
Running with Risk

 

A company's particular skills determine the types of risks it assumes. While it might seem obvious that a company should take on only those risks it can understand and manage, this isn't always what happens. Many telecom-equipment companies, for example, financed customers during the Internet boom without possessing solid credit skills--and suffered as a result.

As for defining the level of risk companies will accept, one common approach is to decide on a target credit rating and then assess the amount of risk they can bear given their capital structure. Credit ratings serve as a rough barometer, reflecting the probability that companies can bear the risks they face and still meet their financial obligations. The greater the level of risk and the lower the amount of capital and future earnings available to absorb it, the lower the credit ratings of companies and the more they will need to pay their lenders. Companies that have lower credit ratings than they desire will likely need to reduce their risk exposure or to raise costly additional capital as a cushion against that risk.

The level of returns required will vary according to the risk appetite of the CEO and the board. Some might be happy taking higher risks in pursuit of greater rewards; others might be conservative, setting an absolute ceiling on exposure regardless of returns. At a minimum, the returns should exceed the cost of the capital needed to finance the various risks.

As with any strategy, a company's risk strategy should be "stress-tested" against different scenarios. A life insurance company, for example, should examine how its returns would vary under different economic conditions and ensure that it feels comfortable with the potential market and credit losses (or with its ability to restructure the portfolio quickly) in difficult economic times. If it isn't comfortable, the strategy needs refining.

The heat map gives a top-level indication of whether a company is sticking to its strategy and provides for corrective action. But both depend upon the next two elements of this risk-management program.

Creating a high-performing risk-management group

The task of the risk organization is to identify, measure, and assess risk consistently in every business unit and then to provide an integrated, corporate-wide view of these risks, ensuring that their sum is a risk profile consistent with the company's risk strategy. The structure of the organization will vary according to the type of company it serves. In a complex and diverse conglomerate, such as GE, each business might need its own risk-management function with specialized knowledge. More integrated companies might keep more of the function under the corporate wing. Whatever the structure, certain principles are nonnegotiable.

Top-notch talent. Risk executives at both the corporate and the business-unit level must have the intellectual power to advise managers in a credible way and to insist that they integrate risk-return considerations into their business decisions. Risk management should be seen as an upward career move. A key ingredient of many successful risk-management organizations is the appointment of a strong chief risk officer who reports directly to the CEO or the CFO and has enough stature to be seen as a peer by business-unit heads.

Segregation of duties. Companies must separate employees who set risk policy and monitor compliance with it from those who originate and manage risk. Salespeople, for instance, are transaction driven--not the best choice for defining a company's appetite for risk and determining which customers should receive credit.

Clear individual responsibilities. Risk-management functions call for clear job descriptions, such as setting, identifying, and controlling policy. Linkages and divisions of responsibility also need to be defined, particularly between the corporate risk-management function and the business units. Should the corporate center have the right to review their risk-return decisions, for example? Should corporate risk-management policies define specific mandatory standards, such as reporting formats, for the business units?

Risk ownership. The existence of a corporate risk organization doesn't absolve business units of the need to assume full ownership of, and accountability for, the risks they assume. Business units understand their risks best and are a company's first line of defense against undue risk taking.

Encouraging a risk culture

These elements will go a long way toward improving risk management but are unlikely to prevent all undue risk taking. Companies might thus impose formal controls--for instance, trading limits. Indeed, the recently adopted Sarbanes-Oxley Act, in the United States, makes certifying the adequacy of the formal controls a legal requirement. Yet since today's businesses are so dynamic, it is impossible to create processes that cover every decision involving risk. To cope with this, companies need to nurture a risk culture. The goal is not just to spot immediately the managers who take big risks but also to ensure that managers instinctively look at both risks and returns when making decisions.

To create a risk culture, companies need a formal, company-wide process to review risk, with each business unit developing its own risk profile that is then aggregated by the corporate center. The reviews are a way of ensuring that managers at every level understand the key risk issues and how they should be dealt with. Drawing up a monthly heat map is one way of establishing a formal risk-review process.

But more needs to be done. By focusing on risk-adjusted performance, not just on traditional accounting measures, business managers will develop a better understanding of the risk implications of their decisions. For businesses that require large amounts of risk capital, suitable metrics include shareholder value analysis and risk-adjusted returns on capital. A risk-adjusted lens helped one credit card company understand, contrary to expectations, that returns from new customers and customers about whom it had little information were more volatile than returns from existing customers, even if these groups had the same expected customer value. Historically, that had been the key metric for approving new customers. Now the approval process also takes into account the higher risk that is associated with new customers.
