Future-Proofing the Company Against Risk

Doing business in a complex and global world means we can no longer deal with risk from a deterministic viewpoint—creating a business strategy according to a current position or a single and predictable situation. What business needs now is a probabilistic approach to risks, one that future-proofs a company against all possible or probable scenarios and manages the related trade-offs.

There was a time when risk management for non-banking companies was a relatively straightforward process that was relegated to lower management because it was preventive, defensive and reactive: Be certain all the organization’s hard assets and transactions are adequately insured. Be cautious in committing the organization’s resources to new activities with the potential for an adverse impact on revenues or profit. Be ready to deal with an event that could negatively affect the organization’s assets, revenue or profits.

These days, risk management cannot be merely preventive, defensive, reactive—or just compliant. The stakes are too high, thanks to such powerful forces as globalization, heightened public exposure, business uncertainty and new government regulations (Sarbanes-Oxley, for example).

Companies are building relationships up and down a now global value chain, which makes them more interrelated and therefore more vulnerable to risks. Every time a company outsources, shares, pools, partners or swaps, it creates a new value chain interface that has to be managed properly. With every interface comes the need to pre-vent the firm from being compromised strategically for the future.

The Trouble With Risk

Ask executives if they have a risk management strategy and they will likely answer yes. Every firm recognizes the need for such strategies and typically develops them to ensure transparency, arm the company against the latest corporate scandal, and to nurture investor and public trust in the capital markets. Recall the media attention given to Enron, WorldCom and Parmalat.

So it’s no surprise that listed companies have been investing in an array of risk management philosophies, tactics, tools and techniques. To do otherwise would be irresponsible and hazardous. The results, however, have not always been commensurate with the expense. Despite major investments and efforts to implement a myriad of risk-management-related programs, companies are beginning to wonder if they are reaping the full benefits. That’s because many of these strategies are geared toward complying with regulatory demands rather than focusing on the strategic risks that threaten the organization’s existence—and future.

The goal we’ve established for our clients is to avoid the subtle trap of successfully managing mandated and operational risks while failing to recognize the critical strategic threats that can make or break the company. Managing a host of disparate risks can only be achieved through an integrated risk management strategy.

The Peril and Potential of Decisions

Integrated risk management is the ability to assess clearly both the peril and potential of every business decision. It requires that the organization identify and evaluate current or future events and situations for their potential to thwart the achievement of organizational goals and objectives. Integrated risk management recognizes that the biggest risk to an organization is not ignorance, poor planning or inattention, but the risk of not meeting its corporate strategic objectives.

To that end, we view risk as anything that can have an impact on corporate goals and targets. It could be something that goes wrong within or outside the organization, or an opportunity within or outside the organization that’s missed. Risk management is not about not taking any risks. Rather, it is the capacity and the organizational capability to assess the risk and return of each business decision.

A sound, integrated risk-management strategy is built on a holistic approach (see figure 1) . It is the ability to identify, understand and quantify a wide array of risks and their effect on the business, and to align decision-making to the corporate strategy.

To manage risk effectively, the organization’s directors, officers and other executives must ask themselves two questions:

• Are we looking at the right risks now?
• Do we have an integrated vision of all risks—operational (or tactical) and strategic—that must be considered?

Only you can answer these questions, but we can offer a structured, integrated approach to this essential process.

A Framework for Managing Risk

The framework shown in figure 2 illustrates all the dimensions to be included in an integrated risk management strategy. The first thing to do is discard the traditional method for quantifying each specific risk, as it obscures an essential overview of corporate risks in toto . Moreover, it doesn’t allow a view into the frequency and severity of corporate-wide risk, nor to appreciate the dominant strategic threats. What we propose is a way to assess and evaluate disparate strategic risks seamlessly, supporting more operational risk with the appropriate management processes and models. The following outlines the major components of the framework:

Gauging strategic risk. The first layer provides the ability to identify, understand and measure risks and their impact on the business, and to help align decision-making to the corporate strategy. A major limitation of traditional approaches to risk management is the lack of a solid analytical method to address different types of risk, especially strategic ones that cannot be explained easily under the mantle of past events.

For example, a global oil and gas company with production in a potentially unstable country asked us to help identify risks associated with its key international assets and to develop a policy for managing them. The company wanted to embed risk management processes into its management model to protect shareholder value and reduce its exposure to risks.

In the course of our work, we identified, modeled and quantified a number of risks, including the lack of raw material and production unpredictability. But we recognized that not every risk could be quantified using traditional tools. The strategic risk that a country may change its oil exploration royalty structure depends more on political and economic issues than it does on any statistical analysis of past events.

Therefore, we used Stochastic statistics—which deal with probable outcomes instead of certainties—and other modeling tools to evaluate the primary strategic risks. On the basis of these calculations, we developed policies to address key strategic and operational risks and put them in a balanced scorecard (see figure 3) . We also created a tool to help the business units model and manage their risks and monitor the risk policies.

This work illustrates the necessity of a holistic approach to gauging risk. As discussed earlier, any number of specific risks—from variations in the price of oil to the probability of an operational failure—can be assessed and assigned a calculated value. A business decision can be made on that basis.

But of all the specific risks to be considered, what has the most strategic value to the organization? That is, what could destroy the organization by denying it the ability to achieve its stated objective? Clearly, a business decision made on the specific (and predicted) risk in oil prices can be considered justifiable. But what if it fails to consider a strategic risk of much greater magnitude—a change in government-mandated royalty policies, for example? How can it be considered valid? Focusing on operational risk at the expense of strategic threats can put the entire company at jeopardy.

