Strategies for Assessing Risk
In today’s business environment — increasingly global in nature and more competitive than ever — the failure to properly recognize and manage risk can undermine the strategic intents of the enterprise. The ability to recognize and manage risk effectively not only helps a company meet its many obligations and goals, but a thoughtfully planned and well-executed risk management approach can also give a company a decisive edge over its competitors.
Learning From the Missteps of Others: Two Extremes
Some leaders approach risk management through risk avoidance, thinking they are one and the same. But risk management doesn’t necessarily mean risk avoidance. On the contrary, the ability to recognize, anticipate and capitalize on certain risks in the marketplace has important implications. Effective risk management can not only protect business assets, it can also create meaningful business opportunities. One doesn’t need to look far to find tales of companies that have parlayed their entrenched risk aversion into the company’s nonexistence. As examples, the sagas of Digital Equipment and Wang offer cautionary tales. These companies moved too slowly to meet the complex needs of the rapidly changing markets in which they operated, and both paid a hefty price for failing to adequately identify and manage the risks they faced. Ultimately, Digital was acquired, and Wang filed for bankruptcy.
What about companies that take the opposite track — companies operating with great pride in their speed and agility in spite of the very real risks that come with such an approach? Recall the saga of the self-proclaimed “masters of the universe” at Enron, a company for which seeking to capitalize on risk was the order of the day. The leaders at Enron — driven by the hubris that ultimately led to their downfall and the company’s demise — thought they could prosper despite any risk or obstacle. In Enron’s case, involvement in more and more risky ventures eventually gave way to massive financial fraud, as those at the helm tried (in vain) to sustain Enron’s earnings and maintain the company’s marketplace position at any cost. Specifically, Enron failed to protect itself against the domino effect of excessive — and perhaps reckless — risk layering and paid a dear price for its ignorance and arrogance.
All business leaders must accept that risk is inevitable; they must implement processes and practices to understand and manage risk; and they must work to prosper from opportunities that arise from prudent risk management. By failing to institute a comprehensive enterprise risk and compliance (ERC) framework, many companies operate in a relatively haphazard fashion, reacting defensively to the various risks that arise and improvising responses as they go along.
The ability to cope effectively with potential threats and use them to gain competitive or strategic advantage is a hallmark of today’s visionary business leaders. Consider the following example. In the early years of Wal-Mart, Founder and Chairman Sam Walton embraced a risky strategy by locating some of his earliest retail stores in underserved rural areas. He assumed this risk, confident the approach to retail logistics and distribution he had pioneered would serve his fledgling stores well. Early on, he had invested heavily in technologies that allowed Wal-Mart to track inventory in near-real time — also a risky venture. When coupled with his signature decentralized distribution model, Walton’s use of advanced logistics technology allowed the rural stores to flourish. Whether Wal-Mart’s early success was based on an uncanny business sense or a bit of luck (or perhaps a little of both), Sam Walton was willing to identify and assess strategic risks and look for ways to use them to gain competitive advantage.
Categorizing Risk: A First Step in a Formalized Approach

Key to a risk assessment initiative is the identification of all relevant “risk domains,” which are classification schemes used to distinguish different categories of risk. Figure 1 shows that C-level executives see greatest risks both now and in the near future in the strategy, customer, process and supply chain domains. To use a sports analogy, a risk domain can be thought of as a playing field where various types of risks are played out and various types of responses take place. There are winners and losers in this arena, and some players join in the game while others remain on the sidelines as cautious observers.
On one playing field, we might have a game related to the competitive landscape in which the company operates. In this arena, patents and other intellectual property concerns, the need to meet ever-changing customer requirements, and innovation challenges come into play. On a nearby playing field, we may have geopolitical risk factors at work — political instabilities in various regions, threats of terrorism or a possible pandemic — captivating the crowd in the stands. On yet another field, the regulators are sharpening their pencils with an eye on the industries they regulate. Somewhere else, the legal community has issued a rallying cry to recruit participants for the latest class action effort.
This sounds simple, but in practice, neatly categorizing risk isn’t easy, and risks often cross over from one “field” to another. Although there are many ways to organize risk domains, one potential classification scheme involves the following eight categories:
- Strategic;
- Customer;
- Financial;
- Organizational;
- Technology;
- Personnel;
- Supply; and
- Process.
Figure 2 illustrates 40 different risk domains grouped into the eight risk categories listed above.

Once business leaders have identified appropriate risk domains for their organization, the next challenge is to figure out what strategies to employ — both within and across the relevant risk domains. In some cases, choices will need to be made; in others, the response will be dictated by internal or external factors.
To determine which risk strategies are appropriate, business leaders must understand what really occurs within a particular domain. Where does the risk within a given domain come from? When a risk is encountered, what are the potential outcomes or impacts for the enterprise? Business leaders can draw useful conclusions from outcomes related to risk, and gain valuable insights that lead to organizational, process and technology improvements and changes in strategic execution.
