RISK MANAGEMENT PERSPECTIVES Nitin Bhatt, Partner – Advisory Services, EY has authored these articles for various renowned media publications.
Battling the certainty of uncertainty Published in The Hindu Business Line In Greek mythology, the two-headed God Janus was famous for a quirky contradiction: one of his faces was smiling, the other frowning. Expert commentary and analyst reports on the global economic outlook are somewhat in this vein. While some are upbeat and uplifting, others predict doom and gloom. For instance, a recent report by the Conference Board suggests that the global economy is on an upswing: the world’s GDP is expected to increase from 2.8 percent in 2013 to 3.1 percent in 2014, and mature economies – including the Eurozone – will clock higher growth compared to previous years. On the other hand, a November 2013 report released by the World Economic Forum raises several red flags. According to this research, rising societal tensions in the Middle East and North Africa, widening income disparities, increasing structural unemployment, inaction on climate change and persistent cyber threats do not bode well for the global economy in the coming years. India’s economic indicators present a mixed bag as well. According to a World Bank report released in October 2013, India’s growth potential remains high. The macroeconomic environment is expected to improve, with growth likely to accelerate over the next two years. On the other hand, challenges related to the country’s slowing GDP growth and spiraling inflation, combined with high fiscal deficit and regulatory bottlenecks, continue to dampen consumer and business confidence. Even as surveys and statistics continue to confound observers, they all agree on one thing: we are living in an environment that is marked by perpetual uncertainty. How are businesses responding to this new normal? EY asked 641 companies across 21 countries to identify and rank the top risks and opportunities they see in the 2013 – 2015 timeframe. The results indicate that the pressure on prices and profits, market instability, weak growth prospects and skill shortages are risks that will dominate the conversation for some time to come. On the brighter side, firms also see this as a
time to invest in innovative products and services, new markets and productivity-enhancing processes – all seen as opportunity areas that can separate the leaders from the laggards. The new paradigm The EY study also found that successful companies are seeking to achieve two goals. Certainly they want to keep out of trouble – sound governance and compliance are still in the forefront – but they also want to improve their performance by way of innovation and operational excellence. Indeed, if one analyzes the management strategies of companies that have outperformed their peers, three differences stand out. Protecting the core Pricing and cost pressures have exerted unprecedented stress on organizations over the past few years. As the term “customer loyalty” becomes increasingly elusive, retaining and growing core customer-accounts is central to every CEO’s agenda. In order to do so, leading organizations are continually challenging themselves to ensure alignment with their customers’ priorities. How is my customer’s business changing? What kind of enablement and risk-sharing would deliver the maximum value? What must be done to better align my products and services with the customer’s agenda? The answers to these questions have equipped several companies to rapidly transform internal processes and systems to deliver superior value and competitive advantage to their customers. Leveraging risk intelligence Leading companies adopt a clinical approach to protecting themselves from downside-risks. Directors and executives of such organizations typically benefit from a periodically updated risk dashboard that pinpoints mission-critical risks and assesses how well potential exposure-areas are being managed. A mix of qualitative and quantitative criteria is used to determine risk tolerance. Critical risks are regularly stress-tested and early warning systems alert the board and management when risk-levels are likely to exceed established thresholds. Risk-intelligence is leveraged to drive decision making. Perhaps most importantly, executives’ performance scorecards are linked to risk-performance. Leading organizations also leverage risk intelligence to create new opportunities. For example, a large technology company’s risk analysis revealed a threat to its hardware business from cheaper
providers in an emerging market. The company started looking for market adjacencies, including products and services that its customers bought from other vendors to complement the hardware that the company supplied. By quickly transforming itself from a product vendor to an end-to-end solution provider, the company not only mitigated a downside risk, it also created a big revenue upside for itself. Smart controls Over the last several years, many organizations have accumulated layers of redundant and ineffective controls in response to regulatory and operational triggers. EY research indicates that companies typically spend 20-30 percent of their process-cost on “controlling” activities. Unfortunately, up to 40% of such controls can be duplicative, value-erosive and oftentimes misaligned with the risks that truly matter. It is not surprising that over-controlled organizations find themselves losing “speed,” and over time, experiencing lethargy when respond to internal and external imperatives. The future vision of controls is much smarter. It ensures that companies eliminate unnecessary controls and free-up organizational bandwidth for analysis, decision-making and value-added initiatives. Indeed, organizations that have implemented “smart controls” have benefitted from operational agility, organizational nimbleness, and ultimately, competitive advantage. Battling the certainty of uncertainty is not for the faint hearted. It requires an unrelenting focus on winning in the market on one hand, and a sharp focus on execution-intensity and risk resilience on the other. Indeed, organizations that successfully execute this agenda are more likely to deliver market-leading performance.
