Archive for May, 2011

Determining Risk Appetite with focus on Strategic Risk Management

Risk appetite is a term that is familiar yet confusing, as multiple interpretations and perceptions exist. To put it simply, no one can run a business without taking risks. Therefore, risk appetite is the quantity of risk the business owners are willing to take to get the desired rewards. The perception is that organizations are doing a good job of calculating risk appetite. The financial crises showed that financial institutions, the torchbearers for risk management, did a pathetic job at assessing their risk appetites. Further emphasizing the issue, a KPMG survey stated that just a quarter of the organizations have a formal risk appetite statement.

While assessing risk appetite goes to the core of strategy formation, it becomes more vexing and perplexing from the perspective of Strategic Risk Management (SRM), as an incorrect assessment can bankrupt the organization. To add on, nowadays in some countries boards are accountable for defining the risk appetite of an organization. For example, the UK Corporate Governance Code states, “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010).

The challenge is how to determine risk appetite, as a simple ballpark figure cannot be calculated. While one can say the devil is in the detail, the question remains how one works out the details. In my view, there are three stages for designing and implementing a risk appetite statement in specific reference to SRM – assessing risk capacity, aligning to strategic objectives, and implementing a measurement and monitoring framework. Let us discuss these three areas.

1.    Assessing Risk Capacity

The strategic objectives of the organization are growth, market share, profitability, increase in share value, reputation, regulatory standing, capital structure etc. To achieve objectives two aspects have to be balanced – propensity to take risks and propensity to control risks. For example, growth at the cost of reputation damage is not desirable.    

The various aspects that impact risk appetite are organization culture, market position, geographical spread, reputation, industry sector, share price, ownership pattern, capital structure, business model, business processes and risk management maturity within the organization. Hence, a one-size-fits-all approach cannot be adopted for assessing risk appetite.

The Institute of Risk Management consultation paper on Risk Appetite propagates the concept of calculating risk appetite on the basis of shareholder value. “The model is based on the hypothesis that shareholder value is calculated as the cash flow from operations, discounted by the weighted average cost of capital, less the value of debt.” The model suggests that risks should be tested on their impact on shareholder value and an aggregate of various risks should be taken as risk appetite. However, this model does not take the qualitative factors into account, and some aspects of the business are not measurable. For example, reputation damage is difficult to measure and the impact is long term. In my view, both qualitative and quantitative factors should be taken into account.

In my opinion, the following approach may be followed. 

  • Board decides the strategic objectives of the organization and then explores the upside and downside risks, and their qualitative and quantitative impact.
  • Next, assess interrelationships between various factors influencing risk appetite.
  • Map these on a quadrant for level of risk and impact. This allows the board to have flexibility in determining and assessing the separate risks for meeting each objective and the cumulative risk of the organization.

For example, the objective of a multinational is a 100% increase in sales. The strategy is to enter the Indian market. Now the upside risks are: different customer preferences, cheaper local products, lower costs of production etc. The downside risks are high-level corruption, geographical distance reducing managerial control, license permits etc. Here the risks for exploiting opportunities and mitigating threats are listed, graded and quantified where possible. Play with the growth figures to assess the movement in various risks. Do they change significantly or remain the same? Assess the impact on shareholder value if these risks occur.

Next, to stay on the conservative side, take the value of threats without deducting the opportunities for assessing risk appetite. Grade the level of threats with varying sales growth. Identify the figure at which the management is comfortable while taking risks and its impact on shareholder value. I think this figure should ideally be the risk appetite of the organization.

2.    Aligning Risk Appetite

One of the frequent debates is that all operational risks eventually impact strategic risks and strategic risks affect operational risks. However, it is not easy to line up all the ducks in a row. A strategic risk may occur while the tactical and operational risks are mitigated. For example, political risk is an external strategic risk, which can have a huge impact on the organization although tactical and operational risks relating to the activity are adequately addressed.

The second aspect is how one aligns upside strategic risks to operational risks. Although operational risks can also have an upside, they may not be directly correlated to strategic upside risks.

The third challenge is that risk appetite of the organization continuously changes according to the various events occurring within and outside the organization. For example, the strategy was to increase sales of X product for which the organization determined a specific risk appetite. However, the competitor introduced a technologically advanced and cheaper Y product which made X product redundant. Hence, now since the organization has a strategy failure its risk appetite changes and that change would reflect on other products.

Hence, the big question is: how does one align risk appetite to strategic objectives and link it back to other risks?

First, clear the misconception that risk appetite is one fixed number for an organization. Risk appetite is a moving figure continuously fluctuating and requires adjustment on an ongoing basis. Second, an organization can have a range of risk appetites for different strategic objectives. For example, if the organization sells two main products, for each the risk appetite will be different. For the same product, an organization has different risk appetites according to geographical area.

Therefore, one can say that the overall risk appetite is a cumulative total of strategic, tactical and operational risks. Hence, as a first step, apportion the total risk appetite to different strategic objectives and plans. From the strategic objectives, further break down risk appetite for tactical and operational goals. Follow this method to align risk appetite from the top to the bottom of the organization. Finally, monitor the changes required by setting up measurement criteria at each level.

3.    Implementing Measurement and Monitoring Framework

Peter Drucker’s cynical observation was “Management by objective works – if you know the objectives. Ninety percent of the time you don’t.” This dilemma is caused because organizations are measuring a number of things, and frequently effort is spent on measuring non-critical aspects of the business. The need of the hour is to have a strong framework for measuring risk appetite and deviations and exceptions to it. Dropping the ball in this aspect sometimes results in losses in millions. Hence, implementing good measurement criteria for risk appetite is crucial for any business.

