Risks have well-known similarities. All risks present a potential impact on an organization and management also does not know if or when they will transpire. However, there are also important and distinguishing differences among major categories of risk that should be considered. Not all risks should be subjected to the same assessment methodology.
Four kinds of risk
For this discussion, we segregate risks into the following broad categories: strategic risk, operational risk, financial risk and compliance risk.
- Strategic. This is the risk that the business model is not effectively aligned with the strategy or that one or more future events may invalidate fundamental assumptions underlying the strategy. These risks relate primarily to the external environment (e.g., the actions of competitors, changing customer wants, technological innovation and the actions of regulators).
- Operational. This is the risk of one or more future events impairing the effectiveness or viability of the business model in creating value for customers and achieving expected financial results. These risks relate to the various business activities along the value chain within which the organization’s business model is applied (e.g., the supply chain, customer fulfillment processes, human resources, information technology, key channels, key customers and end users).
- Financial. This is the risk that cash flows and financial risks are not managed cost-effectively to (a) maximize cash availability and preserve liquidity, (b) reduce uncertainty of currency, interest rate, credit, counterparty and other financial risks, or (c) move cash funds quickly and without loss of value and at minimal cost to wherever they are needed most.
- Compliance. This is the risk of non-compliance with laws, regulations, internal policies and/or contractual arrangements resulting in penalties, fines, increased costs, lost revenue and/or reputation loss. Financial reporting is a form of compliance risk for public companies.
Measurement and time horizon
There are different ways to distinguish these four categories of risk. First, there is susceptibility to measurement. The above categories of risk are not subject to the same level of precision from a quantification standpoint. Strategic risks, as defined above, arise primarily from invalid assumptions and a lack of alignment in execution. Given their nature, the analytical framework applied to these risks must be more qualitative than for other risks.
For example, interest rate and other price risks are easier to size in terms of their impact on the business by using scenario analyses, stress tests and value-at-risk frameworks that take into account changes in the economy and market volatility. Strategic risks arising from invalid assumptions, on the other hand, are more about obtaining sufficient knowledge of expected economic trends, competitors, customers, suppliers, regulators and other external environmental factors to evaluate whether the critical assumptions underlying the strategy remain valid.
Second, there is time horizon, the period of time over which management assesses the level of risk and the alternatives for managing risk. The longer the assessment horizon, the more likely a stated scenario or event could occur. Because they are a function of the board’s and executive management’s long-term view of the market and the expected pace of change, strategic risks have a longer time horizon than other risks.
By contrast, operational risks typically have a shorter horizon, as they are often evaluated in the context of the business planning cycle. For instance, one company’s board requested that management conduct two risk assessments: one for one year, to mirror the horizon for the annual budget, and the other for three years, to mirror the horizon for the strategic plan.
The time horizon can be a significant factor in determining the currency of the organization’s risk assessment in a rapidly changing environment. The time horizon also can have an impact on management’s risk response options. For example, some issues, such as a capacity shortage at a manufacturing company, can be quite severe over the short term. However, most risks, including capacity, are less of an issue over the longer term because management has more flexibility to make adjustments.
2012, May 18 
0 comments
Print
Digg