Chapter 1 of The 2004 Handbook of Business Strategy
CEOs face many challenges. They must focus and motivate their organizations to capitalize on emerging opportunities. They must continually invest scarce resources in the pursuit of promising — though uncertain — investments and business activities. They must manage the business in the face of constantly changing circumstances. And as they do all of these things, they must simultaneously be in a position to confidently assure investors, directors and other stakeholders that their organizations manage risk in today’s demanding global marketplace.
Our premise is this: An enterprisewide risk management process (EWRM) will help CEOs increase their confidence that all potentially significant business risks are identified and managed. Your organization needs an enterprisewide process to bring risk into balance as a strategic imperative in a complex and fast-changing world. This chapter focuses on the trends driving what we call the new risk imperative, and provides an overview of the key elements of an enterprisewide approach to managing the critical risks and creating and protecting enterprise value.
Five trends driving the new risk imperative
We see five key trends raising the bar for risk management.
Trend No. 1: The assets used to create value are changing. Business models are changing radically, increasing the emphasis on sources of value that are neither owned nor ownable, and reducing costs of capital and entry. These assets are your customers, employees and suppliers, as well as such organizational assets as your distinctive brands, innovative processes, proprietary information systems and differentiating strategies. These intangible assets may very well present the greatest source of enterprise value. Likewise, they may present the greatest source of risk.
The increasing significance of these strategic assets present challenges because, even today, the traditional risk management model as deployed by most companies – perhaps even yours – focuses primarily on the physical and financial assets on the balance sheet and the related contractual obligations. As power shifts from suppliers to consumers, innovative companies are altering the competitive balance in their respective industries through revolutionary business models built on relationships and innovative uses of technology. The risks associated with these new business models elevate the importance of risk management in creating and protecting enterprise value.
Is your business model focused on the right strategies that emphasize your strategic assets, competitive strengths and core competencies? Are you managing the risks to your reputation, brands, channels, supply chain, knowledge capital and intellectual assets just as you manage the risks to your tangible physical and financial assets? How do you know?
Trend No. 2: The meaning of risk is changing. The increasingly complex business environment is creating a paradox. Risk is more significant than it has ever been, and yet it is less understood than ever before. In the past, most organizations tended to see risk as something to avoid with the objective of preserving value. Past conventions and attitudes about “risk as a threat” have resulted in a narrow view of the role of risk management in a business, a view that ignores reality.
Unless companies take risks, they die. To be successful, they must be open, positive and proactive about the risks they face. That is why the traditional risk management model, while perhaps good for companies in the past, is no longer good enough as they face an uncertain future. Companies and investors that see risk management as a differentiating asset are focused on the future and on the possibilities of what could happen if they manage risk effectively — not just what might go wrong if they don’t. Thus companies need to be more systematic in their approach to assessing and managing risk.
Have you discarded the notion that risk is something unwelcome or to be avoided? Are you embracing risk as thoughtfully and as thoroughly as you can to gain competitive advantage, improve business performance and achieve your strategic goals? Are you concentrating on the value that accepting and managing risks can create and not just the costs that might be incurred?
Trend No. 3: The approach to managing risk is evolving. As competitive and other external forces drive the call for improving risk management, new risk management processes and tools are emerging. These include more robust risk identification techniques, more effective risk measurement methodologies, better information management tools, and increasingly effective scenario analysis and planning. As a result of these and other developments, business risk management is evolving to a more holistic, comprehensive and integrated approach, an approach that is truly enterprisewide. Companies are teaching their people to manage risks – all kinds of risks – with common methods, processes and tools that can be adapted to new and emerging circumstances. These risk management methods, processes and tools are being integrated within key business processes, such as strategic management and business planning.
Is your company utilizing effective tools to continually identify, source and measure its risks? Is it allocating capital to the best prospects for earning acceptable risk-adjusted returns? Is it capturing, aggregating and utilizing all data and information relevant to measuring and managing risk? Is it betting on a single forecast or even on a few discrete scenarios? Are business planning and risk management separate appendages? If an adverse scenario occurs, do you know in advance what actions you will take?
Trend No. 4: The role of risk management in strategy is growing. Change is no longer linear, but exponential. Technologies, customer loyalty and labor markets are changing more rapidly over time, behaving in a manner resembling the volatility of commodity, currency and equity markets. In addition, just-in-time inventory, sole sourcing, outsourcing, Internet-based sales and procurement are just a few of the increasingly prevalent practices that provide points of focus for strategists. While the Internet and related technologies are having a major impact on external relationships and commercial transactions, their impact on internal operations and communications is increasingly pervasive.
