Sue Copeman reports on the Willis Business Risk Practice Think Tank on risk information for the 21st century.

Following a brief presentation by knowledge management specialist David Skyrme on risk knowledge management: strategies, practices and tools, Think Tank members addressed a range of issues relating to assessing and meeting risk information demands. They began by looking at the internal and external sources of demand for risk information.

It was clear that the risk managers felt most of the demand for risk information to be externally driven and to be growing. Adrian Belton and Alan Fleming stressed that regulators were increasingly important drivers, requiring regular information and monitoring. Chris Temple said that investment analysts had huge information requirements. "It is getting to the stage where one is expected to be able to report on a monthly basis, almost down to each sub-unit. More and more people are looking at sustainability and environment."

Chris Lajtha pinpointed the customer. "Increasingly, customers are concerned about their supply chain. They want to know how robust the solution that you are proposing is, whether you can deliver, and how predictable your performance is."

Don Lloyd believed that the external demand for data was largely driven by the 'comfort factor'. "Regulators, analysts and investors want to know that managers are aware of the issues and are managing the company in a responsible manner. If we can start from scratch and become risk embedded, maybe they would ask for information rather than just data." Temple responded that this was the driver behind Turnbull's recommendations. "The committee did not think people were looking sufficiently at risks in internal systems. I do not know how many companies will accept the idea that Turnbull improves performance. Compliance may just be seen as just another thing that has to appear in the annual report."

He also foresaw problems for multinationals, where many subsidiaries outside the UK might not have heard of Turnbull. "If you suggest they follow Turnbull guidelines to help run the business better, the answer may be: 'We've been fine up to now, why should we change?' The challenge is that no-one has clearly demonstrated that all of the data which external people want actually does improve the business." Lajtha asked why there was not so much internal demand for risk information. Temple saw trying to create awareness and the desire for knowledge of risk as one of the key issues. Neil Campbell suggested that internal demand was changing. Companies wanted to know how much risk they should take, what was strategic and what was not.

The right information?
There was considerable discussion on the meaning of information and risk. Campbell described information as a mix of data and knowledge. "Data is the numbers. Knowledge adds the experience - the ability to make decisions best on the day." Belton said that while regulators were concerned to know that management were competent and in control, the evidence they often saw was hard stuff - data and reports, which did not reveal the part played by knowledge. He added that analysts anticipating future performance looked for forward indicators, where, historically, companies have run on 'lag' indicators. Temple agreed that better tools were needed, to enable you to show that you were looking ahead.

Lajtha suggested that another reason for the current demand for risk information was because of an evolution in business models. He suggested that conventional accounting protocols did not adequately address items such as intellectual and human capital, which should really appear on a balance sheet in some form. At a time when market expectations have driven many p/e ratios to several multiples of their historic levels, there was a growing appetite for relative risk information. Temple felt that this presented a challenge for a company's financial management - how to provide the information that helps run the business, and how to assess the contribution of risk information?

Participants felt there was little understanding of how risk information and indicators could contribute to performance and profit objectives. Fleming focused on two external factors. "Political and human considerations influence performance. How do you identify and tackle the measurement factors relating to these? What sort of performance indicators are we looking at and what are the key considerations?" He also said that Turnbull had been a driver for processes. "Viewing Turnbull merely as a compliance issue would be a waste. Since we have to do it, we might as well get some value out of it. It can make us realise that we don't know as much about the business as we thought we did."

Campbell was concerned that product managers might be taking decisions in isolation. "You need to look at the effect on the rest of the company, which you cannot see until you've got all the data. For example, managements should be concerned about possible unevenness of risk transfer."

Belton commented that risk assessment is often built around finance rather than comprising a comprehensive strategic assessment. Fleming agreed. "Everyone has a contingency plan but most do not spend any money on it. Where a major project is concerned, you get really good risk management work going and a big budget to go with it. So why are companies prepared to spend a lot of money on risk management for major projects but not for their core business?"

Defining risk
Campbell tackled the knotty issue of defining risk. "When you actually analyse what managers perceive as risks, many are not risks at all but issues, or outcomes of risk. They don't drill down to fundamental causes." Temple commented that people could associate with a risk issue, but analysing the causes that lead to ultimate exposure is more time consuming and difficult.

