Risk Management is the latest topic to get our Golden Rules treatment, this time with a convenient Infographic. We look at the different types of risk and how our cardinal principles of good corporate governance can guide identification and management of these risks.
A topical concern or a problem through the ages?
Risk management is in the news these days; in fact it has been in the news for two decades, a period covering the Dotcom boom and bust and the scandals of Enron and WorldCom, leading to SarBox and later the financial collapse of 2008 which led to DoddFrank.
It is notable that there were many learned papers published in the 1990s about corporate risk management, but they didn’t prevent Enron, which boasted of having the most sophisticated risk management systems in the market. There were more papers published in the early 2000s and the early implementation of SarBox. However, surprisingly, they didn’t prevent the sub-prime lending and securitisation scandals which prompted the blow-up of Lehman and the resulting financial disaster.
Now, of course, there are new initiatives, such as the latest Basel guidelines for banks on risk management, and increased capital requirements, coupled with earnest attempts to address perceived cultural failings, all of which will bring risk under control at last. Except that it won’t.
So we thought it might be instructive to apply our Five Golden Rules of good Corporate Governance to the issues of Enterprise Risk Management and consider how they map on to each other. To make things quick and easy to digest – and to give you a take-away – we have put together this helpful infographic.
The ACG Risk Assessment Matrix Infographic
Click on the image to open as a PDF which you can download free, or simply right click on the image file and click “save as”. Feel free to share it with your friends, colleagues and associates.
Let’s take a detailed look at the different parts of the infographic.
Different types of risk
If we look first at the various types of risk which managements and investors are considering these days, we quickly realise that there are systems on the market to address all manner of risks, some covering the whole business and some addressing small, but perhaps vital elements of the business. So it is convenient to try to group them into categories which are broadly recognised. Thus we can reasonably talk about the following five major categories of risk, with any number of sub-categories included within them:
- political risk
- business risk
- operational risk
- legal risk
- reputational risk.
Briefly considering each of these in turn:
Political risk clearly exists for organisations doing business in other countries, particularly those in emerging markets, with rapidly changing economies and potentially unstable regimes of government. The near destruction of the oil industry in Libya after the overthrow of Gaddafi is an example. But political risk also exists domestically as governments can change their policies and elections bring new governments into office with different economic and social approaches to the economy.
Business risk is usually seen as relating to the company’s markets changing for the worse, for instance the recent collapse in commodity prices, particularly oil and coal, which have caused severe problems for the big players in these energy markets. It also can embrace strategy risk, where a company’s chosen strategy turns out to be ill-advised or circumstances change in such a way as to make the chosen strategy no longer viable. For instance, it could be argued that the efforts of US big pharmaceutical companies attempting to keep their overseas pots of cash out of the hands of the Internal Revenue Service by tax planning deals with foreign pharmaceutical companies was a strategy that was invalidated by threats from the government to change the rules.
Operational risk is the broadest category. It obviously covers all the things that can go wrong in the day to day operations of the business, ranging from product failures and breakdowns in service to security breaches and problems with IT systems. But the most dangerous category is probably financial risk, embracing credit risk (customers not paying their bills or failing to repay their loans), interest rate risk (rates rising to the extent that the company’s earnings don’t adequately cover interest on borrowings), currency risk (exports becoming more expensive for customers due to foreign devaluation or domestic revaluation, business costs rising because the domestic currency has been devalued, borrowings in foreign currency becoming larger through revaluation of the foreign currency) and liquidity risk (the company being unable to refinance short term borrowings, perhaps through reasons outside its control and hence running out of cash).
Legal risk covers statutory risk (breaking the law of the land), constitutional risk (acting ultra vires, outside the rules of the company’s constitution which govern what the company is allowed to do), and regulatory risk (committing actions which break the rules governing the industry in which the company operates).
Reputational risk arises from actions or events which show the company in a bad light. These can be a second order effect of the impact of any of the other risks, of course, but can be potentially disastrous for the company. As the saying goes, it takes years to build up a good reputation but it takes only hours to destroy it.
Corporate governance and risks
So now, let’s look at our Five Golden Rules of good corporate governance and consider in turn which risks we can expect to find under each rule.
