This article first appeared in KPMG Agenda, Issue 4, Oct/Nov 09.
Risk management is in the dock, accused of partially precipitating recession. Yet paradoxically, the magnitude of the crisis has taught many companies one salutary lesson: those who fail to grasp that every reward comes with a risk attached – and misunderstand that risk – are in trouble.
“The credit crunch has highlighted not only financial risks – but all risks,” says Oliver Engels, an internal audit, risk and compliance services partner based in KPMG’s German firm. “One reason we had the credit crunch was companies measuring liquidity risk, credit risk and operational risk – but not all the other risks.”
For René Stulz, chair of banking and monetary economics at Ohio State University, it is too simple to blame the discipline of risk management: “The fact that an institution makes an extremely large loss does not imply that risk management failed or that the institution made a mistake.”
After studying the collapse of Long Term Capital Management (LTCM), the U.S. hedge fund rescued in 1998 by a US$3.65 billion Federal Reserve bail-out, Stulz notes: “The only argument one could make is that managers took risks they should not have, but that is not a risk management issue as long as the risks were properly understood.
Rather, it is an issue of assessing the costs of losses versus the gains from making large profits.” Stulz points out that top management held large stakes in the big U.S. banks that collapsed recently and had every incentive to avoid taking risks knowingly – but still their institutions went under.
He identifies half a dozen mistakes companies commonly make: relying too much on historical data; focusing on narrow measures; overlooking knowable risks outside the normal risk classes; overlooking concealed risks; failing to communicate and not managing in real time.
Preparing for the Next Crisis
On the big question – how do you prepare for the next crisis? – Stulz urges companies to take a leaf out of the disaster management handbook: use scenario analysis to understand the ways a crisis might unfold, and plan how you would respond to each.
Stulz says risk managers should not rely solely on statistical models: they must think about how crises could unfold. “Such a scenario requires economic and financial analysis. It cannot be done by risk management departments populated only by physicists and mathematicians.”
One concept whose time may finally have come is enterprise risk management (ERM). Mike Nolan, global head of risk and compliance for KPMG and partner in the U.S. firm, says the old worry – that it was hard to gauge ROI on ERM programs – is no longer valid. He says there are plenty of quantifiable ERM outputs: decreased variability in financial results, as well as reduced hedging and capital costs. “Used proactively, ERM can help avoid the risk management failures that precipitated the current crisis,” he says.
The obvious thing to do – appoint a risk manager – can, Engels warns, be damaging if it means others no longer feel responsible for risk. “You need a person called a risk manager for binding things together. It does not have to be at board level, but the risk manager should have direct access to the CFO or CEO. At some companies, the job is too far down the food chain.”
As risk management moves up the agenda, it could overburden companies. Engels warns: “A lot of companies have risk, compliance, internal control and internal audit – so you have four risk assessments. That’s wrong.” He proposes a single assessment that looks at risk in terms of each of the requirements, with each function being represented on the risk committee.
"It’s longer and more cumbersome to do it for all four, but it ensures nothing slips between the chairs,” says Engels. He believes that a narrow approach to risk management contributed to the credit crunch. “Companies did what was necessary for regulation, but nothing more. They did a compliance exercise, but not so as to challenge their own business.”
Best Practice Steps
Here are ten steps which can help companies better focus on risk. They will be most effective when considered in unison. Risk management can help to lower the cost of capital and open up new profit opportunities, but only if all your efforts are coordinated under one strategy.
Adopt a champion. If companies fail to consider risk, they cannot manage it. Who takes responsibility is crucial. Appointing a risk manager is not the whole story. Stulz says: “If risk is everybody’s business, it is harder for pockets of risk to be left unobserved. And if employees’ compensation is affected by how they take risks, they will take risk more judiciously.”
Someone must accept ownership of risk and that person must be on the board – or directly answerable to it. Engels says: “Responsibility for risk has to be with those who take business decisions.”