Black Swan Plans: Is your company anti-fragile? Published in Economic Times, Corporate Dossier The devastation caused by the multiple global crises over the last three decades has exposed the fragility of modern-day risk management practices. For instance, the Wall Street crash of 1987, the Asian financial crisis of 1997 and the banking sector collapse of 2007 left several global companies in a state of disarray. Similarly, the safetysystem failures at Japan’s Fukushima Daiichi nuclear plant, structural compromise of the New Orleans leevies and the Mumbai terror attacks led to unprecedented economic losses for many organizations. In retrospect, while each of the above events – referred to as Black Swans by some observers – was possible, none was adequately anticipated. These events highlighted the shortcomings of our knowledge, perspectives and risk models. The Black Swan concept dates back several centuries. It was based on the mistaken notion that all swans are white. But in the late 17th century, black swans were observed in Australia, revealing the limitations of our information and imagination. In management literature, Black Swan events generally refer to low-likelihood, high-impact occurrences that are disruptive in nature. They can evolve rapidly from a combination of factors, including human error, negligence, malicious actions, or acts of nature. Black Swans can paralyze an organization’s operations. In rare instances, they can lead to its demise. Black Swan skeptics retrospectively assert that catastrophic events are predictable: post-event investigations routinely identify design flaws, inadequate maintenance or other patterns that should have signaled an event’s likely occurrence. Yet, these same experts fail to predict such events. Fukushima Daiichi serves as a good example. The plant was rated for a 19-foot tidal surge when 46-foot surges were experienced every 30 years on average, and four such surges had occurred in the past 30 years. While most CXOs are well-intentioned in assessing and managing their enterprise-wide risks, cognitive biases often render their risk strategies inadequate. These biases place too much emphasis on personal experience (I’ve never experienced this, so this is unlikely). Further, executives tend to focus on known financial and operational risks (for example, market volatility, cost competitiveness and talent management). Very little time is spent on discussing lowprobability scenarios that can harm the company. Even when unlikely risk scenarios are discussed, they are quickly dismissed. In some cases, this is due to the seemingly expensive preventive measures related to their mitigation. In other cases, it is because executives are too focused on delivering short-term performance targets for professional and personal gains.
Doing so, unfortunately, is highly risky. This is because we are living in a time when extraneous factors over which companies have limited or no control are rapidly proliferating. Geo-political instability, labor market inequalities, and new technologies for customer engagement are a few examples that make the case for resilience and anti-fragility stronger than ever before. What is an anti-fragile company? According to the Lebanese-American scholar and The Black Swan author Nassim Taleb, anti-fragile organizations do not spend inordinate amounts of time modeling unpredictable events. Instead, they routinely simulate disruptive events and stress-test organizational resilience. Further, they develop response mechanisms to mitigate their exposures should such events unfold. In doing so, they become genetically stronger organizations and benefit from the upside that such events can present. While Taleb’s thesis can be debated, it does provide one key takeaway for Boards and Chief Executives: crises triggered by risk-events that fall in the unknown-unknown category cannot be ignored. In order to address such risks, companies need to engage in a detailed planning exercise to identify such potential “unexpected” events. The crisis-response options for each scenario should then be developed and documented. This should be followed by a simulation to assess the operational effectiveness of the crisis-response plan, including recovery and restoration protocols. Doing so usually uncovers tactical gaps that can be fixed by redesigning the response processes and systems, as appropriate. The design of Black Swan response plans also needs to incorporate critical “human” dimensions. For instance, in a crisis situation, most people are worried first about personal and family welfare. Situations that result in panic and shock may impede rational thinking. Balancing these behavioral possibilities with the imperatives of business continuity should be a key consideration for risk management executives. History has taught us that the time to adopt and test crisis management programs is before a disruptive event occurs. As such, Black Swan plans need to be updated and assessed for operational effectiveness on a regular basis. Doing so enables organizational leaders to think through and debate the framework for their response. While actual events will seldom match what is anticipated, such an exercise will enable a more effective response should the unexpected occur.
