People tend to think that risk management is about controlling, about auditing, and about avoiding damage. Even if this is not completely wrong, it does not tell the full story about the modern approach to the topic.  Risk management is about doing business, about generating profits and sustainable competitive advantage for the firm and its stakeholders; this includes avoiding damage, but most of all, generating value from the risks that the firm decides to assume.  The title of this post, a sentence that I adapted from Thomas Coleman’s A Practical Guide to Risk Management, gives this exact idea; risk management is about being able to assume certain risks, generating value when the outcomes are favorable, without going bankrupt when the outcomes are unfavorable.

In order to develop this concept we first need to understand that risk is about volatility, about uncertain events, about future outcomes that can be different (better or worse) than expected.  This means that risk can generate unexpected losses or unexpected profits.  Moreover, if we assume a risk, thus facing the probability that a certain outcome could be better or worse than expected, we are assuming the potential losses but in return we are awarded with the possibility of enjoying the potential profits.

No firm could ever exist without assuming some level of risk.  A company that does not assume any risk should not generate any profit above the risk-free rate, and its investors will not receive anything higher than a risk-free rate in return for their investment.  Every firm needs to assume some risk in order to exist: the profit generated by the potential upside of the risk factors is the reward for bearing the negative effects of their potential downside.  Top managers should be well aware about which are the risks that are driving the firm’s value creation.  Risk is the justification of profit!  According to this, we can define a company as an entity that is able to generate profits by assuming risks; an entity that transform risks into value for its stakeholders.

One of the problems with the implementation of risk management models is that in most cases they have been originated –and some times they are still driven- by the regulators’ requirements.  This means that the focus is put on avoiding the downside, instead of aiming for a balanced equilibrium between taking downside risk to obtain upside profit. Several of the companies that I discuss this issues with, have risk management as an auditing / control process, instead of having it as a part of the firm’s strategy.  Risk management should be relocated, as some companies are already doing, and positioned as one of the main duties of top management and as an integral part of the strategy of the firm.

Once this important issue is understood, strategy can be formulated in terms of which risks we want to assume in order to build a sustainable leadership position. When the firm thinks in terms of risk taking, there is a crucial issue to consider; how is the company prepared to cope with the risks it is assuming?  A brief example could help to understand the issue.

At the beginning of the present century (around 2001/2002), the perceived quality of Korean cars in the US was quite low.  At that time, Hyundai decided to make a bold move; they offered an extended and transferrable 10 years/100.000 miles warranty on their cars.  The company was essentially saying that the risk of poor quality was on them; in case the car happened not to be reliable, they where going to take care of the problem.  The strategy proved to be very good; as a result, the perceived quality of the brand improved starkly, rapidly becoming one of the highest perceived quality car brands in the country.  In normal settings, the car owner assumes the risk of poor quality of a car, at least after a few years of the date of purchase. Hyundai decided to assume an extra risk and was rewarded for that, its image improved significantly and its sales followed suit.  Obviously, in order to succeed with such a strategy, there were several crucial issues that Hyundai needed to achieve; cars needed to have the adequate quality, the service network needed to be able to service all those cars efficiently, the financial department needed to have the resources to assume the task, etc. In some sense, the whole firm needed to make sure they had the resources needed for assuming the quality risk and all the risks associated to it, and transform them into value for the stakeholders.

Similar examples include oil companies expanding operations into high political risk countries, tech companies entering into new (disruptive) technologies industries, financial institutions financing people that has no creditworthiness in poor countries, vulture funds buying distressed financial assets, etc…  In each of these cases, the companies are assuming risks that could have been avoided, but they decided to add a specific risk to their risk portfolio, because they believed that they could transform this into value.  At the end of the day, this is the essence of the modern conception of risk management, choosing which are the risks that the company is going to assume and generating value form them, by profiting from the upside, controlling the downside!