COVER STORY


Risky business no more

Enterprise risk management means innovation

What happens if we are challenged with a product liability lawsuit?

How much do we stand to lose if a big customer defaults on our credit agreement?

How much business will we lose if Company X enters our market?

What is the potential impact on our business of an outbreak of mad cow disease or avian flu within certain regions?

Risk is a part of everyday life in the business world. But some would say businesses could not profit or thrive without it. That's because out of risk comes opportunity. The key is being able to successfully manage and understand the major risks to the business. Decision makers need to be aware of the scope, consequences and relevance of potential risks, which can come both from within and outside the enterprise. Effective risk management requires, above all else, information about what is going on across the business and the external environment in which that business is conducted.

Risk management is also being codified in the laws and regulations of many nations. A bevy of regulations—such as the Sarbanes-Oxley Act, the Basel II Accord and the USA Patriot Act—put the onus on companies to better track and manage potential risks. The laws themselves add a new layer of risk, since noncompliance can mean stiff penalties for the business.

For years, risk management was an arcane exercise practiced within the deep recesses of insurance companies and nuclear development facilities. However, organizations of all types are increasingly recognizing that they can use risk management tools and methodologies to recognize, prioritize and prepare for uncertainty. There is also a growing recognition that the ability to effectively manage risk has a direct impact on the bottom line.

The range of risks

What are some of the key areas ERM needs to address? The leading risk categories faced by enterprises of all sizes in all industries include the following:

Operational risks may consist of production problems, product quality issues, supply chain issues, capacity issues, inventory shortfalls, poor management controls, ineffective or underfunded R&D, supplier problems and weather-related losses or disruptions.

Financial risks encompass fraud, accounting problems, high debt, high interest rates, poor financial management, cost overruns and poor financial strategies.

Strategic risks include inadequate competitive intelligence, M&A miscalculations and shortfalls in demand.

Market/competitive risks comprise surprises in the marketplace, such as economic downturns, price undercutting by new competitors, new business models, failure to innovate, overseas competition, demand shortfalls and price pressure.

Customer risks cover potential customer defections or losses, failure or inability of customers to pay for goods or services in a timely fashion, or actions that damage the business, such as lawsuits.

Political and social risks may include industry-wide crises, political or economic crises, terrorism and public health crises.

Technology risks may arise from reliance on outdated systems, failed implementations of new systems, computer viruses, worms or hacking.

Reputation risks stem from unfavorable publicity around lawsuits, executive missteps, employee fraud, ineffective responses to regulations or government actions/investigations.

What is enterprise risk management?
Enterprise risk management, or ERM, lifts the practice of risk management from specialized niches to the top of organizations' agendas. ERM is still a relatively new discipline, and many organizations are just starting to understand its advantages. "Being able to identify and quantify potential risks associated with a transaction enables decision makers to better assess whether they are achieving desired returns," says Patricia Endres, partner with Accenture. "This discipline enables companies to achieve the optimal balance of risk and reward and better differentiate investment alternatives."

In the past, risk specialists were typically Ph.D.-level nuclear physicists, relates Debbie Williams, analyst with IDC. Risk management tools were custom-built and based on complex mathematical models. "There's still some pretty sophisticated math at the core of most quantitative techniques behind risk," she observes.

However, the complex algorithms underneath the covers should not deter businesses from making ERM part of their management practices. The challenge now, Williams relates, "is to convert these techniques into reporting tools. It has to be made understandable, and relevant to the business." To some extent, government mandates address some key risk management issues. But ERM can bring far greater value to a business than simply meeting compliance reporting mandates.

The goal of ERM is to track, quantify and respond to all potential categories of risk across the entire enterprise. Executives recognize the vulnerability of their businesses in the wake of events that shook the business world throughout this decade—the dot-com bubble, the 9/11 terrorist attacks, natural disasters and various accounting scandals. Even more importantly, organizations need to address the more mundane, but more likely, events that could occur on a day-to-day basis, such as bad publicity that could sink stock prices, a key partner going out of business or a systems crash that could disrupt transaction flows.

Typically, only parts of organizations practice risk management, and those activities neither adequately nor holistically address the range of events that can alter an organization's profit picture. These events include operational risks, financial risks, strategic risks, market or competitive risks, customer risks, political and social risks, technology risks and reputational risks.

While a single event may not directly affect the bottom line, a confluence of risk factors often spells trouble for organizations. A survey of 100 companies by Deloitte & Touche found that 80% of the companies that suffered the greatest losses in share value were exposed to multiple risks during the reporting period. These firms may have placed too much emphasis on one type of risk, such as strategic risk, and have had too much exposure to other forms of risk, such as operational or financial risk. Six out of ten had been exposed to a strategic, external, or operational risk, and about 40% reported financial risks during their periods of decline.

