A strategic approach to Enterprise Risk Management

By A V Vedpuriswar¹, Phani Madhav & Nagendra V. Chowdary²

Understanding Enterprise risk management

Risk Management has become a favorite topic of discussion these days. Bankruptcies and huge

losses have reemphasized the importance of identifying corporate risks and dealing with them

effectively. The publicity surrounding recent bank failures and risk management disasters has

been overwhelming. Barings PLC lost US$1.3 billion, leading to the bank's bankruptcy. Orange

County lost $1.64 billion and Daiwa lost $1.1 billion by pursuing aggressive trading strategies.

Hedge fund Long-Term Capital Management required central bank intervention to prevent a

systemwide collapse when it lost $3.5 billion through over-leveraged investment in emerging

markets. Closer home, we have seen many Non Banking Finance Companies (NBFCs) winding

up after taking risks totally inconsistent with their resources or capabilities. Clearly, employing

proper risk management business processes and controls could have prevented such dramatic

losses—a fact that has not escaped regulators and the people who could steer the companies out

of their imminent risk exposures. New reporting requirements have been legislated in Europe and

North America and are either in place or soon to be implemented in China, Japan, Asia-Pacific,

and Latin America. Risk management is no longer optional; it is a mandatory requirement in most

countries. This paper argues that smart companies go beyond regulatory compliance (see the

box item on page no.7) and pursue an effective and integrated risk management framework that

stabilizes earnings and inspires the confidence of shareholders.

Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling

the activities of an organization in order to minimize the effects of risk on an organization's short

term and long term prospects. ERM expands the process to include not just risks associated with

accidental losses, but also financial, strategic, operational, environmental and other risks. In

recent years, various exogenous factors have fueled a heightened interest by organizations in

ERM. Industry and government regulatory bodies, as well as investors have begun to scrutinize

the risk-management policies and procedures of companies. In many organizations, boards of

directors are required to review and report on the adequacy of risk-management processes in the

organizations they administer. Before we proceed further, we need to understand clearly the

meaning of risk and some of the common misconceptions thereof.

1 A V Vedpuriswar is DEAN, Icfaian School of Management (ISM), Hyderabad.

2 Phani Madhav and Nagendra V. Chowdary are faculty members at ISM,

Risk is all about vulnerability and risk management is about taking steps to reduce it. Risk

management assesses the risks affecting a company's chances to achieve its strategic

objectives. In addition, enterprise risk management identifies risks that are opportunities to exploit

for competitive advantage. Several factors contribute to this vulnerability. Fluctuations in financial

parameters such as interest rates, exchange rates or stock indices are only one part of the story.

Unfortunately, most organizations are obsessed with financial risks. As Butterworth³ puts it: “A

strong appreciation of finance and accounting is useful, since all risk effects will have an impact

on the profit and loss account and the balance sheet. But this focus on finance as an important

core skill may have been overemphasized.” Just as the field of Knowledge Management has

been dominated by IT companies, risk management has been strongly associated with the

finance function. Investment bankers, corporate treasurers and insurance companies seem to

have hijacked the risk management agenda.

It is simplistic to focus only on those risks for which insurance cover or derivatives are available.

As the Economist (February 10, 1996) has put it: “Managers and boards too often regard risk

management as a matter for financial experts in the corporate treasury department rather than as

an integral part of corporate strategy.” Quite clearly, risk management is much wider in scope.

Failure to appreciate this simple fact can land companies in trouble by missing the woods for the

trees.

Protecting and Enhancing Enterprise Value

Every now and again, a dimension of business is transformed by new thinking. Frequently, the

inspiration for change is the recognition that enterprise value can be enhanced by the removal of

internal barriers to the sharing of insights, knowledge and ideas. Enterprise risk management

seems to be providing this inspiration these days.

Enterprise risk management is a three-step process that harnesses a range of advanced risk

management techniques to help build enterprise value and achieve competitive advantage (see

figure 1.1):

The process begins with identification and prioritization of the critical risks that affect enterprise

value. It continues with the quantification of these risks, both individually and jointly, so that

correlations among risks can be understood. It concludes with the adoption of organizational and

financial strategies to manage risk on an enterprise-wide basis, so as to maximize enterprise

value by optimizing the balance between risk and return.

