Part I
Enterprise Risk Management in Context
1 Introduction
A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.
(Winston Churchill)
Risk management has taken centre stage. It is now the most compelling business issue of our time. Shareholders have repeatedly suffered from erratic business performance. Recent history has shown that risk exposure has not been fully understood and risk management practice has been inadequate. Looking back, while economists have cited many reasons for the Asian financial crisis of 1997–1998, clearly foreign exchange risk was a major contributor. After the New York World Trade Center and Pentagon terrorist attack on 11 September 2001, enterprise risk management was found to be wanting. Business continuity planning had been inadequate. In particular, it was found that greater emphasis needed to be placed on IT disaster recovery, human resource management and communication. After the bankruptcies of Enron in December 2001 and WorldCom in July 2002, inadequate corporate governance and the ‘soft underbelly’ of risk management were exposed, arising primarily from the lack of integrity of financial reporting, a lack of compliance with regulations and operational failures. In late August 2005 Hurricane Katrina struck, reportedly the costliest natural disaster in US history. Oil production, importation and refining were interrupted.1 Businesses were suddenly exposed to a surge in energy prices, continuity failures and shipping disruption. Costs of production rose and sales fell. More recently, failure to properly understand and manage risk has been cited as the root cause for the global financial crisis of 2007–2010. So severe was this financial tsunami that many economists have described it as the worst financial disaster since the Great Depression of the 1930s. Boards in the financial sector were accused of being greedy, reckless2 and dysfunctional and in some cases ‘sheep’, falling into the trap of ‘group think’ due to an apparent absence of independent thinking. In addition, there had been a lack of appreciation of risk at both a business and a macro or industry level.
Systemic risk in the financial industry had not been recognised, understood or addressed. Regulators on both sides of the Atlantic and the banks themselves failed to recognise the interconnectedness of banks and the potential domino effect of bank failure. If the financial crisis was not excitement enough, the media have had a field day with a number of high-profile and very damaging business ethics failures relating to bribery, insider trading, invasion of privacy and sexual harassment.
1.1 RISK DIVERSITY
Providing strategic direction for a business means understanding what drives the creation of value and what destroys it. This in turn means that the pursuit of opportunities must entail comprehension of the risks to take and the risks to avoid. Hence, to grow any business entails risk judgement and risk acceptance. A business's ability to prosper in the face of risk, while at the same time responding to unplanned events, good or bad, is a prime indicator of its ability to compete. However, risk exposure continues to grow larger, more complex, more diverse and more dynamic. This has arisen in no small part from rapid changes in the globalisation of business, the speed of communication, and the rate of change within markets and technology. Businesses now operate in an entirely different environment compared with just three years ago. Recent experience has shown that as businesses strive for growth, internal risks generated by a business itself can be as large as (or greater than) external risks. The adoption of expansion strategies, such as investment in emerging markets, developing significant new products, acquisition, major organisational restructuring, outsourcing key processes and major capital investment projects, can all increase a business's risk exposure.3
A review of risk management practices in 14 large global corporations revealed that by the end of the 1990s the range of risks that companies felt they needed to manage had vastly expanded, and was continuing to grow in number (Hunt 2001). There are widespread concerns over e-commerce, which has become accepted and embedded in society with startling speed. According to the Economist Intelligence Unit (2001):
Many companies perceive a rise in the number and severity of the risks they face. Some industries confront unfamiliar risks stemming from deregulation. Others worry about increasing dependence on business-to-business information systems and just-in-time supply/inventory systems. And everyone is concerned about emerging risks of e-business – from online security to customer privacy.
As a consequence of the diversity of risk, risk management requires a broader approach. This sentiment was echoed by Rod Eddington, former chief executive officer (CEO) of British Airways, who remarked that businesses now require a broader perspective on risk management. He went on to say that:
If you talked to people in the airline industry in the recent past, they very quickly got on to operational risk. Of course, today we think of risk as the whole of business. We think about risk across the full spectrum of the things we do, not just operational things. We think of risk in the context of business risks, whether they are risks around the systems we use, whether they are risks around fuel hedging, whether they're risks around customer service values. If you ask any senior airline person today about risk, I would hope they would move to risk in the true, broader sense of the term. (McCarthy and Flynn 2004)
All stakeholders and regulators are pressing boards of directors to manage risk more comprehensively, rigorously and systematically. Companies that treat risk management as just a compliance issue expose themselves to nursing a damaged balance sheet.
