Risk Management

Warning Signs

Why risk management is letting down companies and what to do about it.
Janet Kersnar, February 2, 2009

Bart Le Blanc is certainly reassured by the fact that risk management has “always been an integral part” of the company where he works. Urenco, a privately held joint venture with German, Dutch and British owners, is one of a handful of uranium-enrichment companies that supply fuel for nuclear reactors. Its centrifuge technology in the wrong hands could be used to enrich uranium used in nuclear weapons. For obvious reasons, Urenco’s plants — three in Europe and one under construction in the US — are heavily regulated, requiring a permanently “proactive risk management mindset” to keep safeguards in place, says Le Blanc, Urenco’s CFO.

Yet the finance chief isn’t one to rest easy. The company is growing fast, with its global market share rising from around 15% five years ago to nearly 25% today. As a result, Urenco’s supply chain is being exposed to numerous new operational, as well as financial and strategic, risks. And with Urenco’s executive team drawing up major investment plans to propel the company’s growth even further, those risks are set to multiply.

The challenge isn’t lost on the CFO. Urenco’s executive team is “very much aware” that selling its growth plans — with $2 billion in investments over the next two years — to the board and investors requires “a different and a more proactive risk approach for not only this investment project, but also across the business,” Le Blanc says.

But what approach should that be? Le Blanc isn’t the only CFO searching for the answer. As a burgeoning profession in its own right, risk management has developed in leaps and bounds. But the discipline is not nearly as effective as many executives would like. “Risk management should be an inherent part of good management,” says Michael Power, director of the Centre for Analysis of Risk and Regulation at the London School of Economics. “But often it’s not.”

Consider, for example, the banking sector, where arguably the corporate world’s most sophisticated risk practitioners couldn’t prevent, let alone foresee, the current financial crisis. As a result, confidence in companies’ ability to identify and mitigate risks has been shaken, and stakeholders are looking for reassurance that they won’t be let down again. “What isn’t acceptable now is to roll forward old risk plans,” suggests Gerard Gallagher, head of business risk services at Ernst & Young. “Many are no longer valid.”

What’s more, the downturn has shown CFOs how rapidly the array of strategic, financial and operational risks can change, with devastating results. According to a recent survey by the Federation of European Risk Management Associations, nearly half of 555 executives polled said that their companies weren’t managing the full spectrum of risks. The survey also found a number of other shortcomings, ranging from a lack of clear policies or charter to weak centralised oversight. (See “Of Policies and Procedures” at the end of this article.)

So what has been holding the implementation of risk management back? One of the biggest restraints is complacency. Ever since Sarbanes-Oxley and the like came into force, risk management at many companies hasn’t gone beyond regulatory box-ticking — or as Jonathan Hayward, CEO of corporate governance consultancy Independent Audit, puts it, “the year-end Turnbull process,” referring to the UK’s risk-reporting regulation. “That makes my heart sink.”

No Excuses

The one thing CFOs shouldn’t do in their quest to smarten up risk management procedures is let the pendulum swing so that it “takes on a life of its own,” says Hayward. “That’s part of the reason why it’s gone wrong over the past decade — risk managers tried to establish themselves as something distinct. I’m not advocating not having chief risk officers, but the existence of a CRO can be used as an excuse for boards not being aware of what the risks are or which controls are in place.”

On this point, companies outside of the financial services industry should take heart, he says. Their risk management “is not so far down the road,” Hayward says, “and that’s partly an advantage.” Banks, he believes, have become over-dependent on data-driven quantitative analyses and esoteric mathematical models, while “corporations haven’t fallen into that trap.”

MAN, a €15.5 billion German commercial vehicles, engines and engineering company, is a case in point. Rather than relying on complex “mathematical models that bankers thought they could use to help manage themselves out of [the downturn],” CFO Karlheinz Hornung is armed with an arsenal of simple tools.

One of these that Hornung says he is “a big fan” of is a traffic-light system — MAN uses four levels, with the first signalling risks with the lowest potential for disruption, and the fourth signalling the highest risk. A risk will be reported to the board if it reaches the third or fourth light, “but I see any risk that is at the first or second light because it might escalate,” explains Hornung, who jokingly refers to himself as the company’s de facto chief risk officer.

A new aspect of MAN’s risk practice is what Hornung calls “scenario budgeting.” This sits alongside the traditional annual budget process and serves as an early-warning system, giving the company a range of plans to help it respond to changes in market conditions. The CFO describes it as “a key way to show [operational colleagues] that risk management isn’t just a legal obligation, but an instrument to help them manage their businesses better.”

In 2007 MAN’s scenario budgeting included a sensitivity analysis, keeping in mind the need to achieve a return on sales of at least 6.5%, regardless of whether demand for trucks fell. Sensing that some worst-case scenarios were becoming increasingly likely, the company drew up action plans months ahead of the eventual downturn. “We closed our plants for commercial vehicles for four weeks over Christmas, and we already had started implementing cost-cutting programmes,” Hornung says. “That’s what I call proactive risk management.”

