Features

A director’s guide to risk and its management

By Anthony A. Atkinson, CMA, FCMA, and Alan Webb, CA
Given this apparent gap between what directors should and do know about risk management, this article identifies and discusses three important contributors to organization risk and how those risks might be managed. In particular, we will look at the control points and the information requirements for managing each of these four types of organization risk.

The importance of risk management

Although a complete review of the numerous sources of risk management guidance, recommendations and requirements for boards is beyond the scope of this article, a few examples will illustrate the importance of this issue in today’s regulatory environment. The 2001 report of the Joint Committee on Corporate Governance (CICA/TSX/TSX Venture Exchange) recommends that boards of companies listed on the TSX should oversee management’s system for risk management and should regularly monitor the environment for emerging strategic risks and opportunities. Similarly, the Ontario Securities Commission’s proposed policy on effective corporate governance, released in January 2004, recommends that the board should assume responsibility for “identifying the principal risks of the issuer’s business, and ensuring the implementation of appropriate systems to manage these risks.”

Both of these examples reflect “best practices” guidance that companies are not yet required to follow. However, in industries where fiduciary responsibility is particularly high (e.g. financial services), legislation (e.g. the Bank Act) specifically requires extensive risk management procedures — strong internal control. Similarly, the Canadian Deposit Insurance Corporation requires the board to review and approve organizational and procedural controls as part of its risk management responsibilities.

The nature of risk

Risk is uncertainty in achieving organization objectives. The fundamental nature and consequences of risk apply equally to for-profit and not-for-profit organizations.
In for-profit organizations, risk is usually formalized as the uncertainty of financial returns. In not-for-profit organizations, risk is usually formalized as uncertainty in achieving the organization’s stated qualitative objectives — for example, a provincial health ministry may have the objective of improving some measure of the population’s health, and risk relates to uncertainty in achieving that target.
A fundamental proposition in financial economics argues that return compensates risk — the higher the level of firm-specific or unsystematic risk, the higher the level of expected return. The primary roles of risk management are to identify the appropriate risk-return trade-off, implement processes and courses of action that reflect the chosen level of risk, monitor processes to determine the actual level of risk, and take appropriate courses of action when actual risk levels exceed planned risk levels.

The control cycle

It is useful to discuss organization risk within the context of the classic control cycle of plan, do, check, and act. It is senior management’s responsibility to plan, implement, monitor, and revise major strategic initiatives, all of which simultaneously create and affect organization risk. Therefore, as part of its responsibility, the board of directors needs to ensure that management has in place each of the four elements of the control cycle.

This means that the board must ensure that management’s strategic plans are adequately based on appropriate, reliable, and complete information, which in turn requires the board to undertake an assessment of management’s strategic plans, including their information basis and logic, and a discussion of that assessment with management. The board must verify that management has put in place control systems to ensure that its major initiatives have been implemented as planned. It must also ensure that management has put in place systems to monitor and evaluate the successful achievement of objectives. Finally, the board must ensure that management regularly compares planned and actual results, and appropriately re-evaluates strategy on that basis. To reiterate, management’s role is to ensure that it establishes and carries out the above control system steps (as outlined in Figure 1).
It is the board’s responsibility to ensure that management has undertaken these steps and, in the case of the plan and act (plan revision) steps, that it has evaluated the information and the logic of management’s strategic plans and discussed this with management.

Elements of risk

There are three major contributors to organization risk — strategic risk, environment risk, and operational risk. Strategic risk relates to an organization’s choice of strategies to achieve its objectives. It is represented by a variance, holding constant the effects of any other sources of uncertainty, between a strategy’s actual outcomes and its target outcomes, as shown in Figure 2. Environment risk addresses uncertainties in the operating environment of the organization. Environment risk is shown as the exogenous uncertainty in Figure 2. Operational risk has two components: process risk, which addresses the ability or inability of a process to achieve its objectives; and compliance risk, which addresses the potential failure to operate a process as planned.
Strategic risk

Strategic risk addresses the concern that major strategic alternatives may be ill-advised given the organization’s internal and external circumstances. Strategists have developed the notion of strategic fit, which reflects the alignment between the organization’s internal potential (strengths) and its external opportunities. Misalignments occur when senior management pursues strategies that are either unfeasible, given the organization’s financial and human resources, or inappropriate, given its external environment. Therefore, strategic risk assessment questions whether management has misread its environment or has developed an inappropriate strategy to deal with that environment. A good illustration of the first type of strategic risk was Nortel’s decision to acquire unproven technologies to promote growth in the period 1998-2001. A good example of the second type of strategic risk was Microsoft’s initial decision to treat the Web as a passing customer fad and its belated, although successful, entry into the Internet browser market.