To be successful, companies must innovate and deliver products and solutions that create new sources of value for their customers or markets; otherwise, they will lose ground to nimbler, more creative rivals. As companies increasingly sell, promote, procure, design, distribute, plan – in general, conduct all business virtually and electronically – effective risk controls and contingency plans become essential, particularly in the post-September 11 era. Never-ending innovation also gives rise to new risks that should be evaluated virtually real-time. Unless these risk management considerations are factored into the business plan, they won’t be addressed. Business planning is a fluent, dynamic process. Risk management augments that process.
Do you know your greatest strategic risks and opportunities today as they evolve? Is your organization and culture capable of adapting to change? Is it able to quickly adjust its strategies to capitalize on profitable growth opportunities and respond to competitive and other risks? As you adopt new practices, have you also evaluated the new risk-return trade-offs of using them? Have you considered the “unthinkable scenarios” in your evaluations of the future?
Trend No. 5: The demands of external stakeholders are increasing. The ability to define a company’s future in terms of its opportunities – not to mention its ability to manage its destiny in an uncertain environment – is a powerful driver of share price. The emphasis on improving corporate governance and transparency in reporting is leading to increased accountability for boards, CEOs and other senior executives. As a result, many directors and executives are searching for more comprehensive, holistic techniques that give them greater confidence that their organizations are identifying, measuring, controlling and monitoring risk. Too often the focus is on reacting to financial disasters: “Can what happened to them happen to us?” But as investor and regulator “need to know” heightens, as the volume of calls for transparency in financial reporting increases and as competitors develop and communicate increasingly value-added business models, it is imperative that boards demonstrate equal competence in managing both the “upside” and the “downside.”
Are you satisfied with your certification process? Are you prepared to communicate in a public forum what your company’s risks are and how effectively you are managing them? Will your revelations inspire confidence or raise more questions than they answer? Is your reporting keeping investors informed with no surprises? Should you wait until the board starts asking these and other related questions before taking action or, conversely, should you take proactive steps to address them now?
The new risk imperative – an enterprisewide approach
In this evergreen environment, every organization has a business model – and certainly your organization’s business model is critical to differentiating itself in the marketplace and positioning for success. But traditional business models often treat risk as an afterthought. Ultimately, it is your company’s ability to manage the risks inherent in its business model that will determine whether or not it succeeds. Risk management, effectively integrated into strategic management processes, makes business plans more robust.
Risk management forces a fresh perspective. No organization, however large and capable and no matter how bright and smart its management, is immune to change. That is why risk should be an active part of the business strategy agenda with a balanced focus on the upside as well as the downside. Understanding the consequences of inaction versus action helps managers see the full picture, particularly as the lifecycle of business models compress in the global economy.
An EWRM process will help CEOs and their teams improve the linkage of risk and opportunity and position business risk management as a source of competitive advantage. Organizations need a new, strategic business process to bring risk into balance as a strategic imperative in a complex and fast-changing world.
What is EWRM? It is a structured and disciplined approach to managing risk. It aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the organization faces as it creates and protects enterprise value. “Enterprisewide” is a truly holistic, integrated, forward-looking and process-oriented approach to managing all key business risks and opportunities – not just financial ones – with the intent of maximizing shareholder value for the enterprise as a whole. It is an elimination of functional, departmental or cultural barriers.
In an EWRM environment, risk and opportunity are inextricably tied to one another. It is a shift from traditional risk management approaches in which the focus is fragmented, risk is a negative, reactive and ad hoc behavior is the norm, and the risk management activity itself is transaction-oriented (or cost-based), narrowly-focused and functionally-driven. Proponents of EWRM realize that risk management is neither an afterthought nor an appendage to the organization’s core business.
EWRM is not a “one-size-fits-all” solution. That is because every company is different. The components of EWRM will be different, as defined by the company’s business model and strategies, organizational structure, culture, risk appetite and dedicated resources. However, most companies undertaking a journey to implement EWRM are focused on seven essential tasks. These tasks are illustrated using the process at right. These tasks begin with setting goals and objectives, defining a common language and implementing an effective oversight structure for risk management. With that as a foundation, the remaining tasks form an ongoing process – assess risk, develop strategy, design and implement capabilities, monitor performance, and continuously improve the process. All of these tasks are supported by information for decision-making.
Establish goals, objectives and oversight — Under EWRM, clearly articulated goals and objectives are vital to success. Management aligns these goals and objectives with overall business objectives, strategies and performance goals, and communicates them throughout the enterprise with crisply written policies. EWRM is built on a well-defined organizational oversight structure, with clarity of process ownership issues a prime focal point. Risk management responsibilities, authorities and accountabilities are assigned to appropriate personnel so that everyone understands his or her respective role from the highest levels of the organization down. Senior management ensures that the entrepreneurial “money making” activities and restraining control activities are carefully balanced so that neither one is disproportionately strong relative to the other.