Ethics: ethical dangers are likely to arise in the area of:
- Political risk, particularly in unstable or undemocratic countries, where corruption may be endemic and bribery is the accepted way to get business; the problems of GSK in China are a case in point
- Business risk, where the markets for particular goods or services may be unduly susceptible to corrupt practices; the issues around selling arms to foreign governments is an example
- Operational risk, where bribery or theft may occur at the level of business processes if tight internal controls are not present; a regular problem in cash businesses.
Consistent Goal: dangers of incompatible goals as between key stakeholders can arise in the area of:
- Political risk, where cultural differences lead to misunderstandings, such as the very different objectives of participants in the Bumi saga
- Business risk, where the assessment of the consumer demand for a company’s product or services turns out to be badly wrong; Tesco’s failure with its Fresh ‘n Easy business in California is a case in point. Alternatively, the company’s strategy to achieve its market goal may be at fault, and the strategy failure means that the goal has to be abandoned; perhaps Uber’s attempt to establish itself in China is an example, where it concluded that the better way forward was to merge its business there with the local incumbent, Didi
- Legal risk, where the goal of a company may clash with the law (Airbnb has been challenged in various locations about its business model), the regulatory authorities (examples too numerous to mention in banking) or its own constitution
- Reputational risk, where a company’s business aims ultimately wreck its reputation (a notorious example was Turing Pharma, which raised the price of its AIDS drug by 5000% and caused Hillary Clinton’s subsequent attack on the whole pharmaceutical industry for “price gouging”).
Strategic management: because strategy is the plan to achieve the goal or purpose of the company, the same risks are going to be encountered:
- Political risk, where the strategic plan may hit political problems, for instance when Enron agreed to build a giant plant in India, but a subsequent election brought to power a new regional government, which changed its mind about supporting the project, resulting in a disastrous change in strategy
- Business risk, where a market strategy fails, for instance, Blackberry sticking to its physical keyboards which its ultra-loyal fans adored, but which was outflanked by Apple’s touch screen devices
- Legal risk, where a company’s strategy is found to be illegal, or is later ruled to have broken laws or regulations (examples occur in extractive industries where a change in the law, or a re-interpretation of existing laws can stop the development of a mine or oil shale project on environmental grounds – an example is the travails of the Keystone pipeline project)
- Reputational risk, where a strategy can unexpectedly rebound on a company, to its detriment; an example is the cross-selling strategy of Wells Fargo which blew up dramatically over transgressions at the operational level.
Organisation fit for purpose: clearly the risks faced here are at the execution level, hence:
- Operational risks comprise the financial risks, which include ensuring that the company always has adequate financial resources and doesn’t hit a catastrophic mismatch of asset and liability maturities such as brought down Lehman Bros, or fraudulent trading which put an end to Barings; and hedges currency movements if this is important to its operating profits, like airlines; similarly important is keeping control over risks in the operating areas of the business to prevent improper or fraudulent behaviour, and protect against catastrophic failures in equipment or systems; a third, and increasingly important risk is security, particularly cyber security. A very recent example is the cyber attack on the Democratic Party’s private emails, whose content, later published, may well have changed the course of the US election.
- Legal risk, needless to say, is an important organisational concern in that the organisation must be structured and resourced to minimise the risk of transgressions. The banks, hit by multi-billion dollar fines, have greatly increased the staffing in their compliance departments as a result.
- Reputational risk: the organisation and its processes and procedures must be structured to catch improper conduct before it starts to do irreparable damage. Thus if Wells Fargo had paid more attention to the potential motivational consequences of its hard-driving cross-selling strategy, it would have picked up improper behaviour at the operational level at a much earlier stage.
Accountability and transparency: this is the organisation reporting on its day to day behaviour as well as its progress towards its long-term goals; hence the risks arising from inadequate performance in this area are similar to those of deficient organisation:
- Operational risks can arise from failure to account for performance in a transparent way to all the key stakeholders; thus top quality financial and accounting systems are vital as are quality control systems which monitor operational performance and keep management and boards properly informed; clearly the reporting systems at Olympus disguised for many years systemic wrong practice designed to show the company’s financial performance in a better light
- Legal and regulatory risks require transparent reporting to the board and to the authorities
- Reputational risks demand open and honest communication with key stakeholder groups and immediate and open responses when disasters occasionally happen. Thus the famous example is the response of Johnson & Johnson when some bottles of its Tylenol pain relief drug were contaminated, leading to several deaths. Its exemplary response saved the brand and is commended today, 25 years later.