As a first step, develop a set of Key Risk Indicators and Key Control Indicators for the strategy and business objectives. These indicators will measure whether the propensity to take risks and the propensity to control risks are within the parameters specified by the risk appetite statement. For example, the strategic objective is to grow sales of product X by 100%. To achieve this objective, implementation plans would be developed and operations geared towards it. This may involve installing new machines for production of product X, developing a new market campaign, entering a new geography etc. After aligning tactical and operational risks to strategic risks, a deviation in any of them will reflect in the whole chain. The effect on interconnected risks and projects will be apparent. This continuous monitoring of risks will enable the organization to keep actual risks within the risk appetite of the organization. Secondly, as it is unlikely that the organization developed a completely accurate risk appetite statement the first time round, the monitoring will show the errors. The organization can go back to the designing phase and reconsider its assumptions and risks to further fine-tune the risk appetite statement. These juxtapositions spark fresh insights in re-sketching the risk appetite statement.

Closing thoughts

The short story is that risk appetite is an evolving concept that requires much more work and research. While developing risk appetite statements for organizations, risk managers get disheartened as they think they are zigzagging and backtracking between various risks, strategic objectives and business plans. It appears that they are following a lost trail. Though the concept is still fuzzy in some areas, it is a useful tool to manage risks within the organization. My suggestion to risk managers is to start with dipping your toes in the water and with practice, you can swim across the sea.

References

  1. Risk Appetite and Risk Tolerance – A consultation paper from the Institute of Risk Management,  May 2011
  2. Understanding & Articulating Risk Appetite – KPMG


Enterprise Risk Management V/s Strategic Risk Management

Now this post is going to get me killed; all the ardent fans of Enterprise Risk Management (ERM) will take their knives out and I will have to duck under the table to save my skin. However, as I am a dedicated risk activist, I shall ignore that discretion is the better part of valor and commit the folly of putting my thoughts in the public domain. So here are some of my radical thoughts about ERM not addressing Strategic Risk Management (SRM). For the sake of convenience and familiarity, I am using the COSO ERM framework for putting my opinion forward. Let us start with the definition of ERM:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

As the definition contains “applied in strategy setting” and “reasonable assurance regarding achievement of entity objectives”, it appears that the COSO framework is addressing strategic risks. Now let us consider the definition of Strategic Risk Management as given by the Risk and Insurance Management Society (RIMS) recently:

“Strategic Risk Management is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.”

The SRM definition clearly states that it relates to strategy formation and implementation. Secondly, it is talking about the upside of risks and not the downside of risks.

1. Confusion about meaning of SRM

The prevailing perception is that ERM is equivalent to SRM or that these are terms which can be used interchangeably. However, from the definitions themselves it is evident that these are two absolutely different things.

Secondly, some state that ERM facilitates viewing risks from a strategic perspective. Even if you read research papers, there is a lot of confusion on the term. For example, in the RIMS survey “Excellence in Risk Management VII Elevating the Practice of Strategic Risk Management” the top risks mentioned are business disruption, regulatory compliance and property. These risks can help in forming a risk management strategy for an organization. These are not risks relating to formation or implementation of a business strategy, hence they cannot be equated to strategic risk management. An example of strategic risk is the Swissair case, where the company decided to adopt a strategy of becoming a global airline and failed. In a more recent example, the Tata group purchased Jaguar and Land Rover to build international dominance in the automobile industry and the strategy hasn’t yielded many results.

2.  ERM focus is on operational, compliance and financial reporting risks

A detailed analysis of ERM frameworks indicates that they are focused on addressing tactical and operational risks. The negative aspects of risks are discussed elaborately for risk mitigation purposes. The four risk mitigation guidelines are: treat, transfer, tolerate and terminate risks. The risk avoidance strategies are mentioned in detail. The focus is normally on operational, financial reporting and regulatory risks.

3. ERM frameworks do not give methodology for exploiting upside risks 

The ERM frameworks mention the upside of risks but they do not give a methodology, tools or an approach to exploit these risks. ERM is considered a holistic framework, which addresses all risks. In my view, it has now become a hackneyed term where all possible risks are put without appreciating the finer differences in them.

Most of the ERM frameworks do not provide detailed guidance on risk managers’ involvement at the strategy formation and implementation stage. The link between business strategy and ERM is weak. Aaron M. Konarsky, in his research paper ‘Linking risk management to business strategy, processes and operations’, stated that “four in ten companies do not have formal processes to align risk management with corporate strategy”. Generally, risk management strategies are formed after business strategies are decided. The business strategy is taken as a base for risk management strategy. It indicates that frequently business strategies and risk strategies are not worked on concurrently. The risk management strategies do not explore risk as a business opportunity.

My observation is supported by the paper “Top Ten ‘Next’ Practices for Enterprise Risk Management- 2010 AICPA Survey Results” which specifies one of the bigger trends in risk management is to incorporate ERM into strategic planning process. Clearly, results are indicating that SRM is not being addressed properly.

4.  Identifying Strategic Risks

For clarity purpose, conduct two mental tests to assess whether a risk comes under SRM:
1. Does the risk relate to business strategy of the organization? That is, either business strategy formation or implementation.
2. How does the information relating to the risk impact strategic decision-making of the organization?

Examples of strategic decisions are – deciding to outsource or offshore processes, acquiring an organization, developing a new product line, changing financial structuring etc. Taking the example of offshoring processes, when risk managers provide to the CEO and board information about offshoring risks, then they are doing strategic risk management.

