Risk Management Reports March 1996

Volume 23, Number 3

Risk Management: Coming of Age

Two recent monographs mark a "coming of age" of the risk management discipline. It has emerged from its cocoon and is now the subject of active discussion by senior managers, not just treasurers, risk managers, and environmental, health and safety specialists.

"Corporate Risk Management" appeared in the February 10, 1996 issue of The Economist. It is a review of literature on the management of financial and investment risk attributable, in whole or in part, to the manipulations of derivatives that headlined the financial press in the past two years. Names such as Procter & Gamble, Gibson Greetings, Daiwa, Barings, Orange County and Metallgesellschaft sent waves of fear through organizations that errant managers, through duplicity, greed or ignorance, could sink a firm. Five of these losses exceeded US$ 1 billion (Orange County, Kashima Oil, Barings, Showa Shell Sekiyu, and Metallgesellschaft). The article cautions, however, that "many of the so-called derivatives disasters are in fact speculative disasters that might just as easily have happened if the investor had been punting in shares or equities."

The response is one of a more rigorous and strategic risk management, one with Board and senior management oversight. The Economist concludes:

1. "Risk management must be regarded as a core skill by every firm." This includes control systems to advise senior managers of the risks to which the organization is exposed, and assurance that strategic risk management is being properly implemented.

2. Risk management is not an ivory tower for arcane specialists. Managers, Boards, and shareholders, especially institutional, must understand the nature and scope of risks and the organizational responses.

3. Increased disclosure of risk assessments and responses is the best course of action, not increased regulation or aversion to employing financial instruments that can reduce risk if used properly.

4. Risk management must be a senior management strategic responsibility, not one assigned solely to the finance department.

The article acknowledges, however, that current risk assessment capabilities are weak: "This is partly because the technology for identifying risk exposures in non-financial firms is as yet fairly primitive, but more fundamentally because managers and boards too often regard risk management as a matter for financial experts in the corporate treasury department rather than an integrated part of corporate strategy " (editor's emphasis). I believe that "strategic risk management" is more than a "buzzword." It is already firmly in place in firms such as Bankers Trust, NatWest and Nova Corporation.

One of the intriguing aspects of a broader view of risk and response is that many of the so-called "catastrophes" that could beset an organization are non-correlative. It is unlikely that a market plunge will occur the same year as a drastic rise in interest rates, a monster earthquake or hurricane, or a class-action lawsuit. Too many firms try to fund for each of these contingencies separately, implying that they might happen together. A coordinated risk management approach can give a firm a more realistic view of all risks and may lead to lower overall risk financing costs.

The Economist poses three questions for strategic risk management: (1) How well do managers understand their firm's risk exposures?, (2) "Will hedging them make their shareholders better off?", and (3) "Is it possible in practice to hedge these risks adequately?" These questions echo the three key questions of risk management that I posed over eight years ago: (1) What can go wrong?, (2) What can we do about it?. and (3) How do we pay for it?

The problem of understanding risk exposures is compounded by the inability of existing accounting standards to measure them accurately. Today's accounts are "a curious cocktail of hard facts . . . and subjective judgments." We need the active collaboration of the accounting profession to develop new forms of risk analysis.

The primary message of this survey is that firms need to "understand all the main risks to which their future cash flows are exposed, not just the narrowly financial ones." Over-focus on one type of risk or another, be it environmental, derivative, legal liability, or physical damage, simply perpetuates the outmoded fragmented approach to the management of risk.

(For copies of "A Survey of Corporate Risk Management," contact The Economist Newspaper Group, Inc., Reprints Department, 111 W. 57th St., NY, NY 10019, or telephone (212) 541-5730. Individual reprints are US$ 3.75)

"Managing Business Risks:An Integrated Approach," is a Fall 1995 Research Report published by the Economist Intelligence Unit in cooperation with Arthur Andersen. It is the broader of the two monographs, incorporating a global and integrated view of risks and their management. In a sense, it is a companion to the new Australasian "Standard" on risk management discussed in the February 1996 issue of Risk Management Reports.

The hypothesis of this paper is that managers should recognize the complexity of risks in the modern economic world and adopt a comprehensive approach to their management. It defines "business risk" as "the threat that any event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully." Verbose, but the point is solid. I prefer my definition of risk:"the compound estimate of the probable frequency, probable severity and public perception of harm." What is not included either of these definitions is a recognition of the positive as well as the negative consequences of risk, a point that the Australasian Standard makes.

Three elements, according to the authors, are essential to an integrated approach to the management of risks:

1. "Develop a common business risk language." I urged this idea in the February 1995 issue of RMR. The mixed media of " betas," "MFLs," "expected losses and confidence levels," and risks measured to 10-6 provide an infinitely confusing melange of risk assessments that baffle even experts.