3 Mark Butterworth, “The emerging role of the risk manager” Financial Times Mastering Risk Volume I, p.23

Enterprise risk management differs from traditional risk management techniques in a number of

important ways (figure 1.2). Risk has traditionally been managed in "silos." For example, hazard

risks, such as product liability or windstorm damage, have been managed entirely separately from

operational risks, such as high employee turnover. The same silo-based approach has applied to

financial risks, such as exchange rate or commodity price fluctuations, and strategic risks, such

as brand erosion or the emergence of new sources of competition.

Many organizations also make the mistake of dealing with risk in piecemeal fashion. Within the

same company, the finance, treasury, human resources and legal departments could be covering

risks independently. Jerry Miccolis, a principal at Tillinghast-Towers Perrin who

oversaw a recent study that highlights the attitudes of 66 top insurance executives, said that "

many leading companies in various industries have recognized that doing risk management on an

enterprise scale - that is, assessing risks of multiple types of risk - can provide meaningful

information to senior management as to which risk they need to pay attention to. Looking at all

the risks using a common measure helps them decide which risks require attention". An

organization-wide view of risk management can greatly improve efficiencies and generate

synergies. That is why many companies are taking a serious look at Enterprise Risk

Management (ERM), which addresses some fundamental questions:

♦ What are the various risks faced by the company?

♦ What is the magnitude of each of these risks?

♦ What is the frequency of each of these risks?

♦ What is the relationship between the different risks?

♦ How can the risks be managed to maximize shareholders' wealth?

Enterprise risk management encompasses all four major categories of corporate risk: hazard,

financial, operational and strategic. But rather than analyzing these risk categories in isolation

from one another, enterprise risk management provides a picture of their combined impact on the

enterprise.

ERM Benefits

The essence of enterprise risk management is the recognition that risks affect one another - and

that they jointly affect the performance of the company. An integrated risk management approach

will yield a different - and much more valuable - result than the sum of a series of silo-based

approaches.

The main benefits of enterprise risk management for any company are:

♦ Prioritization of risks. By evaluating critical risks according to consistent standards, companies can allocate their capital more efficiently.

♦ Early notification of aggregating and/or offsetting risk patterns. Appropriate action can thus be taken, either saving money if risks offset one another, or arranging additional protection if risks are aggregating.

♦ Creation of a strong and comprehensive risk management framework to identify and control existing risks and to enable the company to address new risk exposures as they emerge.

♦ Enhanced safeguards against earnings-related surprises - both for management and for shareholders. Over time, this can lead to improved share performance and lower capital costs.

Exploding some myths

Like any other evolving discipline, the subject of risk management is shrouded in certain myths.

A closer look at these myths provides a better and clearer understanding of the principles governing

risk management. Four points need to be made at the outset. Risk is something new. One

of the earliest examples of risk management features in the Old Testament of the Bible. A

Pharaoh had a dream that was interpreted as seven years of plenty to be followed by seven

years of famine. To deal with this risk, the Pharaoh purchased and stored large quantities of corn

during the good times. As a result, Egypt prospered during the famine.

The modern era of risk management probably goes back to the Hindu Arabic numbering system

which reached the West about 800 years back. The serious study of risk began in Europe during

the Renaissance when long-held beliefs began to be challenged. As theories of probability,

sampling and statistical inference evolved, the risk management process became more scientific.

Many of the risk management tools used by traders today originated during the period 1654-

1760. These ideas were later supplemented by the ‘discovery of the regression to the mean’ by

Francis Galton in 1875 and the formulation of the concept of portfolio diversification by Harry

Markowitz in 1952. Today, risk management has become a fairly sophisticated discipline thanks

to the availability of computers, which can collect and process information efficiently.

The second point is that risk can neither be avoided nor eliminated completely. Indeed,

without taking risk, no business can grow. And if there were no risks, managers would not be

needed. The Pharaoh in the earlier example was obviously taking a risk in the sense that his

strategy would not have made sense, had there been no famine. Similarly, when a company

uses derivatives to hedge its exposure, it is not only limiting the downside risk but also the profits

if the rates move in its favour. As Dan Borge, the former managing director of Bankers Trust puts

it⁴: “Many people think that the goal of risk management is to eliminate risk – to be as cautious as

possible. Not so. The goal of risk management is to achieve the best possible balance of

opportunity and risk. Sometimes achieving this balance means exposing yourself to new risks in

order to take advantage of attractive opportunities.”

