Achieving transparency

Running with risk

Risk is a fact of business life. Taking and managing risk is part of what companies must do to create profits and shareholder value. But the corporate meltdowns of recent years suggest that many companies neither manage risk well nor fully understand the risks they are taking. Moreover, our research indicates that the problem goes well beyond a few high-profile scandals. McKinsey analyzed the performance of about 200 leading financial-services companies from 1997 to 2002 and found some 150 cases of significant financial distress at 90 of them. In other words, every second company was struck at least once, and some more frequently, by a severe risk event. Such events are thus a reality that management must deal with rather than an unlikely "tail event."

Directors confirm this view. A 2002 survey by McKinsey and the newsletter Directorship showed that 36 percent of participating directors felt they didn’t fully understand the major risks their businesses faced. An additional 24 percent said their board processes for overseeing risk management were ineffective, and 19 percent said their boards had no processes.

The directors’ unfamiliarity with risk management is often mirrored by senior managers, who traditionally focus on relatively simple performance metrics, such as net income, earnings per share, or Wall Street’s growth expectations. Risk-adjusted performance seldom figures in these managers’ targets. Improving risk management thus entails both the provision of effective oversight by the board (see sidebar, "Board oversight of risk management") and the integration of risk management into day-to-day decision making. Companies that fail to improve their risk-management processes face a different kind of risk: unexpected and sometimes severe financial losses (Exhibit 1) that make their cash flows and stock prices volatile and harm their reputation with customers, employees, and investors.

Companies might also be tempted to adopt a more risk-averse model of business in an attempt to protect themselves and their share prices. William H. Donaldson, the chairman of the US Securities and Exchange Commission (SEC), acknowledged this trend when he told an interviewer that he was concerned about a "loss of risk-taking zeal." It is the taking of risks that ultimately creates shareholder value. The right response, therefore, is to strike a balance that protects the company from the costs of financial distress while allowing space for entrepreneurship. Management should have the freedom to work in an environment where the potential rewards of any business decision are consciously weighed against the risks and where the company is happy with the level of risk-adjusted returns resulting from that decision.

In such an environment, companies not only protect themselves against unforeseen risks but also enjoy the competitive advantage that comes from taking on more risk more safely. The CEO of one Fortune 500 corporation, asked to explain his company’s declining performance, fingered the "lack of a culture of risk taking"; its absence, he explained, meant that the company was unable to create innovative, successful products. By contrast, a senior partner of a leading investment bank with excellent risk-management capabilities noted, "Our trading operation has created a series of controls that enable us to take more risk with more entrepreneurialism and, in the end, make more profits."

In a few industries, companies have already begun to invest in developing sound risk-management processes. For example, many financial institutions—prodded by regulators and shaken by periodic crises such as the US real-estate debacle of 1990, the emerging-markets crisis of 1997, and the bursting of the technology and telecommunications bubble in 2001—have worked to upgrade their risk-management capabilities over the past decade. In other sectors, such as energy, basic materials, and manufacturing, most companies still have much to learn.

Know what you face

We define risk broadly to include any event that might push a company’s financial performance below expectations. Typically, the measure used is capital at risk, earnings at risk, or cash flow at risk, depending upon whether the focus is on the balance sheet, the income statement, or cash flows.

Risk comes in four main varieties. The first, market risk, takes the form of exposure to adverse market price movements, such as the value of securities, exchange rates, interest rates or spreads, and commodity prices. Ford, for instance, was hit by market risk in 2002, when palladium prices tumbled and it had to take a $952 million write-down on its stockpile.

Credit risk is exposure to the possibility that a borrower or counterparty might fail to honor its contractual obligations. In 2002, for instance, The Bank of New York announced that it would increase its loan-loss provision by $185 million, to a total of $225 million, for the third quarter of 2002, largely because of loans it had made to telecom companies.

Operational risk is exposure to losses due to inadequate internal processes and systems and to external events. For example, Allfirst, a Baltimore-based subsidiary of Allied Irish Banks, lost $691 million at the hands of a single rogue trader whose practices went undetected for five years until he was caught in 2002.

Finally, business-volume risk, stemming from changes in demand or supply or from competition, is exposure to revenue volatility. The leading US carrier United Airlines, for instance, filed for protection under Chapter 11 of the US bankruptcy code this year after falling demand hit its revenues.

Lining up the essential elements

To manage risk properly, companies must first understand what risks they are taking. To do so, they need to make all of their major risks transparent and to define the types and amounts of risk they are willing to take—goals often facilitated by the creation of a high-performing risk-management organization that accurately identifies and measures risk and provides an independent assessment of it to the CEO and the board. Although these steps will go a long way toward improving corporate risk management, companies must also go beyond formal controls to develop a culture in which all managers automatically look at both risks and returns. Rewards should be based on an individual’s risk-adjusted—not simply financial—performance.

Achieving transparency

To manage risk properly, companies need to know exactly what risks they face and the potential impact on their fortunes. Often they don’t. One North American life insurance company had to write off hundreds of millions of dollars as a result of its investments in credit products that were high-yielding but structured in a risky manner. These instruments yielded good returns during the economic boom of the 1990s, but the severity of subsequent losses took top management by surprise.

Each industry faces its own variations on the four types of risks; each company should thus develop a taxonomy that builds on these broad risk categories. In pharmaceuticals, for instance, a company could face business-volume risk if a rival introduced a superior drug and higher operational risk if an unexpected product recall cut into revenues. In addition, the company would have to consider how to categorize and assess its R&D risk—if a new drug failed to win approval by the US Food and Drug Administration, say, or to meet safety requirements during clinical trials.

A company must not only understand the types of risk it bears but also know the amount of money at stake. Less obviously, it should understand how the risks different business units take might be linked and the effect on its overall level of risk. In other words, companies need an integrated view. American Express, for example, might discover that a sharp slump in the airline industry had exposed it to risk in three ways: business-volume risk in its travel-related services business, credit risk in its card business (the risk of reimbursing unused but paid-for tickets), and market risk from investments made in airline bonds or aircraft leases by its own insurance unit.

One way of gaining a transparent, integrated view is to use a heat map: a simple diagram showing the risks (broken down by risk category and amount) each business unit bears and an overall view of the corporate earnings at risk. The heat map tags exposures in different colors to highlight the greatest risk concentrations; red might indicate that a business unit’s risk accounted for more than 10 percent of a company’s overall capital, green for more than 5 percent. (Exhibit 2 shows a risk heat map that flags high credit risk in two units.) To make risks transparent—and to draw up an accurate heat map—companies need an effective system for reporting risk, and this requires a high-performing risk-management organization.

A heat map is a tool to foster dialogue among the board, senior management, and business-unit leaders. It should be reviewed frequently (perhaps monthly) by the top-management team and periodically (for instance, quarterly) by the board to help them decide whether the current level of risk can be tolerated and whether the company has attractive opportunities to take on more risk and earn commensurately larger returns. Are high concentrations of risk generating high returns or simply depressing shareholder value? Can the company adequately manage the types of highly concentrated risks it bears? If some risks are deemed too great, should they be handled through hedging contracts, say, or mitigated in some other fashion? A technology company, for example, might decide that its R&D portfolio had too many high-risk blockbuster projects and too few projects to enhance its existing products.

Date: 2015-12-24; view: 710