Ten Questions that will improve your Risk Management

I am not a big fan of recipes in management; recipes work fine in a lab, in situations in which everything is controlled, in social sciences, however, recipes tend to work for some time and then fail. As soon as some of the fundamentals change, recipes tend to lose effectiveness. In my opinion the only way of doing things right is by learning how to think about the problems in a correct way. One of the best ways to think and learn about something is by asking the correct questions and thinking about them.   This is what I pretend to do in this article by proposing a set of questions about risk management that we need to think about. If we do a good job in this “thinking process”, we should improve the risk management practice of the firm.

1) Do you know which are the risks faced by your company?
It is not easy to list all the risks faced by a firm. Most of the times the list of risks firms use is bluntly incomplete, and they are hit by a risk that was not considered in any scenario, but happens anyway. Risks –that are usually classified, by its origin, in financial, operational, political and strategic- need to be listed, and this list must be done by the firm, no outsider can do it for you. The best way of assuring that the list will be complete is by having a heterogeneous team of senior management discussing it; the group should have heterogeneity coming from position, department, seniority, etc. The risk listing is the essential starting point of any good risk management process, having an incomplete risk map is one of the most frequent mistakes; if the risk is not listed in this first step it will not be considered in the whole process, and this could be dangerous.

2) Have you ever made the effort in learning the determinants of the risks that your firm is facing?
Managers need to know and understand the risk their firms are facing. Understanding a risk entails the need of knowing its past behavior, and trying to understand its future path. The future behavior of some risk factors is very difficult to predict, but in some cases we could have some additional information by knowing and understanding their determinants. The determinant of a given risk factor is what causes this factor to move in a certain way. For example, the determinants of the Arab Spring that took down President Mubarak in Egypt in 2011, where the underlying forces that were at work in the Egyptian Society (social discontent, economic weakness, years that Mubarak has been in power, etc…), that caused the population to rise against its government. Knowing the determinants of the mayor risks helps managers to understand their risks and to do a better job in predicting the future path. It is crucial that each determinant has an assigned owner; somebody in charge of understanding it, following the news on the matter, and informing them to whoever is in charge of it. This is a crucial step in risk management and in my experience one of the least developed aspects in the corporate world.

3) Do you know the probability of occurrence and the impact of the risks that your company is facing?
It is quite common that risks are organized in a Heat Map using two dimensions; (i) the magnitude of the potential impact and (ii) the distribution or probability of occurrence. This is an important step for the risk management process, since it helps us categorizing the importance of each risk for the organization. These estimations have to be made by those managers that have a better understanding of the risks, and do not need to be expressed in a quantitative manner; a low, medium, high, with a very low and very high in each scale will be sufficient to have a visual classification of the risks.

4) Have you ever considered where are those risks affecting your company? Is it in your cash flow, in the firm value, in the firm’s reputation, in its ability to compete, in its ability to attract talent?
When estimating the impact of a given risk factor it is extremely important to make sure we analyze its effect on cash flows and firm value, as usual, but we also consider the effects on reputation, and on the firm’s ability to compete and attract talent. I am aware that the effects of risk might end hitting the cash flows and firm value anyway, but knowing if we want to protect cash flow or reputation will be crucial for designing hedging strategies.

5) Have you screened which are all the possible hedging strategies for the risks in your risk map?
We need to study all the possible strategies that will help us mitigating or diminishing the risks faced by a firm. We need to diminish the probability of occurrence or the impact of the risk. This can be achieved by: (i) operational decisions (operational is not supposed to mean low-level decisions, it means decisions regarding the business operation and strategy), (ii) insurance contracts, and (iii) strategies using derivatives. It is important to know all the available hedging strategies so we can have more information for our next crucial decision; the one about which risks to be assumed and which risks to be transferred.

6) Which are the risks that you want to assume and which are those you want to transfer to others? Which are the risks by which your firm generates value for its stakeholders?
Life is risk; without risk there is no satisfaction. A firm cannot exist without assuming certain risks; no investor would invest in a firm that does not generate any profit above the risk-free rate. According to this intuition, a firm is an entity that generates value for its stakeholders by assuming the right risks, and efficiently transferring the other ones. Firms that do not have a well designed and established risk management practice go through existence by randomly bumping into all the risks that they meet in their way, and their generation of profit is a random process representing the average between the value created by the upside and the value destroyed by the downside.

7) How much of each risk (I am considering those risks that you decided to assume) are you planning to assume? Have you set a limit to the potential losses?
When a manager decides that the firm will assume a certain risk, the next important step is to define the adequate level of maximum risk that the firm will assume. In other words, they need to decide how much volatility of that risk factor they will assume. For this step to be well defined we need to (i) assign an owner to all the determinants of the risk under analysis, and (ii) define the strategy for an efficient elimination of the additional volatility in case it is needed. In other words, a firm deciding to assume oil price risk, will need to assign owners to the determinants of oil prices volatility, and decide at which level of oil prices they will have an option that will eliminate the residual risk.

8) Do you have a formal system that allows the risk related information obtained or generated by the individuals in your organization, to reach the adequate destination?
One of the most common problems in risk management is to generate a formal channel for the risk information to flow. A successful model requires a change in people’s awareness regarding the important of risk management, and a channel through which the valuable information is conveyed. Doing the former without the latter will only produce frustration in the organization, and having only the formal system without any awareness will only produce bureaucracy. People needs to have a –simple- procedure manual that explains who is in charge of looking at what, and who should they inform when there are news regarding that matter. The manual should also set the hedging policies.

9) How embedded is your risk management process in your competitive strategy? Do you really understand that risk management is about making money while avoiding losses? What is the meaning of “Profiting from the Upside Controlling the Downside”?
Risk management should be a part of our strategic planning process. As we said above, a firm generates value by assuming the right risks, it essentially does it by profiting when variables behave better than expected, but not running into trouble when variables behave worse than expected. In other words firms should profit from the upside generated by “good volatility”, controlling the downside generated by “bad volatility”. For this it is crucial to have risk management as a part of the strategy, and not as a part of the auditing process. Auditing should be on board, but not in charge.

10) Who is coordinating all the risk management efforts in the organizations?
A good risk management practice needs a team leader. It needs to have somebody in the organization that is supervising the whole process. The person in charge of the coordination of the whole practice is the chief risk officer, or CRO. The CRO is a new function for most organizations that are still struggling to find the best way of coordinating the risk management efforts. It has to be a senior person, with the ability of understanding the various different tasks involved in risk management (that change across firms), and of supervising and coordinating different senior executives in their risk management tasks. It is a position that we will start seeing more and more in the years to come.

The discussion of these ten questions with firms’ senior management will help organizations to have a much greater awareness about the importance of risk management; the first step towards improving their risk management abilities.