Risk Management and Corporate Finance
Frank Moxon
Evolution Securities Limited
Introduction
It is tempting in today’s heavily regulated securities industry to think that risk is something to be eliminated or avoided in order both to achieve full regulatory compliance and maximize profitability. All business activities, however, involve some degree of risk and most entrepreneurial managers, at least, acknowledge that risks often need to be taken in order to gain a competitive advantage or to secure higher financial returns. Among the issues, therefore, facing senior management in any business enterprise are:
While senior management may not fully understand certain business activities under their control, as was clearly demonstrated in the Nick Leeson affair at Barings Bank, a well thought-out operational risk management system should enable them to control and mitigate risks in these areas.
There is a wide range of risks faced by any investment bank but those in corporate finance tend to be specific to that particular discipline. In contrast, many of the risks faced by staff trading in equities, bonds, and currencies or advising or acting as an agent for private, institutional or other investors are identical or at least fairly similar in nature. To this end, it is essential that in establishing an effective operational risk management system for a corporate finance business the experience and expertise of a firm’s central management team is optimized by the flexible application of the professional expertise of the firm’s senior corporate finance practitioners. If handled properly, this in itself can be an educational and performance-enhancing experience in its own right. In the words of General George Patton, “Don’t tell people how to do something. Tell them what to do and let them surprise you with their ingenuity.”
Other chapters in this book cover the main concepts behind the need for and the effective management and measurement of risk management procedures in general. During the remainder of this chapter, I intend, mainly, to restrict the subject to the issues faced by corporate financiers in particular.
Overall Risk Environment
There is often a tendency among corporate financiers to consider themselves to be in a far less-risky environment than their trading counterparts. After all, corporate finance is a profession governed by financial services laws and regulations, market rulebooks, and internal procedures manuals. The corporate financier is often aided by legal and other professional advisers and can usually count on his compliance department to act as an additional resource in times of doubt. As much as regulators might operate, often retrospectively, as policemen, they can also act as helpful consultants or interlocutors, for example, the UKLA readers involved in some Official List transactions.
To this fortuitous mix of “how to” guides and help on hand can be added other resources and structures provided by the corporate financier’s own firm. Staff have been selected using rigorous recruitment procedures and, as their time is served, acquire years of relevant transaction experience and other necessary life skills. They are then organized into transaction teams or other structures designed to maximize efficiency and skills coverage. They are regularly trained and attend continuing professional development courses. Senior members of the firm vet new transactions and the head of corporate finance maintains regular contact with corporate finance directors and their teams to ensure that all problems arising and the risks they bring with them are recognized and dealt with on an efficient and timely basis. As if this were not enough, engagement letters with corporate clients often contain sweeping indemnities in favor of the corporate financier’s firm. So, what could possibly go wrong?
Sadly, life is not so simple. Regardless of all these aids and benefits, corporate finance business involves a number of risks. At an internal staff level alone, these can present a number of issues for senior management to consider when formulating operational risk management systems. At one extreme is the rogue employee. He presents the, hopefully unlikely, scenario of an individual who overrides systems, either willfully or through incompetence, resulting in damage to the firm and its clients. This risk should be mitigated through careful selection procedures and internal transaction monitoring. At the other extreme is the scenario of the truly conscientious employee who is faced with a difficult professional decision within the bounds of his own operational competence and authority but who makes a wrong judgment call. This risk should be mitigated by internal transaction monitoring systems, adequate training, a clearly understood company policy on acceptable risk levels and a work environment in which consultation and risk reporting are considered by all to be an available benefit.
Nevertheless, both these extremes along a particular operational risk curve remain potential threats regardless of the preventative measures a firm may put in place. The US diplomat, Edward J. Phelps, reminds us, “The man who makes no mistakes does not usually make anything.” Risk can be mitigated but can rarely be eliminated altogether.
General Risk Areas
There are a number of risks facing the dealing and trading areas of broking firms or banks that do not necessarily affect directly their corporate finance counterparts such as currency risk, hedging risk or, per se, systematic risk. Nevertheless, other macro risks are relevant, including:
These are the sorts of risk that need to be taken into account in the macro sense when creating risk management systems for corporate finance departments. Next, some of the micro risk considerations are considered.
Specific Risk Areas
It is useful to start by reflecting on some fairly basic questions before responding to a request by the compliance department, the risk management department or senior management to assist with the development or refining of risk management systems and their application to corporate finance. It can be difficult for corporate financiers to wrestle with the fact that there are inherent risks to their business. In a peculiar way, precisely because corporate financiers are often by nature either control freaks or risk-takers, or an interesting combination of both, they can, in conceptualizing appropriate risk management systems, be their own worst enemies.
To this end, the sort of questions that should be framed before sitting down to design any corporate finance-related risk management system might include:
This is not an exhaustive list, if indeed such a thing exists. There is a slightly nebulous aspect to this general scoping process in that manifestations of risk in the form of problems or other negative outcomes are often quantitative. The damage can be measured in terms of a financial cost or loss. However, identifying and grading the sort of risks that a risk management system should manage has a qualitative aspect. It requires judgments to be made, often subjectively, on the potential issues involved.