That said, in a recent Economist Intelligence Unit/KPMG survey of executives, only 30% think their organizations spend enough time discussing risk at board level. In most companies surveyed, chief risk officers play no role in strategic initiatives. Half the businesses have no risk committee and don’t intend to appoint a director with risk experience.
If Texaco had taken a risk management approach to its bid for Getty Oil, it might have been spared bankruptcy. Getty agreed to a deal with Pennzoil in 1984. Texaco stepped in and won the battle for Getty – but it lost the war. Pennzoil was awarded US$10.5 billion in damages; and in 1987, Texaco filed for Chapter 11 protection.
Adopt a strategy. Risk can be avoided, reduced, mitigated or accepted. Organizations should consider their risk tolerance before deciding how to cope with it. While some will accept none, others will find different degrees of risk acceptable. Tightening procedures or changing activities can reduce risks, but some can be offset by hedging, insurance or sharing with partners.
Given that the current crisis took most people unawares, businesses worldwide are wondering how to identify the next big risk. KPMG’s research suggests that big risks often emerge from within, as a direct consequence of management actions.
Charles ‘Tex’ Thornton was a young Texan entrepreneur who expanded a tiny microwave company into Litton Industries, one of the most successful high technology conglomerates of the 1960s. Making selective acquisitions, Litton grew at an explosive rate. But it began to buy larger and more troubled firms in industries it barely understood. The failure to monitor its own risks triggered a downward spiral and, in 2001, it was acquired by Northrop.
All change equates to risk: the trick is to create a more self-aware corporate risk culture. However, having assessed a threat, some executives will choose to accept it. “A lot of our firms’ clients identify a risk but, as a conscious business decision, take it,” says Engels. “That’s good. That is what risk management is about: it’s not about not doing things.”
Identify your risks: internal, external, systemic. Risks come from all directions. It may be weather, demographics, competition, process failure – or risk from pricing, hedging or leverage. Sometimes the threat from within – a careless, disgruntled or dismissed employee – is greatest.
In 2007, nine Trusts of Britain’s National Health Service units lost 168,000 patient details. In 2008, French regulator la Commission Bancaire fined Société Générale US$5.7 million for shortcomings in its control systems and internal procedures leading to tardy identification of rogue trader Jérôme Kerviel – a failure that cost the firm US$6.9 billion.
One internal lesson of the banking crisis in particular is that traders’ risk was not aligned with their employers’. Stulz describes this as a ‘concealed’ risk: desk traders receive a significant share of any profits they generate, but don’t have to defray their losses, so they are encouraged to assume risks.
Such misalignments trouble Nolan, who urges companies to look out for the moment “strategy looks in one direction but incentives encourage movement in a different direction”. As risks develop, companies should constantly align and realign the linkages between the array of activities they undertake, Nolan says.
The rising dangers of systemic risk – banks unable to lend, a collapse of consumer spending, swine flu preventing staff travel – are a challenge, because they rarely fall within the remit of one regulator. The current crisis suggests effort should be expended at a macro level. Extensive scenario analysis, as recommended by Stulz, may help tackle systemic risk.
Measure the risk accurately. Entrepreneurs are usually optimists, but often see the worst when assessing potential dangers, says Engels. “People tend to be more risk-averse and to exaggerate the risk propensity. But if that deters companies from growth, it is as serious a failure as underestimating risk.”
Stulz says statistical techniques work when risks are known, but points out there was no historical data for house prices falling when sub-prime lending in the U.S. was high: “In such a case, statistical risk management reaches its limits and risk management goes from science to art.”
Sometimes, the historical data can lead firms to overestimate risk and forgo revenue. In the 1930s, MGM initially turned down the movie rights to the bestseller Gone With The Wind on the grounds that, as producer Irving Thalberg told studio boss Louis. B Mayer: “Forget it, Louis, no Civil War picture ever made a nickel.”
The box office records of previous U.S. Civil War epics proved Thalberg right. But Gone With the Wind still went on to become the biggest-grossing movie of all time (when ticket prices are adjusted for inflation), raking in US$1.22 billion in today’s money, 32% more than Titanic.
Don’t ignore risks.
