1
Introduction
1.1 INTRODUCTION
If you can’t manage risk, you can’t control it. And if you can’t control it you can’t manage it. That means you’re just gambling and hoping to get lucky.
(J. Hooten, Managing Partner, Arthur Andersen & Co., 2000)
The increasing pace of change, customer demands and market globalisation all put risk management high on the agenda for forward-thinking companies. It is necessary to have a comprehensive risk management strategy to survive in today’s market place. In addition, the Cadbury Committee’s Report on Corporate Governance (1992) states that having a process in place to identify major business risks as one of the key procedures of an effective control system is paramount. This has since been extended in the Guide for Directors on the Combined Code, published by the Institute of Chartered Accountants (1999). This guide is referred to as the ‘Turnbull Report’ (1999) for the purposes of this book.
The management of risk is one of the most important issues facing organisations today. High-profile cases such as Barings and Railtrack in the UK, Enron, Adelphia and Worldcom in the USA, and recently Parmalat, demonstrate the consequences of not managing risk properly. For example, organisations which do not fully understand the risks of implementing their strategies are likely to decline. Marconi decided to move into a high-growth area in the telecom sector but failed in two distinct respects. Firstly, growth was by acquisition and Marconi paid premium prices for organisations because of the competitive consolidation within the sector. Secondly, the market values in the telecom sector slumped because the sector was overexposed owing to debt caused by slower growth in sales than expected.
1.2 WHY MANAGING RISK IS IMPORTANT
The Cadbury Report on Corporate Governance Committee Working Party (1992) on how to implement the Cadbury Code requirement for directors to report on the effectiveness of their system of internal control lists the following criteria for assessing effectiveness on the identification and evaluation of risks and control objectives:
• identification of key business risks in a timely manner
• consideration of the likelihood of risks crystallising and the significance of the consequent financial impact on the business
• establishment of priorities for the allocation of resources available for control and the setting and communicating of clear control objectives.
The London Stock Exchange requires every listed company to include a statement in its annual report confirming that it is complying with this code, or by providing details of any areas of non-compliance. This has since been re-enforced and extended by the Turnbull Report (1999). The Sarbanes-Oxley Act (2002) is similar to the Turnbull Report. This Act introduced highly significant legislative changes to financial practice and corporate governance regulation in the USA. The Act requires chief executive officers (CEOs) and group financial directors (GFDs) of foreign private registrants to make specific certifications in annual reports.
In today’s climate of rapid change people are less likely to recognise the unusual, the decision-making time frame is often smaller, and scarce resources often aggravate the effect of unmanaged risk. The pace of change also means that the risks facing an organisation change constantly (time related). Therefore the management of risk is not a static process but a dynamic process of identification and mitigation that should be regularly reviewed.
1.3 GENERAL DEFINITION OF RISK MANAGEMENT
The art of risk management is to identify risks specific to an organisation and to respond to them in an appropriate way. Risk management is a formal process that enables the identification, assessment, planning and management of risks.
All levels of an organisation need to be included in the management of risk in order for it to be effective. These levels are usually termed corporate (policy setting), strategic business (the lines of business) and project. Risk management needs to take into consideration the interaction of these levels and reflect the processes that permit these levels to communicate and learn from each other.
The aim of risk management is therefore threefold. It must identify risk, undertake an objective analysis of risks specific to the organisation, and respond to the risks in an appropriate and effective manner. These stages include being able to assess the prevailing environment (both internal and external) and to assess how any changes to that prevailing environment would impact on a project in hand or on a portfolio of projects.
1.4 BACKGROUND AND STRUCTURE
This book provides background knowledge about risk management and its functions at each level within an organisation, namely the corporate, strategic business and project levels.
Figure 1.1 illustrates a typical organisational structure which allows risk management to be focused at different levels. By classifying and categorising risk within these levels it is possible to drill down and roll up to any level of the organisational structure. This should establish which risks a project is most sensitive to so that appropriate risk response strategies may be implemented to benefit all stakeholders.
