Enterprise Risk Management: From Incentives to Controls

Author: James Lam

ISBN-10: 0471430005

ISBN-13: 9780471430001

Category: Risk Management

A comprehensive look at enterprise-wide risk management written by a high-profile risk manager

Failure to properly manage risk continues to plague corporate America–from Enron to Long-Term Capital Management. A company can survive and may even thrive if it has good people and bad processes, but it cannot if the reverse is true. The truth is a company’s risk profile is driven by the decisions and actions of its employees. Filled with valuable advice and expert insight, Enterprise Risk...

Praise for Enterprise Risk Management

"In the aftermath of Enron, WorldCom, and Sarbanes-Oxley, every publicly traded company should be concerned about risk management. This book takes a pragmatic approach to risk management that can benefit any CEO or senior executive. Lam lays out clear strategies to address what is often a highly complex issue." –William L. Walton, Chairman and CEO, Allied Capital Corporation

"James Lam provides one of the most practical, insightful books on risk management that I have read in the last thirty years. It clearly reflects experience and deep understanding of the art as well as the science in risk management practices. A must-read for all who wish to advance risk management practices in their businesses." –Sandra Jansky, Executive Vice President, Chief Credit Officer, SunTrust Banks, Inc. Chairperson, Risk Management Association

"In this book, James Lam has provided an effective overview of business risk. Enterprise Risk Management will be useful to professional risk managers and business executives seeking to understand the latest tools and organizational approaches." –Robert Simons, Charles M. Williams Professor of Business Administration, Unit Head–Accounting & Control, Harvard Business School

"The most comprehensive and engaging handbook on enterprise risk management, written by the pioneer of the Chief Risk Officer function. Filled with practical examples and lessons learned, this book is destined to become one of the most widely read primers on today’s top business initiative. James Lam is the authority on enterprise risk management, and I highly recommend this book to all board directors, senior executives, and risk managers." –Cassandra R. Schultz, Vice President and Chief Risk Officer, KeySpan Corporation

"James Lam’s book Enterprise Risk Management: From Incentives to Controls provides an insightful road map to best practices in risk management. Based on a solid and successful career in risk management, James’s advice is both timely and relevant and should be required reading for all risk management professionals." –Michael J. Litwin, Chief Credit and Risk Officer, Merrill Lynch Capital

Enterprise Risk Management
From Incentives to Controls

By JAMES LAM

John Wiley & Sons, Inc.

Copyright © 2003 James Lam
All rights reserved.
ISBN: 0-471-43000-5

Introduction

One evening in the autumn of 1995, I flew into Boston to have dinner with Denis McCarthy, then the chief financial officer of Fidelity Investments. McCarthy was the person to whom I would report if I accepted an offer to become the first chief risk officer for the corporation. I asked him what the main objective would be for this new position. His reply: "We want to operate in an environment in control, not a controlled environment."

I took that job with the understanding that Fidelity wanted to improve its risk management practices, but not at the price of destroying the entrepreneurial spirit and product innovation that had made it the largest mutual fund company in the United States.

Fidelity was not alone then and is not alone now. Every business faces the parallel challenges of growing earnings and managing risks. A thriving business must identify and meet customer needs with quality services and products; recruit and retain talented people; and correctly make business and investment decisions that will lead to future profit opportunities. However, the pursuit of new profit opportunities means that a business must take on a variety of risks. All of these risks must be effectively measured and managed across the business enterprise.

Otherwise, today's promising business ventures may end up being tomorrow's financial disasters. As I am fond of telling audiences when speaking on the importance of risk management, over the longer term, the only alternative to risk management is crisis management-and crisis management is much more expensive, time consuming, and embarrassing. The majority of such audiences have experienced one or more crises in their time, so this is a message that rings true.

Every business decision involves an element of risk.
There are risks involved in making investments, hedging with derivatives, or extending credit to a retail customer or business entity. There are also risks involved when developing and pricing new products, hiring and training new employees, aligning performance measurement and incentives with business objectives, and establishing a culture that balances revenue growth and risk management.

Over time, individual business decisions and risks collectively build up into a company's overall risk portfolio, which will have a unique risk profile. This risk profile will determine the company's earnings-and earnings volatility-over the business cycle. Some decisions will be winners and some will be losers. Some risks will offset each other, some risks will be unrelated to each other, and some will compound each other. In order to manage risk effectively, a business must address not only its underlying risks, but also the interrelationships between them.

