Risk is a fact of business life. Taking and managing risk is part of what companies must do to create profits and shareholder value. But the corporate meltdowns of recent years suggest that many companies neither manage risk well nor fully understand the risks they are taking. Moreover, our research indicates that the problem goes well beyond a few high-profile scandals. McKinsey analyzed the performance of about 200 leading financial-services companies from 1997 to 2002 and found some 150 cases of significant financial distress at 90 of them.[1] In other words, every second company was struck at least once, and some more frequently, by a severe risk event. Such events are thus a reality that management must deal with rather than an unlikely "tail event."
Directors confirm this view. A 2002 survey by McKinsey and the newsletter Directorship showed that 36 percent of participating directors felt they didn't fully understand the major risks their businesses faced. An additional 24 percent said their board processes for overseeing risk management were ineffective, and 19 percent said their boards had no processes.
The directors' unfamiliarity with risk management is often mirrored by senior managers, who traditionally focus on relatively simple performance metrics, such as net income, earnings per share, or Wall Street's growth expectations. Risk-adjusted performance[2] seldom figures in these managers' targets. Improving risk management thus entails both the provision of effective oversight by the board (see sidebar, "Board oversight of risk management") and the integration of risk management into day-to-day decision making. Companies that fail to improve their risk-management processes face a different kind of risk: unexpected and sometimes severe financial losses (Exhibit 1) that make their cash flows and stock prices volatile and harm their reputation with customers, employees, and investors.
Companies might also be tempted to adopt a more risk-averse model of business in an attempt to protect themselves and their share prices. William H. Donaldson, the chairman of the US Securities and Exchange Commission (SEC), acknowledged this trend when he told an interviewer that he was concerned about a "loss of risk-taking zeal."[3] It is the taking of risks that ultimately creates shareholder value. The right response, therefore, is to strike a balance that protects the company from the costs of financial distress while allowing space for entrepreneurship. Management should have the freedom to work in an environment where the potential rewards of any business decision are consciously weighed against the risks and where the company is happy with the level of risk-adjusted returns resulting from that decision.
In such an environment, companies not only protect themselves against unforeseen risks but also enjoy the competitive advantage that comes from taking on more risk more safely. The CEO of one Fortune 500 corporation, asked to explain his company's declining performance, fingered the "lack of a culture of risk taking"; its absence, he explained, meant that the company was unable to create innovative, successful products. By contrast, a senior partner of a leading investment bank with excellent risk-management capabilities noted, "Our trading operation has created a series of controls that enable us to take more risk with more entrepreneurialism and, in the end, make more profits."
In a few industries, companies have already begun to invest in developing sound risk-management processes. For example, many financial institutions--prodded by regulators and shaken by periodic crises such as the US real-estate debacle of 1990, the emerging-markets crisis of 1997, and the bursting of the technology and telecommunications bubble in 2001--have worked to upgrade their risk-management capabilities over the past decade. In other sectors, such as energy, basic materials, and manufacturing, most companies still have much to learn.
Know what you face
We define risk broadly to include any event that might push a company's financial performance below expectations. Typically, the measure used is capital at risk, earnings at risk, or cash flow at risk, depending upon whether the focus is on the balance sheet, the income statement, or cash flows.
Risk comes in four main varieties. The first, market risk, takes the form of exposure to adverse market price movements, such as the value of securities, exchange rates, interest rates or spreads, and commodity prices. Ford, for instance, was hit by market risk in 2002, when palladium prices tumbled and it had to take a $952 million write-down on its stockpile.
Credit risk is exposure to the possibility that a borrower or counterparty might fail to honor its contractual obligations. In 2002, for instance, The Bank of New York announced that it would increase its loan-loss provision by $185 million, to a total of $225 million, for the third quarter of 2002, largely because of loans it had made to telecom companies.