Closing thoughts

The finer differences between ERM and SRM need to be recognized. Although the focus on ERM has increased after the financial crises, there is still a long road ahead. The major challenges cited for ERM implementation are financial resources and management commitment. These two are interlinked; if management does not see demonstrated value, resources will not be allocated. Risk managers need to explore the idea of first focusing on SRM and then gradually moving to ERM. The logic behind this suggestion is that SRM is focusing on adding business value. With a good SRM initiative, management will see business value and it will become easier for risk managers to present a business case for full-fledged ERM.

This is a complex topic and definitely requires a few more blog posts for further discussion. In your opinion, are ERM and SRM the same or different? How do you think these should be approached?

References

  1. Book: Perspectives on Strategic Risk Management – Torben Juul Andersen
  2. Risk and Insurance Management Society – Excellence in Risk Management VII Elevating the Practice of Strategic Risk Management
  3. Top Ten ‘Next’ Practices for Enterprise Risk Management- 2010 AICPA Survey Results


Managing Political Risks

Last Friday, results of five state elections were declared. In two of these states, West Bengal and Tamil Nadu, the political landscape will change tremendously. Mamata Banerjee’s Trinamool Congress won the West Bengal elections and Jayalalithaa’s AIADMK won Tamil Nadu. Besides both the states favoring parties led by women, the victories are significant. Mamata Banerjee ousted the Left party CPI(M) after 34 years and Jayalalithaa knocked off the 2G telecom scam tainted DMK party. West Bengal voted for progress and Tamil Nadu against corruption.

The election results coverage got me thinking. In a large country like India, political risks change state-wise and these risks impact not only multinational companies but Indian organizations also. For example, the Tata Nano project in Singur faced a political backlash when farmers protested against the forceful takeover of 400 acres of agricultural land for the project by the West Bengal government. The Trinamool party supported the farmers and played hardball, and Ratan Tata took a decision to shift the project from West Bengal to Gujarat. One state’s loss was another state’s gain. West Bengal now is a financial mess. CPI(M) has left the state with Rs 2 lakh crore debt. To succeed as chief minister, Mamata Banerjee has to woo back industrialists and multinational investments to West Bengal. Will the corporate world play ball and take the risk of setting up business in West Bengal? Politicians are fickle, they change stance seeing the direction of the wind; can they be relied upon?

When political changes can severely affect business, a question that begs an answer is – how do organizations manage political risks?

In my view, political risks fall under the category of external strategic risks and organizations generally do some analysis about them at the time of investment. Insurers treat political risks as part of risk mitigation, by analyzing the countrywide risks and insuring the organization from negative impact. In my view, this strategy does not explore the golden opportunities accessible by leveraging political risks. Political risks if managed proactively can add tremendous business value. So let us discuss the various aspects of political risks.

The research paper “Political Risk Management: A Strategic Perspective” written by Witold J. Henisz and Bennet A. Zelner describes political risks faced by organizations as – “Individual firms confront different sources of policy uncertainty and political influence depending on factors such as their size, nationality, familiarity with the local environment, partner status, technological leadership and network of global stakeholders”. I like the definition as it encompasses all aspects of political risks.

1.    Boundaries of Ethical Lobbying

Governments and business generally are hand-in-glove but their relationship can change from trustworthy partners to arch enemies quite fast. For example, in the 2G-telecom scam case, DMK party person A. Raja favored Reliance, Tata and other telecom companies by waiving rules for allocating bandwidth. The Niira Radia tapes disclosed that there was a lot of lobbying from the corporate sector for the appointment of A. Raja as telecom minister. However, with the CAG report mentioning fraudulent activities, things have gone sour. Telecom heads are being grilled by the CBI and some are presently behind bars. This is a case where political relationships were used in an unethical manner to add business value. Hence, one of the major questions for managing political risks is – where is the thin line between ethical and unethical behavior and how does one stay within ethical boundaries to manage political risks?

This case clearly illustrates that participating in corruption, bribes and crony capitalism does not add business value to an organization. Political risks need to be managed while respecting ethical norms and legal laws. Flouting laws and government regulations because some businesspersons believe they are good buddies with the politicians doesn’t help their case in the long run.

2.    Fluctuating relationships

Business lobbies with government and political parties to get favorable policies and benefits. In India the various industry forums – NASSCOM, FICCI, CII etc. – provide a good base for organizations to have bargaining power with government. However, the government may not listen to their requests or may change its opinion at any time. For example, last year SKS Microfinance’s change of CEO put the focus on Micro Finance Institutions (MFI). The laws were immediately changed to protect the farmers in Andhra Pradesh. Cases of farmer suicide had increased as a few MFIs were doing collections by threatening farmers and their families.

A few companies’ mismanagement has resulted in the whole industry paying a heavy price. Within six months, the whole industry’s cash flows were impacted. An industry which was considered a cash cow is struggling to maintain liquidity. Again, a situation where the start of the relationship was good, as government needed micro finance companies in rural areas. However, because of their exploitative procedures the industry has painted itself into a corner. The industry as a whole lost its bargaining power.

The lesson here is that relationships need to be managed on a continuous basis. A sense of entitlement and privilege of organizations can damage the long-term relationships with government bodies. Organizations need to master the art of tightrope walking to add business value. It is never plain sailing with government, so don’t let your guard down.

