A strategic approach to Enterprise Risk Management
-
Upload
api-19666393 -
Category
Documents
-
view
703 -
download
2
Transcript of A strategic approach to Enterprise Risk Management
A strategic approach to Enterprise Risk Management By A V Vedpuriswar1
Phani Madhav & Nagendra V. Chowdary2 Understanding Enterprise risk management Risk Management has become a favorite topic of discussion these days. Bankruptcies and huge
losses have reemphasized the importance of identifying corporate risks and dealing with them
effectively. The publicity surrounding recent bank failures and risk management disasters has
been overwhelming. Barings PLC lost US$1.3 billion, leading to the bank's bankruptcy. Orange
County lost $1.64 billion and Daiwa lost $1.1 billion by pursuing aggressive trading strategies.
Hedge fund long-term Capital Management required central bank intervention to prevent a
systemwide collapse when it lost $3.5 billion through over-leveraged investment in emerging
markets. Closer home, we have seen many Non Banking Finance Companies (NBFCs) winding
up after taking risks totally inconsistent with their resources or capabilities. Clearly, employing
proper risk management business processes and controls could have prevented such dramatic
losses—a fact that has not escaped regulators and the people who could steer the companies out
of their imminent risk exposures. New reporting requirements have been legislated in Europe and
North America and are either in place or soon to be implemented in China, Japan, Asia-Pacific,
and Latin America. Risk management is no longer optional; it is a mandatory requirement in most
countries. This paper argues that smart companies go beyond regulatory compliance (see the
box item on page no.7) and pursue an effective and integrated risk management framework that
stabilizes earnings and inspires the confidence of shareholders.
Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling
the activities of an organization in order to minimize the effects of risk on an organization's short
term and long term prospects. ERM expands the process to include not just risks associated with
accidental losses, but also financial, strategic, operational, environmental and other risks. In
recent years, various exogenous factors have fueled a heightened interest by organizations in
ERM. Industry and government regulatory bodies, as well as investors have begun to scrutinize
the risk-management policies and procedures of companies. In many organizations, boards of
directors are required to review and report on the adequacy of risk-management processes in the
organizations they administer. Before we proceed further, we need to understand clearly the
meaning of risk and some of the common misconceptions thereof.
1 A V Vedpuriswar is DEAN, Icfaian School of Management (ISM), Hyderabad. 2 Phani Madhav and Nagendra V. Chowdary are faculty members at ISM,
2
Risk is all about vulnerability and risk management is about taking steps to reduce it. Risk
management assesses the risks affecting a company's chances to achieve its strategic
objectives. In addition, enterprise risk management identifies risks that are opportunities to exploit
for competitive advantage. Several factors contribute to this vulnerability. Fluctuations in financial
parameters such as interest rates, exchange rates or stock indices are only one part of the story.
Unfortunately, most organizations are obsessed with financial risks. As Butterworth3 puts it: “A
strong appreciation of finance and accounting is useful, since all risk effects will have an impact
on the profit and loss account and the balance sheet. But this focus on finance as an important
core skill may have been overemphasized.” Just as the field of Knowledge Management has
been dominated by IT companies, risk management has been strongly associated with the
finance function. Investment bankers, corporate treasurers and insurance companies seem to
have hijacked the risk management agenda.
It is simplistic to focus only on those risks for which insurance cover or derivatives are available.
As the Economist (February 10, 1996) has put it: “Managers and boards too often regard risk
management as a matter for financial experts in the corporate treasury department rather than as
an integral part of corporate strategy.” Quite clearly, risk management is much wider in scope.
Failure to appreciate this simple fact can land companies in trouble by missing the woods for the
trees.
Protecting and Enhancing Enterprise Value Every now and again, a dimension of business is transformed by new thinking. Frequently, the
inspiration for change is the recognition that enterprise value can be enhanced by the removal of
internal barriers to the sharing of insights, knowledge and ideas. Enterprise risk management
seems to be providing this inspiration these days.
Enterprise risk management is a three-step process that harnesses a range of advanced risk
management techniques to help build enterprise value and achieve competitive advantage (see
figure 1.1 ):
The process begins with identification and prioritization of the critical risks that affect enterprise
value. It continues with the quantification of these risks, both individually and jointly, so that
correlations among risks can be understood. It concludes with the adoption of organizational and
3 Mark Butterworth, “The emerging role of the risk manager” Financial Times Mastering Risk Volume I, p.23
3
financial strategies to manage risk on an enterprise-wide basis, so as to maximize enterprise
value by optimizing the balance between risk and return.
