Risk, return and shareholder value are inextricably linked, and investors expect firms to take risks in order to deliver returns. But investors do not generally expect firms to take risks beyond their core expertise. For example, a company that manufactures car parts has manufacturing skills, so investors would expect it to take relevant business risks. They would not, however, expect the firm to speculate in FX (a financial risk) beyond the small risks that may arise as a result of taking manufacturing decisions.
Risk management may be defined as ‘the systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues’. It is about encouraging the taking of selected risks and about minimising other risks, but, in either case, it is also about control, and a risk management framework provides the foundation and organisational arrangements for managing risk throughout the organisation.
Organisations need to have a consistent and integrated approach to all forms of risk, so they should have a framework in place such as the following:
This is the identification and classification of an organisation’s exposure to risk. Risks may arise from external influences (such as changing demand for the organisation’s products or volatile FX rates) or from internal influences (such as plant failure).
Although primarily concerned with the financial consequences, risks may arise from almost any (financial or non-financial) activity within the organisation. Once identified, risks may be classified according to whether they are commercial, financial or operational, and logged in a risk register. Some organisations use different classifications (or ‘taxonomies’), such as geographical.
An initial assessment that enables risks to be prioritised, so that those risks with most potential to damage the organisation are addressed first. A useful way of quantifying the risk is to plot each on a matrix according to the likelihood of each risk occurring and its potential impact.
Risks are quantified in more depth in order of priority to establish the probability of potential loss and the materiality (financial cost). Evaluation techniques, such as scenario analysis, stress testing, sensitivity analysis and value-at-risk, are used to calculate probabilities and potential impacts, both for single risks and groups of risks combined.
Once risks have been evaluated, responses can be planned and implemented. In principle, risks can either be avoided or accepted. A risk can only be genuinely avoided by not entering into the business that generates that risk. The risks that are accepted can be retained, reduced or transferred/transformed. The organisation is expected to take core business risks, so these risks are retained, but managed.
Risks peripheral to the core business risks can be reduced (through internal methods of diversification, control or business tactics), or transferred to external parties (through the use of derivatives (as in hedging), insurance or subcontractors). In practice, risks are transformed, frequently into counterparty risk (which may be more acceptable to the organisation), rather than transferred completely.
Ensures that risks are being managed as agreed. Deviations between targets and actual performance are analysed to identify the causes and information is fed back into the risk management process.
The feedback loop – the reviewing of risk management outcomes compared to plan – is vital within the risk management framework so that risk management practice evolves to keep pace with internal and external developments.
Managing risk is about creating value out of uncertainty and senior managers will regard effective risk management as being essential for the organisation to achieve its objectives.
Many financial risks are an inevitable consequence of accepting business risk. Increased volatility of financial risks (many of which fall into the traditional treasury areas of liquidity, interest rates or exchange rates) has led to a greater profile for treasury in risk management.
Details may vary by organisation, but any framework for managing risk should offer a focused, systematic and integrated approach that recognises that all decisions involve management of risk, whether in routine operations or for major initiatives involving significant resources.
Sarah Boyce is associate director of education at the ACT