3.    Foreign investments and relationships with multinationals

Everyone wants their place under the sun, and multinationals more so. They want a slice of the emerging markets from a strategic growth perspective. But the fear is always there that they are biting off more than they can chew. In India, state chief ministers clamor to get multinationals to invest in their states. They offer sops in the form of cheaper land, tax-breaks, easy licensing schemes etc. The courting period of state government and multinationals is sweet; it is hard to believe that things can go wrong. However, state governments, being infidel lovers, lose interest after the investments are made in their state by the multinationals.

The corruption factor also has to be dealt with. It is not unheard of for politicians, in order to grant licenses, to recommend local partners (including their relatives) and demand equity and other perks. Secondly, after the technology is transferred to the country, especially in the manufacturing sector, the multinationals lose bargaining power. The challenges for multinationals are to ensure that state governments deliver on the promises, continue with policies which are favorable for foreign investments and allow the free market economy to work. To do so the multinationals can use their respective embassy business relationship managers, local industry lobbies, their own country’s business lobbies and government. Lastly, multinationals should sign watertight agreements with government bodies so that the organization is not shortchanged.

Closing thoughts

Managing political risks is equivalent to walking on a landmine. Anything can erupt without much notice. It is a tough task to prepare after considering the political, economic and social uncertainties in the environment. Lessons can be learnt from some odd cases.

In my humble view, one of the finest examples of political risk management was demonstrated by Indian women. A few years back women in Bangalore pubs were physically assaulted by members of a political party in broad daylight. The political party workers’ stance was that it is against Hindu religion concepts for women to drink alcohol. Selective reading I say, as Indian historical books have quite a few anecdotes of women drinking. Coming back to the situation, Indian women, being docile, sweet-tempered and non-violent in nature, did put their delicately strapped foot down. They raised a campaign and sent truckloads of pink lingerie to the minister’s house. Never heard any news after that of any minister attempting to stop Indian women from getting royally drunk.

References

Political Risk Management: A Strategic Perspective Witold J. Henisz and Bennet A. Zelner


Should Risk Managers Get Into Strategic Risk Management?

As we look at Strategic Risk Management (SRM) from different lenses, the one key question which risk managers would be thinking is – whether they should bite the bullet or sit on the fence and watch the events unfolding before making a decision. The general hesitation on entering into a new field, reframing strategy or re-engineering processes is that one isn’t certain of what one will reap. The second aspect is that risk managers already have a lot on their plate, so does it make sense to add on more? Lastly, not much information is available on SRM and a little learning can be a dangerous thing. Risk managers’ interventions and assistance may cause more problems than provide solutions. My opinion is jump into the fray, and here are the reasons for it.

The first aspect to analyze is the value-add risk managers can give by taking up SRM. Would a fresh pair of eyes looking at business strategy benefit the organization? I read “The McKinsey 2010 Strategy Survey” results to understand the status of business strategy within organizations. The results show that most organizations are doing a pathetic job in forming business strategies, the processes are woefully inadequate and a big push is required in the direction. Here are some details of the survey:

1.    Status of Corporate Strategy Development Process

As per the survey results only a minuscule 6.5% of the participating organizations were “effective developers of strategy”. These 6.5% of respondents say that their companies follow a consistent strategy development process, and that management spends time in developing strategy, frequently reviews strategies and successfully implements them.

The challenges mentioned are:

-       20% of organizations view corporate strategy development as an aggregation of business unit strategies. Management does not make any exclusive effort on building a corporate strategy.

-       Just 8% of the respondents stated that their organizations review strategies on an ongoing basis. In 42% of cases, the organizations were not conducting annual reviews of strategy.

-       Approximately 14% of respondents said that their senior management spent 15% or more of their time in strategy development. In the balance, the time spent was much less.

I had mentioned in my earlier post that there is a huge opportunity for risk managers to form processes for strategy development in an organization. Across the board, this looks like the corporate world’s Achilles heel. Risk managers can put their organization ahead of the curve by leading the initiative.

2.    Components of Business Strategy

One of my grouses is that whenever “business strategy” is mentioned, normally corporate world inhabitants think of financial projections and numbers. Business strategy drivers are customers, suppliers, new competitors and new products, and these four can make or break the organization; however, organizations don’t focus on these. The McKinsey survey results show the same. Here are some of the issues:

-       Interestingly, respondents coming in the “effective development strategy” group consider macro level trends the most important, followed by performance of overall portfolio and industry dynamics, and rank financial projections fourth. However, other respondents consider financial projections the most important.

-       Competitors’ strategy, operational benchmarking, human resources and legal compliance still are not considered of significant importance by both categories of respondents.

It looks simple: to get ahead of the pack in strategy development, organizations can start focusing on business aspects of the strategy besides the financial numbers. Risk managers can contribute by doing knowledge management on these aspects. They can do market surveys, business impact analysis, test marketing, market research etc. to identify areas for exploiting risks to add business value.

3.    Implementation of Strategy

 Strategic failures are largely of two kinds - either the strategy was poor or the implementation was poor. A significant number of strategies fail because senior management did not remove the roadblocks for implementation. The organization structure, processes, resources remained the same while strategy changed drastically. Hence, the gap in strategy and operational execution widened.

Larry Bossidy, in the introduction to the book “Execution - The discipline of getting things done”, says, “My job at Honeywell International these days is to restore the discipline of execution to a company that had lost it. Many people regard execution as detail work that’s beneath the dignity of a business leader. That’s wrong. To the contrary, it’s a leader’s most important job.”

Just to highlight the dismal situation I am going back to the McKinsey Survey results. According to it, 32% of the effective development strategy group state that they have no barriers to implementing strategy. That means, even in the effective development strategy group, around 68% do face problems. The situation is far worse for the other respondent group. A minuscule 11% state that they have no barriers.