Enterprise risk management differs from traditional risk management techniques in a number of
important ways (figure 1.2). Risk has traditionally been managed in "silos." For example, hazard
risks, such as product liability or windstorm damage, have been managed entirely separately from
operational risks, such as high employee turnover. The same silo-based approach has applied to
financial risks, such as exchange rate or commodity price fluctuations, and strategic risks, such
as brand erosion or the emergence of new sources of competition.
Many organizations also make the mistake of dealing with risk in piecemeal fashion. Within the
same company, the finance, treasury, human resources and legal departments could be covering
risks independently. According to Jerry Miccolis, a principal at Tillinghast-Towers Perrin who
oversaw a recent study that highlights the attitudes of 66 top insurance executives said that, "
many leading companies in various industries have recognized that doing risk management on an
enterprise scale - that is, assessing risks of multiple types of risk - can provide meaningful
information to senior management as to which risk they need to pay attention to. Looking at all
the risks using a common measure helps them decide which risks require attention". An
organization-wide view of risk management can greatly improve efficiencies and generate
synergies. That is why many companies are taking a serious look at Enterprise Risk
Management (ERM), which addresses some fundamental questions:
♦ What are the various risks faced by the company?
♦ What is the magnitude of each of these risks?
♦ What is the frequency of each of these risks?
♦ What is the relationship between the different risks?
♦ How can the risks be managed to maximize shareholders' wealth?
Enterprise risk management encompasses all four major categories of corporate risk: hazard,
financial, operational and strategic. But rather than analyzing these risk categories in isolation
from one another, enterprise risk management provides a picture of their combined impact on the
enterprise.
ERM Benefits The essence of enterprise risk management is the recognition that risks affect one another - and
that they jointly affect the performance of the company. An integrated risk management approach
will yield a different - and much more valuable - result than the sum of a series of silo-based
approaches.
4
The main benefits of enterprise risk management for any company are: q Prioritization of risks. By evaluating critical risks according to consistent standards,
companies can allocate their capital more efficiently. q Early notification of aggregating and/or offsetting risk patterns. Appropriate action can thus be
taken, either saving money if risks offset one another, or arranging additional protection if risks are aggregating.
q Creation of a strong and comprehensive risk management framework to identify and control
existing risks and to enable the company to address new risk exposures as they emerge. q Enhanced safeguards against earnings-related surprises - both for management and for
shareholders. Over time, this can lead to improved share performance and lower capital costs.
Exploding some myths
Like any other evolving discipline, the subject of risk management is shrouded with certain myths.
A closer look at these myths provides a better and clear understanding of the principles governing
the risk management. Four points need to be made at the outset. Risk is something new. One
of the earliest examples of risk management features in the Old Testament of the Bible. A
Pharaoh had a dream that was interpreted as seven years of plenty to be followed by seven
years of famine. To deal with this risk, the Pharaoh purchased and stored large quantities of corn
during the good times. As a result, Egypt prospered during the famine.
The modern era of risk management probably goes back to the Hindu Arabic numbering system
which reached the West about 800 years back. The serious study of risk began in Europe during
the Renaissance when long-held beliefs began to be challenged. As theories of probability,
sampling and statistical inference evolved, the risk management process became more scientific.
Many of the risk management tools used by traders today originated during the period 1654-
1760. These ideas were later supplemented by the ‘discovery of the regression to the mean’ by
Francis Galton in 1875 and the formulation of the concept of portfolio diversification by Harry
Markowitz in 1952. Today, risk management has become a fairly sophisticated discipline thanks
to the availability of computers, which can collect and process information efficiently.
The second point is that risk can neither be avoided nor eliminated completely. Indeed,
without taking risk, no business can grow. And if there were no risks, managers would not be
needed. The Pharaoh in the earlier example was obviously taking a risk in the sense that his
strategy would not have made sense, had there been no famine. Similarly, when a company
uses derivatives to hedge its exposure, it is not only limiting the downside risk but also the profits
if the rates move in its favour. As Dan Borge, the former managing director of Bankers Trust puts
5
it4: “Many people think that the goal of risk management is to eliminate risk – to be as cautious as
possible. Not so. The goal of risk management is to achieve the best possible balance of
opportunity and risk. Sometimes achieving this balance means exposing yourself to new risks in
order to take advantage of attractive opportunities.”
