One of the most important challenges for management today is determining the risk appetite of the corporation. Current economic uncertainties, scandals such as Enron, Parmalat and WorldCom, and a generally complex business environment have created the need for a robust framework that enables management to evaluate and improve risk management and provide confidence to board members, investors, regulators, investors and rating agencies.
Determining the risk appetite requires a clear articulation of the company’s approach to risk taking, including the nature of the risks, the amount of risk the company wants to carry and the desired balance of risk and reward. Running a business of any size involves choices, and the board’s aim will be to match the effect of decisions as closely as possible to the risk appetite and for the implications of those policies to follow through into day-to-day operations. Maximizing returns while remaining within the risk limits is, clearly, not a new concept. What has changed is the rigour and comprehensive approach that companies are increasingly expected to apply to the identification, measurement and management of the uncertainties involved across the board: to strategic, financial, operational and hazard-related risks.
Regulators and rating agencies want assurance that the company applies a robust approach to all the risks to which the business is exposed in a global way, not one that buys fire insurance for its buildings but fails to anticipate a competitor’s attack on a valuable intangible asset or that becomes aware too late that an acquisition has a legacy of environmental pollution exposures from discontinued activities. The traditional risk management approach starts with categorizing risks, important because it permits the company to define and organize the risk management functions and activities. Classification makes risk manageable. At the same time, it tends to compartmentalize it.
Within such confines, the risks may be well managed, but the business can remain vulnerable because the global view is missing. Interrelated exposures, cross-enterprise risks and gaps in responsibilities may not be evident from the perspective of a business unit or function, but, nonetheless, they must be managed or they will remain a threat to the company’s objectives and the legitimate expectations of shareholders and regulators. Furthermore, the traditional risk management approach focuses on loss prevention for tangible assets rather than on creating opportunities through tangible and intangible assets.
This sets the scene for enterprise risk management (ERM). ERM differs from risk management in scale, comprehensiveness and volume. By definition, the scope of the investigation is the enterprise, but this does not mean that it addresses all risks equally or that there is no focus on critical areas. Its aim is to make management aware of the necessity for communication and coordination across the different risk silos, and of taking a global view. There are many definitions of ERM. My company has adopted the following:
‘Understanding the key risks facing the entire organization, and aggregating this information, so that the right decisions can be made about where to allocate capital to facilitate business improvement.’
Thus, the value of ERM goes beyond compliance and avoidance of surprises to better usiness performance and more efficient use of capital. Armed with robust information about the company’s exposures and their relative weight, the directors will be able to take strategic decisions that maximize opportunities within the defined risk appetite.
Further, if the analysis highlights interrelationships between risks, it may be possible to change processes or locations, create controls to reduce the exposure or use insurance to bring it to an acceptable level. It should also enable the company to spot opportunities that would be only weakly correlated or that would diversify risk with its existing activities. In this way, a company can exploit business opportunities that would otherwise make its exposure to risk unacceptable
Determining the risk appetite requires a clear articulation of the company’s approach to risk taking, including the nature of the risks, the amount of risk the company wants to carry and the desired balance of risk and reward. Running a business of any size involves choices, and the board’s aim will be to match the effect of decisions as closely as possible to the risk appetite and for the implications of those policies to follow through into day-to-day operations. Maximizing returns while remaining within the risk limits is, clearly, not a new concept. What has changed is the rigour and comprehensive approach that companies are increasingly expected to apply to the identification, measurement and management of the uncertainties involved across the board: to strategic, financial, operational and hazard-related risks.
Regulators and rating agencies want assurance that the company applies a robust approach to all the risks to which the business is exposed in a global way, not one that buys fire insurance for its buildings but fails to anticipate a competitor’s attack on a valuable intangible asset or that becomes aware too late that an acquisition has a legacy of environmental pollution exposures from discontinued activities. The traditional risk management approach starts with categorizing risks, important because it permits the company to define and organize the risk management functions and activities. Classification makes risk manageable. At the same time, it tends to compartmentalize it.
Within such confines, the risks may be well managed, but the business can remain vulnerable because the global view is missing. Interrelated exposures, cross-enterprise risks and gaps in responsibilities may not be evident from the perspective of a business unit or function, but, nonetheless, they must be managed or they will remain a threat to the company’s objectives and the legitimate expectations of shareholders and regulators. Furthermore, the traditional risk management approach focuses on loss prevention for tangible assets rather than on creating opportunities through tangible and intangible assets.
This sets the scene for enterprise risk management (ERM). ERM differs from risk management in scale, comprehensiveness and volume. By definition, the scope of the investigation is the enterprise, but this does not mean that it addresses all risks equally or that there is no focus on critical areas. Its aim is to make management aware of the necessity for communication and coordination across the different risk silos, and of taking a global view. There are many definitions of ERM. My company has adopted the following:
‘Understanding the key risks facing the entire organization, and aggregating this information, so that the right decisions can be made about where to allocate capital to facilitate business improvement.’
Thus, the value of ERM goes beyond compliance and avoidance of surprises to better usiness performance and more efficient use of capital. Armed with robust information about the company’s exposures and their relative weight, the directors will be able to take strategic decisions that maximize opportunities within the defined risk appetite.
Further, if the analysis highlights interrelationships between risks, it may be possible to change processes or locations, create controls to reduce the exposure or use insurance to bring it to an acceptable level. It should also enable the company to spot opportunities that would be only weakly correlated or that would diversify risk with its existing activities. In this way, a company can exploit business opportunities that would otherwise make its exposure to risk unacceptable
0 comments:
Post a Comment