Risk management, as it is called in the Anglo-Saxon world, has reached an impasse. Dealing as it does almost exclusively with operational or insurable risks, it is really only responsible for about 10% of the exposures that a business faces. Only when the remaining 90% of the risks - financial and leadership - are included in the picture will the organisation really be in a position to inform its shareholders that it has done true risk management.
So says Eberhard Knebel, an elder - but far from elderly - statesman of risk management. Knebel retired in October 1998 after 32 years' experience as an insurer with Allianz, and as a risk manager with BMW. Today, despite having the time for a leisurely interview in the garden of a country inn outside Munich, he remains active as a lecturer in the faculty of business administration at Passau University and as part of the team developing Prorim, the risk management education project of the Federation of European Risk Management Associations (FERMA).
"What affects shareholder value is rarely within that 10%," he says.
He estimates that 40% of the risks to the success of a business are financial - interest rates, foreign exchange, taxation and so on. What he calls 'soft risks' are responsible for 50%. By this, he means principally the quality of the company's management and the culture of the organisation.
Pierre Sonigo spent his career in risk management with a number of large, French-based companies. He and Eberhard Knebel know each other well through the network of European risk managers. Sonigo comments, "I cannot verify the figures stated by Eberhard, but fully agree that a very small portion of the risks of a corporation are under what we used to call the risk manager. This was not the case a few years back, but has greatly changed in the past five years. The scope of risks is moving quickly: new legislation applies, and accounting best practices are implemented everywhere. A formal financial risk management system must be put in place. New cash, decisions and information flow analysis is being conducted and controls placed at strategic points. Many more actors are involved: internal auditors, procurement officers, legal counsel ... Outside consultants are everywhere. Risk control is spreading at all levels of the organisation, but in a disorganised way, with no real transversal approach, leaving a lot of risk domains untouched, with the traditional risk manager often not even implicated."
These soft risks are much more likely to destroy value in the business than the loss of a factory somewhere. "A company's major risks are attributable to errors made on the leadership level," Knebel has written in his study on hard and soft risks for GE in 2001. In monetary terms, he says, soft risk could cost billions, even tens of billions of euros. What he calls hard risk would run at most to hundreds of millions of euros.
The risk proportions, he says, may not be absolute, but they are close, and no one ever challenges the assumptions behind them. "Everyone agrees that these soft factors are responsible for at least 50%. No one ever disagrees, except to suggest that operational risk factors may be less than 10% and the soft factors more than 50%." For example, the risks inherent in mergers and acquisitions - assumed as a result of decisions taken voluntarily by the board - are among the most dangerous to shareholder value. As Sudi Sudarsanam, professor of finance and corporate control at Cranfield School of Management and the author of Creating Value from Mergers and Acquisitions, points out, 'Estimates of the proportion of M & A deals that fail to create value, range from 50% to more than two-thirds'.
Knebel suggests flawed decision-making can result from a lack of understanding in new situations, such as acquisitions, or ventures into new countries.
An ivory tower management may respond so slowly to changing circumstances that it does not react until sales have fallen by 50%.
Sonigo comments, "Strategic issues are, by necessity, in the hands of a very small number of executives. Their sensitivity to risk and awareness of risk management techniques vary greatly. But unless risks are properly identified, quantified and controlled, at this critical stage, the consequences can be dramatic. The traditional risk manager is very seldom part of this executive committee. Therefore, although his role is expanding, his contribution to these issues is minimal. Companies lack integrated risk management teams with transversal responsibility, which can provide recommendations at the highest decision levels."
Risk management methods are hardly ever applied to leadership risks, although, ultimately, they are what rating agencies are trying to assess, Knebel believes. Yet he thinks they are just as amenable to a process of risk analysis and mitigation as operational risks. "It just needs to be approached from a different angle. It calls for sensitivity - a process of self-education." It requires behaviour-related risk management standards to become part of the company's leadership portfolio.