Operational risk is exposure to losses due to inadequate internal processes and systems and to external events. For example, Allfirst, a Baltimore-based subsidiary of Allied Irish Banks, lost $691 million at the hands of a single rogue trader whose practices went undetected for five years until he was caught in 2002.
Finally, business-volume risk, stemming from changes in demand or supply or from competition, is exposure to revenue volatility. The leading US carrier United Airlines, for instance, filed for protection under Chapter 11 of the US bankruptcy code this year after falling demand hit its revenues.
Lining up the essential elements
To manage risk properly, companies must first understand what risks they are taking. To do so, they need to make all of their major risks transparent and to define the types and amounts of risk they are willing to take--goals often facilitated by the creation of a high-performing risk-management organization that accurately identifies and measures risk and provides an independent assessment of it to the CEO and the board. Although these steps will go a long way toward improving corporate risk management, companies must also go beyond formal controls to develop a culture in which all managers automatically look at both risks and returns. Rewards should be based on an individual's risk-adjusted--not simply financial--performance.
To manage risk properly, companies need to know exactly what risks they face and the potential impact on their fortunes. Often they don't. One North American life insurance company had to write off hundreds of millions of dollars as a result of its investments in credit products that were high-yielding but structured in a risky manner. These instruments yielded good returns during the economic boom of the 1990s, but the severity of subsequent losses took top management by surprise.
Each industry faces its own variations on the four types of risks; each company should thus develop a taxonomy that builds on these broad risk categories. In pharmaceuticals, for instance, a company could face business-volume risk if a rival introduced a superior drug and higher operational risk if an unexpected product recall cut into revenues. In addition, the company would have to consider how to categorize and assess its R&D risk--if a new drug failed to win approval by the US Food and Drug Administration, say, or to meet safety requirements during clinical trials.
A company must not only understand the types of risk it bears but also know the amount of money at stake. Less obviously, it should understand how the risks different business units take might be linked and the effect on its overall level of risk. In other words, companies need an integrated view. American Express, for example, might discover that a sharp slump in the airline industry had exposed it to risk in three ways: business-volume risk in its travel-related services business, credit risk in its card business (the risk of reimbursing unused but paid-for tickets), and market risk from investments made in airline bonds or aircraft leases by its own insurance unit.
One way of gaining a transparent, integrated view is to use a heat map: a simple diagram showing the risks (broken down by risk category and amount) each business unit bears and an overall view of the corporate earnings at risk. The heat map tags exposures in different colors to highlight the greatest risk concentrations; red might indicate that a business unit's risk accounted for more than 10 percent of a company's overall capital, green for more than 5 percent. (Exhibit 2 shows a risk heat map that flags high credit risk in two units.) To make risks transparent--and to draw up an accurate heat map--companies need an effective system for reporting risk, and this requires a high-performing risk-management organization.
A heat map is a tool to foster dialogue among the board, senior management, and business-unit leaders. It should be reviewed frequently (perhaps monthly) by the top-management team and periodically (for instance, quarterly) by the board to help them decide whether the current level of risk can be tolerated and whether the company has attractive opportunities to take on more risk and earn commensurately larger returns. Are high concentrations of risk generating high returns or simply depressing shareholder value? Can the company adequately manage the types of highly concentrated risks it bears? If some risks are deemed too great, should they be handled through hedging contracts, say, or mitigated in some other fashion? A technology company, for example, might decide that its R&D portfolio had too many high-risk blockbuster projects and too few projects to enhance its existing products.
Deciding on a strategy
High concentrations of risk aren't necessarily bad. Everything depends on the company's appetite for it. Unfortunately, many companies have never articulated a risk strategy.
Formulating such a strategy is one of the most important activities a company can undertake, affecting all of its investment decisions. A good strategy makes clear the types of risks the company can assume to its own advantage or is willing to assume, the magnitude of the risks it can bear, and the returns it demands for bearing them. Defining these elements provides clarity and direction for business-unit managers who are trying to align their strategies with the overall corporate strategy while making risk-return trade-offs.
