Develop PPT slides about Risk Management


https://dx.doi.org/10.15581/002.ART-2817 IESEinsight

Few companies invested more effort in risk management than Countrywide Financial. In 2007, the Institute of Internal Auditors praised Countrywide for its comprehensive enterprise risk management program, which involved 45 risk management professionals, supplemented by 112 internal auditors, assessing 530 risk matrices, 9,500 risks and 27,000 controls. “Countrywide’s program is truly best practice,” stated Internal Auditor magazine at the time.

A year after that glowing pronouncement, Countrywide was acquired by Bank of America in 2008, having essentially gone bankrupt due to unwise risk-taking in the subprime lending market. How could a company with such an exhaustive system of risk identification, assessment and evaluation succumb to the very thing that it had gone to such lengths to avoid?

Our observations of risk-management practices point to a critical problem: managers often turn risk management into a massive paper-processing exercise. They become so busy identifying and evaluating every possible kind of risk facing their businesses that they miss the forest for the trees.

Instead, we believe that managers should focus on the risks that really matter – namely, strategic risks that threaten their firm’s existence. In this article, we suggest a different way to identify and manage risk, offering nine practical tips to help you manage your risks strategically.

By PHILIP BROMILEY and DEVAKI RAU

A Better Way of Managing Major Risks

STRATEGIC RISK MANAGEMENT

DEEP insight

15 ISSUE 28 FIRST QUARTER 2016

Do Not Copy or Post

This document is authorized for educator review use only by MUHAMMAD ATHER ELAHI, Institute of Business Administration until Sep 2021. Copying or posting is an infringement of copyright. [email protected] or 617.783.7860


Enterprise Risk Management: An Imperfect Science

Conventional wisdom on risk management suggests that firms manage their risks most effectively when they consider them as a portfolio. As portfolios generally have less risk than the underlying components, managing risks this way can result in lower risk-mitigation costs than managing risks individually.

For example, one business division might have a positive exposure to an exchange rate and another a negative, but taken together, the two could cancel each other out, leaving no corporate exposure to that exchange rate.

However, the risk of a portfolio depends critically on the correlations among the risks. Combining highly correlated risks offers little benefit in a portfolio, while combining uncorrelated risks can result in a portfolio risk far below the risk of its constituent parts.

This approach – termed Enterprise Risk Management or ERM – involves assessing all the risks facing a firm, classifying them by their probability and impact, and determining which actions to take to mitigate or control them. A firm might identify operational risks at the subsidiary level, the business unit level and the division level. After identifying these risks, the firm would assess the likelihood and consequence of their occurrence. It would then identify how to respond to these risks in the context of the firm’s internal environment, control systems, communication processes and so on.

Note that not all risks need to be treated as something to be mitigated or controlled. A firm with an advantage in addressing a specific kind of risk should explore ways to profit from that advantage.

Although attractive in principle, this approach has problems. First, ERM entails enormous effort. The job of identifying risks arising from firm operations at a variety of levels can be an immense undertaking.

Take the three-dimensional matrix or risk cube (see Exhibit 1) frequently used to depict the various interrelated levels of risk facing an enterprise. The eight main components of risk times the four categories of business objectives times the four business levels yield 128 different managerial considerations – and that’s just for one kind of risk! Because there are so many enterprise risks, a firm can easily identify tens of thousands of potential risks, like Countrywide did.

And that’s only the start. Next, managers need to assess the likelihood and consequence of those risks occurring. To handle these risks as a portfolio requires that managers know the distributions and correlations of the possible outcomes. Outside of financial investments, managers seldom have sufficient data for these estimates. Often, the most they can do is guess the likelihood of a risk occurring on, say, a scale of 1 to 5. The benefits of treating risks as a portfolio depend on the correlations among the underlying risks, yet managers seldom have legitimate data to estimate such correlations accurately or meaningfully.

EXECUTIVE SUMMARY

In trying to identify all the risks a firm faces, managers can turn risk management into an overwhelming paper-processing exercise that distracts them from focusing on the risks that really matter – namely, strategic ones that threaten the firm’s existence. By not being able to grasp the assumptions and limitations of complex and costly Enterprise Risk Management (ERM) tools and models, managers may be operating under a false sense of security. Based on their research on firm risk-taking and risk management, the authors offer nine practical suggestions to help managers make the risk function more meaningful and relevant. A healthy dose of skepticism, prudence and resilience will go a long way toward helping your firm see the forest rather than the trees.

Finally, managers should ask the same question about ERM that they would ask about any other business practice: what is the return on investment for this activity?

We have little evidence that ERM practices actually reduce risk, let alone justify the cost of implementing ERM practices. Any manager can take steps to reduce risk. But the real management challenge lies in judging the trade-offs between risk reduction vs. reduction in expected performance.

Strategic Risks: A Different Approach

Given the inherent difficulty, if not impossibility, of ever fully identifying, assessing and evaluating all the risks that could ever have an impact on your business, we would argue that managers would do better to focus on strategic risks – those that pose the biggest threats to your company’s existence.

This shift of emphasis comes from an examination of what firms really want from risk management. Do firms want – or even need – to enumerate and evaluate each and every risk the firm could possibly face? Or do firms just care about the big risks – the ones that might cause the firm to go bankrupt or face serious distress?

Let us distinguish between strategic and operational risks. Put simply, managers must address strategic risks because they threaten the performance or survival of the firm, whereas managers should address operational risks when doing so improves expected returns.

Take a banking example. On the one hand, a bank need not be overly afraid of the risk per se associated with small loans (an operational risk) – though it should be concerned that the interest rate charged is sufficient that the loan has positive expected returns. On the other hand, the bank should worry about the overall risk of its loan portfolio or its trading activities because either of those constitutes a strategic risk that could kill the bank.

Likewise, in a production environment, the defect rate is a form of operational risk that should be managed when it pays to do so, but major product liability issues are strategic risks that could seriously damage the company.

Most firms really want risk management to help the firm avoid crises that threaten its survival. However, barring regulators and consultants, risk management is probably not the single most urgent or pressing concern weighing on managers’ minds. Profits probably matter more, since profits are real while risks are only estimates.

Moreover, the central ideas underlying the concept of risk are rather slippery. For example, how does one define “risk”? Is it the size of potential loss, the probability of potential loss or some combination of the two? Do your risk estimates depend on historical data (assuming such data exist) or the gut feelings of your managers? If your risk estimates depend heavily on managerial judgment, they will almost always be biased.

Forecasting is a case in point (after all, a risk assessment is essentially a forecast of risk). While forecasting can be quite accurate in well-understood, repeatable environments, it can be quite problematic in novel or less understood domains. The track record for new product introductions suggests that 9 out of 10 fail, but 10 out of 10 were predicted to succeed. Likewise, most observers estimate that 5 out of 10 corporate acquisitions fail, when again 10 out of 10 were predicted to succeed, at least by the managers who made those decisions.

There is no reason to believe that managers are better at estimating risks than they are at forecasting other non-repeated items like these. Even ignoring the distorting effect of incentives and organization-specific issues, research on behavioral decision theory consistently demonstrates that people, including professional analysts, are terrible intuitive statisticians. Depending on extraneous factors, they systematically over- or underestimate the likelihood that a particular outcome will occur.

EXHIBIT 1

The Standard Risk Cube

THIS COMMONLY USED ERM TOOL YIELDS 128 DIFFERENT CONSIDERATIONS PER RISK.

Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring

Objectives: Strategy, Operations, Reporting, Compliance

Levels: Entity-Level, Business Unit, Division, Subsidiary

Even if your firm could collect relatively accurate data, free from any managerial bias, you would still face the problem of what to do with such information. Few managers have the technical expertise and competence required to identify and use the right tools to estimate risk from these data.

Given that managing risk has both direct costs (in forgone earnings) and indirect costs (in managerial time), executives need to think long and hard about how much risk management they need. Rather than trying to identify and manage a host of risks, you may be better off focusing on the strategic ones that could potentially sink your firm (see Exhibit 2). Here we offer nine tips to help you do that.

ABOUT THE AUTHORS

Philip Bromiley is the Dean’s Professor in Strategic Management at the Merage School of Business of the University of California, Irvine. He is the former Curtis L. Carlson Chair in Strategic Management and chair of the Strategic Management Department at the University of Minnesota’s Carlson School of Management. He is the author of over 70 journal articles and book chapters as well as two books, Behavioral Foundations of Strategic Management and Corporate Capital Investment: A Behavioral Approach.

Devaki Rau is an associate professor in the Department of Management at Northern Illinois University’s College of Business. She previously worked in the Indian software industry. Her research interests are organizational learning, strategic decision-making and top management teams.

1 RECOGNIZE WHERE THE REAL PROBLEM LIES

Sometimes the problem is not risk management but management. Many observers attribute the recent financial crisis to inadequate risk management by banks and other financial institutions. In some cases, however, the problem was not risk management per se but management decisions that ignored or overruled warnings from the risk management function.

As previously mentioned, Countrywide had an extremely sophisticated risk management system. But it was Countrywide’s management who publicly stated that the company would match any loan made by a competitor.

The same goes for New Century Financial, another big provider of subprime mortgages in the United States. In their article “New Century Financial: Lessons Learned,” Michael J. Missal and Lisa M. Richman note that it wasn’t that the risks weren’t being detected: they were. “In fact, a number of board members were openly disdainful of certain members of senior management, and challenged their integrity and competence.” The “unhealthy friction” between the board and senior management “inhibited an open flow of information … and restricted the ability of New Century to react nimbly and effectively to the rapidly deteriorating subprime market.” Internal auditors at New Century repeatedly objected to the riskiness of the loans being made, but management did not respond.

2 BE SKEPTICAL OF SOPHISTICATED RISK MODELS

Wall Street banks, among the most sophisticated risk managers in the world, led us into the 2008 recession. These banks may have taken too many risks with subprime mortgages precisely because they relied on sophisticated risk-management systems that used formal, extremely elaborate models. These models gave managers an unjustified sense of security about their risk assessments.

Sophisticated models may appear to make uncertainty magically disappear – particularly when the managers who use them gloss over or view with unquestioning reverence the details of the underlying analyses. Indeed, Wall Street banks and investment firms were hiring rocket scientists and similarly trained individuals who, with a very limited understanding of the lending system, produced risk models that the average manager had little chance of understanding.

Here’s a simple example: Suppose you make 10,000 products with a 5 percent chance of defects. Or you give out 10,000 loans with a 5 percent chance of default. Obviously, you would expect 500 defects or defaults on average, but how likely is it that you would encounter 600 or more defects or defaults?

If the defects or defaults are randomly distributed, the answer is .00045 percent. In other words, if you assume a 5 percent defect rate or default probability, your models will assure you that the chance of you seeing 600 defects or defaults is virtually nil.

However, this analysis rests heavily on an assumed defect rate of 5 percent. If you err a little in predicting the defect rate, and the true defect rate is 6 percent, then 600 moves from impossible to the most likely outcome.

A similar problem occurs with independence. If borrowers default on loans randomly, then the estimate holds. But if these were home loans and some defaults lower the value of houses, thereby triggering more defaults as individuals with financial troubles can no longer sell their homes, then defaults are not independent. Likewise, if machines make defects randomly, we have a good estimate, but if one malfunctioning machine results in many defects, then defects are correlated.
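The sensitivity of this example to its two assumptions (the rate and independence) can be checked directly. The following is an added example, not part of the original article; the two-state "calm/stressed" mixture used to stand in for correlated defaults, and its weights and rates, are constructed assumptions chosen so that the average rate is still 5 percent.

```python
import math

N = 10_000          # loans or products, as in the article's example
THRESHOLD = 600     # "600 or more defects or defaults"

def log_pmf(k, n, p):
    """Log-probability of exactly k events in n independent trials at rate p."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))

def tail(k, n, p):
    """Exact P(X >= k) for X ~ Binomial(n, p), summed term by term."""
    return math.fsum(math.exp(log_pmf(i, n, p)) for i in range(k, n + 1))

def mode(n, p):
    """Single most likely count under Binomial(n, p)."""
    return max(range(n + 1), key=lambda k: log_pmf(k, n, p))

# Constructed assumption: every loan shares one state of the world.
# 90% of the time the rate is 4.5%, 10% of the time it is 9.5%.
# Within a state defaults are independent; across loans they are
# correlated because all loans see the same state.
STATES = [(0.90, 0.045), (0.10, 0.095)]

def average_rate(states):
    """Unconditional default rate implied by the mixture."""
    return sum(weight * rate for weight, rate in states)

def mixture_tail(k, n, states):
    """P(X >= k) when the rate is drawn once from `states` for all n items."""
    return sum(weight * tail(k, n, rate) for weight, rate in states)

if __name__ == "__main__":
    # Independent, rate exactly 5%: compare with the article's .00045 percent.
    print(f"independent, p=5%: {100 * tail(THRESHOLD, N, 0.05):.5f} percent")
    # Same model, rate misjudged by one point.
    print(f"independent, p=6%: {100 * tail(THRESHOLD, N, 0.06):.1f} percent, "
          f"most likely count {mode(N, 0.06)}")
    # Same 5% average rate, but defaults share a common driver.
    print(f"shared state, average p={100 * average_rate(STATES):.1f}%: "
          f"{100 * mixture_tail(THRESHOLD, N, STATES):.1f} percent")
```

Under the constructed mixture the average rate is unchanged, yet the chance of 600 or more defaults is set almost entirely by how often the stressed state occurs, which is the quantity a manager is least able to estimate.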

Few managers have the technical ability or time to evaluate risk-assessment models in depth. As a poor substitute, they should at least be skeptical.

3 BEWARE OF INCREASING RISK FOR PROFIT

One of the major problems with strategic risks is that they occur infrequently. If they didn’t, we would see a high percentage of firms going bankrupt every year. We have great difficulty estimating the probabilities of infrequent events.

EXHIBIT 2

Not All Risks Are Equal

THIS IS A LIST OF 50 RISKS IDENTIFIED BY ONE CONSULTANT. THE REAL QUESTION IS: WHICH OF THESE ARE THE STRATEGIC ONES FOR YOU?

Column headings: Strategic Risks, Operational Risks, Financial Risks

Risks listed: Industry, Economy, Political Change, Competitors, Consumer Preference, Market Share, Reputation, Brand Equity, Strategic Focus, Investor Confidence, Customer Satisfaction, Product Failure, Supply Chain, Sourcing, Supplier Concentration, Outsourcing, Election Cycle, Catastrophic Loss, Process Execution, Policies and Procedures, Environmental, Contract, Regulatory and Legal, Human Resources, Health and Safety, Authority, Integrity, Leadership and Empowerment, Culture, Performance Incentives, Knowledge Capital, Cash Flow, Liquidity, Availability, Interest Rates, Foreign Exchange Rates, Credit Capacity, Credit Concentration, Credit Default, Accounting, Budgeting, Taxation, Pricing, Performance Measurement, Portfolio, Systems Infrastructure, Systems Access, Systems Availability, Data Integrity, Data Relevance


How does this matter for organizations? Consider a manager making decisions. If the outcomes of his or her decisions are positive (or at least nothing goes wrong), the manager might see no harm in taking more risks the next time. At an organizational level, markets might push firms into increasing amounts of risk, eventually making them take on as much risk as their peers, just to stay in business. Incrementally, the manager or firm can increase risk to undesirable levels.

In a safety example, NASA launches had indicators of design problems but nothing went really wrong. Consequently, the organization kept taking risks – until a manned mission exploded.

In a banking example, before the crash, if a mortgage lender was not as generous as the most generous competitor in the market, the lender did not make loans. Each time a lender became more generous – by lowering underwriting standards or increasing the loan to house value – competitors were forced to match. If they didn’t, they were essentially out of business.

Before the crash, lenders made winking references to “liar loans” (based on stated income) and “NINJA loans” (No Income, No Job or Assets) but a company that did not issue these had difficulty staying in the market. Such creeping risk could occur in a variety of domains – from ancillary commitments to product warranties to product quality, where quality is not immediately evident to the buyer.

4 TRY SCENARIOS

One approach to identify strategic risks is scenario analysis. You start by identifying a few key variables on which there is uncertainty. Then, you develop logically consistent scenarios based on the different values of these key variables, and evaluate the major uncertainties in each case. Oil companies do this to anticipate the impact of drastically different oil prices: what happens if crude is $50, $100 or $150 per barrel?

If you use scenarios to assess strategic risks, be aware of the general tendency to underestimate the variability. In July 2014, when crude cost $110 a barrel, few would have given it much chance to be $30 a barrel by January 2016, but this happened.

The point is not to develop detailed plans for every scenario, but to highlight major environmental risks in general, so that you can at least accommodate them in your strategic planning.

5 HOLD PREMORTEMS

In most companies, naysayers aren’t welcome. People prefer can-do managers. If the senior management team leans toward X, rare is the person who will stick his head above the parapet to voice arguments against X. And if X turns out to be wrong, no one likes the person who says, “I told you so.”

Writing in Harvard Business Review, Gary Klein proposes an alternative form of expressing concerns without becoming the smug Monday-morning quarterback. The opposite of a postmortem – in which problems are dissected after they’ve occurred, when hindsight is always 20/20 – Klein’s premortem technique encourages people to point out all the ways that things could go wrong before any action is taken.

Under this “prospective hindsight approach,” everyone assumes the failure of whatever is being proposed, and they spend their time developing potential reasons for that failure. With such reasons identified, managers can strengthen the plan. The premortem helps overcome the tendency of managers always looking on the bright side.


6 USE EXTERNAL COMPARISONS

Most risk analyses focus on the issue at hand and attempt to predict the future outcomes for that particular issue. However, such predictions often have systemic biases. Most of us are familiar with the tendency to underestimate how long tasks will take and how much they will cost. Much of this comes from estimating the minimum expected time, if everything goes according to plan, and not the actual expected time.

Managers can combat this tendency by using a comparable reference group. In estimating how long a project should take, create a list of roughly similar projects and look at how long they took. In estimating costs, do the same thing. These comparisons do not even have to be terribly close. Then you can adjust from your normal prediction, recognizing how long similar things have historically taken and how much they have cost.

7 PAY ATTENTION TO INCENTIVES

Risks in general, and strategic risks in particular, stem from managerial decisions that depend heavily on incentives. While incentives have clear benefits, sometimes they work too well, especially when they are strong and the risk associated with the action is unmeasured or unmonitored.

Securities trading is a prime example. Successful risk-taking can result in hefty bonuses for individual traders, while the company bears the losses associated with unsuccessful risk-taking. An employee who has lost enough to end his or her career may take excessive risks, believing he or she has nothing to lose. Several banks have been destroyed by individuals doubling-down on small losses to create catastrophes.

Apart from excessive risk-taking, ill-conceived incentives can provoke the opposite problem: risk aversion. In most companies, the middle manager who takes a big risk that pays off may get a nice bonus and perhaps a promotion, but if it turns out badly, he or she may get fired. With that kind of reward system, sensible managers will likely not take too many risks – even risks the company might want to take.

8 DON’T FORCE GROWTH

Sometimes strategic risks stem from a company in a traditional industry setting extremely aggressive growth targets, based not on sound business logic but on arbitrary ambition. To meet these targets, the firm may pursue acquisitions or other actions that increase its strategic risks.

In their paper “Just Say No to Wall Street: Putting a Stop to the Earnings Game,” Joseph Fuller and Michael C. Jensen document the case of Nortel Networks, which between 1997 and 2001 paid over $32 billion to acquire 19 companies in an attempt to satisfy analysts’ growth expectations. The telecom company’s strategy was to transform itself from voice transmission to data networking, but it overextended itself, fueled by heady market valuations. In the end, most of those acquired companies were sold, shut down or written off. Nortel’s stock nosedived, it hemorrhaged staff and by 2009, the company had gone bankrupt.

9 BUILD A RESILIENT ORGANIZATION

Most organizations face an untold number of low-probability, high-impact events. Their low probabilities make identification and management of each potential event uneconomic and infeasible. That said, given the large numbers of these potential events, the odds of one of them occurring are quite high.

Instead of managing all these events, firms must build a capability to respond to unanticipated events. In other words, they must build a capacity for organizational resilience. Managers will always face surprises. Instead of trying to anticipate all the low-probability but high-impact potential surprises, managers should focus on building systems and processes that allow their firms to recover quickly from them.

TO KNOW MORE

Bromiley, P. and D. Rau. “Looking Under the Lamppost? A Research Agenda for Increasing Enterprise Risk Management’s Usefulness to Practitioners.” In Contemporary Challenges in Risk Management: Dealing with Risk, Uncertainty and the Unknown, edited by Torben Juul Andersen, 50-62. Palgrave Macmillan, 2014.

A legendary tale in this regard is the time when lightning struck a Philips plant in March 2000, causing a damaging fire that interrupted the supply of chips for Ericsson and Nokia cellphones. Though both Nokia and Ericsson estimated a one-week delay in chip deliveries, Nokia went further, holding daily discussions with Philips engineers. In doing so, Nokia discovered that a week was an underestimate, and it quickly sought alternative suppliers. By the time Ericsson cottoned on, Nokia had locked up most of the alternative suppliers. The end-of-year results spoke for themselves: Ericsson reported losses, blaming component shortages, while Nokia increased its handset market share, thanks to quick thinking in the face of a freak event.

To build a resilient organization, try to keep some resources in reserve. Being too fat is not good, but neither is having no fat. In addition, have systems that acknowledge and adapt to problems rather than hiding them. This implies a culture of transparency, so that covering up problems becomes difficult. Rather than scapegoating, firms need a culture where people feel free to admit mistakes with minimal fear of being penalized. Decentralization also allows adaptation to problems as and when they occur.

Draw on Past Experiences

Throughout this discussion, it’s important to remember that while risks – strategic or otherwise – can be predicted (to some extent) and managed (also to some extent), they are risks precisely because they cannot be completely anticipated or controlled. Perhaps the biggest takeaway from this article is that we can never completely eliminate risk – but we can build adaptability and resilience into our organizations and management systems.

As a final thought, remember that if your firm is in business today, it has survived the worst recession since the Great Depression. In other words, your firm has survived the 70-year storm. Rushing to reduce future risks based on experience in the 2008 global financial crisis could easily result in overreaction – an example of locking the barn door after the horse has bolted. Indeed, if your firm did not experience difficulties in the recession, it probably was not taking enough risk. Instead of rushing into a massive risk-management exercise, try to target your risk management activities to emphasize the strategic issues that will determine organizational survival.