Secondly, 32% in the effective group and 51% in the other group state that decision makers are averse to taking risks and see emerging business opportunities as riskier. Now this is a clincher for risk managers to participate in SRM. First, risk managers can offer better information and analysis to the decision makers on implementation challenges. Second, they can do continuous monitoring of risks during implementation. The decision makers will be more confident to exploit opportunities.

Closing thoughts

It appears that organizations are failing the acid test of building robust corporate strategies. On a lighter note, their strategy seems to be not to have a strategy. It is a huge opportunity for risk managers to add business value, and turn themselves from cost centers into profit-adding resources. The next big question is the knowledge and skills required for strategic risk management. I hope that in the next few posts I can shed some light on these aspects.

References

 McKinsey Survey: Creating more value with corporate strategy


Risk Managers – Change Mindset For Strategic Risk Management

In the previous post, I discussed the role risk managers can play in Strategic Risk Management (SRM). In my view, to enter into the SRM arena, risk managers need to change their own mindset first. Presently the risk management function focuses on mitigating operational risks at micro level and hedging financial risks. To add to the confusion, people equate SRM to Financial Risk Management. In my view SRM is more than hedging of risks, as this is risk mitigation where risk is viewed as a threat. Business strategy covers market, operations, finance, resources and products. Hence, SRM encompasses exploiting the upside and protecting the downside of business strategies across functions to increase business value.

Risk managers are nowhere near addressing the strategic risks.  As per the survey “Fall guys : Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG”  - just 41% of the organizations involve risk management function in formulating and implementing corporate strategy. The gap is huge and risk managers need to restructure and reframe their departments to focus on strategic risk.  I am giving here three suggestions for risk managers to bring about this change.

 1.    Fragmented risk management departments

The risk management function in a large organization consists of internal audit, compliance, information security, disaster recovery, fraud risk and physical security departments. Sometimes these departments are integrated and report to one Chief Risk Officer. In some organizations, these departments report to different functional heads, namely Chief Financial Officer, Head of Shared Services, Chief Technology Officer etc.

These departments are all focused on addressing the financial and operational issues of the business. None of them has the objective to provide a strategic level understanding of business risks to the CEO and board. When the department structuring and key performance indicators are incorrect, it is not possible to address larger issues of the business. The first step is to restructure the risk management function and prepare an annual plan incorporating time for addressing strategic risks. The risk management function should integrate and embed itself in the organization framework.

2.    Risk managers focus on negative aspects

Generally, on checking risk registers one will find negative aspects – threats and weaknesses with a “what can go wrong” analysis. Risk registers do not contain the opportunities business managers can exploit to increase business value. The positive aspects or the upside of risk are not evaluated by risk managers. Without it, how can they contribute to strategy? According to the Economist Intelligence Unit survey, senior managers think the risk management function’s top three objectives are identifying new and emerging risks, enabling managers to make better business decisions and ensuring corporate survival.

Sit back and think about it, how many risk managers have effectively contributed towards these objectives in the last year. Risk managers need to start working towards being business partners and enablers. That is, focus on the constructive aspects and become solution providers.

3.    Supply not meeting demand

According to the Economist Intelligence Unit survey, the top three activities that risk managers focus on are conforming to regulatory requirements, securing corporate reputation and image, and stemming financial loss. The top three risks that senior management are concerned about are weak demand, instability in one of the major markets, and financial market instability. In the analysis of the top ten, some of the risks mentioned in the senior management demand and risk managers supply chart are common. However, it is clear that there is variance between senior management requirements and risk managers’ fulfillment. What is demanded is not supplied.

Hence, it shouldn’t surprise risk managers that senior management is frustrated and does not see value add from their role. Risk managers need to get a better understanding of senior management expectations to become involved at strategic level. Leave the risk management jargon at your desk and focus on understanding business strategy.

Closing thoughts

Risk managers need to develop a holistic view, look at the big picture and understand macro level risks. The focus should shift from identifying micro level financial and operational weaknesses in the business to the strategic level. Risk management functions need to rebrand themselves from being problem creators and nitpickers to business partners and positive contributors. The doors to the CEO and board cabins will only open when risk managers effectively address strategic business risks and demonstrate to the board their business understanding and usefulness.

References:

  1. Fall guys : Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG


Risk Managers’ Role in Strategic Risk Management

Nowadays Strategic Risk Management (SRM) is a smoking hot discussion topic amongst risk managers. Traditionally strategy formation comes under the ambit of CXOs and the Board. The CFO and strategy consultants do the number crunching, operation heads present the business case and the board approves the same. However, SRM is gathering viral attention, hence the question that needs an answer is – where does the Chief Risk Officer (CRO) fit into this game plan and what value addition do they provide to management?

The pet peeve of CROs is that they are not involved at board level, and of CEOs is that CROs don’t provide value addition at strategic level. The tug of war can end if CROs are able to provide value addition at strategic level, as this will get them the desired visibility at board level. I am presenting some of my thoughts on the role risk managers can play in the strategic risk management field. Let us discuss these and share your viewpoint with me.

To put forth a CEO’s perspective, Andy Grove in an interview in 2003 had said on strategy, “None of us have a real understanding of where we are heading. I don’t. I have senses about it. But decisions don’t wait; investment decisions or personal decisions don’t wait for that picture to be clarified. You have to make them when you have to make them.”