Assess business risk — As managers compete within their organizations for funding to fuel new investments and projects, a process is needed to separate emotion from fact. In an EWRM environment, risks are systematically identified and sourced by executives who operate in an open, positive and proactive environment and are accountable for their choices. The key managers rigorously measure the risks that matter on an aggregated basis. Priority risks are clearly understood, including the risks affecting the organization’s intangible sources of enterprise value. These sources of value include the company’s customer base, its distribution partners, its supply chain, its innovative processes and systems, its proprietary knowledge capital, and other intellectual property, the risks to which are acknowledged just as fully as the risks to its physical and financial assets.
An effective risk assessment requires three things – skillful risk owners, a common risk language and a forward-looking, continuous process for identifying, sourcing and measuring risks and opportunities. These elements are applied consistently across the enterprise to understand the nature of the priority risks impacting on business objectives, strategies and performance, including the root causes or drivers of those risks to provide a basis for measuring, controlling and monitoring them. Individual and aggregate risks taken are priced in terms of capital, earnings and cash flow at risk. Once a consistent risk assessment framework is developed and implemented, risk aggregation and comparison across the different types of investments, products and business units that matter to management becomes possible. Capital allocation techniques become more meaningful in their application.
Develop risk management strategies — Management has to make choices about how to manage priority risks. A systematic process is needed to bridge the gap between risk identification and implementation. Such a process should be integrated tightly with the key elements germane to managing a business, such as:
- the organization’s business objectives, business strategy, structure and culture;
- the decision-making processes that are vital to value creation;
- the process for formulating business strategy;
- the measurement and monitoring of organization performance; and
- the organization’s approach to continuous process improvement.
Under EWRM, the process for deciding the appropriate risk strategy takes an enterprise view rather than a unit or functional view, and considers all available options for managing risk so that the selected strategy optimizes risk and reward for the enterprise as a whole. The tired old “this is the way we’ve always done it” mantra is ruthlessly cast away. Fresh thinking is the order of the day because the competitive marketplace demands no less. Decisions to transfer or accept risks are evaluated on both a standalone and an aggregate basis, leading to more cost-effective hedging through a better understanding and exploitation of diversification opportunities. They also lead to more focused relationships with risk underwriters. For example, considering natural internal offsets and changes in operating and borrowing practices can reduce the need for hedging through financial derivatives.
“Risk owners” are responsible for developing and assessing risk management alternatives and selecting the appropriate strategy. Through a structured approach to evaluating risk management options, they work with business-unit operators to evaluate risk/reward trade-offs and the effectiveness of alternative strategies to bring risk into balance with established risk parameters and limits. They decide what must be done to execute the selected risk strategy, design the capabilities for executing the strategy, and monitor performance to ensure the capabilities are executed according to design and achieve the desired objectives. They share knowledge and best practices, enabling the enterprise to learn once and capture intellectual capital.
Design and implement risk management capabilities — Risk owners decide and design the processes, competencies, reporting, methodologies and systems that execute the selected risk strategies and policies. They ensure such capabilities are built and executed, and are integrated with processes for managing the business. Finite resources are efficiently allocated to the most significant risks; therefore, such redundant and unnecessary risk controls are eliminated.
Monitor performance — Effective monitoring enables managers to answer the question, “how do you know?” Risk owners and executive managers create performance measures to monitor the design and operational effectiveness of risk management capabilities, including risk controls. Monitoring adds value because it helps managers do a better job running the business. Relevant, actionable business-unit information is gathered, evaluated and reported on a standardized basis for monitoring purposes, including formalized reporting to the board and appropriate levels of management. A continuous review process is in place to monitor achievement of objectives, execution of strategies, compliance with policies and identification of evolving “best practices” for managing risk. Executive management also monitors the monitoring processes deployed by owners of “mission critical” risks. Internal audit plays a value-added role in the monitoring process.
Continuously improve risk management capabilities — Business risk management is a process. As with other business processes, managers and risk owners (who are the process owners) continuously improve it as conditions change over time. Executive management and directors monitor plans for improving risk management through final completion. Benchmarking, education and training are a priority. The flow of knowledge and information about risk and risk management capabilities up, down and cross-functionally across the enterprise is facilitated and supported by all levels of management, and enabled by web-based tools and other technology.