Management’s role is to develop and implement an organization’s major strategic initiatives. The control point for strategic risk is the board, which should ensure that management has acquired and used the appropriate information to support this strategic choice and that the choice appears sound, given the information developed.

Environment risk

There are three sources of environment risk: macro-environmental factors, competitive factors, and market factors.

Macro-environment factors

The strategic management tool STEEP (social, technological, economic, environment and political trends) summarizes the macro-environment factors that can affect an organization.
STEEP involves the identification, quantification, and evaluation of the potential effects of each of these trends:

Social trends: For example, since 2000, fast food organizations have added so-called healthy alternatives to their menus to reflect societal trends. Some analysts believe KFC’s slow or inadequate response to this trend cost it significant market share. Organizations can also overreact to apparent trends, however. By mid-2004 consumers seemed to be abandoning the low-carbohydrate diets popular in 2002-3, and some organizations now had products that were expensive to develop and advertise but were no longer in demand.

Technological trends: FedEx quickly recognized the strategic and operational importance of barcode scanning technology for tracking shipments. Competitors quickly followed when they understood that this technology improved the quality and decreased the cost of courier service. Posco, a South Korean steelmaker, spent more than $200 million to develop an information system that linked its 80 Korean steel mills. This information system allowed the company to process customer orders online and channel each order to the appropriate plant to minimize work-in-process inventories, maximize plant use, and reduce cycle time to customers.

Economic trends: Organizations in the travel industry see their fortunes rise and fall contemporaneously with the economy. Others, such as organizations in the home renovation and graduate business education industries, appear to be counter-cyclical.

Environment trends: Government regulations and societal expectations can have far-ranging effects on organizations, including process and product design. Changes in consumer views of the importance of recycling led fast food restaurants to use paper-based packaging for their food in place of the environmentally unfriendly Styrofoam material they had used in the past.
Political trends: Examples include organizations in regulated industries and organizations whose merger behaviour is subject to government review. An excellent current example is the effect of the Kyoto accord on organizations in the signatory countries.

Competitive factors

Michael Porter proposed a five forces analysis, shown in Figure 3, to identify the elements that can affect an organization’s competitive position, which, in turn, affects the organization’s ability to achieve sales and profit objectives, thus creating organization risk. These include the existing rivalry in the industry, power of suppliers, power of customers, ease of entry into the industry, and availability of substitutes. For example, increases in substitutes diminish an organization’s competitive position, thus creating organization risk.
Market factors

Market factors create organization risk through their potential to change the competitive landscape. The three elements of market factors are: product life cycle, market requirements and competition.

Product life cycle. The competitive dynamics in each stage of a product’s life cycle (planning and introduction, early growth, late growth and maturity, and decline) require that the organization adapt its competitive strategy to the product’s life cycle stage. Failure to adapt strategy in response to a life cycle stage change creates organization risk. A good example is the impact of Apple’s iPod on the portable music player industry. Essentially, this new technology moved existing technology from an early growth stage into a maturity/decline stage, creating important issues for competitors concerning whether to follow iPod to the higher price point, higher functionality product, or to remain where they were with existing technology.

Market requirements. Four dimensions summarize customer requirements: price point, quality, functionality, and service. The potential for customer change in any of these dimensions creates customer risk if the organization is not prepared for such changes. A good example of the danger of misunderstanding customer requirements was the belief by North American automakers in the early 1970s that quality was not a significant customer requirement — reflecting the belief that warranties meant that customers did not have quality risks. This misunderstanding, combined with the North American automakers’ false belief that higher quality meant higher production costs, opened the door to Japanese imports that customers readily adopted because of their superior quality.

Major competitor. Major competitors create organization risk through their ability to change the competitive dynamics of a market. Organizations that compete in the same consumer segments as Wal-Mart constantly monitor Wal-Mart’s planned moves into new markets.
Organizations manage environment risk by continuously scanning each of the changeable environment elements and by identifying issues that must be addressed to sustain a competitive position. This formal scanning process is part of the strategic management approach known as SWOT, a continuous and thorough analysis of the organization’s strengths, weaknesses, opportunities, and threats given its current strategies and processes and the evolving trends in the external environment.

The major control tool for managing environment risk is information gathering and assessment of that information by management, and the control point is a senior group responsible for organization planning and strategy. The board’s role is to ensure that management has a systematic process for: gathering the necessary environment information; assessing the organization risk (actual or potential) implied by that information; and ensuring that management acts on the identified risks in an appropriate and timely manner.