This indicates the basic challenges CXOs face in strategy formation and implementation. Some strategies, for example those of Facebook, Google, and Apple, worked in the long run despite the odds, and some failed although the conditions were favorable. When we see known brand names suddenly collapsing due to adoption of incorrect strategies, our reactions range from “In my wildest imagination I didn’t think this strategy was incorrect” to “Why didn’t the company see it, disaster was written all over it, except a neon sign stating so.” Then what does it take for a strategy to be successful: plain luck and intuition, or is there more to it?

In my view, corporate strategy is akin to a war strategy, and the same rules apply. To quote Sun Pin from Art of War:

“One who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious and sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement.”  

Hence, to formulate a winning strategy to gain market share and profits, or for any other business segment, having accurate information is essential. The best way forward for CROs is to understand the limitations of the strategy formation process and provide the support to remove the roadblocks.

1.    Establishing a Strategy Approval Process

The assumption is that CXOs and Boards have numerous strategies to choose from and an informed decision making process is followed to make critical decisions. In some organizations, this is not true. The situation reminds me of a Dilbert strip saying “Once again our only line of profitable business is intentional billing errors.”

The catch is that when business heads present a strategy to CEO and board, the other CXOs rarely raise objections and there is limited healthy debate. Reasons vary from attempting to be politically correct towards the business head presenting the strategy, or presenting views contrary to the CEO, to lack of interest as they themselves have a large organization to manage. Whatever be the case, strategies sometimes do not get the due attention they warrant. This generally results in the organization not having an alternative strategy to choose and weigh the pros and cons.

On the other hand, when an organization has a formal strategy approval process, the board is able to take informed decisions. There is less reliance on gut feel, intuition and half-baked information. A formal strategy approval process includes steps for formation of strategy, the required vetting and due diligence, developing alternative strategies, evaluating past failures and presentation to the board. CROs as a first step can introduce a formal process or review the existing one and suggest improvements.

2.    Focusing On Organization Psychology

Organization and CXO behaviour and attitudes affect strategy selection. CXOs are generally confident and over optimistic by temperament. They are unable to identify their blind spots in their thinking and are sometimes caught in a psychic trap. Their teams do not give them a candid picture due to fear of punishment, corporate orthodoxy and confirmation bias. Hence, while the assumption is that all pros and cons are evaluated, this is rarely so.

Secondly, reports indicate that organizations that are doing badly are prone to take higher strategic risks. This could be because of organization culture and a desperate need to show revenues. This can also be attributed to distorted perceptions of reality. An outsider would think that if management had a lick of sense, the strategy wouldn’t be chosen. However, the internal perceptions are such that all resources are committed to it.

The third aspect is that some strategies are not offered by staff because of fear of failure. The psychology is that if the risk is high in a strategy, a staff member may not present it because the probability of reward is low and punishment is high. If employees are individually responsible for strategy formation, failure of a strategy results in job loss, decline in bonus etc. Hence, personal interests supersede the desire to contribute to corporate success. In such cases, employees actively deceive the organization for personal safety and interest.

Developing an organization culture that is transparent, allows constructive confrontation, and rewards initiatives even if not successful is necessary for proper decision making at strategic level. CROs need to focus on building a healthy organization psychology to ensure good strategies are selected.

3.    Measuring Risk Appetite

CXOs tend to sway from risk avoidance to excessive risk exposure. Without risk taking an organization cannot operate, as complete risk avoidance would damage business. On the other hand, without considering the downside of a strategy, an organization may reduce business value. Management sometimes do not know the total value of risk that an organization can take to leverage business growth.

Another aspect is that sometimes CXOs are unsure in which areas they can undertake risk exposure. For example, while investing in another country, the country laws may prohibit investments beyond certain limits. Hence, if the organization is looking for bigger markets these clauses may limit its potential to go solo. Here, at each stage of investment, risks need to be measured to ensure business continuity.

Hence, the best way to measure risk taking is to assess whether the value of business increases with the risk taking. That is, the upside and downside of a strategy should be evaluated. For example, management may consider future profitability with the negative consequence of higher borrowings for capital investments. CXOs need to focus on exploiting upside risks and reducing potential downside risks. CROs can play an active role in assessing the risk appetite of the organization in total and of its various strategies. As Sun Tzu stated “One who knows when he can fight, and when he cannot fight, will always be victorious.”

4.    Improving Corporate Governance

The underlying assumption in strategy selection is that the one benefitting the organization’s best interests will be chosen. The human factor is ignored as the decision makers primarily consider their own interests first. Studies state that strategic risk taking differs for owner and professionally managed organizations. The three situations are:

a.  Decision-makers having limited stake in equity prefer risk avoidance, as they do not profit from the benefits of risk taking.

b.  Decision-makers having extensive stake in the organization are risk averse, as they fear losing significant portion of their wealth.

c.   Decision-makers owning diversified investment portfolios take balanced risks after considering the types of risks.

 According to the report “The venture capital and private equity investors who provide equity for young, high growth firms are perhaps the closest that we get to this ideal. They invest significant amounts in high-growth, high-risk businesses, but they spread their bets across multiple investments, thus generating diversification benefits.”

 Hence, corporate governance practices of appointing independent directors, formulating investment committees, management pay committees and risk management committees enhance strategic decision quality in organizations. Risk managers should focus on developing corporate governance practices, which ensure independent decision-making.    

5.    Independent Evaluation of Strategy

Strategy makes or breaks the organization, and management is spring-loaded to believe that a strategy presented by a business head is properly evaluated for pros and cons. The assumption is that SWOT analysis covered all threats and opportunities hence risk assessment is complete. However, this is far from the truth. Generally, a rosy picture is presented by the teams if they believe that CEO & board are in favour of a particular strategy or deal. The reasons for not adopting the strategy are not assessed properly.

