“Row, row, row your boat, gently down the stream”. Gently is
pleasant and enjoyable, if you know where the rocks are, if you have an idea of
the flow of water, and if there are no waterfalls. Knowing where the hazards are
at each point along the river, where the bank is too wide, or where the fallen
trees are, and then deciding the path, is all part of Risk Management. Most
important are knowing where and how to navigate the rapids, and not being
thrown over the waterfall.
Not seeing all the swirling currents, the rocks, and the
potential drops is akin to missing material risks.
Have you ever been faced with the occurrence of an event
that was both material to the business, and yet was not on your radar (or risk
register)? That rock in the river and that thumping, scraping feeling and sound
when the boat hits that rock. It happens, and it is personally painful when it
does. It is difficult to look an executive team in the eyes and say “we, I mean,
I missed that one”. Once you’ve done that, the question is “what else are we
missing?”
Faced with that situation, and after being assured “we ALL
missed it”, I asked myself what process I could put in place to reduce the
likelihood of such a mistake in future.
This has led me to thinking about systemic risks and Black
Swans as much as thinking about “internal” risks that might have been missed.
This post provides an outline of my methodology change to improve completeness
of risk consideration, with a focus on material risks.
Exploring the Black Swan world
Over the past few weeks, I’ve published a number of posts on
both Risk Management (operational level) and Global Economic conditions and
Black Swans. What can, and should, Risk Managers be doing concretely to address
these risks?
The first step, of course, is to acknowledge that there are
potential systemic risks, and that the enterprise needs to be considering
these, macro and micro. Internal resilience is as important as is a level of
prudential preparation to weather external shocks.
For example, would the entity's investment portfolio, as
managed by the treasury function, stand up to a “Mark-to-Market” after an event
that resulted in bonds demanding a 5% additional return? Are banking agreements
sufficient to ensure continuity of payments in the event of the failure of a
key financial intermediary?
Risk Appetite and Acceptance
Risk Management cannot identify all risks, internal and
external, and cannot prioritise those risks in a vacuum. Senior management (and
the Board for validation) should be confirming the risk universe, the risk
hierarchy, and should be determining the level of acceptable risk. This is the
Risk Appetite, and provides a foundation for acceptance of the residual risk
position acceptable to management and the Board.
Of course, understanding the Risk Appetite for any
particular risk requires understanding of the risks, the identification of the
gross potential impact, an assessment of likelihood of occurrence, the current
situation in relation to the control environment, and more importantly, the
acceptable final risk position (“target” risk score).
The “Target” risk score, or the Risk Appetite for a
particular risk, should only be set and accepted by someone with the authority
to accept that final risk position. Anyone else “accepting” that risk is doing
so on behalf of the shareholders, and very
probably is doing so significantly outside the level of authority that the
shareholders have vested in that person. Thus the need for a Delegation of Risk
Authority.
Seeing the “Same Thing”
One of the most difficult activities is the identification
of all material risks, internal and external. Lists and brainstorming seem to
be the most common ways that these sets of risks are identified. And of course
generic lists by industry are readily available online, modifiable to your
business. These lists reflect a range of risks at a period in time, from the
perspective of the list compiler. The next step is to get past the list and
identify the hidden or out-of-mind risks.
All risk identification must start with the objectives of
the business, even before the structure of the business. From there, a common
model is needed, that all participants in the risk identification process are
either familiar with, or can easily map to their experience and knowledge of
the business.
While it cannot be said that all participants in the risk
identification process will be familiar with all aspects of the Balance Sheet
or Cash Flow statement, there is a very good probability that they will be very
familiar with their areas, and how those areas impact discrete elements of the
Balance Sheet or Cash Flow.
Victoria, Iguazu or Angel
A remarkable thing about waterfalls is that if you carefully
measure all the water that comes in at the top, minus mist and vapour, the
amount of water that comes out the bottom end is the same. So with Balance
Sheets and Cash Flow statements. The totals in, minus items and added items,
equals the amounts “going out”.
A tool that I have found useful for the
identification of risks, and to ensure a conversation about risk with senior
management is the use of the waterfall diagram. Each element can be
de-constructed to whatever level of detail is required, but the inputs, minus
and plus interesting other “stuff”, equal the outcomes or outputs.
The example above provides a very basic (and imaginary) Cash
Flow statement for a commercial and industrial company. It would look
fundamentally different for a financial institution or insurance business. But
in all companies, regardless of industry, after revenues and various costs, we
have the output: Net Income.
Every element along the way, to a greater or lesser extent,
inputs and outputs, contributes to the eventual result. More important, if each
element represents a set of definable business objectives, then each element
provides us with a specific area of potential risk. For example, a business
objective like “complaints per X-thousand customers” relates to specific
elements such as SGA (Sales, General and Administration Expenses), or in
Insurance and Financial Services entities, in their Compliance costs as well as
SGA.
Let’s add some geography
A waterfall itself is influenced by factors well beyond the
flows of water. The height of the drop, the width of the flow, the internal
structure of the river and terrain around it all contribute. So we need to be
considering all these facets when looking at our waterfall. Certainly, we have
experts internally on the type, flow and quantity of water (internal factors),
but how about our understanding of the shoreline and associated geography
(external factors)?
Risk Identification and associated Risk Assessment need to
consider all these factors, or critical risks (I must keep remembering to say
“risks and opportunities”) will be missed - critical risks that have a
fundamental bearing on the likelihood of the business achieving its objectives.
While the metaphor may be imperfect, it does provide a framework.
If we want to ensure that we have identified as many of the
material risks as possible, then we need to look at each element of the
Waterfall, and consider both the external and internal contributors to that
element. In so doing, we identify the potential risks to the achievement of
each of those elements.
For a manufacturing and distribution company, the cost of
distribution is a material component of the Cost of Goods Sold, and therefore
any risks impacting distribution should be included. Consideration of the
impact of the sub elements of distribution can be used to determine what
specific risk mitigations should be put in place.
In the 2000s, a major FMCG (Fast Moving Consumer Goods)
company did not adequately consider distribution costs, or more importantly,
the impact of changes in fuel costs as an element of their distribution costs.
When fuel costs rose, so did their distribution costs, significantly. Net
Income suffered badly.
Flip the Waterfall diagram on its side, and we have an
excellent tool to help us identify “missed” risks. While we did not use this
exact presentation, we did use the waterfall diagram a year ago, and it helps
us focus on, and in some cases identify, material risks.
It also gives the people with the most knowledge of each
waterfall element the opportunity to discuss their elements, the make-up and
breakdown of the elements, and to confirm the associated key risks. In
addition, it supports challenge and common agreement of the material risks.
In the example above, Internal and External components of
the waterfall element are listed, and discussed to confirm that associated
risks have been identified. Quantification of the materiality of the risks was
a secondary task, but by using this methodology, it was easy for the
participants to understand quickly how any change in one of the waterfall
elements impacts the overall performance of the business.
Of course, at the core of a successful risk identification
(and confirmation - this should be done annually at least) is ensuring the
widest range of people are involved. This most especially includes subject
matter experts on each of the elements of the waterfall, and representation from
Internal Audit to ensure a common risk universe is agreed.
The result is likely to be a much better aligned assessment
of risk against business objectives.