Rethinking risk management Published in Economic Times, Corporate Dossier
This September of 2010 marked the second anniversary of the collapse of some of the largest banks in the US. Across the globe, much water has fl own under the “reform” bridge during the last two years: governments have spent hundreds of billions of dollars on fiscal stimulus packages and bailing out failing financial institutions; lower economic growth has become the new normal in much of the developed world; regulators have implemented new corporate compliance standards; and business leaders have sharpened their focus on eliminating inefficiencies, reducing costs and strengthening controls to “protect the core.” The above initiatives notwithstanding, global economic recovery continues to be threatened by an increasingly complex web of risks facing organizations today. For instance, despite the lessons learnt from the recent crisis, most companies are unlikely to be able to ascertain systemic risks. This is concerning because the threat of exogenous shocks such as sudden declines in asset prices, as well as fiscal crises that could be triggered due to unsustainable levels of debt in several parts of the world, remain very real. Further, companies are equally unlikely to be able to predict black-swan events – seemingly improbable incidents that could threaten a company’s survival – such as the oil spill in the Gulf of Mexico this past April. History demonstrates that such one-in-amillion chance events do materialize and have a devastating impact on the reputation and financial stability of organizations. The World Economic Forum’s Global Risks Report 2010 highlights several other key risks. First, unemployment continues to rise in many parts of the world. It is estimated that unemployment in OECD countries alone has increased by over 25 million over the last two years. Globally, the increase could cross 50 million by year-end. Since job-creation is not robust, a long period of high unemployment could adversely impact consumption as well as the stability of civil society. Second, if the Chinese economic growth slows to less than six percent, it could impede global capital flows and disrupt commodity markets. Third, chronic diseases across the developed and developing world threaten to drive up health costs while reducing productivity and economic growth. Finally, large segments of the world’s energy, water and transport infrastructure are structurally deficient or functionally obsolete. It is only a matter of time before a catastrophe occurs.
My sense is that not many corporate leaders have systematically thought through the impact of the above risks on their organizations. The recent crisis, in fact, exposed many organizations’ inherently weak risk management systems: boards that did not consider macro-economic factors when assessing risks, risk committees that did not receive accurate information regarding missioncritical risks and the effectiveness of organizations’ responses to mitigate these, and executives who built silo-based risk management infrastructures that failed to embed risk-appetite within organizational processes in a consistent fashion. Given this background, it is not surprising that the global spotlight on risk management has intensified. The U.S. Securities and Exchange Commission (SEC) now requires that proxy statements fi led by public companies include the role of the board of directors in risk oversight, the nature of communications between executives and the board on risk issues, and disclosure of riskbased compensation policies. The US Association of Corporate Directors’ Blue Ribbon Report on Risk Governance urges boards to assess strategic risks, closely monitor risks in culture and incentives, and consider emerging global risks to the firm’s business. The International Organization for Standardization’s recent ISO 31000 guidance defines a common global approach to risk management. Unfortunately, organizations still have a long way to go in enhancing the effectiveness of their risk management efforts. For instance, in a study of large US corporations conducted by North Carolina State University researchers earlier this year, 49% of respondents described the sophistication of their risk oversight processes as immature to minimally mature. Over 63% of respondents believed that the volume and complexity of risks had changed “extensively” or “a great deal” in the last fi ve years and 70 percent admitted that they had been caught off-guard by an operational surprise. It is therefore not surprising that many companies have recently increased their investments on risk-related activities. In a recent global survey of over 500 organizations conducted by Ernst & Young, 73% of the companies reported having seven or more separate risk functions! Throwing money and resources at the problem has obviously not produced the desired results as the coverage and focus of these risk functions have become increasingly difficult to manage. Sixtyseven percent of companies had overlapping risk coverage with two or more risk functions. Further, 50% of companies reported gaps in the coverage between risk functions and 61% of companies believed that they could get more risk coverage for less spend. Overall, 96% of companies agreed that there were opportunities to improve their risk management effectiveness.
