The Five Step Program to Risk Management Health
Speak with chief risk officers, chief financial officers and corporate treasurers about the risks they face in their businesses, and one point becomes quite clear – many companies have policies only dealing with interest or currency risk. Few have identified or quantified other risks the company may face, and often there is nothing in existing policies defining the various types of risks, nor is there an overall policy regarding corporate risk appetite and a coordinated strategy to manage all known risk.
This is not to suggest that companies adopt a ‘one size fits all’ approach to risk. Rather, it is important to determine whether the mitigation strategies employed to manage each type of risk are compatible with each other – and consistent with an overall strategy of risk management. Taking a comprehensive approach to risk evaluation will not only ensure consistency, but there is a strong likelihood that new risks will be identified, the real ‘unknowns’ that have the potential to cause serious harm to the enterprise.
There are five steps in this comprehensive approach – a good starting point for companies developing strategies for the first time – and can add value to existing risk programs.
First, establish corporate tolerance to risk and make sure it is applied consistently across all risk classes. The automatic reaction is that the company is ‘risk averse’ – but what does that really mean and to what degree? A manufacturing company might hedge its raw material needs but not hedge the interest rate risk on its debt. One is seen through the lens of strategic sourcing and other as market speculation. While management may view this as following the stated risk goal, a company that is truly risk averse will identify and mitigate all risk to the same degree. While it’s not really possible to eliminate all risks, most known risks should be managed. In addition, there may be other risks, central to its core competencies which a company might actively seek to embrace, once identified.
How is this done? By examining risk in terms of strategic objectives, corporate core competencies, and the approaches followed by the company’s main competitors. Patterns will begin to emerge on what might be hedged, and why. Also, there needs to be consensus on the priority of managing risk or managing accounting. While having both would be nice, compromise is often required. The perfect hedge may have imperfect FASB 133 accounting implications – can the company live with quarterly mark to market variations on the income statement?
Finally, determine the metrics for measuring risk measurement (such as % EBITDA, % NOPAT or EPS) and apply it consistently to all risk quantification and ranking.
To create a truly comprehensive program, the financial, operational, insurance and competitive risk issues need to be examined.
Financial risk may be seen through the impact of exchange rate variations on the company’s foreign currency receivables and/or payables, exposure to changes in interest rates or commodity prices, the impact of improved or deteriorating credit scoring on supplier payments terms or on receivables. Sometimes two or more risks come together, creating additive risk. For example, US companies importing raw materials from Canada may be exposed to both stronger commodity prices linked to increased world demand and a strengthening Canadian dollar as a result of higher commodity prices. These combined risks could lead to a deterioration of market share versus a competitor that sourced from a different country and/or managed their risk more effectively. The impact from this on a company’s financials could lead to adverse debt covenant implications, higher borrowing costs, worsening supplier credit terms, and a real dollar impact on EPS.
Operational risk issues may include the cost of equipment/process downtime versus system redundancy, managing location specific infrastructure challenges, or even the company’s plans to deal with such issues as avian flu.
Insurance risk review entails examining contractual liabilities in all markets and locations in light of current insurance coverage. If the business is global, is there global coverage or a series of local policies for each location? How consistent are the coverage levels?
Ultimately all these risks become part of a company’s competitive risk, but the list does not end there. How unique are the risks in the business model versus the company’s competitors? Do they use a similar business model and earn higher margins? Why? Could it be that they are managing their risks better?
In all these instances, evaluations must determine the size, scale, impact and anticipated frequency – the probability – of risk measured in the unit agreed on in Step 1. This will create a ranked risk matrix that can ensure that a cohesive and consistent approach to risk mitigation is developed.
Often risk policies are drafted so that the same type of strategy is used to hedge a number of risk types. This ‘slavish’ consistency does not address the central risk problem. Having differing risk management strategies for currencies and key processes is completely valid on a mitigation and common sense level, as long as these approaches are consistent with the overall approach to risk.
In many cases, there will be a choice of hedging strategies. Some will be more flexible – and perhaps more costly – than others. It is important to weigh the value of flexibility in terms of today’s scenarios and potential future adverse developments. Companies often seek ‘natural’ hedges within their operations as a source of internal risk mitigation. In many cases, the determination of these hedges can be based on perceived correlations between one activity and another such as buying raw materials and selling finished product in the same currency. Be sure to examine these risks individually as well as collectively, as significant changes in correlations can occur and thus have an additive impact on overall risk.
How often to hedge – the hedging cycle – is an important consideration, as aspects of the business will have differing cost and revenue creation cycles. Ensure that strategies meet the requirements for consistency of risk profile and flexibility that the business requires.
Before implementing any strategy, it is prudent to back test the approach against prior year data to see its impact in a real world setting. Test that strategies comply with the stated accounting approach. Finally, agree and keep to a defined time frame for implementation, operation and review.
For SOX 404 compliance purposes, US public companies are required to document and audit all significant financial policies for policy adherence. Private companies should do this to ensure that risk activities are compliant with the company’s stated risk goals.
This is the easiest to say and the hardest to do, especially in companies with decentralized management structures. The creation of a risk management review committee reporting to the CFO/CEO/board of directors and drawing its membership from across the company can be an effective way to ensure policy compliance across all areas of business activity. This group should be responsible for regular risk reviews and strategy effectiveness testing in terms of meeting the corporate goals and operational and accounting requirements as determined in Step 1. They should also approve all risk acceptance or mitigation actions.
Risk is a fact of life in business and it’s extremely difficult, if not impossible, to identify and mitigate all risks. But any known risks should be managed. (Note – this does not necessarily mean ‘hedged’, which may carry a negative connotation for some in senior management.) Following the five steps outlined above will not provide a magic bullet to protect the company from all risks, but it will provide a solid foundation for the overall corporate risk management process. Managing risk means managing opportunity and this translates to higher and less volatile profits – an outcome sure to please the board and shareholders!