Think Tank

Risk Management: Imperatives and Best Practices

In conversation with Sanjay Mehta, Senior Advisor, KPMG

As a concept, Enterprise Risk Management (ERM) has been around in some form just as long as business itself has existed. After all, managing risk is fundamental to any firm’s survival. Yet, with intangibles now dwarfing physical assets as a share of the firm’s overall ‘value’, and given the spate of recent high-profile governance failures, the principles guiding ERM are shifting. Risks to cash flows, reputation, or other intangibles today have the potential to wipe out billions in investor wealth overnight. The Enron/Anderson and Satyam debacles are cases in point. The regulatory response – SOX in America, and Clause 49 and a new Companies Act in India – has been definitive. More recently, the Global Financial Crisis redefined risk management in the financial sector, while in India, the IL&FS crisis promises to raise new questions. CFOs, clearly, are at the forefront of managing all sorts of risks, and they would be well advised to institutionalise rigorous ERM processes. At its core, ERM seeks to preserve and enhance enterprise value, and it rests on some basic principles. At a recent India CFO session in Bangalore, Sanjay Mehta, Senior Advisor at KPMG, who has studied risk management processes at the world’s leading companies, laid out what exactly what it entails.

From safety issues…

…and e-Commerce disruptors…
…to piracy, brand reputation…

…external disruption risks…

…and local and country-specific issues

Diverse risks….

In seeking to understand how world-class businesses manage risk, Mr Mehta closely studied a whole gamut of industries. What he found was that each sector faces its own unique risks, demanding different types of ERM programmes. For example:

  • Boeing’s entire ERM focus is on engineering and safety, because if those areas fail, the business fails.
  • For US retailer Safeway disruptors like Amazon present the most serious long-term risks.
  • Microsoft faces critical issues around licensing and piracy, and has mobilised huge resources to deal with this.
  • For mature businesses like PepsiCo and Coca-Cola, nothing is more important than brand reputation.
  • Technology companies are disruptors, but they also face disruption risks. For them, ERM is about the interplay between internal resilience and external awareness: being innovative, nimble-footed, and having the right financial and operational controls.
  • Large construction and other ‘project’ companies face a range of local- or country-level issues that must be closely integrated with their overall risk framework.

One goal to guide them all

Moving away from ad-hocism

…but a common aim: Making risks visible

The risks they face vary, but a common goal guides many of the world’s most sophisticated companies: making risks – whether current or future, hidden or in plain sight – visible. This includes evaluating impact, readiness, and the quality of decision-making in the organisation. In parallel, it means creating a strong awareness of where the company stands, in the most efficient manner possible, and getting both managers and the Board to respond. On a related note, leading firms have done away with the old ad-hoc approach to risk, towards one that is more systematic and institutionalised. Instead of a pure art, ERM must be strongly backed by science. Today’s computing power allows for insights that are derived from billions of data points, and endless correlations between causal factors – something that was previously impossible. Multiple scenarios can be built, though ultimately, a human being must choose between these scenarios.

Compliance lies at one end of the scale…

…but the choice between proactive and reactive ERM is not so clear-cut

Proactive, reactive, or compliance-driven?

Broadly, there are three approaches to risk management. At one end of the scale is a tick-box style, compliance-driven ERM, which is usually of limited value. Choosing between a proactive and a reactive approach is less clear-cut, and one is not necessarily ‘better’ than the other. Dominant firms – Microsoft, say, or Coca-Cola – lean towards being proactive, but this also tends to slow down decision-making. Since the value at risk is huge – one bad decision can destroy years of hard work – it breeds caution. On the flip side, disruptive businesses tend to be more reactionary about managing risk. A new entrant in the Indian telecom industry, for example, will be faster to react to evolving situations, but even faster to reverse bad decisions. Taking a risk without understanding all of the underlying factors is acceptable only so long as it is possible to quickly change tack. A failure on this count can destroy value, and damage the business model no end.

Strategy is foremost for certain types of companies…

…but for others, financial and operational issues are key…

…while still others combine the two

Varying focus areas

Companies vary also in where they focus their ERM programmes. Some concentrate only on strategic risks, while for others, it is mainly about operational/financial ones. The choice depends on where the company stands in its life-cycle, and the nature of its business. ‘Steady state’ firms like Pepsi – they know what to produce, how to produce it, and where to sell it – are concerned mainly with strategic and emerging risks. In contrast, project-based companies like GE or Bechtel keep an eye on softer issues as well as financial risks. There is also a third category of firms – those like Cisco, which outsources much of its manufacturing to contractors, who further outsource to sub-contractors, including in other countries. This extra layer of intermediation makes it hard to monitor quality, or to assure supply-chain continuity. It also brings strategic risks, such as when a trade war erupts. To overcome this challenge, Cisco mapped its supply chain from end to end, determining precisely where the disruption risks lay.

Start-ups will focus more on operations and finance…

…as will companies that take an enterprise-wide approach to risk

…while still others combine the two

In general, financial and operational risks are easier to quantify, and usually also less ‘damaging’ to a company’s long-term health than strategic ones. That said, for start-ups, they are actually more important: until an organisation has its house in order, and has scaled up sufficiently, strategic issues are secondary. Finally, ERM programmes can be either enterprise-level or enterprise-wide. Firms that focus on strategic risks usually tilt towards the former, while those focused on financial and operational risks are more inclined to the latter.

There is no one-size-fits-all, but…

…setting the tone matters…

…as does overcoming resistance to change

ERM programmes can be housed nearly anywhere, depending on need…

…but a mature ERM manager is key

The business must own risk, with ERM managers acting as facilitators

Adequate resource commitment is crucial

ERM implementation: guiding principles

An ERM programme and risk culture are two sides of the same coin. Indeed, a risk manager’s primary role is to build or strengthen a risk culture, by fostering awareness, starting conversations, and breaking down silos. While there are no silver bullets, a number of principles might guide ERM implementation in any situation:
  • Accountability must be held at each level, but the tone at the top is what sets the overall direction
  • Resistance to change, especially at the mid-manager level, is often a constraint. People may say they are on board with new practices, but this does not automatically translate into behavioural change. Winning their confidence, including by building communities, is essential
  • It is unimportant where the ERM is housed, or even to have a separate ‘ERM function’. What matters is structuring it in a way that maximises impact, by making risks visible and equipping the organisation for change
  • Equally critical is to have a mature, well-respected, resourceful and dynamic ERM manager – one who can galvanise cross-functional teams, who understands the business, and can leverage technology the fullest
  • The ownership of risk must lie with the business, and in no circumstances should ERM managers operate in parallel with the existing management structures. Ideally, they should serve as independent facilitators who provide thought leadership and institutionalise knowledge, instead of acting as the ‘risk police’
  • Some companies place the ERM programme within strategy and planning, while for others, it may reside with Treasury (if they have large forex exposures), controllership, internal audit, or even the CEO’s office. The goal should be to make risks visible and find ways to manage them, in ways that best suit the business, so structures will vary accordingly
  • Most ERM teams are small, and some are a ‘one-person army’. Yet, while it may be expensive to commit additional resources, it is critical: if those individuals leave, so does the knowledge that resides with them