This leads us to the third point. Risk management is all about making choices and tradeoffs.

These choices and tradeoffs are closely related to a company’s assumptions and its interpretation

of the developments in the external environment. So, risk is about making choices rather than

waiting passively for events to unfold. Consider two leading global pharmaceutical companies,

Merck and Pfizer. Merck is betting on a scenario in which Health Maintenance Organizations

(HMOs) rather than doctors will dominate the drug-buying process. Hence its acquisition of the

drug distribution company Medco. On the other hand, Pfizer has invested heavily in its sales force

on the assumption that doctors will continue to play an important role. Each company is

implementing its strategies based on an assumption and consequently taking a risk. However,

this risk cannot be avoided, as there may not be enough resources to invest in both options.

Similarly, a company, which bets on a new technology, could be diverting a lot of resources from

its existing business. If the new technology fails to take off, it may become a severe drain on the

company’s finances. But, if the firm decides not to invest in the new technology and it does prove

successful, the very existence of the company is threatened. So, what it means is that in many

cases, not taking a risk may turn out to be a risky strategy. Indeed, this is what Peter Drucker

refers to as risks one cannot afford not to take.

4 In his book, “The Book of Risk”

Enterprise Risk Management: Views of Nandan M Nilekani, Managing Director, Infosys Technologies

On the mechanisms to manage risk at a strategic level

The following mechanisms need to be in place to manage risks at the strategic level:

(i) The Board of Directors of the company needs to take ultimate bottom-line responsibility for Risk Management, thus ensuring that Risk Management is part of the charter for the company.

(ii) The business portfolio of a company needs to be diverse so that vagaries in one segment do not affect the company's business performance adversely. This is done by putting in place prudential norms of restricting business exposure, especially in business segments where there is high volatility.

(iii) Management Control Systems that ensure timely aggregation of inputs in the external and internal environment, enabling quick top management decision making on Risk Management are required. These mechanisms should cascade to the level of line managers so that the company can implement these decisions quickly.

On the ideal business model

There is no ‘one size fits all’ kind of business model. The specific aspects of the derisking model for each company depend on the nature of the business the company is in, its capability in different areas, etc. The Infosys business model rests on four pillars - predictability, sustainability, profitability and de-risking (PSPD model). This model helps management evaluate risk-return trade-offs and make effective strategic choices. This leads to a predictable and sustainable revenue stream for the company. Infosys' pioneering global delivery model has helped the company to consistently be among the most profitable IT services companies in the world. Derisking provides the company with the strength and stability to effectively handle variations in the business environment.

On enterprise risk management in India

In the past, the software industry in India has grown exponentially. There are risks inherent in this kind of growth and managing this requires strong risk management practices. Since the software sector in India has had to compete with global companies, the exposure they have to global best practices is significant. The visionary managements of some software companies in India have implemented these global best practices in their company. One area in which global best practices have been implemented is enterprise-wide risk management.

On short-term focus of risk management

Any successful derisking model should be balanced, keeping in mind long-term as well as short-term, financial as well as non-financial aspects. Focusing on the short-term financial impact alone can lead to sub-optimal solutions, which may be counter-productive.

On globalization and increase in risks

Globalization means that the war for talent no longer respects geographical boundaries. Hence, the risk of attrition of highly talented employees is an important factor that companies need to manage. Further, companies are faced with the challenge of ensuring that their knowledge base, technology and processes are robust enough to meet changing global market requirements. Risks associated with the international political environment also have a bearing on the company's performance.

On the Infosys model of derisking

We ensure that we do not become overly dependent on any single segment of our business. For example we had put a cap of 25% on our Y2K revenues. We try to diversify our risk by operating in multiple technologies and multiple market segments. We make sure that no one customer provides more than 10% of our business. We ensure that we operate in a variety of vertical domains. The whole idea is that one should not become overly dependent on any one segment and that we broad base our operations so as to de-risk the company. Expansion into under-penetrated markets is part of the derisking strategy at Infosys. Infosys has already entered markets in Europe and the Asia-Pacific by opening marketing offices in Paris, Frankfurt, Brussels, Stockholm, Tokyo, Hong Kong, Sharjah, Sydney and Melbourne. Our aim is to have multiple development centers across the globe to provide instant reaction to our customer needs and take advantage of talent pools available in cost-competitive economies. This strategy also reduces the risk to our operations due to changes in geo-political equations.

