“Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing where the hazards are at each point along the river, where the bank is too wide, or where the fallen trees are, and then deciding the path, is all part of Risk Management. Most important are knowing where and how to navigate the rapids, and not being thrown over the waterfall.
Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material risks.
Have you ever been faced with the occurrence of an event that was both material to the business, and yet was not on your radar (or risk register)? That rock in the river and that thumping, scraping feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does. It is difficult to look an executive team in the eyes and say “we, I mean, I missed that one”. Once you’ve done that, the question is “what else are we missing?”
Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I could put in place to reduce the likelihood of such a mistake in future.
This has led me to thinking about systemic risks and Black Swans as much as thinking about “internal” risks that might have been missed. This post provides an outline of my methodology change to improve completeness of risk consideration, with a focus on material risks.
Exploring the Black Swan world
Over the past few weeks, I’ve published a number of posts on both Risk Management (operational level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be doing concretely to address these risks?
The first step, of course, is to acknowledge that there are potential systemic risks, and that the enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a level of prudential preparation to weather external shocks.
For example, would the entity’s investment portfolio, as managed by the treasury function, stand up to a “Mark-to-Market” after an event that resulted in bonds demanding a 5% additional return? Are banking agreements sufficient to ensure continuity of payments in the event of the failure of a key financial intermediary?
Risk Appetite and Acceptance
Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a vacuum. Senior management (and the Board for validation) should be confirming the risk universe, the risk hierarchy, and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a foundation for acceptance of the residual risk position acceptable to management and the Board.
Of course, understanding the Risk Appetite for any particular risk requires understanding of the risks, the identification of the gross potential impact, an assessment of likelihood of occurrence, the current situation in relation to the control environment, and more importantly, the acceptable final risk position (“target” risk score).
The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by someone with the authority to accept that final risk position. Anyone else “accepting” that risk is doing so on behalf of the shareholders, and very probably is doing so significantly outside the level of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk Authority.
Seeing the “Same Thing”
One of the most difficult activities is the identification of all material risks, internal and external. Lists and brainstorming seem to be the most common ways that these sets of risks are identified. And of course generic lists by industry are readily available online, modifiable to your business. These lists reflect a range of risks at a period in time, from the perspective of the list compiler. The next step is to get past the list and identify the hidden or out-of-mind risks.
All risk identification must start with the objectives of the business, even before the structure of the business. From there, a common model is needed, that all participants in the risk identification process are either familiar with, or can easily map to their experience and knowledge of the business.
While it cannot be said that all participants in the risk identification process will be familiar with all aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will be very familiar with their areas, and how those areas impact discrete elements of the Balance Sheet or Cash Flow.
Victoria, Iguazu or Angel
A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals the amounts “going out”.
A tool that I have found useful for the identification of risks, and to ensure a conversation about risk with senior management is the use of the waterfall diagram. Each element can be de-constructed to whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal the outcomes or outputs.
The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and industrial company. It would look fundamentally different for a financial institution or insurance business. But in all companies, regardless of industry, after revenues and various costs, we have the output: Net Income.
Every element along the way, input or output, contributes to a greater or lesser extent to the eventual result. More important, if each element represents a set of definable business objectives, then each element provides us with a specific area of potential risk. For example, a business objective like “complaints per X-thousand customers” relates to specific elements such as SGA (Sales, General and Administration Expenses), or in Insurance and Financial Services entities, to their Compliance costs as well as SGA.
Let’s add some geography
A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the width of the flow, the internal structure of the river and terrain around it all contribute. So we need to be considering all these facets when looking at our waterfall. Certainly, we have experts internally on the type, flow and quantity of water (internal factors), but how about our understanding of the shoreline and associated geography (external factors)?
Risk Identification and associated Risk Assessment need to consider all these factors, or critical risks (I must keep remembering to say “risks and opportunities”) will be missed - critical risks that have a fundamental bearing on the likelihood of the business achieving its objectives.
While the metaphor may be imperfect, it does provide a framework.
If we want to ensure that we have identified as many of the material risks as possible, then we need to look at each element of the Waterfall, and consider both the external and internal contributors to that element. In so doing, we identify the potential risks to the achievement of each of those elements.
For a manufacturing and distribution company, the cost of distribution is a material component of the Cost of Goods Sold, and therefore any risks impacting distribution should be included. Consideration of the impact of the sub elements of distribution can be used to determine what specific risk mitigations should be put in place.
In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider distribution costs, or more importantly, the impact of changes in fuel costs as an element of their distribution costs. When fuel costs rose, so did their distribution costs, significantly. Net Income suffered badly.
Flip the Waterfall diagram on its side, and we have an excellent tool to help us identify “missed” risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and it helps us focus on, and in some cases identify, material risks.
It also enables the people with the most knowledge of each waterfall element the opportunity to discuss their elements, the make-up and breakdown of the elements, and to confirm the associated key risks. In addition, it supports challenge and common agreement of the material risks.
In the example above, Internal and External components of the waterfall element are listed, and discussed to confirm that associated risks have been identified. Quantification of the materiality of the risks was a secondary task, but by using this methodology, it was easy for the participants to understand quickly how any change in one of the waterfall elements impacts the overall performance of the business.
Of course, at the core of a successful risk identification (and confirmation - this should be done annually at least) is ensuring the widest range of people are involved. This most especially includes subject matter experts on each of the elements of the waterfall, and representation from Internal Audit to ensure a common risk universe is agreed.
The result is likely to be a much better aligned assessment of risk against business objectives.