This leads us to the third point. Risk management is all about making choices and tradeoffs.
These choices and tradeoffs are closely related to a company’s assumptions and its interpretation
of the developments in the external environment. So, risk is about making choices rather than
waiting passively for events to unfold. Consider two leading global pharmaceutical companies,
Merck and Pfizer. Merck is betting on a scenario in which Health Maintenance Organizations
(HMOs) rather than doctors will dominate the drug-buying process. Hence its acquisition of the
drug distribution company Medco. On the other hand, Pfizer has invested heavily in its sales force
on the assumption that doctors will continue to play an important role. Each company is
implementing its strategies based on an assumption and consequently taking a risk. However,
this risk cannot be avoided, as there may not be enough resources to invest in both options.
Similarly, a company, which bets on a new technology, could be diverting a lot of resources from
its existing business. If the new technology fails to take off, it may become a severe drain on the
company’s finances. But, if the firm decides not to invest in the new technology and it does prove
successful, the very existence of the company is threatened. So, what it means is that in many
cases, not taking a risk may turn out to be a risky strategy. Indeed, this is what Peter Drucker
refers to as risks one cannot afford not to take.
4 In his book, “The Book of Risk”
6
Enterprise Risk Management: Views of Nandan M Nilekani, Managing Director, Infosys Technologies
On the mechanisms to manage risk at a strategic level. The following mechanisms need to be in place to manage risks at the strategic level: (i) The Board of Directors of the company need to take ultimate bottom-line responsibility for Risk
Management, thus ensuring that Risk Management is part of the charter for the company. (ii) The business portfolio of a company needs to be diverse so that vagaries in one segment do not
affect the company's business performance adversely. This is done by putting in place prudential norms of restricting business exposure, especially in business segments where there is high volatility.
(iii) Management Control Systems that ensure timely aggregation of inputs in the external and internal environment, enabling quick top management decision making on Risk Management are required. These mechanisms should cascade to the level of line managers so that the company can implement these decisions quickly.
On the ideal business model There is no one size fits all’ kind of business model. The specific aspects of the derisking model for each company depend on the nature of the business the company is in, its capability in different areas, etc. The Infosys business model rests on four pillars - predictability, sustainability, profitability and de-risking (PSPD model). This model helps management evaluate risk-return trade-offs and make effective strategic choices. This leads to a predictable and sustainable revenue stream for the company. Infosys' pioneering global delivery model has helped the company to consistently be among the most profitable IT services companies in the world. Derisking provides the company with the strength and stability to effectively handle variations in the business environment. On enterprise risk management in India. In the past, the software industry in India has grown exponentially. There are risks inherent in this kind of growth and managing this requires strong risk management practices. Since the software sector in India has had to compete with global companies, the exposure they have to global best practices is significant. The visionary managements of some software companies in India have implemented these global best practices in their company. One area in which global best practices have been implemented is enterprise-wide risk management. On short-term focus of risk management Any successful derisking model should be balanced, keeping in mind long-term as well as short term, financial as well as non-financial aspects. Focusing on the short- term financial impact alone can lead to sub-optimal solutions, which may be counter- productive. On globalization and increase in risks Globalization means that the war for talent no longer respects geographical boundaries. Hence, the risk of attrition of highly talented employees is an important factor that companies, need to manage. Further, companies are faced with the challenge of ensuring that their knowledge base, technology and processes are robust enough to meet changing global market requirements. Risks associated with the international political environment also have a bearing on the company's performance. On the Infosys model of derisking We ensure that we do not become overly dependent on any single segment of our business. For example we had put a cap of 25% on ourY2K revenues. We try to diversify our risk by operating in multiple technologies and multiple market segments. We make sure that no one customer provides more than 10% of our business. We ensure that we operate in a variety of vertical domains. The whole idea is that one should not become overly dependent on any one segment and that we broad base our operations so as to de-risk the company. Expansion into under-penetrated markets is part of the derisking strategy at Infosys. Infosys has already entered markets in Europe and the Asia-Pacific by opening marketing offices in Paris, Frankfurt, Brussels, Stockholm, Tokyo, Hong Kong, Sharjah, Sydney and Melbourne. Our aim is to have multiple development centers across the globe to provide instant reaction to our customer needs and take advantage of talent pools available in cost-competitive economies. This strategy also reduces the risk to our operations due to changes in geo-political equations. Source: Chartered Financial Analyst, July 2000. (Reprinted with Permission)
7
A fourth point, which is often overlooked, is that risk may arise not only because of environmental
changes. Many of the risks which organizations assume have more to do with their own
strategies, internal processes, systems and culture than any external factors. For example,
the collapse of Barings Bank had as much to do with poor management control systems as
unfavorable developments in the external environment. Similarly, many of the risks which
organizations assume are due to the beliefs and actions of the top management in general and
the CEO in particular.
