CHAPTER 2

The Role of Enterprise Risk Management

Enterprise risk management has, at its core, a simple concept: a business needs to at least understand all the risks that it is currently facing or is likely to face in the future. Some of these risks it will be able to measure and manage, whereas others it will need to react to. Let us start with what is perhaps the normal summary of risks and consider how this leads to enterprise risk management. Generally, risks may be analyzed into the following categories:

  • Credit risk
  • Market risk
  • Liquidity risk
  • Operational risk
  • Strategic risk
  • Reputational risk

As soon as you start with any such analysis, you need to ensure that all of the risks that your firm faces are analyzed and classified under these risk headings. Of course, these risks are all different and they could consequently be measured and managed differently. However, there is a problem with managing risks in silos and this results from the different ways in which they are managed. One of the challenges of effective risk management is to ensure that all risks are managed on a consistent basis enabling management to understand the nature of their risk environment in total.

There is also a concern that there could be a disconnect between the risk function and the management of the enterprise. It is incumbent upon risk professionals to provide their reporting and information in a format and with explanations that are intelligible to their audience and not just to other risk professionals.

Returning to the risk analysis, let us consider each of these risks individually. You will then see the issue regarding modelling and data consistency.

Credit Risk

Credit risk is the risk that someone is not going to fully meet their financial or debt obligations. The firm may have sold goods or services to someone. There is then a risk that they will not make the payment in accordance with your payment terms. Credit risk is not just that they may not pay, it is also that they may pay late. If you lend money to a friend, you know you are unlikely to get it back. Again, that is credit risk except that the accounting in this case is debit cash, credit experience.

For credit risk to occur, you will need to be owed something, which, of course, does not need to be cash. If you are building a machine for a customer, you may not be able to raise an invoice until the equipment is completed. However, the knowledge that you intend to sell the equipment to a customer means that you are already incurring credit risk even though the invoicing date has not been reached.

If you lend your car to a friend and they do not return it, then this again is probably credit risk. You have lost the monetary value of the car and this is still held by the former friend. In this case, the accounting treatment is debit cash, credit stupidity.

In terms of measuring credit risk, you need to know what you are owed, and this will typically need to be measured in monetary form. By looking at what has happened before, as shown in historic databases, perhaps supplemented by external information which could include agency data, the company is able to assess the likelihood that the customer will meet their obligations. This likelihood is passed on to the clients typically by providing a lower price or discount to the better credit quality customer, and this is what is referred to as differential pricing.

Essentially, credit risk management uses historic data to try to predict the future. That of course leads to the conclusion that credit modelling is at its best when future performance is clearly related to historical loss experience, a theme we will return to in later chapters.

Market Risk

Market risk arises typically from a change in the price of something. It is not about a change to the market itself since that is actually included within strategic risk, as we shall see later. So, where does market risk tend to turn up? If a company has a commodity that forms part of their product, copper wire for example, or oil, then they will need to acquire the copper or oil before they make their product. The price they will have to pay will fluctuate, based upon the market movements. In the case of commodities there are markets on which these assets are quoted, which can provide a base price, the London Metal Exchange (LME) and the International Petroleum Exchange (IPE), for example.

By looking at movements in the price of the specific commodity on the relevant exchange, the firm can see whether the cost of their commodity is rising or falling. The impact of repricing the commodity to market price is market risk, as indeed is the impact of any future change in the price.

Another place where this turns up is in the area of currency risk. Currencies vary considerably, as anyone going on holiday away from their own currency zone knows only too well. If a firm is in the U.S. dollar zone, that is they report in U.S. dollars and the majority of their costs and income is in dollars, then anything they do in a currency other than U.S. dollars is a foreign currency transaction.

If the U.S.-based firm is selling to Germany, they will perhaps have been required to quote their price in Euros. As the rate of exchange between the U.S. Dollar and the Euro varies, the firm will either receive more or less U.S. dollars as a consequence of currency movements. This loss is also market risk. To illustrate this risk, consider the following:

A U.S. company sells industrial equipment to a German company for €125 million. If there is Euro–Dollar parity (in other words $1 = €1), then the U.S. firm will receive $125 million, which is perhaps what they budgeted for. However, if the exchange rate changes to €1.25 = $1, then they will receive only $100 million, a market risk loss of $25 million or a margin loss of 20%.

So just as failing to receive the €125 million payment from the German company would be credit risk, an adverse movement in the Euro/dollar exchange rate would be market risk.

In terms of judging market risk, the required information is generally available on exchanges and markets, and is then published in public information sources. There is no shortage of information about the past, and again the past is often used to predict the future. However, this is also supplemented by information about future expectations as shown in forward prices and contracts.