Managing strategic risk. Most major corporations have a system of key indicators linked to risk management—either via well-known tools, in-house solutions or variants thereof. The challenge lies in effectively incorporating the system into the organization’s management model. This is more difficult in a globalized marketplace, where the model must transcend a narrow understanding of the company’s structure, roles and responsibilities to consider new relationships.

One challenge is to select tools that, while capable of complying with one set of risks (process and regulatory requirements, for example), are versatile enough to support the corporate decision-making whose raison d’etre is strategic risk. Two questions must be considered:

• Can the organization recognize, evaluate and monitor risks of such disparate natures within one risk management program?
• Can a set of risk management tools be extended to strategic decisions?

Again, the answer to both questions is yes. Analytical tools, as discussed in our earlier example, can quantify the different kinds of risk and risk correlations, allowing the com-pany to hedge its bets, design provisioning policies and make investment decisions.

Next on the agenda is to measure risk exposure and the potential impact, and determine when to deploy a mitigation strategy. Let’s illustrate this with another client example. We assisted a pulp and paper conglomerate to identify its main strategic risks and develop policies to manage them preemptively, which could include: mitigation, investing in hedge mechanisms such as inventories and insurance, or doing nothing.

An error in the forest-seeding forecast was identified as a strategic risk, and, using a risk measurement model, we helped the company simulate the impact of several mitigation approaches. What would happen, for instance, to the forest-seeding forecast if the plantation area were increased? We concluded that a slight increase in the plantation area could significantly reduce the risk of not having an adequate supply of raw material in the future, and any additional increase in the plantation area would have a limited effect in further reducing this risk.

An interesting aspect of the simulation is how the results were used to adjust the business strategy. In this case, the firm made a slight adjustment to its production-planning formula. The firm knows how to measure if this mitigation strategy is working, so that it can limit its unnecessary exposure to the lack of raw material.

Another example comes from the financial services industry and our colleagues in Amsterdam who worked with a European-based insurance company. The insurer had experienced a number of years of profitable double-digit growth, but trends and rumors suggested that both future growth and value creation could be seriously at risk. A scenario analysis revealed the implications of different market trends and the possible effects of certain situations developing, such as a housing market freeze or rising competition. The scenarios were developed based on industry and market insights, desk research and intense working sessions with company executives.

“By asking the 'what-if’ question, our client was able to anticipate these events and preemptively define strategic and tactical actions to deal with them,” explains Nathan Burgers, an A.T. Kearney partner. “Also, the company can search key words in financial newspapers to gather information on when certain scenar-ios might play out.”

Importantly, this approach capitalizes on the difference between risk assessment and risk measurement. Measurement, as discussed earlier, is the quantification of risk. An assessment digs deeper to understand all the risks the organization is facing. It identifies key risks—those that can destroy value for the company—and their components. A meaningful assessment also monitors strategic risks, informing the organization about the frequency and severity of those risks.

Future-proofing the company. The final stage is integrating risk management with strategic planning to align strategies that more fully account for risks. This plan can take business management to new levels, where executives leave the deterministic world behind and make decisions within a probabilistic universe.

In a deterministic world, the organization determines its business strategy and budget according to its current situation or a single and predictable circumstance, with some “fat” included in a proposed budget to provide a margin of error. Here the organization is figuratively chasing its own tail by allowing the budget process to determine its business strategy.

By comparison, the probabilistic approach allows—and indeed encourages—the organization to consider several possibilities and trade-offs, with their identified lesser or greater risks and associated potential for greater losses or profits. Going back to our insurance-company example, company executives used the various scenarios to develop a structured and detailed view on market developments and a thorough understanding of the risks and implications for their business (see figure 4) . In the future, executives will update the underlying financial model with actual data to make realistic projections on revenue and growth and tweak the scenarios as the reality unfolds.

>

Of course, this approach to risk management requires a tremendous change in behavior. Rather than working with deterministic values and explaining why they fluctuate, executives are compelled to ponder continually changing business trade-offs and how to bring the company back to a position where it generates value. Uncertainties are considered beforehand and excuses to justify why targets were not achieved are no longer tolerated.

The Markets Will Respond

Properly identifying and ranking risks allows companies to select those to be monitored directly by the board of directors and those that might be delegated. Measuring risk using quantitative data requires using a shared set of criteria, thus ensuring that all executives have a uniform perception of the risks.

Once mechanisms are in place, executives can gauge their risk tolerance—how much risk they are willing to accept—and communicate to the organization what levels of risk are acceptable and where it makes sense to expose the corporation to risk. Companies can decide how much to invest in risk mitigation strategies, and assess when the cost involved in a specific risk is commensurate with the anticipated returns.

Markets respond to companies that implement integrated risk-management strategies. The most immediate impact will come from the level of transparency it provides to shareholders, analysts and risk management agencies—transparency that will in turn be reflected in how the market values the company.

Consulting Authors

Dario Gaspar is a partner in the firm’s operations practice. Based in the São Paulo office, he can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

Tom Perlingiere is a consultant in the firm’s financial services practice. Based in the São Paulo office, he can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

The authors wish to acknowledge the contributions of their colleague Daniel Medina in writing this article.