Assessing Risk: The First Component of the ERC Framework
Once the organization has established the terminology and risk domain logic, it must implement a formal ERC framework. This gives business leaders greater understanding of the various risk domains that can impact business operations, profitability, shareholder value, business and brand reputation, marketplace position and other factors critical to success. An ERC framework includes four basic components: assess, design, implement and operate.
The first component of an overall risk management strategy is a thorough assessment of the entire spectrum of risk that could impact the organization, and the remainder of our discussion in this point of view will focus on assessment.
Business leaders must keep several characteristics in mind when designing and implementing a comprehensive risk assessment program. A rigorous and valid risk assessment process must be:
- Timely. The risk assessment process should be carried out frequently — either semiannually or quarterly for most companies — so that information gathered remains relevant in the face of ever-changing internal and external drivers.
- Repeatable. The process should be straightforward and should leverage technology whenever appropriate to increase the likelihood that periodic risk assessments will be carried out on a regular basis.
- Complete. The process should identify the relevant risk domains and specify the potential risks within each.
- Multidimensional. The process should not only assess specific risks within the prioritized domains, but it should also evaluate the company’s current practices and capabilities relevant to risk management within each domain.
- Transparent. Information gathered and analyzed should be readily available, easily understood and properly disseminated throughout the organization.
- Aligned. A risk assessment cannot be carried out in a vacuum; instead, it must be conducted in light of the company’s overall strategic intent. Additionally, assessment capabilities must be aligned with the business processes and operating model.
Putting Principles Into Practice
While keeping those characteristics in mind, business leaders must take the following action steps to support a thorough risk assessment process:
- Understand and classify the strategic intent of the business unit that is being assessed.
For some companies, the primary strategic intent for maintaining competitive advantage may be related to maintaining product leadership; for others, fostering customer intimacy or maintaining operational excellence may be a key driver. To realize each of these corporate goals, business leaders must use different business strategies.
- Identify key participants in the risk assessment process.
Since the goal is to gather detailed information on relevant risk domains, identify potential risks and assess current capabilities related to managing those risks, the participants should include managers and executives who not only have insight into the operational aspects of the business but also understand how those operational aspects support the strategic intent. In general, active participants should be drawn from four key groups: senior executive leadership (CEO and direct reports); business unit leadership; functional leadership (CFO and direct reports); and middle management (a cross section of staff and midlevel managers).
- Establish a risk library associated with each of the risk domains to be assessed.
A “risk library” is an inventory that includes detailed information on each specific risk identified. This information is essential to help stakeholders gain a more complete understanding of the many sources of risk and to identify all potential business impacts. To make the risk library as comprehensive as possible, business leaders should err on the side of identifying too many risk domains. Identifying too few domains can create an incomplete and misleading assessment of the current situation. Understanding the cause-and-effect relationships between specific risks and potential outcomes is critical to the assessment process.
- Develop an understanding of the company’s existing risk management capabilities.
An assessment of the company’s current capabilities as they relate to managing risk will help to identify capability gaps — an evaluation that is essential to strategic planning and organization, process or technology changes aimed at reducing the negative impact of identified risks. In general, business leaders should assess a company’s existing risk management capabilities across four key areas:
- Risk governance (how policies, procedures and structure support effective risk management);
- Risk management (the design and implementation of all processes associated with managing risk);
- Risk measurement and monitoring (the ongoing monitoring processes in place and the strategies used to measure risk and communicate key findings to stakeholders); and
- Risk return and valuation (how potential risks identified might impact the enterprise from a cost-benefit standpoint).
- Conduct the risk assessment.
When carried out properly, the effort will yield insight across the risk domains and help business leaders answer important strategic questions. Once analyzed, the data and insight gathered during this rigorous assessment process will do three things: provide a clear picture of the current and emerging risks that could affect the enterprise; highlight the strengths and weaknesses of the current practices for managing those risks; and identify the gaps that exist, allowing them to be rectified.
First Steps
Although establishing and implementing a comprehensive risk assessment process takes considerable effort, the potential payback can be direct and demonstrable. Effective risk assessment can help the company achieve revenue and growth targets, optimize costs, improve customer loyalty and increase employee retention.
As with most major corporate initiatives, getting started can be one of the biggest challenges. To initiate an ERC framework that begins with a credible, enterprisewide risk assessment, follow these five steps:
- Establish a common language and communicate consistent definitions related to risk.
- Develop an understanding of the company’s existing organizational strategies and strategic objectives, and determine how specific risks might impact those objectives.
- Define and assess all risks, determine risk sources and impacts, and identify gaps in current risk management strategy and operational capabilities.
- Conduct planning based on assessment results to identify areas of overinvestment and underinvestment.
- Plan a sustainable assessment process, using the first assessment as a “pilot” that will become part of the overall ERC framework.
Once the fundamental mechanisms and procedures are in place, the risk assessment process should become an intrinsic part of the day-to-day operations — not just a one-time exercise. Using a feedback loop can help to maintain risk assessment as an ongoing process incorporated into the overall ERC framework and will strengthen the enterprise’s overall ability to predict, prepare for and respond to risk across all domains.

