- What is our risk taxonomy? Just listing risks in an ever-expanding inventory is not enough. An effective risk management foundation requires structuring the forces that have an impact on a company’s worth and survival. Risks need to be categorized in a systematic way and into components that together are exhaustive (all possible risks are covered) and exclusive (no risk is included more than once).
Many industries have begun to develop a generalized structure suited to the risks that have the most significant impact on value in that particular industry. No taxonomy is perfect. Some important forces are not well integrated into the standard approach. Reputation risk and liquidity risk are two such areas. A role for directors is to recognize where integration is needed and to help their company’s management team make the necessary changes. But, more important, once a workable foundation has been established, they should encourage the company to move forward to the next question. - How do we quantify risk? Significant attention has been paid to risk measurement and the inaccuracy of some past measurements. These inaccuracies point out the care and judgment that risk quantification demands. But with due regard for its limitations, the mathematical discipline of probability and statistics continues to provide a useful language for discussing risk. Broadly speaking, there are two compatible approaches to measuring risk. One is to forecast a possible future, then calculate and study the impact that that future would have on the company. This is called stress testing or scenario testing. The other is to take statistical measurements of the company’s assumed probability distribution of future values. Value at risk is one such measure, among many others, that seeks to quantify the “riskiness” of a range of potential outcomes.
Risk quantification enables the management of risk. Once the method and assumptions are agreed upon, the quantification needs to be embedded in the decision-making process so that day-to-day decisions can incorporate risk. But, any quantification system will have its limits and needs reasoned judgment, not strict adherence. That is, it is necessary to simultaneously: (1) accept the quantification and (2) question the quantification. It seems reasonable to suggest that a director is likely to be more valuable when questioning the quantification methods and assumptions. - What is our risk appetite? Risk appetite can be broadly defined as “a measure of the amount of total risk a company is willing to accept in pursuit of its business goals and objectives.” Making such a definition concrete and actionable is a task to which risk quantification is well suited. As an example, consider value at risk. Value at risk is the statistical measure of the maximum amount of money that can be lost with a defined level of probability over a defined period of time. If the maximum loss is set at the company’s capital and the time period is set at a year, we can solve for the probability that the annual loss is bigger than the capital, i.e., the probability of insolvency. One component of a company’s risk appetite then can be defined as the amount of capital it wishes to hold, as a buffer, above this level of solvency support.
A good risk appetite needs to consider other components, too. In addition to capital adequacy, risk appetite should address earnings volatility to ensure that value growth and dividend capacity are not compromised by acute incidences. Liquidity and brand (reputational) risk are two other dimensions that should be included.
But the most important attribute of an effective risk appetite statement is the connectivity between board-level, strategic statements of appetite and the operational level tolerances and limits that ensure that day-to-day business decisions are carried out in concert with the appetite. Without this connectivity, a risk appetite statement is aspirational at best, and at its worst, it creates a dangerously false sense of security. - What return are we generating for the risks we take? There is no reason to take on risk if doing so does not confer value above what a risk-free investment would return. This holds true for the risks a company solicits and takes on proactively as well as those that emanate from its business activity, like operational risks.
A company that takes on risk proactively and has a competitive advantage in understanding and managing that risk—perhaps better information, scale, or a barrier to entry—can expect to earn a higher-than-average return. Where a competitive advantage does not exist, only an average return would be anticipated. As a corollary, then, skepticism is warranted when a high return is promised without a supporting competitive advantage.
This question is particularly germane in probing the risks of new business activities. Are we going to generate an adequate expected return for undertaking these risks? Are the risks within our appetite? And is this where we should deploy our capital? - How do we separate responsibility for risk-taking from responsibility for risk management? Given our inability to predict the future, directing efforts to ensure an unbiased assessment of risk is essential. Separating responsibility for quantifying risk from the responsibility for using that quantification is necessary but by no means straightforward. Both are certainly the responsibility of the CEO and the board of directors. Better attention needs to be paid at a higher level to the interaction between a company’s business lines and the entire company’s risk. Risk-takers and risk managers need to cooperate and work effectively together. This is nowhere more evident than in operational risk, where business leaders need to communicate fully and frankly the risk inherent in their operations, even if doing so may increase the return required.
- How do we include risk when we compensate risk-takers? Greater risk-taking should yield greater returns. Motivation simply to increase returns without incorporating the cost when more risk is assumed will not yield appropriate behavior in risk-takers. If compensation is going to reflect the value that the risk-taker provides to the company, then it should also reflect the risk to which the company is exposed by the risk-taking. Compensation needs to be risk-adjusted. Furthermore, when motivating risk-taking behavior, in addition to incorporating the costs of increased risk, it must be understood and acknowledged that the results of risk-taking can vary randomly. Consideration should be given to whether the observed result is within the range of possible outcomes. Was this a randomly good or a randomly bad outcome? Are the outcomes over time doing better or worse and why? A consistently better outcome with no competitive risk-taking advantage bears closer inspection.
- How do we ensure that our risk management is performing well? Risk management is not the art of predicting the future—it is the science of organizing the factors that can have an impact on a company’s worth and measuring what that impact could cost. Armed with this information, the goal is twofold: (1) to reduce the impact of uncertainty without unnecessarily diminishing returns and (2) to contribute to increasing returns without unnecessarily increasing risk. While measuring risk management performance based only on events unfolding according to predictions is too simple and flawed, it does not mean that performance cannot be measured.
There are two dimensions to judging how well risk management performs: (1) how effective management was in recognizing potential risks and (2) how effective management was in recognizing the impact of those risk factors on company value. Performance typically cannot be judged based on only one outcome. But over time, outcomes can be compared to the predicted pattern.
Finally, it is worth noting that “conservatism” is not automatically a virtue in risk management. Frequently, positions can be taken on either side of a risk, long or short. Likewise, missed opportunities due to overcharging for a risk can also lead to lost value. Being too safe is no safe haven. So the standard against which risk management performance should be measured is comprehensiveness of coverage and accuracy of assessment, and the criteria established by an ongoing program to improve.
Authors: Eric Krell, Henry Essert
Source: Risk Test: 7 Answers You Need to Know
Subjects: Corporate Governance Questions, Risk Management Questions
Source: Risk Test: 7 Answers You Need to Know
Subjects: Corporate Governance Questions, Risk Management Questions
There Are No Comments
Click to Add the First »
Click to Add the First »