Fragmented risk management efforts inevitably lead to "a continued interest in tactical, rather than strategic, responses to risk," says H. Felix Kloman of Risk Management Reports. These can include "buying liability or property insurance; managing currency and interest hedges; reducing employee injuries; or protecting environmental resources," he says. Such fragmentation results in lack of communication, misguided compensation and conflicts of interest. He asks, "Who is watching the entire store?"

ERM looks at this whole picture, covering, as much as possible, the entire range of risks faced by organizations. ERM also helps decision makers prioritize the impact of risks on their business.

The value of risk
Risk is everywhere, but at the same time, the management of risk is one of the most compelling opportunities organizations have today for achieving innovations that will accelerate agility, growth and operational efficiency. However, ERM will vary greatly from company to company, depending on a company's "risk appetite." What one company deems an unacceptable level of risk may be perfectly acceptable to another. The ERM process helps decision makers assess these risks, and better target their organization's resources.

Everyone agrees that there are many operational risks that could affect a business's performance, and some risks may be negligible for some organizations, Williams points out. For example, business may be too good—also a risk—and cause the organization to hit the ceiling with its production capacity. "Ultimately, it may not matter if you still make more money," she points out. "But it will matter if you start losing money because you can't adequately serve your customers and they go somewhere else, or if you overpromise, or run afoul of compliance, and you are losing money as a result. That's what defines risk management."

The financial services industry—which has a direct stake in what happens to its money—has been at the forefront of contemporary ERM initiatives. Many banks have been concentrating on developing more advanced and comprehensive risk management methodologies in recent years and are extending the focus beyond market and credit risk to operational and business risk. In fact, at this time, "the three biggest risks for financial firms are market risk, credit risk and operational risk," said IDC's Williams. "And there are a lot of different pieces underneath those categories. Some of those we manage better than others. For example, credit risks in lending portfolios are covered by loan loss reserves and other kinds of mechanisms. But as for operational risks, some institutions have just disappeared, because they didn't anticipate rogue traders."

New regulations, such as the next set of requirements published by the Bank of International Settlements' Basel Committee for Banking Supervision (BCBS) and known globally as Basel II, are adding impetus to broader ERM initiatives. Many banks currently have processes for managing operational risk within specific departments or business units and are now looking at extending these practices across the entirety of their organizations. By the end of 2006, Basel II—which requires that financial institutions have enough capital set aside to cover unexpected financial losses—will give operational risk the same weight as market or credit risk. Beyond Basel II, many financial institutions recognize that effective and innovative ERM provides dividends from both a competitive and strategic perspective.

In this heightened regulatory climate, a bank's senior management could be called upon at a moment's notice to provide details on potential areas of exposure. With an effective ERM effort, decision makers can access near real-time information from across all major product groups and provide an accurate picture of where the institution stands.

This approach has business benefits as well. In the bank scenario above, an ERM system supported by near real-time, event-based limit management can help reduce risky exposures among customer groups. It can also help financial traders see where customers are well within limits, and therefore keep growing the relationships. The managed limits can be set by countries, product groups, counterparties, business partner structures or industry sectors—or by any combination of those groups. Once those limits are established in the event-based system, triggers will alert employees when a limit is breached by a certain activity. Traders can conduct more deals without undue delay in the credit process.

Non-financial services companies are also beginning to examine ERM, and the rewards of effective organization-wide risk management can be just as compelling for these companies. For example, the greatest risk to a shipping company may not come from the hazards of maritime travel—such as stormy seas or equipment failures—but from the costly delays created by the reporting of inaccurate information to government agencies, such as port authorities. Not only are the fines and penalties severe, but discrepancies in reporting also can tie up a vessel in dock for weeks—leaving the crew idle, and customers waiting. An ERM initiative could help identify gaps in key information reporting.

The eight critical steps to risk management

ERM consists of eight interrelated components. These components are as follows:

  1. Internal environment. The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
  2. Objective setting. Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
  3. Event identification. Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
  4. Risk assessment. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
  5. Risk response. Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
  6. Control activities. Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
  7. Information and communication. Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
  8. Monitoring. The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

ERM equals innovation
In 2004, in response to the spate of compliance mandates, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued guidelines that acknowledged the growing potency of ERM as not only a compliance tool but as a vital change mechanism that presents new opportunities for growth. "Uncertainty presents both risk and opportunity, with the potential to erode or enhance value," the document stated, noting that ERM provides a path for more effectively dealing with uncertainty.