Figure 1.1 illustrates the corporate, strategic business and project levels which provide the foundation for this book. Risk management is seen to be integral to each level although the flow of information from level to level is not necessarily on a top-down or bottom-up basis. Merna and Merna (2004) believe risks identified at each level are dependent on the information available at the time of the assessment, with each risk being assessed in more detail as more information becomes available. In effect, the impact of risk is time related.
Figure 1.2 illustrates the possible outcomes of risk. The word ‘risk’ is often perceived in a negative way. However, managed in the correct way, prevailing risks can often have a positive impact.
Figure 1.1 Levels within a corporate organisation (Merna 2003)
Figure 1.2 Relationship of risk to possible losses and gains
Risk management should consider not only the threats (possible losses) but also the opportunities (possible gains). It is important to note that losses or gains can be made at each level of an organisation.
1.5 AIM
The aim of this book is to analyse, compare and contrast tools and techniques used in risk management at corporate, strategic business and project levels and develop a risk management mechanism for the sequencing of risk assessment through corporate, strategic business and project stages of an investment.
Typical risks affecting organisations are discussed and risk modelling through computer simulation is explained.
The book also examines portfolio risk management and cash flow management.
1.6 SCOPE OF THE BOOK
Chapter 2 discusses the concept of risk and uncertainty in terms of projects and investments. It then outlines the sources and types of risk that can affect each level of an organisation.
Chapter 3 is a general introduction to the topic of risk management. It summarises the history of risk management and provides definitions of risk and uncertainty. It also describes the risk process, in terms of identification, analysis and response. It then goes on to identify the tasks and benefits of risk management, the risk management plan and the typical stakeholders involved in an investment or project.
Chapter 4 is concerned with the tools and techniques used within risk management. It prioritises the techniques into two categories, namely qualitative and quantitative techniques, and describes how such techniques are implemented. It also provides the elements for carrying out a country risk analysis and briefly describes the risks associated with investing in different countries.
Chapter 5 outlines the risks involved in financing projects and the different ways of managing them. The advantages and disadvantages of risk modelling are discussed, and different types of risk software described.
Chapter 6 is concerned with portfolios and the strategies involved in portfolio selection. Bundling projects is examined and cash flows specific to portfolios are analysed. Various methods of cash flow analyses are discussed.
Chapter 7 is specific to the corporate level within an organisation. It is concerned with the history of the corporation, corporate structure, corporate management and the legal obligations of the board of directors, corporate strategy and, primarily, corporate risk.
Chapter 8 is specific to the strategic business level within an organisation. It discusses business formation, and defines the strategic business unit (SBU). It is primarily concerned with strategic management functions, strategic planning and models used within this level. Risks specific to this level are also identified.
Chapter 9 is specific to the project level within an organisation. It outlines the history of project management, its functions, project strategy and risks specific to the project level.
Chapter 10 provides a generic mechanism for the sequence and flow of risk assessment in terms of identification, analysis and response to risk at corporate, strategic business and project levels.
Chapter 11 describes a number of corporate governance codes and how they address the need for risk management.
Chapter 12 introduces the Basel II framework and discusses, in particular, how probability default (PD) and loss given default (LGD) are addressed and other operational management issues.
Chapter 13 describes how quality management can be used to manage many of the risks inherent in organisations and how quality related risks can affect the profitability of an investment.
Chapter 14 provides Case Study 1 which investigates the pharmaceutical industry and illustrates the typical risks in a drug development process (DDP) and how many of these risks can be mitigated.
Chapter 15 provides Case Study 2 which shows the risks associated with the procurement of crude oil and the sale of refined products. This case study also addresses the risks in the supply and offtake contracts and utilises Crystal Ball as the simulation software for modelling and assessment of risks.
Chapter 16 provides Case Study 3 which describes the development of risk registers at corporate, strategic business unit and project levels and the development of a risk statement for a specific project.
The final chapter, Chapter 17, provides Case Study 4 which describes how the major risks at each level of a corporation can be identified and quantitatively analysed and then summarised to develop a risk statement for shareholders.