An integrated approach

In May 2008 the rating agency Standard & Poor’s said it would include enterprise risk management (ERM) in its ratings of non-financial corporations. The decision to apply ERM ratings to its analysis has helped push risk management into the spotlight. S&P considers ERM a good indicator of ‘forward-looking stability’. However, there are no guarantees that a sign-off from the rating agency actually means a company is well risk managed. S&P has included ERM analysis in its ratings of financial institutions and insurers since 2005, but the agency was unable to provide any early warnings about the financial crisis.

One of the problems is that there are still lots of issues to be ironed out in the assessment process. Rating agencies tend to complete their evaluations with limited resources, which means they rely heavily on information provided by the company they are rating. The risk management profession, despite some big efforts, has difficulty defining standards in ERM. Different businesses organise their ERM efforts in totally different ways, which means it is very difficult to compare one with the other.

Despite these difficulties in evaluating ERM, it is generally agreed that the process delivers some important benefits for companies. It also brings a visibility boost to the risk management profession and the opportunity for them to contribute in strategic discussions with senior management. If banks acknowledge that a company has good ERM in place a company may even be able to secure financing at a cheaper rate. That is more important now than ever.

Aymeric Boyer-Vidal, director of audit and risk, GDF-Suez, is part of an AMRAE working group tasked with pushing the ERM rating initiative forward and addressing some of these issues. ‘Today there are some good success stories of embedding risk management in big companies in France,’ he says. ‘More and more companies are doing ERM and there is a feeling that we are reaching a critical mass. But it is never won, it is a constant battle.’

He describes the process at GDF-Suez: ‘We have a network of risk officers that are in charge of ERM processes in the company. That network is being widened to embed risk management at an operational level. We have between 50 and 100 people who are in the ERM network. And in each of the group’s six business units we are cascading the process down.’

One of the challenges he says is to ensure everyone thinks about risk in the same way. ‘When we first started talking about risk it was not easy. The natural reaction of a manager was to say there is no risk in my area because I have eliminated it with good management. Now we are challenging this view. When you have a good risk culture managers are comfortable admitting they have many risks in their area and they are able to tell you what they are doing to mitigate them to an acceptable level.’

Lessons learned

The financial crisis revealed some serious problems with this process. Banks and financial houses were supposed to be the institutions with the most well established risk management culture. Except when it came down to it the flow of risk information was either ignored or not understood at the top level of the organisation. Risk management departments were too siloed – and that meant there was no single picture of the total exposure to bad debt. Chief executives were never able to get a proper handle on the total risk exposures their business units were mounting up. Risk managers also made the mistake of relying too much on their models, which only assessed historical data. And that meant they could not get a view of what was around the corner. It is important that the profession learns from these mistakes so it can prevent the same happening again.

‘The financial crisis is also a crisis of the risk management system itself,’ notes Boyer-Vidal. ‘Some companies thought they were not exposed to certain risks, but in fact their exposures were much stronger than they thought. It was a failure of evaluating the right level of risk. I think more and more people are aware of that.

&#8220One of the challenges is to ensure everyone thinks about risk in the same way.

 

‘The risk management profession should build on this financial crisis,’ he adds.

‘We have a tendency to look back and inside our companies. We should build systems that are capable of looking outside the company and assessing the threats coming down the tunnel. And pay enough attention to those signals.’

Industrial companies do not rely on models as much as financial institutions. Their risk management takes on a more operational face. However, the idea that it is best to integrate several different views of risk to give an overall objective picture applies whether you are selling mortgages or building a gas pipeline.

‘A model only encompasses what you have learnt from past situations. There are so many new things that bring those models out of the picture that at a certain time you lose contact with the reality. Another lesson to learn from the crisis is that what we believe to be low risk may not actually be so low.

‘Risk managers need systems that give them the courage to challenge certain truths in the company, so they can question directors when they say the situation is comfortable. There is an important role for the risk manager to play in challenging these conventional wisdoms,’ comments Boyer-Vidal. Risk managers are in a difficult position because they do not want to be seen as slowing the business down but helping it to avoid major disasters. The profession sometimes compares itself to the brakes

on a car, but this means it can get excluded from business decisions rather than going hand in hand with them. Certainly many risk managers in banks felt they were swimming against the tide when the boom in structured credit products took off. This position can feel even less tenable in the current economic turmoil and risk managers might be worried about sticking their necks out by making unpopular decisions. With companies scrutinising the value of their investments much more closely, there are some concerns about the future of the profession. These are misplaced. Cutting into risk management costs is not a sensible decision, it is not a luxury that companies can afford to do without in the current environment.

Boyer-Vidal comments: ‘For certain managers risk management is seen as a structure that reduces their degree of liberty in the initiatives they can take, or raises costs. It is always an issue to convince senior management that it is the right investment which is in the long term interest of the company. I think during this crisis we have we will have a bigger audience than we have had in the past.’

He adds: ‘2009 is a year for confronting threats and delivering efficiency in the company. Cash will be closely monitored so it is not a year for big investments. But I do not believe that top management will decrease investment in risk management. In fact, the opposite will be true. Even in tough times management will not retrench in terms of investment they put in risk management systems.’

The main lesson from the financial crisis is that risk management is only truly effective if it is done strategically. That means getting an overall picture of the risk and matching it up with a company’s goals. It also suggests that organisations should breed a culture that values the role risk management plays. To achieve this, risk managers need to step up to the challenge and present the right insights but, equally, senior managers need to take on board that advice.