Secondly, the assumptions taken for a particular strategy can be significantly incorrect. For example, when McDonald’s entered the Indian market they estimated huge market potential. The menu was the same as that served in the US. After incurring losses for 2-3 years, the management understood that Indians prefer spicy burgers and do not eat bland food. Now the menu has Chicken Tikka burgers, which no American would be able to fathom as a McDonald’s product.

Last but not least, the projected numbers may be overly optimistic as the people preparing the strategy are too close to the project to evaluate negatives. Hence, an independent check on the financials is a good move.

One of the techniques to encourage independent evaluation is to develop failure scenarios for the strategy. Assume conditions under which the strategy fails, and then determine risk mitigation plans for those situations. Risk managers should recognise that the strategy is not iron clad and a change in assumptions, financials and additional information can facilitate evaluating the strategic risks.

Closing thoughts

The list above is not exhaustive and risk managers can definitely add more value by developing knowledge management systems to provide accurate market information and crisis management teams to facilitate a situation where a strategy is failing. Identifying early warning signs of strategy failure prevents the organization from going too far in the wrong direction. It also ensures that sunk costs for incorrect strategies are minimized and new strategies are adopted at the earliest. Risk managers can play a critical role in this area; the question is – are they willing to take up the challenge?

References

  1. Strategic Risk Management
  2. Andy Grove on the Confident Leader by HBS
  3. How CFOs can keep strategic decisions on track by McKinsey Quarterly
  4. Distortions and deceptions in strategic decisions by McKinsey Quarterly


Auditors Create Caustic Work Environment

When I say auditors create caustic work environment, I expect an indignant response from auditorville to the effect – “What are you saying, we are beacons of decency and always walk the high moral ground.” A question that begs an answer is – have auditors acknowledged the angst of business teams and if so, what have they done about it? Auditors sing paeans about their positive contribution to business operations. However, business teams frequently hold the opinion that auditors badger and bulldoze them. Such contrarian views create disharmony in the working environment. Hence, to some extent auditors can be said to be contributing to building a negative work culture.

Now before going on the defensive, just hear me out. As auditors, we sometimes build walls between audit and business teams without realizing that we are doing so. As clichéd as it may sound, our attitude and approach cause negative perceptions and build resistance amongst business teams. From being harbingers of building a risk culture in the organization, we become potent controversy creators.

Let me give a few examples here and some suggestions to corroborate my statement. Tell me whether you agree or disagree with the scenarios mentioned below.

1.    Park your ego at the door 

Whenever I read a blog and have to close an advertisement to see the text, I am irritated. I wonder why I am being forced to read an advertisement when I wish to read the article. I didn’t sign up to see a large advertisement covering the text. Having to close the advertisement interrupts my desire to read the blog post and is a cause of annoyance.

Come to think of it, as auditors we are equivalent to these advertisements to business managers. Audit projects interrupt their smooth operations, as business managers prefer focusing on their key result areas. We are irritants to them and can become a source of stress if not managed properly. 

A few auditors deal with business managers with a sense of narcissistic entitlement.  Auditors somewhat falsely believe since they are auditing the work of business teams they have the upper hand and are superior. In some cases, without having knowledge and experience of business operations, auditors still believe that their opinions and suggestions must be accepted by business managers.

Sometimes auditors forget that the business managers have a different set of strengths and must be appreciated for the same. Rather than adopting a command-control structure, a positive culture is formed when auditors handhold the business teams.

2.    Don’t make a mountain of a molehill

Ever felt the urge as an auditor to present a B or C level observation to senior management as if the sky is falling, just to settle an old grouse with the business manager and show him/her in a bad light? Well, you won’t be the first one, and as humans, all of us feel tempted sometime in our career to be spiteful. However, each such incident causes distrust amongst business teams.

To put it bluntly, auditors enjoy the privilege of having access to confidential information of the organization and to senior management. If they wish, they can abuse this power by politicizing audit observations to harm business teams. Each audit project gives auditors new ammunition to use against business teams. The idea to politicize audit report findings may appear tempting; however, auditors end up creating potential hurdles for themselves.  Whenever an audit is scheduled business managers would perceive that they are dancing with wolves and will be eaten alive for lunch.

Auditors need to take care that they do not damage anyone’s credibility. They need to empathize with the business managers and work together with them to resolve organization issues.

3.    Don’t take yourself so seriously

The key to building good relationships is to communicate in a manner where the receiver first gets a message that generates positive emotions. After making the emotional deposit, then maybe share a critical view and then again make an emotional deposit. This ensures that the receiver is positively inclined to take negative feedback and initiate dialogue. However, sometimes auditors don’t spend time on niceties. Auditors have the reputation of being brusque and humorless. They carry the serious furrowed-brow look, which makes them somewhat unapproachable to business teams. Without humor and empathy, forming socially harmonious relationships becomes challenging.

If you don’t believe me, read the story below to understand the sentiments of the business teams for their auditors.

 A senior auditor and business manager were kidnapped. The kidnappers called the CEO for ransom money threatening to kill both of them. The CEO did a quick math and said “Go ahead and shoot them, in the ransom money amount, I can hire 20 more.”

Now the kidnappers asked the auditor what his last wish was. The auditor said – “It has saddened me to hear that my CEO, for whom I have worked for 20 years, has no value for me. I have always worked diligently; hence as my last act on this earth I would like to read out my audit report to the business manager.”

The kidnappers saw no harm in the request and asked the business manager his last wish. The business manager looked deeply into the eyes of the auditor and requested pleadingly to the kidnappers – “Shoot me immediately”.