Never turn a blind eye to a risk just because it is hard to evaluate. A bad assessment is better than none, but more consideration – or a new approach – might allow better measurement.
Stulz says if risks are ignored, they are not monitored and large organizations can expand in unmonitored areas – with dire results. Samsung’s diversification into cars in 1995 coincided with an economic crisis in Korea and – realizing it had underestimated the market risk and been overconfident about the contribution its core competencies could make – it sold its car business to Renault in 2000.
Allow for unknown risks. No matter how good your processes, you have to allow for the unexpected. For a financial firm, that means keeping capital in reserve;for others, it may mean ensuring management have the resource to handle problems that emerge out of left field.
The bursting of the South Sea Bubble in 1720, which ruined many British investors, is a reminder of how massive hidden risks can be. The South Sea Company, a British joint stock company, was granted a monopoly to trade in Spain’s South American colonies during the War of the Spanish Succession (1701-1714). In return, it assumed England’s war debt.
Through promotion, insider dealing and a get-rich-quick fever, South Sea’s shares rose tenfold in a year before crashing. Scientist Isaac Newton, one of thousands who lost money, noted: “I can calculate the movements of the stars, but not the madness of men.” A dictum that ought to be on every risk manager’s desktop.
Never underestimate the velocity of risk. Remember, risks alter. “If you see risk registers that change minimally from one year to another, it is not reflecting the real situation,” says Engels. The dangers threatening a company change constantly and managers should regularly re-assess their strategy, measurement and appetite for risk – yet the KPMG survey suggests most do not have a clearly defined and updated register.
Boards are becoming depressingly familiar with the concept of ‘velocity of risk’. Nolan says the existing audit committee or a newly created, board-level risk committee can help cope with the way risk rapidly evolves. Ideally, the internal audit function should have a voice on the board.
Communicate the strategy. There’s no point having a risk management plan if the rest of the organization knows nothing about it. “Communications failures played a role in the most recent crisis,” says Stulz. If a risk manager cannot explain a system to senior executives properly, even perfect systems can do more harm than good by inspiring false confidence, he says. “Worse, information can arrive to top management too late or distorted by intermediaries.”
Too much information can swamp management, but it is important communication is horizontal – across the corporation – and vertical. In the KPMG survey, only 36% of respondents think their organizations ensure information about risk reaches the right people. “A failure in communicating risk to management is a risk management failure as well,” says Stulz.
So how can a risk management culture be fostered? The International Financial Risk Institute says it’s the board’s responsibility to clearly allocate risk management responsibilities at the highest level to ensure accountability, placing risk control on a par with other strategic business matters. The function should be properly resourced, says IFRI, and risk control personnel recognized – not regarded as second-class citizens because they are not direct revenue-earners.
It is vital that lines of communication are clear – so risks are reported to where they can be managed – and useful if project managers discuss risks with the relevant experts to secure buy-in. The board must ensure appropriate risk education continues throughout the company.
Invest wisely. The main obstacles to successful risk management used to be poor data quality and availability, shortage of relevant expertise and ineffective tools and technology. But many executives surveyed by KPMG identified a lack of financial resources as their biggest problem in the coming year. Without careful planning, a dearth of money will prevent problems being addressed.
Remember that risk management isn’t all negative. Risk strategies need not be a costly brake on entrepreneurial activity. Recession is making many users realize that ERM can be quantitative as well as qualitative and deliver a return on investment. By using ERM and creating a corporate risk awareness culture, companies can more shrewdly identify, monitor and prioritize risk, reduce the volatility of their results and save on wasteful insurance, hedging or excess capital.
If improved measurement shows companies operating below risk tolerance, they can increase exposure. Optimizing capital can cut financing costs and give scope to expand. Measuring lost opportunities is hard, but the effects are real and can justify the costs to even the most skeptical accountants.
About the Authors
Richard Northedge is a former U.K. Sunday Telegraph City editor who appears as a commentator on Sky and Bloomberg. Peter Bradley is sub-editor at KPMG Agenda.