Risky Business

Wednesday, June 1, 2011 - 08:22

Recent events can only serve to increase the pressure on organisations to get everything right when things go wrong. By Gillian Bullock

There was a time when risk management operated in a parallel universe to a company's core operations, where it was treated as a separate, rather than integral, part of the business.

But in the wake of the GFC, risk management has become increasingly important and is now often used as a prospective rather than a reactive tool in many businesses.

Of course, most companies have always conducted risk management, it's just that they did not necessarily put a name to it. Rather, it was just part and parcel of the day-to-day operation of the business with no particular person or team designated to handle risk across the organisation.

Back then - less than 20 years ago - chief risk officers (CRO) were few and far between. This is no longer the case, and today, increasing demand has resulted in the University of New South Wales this year introducing a master's degree solely in risk management.

Today's CRO can come from a variety of backgrounds including legal, technical and commercial. Their emergence is driven by demand from the boards and executive of companies who are becoming increasingly aware of having to get it right.

The spate of natural disasters in recent times - the earthquake in Christchurch, the floods in Queensland and Victoria and Cyclone Yasi - has made companies aware of how they need to have systems in place to cope with a crisis.

Of course, it doesn't have to be full-blown; you also need to deal with risks that are not of crisis proportions but still affect a company's performance.

Identifying uncertainty

It is estimated that the Australian risk-consulting market is worth between $650-850 million and is growing at 6 per cent a year.

Professor John Evans, Head of School, Actuarial Studies at the Australian School of Business, says risk management is about identifying uncertainty and managing it down to an acceptable level, taking into account the overall level of risk that is considered acceptable to a business.

Evans says you can't get the risk down to zero - nor would you want to as that is merely equivalent to a cash investment - but you can have controlled risk.

Catherine Friday, Risk Partner at Ernst and Young, believes that the definition applied to risk management is unimportant.

"It's what you do with it that is important," says Friday. "It's a lens for filtering what the potential obstacles are and how you will deal with them, a framework for making decisions quickly."

As such, Friday says that it is also increasingly being used in resource allocation.

"Risk management can tell you which projects to fast-track and what are the opportunity costs if you don't do something," she says.

Seven types of risk

There are generally seven types of risk facing any business. According to Richard Gossage, Partner, Risk Practice at PricewaterhouseCoopers, the central risk is enterprise wide, which is a holistic view. Spanning out from this are the six other risks: credit; market; liquidity and treasury; operational; regulatory; and insurance related.

Once you identify risk then the next stage is to quantify this to assess its relative importance. Evans says some boards can get agitated at the prospect of quantifying risk so he suggests using a traffic-lights analogy: a green light is where you would prefer the risk did not happen but it's not going to hurt you; amber is where you'd rather it didn't happen but it won't be fatal; and red is 'good night, can somebody turn out the lights'.

Monitoring performance

Once you have quantified the risk, then it is important to monitor performance on a regular basis. Monitoring is very important. As with any any performance measure, to manage your level of risk you need to know how you are tracking, and if you are off track, you need to understand why.

Without this monitoring and variance analysis and taking corrective action quickly, boards can find themselves surprised, says Gossage.

"Companies often have all steps in place but then don't do enough variance analysis," he says. "You need remedies in place to get you back on track.

"If you look at the majority of corporate failures and man-made disasters over the past decade, you will find that the underlying cause is a failure in risk management. It's like a lane flight. If the plane goes off track, say, because it is windy, the pilot has to monitor his position to his flight plan and take corrective action to get it back on track; it's the same principal with risk management. It needs to be a dynamic process."

Evans also insists that risk management is both top down and bottom up.

"You need the organisation's board or management to identify the big risks and their relative importance, but you also need a bottom-up approach as there are a lot of little risks that can become a big risk," says Evans.