"The name of the game is not so much eradicating risk; it's making sure that the risk is aligned with the organization's risk appetite," says Williams. "It helps ensure that they're not taking more risk than they intend to take but also ensure that they are getting an adequate return on the risks they are taking. It's a matter of using risk information to adequately align the activities of the organization around profitable risk-taking activities."

ERM enables organizations to prepare for and minimize the impact of unforeseen events, as well as sharpen their ability to meet objectives related to strategic direction, operations, reporting and compliance. ERM brings together efforts to link information with strategy and growth, as well as minimize risk. "You have to be vigilant about what is changing tomorrow, and you have to be able to adjust to that change," agrees Rajeev Rawat, president of BI Results. "You need an infrastructure that is agile, that can adjust to whatever changes take place within and outside the enterprise."

To get there, ERM needs to become a part of everyone's job, and part of the daily management of the enterprise. As organizations embrace ERM, they "will acknowledge that risk management is not the privileged province of specialists but the responsibility of all employees," according to Risk Management Reports' Kloman. "Risk management will become part of the organization's culture."

Organizations embracing ERM need a strategy that combines both management and technology, Williams adds. "You need to have intelligently designed processes and management policies in place that dictate how one reacts to information as they get it," she explains. "You need to consider your goals and your appetite for risk. You need a culture in place that supports the application of those policies and procedures."

For example, a vital and often overlooked element within an ERM-driven corporate culture is compensation structure. A sophisticated risk-analytics engine may deliver a color-coded dashboard to customer service representatives, showing the potential value of a customer to the organization. However, Endres asks, "How do you motivate the customer service representatives to correctly price the deal to justify the risk being taken? Compensation needs to be based on the quality of sales, not just on the volume. Risk is how we can measure the quality."

"If you don't change the compensation models and reward risk-based decisions and actions," she says, "then you will continue to face the risk of unprofitable sales in the form of future write offs."

The success of ERM hinges not only on the quantity of information being delivered to decision makers but also on their ability to attach meaning to the data. "A system might produce a nice neat little report, but that doesn't imply a certain action as a result," says IDC's Williams. "The skill with which one interprets risk information and applies it and takes action is still what distinguishes leaders from losers in industry—not just having the better mousetrap in place. If you have 12 million transactions, and the number was 10 million yesterday, that doesn't tell you a heck of a lot."

Risk management means management—not technology, Williams emphasizes. But at the same time, an ERM effort will not succeed without technology. "Technology has the potential to help you to manage risk, and you really can't do a good job of managing without the technology. Risk management is just too complex, especially in large organizations. It would be like processing checks by hand. The size of most operations and the number of permutations of things that could happen are just too great. The systems can make an absolutely incomprehensible number of data points more comprehensible."

ERM requires that decision makers drill deep into their organizations' processes, says Rawat. "Financial information is just the tip of the iceberg," he points out. "On any given day, a large company manages millions of transactions. Those millions of transactions can be turned into some sort of decision, consolidation and performance measurement. Typically, this can represent as many as 400-500 measurable performance characteristics of a business. About 10% of those end up on dashboards, scorecards, or as key performance indicators. So, in order for you to do financial reporting right, you have to follow that entire value chain, to where you get the final reporting elements. And that's where you're beginning to see some lights come on in the executive suite."

Connecting the silos
Any time a company has suffered the consequences of unforeseen events, the root cause can be traced back to a lack of access to current information required for decision makers to respond quickly to emerging problems. In its study of 100 impacted companies, Deloitte concluded that addressing key risks effectively means improving internal information systems and communication mechanisms. An effective ERM effort needs "to ensure that senior management and boards of directors receive accurate, near real-time information on the causes, financial impact and possible solutions of control problems."

The greatest challenge to an effective ERM program lies in identifying and gathering relevant information from various silos across the organization. In many cases, data may reside in various formats, under separate owners, in separate systems across the enterprise.

"Risk and compliance data comes from many different sources," says Accenture's Endres. "The key is to begin with a focus on individual areas and building the data to support their needs, versus a 'build it and they will come' mentality. With sound data and systems design you can then begin to seek opportunities to consolidate the data and systems and gain the operational efficiencies. Processes must also be put in place that focus on ensuring the quality of the data, recognizing the differences in sources and interpretation. Users have to feel confident in the accuracy of the information and how it relates to their performance reports."

The success of an ERM effort depends on the organization's ability to move large quantities of data from these silos to a single point of access. "Enterprise risk management information stretches everywhere, from the back end to the front-office systems," says Endres. "Successful take up requires building a single version of the truth that people can trust in supporting the inputs to their management decisions."

