Risk management minimises downside
Risk is inherent in any activity, particularly in a business venture. There is a saying that ‘when there is no risk, there is no gain’. Those, who do not want to expose their investments to any kind of risk, invest in risk-free securities like treasury bills, sovereign bonds, deposits in post offices and perhaps, in fixed deposits with banks. Those, who invest in equity capital of a company, aim for a return higher than the risk-free return and therefore, they do not expect management to take steps to eliminate risks. However they expect the management to manage risks.
The Indian corporate governance code (Clause 49 of the Listing Agreement) requires a company to lay down procedures to inform the board members about the risk assessment and minimisation procedure. These procedures should be periodically reviewed to ensure that executive management controls risks through means of a properly defined framework.
Risk management
The aim of risk management is to ‘minimize the down side and maximise the upside’. Risk is viewed as hazards as well as opportunities. Risk management endeavours to balance risk, growth and return. This requires the management and the board to define the risk appetite. Risk appetite is the amount of risk the entity is willing to take in pursuit of its objectives. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. It is similar to the risk appetite of individuals.
We may generally state that individuals in their endeavour to create wealth take different levels of risks. For example, one may willingly take an assignment in politically or otherwise disturbed territory, while the other may not like to take such an assignment and may decide a lower target of wealth creation as compared to the target established by that other individual. Risk appetite is determined by the propensity to take risk and risk perception.
Propensity to take risk is driven by the expected reward from taking the risk and risk perception is based on accidental loss suffered by the individual or its acquaintances. Risk appetite differs between entities, even among those which are operating in the same industry. Strategic choice made by an entity should be consistent with the risk appetite established by the board.
Risk environment
Risk appetite is a part of internal environment. Internal environment is the background against which the risk management system operates. The environment determines the entity’s response to risks. Internal environment is influenced by the entity’s history and culture. It comprises many elements including entity’s ethical values, competence, development of personnel, management’s philosophy for managing risk, and how it assigns authority and responsibility.
‘Integrity and ethical value’ is the by-product of the entity’s culture. The risk management cannot rise above the standard of ‘integrity and ethical value’ of the entity. It is quite difficult to establish high standard of ethical values because of the conflicting interests of various stakeholders. The board has the responsibility of establishing ethical values within the entity.
Establishing right ‘corporate code of conduct’ by itself is not enough for establishing ethical values. It removes ignorance and confusion among employees and others about what is right and what is wrong. But it seldom establishes ethical values. Ethical values are established by the behaviour of the top management and the management style.
For example, if an entity does not have a ‘whistleblower policy’ and if it discourages reporting of unethical behaviours by employees, it is quite likely that the ethical standard in the entity would be low. Similarly, if unrealistic targets are established and achievement of targets is rewarded irrespective of how the targets are achieved, employees would be tempted to resort to unethical behaviour. For example, if the management keeps a blind eye on whether an order from a customer is procured through bribing and rewards the successful employee, employees get the signal that corruption in the entity is encouraged.
Such a behaviour increases the ‘reputation risk’ significantly and may hurt the long term interest of shareholders. It is the responsibility of the board members, particularly independent directors to understand and evaluate the management behaviour and the management style and to monitor the same, may be informally.
Value drivers and risks
Entities undertake activities that enhance shareholder value and protect interests of other stakeholders. We may call them value drivers. Every value driver has associated costs and risks. For example, for a particular entity ‘after-sales service’ is an important value drier. Associated risks are that the entity may fail to respond to customer’s call quickly, non-availability of components and parts might delay the service and competence might be in short supply because employees with right competence leave the job or the entity due to extensive site visits.
Risk management requires identification of risks associated with every activity and every strategic choice. This involves identification of events that might occur in future. Management should involve as many employees as possible and all stakeholder groups in the risk identification process.
Risk-assessment and risk-mapping
Risk-assessment involves estimation of the likelihood that an event will occur and the impact of the event on the value or profit of the entity if it occurs. Sophisticated quantitative methods may be applied in risk assessment. However, most entities do not apply sophisticated methods. They classify likelihood and impact in three categories: low, medium and high. They prepare three-three matrix to map risks. However, depending on the nature of the industry and the strategic choice made by an entity, it may plot risks/events in five-five or seven-seven matrix. Mapping of risks/events helps to develop risk responses.
Risk responses
Risk responses depend on the risk management philosophy of the entity, its risk-appetite and cost-benefit analysis. Typical risk responses are: avoidance (exit the activity); Reduction of the likelihood and/or impact by introducing control or by enhancing the capability of the process; sharing a proportion of risk through insurance, hedging, joint venture or outsourcing; and acceptance of the risk without any action to reduce the likelihood or impact of risk. The implementation of responses developed by the management should be monitored regularly.
Conclusion
Some experts think in terms of risk-management maturity cycle: risk naive, risk aware (silo-approach to risk management), risk defined (risk appetite is defined), risk managed (risk management system is established) and risk enabled. In a risk-enabled organisation risk-management is embedded in operations. It is important for the management and the board of directors to assess the present position of the entity in the risk- management maturity cycle.
The management and the board should agree to the road map to become a risk-enabled entity. Strategic choices should be aligned to risk-appetite and risk management system should be aligned to the strategy and strategy implementation process. Monitoring is an important element of enterprise risk management. In a dynamic environment, risk management system breaks down unless it is regularly recalibrated to keep it effective in a changing environment.