Source: Chartered Financial Analyst, July 2000. (Reprinted with Permission)

A fourth point, which is often overlooked, is that risk may arise not only because of environmental

changes. Many of the risks which organizations assume have more to do with their own

strategies, internal processes, systems and culture than any external factors. For example,

the collapse of Barings Bank had as much to do with poor management control systems as

unfavorable developments in the external environment. Similarly, many of the risks which

organizations assume are due to the beliefs and actions of the top management in general and

the CEO in particular.

Uncertainty and risk

Over the years, man has continued to make attempts to master uncertainty. While it is

impossible to anticipate and deal with uncertainty in a perfect manner, man has succeeded in

developing various tools to deal with uncertainty. As Peter Bernstein⁵ puts it, “The revolutionary

idea that defines the boundary between modern times and the past is the mastery of risk…Until

human beings discovered a way across that boundary, the future was a mirror of the past or the

murky domain of oracles and soothsayers who held a monopoly over knowledge of anticipated

events.”

Organizations face various types of uncertainty. The challenge they face is to understand

uncertainty, quantify it, weigh the consequences of different actions and then take appropriate

decisions. Let us first list the various types of uncertainty that companies face.

A. State Uncertainty: This refers to unpredictability about the environment. Causes of state

uncertainty are:

a) Volatility in the environment

b) Complexity in the environment

c) Heterogeneity in the environment

B. Effect Uncertainty: This is the uncertainty about the impact on the organization due to the

unpredictability in the environment.

C. Response Uncertainty: This refers to the uncertainty about the options available to an

organisation and their outcome.

The dividing line between risk and uncertainty is thin. Some scholars look at risk as a term

appropriate for situations where it is possible to define probability distributions for probable

outcomes, and uncertainty as a term better suited for situations where such probability

distributions cannot be constructed. Others argue that this distinction is not really needed. We

agree with them. The key issue is to collect more information and analyse it carefully so that the

various uncertainties can be quantified to the extent possible and a total reliance on intuition can

be avoided.

5 In his book “Against the Gods”

Drucker categorises risk into four types at a broad macro level:

♦ The risk that is built into the very nature of the business and which cannot be avoided

♦ The risk one can afford to take

♦ The risk one cannot afford to take

♦ The risk one cannot afford not to take

Maximising shareholders’ wealth through risk management

When we think of risk we immediately think of how to cut losses or protect ourselves against

vulnerability. Thus, risk management does have a defensive connotation. But superior risk

management processes hold tremendous potential for generating sustainable competitive

advantages in the long run. How is this so? A prudent risk management strategy, by developing

the required expertise and knowledge, encourages people to take more risk than they would

otherwise. By understanding and controlling risk, a firm can take better decisions about pursuing

new opportunities (which means adding risk) and withdrawing from existing businesses (which

means eliminating risk). As Butterworth⁶ puts it: “Good risk awareness and management will give

organizations the confidence to take on new ventures, develop new products and expand abroad.

Indeed, risk assessment may well suggest that doing nothing might be the most risky strategy of

all.” Thus, the dividing line between risk management and value creation is much thinner than we

imagine.

Types of risk

What are the various risks a company can face? The Economist Intelligence Unit divides risks

into four broad categories. Hazard risk refers to natural hazards, accidents, fire, etc. that can be

insured. Financial risk refers to volatility in interest rates, exchange rates, defaults, asset-liability

mismatch, etc. Operational risk covers systems, processes and people and includes issues such

as succession planning, human resources, information technology, control systems and

compliance with regulations. Strategic risk stems from an inability to adapt to changes in the

environment such as changes in customer priorities, competitive conditions and geopolitical

developments.

6 Financial Times Mastering Risk Volume I

A 1999 study by Mercer Management Consulting (see figure 1.3) found that, between June 1993

and May 1998, 10 percent of Fortune 1000 companies lost more than one quarter of their

shareholder value during a one-month period. The main causes are indicated in figure 1.3.

The very nature of uncertainty implies that it is difficult to identify all risks. So, instead of fine

tuning the method of classifying risks, what is more important for companies is to think more

deeply, clearly and consistently about the risks they face. To that extent, each company should

carefully dissect its value chain and understand the uncertainties associated with its important

value adding activities. Then, it can quantify these uncertainties to the extent possible and take a

view on which risk to hold, which to transfer completely and which to reduce. At the same time it

should be realistic enough to appreciate that all risks cannot be quantified.