There is also a need for someone who can play the role of the medieval court jester and say unwelcome things to senior managers - without the modern equivalent of the medieval fate of losing his head.
But if the CEO is an autocrat, the directors are isolated, or lack the ability to deal with the situations, who has this responsibility? It is unlikely to be the risk manager or, as Knebel prefers, risk co-ordinator, if he or she is only responsible for 10% of the risks.
Nor will insurance issues affect the thinking of senior managers if they lack insight - except in a defensive way. Knebel points out that insurance has become less relevant to enterprise risk. If 10% of the exposures are fortuitous risks with which the risk manager is preoccupied and large businesses probably self-insure 20%, then insurance will only respond to 8% of potential losses. Shareholders and the providers of loans are providing the great bulk of the risk capital.
Knebel dislikes the title risk manager in any case; he believes it is a misnomer. The job must be one of risk co-ordination or risk consultant; the real managers of risk are those who are taking them at operational level. The risk co-ordinator's job is to set out what has to be done and get line managers committed to doing it. The way Metro, the leading European cash and carry company, operates strikes Knebel as the right approach.
There the risk co-ordinator sets out eight risk management principles to which the line managers must commit themselves - and the framework covers operational and financial risks.
However, according to Sonigo, it is important to keep the name risk manager as the guardian of the risk management in the corporation. It gives him or her status in the company, which is necessary to remain credible with peers. "However, I am in favour of adding specific domains of activity to the name. Financial risk managers, operational risk managers, legal risk managers or communication risk managers should be nominated. They would use the same tools in a coherent way, under the supervision of a chief risk officer, a member of the executive committee. This would improve the handling of soft risks."
What institutional investors want, says Peter Montagnon, head of investment affairs for the Association of British Insurers (ABI), is for companies to achieve high-quality, sustainable earnings, paying dividends over the long term. Speaking at AIRMIC's annual conference in Brighton in June 2005, he said, "Investors expect companies to manage their risks sensibly so that they do not destroy value unnecessarily. We don't expect companies to manage risks so nothing bad ever happens, but we do want them to manage risk with their eyes open."
Knebel asks, "But how is it possible to co-ordinate risk management if 90% of the risks are excluded?" He blames the Anglo-Saxon approach for a compartmentalised approach to risk, a paradox given its emphasis on shareholder value. "They refuse, for instance, to include financial risk, which is narrow-minded." The problem gets worse as companies become more international and have three separate risk functions that do not speak to each other, in 50 different countries.
Knebel finds the practice closest to the model he envisages in GE, where the risk manager is based in the finance department and has oversight of both financial and operational risk. Knebel reckons this would allow the risk officer to have oversight of about 50% of the risks and their interaction.
This would still leave the soft risks untouched, for even an astute, well-qualified risk officer who reports to the CFO is still not going to be able to challenge senior management. "At the moment, there are no tools to manage such risks," says Knebel, "but there should be. We need things such as a soft risk audit, a mind-map for sensitivity to anticipating risk, or a system on how to deal with early hints of an impending disaster."
This is supposed to be the job of the representatives of the shareholders or the stakeholders. In other words, non-executive directors in Anglo-Saxon companies and the supervisory board in continental Europe. However, despite all the corporate governance laws and guidelines, there are notable manifestations of soft risks, which continue to cost jobs and shareholder value. The danger is that the very businesses that most need methods to manage their soft risks are the least likely to adopt them.
A trusted but disinterested senior adviser, or a risk council representing a wide range of opinion, including customer representatives and even NGOs, are among the ideas Knebel puts forward. Sonigo suggests a risk management team of specialists for each important function, using the same tools for treatment and reporting, with psychologists and sociologists to deal with the new perceived risks (terrorism, health, stress), under the supervision of a CRO who has access to the president and the board, and is responsible for spreading a risk culture throughout the organisation.
We are at the beginning of a new era in risk management. No definite clear model is emerging but no doubt this will happen quickly.
- Lee Coppack is the editor of Strategic Risk's sister publication, Catastrophe Risk Management.