As we will see from the numerous case studies discussed in this book, ineffective risk management can lead to reduced earnings or even bankruptcy. However, risk management means different things to different people. In this book, risk management is defined in its broadest business sense. Risk management is not just about using derivatives to manage interest rate and foreign exchange exposures-it is about using a portfolio approach to manage the full range of risks faced by an enterprise. Nor is risk management only about establishing the right control systems and processes-it is also about having the right people and risk culture. And although the term has come to bear some negative connotations, risk management is not only about reducing downside potential or the probability of pain, but also about increasing upside opportunity or the prospects for gain.

Individual investors managing their investments must be careful when it comes to the amount of risk that they take on.
If they take on too much risk, perhaps by making aggressive investments, the losses could exceed their risk tolerance, or be too uncertain for comfort. On the other hand, if they fail to take on enough risk, by making conservative investments, they may earn returns that are stable, but inadequate for achieving the investor's financial objectives.

Striking an optimal balance between risk and return is not only important to the individual investor, it is also an imperative for business management. The concept of "no risk, no return" is widely accepted in the business world. A corollary to that concept is "higher risk, higher return," a positive relationship illustrated in Figure 1.1. This is how many people think about the trade-off between risk and return, and it has the virtue of simplicity. However, it is certainly not valid if risk is put into its proper perspective.

A better way to think about risk and return is illustrated in Figure 1.2. The focus is no longer on the relationship between risk and absolute return, but about the relative or risk-adjusted return. A company in zone 1 is not taking enough risk, and its capital is being underutilized. This company would be better off increasing risk through a growth or acquisition strategy, or reducing capital through higher dividends. In zone 3, however, the company is taking too much risk. This company's risk level is above and beyond its risk absorption capability in terms of capital, and/or its risk management capability in terms of people and systems.

In zone 2, the company has found the "sweet spot" that optimizes its risk/return profile. The problem is that most companies do not even have good information on enterprise-wide risk exposures (which is to say, where they are on the horizontal axis), let alone where they are on the risk-adjusted return curve.
To make matters worse, the net present value and economic value-added models frequently used in strategic planning naturally favor higher-risk investments unless proper adjustments are made to account for risk. Over time, investments guided by these unadjusted models may inadvertently lead a company to drift into zone 3.

A principal message of this book is that a company should develop an integrated approach to measuring and managing all of its risks in order to optimize its risk/return profile. A key management requirement for risk/return optimization is to integrate risk management in the business processes of the company.

We've seen, then, that risk is an inescapable part of doing business and argued that a business should strive toward its optimal risk/return profile. However, there is another question that deserves examination: why manage risk? Indeed, why read this book?

A company could conceivably agree that it bears risks but feels it inappropriate to manage them, rather than simply live with them. Risk management may seem to be irrelevant, too costly, or not in accordance with the interests of the company's stakeholders. Some academics have argued positions close to these, as we will see. Certainly, before a company invests money and other valuable resources into risk management (and before the reader spends any more time reading this book), the "value proposition" of risk management needs to be clearly established.

Perhaps the best way to answer the question "why manage risk?" is to borrow a popular technique used by diet and other self-improvement programs. That simple but effective technique is to paint a clear picture of the gain of action along with an equally clear picture of the pain of inaction. In the next section, we'll paint the happy picture: the benefits of effective risk management in terms of the expected benefits and gains.
In the section thereafter, we'll paint the dire picture of the severe negative consequences-the pain-that may be suffered if effective risk management is not in place.

THE BENEFITS OF RISK MANAGEMENT

Numerous academic papers have established the theoretical basis for managing risk, arguing that it can reduce taxes, reduce transaction costs, and improve investment decisions. However, beyond the theory there are at least four practical reasons why risk management should be of paramount importance to the management of a firm. In this practical context, risk management should be defined more broadly, to include internal controls as well as hedging.

Let's now take a look at these four reasons in turn.

Reason #1. Managing risk is management's job. One notion in modern finance theory is that managing risk, or more specifically hedging, is not necessary because an investor can reduce risk through a diversified investment portfolio. Regardless of what some theoreticians may argue, you will never in the real world hear a fund manager or individual investor tell a company's management, "Don't worry about managing risk or bankrupting the company-I have a large diversified portfolio."

Managing the risks of a business enterprise is the direct responsibility of its management, not of its shareholders. While modern portfolio theory is a major contributor to the theory and practice of finance and risk management today, the argument that the investor can better manage or diversify risks does not ring true in the real world. The average individual investor probably spends more time buying a new car than addressing the risks of his or her investment portfolio.
Even the professional fund manager is several degrees away from the "insider knowledge" required for effective risk management, which includes:

* Historical data on risk/return results, volatilities, and correlations
* Current risk exposures and concentrations in the business
* Future business and investment plans that may alter the firm's risk profile

Given the complexity of the above information, as well as the lack of full transparency to outsiders, the shareholder cannot be expected to make optimal risk/return decisions. Measuring and managing enterprise-wide risks is a great challenge even for the enterprise's management, which has superior access to information and support from risk management professionals. The most that shareholders can do is to elect an independent and risk-astute board that will represent their interests, and walk away with their investment dollars if they are not happy with management's performance. In the meantime, it remains management's job to ensure that the company achieves its business objectives and is not exposed to excessive risks.

