CHAPTER 2
Risk Defined

WHEN ONE SETS OUT to systematically manage risk in a firm it helps to have a clear idea about what one means by 'risk', and what it is one hopes to achieve by its management. It also helps if this way of thinking about risk and risk management is widely shared by people across the organization, paving the way for a unified and enterprise-wide mindset. In this chapter we review the foundations of risk management in firms. Despite the highly subjective nature of risk, to make progress we need to establish some 'rock bottom' tenets according to which we can operate.

Most people would agree with us when we say that risk has to do with the possibility of something bad happening. Bad is usually taken to mean a failure, accident, loss, damage, or something similarly negative. But there is also a sense in which risk is a very personal and subjective thing. What you think is bad may not be bad to me. If I plan to go to the beach tomorrow, a bad outcome would be if it rains by the time I arrive there. But to a person who is anxious to have his garden watered, a downpour could be a blessing. Risk, as it has been said, lies in the eye of the beholder, and consequently needs to be defined in each specific context. There is no off-the-shelf version that can be applied everywhere and by everyone.

The subjectivity of risk, or that each of us has our own perception of risk, is not an issue as long as we are talking about individuals. In a free society, each of us may have our own beliefs and priorities, and manage risk accordingly. But in an organization, such as a firm, it becomes a problem if we cannot agree on what risk is, at least if we are looking to manage it with a specific purpose in mind. Effective risk management in an organization requires a shared view of what constitutes risk. Only then can we attempt to measure it and start integrating it into our work processes. Here we immediately run in to the subjectivity issue: not only does an organization consist of different individuals, it is also the case that how people view risk depends on their place in it. One part of the firm can view the world quite differently from the rest of it, and consequently they will not have the same ideas or preferences about risk. There are at least four layers in the company where risk preferences can systematically diverge: the corporate (headquarters), business unit, project, and individual levels. Depending on which perspective you take, risk can be understood in different ways. This tends to happen because the related goals and aspirations are not necessarily the same, despite the fact that they all belong within the same firm. Of all the parameters affecting what you think of as risk, the goal you have is often one of the most powerful. This means that whenever goals are different, as they often are throughout an organization, there is a potential conflict of interest with respect to risk management as well.

VALUE-CREATING RISK MANAGEMENT

The subjective nature of risk just described presents a problem for anyone who wishes to manage corporate risk. What we would like is a unified framework with clear definitions that can guide actions regardless of the decision situation at hand. To achieve that, we need to establish what kind of overarching purpose risk management really serves. In this book, we propose that the principal objective of risk management is to increase firm value in the long run. There are, as we shall see, some fairly convincing arguments to support this position. These days, there is additionally a lot of emphasis on corporate social responsibility, which would suggest that the scorecard is more multifaceted than just long-term value. The relationship between the pursuit of value and social responsibility is an important question that will be discussed at length both later in this chapter and in Chapter 4.

For now, we posit that risk management should primarily make sound business sense for the firm taken as a whole. This means that we can approach risk management the way we would any other business decision: by simply asking whether the advantages outweigh the disadvantages. With this in mind, we suggest analysing risk management in terms of its impact on the expected value of cash flow - or expected cash flow for short. This metric ensures compatibility with long-term firm value, because according to economic theory the value of a business is the sum of the surplus cash flows it expects to generate in the future, discounted back to present value. As will become clear in the pages that follow, expected cash flow offers a clear yardstick for how to evaluate proposals to mitigate risk.

Expected cash flow can be thought of as the probability-weighted forecast of cash flow. Consider a contract that promises a payment of $100 one year hence. But there is also a risk: a 10% probability that the counterpart fails to make good on his promise to pay the full amount. In this scenario we only get $50. The forecasted value of cash flow, which is the most likely outcome, and the point estimate that would appear in a spreadsheet, is still $100. The expected value of cash flow, however, is less: 90% × $100 + 10% × $50 = $95.

The fundamental observation that drives much of the analysis in this book is that risk costs money. The meaning of the statement 'risk costs money' is that, all else being equal, we are willing to pay less for an asset that is risky compared to one that is safe. This is already apparent from the difference between the forecasted and expected value of cash flow. The latter decreases when a risky outcome is introduced, whereas the point estimate is unaffected. But according to financial theory, transiting from an estimate of cash flow to a measure of value means that we also have to consider the discount rate. A discount rate is what converts a future dollar into a present value, reflecting the fact that a dollar to be received in the future is not equivalent in value to one here and now. In a one-period model,1 we can write the relationship between cash flow and value as follows (where k is the discount rate):

If we for now assume that the discount rate is zero, the value is equal to the expected cash flow of $95 in our simple example. Due to the presence of risk, an investor would then be prepared to pay only $95 rather than the forecasted value of $100. This is the essence of saying that 'risk costs' even when there is no payment related to it to be made here and now. The general principle is therefore clear: the presence of risky outcomes reduces the expected value of cash flow, and by extension value. To understand the impact of risk on long-term value we would just repeat this analysis in a model consisting of multiple cash flows stretching many years into the future, rather than just one as in the simplified one-period model in our example above.

At this point it should be noted that risk finds its way into the formula for firm value also through the discount rate. According to financial theory, the discount rate compensates first for the passage of time, meaning a real interest rate plus the effect of inflation. These are factors that erode the value of a future cash flow that has a certain fixed nominal value. One dollar today does not buy the same amount of goods and services as it did in, say, the 1970s, simply because of inflation. But the discount rate also contains a risk premium, which is not driven by idiosyncratic events like the risk of a non-payment (the loss of $50 in our example). Instead, the size of the risk premium is, according to the most widely used theory, supposed to be in proportion to the investment risk associated with the asset - capital asset pricing model (CAPM). Investment risk is understood in a very specific sense here, namely as the degree to which the return from investing in the asset changes with the return on a broad portfolio of assets, the so-called market portfolio. This sensitivity to the market return is referred to as the asset's beta coefficient: the higher the beta, the higher the risk-adjusted discount rate. The beta can be said to capture the extent to which the return on the investment is cyclical and co-varies with the broad swings in the economy. According to the theory, this kind of risk warrants a premium because it cannot be diversified away, no matter how many different stocks are added to the investor's portfolio.

We will not go into the theory behind the determinants of the discount rate in any further detail here. Our message is instead that firms should not concern themselves with this risk premium or try to use it as a way to legitimize an effort to manage risk. It is an excessively abstract and hard-to-measure concept, and it is a futile exercise to try to manage it. No solid argument exists that this could be a source of value creation anyway. Lowering the beta coefficient automatically means that the expected return is reduced too, because the theory assumes a linear relation between the two.

This is not to say that there are no possible benefits from risk management in terms of reducing the cost of capital. Debtholders, for example, may lower the interest rate they charge if they consider a firm to have made a credible commitment to manage its risks. The lower interest rate means that shareholders capture more of the surplus cash flows (operating cash flows less interest payments). Debtholders view risk management in a favourable light...