that event


Warren is absolutely correct in identifying the limitations of current technologies in the ERM marketplace. In order to effectively manage enterprise risk on an on-going basis, you must address two problems. First, you must continuously gather information from all relevant sources. Then you must analyze that information to determine the risk priorities and assess appropriate risk mitigation actions to undertake.


Until the past few years, gathering relevant information in an automated way was not practical. However, with the emergence of the Internet, web services, enterprise service buses and other services-oriented architectures, the task has become far easier. By leveraging these technologies, businesses can now integrate information from systems throughout their own organizations with important, relevant data from external sources.


While gathering the requisite data is a challenge, at least the necessary technologies are currently deployed in the commercial marketplace. This makes this aspect of automated risk management somewhat easier. A handful of the leading ERM systems in the marketplace can do this today.


A much more challenging task is what to do with all this information. If a company could afford to staff its risk management organization with a large enough number of people, and assuming that they could communicate very efficiently among themselves, they could keep up with the flood of data, identify key risks and recommend appropriate risk mitigation actions.


Clearly though, this is not financially feasible. For an ERM system to be truly effective it must not only gather relevant data. It must also analyze that data, identify crucial risks, determine appropriate risk mitigation actions, and, in some cases perhaps, even execute those risk-mitigating activities.


A six-dimensional problem such as ERM is a very complex one to solve. This is why so few organizations have implemented truly effective ERM systems today. The existing technology in the commercial information technology marketplace is simply not up to the task.


This existing technology falls into three categories: statistical models, rules-based or expert systems, and neural networks.


Statistical models. For a limited range of risk management problems, statistical modeling can be very effective. The challenges to statistical models, though, are significant. Is all the historical data available? If available, is it really relevant? The biggest problem with statistical modeling approaches is that they are virtually useless when it comes to projecting risks for which there is no prior history.


Rules-based or expert systems. These can be helpful for solving certain small-scale problems. For example, a rules-based system might very effectively recommend which of a limited number of product configurations might be most appropriate for a particular use. But rules-based systems do not handle uncertainty well, and uncertainty is the very basis of risk management.


Also, rules-based systems do not scale well. Since there is no inherent structure to rules-based systems, once you get beyond a few dozen rules, they can no longer handle the complexity. They begin to give bizarre and inappropriate results. Efforts to change the rules to correct these problems invariably result in different, equally peculiar errors.


Neural networks. These are an intriguing and highly touted emerging technology. Again, for a certain class of problems, they can be very useful. Neural networks are good at solving problems where we do not understand the thought processes people use to solve the same problems. For example, we can look at a bush or a tree and tell which is which at a glance, although only a trained botanist would be able to explain the differences explicitly. However, even a four-year-old can accurately distinguish trees from bushes even though he or she would never be able to explain exactly how they can tell the difference.


A neural network, presented with many photos of trees and bushes, and provided with feedback as to the accuracy of its guesses, will eventually "rewire" itself to be able to identify trees versus bushes with a very high degree of accuracy. However, its "reasoning" process is totally opaque. You can no more get a neural network to "explain" how it arrived at its conclusions than you could get a four-year-old to explain how they reached theirs.


In an area as important as enterprise risk management, it is critical that the people carrying out risk mitigation activities recommended by an automated ERM system have complete confidence in those recommendations. This means they must be able to clearly understand the chain of reasoning the system used in arriving at its conclusions.


A Solution to the ERM Technology Problem


Fortunately, there is technology new to the commercial marketplace which solves the risk management "reasoning" problem very effectively. This technology is explicit causal modeling.


Causal modeling uses a series of advanced knowledge engineering tools to solve complex, real-time problems that are intractable by other means. Causal modeling accurately simulates the ERM objectives of the firm within the context of its broader strategic goals. A causal modeling approach to ERM not only can gather all the relevant information, it can use that information to recommend optimal risk mitigation actions. And the chain of reasoning it uses to do so, while complex, is completely clear and understandable to people considering its recommendations.


An ERM system based on causal modeling can identify the relationships (including both positive and negative correlations) among trends and events that could impact the enterprise. Thus it will automatically recognize and take into account the "ripple effects" that may come about as a result of a specific loss event. An ERM system based on causal modeling can even reason about events without historical precedent. This makes this approach uniquely effective for managing operational risk.


While none of the ERM systems on the market today leverage causal modeling, the technique shows great promise for addressing a range of highly complex problems, including ERM. Causal modeling, combined with the sophisticated web-based information access tools developed in the past few years, can provide the basis for enterprise risk management systems that, at last, allow businesses to manage all risk on a consistent, coherent basis across the organization. Thus finally, after nearly half a century, Douglas Barlow's insight that "All management is risk management" can come to pass.


Jack Shaw, vice president of commercial systems for Applied Systems Intelligence in Roswell, Georgia, is recognized as a leading expert on business and technology. He is the author of several books on business technology.


Copyright Risk Management Society Publishing, Inc. Sep 2005
Provided by ProQuest Information and Learning Company. All rights Reserved