Let us now look at some of the important risks faced by companies (figure 1.4). Some of them

are ongoing or recurring while others are more sporadic. Some make a tremendous impact while

others have a low impact. The matrix in figure 1.5 gives a framework for dealing with these

different situations.

Strategic risks arise from the company’s core strategies like capacity expansion, vertical

integration and diversification. Capacity expansion has associated risks. After adding capacity, if

the demand does not arise, the company may find itself burdened with overheads. At the same

time, if capacity is not built in time, competitors may move ahead and grab market share. Arvind

Mills, which built up huge capacity for denim production, ran into serious problems when demand

tapered off. Vertical integration gives a company control over additional stages of the value

chain. Yet there are risks involved, as the competencies required to compete across different

segments of the value chain are different. In the computer industry for example, focussed players

like Microsoft and Intel have done much better than vertically integrated companies like Apple.

Excessive dependence on a single or few products, or a single or few regions for generating

revenues results in risk. Many companies look at a diversified product portfolio or geographical

base as a means to stabilize revenues and profits. At the same time, diversification also makes

management tasks more complex. In India, the packaging company, Metal Box went bankrupt

when it diversified into bearings. On the other hand, GE has successfully built up a portfolio of

businesses ranging from financial services to aircraft engines.

Technology risk has become a major factor these days. Innovation cycles have become shorter.

Consequently, companies which do not have a strategy to cope with changing technology may

find themselves at a disadvantage. The key decision involved is whether to move early or adopt a

wait-and-watch policy, when a new technology is emerging. In the disk drive industry, many of

the established players were completely taken by surprise when smaller disk drives emerged. In

the earth moving industry, hydraulics technology unseated many of the industry leaders.

Mergers and acquisitions, generally considered a strategy to generate fast growth and quick

access to the marketplace are also fraught with major risks. Many companies have paid

unrealistic prices for their acquisitions and the projected synergies have later failed to materialize.

Moreover, integration of the pre-merger entities can run into big problems because of cultural

differences. Some of the deals which have run into problems include AT&T’s acquisition of NCR,

Kimberly Clark’s purchase of Scott Paper and the acquisition of Republic Airlines by Northwest

Airlines.

The most commonly discussed form of risk is financial risk. When interest or foreign exchange

rates fluctuate, there is an impact on cash flows and profits. Risk also increases as the debt

component in the capital structure increases. This is because debt involves mandatory cash

outflows while dividends can be paid at the discretion of the company depending on the profits

generated. Today, sophisticated hedging tools like derivatives are available to manage financial

risk. Among the companies that have failed to manage financial risk well in recent times are

Barings, Procter & Gamble and Sumitomo.

Another type of risk is environment risk. If companies do not take steps to protect the

environment in which they operate, they face the risk of resistance and hostility from society and

the local government. In some cases, this could even threaten the very existence of the

company, as well illustrated by the example of Union Carbide in Bhopal. Similarly, oil companies

like Exxon have faced major crises due to oil spills from their tankers.

Political risk arises from the possibility that political decisions or events may adversely affect a

company’s profitability. It covers actions of governments that interfere with business transactions

resulting in loss of profit potential. In extreme cases, political risk results in confiscation of

property. The more common scenario is one in which government imposes constraints on the

conduct of business. Enron has encountered various problems since its entry into India.

More and more importance is also being paid to high standards of legal compliance, ethics and

corporate governance. Illegal and unethical practices and low standards of corporate governance

can bring down the reputation of a company in the eyes of its shareholders, and severely erode

market capitalization. A good example of a company, which has seen a severe decline in its

business owing to unethical and illegal disclosure practices, is the famous insurance company,

Lloyd’s of London. Class action suits by employees or shareholders can pose grave concerns.

Similarly, anti-trust proceedings by the government can distract a company so much that it may

not have enough time for its core business. Microsoft has been heavily burdened in this respect.

On the other hand, Intel is generally credited with having dealt with anti-trust issues much more

professionally.

