Kay Rahardjo and Mary Ann Dowling
As companies attempt to address an ever-expanding variety of financial and operational threats to their balance sheets, today's complex and competitive business climate increases the probability (and consequences) of being wrong. In the face of these challenges, each organization's senior management must make a series of decisions not only to enhance the value of the company, but also to protect it from unfortuitous events that can dilute its value rather quickly.
Selecting the best decision-making framework to address the universe of risks facing a firm is a problem many companies are struggling with. The questions executives are asking include: What are my risks? What is their magnitude? What is my risk appetite? What risks should I retain? Which ones should I transfer to a third party?
Traditionally, various risks have been managed independently throughout organizations. For instance, one area is typically responsible for purchasing insurance to mitigate the financial impact of fire losses, product liability claims or severely injured workers. Another area will minimize the losses from fluctuations in foreign exchange and interest rates while yet another will take the responsibility for managing commodity risk. All of these specialized functions make decisions that are reflected somewhere on the balance sheet and, depending on the company's positions, can have a negative effect.
This approach is relatively inefficient since there is no way to measure these risks on a common basis, assess the interrelationship between the risks and analyze their potential firm-wide impacts. In contrast, looking at these risks on a portfolio basis allows a company to see how they interact and provides management with a better perspective on how the balance sheet will be affected if unanticipated events occur. Making the transition to a strategic approach to risk management requires a number of steps that include creating a business risk profile; determining management's objectives; developing and implementing a comprehensive strategy; and measuring the performance of the selected risk management tools and methods.
Business Risk Profile
To understand and address its risks, a company needs to identify them, quantify their magnitude and measure their potential impact. This requires looking within the different business units, identifying the universe of risks they face and drilling down within each category of risk to uncover the unexpected circumstances that can influence the assumptions or conditions in force when the organization's business plan was created.
After listing the various business risks, it is helpful to further categorize them by the impact they can have on your organization. The risk mapping process illustrated in Exhibit 1 can be a helpful tool in doing so. In a risk map, an organization's risks are charted into four quadrants depending on whether an event has a high or low probability of occurrence, and whether it could result in a highly severe loss or a low-severity loss. (This example is illustrative only - any company would have many more risks than these.)
Every risk has two aspects: size and tenor. The magnitude of each risk the organization maps will help dictate how it will be addressed. Exposures that fall into the upper right-hand quadrant will be the highly severe risks that can occur with a high frequency - the risks that will require the utmost in prevention or management. Those risks in the upper left-hand quadrant, which are less likely to occur, will also require a great deal of attention because, if and when they do occur, they will cost your company a great deal of money.
Other important considerations will be the exposures' time horizon and the cost of the vehicles used to manage each risk. If the horizon is far off, which increases an event's unpredictability, the cost of vehicles used to manage that risk will be higher. …