With the success of ERM dependent on the ability to see and analyze what is happening at any given time or point around the organization, real-time or near real-time capabilities are essential. In some cases, decision makers need to be able to provide an accurate report on the firm's global exposure within hours at the request of a senior executive. For example, a regulator may want information—before the end of the day—about a company's exposures in certain regions. Many executives would be hard-pressed to find the relevant data, because it is spread across multiple silos.

One major bank had this challenge and was only able to report its risk position with 75% accuracy. The institution undertook an initiative to integrate its key data sources into an enterprise data warehouse, providing decision makers a comprehensive view of all essential exposures across product lines and business units. Since implementation of the system, managers can respond to senior management questions knowing that more than 99.5% of their data is now accurate.

Many decision makers recognize the value in creating a single corporate-wide repository for risk data. Integrated, holistic enterprise risk management needs to be supported by a single source of information. An effective ERM program should create a single view of all risks to the profitability or goals of the organization.

For a shipping company, any holdups in information could result in vessels being tied up at dock. Rawat, who was project manager to one shipping company's risk management effort, knows this firsthand. "They were required, for different vessels, to meet different regulations," he says. "What is the size of the hull? What is the capacity of the vessel? What kinds of products is the vessel certified to carry? What kind of ports is it registered at? All of these things have an impact on the cargo, its inspection process, the time it is in port. The kind of docks it can be in, the kind of labor that is applied to servicing the cargo. There are lots of regulations. And these things change by the kind of vessel that's being used."

On Rawat's project, vessels sat idle in ports about 15 days while these inspections were under way. "The risk was that wrong or incomplete information might be provided, which would lose more time, along with penalties," Rawat explained.

To better address these requirements, the company Rawat advised put a risk-analytics engine in place with an enterprise data warehouse environment. "They automated the process for decision making," he said. "The risk engine was customized with all of the rules that applied to a particular vessel. And they ended up achieving tremendous savings, which is they went from an inspection time of 15 days to one day. That meant their assets were freed up for 14 more days of billing. Their crew is functional and not waiting. Their customers were shipping."

Managing risk with Teradata

Unlike other industries, the financial services industry has been identifying, measuring and managing risks across their organizations for quite some time and has advanced many methodologies in the risk management discipline. This is because the industry uses risk—as well as money—as the "raw material" with which it drives profitability for its firms. This is just one of the reasons why financial services companies consider information to be so powerful. Information holds particular value when one company has information that another does not and can leverage it for revenue and profit growth in a highly commoditized business.

The data organizations collect will help meet even the most vexing enterprise risk management challenges. However, the separate silos of data spread across organizations prevent analysis and action. Teradata can provide unprecedented decision support capability for addressing the short- and long-term health of businesses.

Teradata's active data warehouse puts right-time, actionable information in the hands of decision makers when they need it. The Teradata Warehouse supports event-based management, enabling decision makers to establish thresholds and criteria for triggering reports as real-time information comes in from business lines from across the enterprise.

Specifically, the data warehouse and its analytical software applications help organizations:
institute effective enterprise risk management programs
improve reporting and meet regulatory requirements
understand the effectiveness, risk-adjusted profitability and interactions of distribution channels—and to act to optimize those channels
measure lifetime customer value
effectively acquire, cross sell to and retain the most profitable customers
use risk-based pricing to price products more effectively
cut costs by consolidating or eliminating legacy systems, exposing operational inefficiencies and modeling solutions

New compliance demands, such as Basel II, are helping to drive the integration of risk management and core processes. An integrated, centralized, forward-looking approach is needed to deliver on the intent of such new regulations. Even more critical is the long-term investment leverage that an information and data platform provides. An enterprise data warehouse enables companies to store the risk data once and enables the entire organization to drive its specific analytical requirements from a single view of the business. Only an enterprise-wide, integrated approach to risk management will set the stage for optimal deployment of resources. Teradata raises the profile of ERM, enabling through its technology the optimization of a company's risk-return profile and ultimately the overall profitability of the business.


A definition of enterprise risk management

In 2004, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published "Enterprise Risk Management: Integrated Framework," which looks at the factors in an ERM program.

COSO defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

These elements include the following:

Aligning risk appetite and strategy. Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks.

Enhancing risk response decisions. Enterprise risk management provides the rigor to identify and select among alternative risk responses—risk avoidance, reduction, sharing and acceptance.

Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

Identifying and managing multiple and cross-enterprise risk. Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts and integrated responses to multiple risks.

Seizing opportunities. By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

Improving deployment of capital. Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

© Teradata Magazine-March 2006

Copyright by Teradata Corporation 2001-2007.