An integrated approach to managing risks

Integrated risk management is all about the identification and assessment of the risks of the

company as a whole and implementation of a company-wide strategy to manage them. In the

past, a systematic and integrated approach to risk management was an exception rather than the

rule. Fortunately, the scenario is changing. The cumulative experience of the past few decades

in managing risk, the development of financial management and probability theories and the

availability of a wide range of financial instruments have made Enterprise Risk Management

(ERM) a reality. At the heart of an integrated approach to risk management lie three different

approaches which should be seen as complementary. The first is to modify the company’s

operations suitably. The second is to reduce debt in the capital structure. The third is to use

insurance or derivative instruments. A combination of these approaches should be used

judiciously, depending on the situation.

Take the case of environmental risk in a chemical plant. Modifying the company’s operations

could mean installation of sophisticated pollution control equipment or using a totally new

environment friendly process. On the other hand, it could buy an insurance policy that would

protect it in case an accident were to occur resulting in big compensation payments to victims.

Consider an oil company which needs a steady supply of petroleum crude to feed its refineries.

Faced with fluctuating oil prices, the company could set up a large number of oil fields all over

the world to insulate itself from price volatility caused by cartels such as OPEC. On the other

hand, it may buy oil futures contracts that guarantee the supply of oil at predetermined prices.

A company like Walt Disney which operates theme parks is exposed to weather risks. If the

weather is not sunny, people will not turn up. So, Disney took the decision to set up a theme park

in Florida. Today, Disney can buy weather derivatives or an insurance policy to hedge the risks

arising from bad weather.

Microsoft manages its risk by maintaining low overheads. Financially, Microsoft operates with

zero debt. So, it does not have to worry about cash outflows on this count. But Microsoft also

believes in maintaining a lean staff and uses temporary workers to deal with surges in work load

from time to time. This not only reduces the risk associated with economic slowdowns, but also

results in greater job security for its smaller group of permanent, talented workers.

An airline can manage its exposure to fluctuating oil prices by taking operational measures to cut

fuel consumption. Alternatively, it can purchase more fuel efficient engines. At the same time, it

can use financial instruments such as futures to hedge this risk.

Operational approaches to risk management are difficult in many situations. They may be too

complicated, too expensive or may conflict with the company’s strategic goals. By using financial

instruments, companies may be able to focus on specific risks and hedge them at a lower cost.

Unfortunately, financial instruments are not available for some types of risk. Moreover, they can

be issued only for risks which can be clearly identified and quantified.

Of course, the ultimate strategy for the rainy day is to keep overheads low, keep debt low and

hold lots of cash to tide over uncertainties about which managers have little idea today. Indeed,

equity is an all-purpose risk cushion. The larger the amount of risk that cannot be accurately

measured or quantified, the larger the equity component should be. Of course, lower risk through

use of more equity also implies lower returns, as equity is a more expensive source of funds.

An integrated view of the three different approaches needs to be taken. Indeed, one approach, if

implemented, can have an impact on the other two. For example, the leverage a company

deploys would depend on capital investments, which in turn may depend on the company’s

diversification plans. Similarly, cross business risks should not be overlooked. In 1988, Salomon

Brothers’ unsuccessful attempt to take over R J R Nabisco changed its risk profile adversely

resulting in a negative impact on its derivatives business.

Company-wide integration of risk management activities enables the purchase of more efficient

and cost effective insurance contracts. In 1997,⁷ Honeywell purchased an insurance contract that

covered various types of risk – property, casualty, foreign exchange, etc. Honeywell cut its

insurance costs by 15% in the process. Aggregate risk protection not only costs less than

individual risk coverage but will also be better tailored to the company’s risk management needs.

⁷ Lisa Meulbroek, “Total strategies for companies for company-wide risk control”, Financial Times, Mastering Risk Volume I, p. 71.

Conclusion

In this dynamic and complex environment, events are unfolding with a degree of uncertainty and

speed never seen before. The magnitude and nature of risks faced by companies are constantly

changing. Good risk management has become more critical than ever before. But risk

management is a challenging discipline. It is all about changing the way decisions are made.

Moreover, risk management is not a purely defensive tool as many believe and certainly does not

imply excessive caution. Rather, it is about creating conditions in which managers are

encouraged to achieve the right balance between minimizing risks and exploiting new

opportunities. Indeed, the ultimate aim of risk management is to make available a steady stream

of cash flows that can be utilized to maximize shareholders’ wealth.

To be effective, ERM should be strategic rather than tactical in its orientation. A tactical

orientation means that the objectives are limited, typically involving hedging of explicit future risks.