2. "Develop effective organizational control structures." This encompasses "strategic" controls, like policies, resource allocation and performance measurement, and "tactical" controls, such as specific objectives, defining acceptable behavior, selecting competent people, establishing accountability, and assuring complete communication up and down through the ranks.

3. "Create a process view" that defines business objectives, assesses risks, designs and implements risk controls, measures performance and continually monitors the entire process. This emphasis on "process" rather than "function" characterizes this paper and reflects earlier advocates of process risk management such as Vernon Grose's Managing Risk:Systematic Loss Prevention for Executives (1987) and Peter Schwartz's The Art of the Long View (1991). It cites examples of best practices in risk management including Heineken N.V., Guinness Plc, ACT International, Northeast Utilities, BP Exploration, Analog Devices, Chase Manhattan Bank, Rio-Tinto Zinc, Baxter International, Digital Equipment and Motorola.

One possible paradox of risk management lies in the devolution of decision-making to employees through the "empowerment process." The paper correctly notes the new risks this may raise. Newly empowered employees and operating units may undertake activities and actions unanticipated by senior management, some of which will create harm. How does an organization establish clear boundaries or limits on the harmful results of unanticipated decisions? The answer lies in building a stronger sense of risk awareness and ownership at employee and unit levels. This means the development of "rules of the game," similar to sports, allowing, even stimulating, creativity and lateral thinking yet keeping risk within acceptable boundaries. This bias toward decentralization, coupled with risk awareness and a long view, means both creativity and strong risk management.

The paper argues that "a fragmented or unfocused approach to managing risk is inadequate in these turbulent times" and concludes that "global businesses need a new paradigm for business risk management." This paradigm is described as:

o "Risk assessment is a continuous activity.

o Everyone throughout an organization is concerned with identifying and managing business risks.

o Business risk assessment and control are focused and coordinated with senior management oversight.

o Control is focused primarily on the avoidance of unacceptable business risks, followed closely by the management of other business risks in order to reduce them to an acceptable level.

o A formal business risk controls policy is approved by management and the board, is widely distributed and clearly understood.

o Anticipate and prevent business risk at the source and then monitor business risk controls continuously.

o Ineffective processes are the primary source of business risk."

"Managing Business Risks" is available for US$ 295 from The Economist Intelligence Unit, 111 W. 57th Street, NY, NY 10019. Telephone: 800-938-4685

These two articles confirm the words of Paul Barnes, a professor at Griffith University in Australia, that "risk is a multidimensional concept." Risk managers of whatever persuasion, investments, environmental impairment, health and safety, public policy or insurance, must reach beyond their traditional intellectual and experiential "comfort zones" to grasp the whole of this discipline. When this happens, the discredited practice of fragmentation will be broken.

(insert box here with "Business Risk Model - A Common Language" - use two columns)

(shaded box)

Research . . . too much machinery, too much administration, and not enough brains and intuition. Research harbors a lot of second and third-rate people.

Robertson Davies, The Cunning Man, Viking Press,

New York, 1994

Direct Discussions

I listened recently to a fascinating, upbeat, optimistic, and even convincing presentation on the proposed Lloyd's "Reconstruction and Recovery Plan." It even acknowledged the past market excesses that caused losses over US$12 billion. When the speaker, however, noted that Lloyd's is and will remain a "broker market," I questionned the validity of the argument.

While many organizations are now demanding direct discussions and negotiations with their risk financing underwriters and direct payment of premiums to them, one of the world's oldest markets, struggling to survive, cannot seem to grasp the change that is taking place. I admit that the architects of the Plan need the financial support of the brokerage community to sell the Equitas solution. A scuttling of commissions at this point might well scuttle the recovery as well. Yet the future will be different: the demands of financial officers and risk managers require direct contacts and negotiations between buyers and underwriters which the new interactive technology will permit. The role and remuneration of traditional intermediaries will be reduced. Insurance quotations will be net of these costs.

Consider the stated "policy" of a major corporation (paraphrased): "We believe in honest and trusting relationships with all our service providers and risk financing partners. We seek and practice open dialogue with our insurers without the broker and we need this direct contact to maintain this trust relationship. We may also negotiate directly with markets but this will not be conducted without the involvement of and discussions with our brokers."

I would not be surprised to see Lloyd's take advantage of technology and the obvious interest of its customers after its summer 1996 re-launching, if that recovery is successful.

(shaded box)

The inexorable transition of Lloyd's from a market to something more resembling a food court of a shopping mall, sheltering under its franchising umbrella insurance companies rather than syndicates of merchant venturers, took a major step forward at the end of 1995.

