John Abbott pleads for a more enlightened corporate attitude to risk management

Historically, value preservation issues have driven the risk and controls agenda. In today’s ever-changing risk environment, with so much time and effort being expended on the management of risk, it is not unreasonable that businesses should now start to expect more of a return from this investment.

Businesses should be seeking to move beyond value preservation, and to prove that all this investment brings more benefits than just compliance with the latest regulation. However, the move from value preservation to value creation is no small step.

For years, corporates have thought of risk in purely defensive terms. The challenge was seen as mitigating – or even eliminating – risk in an effort to preserve the value of the company. After all, risk is a bad thing, isn’t it? If possible, we would eliminate the slightest hint of risk in everything we do, wouldn’t we?

Well, possibly – but that will never happen. Instead, some companies have come to realise that a little bit of risk equates to opportunity and have accepted that heightened risk – so long as it is well managed – may be a way of sneaking an advantage over their competitors. Accordingly, more forward-thinking companies now seem to think of risk in offensive rather than defensive terms. They still appear to be in the minority, but they are now thinking about creating value, not just preserving it.

Arguably, there have never been more risks to a business than there are in the current marketplace. Even leaving aside today’s prevailing concerns about the credit crunch, consider the following: technology, entering new markets, changing consumer habits, new products and dealing with the emerging economies. These are all aspects of business which carry far greater risks than they used to, thanks to the effects of globalisation and a more demanding end-user.

With so many potential risks out there, it is no surprise that companies have, on the whole, become highly competent in monitoring them. With so much risk information to hand, you could be forgiven for thinking that it is one quick, easy step to start dissecting that information, with a view to finding something which could give rise to a competitive advantage.

Sadly, this is not the case. Many companies’ default position on risk is to try to avoid it. They will be aware of unavoidable risks; they will monitor them and report on them – but embracing more risk can prove a step too far for many. Instead, they prefer to shy away.

In this changing risk environment, companies should be able to assess and quantify how much risk they are exposed to. The quantification point is crucial here. Initially, many people would think that risk is not something which can be quantified – but I disagree.

Risk can be quantified in terms of the potential losses to a business which would occur if the worst case scenario relating to a specific risk became a reality. This sort of economic analysis would reveal whether a company could take a hit from every single risk facing it, and yet still emerge, able to keep on trading, on the other side.

It is no different to what the banks do with their capital adequacy ratios. At any point in time, they know how much of their own capital has to be kept aside to cover their borrowings. The remainder is then available for their lending business.

For banking capital, read corporate risk. Once you know how much capacity you have to take on further risk, you can actively pursue the commercial opportunities which your less proactive competitors may be shying away from. In short, if you know your business could afford to increase its risk bank by 10% without jeopardising your future, would you not seek to use that 10% for competitive advantage?

It sounds simple, but few companies appear to be going down this route because the word ‘risk’ is still not one which sits comfortably with many corporate boards. It has a pejorative feel to it – and is treated accordingly.

In time, this may change, but until then, we may have to accept that there has probably never been a time when corporates have been more sensitive about risk and its implications than they are now. In these post-credit crunch days, there is a burning desire to be completely aware of all the potential risks which could suddenly transform into a wolf at the door.

No guarantee of survival

A recent KPMG international survey, The Evolution of Risk & Controls, showed that the single most influential factor behind the development of risk and controls within a business was an increased focus on the topic by senior management and the board. If they are scared of – or unnerved by – risk, you cannot really blame them. The spotlight on risk has never shone more brightly.

Consider the current fascination with enterprise risk management (ERM). Few would argue that ERM is a bad thing. It is not. It is a way of getting a company’s risk affairs in order and is a crucial corporate governance tool.

“The slightest perceived failings in terms of risk management can have a major impact in terms of reputation, regulatory investigation or a downgrading in credit rating”

However, there is almost no correlation between the state of a company’s ERM framework and the chances of that company going bust – yet many institutional investors and ratings agencies give the impression they believe there is a link and pressurise the company to further improve its ERM arrangements as a result.

The quantification analysis of risk mentioned previously could be a better indication of the likelihood of a company getting into trouble. The ERM framework is merely a mechanism for ensuring that risk is efficiently and effectively monitored across a large organisation. A company could have the most incredible ERM set-up but could still ultimately be undone by some rather ill-judged, overly risky decisions made at the highest level, or by an unmonitored, niche part of the business.

Anyway, for right or wrong, that is what the current situation is – and companies should react accordingly. Such is the intense focus on risk that KPMG member firms are seeing private equity houses ordering complete risk reviews on all the businesses within their portfolios; something which did not seem so important when the purchases were made a few years ago. Current market conditions have now acted as a catalyst though, and the work needs to be done.

The events of the past few months have also thrown into sharp focus the increasing power of the ratings agencies in this area. It could be fair to say that they have been a key driving force behind the rise of ERM up the corporate agenda. The threat of a company’s credit rating being adjusted downwards as a result of perceived failings in its ERM frameworks hangs like a sword of Damocles over companies around the world.

What many people forget is that any adjustment of a company’s rating could be made on the basis of numerous factors, not just its ability to manage risk. In fact, the ERM assessment has made it no further than the consultation stage yet, but the fear remains that, once introduced, it could be the tie-breaker; the one final black mark against a company’s name which would tip the balance in favour of a downgrade.

In this regard, it would be no different to any one of the other numerous factors against which companies are assessed – but as it includes that ‘risk’ buzzword, it cannot simply be swept under the carpet.

As someone who spends his professional life working with risk issues, I am not going to complain about this new-found focus on risk, especially as it is forcing companies to approach it more seriously, more consistently and with greater rigour. However, if companies do not take this opportunity to move their organisation from value preservation towards value creation, this could be a chance missed.

For example, with many companies, you have to ask when senior management last made a decision based on risk management information. Sadly, the answer is rarely encouraging, as such decisions are made infrequently, if at all.

For sure, the information is there, as the processes for reporting on risk, the management of risk and the mitigation of risk are sound. It is comforting to have that information to hand but, from experience, that information is seldom used in a forward-looking manner to help inform the really big, strategic decisions. Therefore, an opportunity exists to make better use of this information.