Following discussion, Lajtha came up with this definition. "Risk is a measure of deviation from a range of expected outcomes. In other words, when decisions are made, they assume a number of anticipated outcomes. A little volatility is immaterial, but, if the range of expected outcomes is exceeded, sub-optimal and undesirable volatility may arise."

He explained that he saw this definition as leading to the creation of 'snapshots' of relative riskiness to go with a set of decisions, at a specific time, and for a specific duration. "The implication is that risk management can produce a series of exposure profiles during the life of a project, which can provide a measure of the changing risk/reward relationship. Reward is linked to risk - where risk is defined in terms of volatility." Fleming felt that was a good analogy. "Sometimes you do some risk management and think that that's it. But risk management should be continuous, constantly forward looking." Temple felt that it was important to monitor the difference between current status and ultimate destination. "This involves considering major failure rates, plotting them in a range and always trying to limit the range. You can identify what risk events over the period might prove to be serious, run a simulation model and then analyse those that caused most variance. The value of this approach is that it can incorporate soft as well as hard objectives. For example, your hard objectives would include profit, while softer objectives include building brand image."

Identifying issues
Campbell stressed that one of the most important starting points is to have a total supply map of the company. "We have got to understand what the flow is through the whole company. Only then can you start looking at the risk management information required. Such a supply map should go right back to the commodities on which your products are based. Beyond operations, we should also look at R&D." Lloyd considered that the strategic level extended beyond the supply chain. "You need to decide what your corporate strategy is, what represents deviation from that strategy, and how you measure that."

Lajtha summarised the group's thinking with a step by step approach to identifying and dealing with risk issues.

  • Identify business strategy and segmental activities.
  • Assess the key business performance measures.
  • Analyse how business strategies are converted into operational plans and activities.
  • Decide on the key performance indicators (KPIs) for your managers (how do you lead your people?).
  • Ask what the segmental expected outcomes are.
  • Determine what is acceptable and unacceptable deviation from those expected outcomes.
  • Identify the principal sources of volatility (Key Volatilities Sources - KVSs).
  • Having done this, decide on your system of internal controls (how you manage it).

    Lloyd said that this approach provides the sort of risk information you might need to run your business. "What you might need to communicate is different."

    In the afternoon session, the group moved to looking at external communication. To those sectors already discussed, they added employees, media, community, stewards, and government.

    Campbell pointed out that the information these groups required, while overlapping, was largely discrete. Belton added that companies needed a joined-up approach here. "What we say to analysts needs to be aligned to what we say to employees." Temple provided a note of scepticism. "We are losing control of information because it is so freely available. We are losing control of a very important tool in managing our exposure." Lajtha agreed: "Once we could target individual members of a stakeholder group. Now we have lost that choice." He considered that most managers are more comfortable addressing return/reward metrics than the associated risk - "although maybe Turnbull is changing that". This led to discussion of the risk information to be included within annual reports. Temple considered that many companies required their managers to state what they had done about risk and this formed the basis of their risk reporting. But he felt that the knowledge from, for example, brainstorming sessions, delivered the real management value. "How do you communicate this in a report?"

    Campbell suggested that many companies might consider that they were doing risk management because they had people doing various things such as product checks, but had no one looking at the broad picture. Temple agreed. "It is easier to satisfy the world with lots of activity rather than with a brainstorming session that found a single critical issue and focused on it. The majority of risk audits focus on a fairly low level. The real risks are usually at the highest level of decision making. It is easier for all of us to tackle what is going on in the field than some of these really high level things. Our challenge is to show we can make a positive contribution by providing quality risk information to improve decision making."
    Sue Copeman is editor of Strategic Risk.

    Think Tank members
    Gordon Hill of Willis chaired the group, with corporate risk managers represented by:

  • Alan Fleming, AIRMIC
  • Neil Campbell, AstraZeneca
  • Adrian Belton, Bradford & Bingley
  • Chris Temple, Invensys
  • Don Lloyd, Nycomed Amersham
  • Chris Lajtha, Schlumberger

    Also present for Willis were Deborah Graham, Tracey Morris and Glen Walsh.