
Think your company does a decent job of assessing, prioritizing and preparing for their major strategic risks? The American Productivity & Quality Center’s latest research on best practices in enterprise risk management (ERM) will make you think twice.

On the one hand, the survey of nearly 100 large companies showed that 61 percent of participants believe they are doing OK. They have processes in place that aim to enumerate the potential impacts that their enterprise-level risks — a.k.a. strategic risks — could have on such areas as market share, revenue and product-delivery times. This is understandable, given that boards of directors are pushing ERM leaders to bolster their capabilities in response to pressure from investors and regulators to provide assurances that the company’s ERM processes are in good shape. Arguably, in the past boards cared more about boosting earnings than they did about the finer points of risk management.

But it’s my contention that many senior executives harbor a false sense of security when it comes to balancing risk and reward. Six out of ten survey respondents say that the identification of a major risk has limited or no impact on their strategic plan formulation. (See chart.) So, most companies do not systematically ensure that strategic plans are explicitly adjusted for risks that have been identified in the risk review. This is a worrisome vulnerability. How did it arise?

Our empirical evidence shows that a lot of organizations do their annual strategic planning before they do their annual ERM assessments. And most are loath to call a halt to a strategic pursuit once it has begun. Instead, the assumption is that the identified risks will be managed satisfactorily after the horses have left the barn.

Surely, some CEOs and CFOs do this purposefully. They don’t want the risk conversations to dampen planning activities. Either that, or they feel that ERM is too important to fold into another key management process. But APQC case study research suggests that allowing a space to exist between the two processes can lead to trouble. The business gladiators already on the field are probably not going to want to stop very long to assess whether risk mitigation strategies are well thought through.

Thinking Unconventionally

Another concern underscored by the survey findings involves new forms of risks. Only 19 percent of organizations say that their ERM process is effective when it comes to identifying risks that they have not yet encountered but could encounter. While more than one half of the respondents indicate that they are somewhat effective at imagining new contours or types of risk, the problem remains that risks that are easily dismissed as remote have the capacity to inflict severe damage if they materialize. That’s why best-practice organizations develop group exercises to prompt decision makers to think unconventionally.

Many companies already use such tools as color-coded heat maps that sort out small versus medium versus large strategic risks. The maps also prioritize those risks according to likelihood, velocity (how quickly risks create loss events) and potential impact. Companies also put tons of effort into creating risk registers that place a potpourri of risks into neat categories. Some define external versus internal risks and ask themselves deep questions about what they can and cannot control — and what they could do if an uncontrollable risk were to materialize.

One example of such a risk comes in the form of riots that could threaten company employees and facilities in underdeveloped economies simmering with talk of government overthrow. Internal risks, on the other hand, are those that arise either partially or wholly from employees’ actions, whether sanctioned by management or not. Internal risks also tend to be divided into the traditional categories of strategic, operational and financial. Those can be broken down further, for example into integrity risks and cyber security.

But most companies don’t go the extra mile and conduct granular scenario and sensitivity analysis to gain a sense of the potential impacts on financial outcomes that could, for example, alter equity analysts’ views of a company’s desirability as an investment holding.

The true best-practice ERM leaders are trying to clarify how much actual shareholder value is at stake if a major risk materialized. During the recent recession, many organizations determined that long-standing risk management approaches were inadequate when it came to assessing risks to shareholder-value generation.

Just one example: a major power company in 2008-09 realized it had contractual obligations to a large municipality which could lose its commercial paper credit rating or bank revolver if it was hit by a rating agency downgrade. If the credit spigot suddenly went dry, the city would be unable to pay the power supplier. While the municipality might have been able to side-step bankruptcy for a while, a number of situations were imaginable. Conversations between the CEO, the CRO and the audit committee of the board went like this: “We are still contractually required to deliver power, so let’s quantify the risk to our revenue stream under various default scenarios for the city.” They also looked at the potential impact on reported earnings.

The old-school concepts and languages of risk grew out of internal audit and risk transfer. The questions asked tended to revolve around:

  • “Do we have internal control weaknesses [read: some frauds or innocent errors could slip through the cracks]?”
  • “If we see a currency risk emerging, can we put on some financial hedges to minimize our likely exposures?”

 

Today, large organizations still ask those questions. But they also need to look at the shareholder value at stake under various risk scenarios — and the possible effects on a range of financial ratios that could wreak havoc with debt covenants, capital raising efforts, and strategic partner assurances, among many others. And this is where finance has to play a vital role.

Mary C. Driscoll is a senior research fellow at the American Productivity & Quality Center.


3 responses to “Companies Failing to Adjust Strategic Plans for Risks”

  1. Although there seems to be an increasing interest in enterprise risk management, my experience and observations are very much like Ms. Driscoll’s. Over the last couple of years, I’ve seen more companies retaining help from the Big 4 and other risk/internal audit consultancies to develop comprehensive risk registers. Large fees are paid for the risk consultants to either identify what is considered their client’s risk universe or facilitate client management in doing their own risk identification. Everything gets wrapped in a nice package complete with weighted risk ratings and pretty heat maps. Then after the annual risk assessment presentation to the Audit Committee or the full Board, the report is set aside with little or no actual actions committed to manage the risks beyond internal controls and insurance or hedging. Then everything is dragged out again for the next annual risk assessment update. There are companies that are doing much more, but it seems that even for those companies, the risk management process is more about creating and maintaining the risk register and the risk quantification estimates than actually integrating risk management behaviors and risk recognition into strategic and operational planning. There is no risk management program if nothing is actually being done to manage/mitigate the risks through both the strategic and day-to-day operational practices of the company and its personnel.

  2. To add my viewpoint in conjunction with Mr. Archer’s thoughts, the challenge for the companies is just not about following up the assessed risks but also in satisfying that the risks from all corners are identified. Yes, there are risks in more than one category, thanks to Ms. Driscoll for pointing it down, but as far as I have read the industry, though the big 4s specialize in even the unknown categories, the companies who employ them don’t always open up for a complete study. The manufacturing concerns are more focused on addressing the risks in procurement and production that they don’t believe there can be information systems risks until it’s too late. Fraud, whether internal or external, can be one good explanation but not the only explanation.
    And, in how many scenarios have the companies thought that unusual transactions or relationships are open risks? And how many companies believe that too much of management involvement is a standing risk of override?
    More smart the companies grow in saying that we addressed the risks, the perpetrators are always two steps ahead.