How should companies approach risk management as they prepare for an uncertain future? It is critical to move away from a departmental, silo-based approach to risk management towards a holistic, enterprise-wide approach to risk management (ERM). Doing so establishes a common language of risk and sets the limits for effective risk-taking based on a mix or quantitative and qualitative criteria. Further, on a periodic basis, it identifies and prepares for controllable and uncontrollable events that could get a company into trouble. As boards and executive managers take stock of their ERM maturity, they need to ask some fundamental questions to assess the extent to which the organization is balancing risk, cost and value considerations. Risk: Do we understand the strategic, operational, financial and compliance risks that the company faces? Do we know our mission-critical risks? Are we accepting the right level of risk? Do we get effective risk reports? Do we know if our risks are being properly managed? Do we have a comprehensive risk framework in place? Cost: Are we focused on the risks that matter? Do we have duplicate or overlapping risk functions? Are we leveraging automated controls versus manual controls? Do we have the right mix of skills at the right cost? Have we optimized the use of technology to manage risks? Can we use alternative sourcing strategies to reduce costs? Value: Is our risk-taking behavior aligned to our business strategy and objectives? Are we getting the right return on our risk investment? Are we getting performance improvement ideas? Are we taking the right risks to achieve competitive advantage? Is risk management slowing us down or helping us go faster? Finally, it is critical for companies to evaluate if their risk governance and incentive structures are appropriately designed. Do disconnects exist at the strategic and operating levels between the board, executive management and line management? For example, it was recently reported that the US Federal Reserve, six months into a review of the country’s 28 largest financial companies, has found that many of the bonus and incentive problems that led to the financial collapse two years ago remain in place. Many risk managers, for instance, still report to executives who have influence over their year-end bonuses and whose own compensation might be curtailed by reducing risk. In many cases, risk managers do not have full access to the compensation committee of the banks’ boards. Further, banks tend to set similar bonus structures for diverse
employees and generally do not adjust payouts to account for risks taken, say, by traders or mortgage lending officers. Bank executives and directors, however, are often unaware of the compensation structures of these employees – people whose decisions could take the company under. If such is the state of affairs in the world’s most regulated industry, the reported risk-resilience of companies in other sectors should obviously be taken with a pinch of salt. For risk- management to deliver on its promise, it is therefore critical for boards and corporate leaders to urgently identify and fi x risk-governance and incentive-related problems, and further, to appropriately balance risk, cost and value considerations as they prepare for an uncertain future. What are the keys to implementing a sound ERM programme? Critical enablers include robust processes and risk measurement techniques, clearly defined risk owners and performance metrics, and information systems that facilitate easy reporting to the management and board. In leading practice organizations, these enablers serve as a radar that continually scans the company’s internal and external environment, “dropping” risks that have lost their relevance, and “picking up” risks that can matter. Most successful ERM programmes are CEO-championed. The CEO’s involvement promotes the kind of discipline and accountability that is needed to embed a healthy risk management culture – exemplified by awareness and constructive challenge – within the organization. What is the state of ERM maturity within global organizations? Two separate research efforts shed some light on this issue. In a global survey of board members conducted by Ernst & Young, over two-thirds of the respondents felt that the risk landscape had changed for the worse; over 40 percent believed that the increase in risks has been significant. While audit committee members identified rising levels of regulatory and compliance risks, non- audit committee members perceived greater levels of business and competitive risks. In addition to better managing compliance- related risks, board members thought that identifying emerging risks and improving systems for risk management remain key priorities. Research conducted by the Conference Board points out that many board members who think they have a good handle on their companies’ risks could be functioning with a “false sense of security.” According to the study, the problem is that many directors approach risk more on a case-by-case
basis, and as such, “may not have adequately robust and systematic enterprise risk management processes in place.” How mature is your company’s ERM programme? You can conduct a quick health-check by responding “Yes” or “No” to the following questions. 1. My company defines and updates its risk appetite periodically 2. Mission critical strategic, operational, reporting and compliance risks are prioritized 3. Risk management activities focus on compliance as well as value-creation 4. Emphasis is placed on implementing risk mitigation plans 5. Risk owners are identified and held responsible for risk monitoring and reporting 6. A risk culture is championed by the CEO and embedded in the organization’s operational and support processes 7. Sufficient resources and investments are committed to deliver on risk management objectives 8. People are measured on how well they manage risks and rewards 9. The board regularly receives robust, transparent information that can be used for decisionmaking 10. The risk or audit committee devotes adequate time to enterprise risk management A “Yes” response for eight or more questions indicates good health. A score of five or below suggests the need for an ERM fitness-programme.
****
You can get in touch with Nitin Bhatt on
[email protected]