The CEO, with the help of the board, should define the company's risk strategy. But more often than not, it is determined inadvertently, every day, by dozens of business and financial decisions. One executive, for example, might be more willing to take risks than another or have a different view of a project's level of risk. The result may be a risk profile that makes the company uncomfortable or can't be managed effectively. A shared understanding of the strategy is therefore vital.
A company's particular skills determine the types of risks it assumes. While it might seem obvious that a company should take on only those risks it can understand and manage, this isn't always what happens. Many telecom-equipment companies, for example, financed customers during the Internet boom without possessing solid credit skills--and suffered as a result.
As for defining the level of risk companies will accept, one common approach for them is to decide on a target credit rating and then assess the amount of risk they can bear given their capital structure. Credit ratings serve as a rough barometer, reflecting the probability that companies can bear the risks they face and still meet their financial obligations. The greater the level of risk and the lower the amount of capital and future earnings available to absorb it, the lower the credit ratings of companies and the more they will need to pay their lenders. Companies that have lower credit ratings than they desire will likely need to reduce their risk exposure or to raise costly additional capital as a cushion against that risk.
The level of returns required will vary according to the risk appetite of the CEO and the board. Some might be happy taking higher risks in pursuit of greater rewards; others might be conservative, setting an absolute ceiling on exposure regardless of returns. At a minimum, the returns should exceed the cost of the capital needed to finance the various risks.
As with any strategy, a company's risk strategy should be "stress-tested" against different scenarios. A life insurance company, for example, should examine how its returns would vary under different economic conditions and ensure that it felt comfortable with the potential market and credit losses (or with its ability to restructure the portfolio quickly) in difficult economic times. If it isn't comfortable, the strategy needs refining.
The heat map gives a top-level indication of whether a company is sticking to its strategy and provides for corrective action. But both depend upon the next two elements of this risk-management program.
Creating a high-performing risk-management group
The task of the risk organization is to identify, measure, and assess risk consistently in every business unit and then to provide an integrated, corporate-wide view of these risks, ensuring that their sum is a risk profile consistent with the company's risk strategy. The structure of the organization will vary according to the type of company it serves. In a complex and diverse conglomerate, such as GE, each business might need its own risk-management function with specialized knowledge. More integrated companies might keep more of the function under the corporate wing. Whatever the structure, certain principles are nonnegotiable.
Top-notch talent. Risk executives at both the corporate and the business-unit level must have the intellectual power to advise managers in a credible way and to insist that they integrate risk-return considerations into their business decisions. Risk management should be seen as an upward career move. A key ingredient of many successful risk-management organizations is the appointment of a strong chief risk officer who reports directly to the CEO or the CFO and has enough stature to be seen as a peer by business-unit heads.
Segregation of duties. Companies must separate employees who set risk policy and monitor compliance with it from those who originate and manage risk. Salespeople, for instance, are transaction driven--not the best choice for defining a company's appetite for risk and determining which customers should receive credit.
Clear individual responsibilities. Risk-management functions call for clear job descriptions, such as setting, identifying, and controlling policy. Linkages and divisions of responsibility also need to be defined, particularly between the corporate risk-management function and the business units. Should the corporate center have the right to review their risk-return decisions, for example? Should corporate risk-management policies define specific mandatory standards, such as reporting formats, for the business units?
Risk ownership. The existence of a corporate risk organization doesn't absolve business units of the need to assume full ownership of, and accountability for, the risks they assume. Business units understand their risks best and are a company's first line of defense against undue risk taking.
Encouraging a risk culture
These elements will go a long way toward improving risk management but are unlikely to prevent all undue risk taking. Companies might thus impose formal controls--for instance, trading limits. Indeed, the recently adopted Sarbanes-Oxley Act, in the United States, makes certifying the adequacy of the formal controls a legal requirement. Yet since today's businesses are so dynamic, it is impossible to create processes that cover every decision involving risk. To cope with it, companies need to nurture a risk culture. The goal is not just to spot immediately the managers who take big risks but also to ensure that managers instinctively look at both risks and returns when making decisions.