A Visible Link

Another important aspect of proactive risk management is maintaining regular communication, both internal and external, on how to address burgeoning threats. Ian Robson, finance director of UK-based Ashtead Group, cites a quarterly internal risk forum set up last year to share best practice. The £1 billion (€1.1 billion) equipment-hire company doesn’t have a dedicated risk function, but risk management is integrated in operations within its two divisions — in the UK and the US — by assigning individuals oversight of specific areas of risk, such as health and safety, or legal. “We had a lot of good practices running in parallel in both the US and the UK,” Robson says, and the forum brings together those individuals and various executives, including the CFO, in order to draw “a visible link” between these various practices.

There’s also an external benefit. As Robson explains, the forum “has helped us clearly articulate to the outside world how risk management efforts work in our group.” And if he ever needed evidence to show the rest of the company why this is important, he got it during Ashtead’s third quarter results announcement in December.

In previous quarters, Ashtead delivered better-than-expected results but the executives, to their annoyance, felt this wasn’t always reflected in its share price. By the time December rolled around, results were still ahead of expectations but Robson could see that the impact of the recession was starting to show, particularly in areas where the firm was exposed to the construction industry. So during his analyst presentation he took a new approach, spending more time discussing the company’s financing risks — providing richer detail, for example, about the stability of its debt package. “The market wanted to know that, and agreed with us that we had a good story to tell,” says Robson. “We’ve seen quite a nice response in our share price since communicating that extra bit.” Ashtead’s share price rose 13% on the day of its presentation, and it has risen since by around 20%.

Encouraged by the response, Robson says he’s now turning his attention to how risk is discussed in Ashtead’s next annual report. “We’re always looking to improve our annual reports and one of the themes in the next report will be around business risk management and the responses we have in place,” he says. His conclusion? “Those who are prepared to bring visibility to what they face and how they manage that will be appreciated with investors.”

Enriching Discussions

Urenco’s Le Blanc learned this lesson from what now might seem unusual teachers: rating agencies, whose risk metrics have been under heavy fire of late. Four years ago, when Urenco needed to review its funding strategy, it started a series of discussions with Moody’s and S&P. The dialogue spanned several months before the two agencies felt confident enough to assign a rating to the company which, in Le Blanc’s words, has a number of “peculiarities.” Looking back, he says, “the dialogue with the rating agencies was very enlightening in helping us be far more focused on what the financial markets would expect for this relatively unique business to be seen as a strong credit.” Today — with ratings of A1 from Moody’s and A- from S&P — Le Blanc says he’s “committed to continuing the dialogue” on market expectations of risk, particularly now that the investment programme is well under way.

Developing a “broader based” enterprise risk management programme at Urenco was one outcome of the discussions with ratings agencies. “We purposely decided not to concentrate that in one big risk management department,” says Le Blanc. There is some central co-ordination for reporting purposes, but the CFO says that the management of, say, counterparty risks or project-management risks needs “to be within the business, where [they] originate.”

That leaves a large, proactive role for Le Blanc’s finance team on three fronts: preparing regular management and board-level risk reports; contributing to group analysis on the correlation of various risks; and, since 2008, risk-budgeting exercises that will take place every year, with quarterly adjustments.

The interaction between risk management and the budgeting process developed from discussions at board and audit committee meetings. As a way of formalising the board’s risk appetite, the exercise considers, for example, how much volatility in key performance indicators, such as Ebitda, is acceptable as a result of foreign-exchange movements. “It’s been enormously important in helping the different actors — from board level down — to actually be aware of not only these risks, but also various risk management tools,” Le Blanc explains. “Previously, when the firm was involved in currency hedging, it was done almost as a matter of course, without awareness of the risk, or the opportunities.” The aim now is to expand the exercise to analyse other risks, allowing Le Blanc’s team to identify new tools that could better manage the challenges raised by the board’s risk budgets.

It’s not only Urenco that hopes new or enhanced tools will help it build a better forecasting apparatus. Though risk management didn’t adequately prepare companies for the current downturn, they now hope that enhanced practices will help identify opportunities to prosper when conditions improve.

Janet Kersnar is editor-in-chief at CFO Europe.

So Close, and Yet So Far

Where does risk management sit within your company? A survey of nearly 400 risk practitioners by the Federation of European Risk Management Associations (Ferma) found that around 20% of respondents said risk management is separate from insurance and internal audit, 60% group insurance with risk management (but not internal audit), and only 8% combine all three functions in a single department. (See “Linked In” at the end of this article.)

These findings put Kemira, a €2.8 billion Finnish speciality chemicals group, in rare company. At Kemira, risk doesn’t report to CFO Jyrki Mäki-Kala. Rather, risk management, insurance and internal audit fall to the oversight of Jukka Hakkala, the firm’s general counsel who sits on a 15-member strategic management board alongside Mäki-Kala. “Risk management is like its own function, but works closely with the business,” says Mäki-Kala. “I think that’s exactly what’s needed.”

Ferma’s researchers agree. Left in its own silo, they conclude, “risk management is more likely to address only operational risks.” However, at companies where risk management is combined with internal audit, more complex, global risks are addressed, Ferma believes.