A Powerful Tool for Protecting the Business
It's 1,700 BC, and you're a merchant in the busy city of Babylon. You have several rolls of cloth you want to ship 200 miles (320km) down river to the distant town of Ur where there's a demand for your merchandise.
But what happens if the boat sinks, or is set upon by pirates? Until recently you suffered the loss. But now you can manage your risk. Thanks to the new code of Hammurabi, King of Babylon, there is a new service called 'insurance'. You can borrow money to buy your cargo. And the lender will cancel your loan if your ship is lost at sea. The Code of Hammurabi is the earliest known form of risk management.
History of Risk Management
Cargo insurance was introduced nearly 4,000 years ago. And until recently insurance was still the main way that companies managed risk. In turn, insurance companies sought to reduce their potential losses by encouraging businesses to make their premises safer.
This was the first age of risk management, as shown in Figure 1.1. Businesses considered only hazard risk (such as fire or IT failure). They also treated risk reactively, using it only to decide how much insurance they should buy.
In the 1970s and 1980s, businesses started to introduce quality assurance, to ensure that products conformed to their specifications. This was epitomized by ISO 9000, successor to the British Standards Institution BS 5750, the quality standard, itself the successor to US military standard MIL-Q-9858 which had been launched in 1959.
In this, the second age of risk management, companies treated risk in a more proactive or preventative way.
Risk awareness was fostered by government legislation that aimed to make businesses think about the risks they posed to workers and customers. New concerns also emerged in the 1980s about environmental risks. And risks to shareholders caused by bad governance became an issue in the 1990s. In 1993, James Lam became the world's first chief risk officer (CRO), at the US financial services firm GE Capital.
Finally, the third age of risk management arrived in 1995 with the publishing by Standards Australia of the world's first risk management standard, AS/NZS 4360.
Figure 1.1 The three ages of risk management
RISK MANAGEMENT STANDARDS
After Australia's risk management standard, two others followed in quick succession. In 2001 Japan launched a risk management system (RMS) standard called JIS Q 2001, which introduced continuous improvement. And in 2002 the UK's Institute of Risk Management (IRM) introduced its own risk management standard.
Finally the International Organization for Standardization (ISO) launched its ISO 31000 in 2009, based largely on the Australian standard.
Meanwhile, the New York Twin Towers disaster had taken place in 2001, and companies came to think more about business continuity. In 2003 the British Standards Institution launched PAS 56, a specification for business continuity, which ultimately emerged as ISO 22301, the international continuity standard.
PUBLIC COMPANIES AND FINANCIAL REPORTING
From the 1990s onwards, successive failures in public companies led to demands for greater accountability and more visibility of the companiesâ risks.
The scandals at Polly Peck, BCCI and Robert Maxwell led to the UK Government's Cadbury Committee report in 1992. It recommended measures for better governance, such as the separation of the roles of Chairperson and CEO.
Following public concern about directors' rising pay, the Greenbury Report advocated controls on boardroom pay through the creation of remuneration committees.
In 1998 the UK's Department for Trade and Industry launched a review of company law aimed at developing a more modern framework for doing business in the twenty-first century. A year later the Institute of Chartered Accountants in England and Wales published the Turnbull Report. This called for stronger internal financial controls and better monitoring of risk.
The European Union (EU) was equally concerned. In 1999 it decided to harmonize accounts across Europe, so that investors in one country could understand and trust annual reports from a company based in another country. The EU Accounts Modernization Directive required, among other things, a report on 'environmental and employee matters'. From then on, company reports were to be broader in scope.
But the scandals continued to erupt. In 2001 the $101bn energy business Enron was found to have committed massive accounting fraud. Its auditor, Arthur Andersen, was found guilty of criminal charges and collapsed. The scandal led to the US's Sarbanes-Oxley Act of 2002, which demanded more risk management and better annual reporting. To meet this requirement, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a respected US-based private sector grouping that sets out best practice in enterprise risk management, launched a document called 'Enterprise Risk Management – Integrated Framework'. It outlined how public companies should implement risk management and report on it.