"Mid-Ocean in New Wave," World Insurance Report,

January 12, 1996

The Highest Bidder

Is there more to life than price? Do we always sell to the highest bidder or buy from the lowest? Our financial gurus remind us that this is the essence of a market economy, but I continue to have a sense that other factors should be considered. I was delighted to see that the International Olympic Committee decide to accept the offer for the European television rights to the Olympics from 2000 through 2008 from a consortium of 65 public broadcasters in Europe, North Africa and the Middle East. Although its offer of $1.4 billion was 22% less than that of the commercial News Corporation, the non-profit group won. The Olympics spokesman noted that "sports is a public service available to all." Bravo! I encourage decision-makers to consider intangible issues such as community responsibility, loyalty, public benefit, etc. in their actions. The followers of Milton Friedman may castigate my "soft" thinking, but I believe that these issues are important in a balanced world. I hope some risk managers will take them into consideration when they next make financing decisions.

(shaded box)

Fifty years ago, we were still a nation of builders and dreamers; now whittlers and belittlers set the cultural tone.

John Updike, "Legendary Lana," The New Yorker,

February 12, 1996

Benchmarking

Receently a discussion of benchmarking for risk management on RiskNet reminded me that while much has been written on this subject, more heat than light has been produced. Jay Deragon, the executive director of Nashville's Quality Insurance Congress, suggests that benchmarking is a current "crazed phase" for risk managers, in which too many try to copy procedures rather than try to understand processes. It's easy to adopt someone else's successful practice or procedure, only to fail because you did not take the time to understand the underlying process for your own organization. That's not benchmarking, that's copying. As Jay Deragon notes, "Many want to measure something without defining exactly what it is they are measuring."

His questions before attempting any benchmarking:

o What is the process that is going to be compared?

o What does the proposed process look like?

o Have the input variables been identified, and are they measurable?

o When comparing one process to another, is it understood that they are either identical or very similar?

o What is the ultimate aim of performing benchmarking?

Deragon offers "Ten Pitfalls of Benchmarking." They are worth reading:for a copy contact him at Quality Insurance Congress, 26 Century Boulevard, Nashville, TN 37214. Tel: 615-872-3270 or email: Jay_Deragon@qic-bbs.com

Other resources and articles:

o The Cadbury Committee Report (see RMR April 1994)

o "Guiding Principles for Risk Management (see RMR June 1994)

o The Warren Report, April 1994

o Institute of Management Accountants Statement on RM Costs, 1993

o Towers Perrin/RIMS Cost of Risk Survey 1995

o Australasian Risk Management Standard (see RMR February 1996)

o "Benchmarking," Michael Levin, Business Insurance Oct. 26, 1992

o "Business Risks," Economist Intelligence Unit, (see RMR March 1996)

Finally, according to Arthur Andersen, the steps of benchmarking are:

1. Identify the process to evaluate.

2. Get top management support.

3. Establish a process review team.

4. Analyze your own performance.

5. Identify top companies.

6. Focus on best practices.

7. Identify best practices to implement.

8. Implement the best practices.

9. Monitor the process.

(shaded box)

A political system, a form of social organization, like any system in general, is by definition a form of the past tense that aspires to impose itself on the present, and often on the future as well . . . .

Joseph Brodsky, as quoted by David Remnick, "Perfect

Pitch," The New Yorker, February 12, 1996

History and Responsibility

Historian William McPherson argues that "without a known past, the idea of a future doesn't extend much beyond tomorrow" ("A Millennium on the Margins," Wilson Quarterly, Winter, 1996). How many of us belong to organizations and know little or nothing about their creation, infancy, trials, tribulations and successes? In short, how many of us know something about the history of our employers?

McPherson's point applies to all forms of organizations. Those with a written history, a sense of the past, give their current employees a pride in the continuity of the firm that helps assure a successful future. Those without it create "the fatal illusion of discontinuity with the past" in the words of Edward Tenner, in the same issue of Wilson Quarterly). A sense of and respect for the past creates a more stable future.

I argue that the risk manager is the prime custodian of the long-view within any organization. I used to mean the future, but I suspect this responsibility extends into the past as well. Why shouldn't the risk manager take responsibility for creating and maintaining an organizational history, a record of the past? Take advantages of natural milestones, the first decade, the first quarter-century, the first fifty years, and create this record. All new employees should have some insight into the stories of the organization, good and bad. This may be another way to instill a sense of continuity and personal responsibility, assuring the future.

(shaded box)

Observing, recording, and preserving the memory of both the large and small events of life is one of the oldest and most satisfying ways to bring order to consciousness.

Mihaly Csikszentmihalyi, "Flow:The Psychology of Optimal Experience," quoted in The New York Times, August

4, 1991