Uncertainty and risk
Over the years, man has continued to make attempts to master uncertainty. While it is
impossible to anticipate and deal with uncertainty in a perfect manner, man has succeeded in
developing various tools to deal with uncertainty. As Peter Bernstein5 puts it, “The revolutionary
idea that defines the boundary between modern times and the past is the mastery of risk…Until
human beings discovered a way across that boundary, the future was a mirror of the past or the
murky domain of oracles and soothsayers who held a monopoly over knowledge of anticipated
events.”
Organizations face various types of uncertainty. The challenge they face is to understand
uncertainty, quantify it, weigh the consequences of different actions and then take appropriate
decisions. Let us first list the various types of uncertainty that companies face.
A. State Uncertainty: This refers to unpredictability about the environment. Causes of state
uncertainty are:
a) Volatility in the environment
b) Complexity in the environment
c) Heterogeneity in the environment
B. Effect Uncertainty: This is the uncertainty about the impact on the organization due to the
unpredictability in the environment.
C. Response Uncertainty: This refers to the uncertainty about the options available to an
organisation and their outcome.
The dividing line between risk and uncertainty is thin. Some scholars look at risk as a term
appropriate for situations where it is possible to define probability distributions for probable
outcomes, and uncertainty as a term better suited for situations where such probability
5 In his book “Against the Gods”
8
distributions cannot be constructed. Others argue that this distinction is not really needed. We
agree with them. The key issue is to collect more information and analyse it carefully so that the
various uncertainties can be quantified to the extent possible and a total reliance on intuition can
be avoided.
Drucker categorises risk into four types at a broad macro level:
♦ The risk that is built into the vary nature of the business and which cannot be avoided
♦ The risk one can afford to take
♦ The risk one cannot afford to take
♦ The risk one cannot afford not to take
Maximising shareholders’ wealth through risk management
When we think of risk we immediately think of how to cut losses or protect ourselves against
vulnerability. Thus, risk management does have a defensive connotation. But superior risk
management processes hold tremendous potential for generating sustainable competitive
advantages in the long run. How is this so? A prudent risk management strategy, by developing
the required expertise and knowledge, encourages people to take more risk than they would
otherwise. By understanding and controlling risk, a firm can take better decisions about pursuing
new opportunities (which means adding risk) and withdrawing from existing businesses (which
means eliminating risk). As Butterworth6 puts it: “Good risk awareness and management will give
organizations the confidence to take on new ventures, develop new products and expand abroad.
Indeed, risk assessment may well suggest that doing nothing might be the most risky strategy of
all.” Thus, the dividing line between risk management and value creation is much thinner than we
imagine.
Types of risk What are the various risks a company can face? The Economist Intelligence Unit divides risks
into four broad categories. Hazard risk refers to natural hazards, accidents, fire, etc that can be
insured. Financial risk refers to volatility in interest rates, exchange rates, defaults, asset-liability
mismatch, etc. Operational risk covers systems, processes and people and includes issues such
as succession planning, human resources, information technology, control systems and
compliance with regulations. Strategic risk stems from an inability to adapt to changes in the
environment such as changes in customer priorities, competitive conditions and geopolitical
developments.
6 Financial Times Mastering Risk Volume I
9
A 1999 study by Mercer Management Consulting (see figure 1.3 ) found that, between June 1993
and May 1998, 10 percent of Fortune 1000 companies lost more than one quarter of their
shareholder value during a one-month period. The main causes are indicated in figure 1.3
The very nature of uncertainty implies that it is difficult to identify all risks. So, instead of fine
tuning the method of classifying risks, what is more important for companies is to think more
deeply, clearly and consistently about the risks they face. To that extent, each company should
carefully dissect its value chain and understand the uncertainties associated with its important
value adding activities. Then, it can quantify these uncertainties to the extent possible and take a
view on which risk to hold, which to transfer completely and which to reduce. At the same time it
should be realistic enough to appreciate that all risks cannot be quantified.