In Europe, meanwhile, Italian shareholders discovered that nearly €4 billion of funds purportedly owned by dairy company Parmalat, and supposedly held in a Bank of America account, did not actually exist.
Partly in response to the EU Accounts Modernization Directive, the UK published its Operating and Financial Review (OFR) in 2004. This required companies to publish information in their annual report about their principal risks, as well as non-financial information about environmental and employee matters.
In 2006 the EU passed the 8th Directive which formally embedded risk management into public companies and 'public interest entities' such as banks. These businesses were to have an audit committee to whom the external auditors would report findings about weaknesses in internal controls. This directive ensured that what was good practice in many countries was applied all across Europe.
Today all organizations have to comply with a raft of legislation and are watched by regulators. There is no going back to the buccaneering days when companies could do as they liked. These measures ensure that large companies are better managed and that they have systems for identifying risks. This means that organizations are less likely to fail. However critics point out that such controls failed to prevent Western banks from precipitating the 2008 global recession.
THE EMERGENCE OF ENTERPRISE RISK MANAGEMENT (ERM)
The phrase Enterprise Risk Management (ERM) has come to the fore. It means managing risk systematically. An RMS ensures that the company manages its threats in a proactive, co-ordinated, cost-effective and prioritized way.
There is a certain inevitability about all this. ERM sits neatly alongside company-wide audits and enterprise resource planning (ERP) software that links all departments.
Nevertheless the power of risk management is limited. Every time a company scandal erupts, it becomes apparent that risk management is only as good as the integrity and commitment of the players. If regulators turn a blind eye or are captured by the industries they are supposed to manage, if rogue traders manage to hide big losses, or a powerful CEO browbeats the Board, all the risk systems will be of no avail.
Getting Corporate Strategy Right
As we will see in Chapter 20, the organization has to be in the right markets and have the right products. This is the most basic of all risks: finding that customers no longer want the service that the company offers.
In 1999, at the height of the dot com boom, Marconi (formerly GEC) got rid of its dull retail, defence and food businesses, and bought exciting telecomms companies instead. Two years later, the telecomms market collapsed, and Marconi's share price fell 54 per cent in one week. In the six months to September 2001, it lost £5.1bn. But it's easy to be wise after the event.
Conglomerates were once seen as a way of reducing risk. If one market was doing badly, another would be performing well. Many companies diversified, only to find that they owned too many loss-making businesses that they were unable to turn around.
Since then, companies have tended to return to their roots. However, some conglomerates do well. In the past these have included GE, Virgin and Mitsubishi.
Diversified companies can use their core skills in marketing, management, strategy and raising capital to direct a range of businesses. However they tend to be short lived and depend on one individual's management or entrepreneurial skills.
What are Business Risks?
As we have seen, there are two types of business risk. The first and more traditional type is hazard risk. It is found in fire, pollution or fraud. Companies used to protect themselves by buying insurance but, as we shall see, insurance is only one way to protect the company: there are many others.
The second type is entrepreneurial or opportunity risk. This happens when a company builds a new plant, launches a new product or buys a company. If the company gets its forecasts wrong, it loses money. There are ways of reducing entrepreneurial risk, as we shall see. In this book we don't seek to eliminate risk. It's a necessary part of the enterprise. It's a precondition for innovation; and without innovation the business will fail. An organization that tries to obliterate all possible dangers can't create value.
Risk applies to any management decision that could have a good or bad outcome. It follows that most management decisions and projects contain risk. Most risks are not catastrophic, but as Table 1.1 opposite shows, the major ones cause loss of life and great damage. Better risk management could have forestalled some of them.
In other cases, organizations have been overwhelmed by the forces of nature, whether tornados, earthquakes or war. At that point, the business needs a continuity plan, something we examine in Chapter 22.
Risk is also a future event that results from actions taken now. That is why managers should consider different options for any problem, and evaluate the consequences.
It is easy to focus on obvious risks, such as workplace accidents. Important though they are, the company must be alert to the big or unexpected risks. The company that is not expecting change is especially prone to suffer.
Risks often defy conventional thinking. For example, what is the most likely cause of death for a New York police officer? It is not being kil...