Selecting Appropriate Key Risk Indicators (KRIs)
Having established what sort of risks are involved in a corporate finance business, at both a macro and a micro level, senior management must come up with a risk management system which is realistically operable while adequately fulfilling its key purpose. This is often an optimizing rather than a maximizing process. Some simplification is also required at times in order to ensure that objectives are met. Too much detail can confuse both operational and risk management personnel if it results in the means becoming an end in itself.
On the one hand is the detail. By their very nature, risk management systems need to cater for the “impossible” and “unlikely” scenarios. Do not be afraid therefore to think the unthinkable. “The reason the mainstream is referred to as a stream is because of its shallowness” (George Carlin). Yet, if the systems are designed in the first instance to identify risk at a very precise level of detail, there is a danger of inventing thousands of key risk indicators, none of which is ever likely to arise let alone be recorded. A broad category such as “due diligence failure” may make a better KRI than a more specific derivative such as “due diligence failure: person A did not accurately fill in form B.”
KRIs are the basic reporting units on which a risk management system is based. Across most departments in a financial services group, there are some common areas for KRIs such as bad debts and counterparty risk (in its more general sense). Most of these can have either a large number of readily identifiable forms or a small number of less likely manifestations. Corporate finance can present problems for those attempting to design an appropriate risk management module for it with prior knowledge of only similar modules for trading and dealing departments. There are hundreds of ways, I suspect, in which a trade can be badly executed but thousands in which a corporate finance transaction can go awry.
For this reason, it makes for a more manageable system if KRIs can be few in number but broad in scope. Consider that in an optimally functioning risk management system, KRIs serve not only as a reporting requirement but also as a management tool.
Examples of useful corporate finance KRIs include:
Again, this list is not exhaustive. It is important not only that all key areas of risk are covered by KRIs but also that the reporting system allows for, and that staff involved in the process are aware of, the provision of further information in respect of the incident that has necessitated the reporting of a KRI event. If a KRI report is issued because a corporate client has resigned, the reporter should provide details as to why the client has resigned.
As with all corporate finance-related issues, the designers of the risk management system also need to take into account the fact that corporate finance sits on the secret side of the Chinese Wall. Access to the detail contained within the risk reporting and monitoring system may need to be made available to staff on two or more levels of restricted access, depending upon the compliance department’s view on appropriate access to unpublished price sensitive or otherwise privileged information.
Further Points on Setting and Interpreting KRIs
In designing and effectively operating a risk management system in corporate finance, it is well to remember that each of us is, after all, only human. The design, commissioning, and operation of such a system are not always an infallible process and further adjustments will inevitably need to be made throughout the life of the system. The useful interpretation of the data collated by the system is also subject to human error. These failings include such things as self-deception, probability calibration issues, cognitive dissonance, and hindsight bias.
Self-deception is the trait that makes us think something will never happen because it has never happened before. This can manifest itself in a number of ways. Probability calibration issues arise where something is forecast not to happen. Unfortunately for us, a study by Kahneman and Riepe1 showed that only two professions showed good probability calibration skills. Neither one was financial-services related. The theory of cognitive dissonance2 is based on an observed tendency for humans to ignore facts contrary to their own beliefs and even to seek evidence on a selective basis in order to confirm the original, unscientific view. Clearly, these types of failings can make it difficult either to frame the right sort of KRIs or to interpret them properly and therefore learn from the data collected in order to prevent repetitions of the same problem.
Hindsight bias acts in a similar manner. It is too easy either to blame someone in a situation where the risk was actually unavoidable or, on the other hand, to overlook or waive concerns about a risk because it is considered that the next manifestation of it is likely to be detected earlier. An associated failing is a tendency to only prepare for or seek to identify those risks that are perceived as more likely to occur, simply because they are related to the most frequently occurring problems in our recent experience. As an old Chinese proverb says, “A man who has been bitten by a snake is afraid of a piece of rope.”
Conclusion
Although corporate finance often embraces risk and despite the skill of its practitioners and the fact that they have recourse to all manner of professional advice and other assistance, it does still require a degree of risk management monitoring, over and above that normally performed by, say, the compliance department.
Risk management in corporate finance is based on the same principles as any other financial services risk management system. However, the specifics are necessarily different to those of trading and dealing departments and require careful thought not just to identify key risks but also to ensure that the system is not undermined either by too much detail in the level of KRI reporting or an excessive degree of generality.
Planners of such systems therefore need to utilize the skills of those they seek to police. The thought processes required by corporate financiers in order to participate in the task are, in my experience, a useful educational tool and likely to ensure the overall success of the system both as a reporting function and as an effective management program.
Finally, in implementing a risk management system, real success depends upon more than simply creating a well-designed, beautifully crafted mechanical system. The system comprises not just a few thousand carefully considered words and a bespoke ORM computer program but also the people who use it and maximize its performance. There is another old Chinese proverb that advises: “If you are planning for one year, plant rice. If you are planning for 10 years, plant trees. If you are planning for 100 years, educate people.”
A Securities and Investment Institute Master Class on Behavioural Finance by Mark Tapley of the London Business School contributed significantly to the ideas presented here on some of the pitfalls of setting and interpreting KRIs. I am also indebted to a number of my colleagues at Evolution Securities, in particular Zoe Hine, Ngaire Stone, Mitchell Gibb, and Laurence Blake who patiently reviewed this chapter and also provided helpful comments and advice.