Let us now look at some of the important risks faced by companies (figure 1.4). Some of them
are ongoing or recurring while others are more sporadic. Some make a tremendous impact while
others have a low impact. The matrix in figure 1.5 gives a framework for dealing with these
different situations.
Strategic risks arise from the company’s core strategies like capacity expansion, vertical
integration and diversification. Capacity expansion has associated risks. After adding capacity, if
the demand does not arise, the company may find itself burdened with overheads. At the same
time, if capacity is not built in time, competitors may move ahead and grab market share. Arvind
Mills, which built up huge capacity for denim production, ran into serious problems when demand
tapered off. Vertical integration gives a company control over additional stages of the value
chain. Yet there are risks involved, as the competencies required to compete across different
segments of the value chain are different. In the computer industry for example, focussed players
like Microsoft and Intel have done much better than vertically integrated companies like Apple.
Excessive dependence on a single or few products, or a single or few regions for generating
revenues results in risk. Many companies look at a diversified product portfolio or geographical
base as a means to stabilize revenues and profits. At the same time, diversification also makes
management tasks more complex. In India, the packaging company, Metal Box went bankrupt
when it diversified into bearings. On the other hand, GE has successfully built up a portfolio of
businesses ranging from financial services to aircraft engines.
10
Technology risk has become a major factor these days. Innovation cycles have become shorter.
Consequently, companies, which do not have a strategy to cope with changing technology, may
find themselves at a disadvantage. The key decision involved is whether to move early or adopt a
wait-and-watch policy, when a new technology is emerging. In the disk drive industry, many of
the established players were completely taken by surprise when smaller disk drives emerged. In
the earth moving industry, hydraulics technology unseated many of the industry leaders.
Mergers and acquisitions, generally considered a strategy to generate fast growth and quick
access to the marketplace are also fraught with major risks. Many companies have paid
unrealistic prices for their acquisitions and the projected synergies have later failed to materialize.
Moreover, integration of the pre-merger entities can run into big problems because of cultural
differences. Some of the deals which have run into problems include AT&T’s acquisition of NCR,
Kimberly Clark’s purchase of Scott Paper and the acquisition of Republic Airlines by Northwest
Airlines.
The most commonly discussed form of risk is financial risk. When interest or foreign exchange
rates fluctuate, there is an impact on cash flows and profits. Risk also increases as the debt
component in the capital structure increases. This is because debt involves mandatory cash
outflows while dividends can be paid at the discretion of the company depending on the profits
generated. Today, sophisticated hedging tools like derivatives are available to manage financial
risk. Among the companies that have failed to manage financial risk well in recent times are
Barings, Procter & Gamble and Sumitomo.
Another type of risk is environment risk. If companies do not take steps to protect the
environment in which they operate, they face the risk of resistance and hostility from society and
the local government. In some cases, this could even threaten the very existence of the
company, as well illustrated by the example of Union Carbide in Bhopal. Similarly, oil companies
like Exxon have faced major crises due to oil spills from their tankers.
Political risk arises from the possibility that political decisions or events may adversely affect a
company’s profitability. It covers actions of governments that interfere with business transactions
resulting in loss of profit potential. In extreme cases, political risk results in confiscation of
11
property. The more common scenario is one in which government imposes constraints on the
conduct of business. Enron has encountered various problems since its entry into India.
More and more importance is also being paid to high standards of legal compliance, ethics and
corporate governance. Illegal and unethical practices and low standards of corporate governance
can bring down the reputation of a company in the eyes of its shareholders, and severely erode
market capitalization. A good example of a company, which has seen a severe decline in its
business owing to unethical and illegal disclosure practices, is the famous insurance company,
Lloyd’s of London. Class action suits by employees or shareholders can pose grave concerns.
Similarly, anti-trust proceedings by the government can distract a company so much that it may
not have enough time for its core business. Microsoft has been heavily burdened in this respect.
On the other hand, Intel is generally credited with having dealt with anti-trust issues much more
professionally.