Operational risk

There are two forms of operational risk — compliance risk and process risk. Compliance risk is the potential that an implemented procedure, control, or prescribed practice that is otherwise well designed will not operate as intended by management. Process risk is the potential that a procedure, control, or prescribed practice contains a design flaw that can create organization risk.

Compliance risk

Compliance failures have accounted for the most spectacular organization failures and losses in the last decade. These compliance failures have resulted in both legal damages being assessed and loss of corporate image — potentially affecting future profitability. Therefore compliance risk is a major source of organization risk and deserves the high level of attention it has attracted in the management control literature. This is perhaps the reason for regulator preoccupation with compliance risk in setting governance standards.
The focus on independence between the auditor and management, and among board members and management, reflects the implicit target of lowering compliance risk — the point being that the possibility increases that auditors and board members may not perform as expected when they are beholden to (not independent of) management. While controlling compliance risk is important, regrettably few suggestions for governance improvement focus on methods to reduce strategic, environmental, and process risk.

Compliance failures arise for two reasons: deliberate override or the failure of the people monitoring a system, through negligence or ignorance, to operate it as intended. The Barings Bank failure is an example of a deliberate override, as are most frauds. The failures of systems to operate as planned are subtler and may reflect many underlying causes. Governance system failures are often attributed to the failure of boards of directors to undertake their duty to monitor and advise management. For example, the board of directors of the New York Stock Exchange came under criticism for approving what many outsiders believed was an extravagant compensation package offered to the CEO. Industrial accidents are often attributed to employees who were inadequately trained. The Exxon Valdez ran aground, creating a massive environmental disaster, at a time when only one ship’s officer was on the bridge — a direct contravention of company policy.

There are three tools organizations use to manage compliance risk:
It is management’s responsibility to choose the appropriate type of compliance risk control system and to ensure that it is appropriately designed, implemented and operated. It is also management’s responsibility, either through systematic information gathering or random inspections, to frequently monitor and evaluate the ongoing efficacy of its implemented control systems. It is the board’s responsibility to ensure that management has identified the appropriate compliance risks and the procedures, controls or prescribed practices by which they will be managed. The board is also responsible for ensuring management performs its monitoring and continuing evaluation responsibilities both systematically and effectively. Ultimately, it is the board’s responsibility to ensure that management is effectively controlling compliance risk.

Process risk

Process risk arises through inadequate system design. It reflects incomplete consideration of the environment in which the system was designed to operate. Arthur Andersen ultimately failed because of its loss of credibility stemming from its association with Enron. Many observers of Andersen’s demise have attributed it to a process failure — local partners were permitted by corporate policy to overrule opinions provided by experts at corporate headquarters. In response to charges that its Explorer vehicles were unstable, Ford redesigned the vehicles with a wider wheelbase. The tracks used to move vehicles along the assembly line were poorly positioned, causing damage to the tires of some vehicles and creating another recall and image problem for Ford. Occasionally risk is created because of a combination of both process failure and compliance failure.
The World Nuclear Association concluded that “the Chernobyl accident in 1986 was the result of a flawed reactor design (a process failure) that was operated with inadequately trained personnel and without proper regard for safety (a compliance failure)” (comments in parentheses added).
Since unforeseen events create process risk, it is possibly the most difficult to mitigate, and organizations often engage in risk shifting through insurance or joint venture agreements to control process risk. However, it is important that management put in place systems to evaluate and control process risk. It is the responsibility of the board to ensure that management has undertaken this responsibility in a complete and effective way. Scenario analysis, which involves predicting how existing systems would respond to unanticipated events, can be used to control process risk. In this regard, a board can play an important role by asking management “what if” questions concerning the potential for organization risk created by unanticipated events. Boards should insist that organizations that face continuous unforeseeable risks provide for such risks through appropriate accumulation of contingency funds held in liquid investments.

Senior management and boards of directors share responsibility for managing organization risk. While management is responsible for identifying the appropriate level of organization risk and putting in place systems to monitor, assess, and react to unexpected risk, it is the board’s responsibility not only to ensure that management has implemented these systems, but also, particularly in the case of strategic risk, to be actively involved in assessing risk levels directly rather than simply monitoring management’s efforts.

Anthony (Tony) Atkinson, Ph.D, CMA, FCMA, is a professor and Management Accounting Area Head in the School of Accountancy at the University of Waterloo. Alan Webb, Ph.D, CA, is the PricewaterhouseCoopers Fellow in the School of Accountancy at the University of Waterloo.