Truckloads of slaughtered turkeys in eastern England being transported to an incinerator to prevent the spread of avian flu; the twisted skeleton of a hurricane-ravaged oil rig in the Gulf of Mexico: two pictures that illustrate the importance of risk management and demonstrate that business risks may take very different forms, but their impact on stakeholders can be unexpected, sudden and extreme.
Although there are obvious advantages to businesses in trying to anticipate and avoid adverse risk, Enterprise Risk Management (ERM) has developed along two rather different paths. The first is that of complying with regulatory demands - some suggest to the letter rather than the spirit. The second path involves embracing risk management as a vital tool of good business management. At some stage these may converge. If they do, it could be because the rigour and pressure of legislation are ever-increasing and, certainly for larger businesses, have become unavoidable.
Risk management did not begin with Sarbanes-Oxley (see box) - indeed, the Act has distinct limitations in this regard. It is largely concerned with financial statements and financial controls. Risk management, in so far as it is addressed, is dealt with in the context of IT controls. IT management has to understand the risks to the completeness and validity of the financial statements.
Nonetheless, such a resolute piece of legislation has made a significant difference. To an extent, it has stimulated the risk management processes of publicly listed companies in the US. In the UK, however, the Turnbull report of 1999 (revised in October 2005), which provided guidance to directors on internal controls, was much broader in its consideration of risks to businesses and its recommendations on management of those risks.
In particular, Turnbull required that listed companies should have a process for identifying, evaluating and managing significant risks to their business. Internal controls should be able to assess the nature and extent of risks, the categories of those risks and the likelihood of them materialising. It should be clear what abilities a company has at its disposal to reduce the incidence and impact of risks, should they occur.
Another key aspect of Turnbull was that it said that internal controls should be 'embedded' in the operation, organisation and culture of an organisation. Apart from its recommendations regarding formal reporting, it was this concept of embedded risk management culture that was revolutionary. And this is what reassures stakeholders. They need to know what controls are in place for the future, not whether they were in place during the previous reporting period.
Turnbull supplies the explanation of how companies listed on the London Stock Exchange should interpret the provisions of the Combined Code on Corporate Governance, which took effect in 2003. The international importance of this UK code should not be underestimated because many of the companies listed in London are international either in scope or their origin. Moreover, regulators in other jurisdictions have observed developments in London with a view to improving their own regulatory corporate governance regimes - not least exchanges in the US and Europe.
Surprisingly, quite a large number of companies still do not tell their stakeholders a great deal about the risks their businesses face. In its FTSE 350 Corporate Governance Review 2006, accountancy firm Grant Thornton reports that "whilst there is continued improvement in disclosures relating to the process of identifying risks, a sizeable percentage of companies, 23% of the FTSE 100 and 53% of the Mid 250, still do not give an indication as to what their principal business risks are".
This, of course, is not the same as saying that those companies do not analyse, understand or control the risks facing their business. Simon Lowe, Grant Thornton's head of risk management services, says: "In the accounts, directors have to identify and manage risk; they don't really have to disclose them. As long as they say they've got a process and they are satisfied with the process that they go through to identify and manage the risks, they don't really have to do any more." This does not necessarily instil confidence in stakeholders.
However, in this respect financial institutions and particularly banks, by virtue of the regulatory regimes under which they fall, may be further along the ERM curve than other types of business. This is understandable: for banks and insurance companies, analysing risk and related return is very much their stock-in-trade. Banks approach risk management from at least three angles. The first is standard business reporting as with any other business. The second concerns their duties to report to their regulators as regards their capital adequacy versus the risks in their portfolio of activities - lending, trading in financial instruments, leasing and so on. The third angle, increasingly practised by banks, is their calculation of what they term 'economic capital' as an internal planning tool.
Under the first Basle Accord, banks had to calculate how much capital they should hold in relation to certain types of credit risks. So lending to a highly rated government or business required no capital to support it, whereas lending on a much more risky piece of business would require much more. Basle I was a blunt instrument in some respects, but the result of aggregating all the risks and all the capital requirements produced a blended, so-called capital adequacy number that was either at the right level to ensure solvency of the bank should a risk go bad, or not, as the case may have been.