An integrated approach to managing risks
Integrated risk management is all about the identification and assessment of the risks of the
company as a whole and implementation of a company-wide strategy to manage them. In the
past, a systematic and integrated approach to risk management was an exception rather than the
rule. Fortunately, the scenario is changing. The cumulative experience of the past few decades
in managing risk, the development of financial management and probability theories and the
availability of a wide range of financial instruments has made Enterprise Risk Management
(ERM) a reality. At the heart of an integrated approach to risk management lies three different
approaches which should be seen as complementary. The first is to modify the company’s
operations suitably. The second is to reduce debt in the capital structure. The third is to use
insurance or derivative instruments. A combination of these approaches should be used
judiciously, depending on the situation.
Take the case of environmental risk in a chemical plant. Modifying the company’s operations
could mean installation of sophisticated pollution control equipment or using a totally new
environment friendly process. On the other hand, it could buy an insurance policy that would
protect it in case an accident were to occur resulting in big compensation payments to victims.
Consider an oil company which needs a steady supply of petroleum crude to feed its refineries.
Faced with fluctuating oil prices, the company could set up a large number of oil fields all over
the world to insulate itself from price volatility caused by cartels such as OPEC. On the other
hand, it may buy oil futures contracts that guarantee the supply of oil at predetermined prices.
12
A company like Walt Disney which operates theme parks is exposed to weather risks. If the
weather is not sunny, people will not turn up. So, Disney took the decision to set up a theme park
in Florida. Today, Disney can buy weather derivatives or an insurance policy to hedge the risks
arising from bad weather.
Microsoft manages its risk by maintaining low overheads. Financially, Microsoft operates with
zero debt. So, it does not have to worry about cash outflows on this count. But Microsoft also
believes in maintaining a lean staff and uses temporary workers to deal with surges in work load
from time to time. This not only reduces the risk associated with economic slowdowns, but also
results in greater job security for its smaller group of permanent, talented workers.
An airline can manage its exposure to fluctuating oil prices by taking operational measures to cut
fuel consumption. Alternatively, it can purchase more fuel efficient engines. At the same time, it
can use financial instruments such as futures to hedge this risk.
Operational approaches to risk management are difficult in many situations. They may be too
complicated, too expensive or may conflict with the company’s strategic goals. By using financial
instruments, companies may be able to focus on specific risks and hedge them at a lower cost.
Unfortunately, financial instruments are not available for some types of risk. Moreover, they can
be issued only for risks which can be clearly identified and quantified.
Of course, the ultimate strategy for the rainy day is to keep overheads low, keep debt low and
hold lots of cash to tide over uncertainties about which managers have little idea today. Indeed,
equity is an all-purpose risk cushion. The larger the amount of risk that cannot be accurately
measured or quantified, the larger the equity component should be. Of course, lower risk through
use of more equity also implies lesser returns, as equity is a more expensive source of funds.
An integrated view of the three different approaches needs to be taken. Indeed, one approach, if
implemented, can have an impact on the other two. For example, the leverage a company
deploys would depend on capital investments, which in turn may depend on the company’s
diversification plans. Similarly, cross business risks should not be overlooked. In 1988, Salomon
Brother’s unsuccessful attempt to take over R J R Nabisco changed its risk profile adversely
resulting in a negative impact on its derivatives business.
Company-wide integration of risk management activities enables the purchase of more efficient
and cost effective insurance contracts. In 1997, 7Honeywell purchased an insurance contract that
7 Lisa Meulbroek, “Total strategies for companies for company-wide risk control ”, Financial Times, Mastering Risk Volume I, p. 71.
13
covered various types of risk – property, casualty, foreign exchange, etc. Honeywell cut its
insurance costs by 15% in the process. Aggregate risk protection not only costs less than
individual risk coverage but will also be better tailored to the company’s risk management needs.
Conclusion
In this dynamic and complex environment, events are unfolding with a degree of uncertainty and
speed never seen before. The magnitude and nature of risks faced by companies are constantly
changing. Good risk management has become more critical than ever before. But risk
management is a challenging discipline. It is all about changing the way decisions are made.
Moreover, risk management is not a purely defensive tool as many believe and certainly does not
imply excessive caution. Rather, it is about creating conditions in which managers are
encouraged to achieve the right balance between minimizing risks and exploiting new
opportunities. Indeed, the ultimate aim of risk management is to make available a steady stream
of cash flows that can be utilized to maximize shareholders’ wealth.
To be effective, ERM should be strategic rather than tactical in its orientation. A tactical
orientation means that the objectives are limited, typically involving hedging of explicit future risks.