To create a risk culture, companies need a formal, company-wide process to review risk, with each business unit developing its own risk profile that is then aggregated by the corporate center. The reviews are a way of ensuring that managers at every level understand the key risk issues and how they should be dealt with. Drawing up a monthly heat map is one way of establishing a formal risk-review process.
But more needs to be done. By focusing on risk-adjusted performance, not just on traditional accounting measures, business managers will develop a better understanding of the risk implications of their decisions. For businesses that require large amounts of risk capital, suitable metrics include shareholder value analysis and risk-adjusted returns on capital. A risk-adjusted lens helped one credit card company understand, contrary to expectations, that returns from new customers and customers about whom it had little information were more volatile than returns from existing customers, even if these groups had the same expected customer value. Historically, that had been the key metric for approving new customers. Now the approval process also takes into account the higher risk that is associated with new customers.
Companies must also provide education and training in risk management, which for many managers is quite unfamiliar, and establish effective incentives to encourage the right risk-return decisions at the front line. Judging the performance of business-unit heads on net income alone, for instance, could encourage excessive risk taking; risk-adjusted performance should be assessed, too. Ultimately, people must be held accountable for their behavior. Good risk behavior should be acknowledged and rewarded and clear penalties handed out to anyone who violates risk policy and processes.
Finally, to convey the message that the potential downside of every decision must be considered as carefully as the potential rewards, CEOs should be heard talking about risk as often as they talk about markets or customers. The CEO's open recognition of the importance of good risk management will influence the entire company.
Even world-class risk management won't eliminate unforeseen risks, but companies that successfully put the four best-practice elements in place are likely to encounter fewer and smaller unwelcome surprises. Moreover, these companies will be better equipped to run the risks needed to enhance the returns and growth of their businesses. Without adequate risk-management programs, companies may inadvertently take on levels of risk that leave them vulnerable to the next risk-management disaster, or, alternatively, they may pursue "recklessly conservative" strategies, forgoing attractive opportunities that their competitors can take. Either approach will surely be penalized by investors.
Sidebar: Board oversight of risk management
A company's board of directors should understand and oversee the major risks it takes and ensure that its executives have a robust risk-management capability in place. To assure appropriate oversight, the board must address a few key issues.
Board structures. The board must decide whether risk oversight should be vested in an existing committee (such as the audit or finance committee), in a new committee, or divided among a number of committees. The audit committee might seem the natural choice, but as it already faces expanded responsibility to ensure the accuracy of financial reporting, it might not be able to cope with a further expansion of its charter.
Board risk reporting. Reports to the board and its committees must go beyond raw data by setting out, for example, what the key risk-return trade-offs might be. Data alone probably won't reveal the real issues or promote proper debate.
Education and expertise. Training programs might be needed for current and new board members. Boards should also look at whether they need new members with risk-management expertise.
Board processes. Boards need to review the effectiveness of their own risk-management processes periodically. They should look at committee structures and charters, how well board members understand risk policies, and the value of their interactions with management on risk. Some companies use a formal self-assessment tool that allows directors to rate the effectiveness of board-level risk-management processes in areas such as risk transparency and reporting, committee meetings, and risk expertise. Reviews should take place about once a year.
Kevin Buehler is a principal and Gunnar Pritsch is an associate principal in McKinsey's New York office.
[1] For this analysis, we defined financial distress as a bankruptcy filing, a ratings-agency downgrade of two or more notches, a sharp decline in earnings (50 percent or more below analysts' consensus estimates six months earlier), or a sharp decline in total returns to shareholders (at least 20 percent worse than the overall market in any one month).
[2] Measures of risk-adjusted performance revise accounting earnings to take into consideration the level of risk a company assumed to generate them.
[3] Financial Times, July 24, 2003.
Copyright © 1992-2003 McKinsey & Company, Inc.