 Closing Thoughts

In my view, one of the important things to do to make an audit project successful is to make collaboration enjoyable for the business teams. Auditors have the choice to be enablers, navigators or roadblocks to the success of business teams.

According to you what lessons should audit teams learn to improve the working environment of audit projects and develop stronger relationships with business teams?


Peacetime Vs Wartime Risk Managers

I read the article “Peacetime CEO/ Wartime CEO” on Ben’s Blog authored by Ben Horowitz describing the different attitudes and approaches required from a CEO during peacetime and wartime. It got me thinking whether this applies to risk managers too. Do risk managers need to have different traits and approaches during wartime and peacetime?

Then I read the post “How to scope an audit of thingamajigs” on the IIA Marks on Governance blog, where Norman Marks says that even in complex situations the regular approach to an assurance project can be applied. I beg to differ on it. In my view, a wartime risk manager needs to think differently.

Now the first question is do risk managers really face wartime situations? A definite yes, let us consider the Satyam example. The company was doing fine, until one day the CEO disclosed that he had defrauded the company to the tune of Rs 7000 crore or more. Now this is definitely a wartime situation for a risk manager to manage.

In the normal course, a risk manager in an assurance or advisory role has the time to plan for an assignment, go in depth and then issue a report with findings. However, let us approach it from a fraud investigator’s viewpoint. Let us say the fraud team discovered a one million dollar fraud and it suspects employee involvement. Now the approach of the fraud investigator will be to determine the modus operandi of the fraud and identify suspects. As a prevention measure, the investigator needs to involve management to suspend the suspected employees. This is to ensure that suspected employees do not commit further frauds or destroy evidence. Simultaneously, the investigator needs to assess whether the fraud loss money can be recovered. The response time for these first three actions is 24-48 hours from discovering a fraud. After reporting preliminary investigation findings to management, the investigator has some time to do the detailed investigation, assess the legal way forward and determine reputation damage when the case gets media attention.

A million dollar fraud in a large organization can start a small fire; however, the sky is not falling. Let us envisage a situation where the roof is crashing over the heads of senior management; then what does the risk manager do? As written by Ben Horowitz, “In wartime, a company is fending off an imminent existential threat”. In such a situation, the wartime CEO is looking for support from risk managers to deal with the threats. Quoting Mr. Horowitz again – “Wartime CEO is too busy fighting the enemy to read management books written by consultants who have never managed a fruit stand.” The point is that in wartime CEOs are not interested in long drawn out reports, hence the risk managers need to be action oriented. Risk managers need to change their stance from a recommendatory staff role to a leading line command role to manage risks.

Let us take here a scenario where the organization is in wartime and the risk managers’ role becomes frontline. A CEO of a large multinational discovered that in one business unit extensive fraudulent activities are occurring. The business unit heads have established a deviant organization culture and are taking bribes, kickbacks and misappropriating funds. The value of the fraud is not known and the CEO suspects that nearly 200 employees are involved in it. In such a case what advice should risk managers give to the CEO to manage this forest fire?

In my opinion, the following are some key aspects that a risk manager should consider to manage the crisis:

1.   If 200 employees are involved including senior members, can they be simultaneously suspended or terminated without affecting the business? Should the short-term replacements be from other business units or external temporary hires? Does the management have the political will and support to pull off this level of terminations? It is not a good idea to move the culprits in another part of the organization since they will contaminate the good units with destructive management practices.

2.   As frauds are occurring in the business unit, is it at a single location or multiple locations? If multiple locations, is it worthwhile to depute separate fraud investigation teams at different locations? These teams can simultaneously assess damage at multiple locations and defuse the situation. Investigating one location at a time may prolong the period, give suspects the opportunity to damage evidence and stress out the organization.

3.   Formulate a strategy for recovering the money from suspects or third-party beneficiaries of the fraud payments. Does the organization have leverage to recover money from the suspected employees?

4.   Obtain a legal opinion on how law enforcement agencies can help the organization and the process of pursuing criminal case legally against the suspects. The organization might need to pay a heavy price for taking a legal course of action; however, a tough stance will act as a future deterrent to existing employees. The organization should also envisage that as a number of employees are involved they might put up a dirty fight to browbeat the organization into submission.  The organization should look for ways to distance itself from criminal and illegal behavior quickly.

5.   Develop a communications plan for internal circulation to employees and addressing the media. The employees’ morale will be negatively impacted and needs to be carefully managed to ensure minimum resignations. Secondly, external reputation damage from media coverage should be assessed.

6.   The organization should simultaneously start working towards establishing good corporate governance, business ethics and risk management practices. This will send out positive messages in the staff and customers and prevent a repeat occurrence. If whistle-blowing process is not working, this should be re-established promptly. Start focusing on building a constructive organization culture immediately to heal the organizational wounds.

In such wartime situations, sometimes management and risk managers are like a deer trapped in front of the headlights of a car. One is frozen in fear and indecision, not knowing which direction to move. However, this is dangerous since the cost of not doing anything is higher to the organization than the cost of legal actions and reputation damage. The following verse by Abe Gubegna, Ethiopia, circa 1974, aptly describes the wartime situation:

Every day in Africa a gazelle wakes up.
It knows it must run faster than the fastest lion or it will be killed.
Every morning a lion wakes up. It knows that it must outrun the slowest gazelle or it will starve to death.
It doesn’t matter whether you are a lion or a gazelle.
When the sun comes up, you better be running.

Coming back to the beginning.  Do you think that wartime risk managers require a different skill set to address organization risks?