Reason #2. Managing risk can reduce earnings volatility. One of the key objectives of risk management is to reduce the sensitivity of a firm's earnings and market value to external variables. For example, the stock prices of companies that are more active in, say, market risk management should exhibit lower sensitivity to market prices. This is borne out by the empirical evidence. For example, a study published in 1998 by Peter Tufano of the Harvard Business School ranked gold producers in terms of the intensity of their hedging activities. The conclusion was that the stock prices of those in the top quartile were about 23 percent less sensitive to gold price changes than those of the bottom quartile. Companies exposed to interest rates, foreign exchange rates, energy prices, and other market variables can better manage earnings volatility through risk management.
Managing earnings volatility today is more important than ever given that the stock market severely punishes stocks that fail to meet earnings expectations. At the same time, the Securities and Exchange Commission (SEC) and other regulatory bodies are cracking down on "earnings management" practices that use accounting techniques to smooth out earnings. In this business environment, management must pay more attention to managing the underlying risks of the business.

Reason #3. Managing risk can maximize shareholder value. In addition to managing earnings volatility, risk management can help a business enterprise to achieve its business objectives and maximize shareholder value. Companies that undertake a risk-based program for shareholder value management typically identify opportunities for risk management and business optimization that can add 20 to 30 percent or more to shareholder value. Such improvements can be achieved by ensuring that:

* Target investment returns and product pricing are established at levels that reflect the underlying risks.
* Capital is allocated to projects and businesses with the most attractive risk-adjusted returns, and risk-transfer strategies are executed to optimize portfolio risk and return.
* The company has the appropriate skills to manage all of its risks, in order to protect against large financial losses or damage to its reputation or brand.
* Performance metrics and incentives, at both the individual and business unit levels, are in congruence with the enterprise's business and risk objectives.
* Key management decisions, such as mergers and acquisitions and business planning, explicitly incorporate the element of risk.

Strategies for achieving these objectives, and case studies of how they work in practice, will be discussed in the main sections of the book.

A 1998 study by George Allayannis and James Weston of the University of Virginia has supported the notion that active risk management contributes to shareholder
value. Allayannis and Weston compared the ratio of market value to book value for companies that were more or less active in market risk management between 1990 and 1995, as measured by their hedging activities. They found that the more active companies were rewarded with an average increase of 20 percent in market value. Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.

Reason #4. Risk management promotes job and financial security. On an individual level, perhaps the most compelling benefit of risk management is that it promotes job and financial security, especially for senior managers. In the aftermath of the fall 1998 turmoil in financial markets, a significant number of chief executive officers (CEOs), chief operating officers, chief risk officers, and business group heads of financial institutions lost their jobs because of poor risk management performance. Senior executives in other industries have faced a similar fate in the wake of risk management problems. More recently, senior executives involved in corporate frauds and accounting scandals have appeared on national television being led away in handcuffs and face the potential of severe criminal sentences.

In addition to "career risks," senior executives with a significant portion of their wealth tied up in company stocks and options have a direct financial interest in the success and survival of the firm. These incentives, if structured appropriately, work to put the "skin in the game" for managers, resulting in a strong alignment between management and shareholder interests.

Continues...

Excerpted from Enterprise Risk Management by JAMES LAM Copyright © 2003 by James Lam. Excerpted by permission.

All rights reserved.
No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Preface
Acknowledgments
Sect. 1 Risk Management in Context
Ch. 1 Introduction
Ch. 2 Lessons Learned
Ch. 3 Concepts and Processes
Sect. 2 The Enterprise Risk Management Framework
Ch. 4 What is Enterprise Risk Management?
Ch. 5 Corporate Governance
Ch. 6 Line Management
Ch. 7 Portfolio Management
Ch. 8 Risk Transfer
Ch. 9 Risk Analytics
Ch. 10 Data and Technology
Ch. 11 Stakeholder Management
Sect. 3 Risk Management Applications
Ch. 12 Credit Risk Management
Ch. 13 Market Risk Management
Ch. 14 Operational Risk Management
Ch. 15 Business Applications
Ch. 16 Financial Institutions
Ch. 17 Energy Firms
Ch. 18 Nonfinancial Corporations
Sect. 4 A Look to the Future
Ch. 19 Predictions
Ch. 20 Everlast Financial
Index