1.2 APPROACH TO RISK MANAGEMENT
This evolving nature of risk, and of expectations about its management, has now put pressure on previous working practices. Historically, within both private and public organisations, risk management has been segmented and carried out in ‘silos’. This has arisen for a number of reasons, such as the way our minds work in problem solving, the structure of business organisations and the evolution of risk management practice. There is clearly a tendency to want to compartmentalise risks into distinct, mutually exclusive categories, and this would appear to be a result of the way we subdivide problems to manage them, the need to allocate tasks within an existing organisational structure and the underlying assumption that the consequences of an unforeseen event will more or less be confined to one given area. In actuality, the fallout from unforeseen events tends to affect multiple business areas, and the interrelationships between risks under the categories of operational, financial and technical risk have been overlooked, often with adverse outcomes. Patricia Dunn, former CEO of Barclays Global Investors and former non-executive chairwoman of the board of Hewlett-Packard (HP),4 has previously identified a failing in approach:
I think what Boards tend to miss and what management tends to overlook is the need to address risk holistically. They overlook the areas that connect the dots because risk is defined so ‘atomistically’ and we don't have the perspective and the instrument panel that allows us to see risk in a 360 degree way. (McCarthy and Flynn 2004)
Enterprise risk management (ERM) is a response to the sense of inadequacy in using a silo-based approach to manage increasingly interdependent risks. The discipline of ERM, sometimes referred to as strategic business risk management, is seen as a more robust method of managing risk and opportunity and an answer to these business pressures. ERM is designed to improve business performance. While not in its infancy, it is a slowly maturing approach, where risks are managed in a coordinated and integrated way across an entire business. The approach is less to do with any bold breakthrough in thinking, and more to do with the maturing, continuing growth and evolution of the profession of risk management and its application in a structured and disciplined way (McCarthy and Flynn 2004). ERM is about understanding the interdependencies between the risks, how the materialisation of a risk in one business area may increase the impact of risks in another business area. In consequence, it is also about how risk mitigation action can address multiple risks spanning multiple business sectors. It is the illustration of this integrated approach which is the focus of this book.
1.3 BUSINESS GROWTH THROUGH RISK TAKING
Risk is inescapable in business activity. As Peter Drucker explained as far back as the 1970s, economic activity by definition commits present resources to an uncertain future. The one thing that is certain about the future is its uncertainty, its risks. Hence, to take risks is the essence of economic activity. He considers that history has shown that businesses yield greater economic performance only through greater uncertainty – or in other words, through greater risk taking (Drucker 1979).
Nearly all operational tasks and processes are now viewed through the prism of risk (Hunt 2001). Indeed, the term ‘risk’ has become shorthand for any corporate activity. It is thought not possible to ‘create a business that doesn't take risks’ (Boulton et al. 2000). The end result of successful strategic direction setting must be the capacity to take greater risk, for this is the only way to improve entrepreneurial performance. However, to extend this capacity, businesses must understand the risks that they take. While in many instances it is futile to try to eliminate risk, and commonly only possible to reduce it, it is essential that the risks taken are the right risks. Businesses must be able to choose rationally among risk-taking courses of action, rather than plunge into uncertainty on the basis of a hunch, gut feeling, hearsay or experience, no matter how carefully quantified. Quite apart from the arguments for risk management being a good thing in its own right, it is becoming increasingly rare to find an organisation of any size whose stakeholders are not demanding that its management exhibit risk management awareness. This is now a firmly held view, supported by the findings of the Economist Intelligence Unit's enterprise risk management survey referred to earlier. It discovered that 84% of the executives who responded considered that ERM could improve their...