Another area where market risk arises is in equities and bonds. Equities are shares in the ownership of a company normally traded on an exchange. Bonds are essentially loans or debts issued by a firm, which can be traded on a secondary market. Both of these instruments trade on exchanges such as the New York Stock Exchange (NYSE). The NYSE will show the trading price of the instrument in real time, so finding a current market value is not a problem.

Firms hold equities and bonds in two main places. They can hold them directly in their balance sheets or in their pension funds. You could mark these positions to market by working out how much you would actually receive for the position held today by revaluing using the current price on the exchange. The price will have either gone up or down, or stayed the same. Any difference that arises is the consequence of market risk. It is an important concept to understand that market risk is not always negative and that you can be paid for the risks that you are taking, even in an investment environment.

Liquidity Risk

Liquidity risk is another main risk category and is distinct from market risk. Whereas market risk is essentially looking at the impact of an asset or liability being repriced, liquidity risk is dealing with a much simpler concept, that of running out of money.

We all know what running out of money means. You have gone out for an evening with a certain amount of folding currency and some credit cards. Suddenly, you find that you have used all of your currency and your credit cards are being rejected. You have become illiquid.

In companies, this can happen in many ways and some of these are a little counterintuitive. Companies are funded in many different ways, including by the following:

  • Equity issuance
  • Bond issuance
  • Not distributing reserves
  • Loans
  • Overdrafts
  • Credit cards
  • Creditors

Any excess assets that the firm holds will be held in some form of investment or cash account.

If the firm is unable to pay its debts, then at some stage, it will have difficulties. It could potentially delay paying creditors or raise more funds from investors or its bank. If it is not able to do any of this it may have a real problem, but there may be other things they can do. It could be that they own a property and can sell this to an investor, leasing it back. The accounts receivable book could also be used to support funding through using either invoice discounting or factoring.

Cash is king in any business and its close management is always important. However, the growing business also requires support. As it grows it takes on more inventory or stock and has increasing debtors or accounts receivable, as well as creditors and accounts payable. Smaller firms are generally paid later by larger firms, which exacerbates the problems for the developing business since it needs to ensure that its staff and suppliers are paid on a timely basis.

The consequence of this is that it is the growing firm that often runs out of cash, rather than the failing firm, which perhaps bizarrely releases cash as it fails. As the firm declines, it uses up its inventory, which it does not replace. Its accounts receivables slowly do pay, but they are also not replaced. At the same time, it does not take on new accounts payable since it will not need new inventory. It is when things turn for the better that the firm tends to have liquidity problems.

How do firms manage liquidity? Market risk looks at the current asset prices and takes that price supplemented by future data if that is available. Credit risk looks at historic information supplemented by external data. This is not really available for liquidity risk.

To understand the liquidity that the firm is likely to need, it will need to understand the business that it is running and how it will change. It needs to know its costs and income in detail. Contractual data is not very helpful since we know that customers often do not pay on time. It is what will actually happen in terms of real cash movements that counts and this is what is referred to as behavioral analysis. What is the actual supplier, customer and cost behavior likely to be?

There is also one other form of liquidity risk to consider. Firms often keep a stock of what are referred to as liquid assets to deal with an emergency of some kind. Smaller firms tend to keep this in cash, held by a bank which it hopes will stay solvent. Other firms will hold a variety of financial instruments, including bonds and equities. The key issue here is to ensure that the asset would be liquid in the environment that is being considered. Greek banks historically have tended to hold Greek government bonds as their prime source of liquid assets. During the Greek banking crisis, when Greek bonds became illiquid, holding them for liquidity purposes was clearly ineffective.

So, there is a lot of thinking to be done in terms of liquidity risk, both in understanding the cashflows within your business and in thinking through what assets are likely to be liquid in the future.

Operational Risk

In the last few years, there has been a lot written about operational risk, which perhaps might make you think that it is a new type of risk. It is not. It is as old as time itself. Operational risk is primarily taken as a consequence of the activity that a firm is conducting. You do not go out to take operational risk, you just get it. When a caveman designed a spear, they attached a flint to a stake to throw at their prey. The binding of the flint to the spear is perhaps the key operation in this process. If the binding were to fail, then no spear, no dinner, and no caveman!

Operational risk looks at everything that we do and considers how much could go wrong. Inherent risk is the risk of everything going wrong without any controls. Effective implementation of controls can clearly mitigate operational risk and losses are evidence of residual risk. So:

inherent risk – controls = residual risk

The problem is how to manage operational risk. Too many firms have operational risk paranoia and implement controls that lose them value. If in a year you have a loss of U.S.$2,500, but to prevent the loss recurring would cost you U.S.$50,000, then clearly you should take the loss. Essentially, controls are losses that recur every year in the hope that they may mitigate an event that occurs, which they frequently do not.