On the other hand, a strategic approach looks at how the company as a whole and its competitive

position within the industry will be affected. An integrated approach requires an overall

understanding of the company’s operations as well as its financial policies and is consequently

the responsibility of senior managers and cannot be delegated to the treasury desk or individual

businesses.

Is risk management an art or a science? Many feel that in an attempt to master risk, man has

become a slave to mathematical tools, techniques and models. As Bernstein (Against the Gods)

puts it: “Our lives teem with numbers but we sometimes forget that numbers are only tools. They

have no soul; they may indeed become fetishes. Many of our most critical decisions are made by

computers, contraptions that devour numbers like voracious monsters and insist on being

nourished with ever greater quantities of digits to crunch, digest and spew back.” Yet, a total

reliance on intuition may not be advisable. A successful risk management framework would

strike the right balance between intuition and numbers.

References:

1. Arie P De Geus, “Planning as Learning”, Harvard Business Review, March-April 1988, pp. 70-74.

2. Robert S Kaplan and David P Norton, “The Balanced Scorecard – Measures that drive performance”, Harvard Business Review, January-February 1992, pp. 71-79.

3. Kenneth A Froot, David S Scharfstein and Jeremy C Stein, “A framework for risk management”, Harvard Business Review, November-December 1994, pp. 91-102.

4. Joseph L Bower and Clayton M Christensen, “Disruptive Technologies: Catching the Wave”, Harvard Business Review, January-February 1995.

5. Rita Gunther McGrath and Ian C MacMillan, “Discovery-driven planning”, Harvard Business Review, July-August 1995, pp. 44-52.

6. Michael E Porter and Claas Van der Linde, “Green and competitive: Ending the Stalemate”, Harvard Business Review, September-October 1995, pp. 120-133.

7. N Craig Smith and Robert J Thomas, “A strategic approach to managing product recalls”, Harvard Business Review, September-October 1996, pp. 102-112.

8. James M Utterback, “Mastering the Dynamics of Innovation”, Harvard Business School Press, 1996.

9. Heidi Deringer, Jennifer Wang and Debora Spar, “Note on Political Risk Analysis”, Harvard Business School, Number 9-798-022, September 17, 1997.

10. Hugh G Courtney, Jane Kirkland and S Patrick Viguerie, “Strategy under uncertainty”, Harvard Business Review, November-December 1997.

11. Mark L Sirower, “The Synergy Trap”, The Free Press, New York, 1997.

12. Andrews Merkl and Harry Robinson, “Environmental risk management: Take it back from the lawyers and engineers”, The McKinsey Quarterly, 1997, Number 3, pp. 150-163.

13. Patric Wetzel and Oliver de Perregaux, “Must it always be risky business?”, The McKinsey Quarterly, 1998, Number 1, pp.

14. Peter L Bernstein, “Against the Gods”, John Wiley & Sons, 1998.

15. Robert Simons, “How risky is your company?”, Harvard Business Review, May-June 1999, pp. 85-94.

16. Robert G Eccles, Kersten L Lanes and Thomas C Wilson, “Are you paying too much for that acquisition?”, Harvard Business Review, July-August 1999.

17. Clayton M Christensen and Michael Overdorf, “Meeting the challenge of disruptive change”, Harvard Business Review, March-April 2000.

18. Joanne Sammer, “The three faces of Risk Management”, Business Finance Magazine, December 2000, www.businessfinancemag.com

19. Forest L Reinhardt, “Down to Earth”, Harvard Business School Press, Boston, 2000.

20. David B Yoffie and Mary Kwak, “Playing by the rules – How Intel avoids antitrust litigation”, Harvard Business Review, June 2001, pp. 119-122.

21. D G Prasuna, “Scanning for De-risking”, Chartered Financial Analyst, July 2001, pp. 23-31.

22. Christopher L Culp, “The Risk Management process”, John Wiley & Sons, 2001.

23. Mark Butterworth, “The emerging role of the risk manager”, Financial Times, Mastering Risk Volume I, p. 23.

24. Lisa Meulbroek, “Total strategies for companies for company-wide risk control”, Financial Times, Mastering Risk Volume I, p. 71.

25. Philip Bell, “Product failure and the growing culture of claims”, Financial Times, Mastering Risk Volume I, pp. 156-160.