So we can now map the risks on to our Five Golden Rules to produce a convenient matrix
Effective or ineffective risk management?
As we noted earlier, there are countless systems on the market for companies to install to monitor risk, but whereas they are very effective at, for instance, keeping aeroplanes in the air, they have been singularly ineffective at keeping companies in business. And the lessons we learned many years ago, and the conclusions we drew and which informed our approach to corporate governance, are still not being properly recognised. The core of our approach is summed up as being:
- to define corporate governance holistically
- to describe five core principles which must guide good governance
- to ensure that these principles are embedded in the policies, organisation and systems of the organisation
- to define metrics by which corporate governance performance can be measured, monitored and improved in a company
- to measure performance by using independent surveys of key stakeholder groups to avoid organisational “capture”
- to build a virtuous loop whereby the results of the surveys lead to improved practices and contribute directly to better business performance.
Thus, to take one example, Aviva, a large insurance company, publishes its approach to corporate governance and risk management and describes a three level defence against breaking its risk management framework, comprising:
- Management, as the first line of defence
- the Risk function, as the second line of defence
- Internal Audit as the third line of defence.
Surprise, surprise, this is the same three level defence advocated in the report by the Group of Thirty banks referred to in our article “Banking Culture Review – A worthy but Doomed Effort”.
Our criticisms of the ineffectiveness of this approach centred round its failure to define measurable metrics by which performance could be improved and its failure to specify effective ways in which such measurement can be carried out. Both these points are key to the ACG approach, and both are key to our philosophy which is to:
- put in place an independent system of monitoring which…
- …is linked to the company’s existing systems which drive the business performance and hence…
- …is designed not just to measure performance but to provide a means of improving it for the benefit of all the key stakeholders.
How it should be done
So we would say that the way to approach Risk Management is to look at it through the lens of holistic corporate governance.
Thus, at the highest level, we have to consider the riskiness of the company’s Goal by reference to the “risk appetite” of the company. And in assessing the risk appetite of the company, it is important to reflect the risk appetite of all the key stakeholders and arrive at a balanced view. With this holistic approach to risk management, it is unlikely that the employees of Royal Bank of Scotland would have approved of the “bet the farm” board decision to gear up to acquire a large part of ABN Amro, which brought the company down when the market collapsed in the subsequent financial crisis.
However, the opposite is also true, that taking a zero risk approach implies adopting very timid goals and, as the saying goes, “no risk, no reward”. Moreover, the desired goal may require a degree of risk, as it is impossible to filter out all possibility of risk, however much regulators may strive to do so. So the balance has to be carefully judged. An entrepreneur risking his or her own money is likely to have a much higher risk appetite than is appropriate for the board of an established multinational company with tens of thousands of employees and thousands of institutional shareholders.
At the detail level, the ACG survey would ensure that the questions on each of the key aspects of governance – ethics, goal etc – address the major risks that lie in that aspect of governance. In that way we can get an independent feedback on corporate governance and the risks in each area, and the results will provide the metrics to enable management to improve performance in each area, thereby improving the performance of the business as a whole.
This link to the company’s commercial objectives, will, of course, provide the answer to those who say that there is no firm evidence that corporate governance has any significant effect on a company’s performance. Compliance per se may not, but Applied Corporate Governance will do.
And this is what we mean by Applied Corporate Governance.
For more information about Applied Corporate Governance please get in touch or have a look at our CG handbook, or the ACG eManual, as we like to call it, a 6 day ebook course delivered to your inbox. The first instalment is free when you subscribe to our mailing list.
- Banking Culture Review: A worthy but doomed effort
- Corruption and Corporate Governance
- Shareholder Value and Corporate Governance
- The First Golden Rule: The Importance of Business Ethics
Please share if you found this post and the ACG Risk Assessment Matrix Infographic useful.