The latest round of guidance, named Basle II, begun in 2004, incorporates the same ideas and adds to them in terms of regulatory controls that banks are required to put in place. Not only must they hold the right proportion of risk-weighted capital as before (under Basle II's so-called Pillar I), they also have to have an adequate process in place for assessing and monitoring capital versus the risks they hold (under Pillar II). Pillar III deals with market risk matters; that is, risk arising from involvement in particular markets in which a bank may operate, such as bond markets or derivatives markets.
The question of whether banks would regulate themselves adequately without such requirements is a moot point. But this is the concern of many stakeholders in companies that do not operate in such highly regulated sectors. However, many banks are now turning the types of systems and calculations that they have to produce for regulatory purposes to their advantage by using them to calculate 'economic capital'.
This means applying software tools and careful judgment to each and every transaction in each and every business line, and asking how much capital each requires and whether the returns from that piece of business or business line are justified in relation to the risks involved and versus the cost of capital. In other words, is the business worth doing?
The answer is not necessarily that the most risky business will be jettisoned while the lowest risks will be held. This would result in a lower return on capital. The result of calculating economic capital is that it tells you how much capital you really need and just how risky your business is; also woven into the calculations is an estimate of the probability that a risk will actually occur. And this approach is fundamental to ERM in its widest context. It can be applied to every business.
But the nub of the matter is measuring risk in the first place. Cary Depel, chairman of the London-based Institute of Risk Management, explains: "The mantra 'if you can measure it, you can manage it' has a lot of validity. There is a lot of crossover now between risk management and finance. If, between them, they generate as much hard data as possible about risk, this enables them to build pretty powerful predictive models. This allows people in the business to do scenario planning with far greater ability to handle the situation when or if a peril impacts the business."
This approach, and the acceptance that risk management is something that can deliver significant benefits, both on the downside through risk avoidance and on the upside by helping to understand the chances of success, is what ERM is all about. In broad terms, risks fall into three generic areas:
Financial risks: those stemming from the particular type of business or individual transaction itself; for example, trade credit risks on particular customers.
Operational risks: those arising from the way in which a company operates its business, such as the integrity of its internal systems or its disaster recovery arrangements.
Global risks: those broad external risks to which the business is exposed; for example, complete failure of the financial system or risks from climate change or other natural disasters.
Having worked out where the risks lie and what the probability of their occurrence might be, the next stage is avoidance. Avoiding something as big as climate change, for example, is not easy, so the more practical approach is to either pre-empt or reduce the impact. Next follows mitigation: if a loss due to a risk is likely to happen, then what can be done to lessen the effects? Another approach is to have alternative ways to lessen the impact of risk - by having back-up facilities to which to transfer operational activities. Finally, there is transfer of risk to someone else; for example, through insurance.
How detailed a set of models is used in the ERM process really depends on the organisation. The US Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a useful graphic in its 'Enterprise Risk Management-Integrated Framework' (www.coso.org), which presents a more complex summary of how an organisation might go about planning its ERM. Consulting firms say that although some businesses take the route of making ERM a part of the compliance and disclosure function, and others take a more holistic and embedded approach, all listed companies now have it firmly on their good management agenda.
Simon Perry, a director in PricewaterhouseCoopers' risk assurance services practice, adds that one of the challenges is that many large businesses lack a single overview of their risks. "Many of our clients address risk in some capacity. But while management is using risk management tools, internal audit has a view of risk in the organisation, the health and safety function has another view, there may be a risk management team that has a view of risk and they may all be slightly different and using slightly different methodologies. We say that what they need is one view of the truth, one view of what their risks really are and what they are doing about them."
The ultimate aim, as Grant Thornton's Lowe says, is to deliver measurable benefits to the business. Avoiding falling foul of compliance risk is a step in the right direction, but that falls far short of what risk management can bring to a business. "There is a real challenge now from non-executives and audit committees, as well as from executive management, to start turning what was seen as a process that needed to be followed for the purposes of accounts and compliance into something that delivers real value for the business. However, I don't think many companies have really cracked it yet."
ERM is a management tool that is here to stay. It would take only another major business failure, or perhaps a corporate pension fund collapse, to trigger a call for a change in the law and increased compliance legislation. And those are risks that probably no company director wants to take.