Common frameworks are useful in facilitating the kind of knowledge sharing that can drive continuous improvement. Today’s information technologies – the Internet, intranets and e-mail – create tremendous opportunities to share knowledge and experience. For example, one European telecommunications firm uses cellular Internet communications technology to poll its risk owners and their teams regarding the likelihood and severity of key risks.
Support the process with information for decision-making — In an EWRM environment, directors and senior managers are in a position to confidently make informed decisions regarding the trade-off between risk and reward, and daily business decisions at the operating level are made within the context of the organization’s strategies for bearing risk. Timely, relevant information, including measures of individual risks, are aggregated into an overall “portfolio” framework or scorecard, and are linked to relevant measures of enterprise performance. Data and information about the effectiveness of risk management capabilities and risk control processes are provided by risk owners all over the enterprise using web-enabled feeds to data warehousing facilities. A central group then manually and electronically extracts relevant information for analysis and reporting purposes.
Summary — The single most important benefit of EWRM is to provide greater confidence and relevant summary information to the board, CEO and management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprisewide basis – all fully aligned with the enterprise’s business model for creating value. The seven essential tasks outlined above help organizations build or improve their capabilities to master risk as they create and protect enterprise value.
Taking an enterprisewide view
The view that managers take of the scope of their responsibilities influences their view of risk. If their view is a functional one, they will manage risks to achieve functional excellence. For example, a procurement manager may focus on ensuring the availability of raw materials at the lowest possible cost without regard to the costs and risks of carrying inventory.
EWRM requires an enterprisewide view of the business and its risks and risk management capabilities. Ultimately, taking an enterprisewide view means taking aim at achieving the highest level of risk-adjusted return possible from the resources available to managers within defined enterprise boundaries. From a risk management standpoint, this view has to be consistent with executive management’s view of the organization. If management takes a centralized view of the business, an enterprise view would extend to the entire organization. On the other hand, if management has a decentralized view of the organization with different units operating autonomously, an enterprise view would apply at the unit level.
An enterprisewide view of an organization means three things:
- First and foremost, it means that when managers make choices, they consider the best interests of the organization as a whole. Every decision made is meant to improve the organization as a whole, and not just any particular segment. This level of understanding is difficult to achieve because, for many companies, the predominant command and control culture facilitates information flows up and down, but rarely horizontally. That this is difficult does not justify ignoring it.
- Second, it means that the objectives and incentives of individuals are aligned with the organization’s performance measurement systems. An enterprisewide view requires management to recognize, measure and reward decisions that consider the organization’s overall interests. A systematic enterprisewide approach to managing risk can create dysfunctional behavior if the objectives and incentives and the firm’s performance measurement systems do not also reflect a similar enterprisewide perspective. If the performance of different managers is not assessed and rewarded according to an enterprisewide view, how can these managers be expected to evaluate risks and make decisions according to an enterprisewide perspective?
- And third, it means that the tools and measures used by key decision-makers at all levels of the organization reflect an enterprisewide view. Risk management goals, objectives, policies and processes must be consistent with the view of the organization being managed. If management’s focus is primarily directed to the success of specific operating units, then the policies and processes for managing risk should likewise be directed to such units. The challenge here is avoiding needless redundancy in risk management capabilities across multiple units. In cases where there are risks common to multiple units, it may make sense to organize a strategic risk unit to develop and deploy the required risk management skills, methodologies and systems managing one or more key risks inherent in the business model. Then the enterprise is able to act quickly, as conditions and circumstances change, with the knowledge that it has the competencies to effectively manage the risks undertaken.
An enterprisewide view, through which every decision made is meant to improve the institution as a whole and not just a particular part, is not new. Global banks have been taking such a view for years in managing their market risk and credit risk. For example, they find that aggregation of risks relating to their trading positions and loan portfolios makes sense when shocks occur from time-to-time in the currency markets.
The value proposition
EWRM helps a company manage its risks to create and protect value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. And third, it improves business performance. These contributions redefine the value proposition of risk management to a business by elevating risk management capabilities to a strategic level. They also lead to possibly the single greatest benefit risk management can make to the success of a business. That is, instill greater confidence in the board, CEO and executive management that risks and opportunities are being systematically identified, rigorously analyzed and exploited on an enterprisewide basis consistent with the business model for creating and protecting enterprise value. Moreover, in an EWRM environment, the company gains confidence that the business model and its underlying assumptions are continually challenged and refined in a dynamic cycle of continuous change.
We have discussed the trends that are driving a more strategic approach to managing risk. We have explored the essential tasks of assessing, managing and monitoring risk and what is required in taking an enterprisewide view in implementing these tasks. We also discussed the benefits of EWRM. In the next chapter, we explore the steps to take when implementing an EWRM solution.