We design businesses where people are careless and controls help them remain careless. Nobody goes to work with the intention of making a mistake. Nobody says I will make one mistake at 10:15 a.m., another just after lunch at 2:10 p.m., and one just before I leave in the evening at 4:55 p.m. Nobody works like that, but we have firms that are designed to be like that. If nobody ever made a mistake, you would never need a control. Controls are for bad people. If you purely implemented a career development policy of exiting failing staff, then you would find that they might be more careful.

So, we can measure residual risk from loss records, except that not every operational loss has the word "loss" in front of it in your records. How do you record an overrun on a computer system or excessive overtime, for example? They are both costs that should not have been incurred, yet they are only shown in accounting records as costs, not losses.

But the greater problem here is in measuring the loss you would make without a control being in place, the inherent loss. If you take away the control, then you will have the loss that you were trying to prevent, which does not sound like a great idea. Think about business continuity planning. You are worried about the loss of your building so you design a business continuity plan, but could you test it? Clearly what you could do is secretly design an explosion at your office at, say, Tuesday at 3:30 p.m. All of your staff that should be there will be there, and of course they will all be killed, which I suppose is just collateral damage. You will then be able to work out exactly what the loss would be, but only if there was someone left to do the calculation. If you do choose to adopt this approach, I would recommend that you contact the local press first to let them know that the explosion is not a terrorist event, just your firm testing its plans again!

Instead we use scenario planning and control and risk self-assessment to try to imagine what the loss would be, but we do not really know. Poor loss data. Poor estimation of potential losses. Poorly costed controls. Poorly managed risk.

That leaves us with two main categories of risk to consider, which are also often poorly managed—strategic risk and reputational risk.

Strategic Risk

Does your firm even have a strategy? Who is responsible for it? Does your Board (if you have one) really spend time thinking of strategy or are they really just doing the day-to-day, what might be referred to as tactics?

Strategic risk is the risk that the firm adopts the wrong strategy, which includes the risk of not doing something as much as of doing something. A lethargy strategy is watching everything change around you and failing to grab the opportunity that may then be grabbed either by a new market entrant or a competitor.

Businesses such as Blockbuster Video had a great business and brand based upon renting out videos, but failed to see the change coming in the market that was driven by the emergence of the internet and the availability of downloading of music. Banks (remember them?) failed to see the growth of nonbanks and peer-to-peer lenders.

Since not having the wrong strategy is such an important issue for a firm, it is perhaps surprising that it is often dealt with so poorly. Strategy is a skill that is not within the training of most business managers, so unsurprisingly, they make a bit of a mess of it. Too often we promote people to the level of their incompetence, but that is another story.

Strategic risk is hard to evaluate with any degree of accuracy. Out of all the strategies available to you, why did you select this one? How wrong might you be? The paucity of data and the difficulty of assessing these impacts is perhaps one of the reasons why strategic risk is rarely evaluated effectively.

That just leaves us with reputational risk to consider.

Reputational Risk

What is a business? It is essentially a series of processes and activities that a firm chooses to undertake to meet its strategy (if it has one). Most of these could be copied by another competitor firm without too much trouble. If you consider a services firm such as a law firm or accountancy firm, what are they? What makes them special? Do they do anything that their competitors do not do or could not copy? What then makes you pay more or prefer one firm over another? The key elements of the value of the firm are:

  • The brand
  • Any trademarks
  • The customers
  • Any intellectual property
  • The staff

What these have in common is that none of them appear in the accounts. That an accountancy firm is a brand just as Coca-Cola is a brand might be depressing for the accountants, but is a fact of life. What this means is that a reputation that has taken years to build can be shredded in a few days; just remember Arthur Andersen, for example.

If reputation is key, then reputation needs to be protected. Banks used to have strong reputations; now they are less popular than traffic wardens. I used to be proud to say I worked in the banking industry. Now I would rather say I worked as an undertaker. At least nobody is then likely to ask me any more questions, and of course, I could not take my work home with me. Problem with repeat business though . . . .

Who in your firm is responsible for its reputation and what do you do to protect it? How do you manage it or how could you improve it? Reputational risk is easy to measure by using a simple metric, as follows:

  1. An event must happen (although it does not need to be under your responsibility).
  2. It must become public.
  3. And the public must care.

Clearly, the first time someone gets something wrong, there is one level of loss, but if it then repeats, it is much worse. When BP used the Gulf of Mexico as an oil storage facility, this was a disaster both ecologically and in terms of reputation. Were this to recur for BP, this could critically damage their reputation whereas if it happens to one of their competitors then their brand would probably improve.
