Organizations of every ilk have been nudged by credit-rating agencies, pushed by regulators, and told by various accounting, audit, and consulting firms to adopt enterprise risk management (ERM). But can ERM make a noticeable impact on companies’ value or growth?
Perhaps if organizations would instead think of ERM as “entrepreneurial risk management,” the process would be seen for its value-creation as well as its value-protection aspects. During the last two decades, the quandary for investors in publicly traded companies has been that while the Risk Factors section of companies’ 10-K reports has grown larger, it still conveys very little information about a company’s actual risk position, appetite, and tolerance.
At its most basic level, the ERM process is deceptively straightforward: identify and assess the critical risks across the entire organization, determine the best method to respond to those risks, and then report and monitor the results.
Many ERM programs are now several years old and have matured beyond basic levels. Some organizations have discovered that embedding ERM into their strategic planning broadens the scope of the process beyond the traditional goal of protecting value. ERM also supports the business plan for growth, although boosting the upside of taking risks is far more complex than trying to mitigate the downside of taking them.
One element of complexity beyond basic ERM has to do with the concepts of risk appetite and risk tolerance. COSO, the Committee of Sponsoring Organizations, which issues guidance for auditors and accountants, has defined risk appetite as “[t]he amount of risk on a broad level an organization is willing to accept in pursuit of value.”
Also defined by COSO is risk tolerance, or the “[a]cceptable level of variation an entity is willing to accept regarding the pursuit of its objective.” Arguably, these two definitions could be translated pragmatically as:
- How much can the firm afford to invest to achieve its goals?
- How much is the firm prepared to lose?
Those two critical questions are best addressed by the board, and only after the executive management and the board have an understanding and agreement about the firm’s risk position, also called risk attitude or risk philosophy.
The ISO 31000 standard uses the term risk attitude and defines it as “an organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”
Another measuring rod, risk position, is the combination of a firm’s risk appetite and its risk tolerance. Risk appetite is a firm’s willingness and ability to invest in new projects. The outcome of such a project may be positive or negative, but management expects a positive net present value. Research and development (R&D) and advertising a new product are classic examples of these investments.
In contrast, risk tolerance is a firm’s willingness and ability to pay to transfer a volatile situation. Here, the outcome may be a loss or no loss. The difference is in the extent of management’s desire to retain the volatility and take a chance on a big loss. Classic ways to cope with a lack of risk tolerance are purchasing insurance and using derivatives to hedge unstable commodity prices.
To better understand risk appetite and risk tolerance, let’s look at Hewlett-Packard’s recently announced impairment charge of $8.8 billion related to allegedly fraudulent accounting at Autonomy, a technology company HP acquired in October 2011.
On November 20, HP reported there had been a series of questionable accounting and business practices at Autonomy prior to its acquisition by HP. In fact, HP’s risk appetite was demonstrated in the price it paid for Autonomy: $10.3 billion. HP or any other acquiring company should always be asking: “How much do we expect to gain from this investment if everything goes as planned?” and “How much can we afford to lose in the event the acquisition does not produce the expected financial results?”
The first question is a traditional investment inquiry: “What is the expected net present value of this project?” Completing a pro forma analysis of the best-case scenario will reveal what the expected upside of the risk may produce. With this outcome, the firm must ask if it is prepared with sufficient capacity, capital, and human resources to handle this situation.
The second question is a traditional risk-management inquiry: “What is the worst-case scenario, and is the firm prepared for this outcome?” If that outcome is a significant loss, the firm’s risk-tolerance limit will kick in and dictate when to transfer that contingency away. To make the cost of these transfers lower, most firms also retain smaller losses. The dollar value of the firm’s retention depends upon the size and strength of the corporate balance sheet.
The dollar amount of a firm’s risk appetite is not equal to its dollar amount of risk tolerance. Usually the risk tolerance is considerably smaller than the risk appetite. For example, the amount set aside to cover severance agreements for potential layoffs is often much smaller than the total investment in a related new project.
Risk appetite and risk tolerance are made more complex by the operational reality that organizations like HP take on more than one risk at the same time. For example, Autonomy was not the only recent acquisition by HP. Earlier, in 2008, HP wrote off $8 billion related to its acquisition of EDS. Likewise, the acquisition of Palm for $1.8 billion, where the operating system webOS originated, did not include the additional R&D expenses for the short-lived TouchPad. The 2011 HP annual report states that overall R&D expense was more than $3 billion for the year. Obviously, R&D for a technology company is essential if it is to remain relevant. In fairness to HP, being in business is about taking risks.
The issue for investors to consider from the risk appetite and risk tolerance perspective is that it is difficult, if not impossible, to gain an idea about HP’s overall risk attitude, appetite, or tolerance levels from the current Risk Factors section of the company’s 10-K. In the 2011 Annual Report/10-K, that section encompasses pages 16 to 32 and provides a narrative about the 23 major risk factors that HP states could have a negative impact on its business activities, but does not contain any metric or indication of magnitude of those risk factors.
HP’s board has risk-oversight responsibilities. In carrying out its oversight, HP states that the board, with the assistance of the audit committee, reviews and oversees its ERM program, which is “designed to enable effective and efficient identification of and management visibility into critical enterprise risks and to facilitate the incorporation of risk considerations into decision making.”
The lack of numerical transparency in terms of HP’s risk appetite, risk tolerance, and risk position is at odds with the stated goal of the company’s ERM program to enable “management visibility into critical enterprise risks.” Possible remedies include:
- Constituting a board-level risk committee consisting of independent directors, one of whom should be a risk-management expert.
- Constituting an executive risk committee chaired by either the CEO or the CRO.
- Reviewing the ERM program to determine if in addition to its audit and compliance focus, a greater emphasis should be placed on strategic and operational risks and opportunities.
Taking risks is a positive for companies if those risks are properly analyzed and managed. Enterprise risk management is a process that should be employed when a company’s critical decisions are being considered.
Kristina Narvaez is president and CEO of ERM Strategies. John Bugalla is a principal with ermINSIGHTS. James Kallman, a finance professor at St. Edward’s University in Austin, Texas, also contributed to this article.