On the other hand, strategic approach looks at how the company as a whole and its competitive
position within the industry will be affected. An integrated approach requires an overall
understanding of the company’s operations as well as its financial policies and is consequently
the responsibility of senior managers and cannot be delegated to the treasury desk or individual
businesses.
Is risk management an art or a science? Many feel that in an attempt to master risk, man has
become a slave to mathematical tools, techniques and models. As Bernstein (Against the Gods)
puts it: “Our lives teem with numbers but we sometimes forget that numbers are only tools. They
have no soul; they may indeed become fetishes. Many of our most critical decisions are made by
computers, contraptions that devour numbers like voracious monsters and insist on being
nourished with ever greater quantities of digits to crunch, digest and spew back.” Yet, a total
reliance on intuition may not be advisable. A successful risk management framework would
strike the right balance between intuition and numbers.
14
References: 1. Arie P De Geus, “Planning as Learning”, Harvard Business Review, March-April 1988,
pp. 70-74. 2. Robert S Kaplan and David P Norton, “The Balanced Scorecard – Measures that drive
performance,” Harvard Business Review, January – February, 1992, pp. 71-79.
3. Kenneth A Froot, David S Scharfstein and Jeremy C Stein, “A framework for risk management.” Harvard Business Review, November – December, 1994, pp. 91 – 102.
4. Joseph L Bower and Clayton M Christensen, “Disruptive Technologies: Catching the Wave,” Harvard Business Review, January – February, 1995.
5. Rita Gunter McGrath and Ian C Mac Millan, “Discovery – driven planning” Harvard Business Review, July-August 1995, pp. 44-52.
6. Michael E Porter and Claas Van der Linde, “Green and competitive: Ending the Stalemate”, Harvard Business Review, September-October, 1995, pp. 120-133.
7. N Gaig Smith and Robert J Thomas, “A strategic approach to managing product recalls”, Harvard Business Review, September/October, 1996, pp. 102-112.
8. James M Utterback, “Mastering the Dynamics of Innovation”, Harvard Business School Press, 1996.
9. Heidi Deringer, Jennifer Wang and Debore Spar, “Note on Political Risk Analysis”, Harvard Business School, Number 9-798-022, September 17, 1997.
10. Hugh G Courtney, Jane Kirkland and S Patric Viguerie, “Strategy under uncertainty”, Harvard Business Review, November-December, 1997.
11. Mark L Sinower, “The Synergy Trap”, The Free Press, New York, 1997. 12. Andrews Merkl and Harry Robinson, “Environmental risk management: Take it back
from the lawyers and engineers”, the McKinsey Quarterly 1997 Number 3, pp. 150-163. 13. Patric Wetzel and Oliver de Perregaux, “Must it always be risky business?”, The
McKinsey Quarterly, 1998, Number 1, pp. 14. Peter L Bernstein, “Against the Gods”, John Wiley & Sons, 1998. 15. Robert Simons, “How risky is your company?” Harvard Business Review, May – June
1999, pp. 85 – 94. 16. Rober G Eccles, Kersten L Lanes and Thomas C Wilson, “Are you paying too much for
that acquisition?” Harvard Business Review, July-August 1999. 17. Clayton M Christensen and Michael Overdorf, “Meeting the challenge of disruptive
change.” Harvard Business Review, March – April, 2000. 18. Joanne Sammer, “The three faces of Risk Management”, Business Finance Magazine,
December 2000, www.businessfinancemag.com 19. Forest L Reinhardt, “Down to Earth”, Harvard Business School Press, Boston, 2000. 20. David B Yoffie and Mary Kwak, “Playing by the rules – How Intel avoids antitrust
litigation, Harvard Business Review, June 2001, pp. 119-122. 21. D G Prasuna, “Scanning for De-risking,” Chartered Financial Analyst, July 2001,
pp. 23-31. 22. Christopher L Culp, “The Risk Management process”, John Wiley & Sons, 2001. 23. Mark Butterworth, “The emerging role of the risk manager” Financial Times Mastering Risk, Volume I, p.23 24. Lisa Meulbroek, “Total strategies for companies for company-wide risk control”, Financial Times, Mastering Risk Volume I, p. 71. 25. Philip Bell, “Product failure and the growing culture of claims”, Financial Times,
Mastering Risk Volume I, pp. 156-160.