Running with Risk

Tweet

Risk is a fact of business life. Taking and managing risk is part of what companies must do to create profits and shareholder value. But the corporate meltdowns of recent years suggest that many companies neither manage risk well nor fully understand the risks they are taking. Moreover, our research indicates that the problem goes well beyond a few high-profile scandals. McKinsey analyzed the performance of about 200 leading financial-services companies from 1997 to 2002 and found some 150 cases of significant financial distress at 90 of them.¹ In other words, every second company was struck at least once, and some more frequently, by a severe risk event. Such events are thus a reality that management must deal with rather than an unlikely "tail event."

Directors confirm this view. A 2002 survey by McKinsey and the newsletter Directorship showed that 36 percent of participating directors felt they didn't fully understand the major risks their businesses faced. An additional 24 percent said their board processes for overseeing risk management were ineffective, and 19 percent said their boards had no processes.

The directors' unfamiliarity with risk management is often mirrored by senior managers, who traditionally focus on relatively simple performance metrics, such as net income, earnings per share, or Wall Street's growth expectations. Risk-adjusted performance² seldom figures in these managers' targets. Improving risk management thus entails both the provision of effective oversight by the board (see sidebar, "Board oversight of risk management") and the integration of risk management into day-to-day decision making. Companies that fail to improve their risk-management processes face a different kind of risk: unexpected and sometimes severe financial losses (Exhibit 1) that make their cash flows and stock prices volatile and harm their reputation with customers, employees, and investors.

Companies might also be tempted to adopt a more risk-averse model of business in an attempt to protect themselves and their share prices. William H. Donaldson, the chairman of the US Securities and Exchange Commission (SEC), acknowledged this trend when he told an interviewer that he was concerned about a "loss of risk-taking zeal."³ It is the taking of risks that ultimately creates shareholder value. The right response, therefore, is to strike a balance that protects the company from the costs of financial distress while allowing space for entrepreneurship. Management should have the freedom to work in an environment where the potential rewards of any business decision are consciously weighed against the risks and where the company is happy with the level of risk-adjusted returns resulting from that decision.

In such an environment, companies not only protect themselves against unforeseen risks but also enjoy the competitive advantage that comes from taking on more risk more safely. The CEO of one Fortune 500 corporation, asked to explain his company's declining performance, fingered the "lack of a culture of risk taking"; its absence, he explained, meant that the company was unable to create innovative, successful products. By contrast, a senior partner of a leading investment bank with excellent risk-management capabilities noted, "Our trading operation has created a series of controls that enable us to take more risk with more entrepreneurialism and, in the end, make more profits."

In a few industries, companies have already begun to invest in developing sound risk-management processes. For example, many financial institutions--prodded by regulators and shaken by periodic crises such as the US real-estate debacle of 1990, the emerging-markets crisis of 1997, and the bursting of the technology and telecommunications bubble in 2001--have worked to upgrade their risk-management capabilities over the past decade. In other sectors, such as energy, basic materials, and manufacturing, most companies still have much to learn.

Know what you face

We define risk broadly to include any event that might push a company's financial performance below expectations. Typically, the measure used is capital at risk, earnings at risk, or cash flow at risk, depending upon whether the focus is on the balance sheet, the income statement, or cash flows.

Risk comes in four main varieties. The first, market risk, takes the form of exposure to adverse market price movements, such as the value of securities, exchange rates, interest rates or spreads, and commodity prices. Ford, for instance, was hit by market risk in 2002, when palladium prices tumbled and it had to take a $952 million write-down on its stockpile.

Credit risk is exposure to the possibility that a borrower or counterparty might fail to honor its contractual obligations. In 2002, for instance, The Bank of New York announced that it would increase its loan-loss provision by $185 million, to a total of $225 million, for the third quarter of 2002, largely because of loans it had made to telecom companies.

Operational risk is exposure to losses due to inadequate internal processes and systems and to external events. For example, Allfirst, a Baltimore-based subsidiary of Allied Irish Banks, lost $691 million at the hands of a single rogue trader whose practices went undetected for five years until he was caught in 2002.

 1 | 2 | 3 | 4  NEXT