These elements will go a long way toward improving risk management but are unlikely to prevent all undue risk taking. Companies might thus impose formal controls—for instance, trading limits. Indeed, the recently adopted Sarbanes-Oxley Act, in the United States, makes certifying the adequacy of the formal controls a legal requirement. Yet since today’s businesses are so dynamic, it is impossible to create processes that cover every decision involving risk. To cope with this limitation, companies need to nurture a risk culture. The goal is not just to spot immediately the managers who take big risks but also to ensure that managers instinctively look at both risks and returns when making decisions.
To create a risk culture, companies need a formal, company-wide process to review risk, with each business unit developing its own risk profile that is then aggregated by the corporate center. The reviews are a way of ensuring that managers at every level understand the key risk issues and how they should be dealt with. Drawing up a monthly heat map is one way of establishing a formal risk-review process.
But more needs to be done. By focusing on risk-adjusted performance, not just on traditional accounting measures, business managers will develop a better understanding of the risk implications of their decisions. For businesses that require large amounts of risk capital, suitable metrics include shareholder value analysis and risk-adjusted returns on capital. A risk-adjusted lens helped one credit card company understand, contrary to expectations, that returns from new customers and customers about whom it had little information were more volatile than returns from existing customers, even if these groups had the same expected customer value. Historically, expected customer value had been the key metric for approving new customers. Now the approval process also takes into account the higher risk that is associated with new customers.
Companies must also provide education and training in risk management, which for many managers is quite unfamiliar, and establish effective incentives to encourage the right risk-return decisions at the front line. Judging the performance of business-unit heads on net income alone, for instance, could encourage excessive risk taking; risk-adjusted performance should be assessed, too. Ultimately, people must be held accountable for their behavior. Good risk behavior should be acknowledged and rewarded and clear penalties handed out to anyone who violates risk policy and processes.
Finally, to convey the message that the potential downside of every decision must be considered as carefully as the potential rewards, CEOs should be heard talking about risk as often as they talk about markets or customers. The CEO’s open recognition of the importance of good risk management will influence the entire company.
Even world-class risk management won’t eliminate unforeseen risks, but companies that successfully put the four best-practice elements in place are likely to encounter fewer and smaller unwelcome surprises. Moreover, these companies will be better equipped to run the risks needed to enhance the returns and growth of their businesses. Without adequate risk-management programs, companies may inadvertently take on levels of risk that leave them vulnerable to the next risk-management disaster, or, alternatively, they may pursue "recklessly conservative" strategies, forgoing attractive opportunities that their competitors can take. Either approach will surely be penalized by investors.
About the authors
Kevin Buehler is a principal and Gunnar Pritsch is an associate principal in McKinsey’s New York office.