Enterprise Risk Management

CHAPTER 1

Introduction

One evening in the autumn of 1995, I flew into Boston to have dinner with Denis McCarthy, then the chief financial officer (CFO) of Fidelity Investments. McCarthy was the person to whom I would report if I accepted an offer to become the first chief risk officer for the corporation. I asked him what the main objective would be for this new position. His reply: “We want to operate in an environment in control, not a controlled environment.”

I took that job with the understanding that Fidelity wanted to improve its risk management practices, but not at the price of destroying the entrepreneurial spirit and product innovation that had made it the largest mutual fund company in the United States.

Fidelity was not alone then and is not alone now. Every business faces the parallel challenges of growing earnings and managing risks. A thriving business must identify and meet customer needs with quality services and products; recruit and retain talented people; and correctly make business and investment decisions that will lead to future profit opportunities. However, the pursuit of new profit opportunities means that a business must take on a variety of risks. All of these risks must be effectively measured and managed across the business enterprise.

Otherwise, today's promising business ventures may end up being tomorrow's financial disasters. As I am fond of telling audiences when speaking on the importance of risk management: “Over the longer term, the only alternative to risk management is crisis management—and crisis management is much more expensive, time consuming, and embarrassing.” The majority of such audiences have experienced one or more crises in their time, and so this is a message that rings true.

Every business decision involves an element of risk. There are risks involved in making investments, hedging with derivatives, or extending credit to a retail customer or business entity. There are also risks involved when developing and pricing new products, hiring and training new employees, aligning performance measurement and incentives with business objectives, and establishing a culture that balances revenue growth and risk management.

Over time, individual business decisions and risks collectively build up into a company's overall risk portfolio, which will have a unique risk profile. This risk profile will determine the company's earnings, and earnings volatility, over the business cycle. Some decisions will be winners and some will be losers. Some risks will offset each other, some risks will be unrelated to each other, and some will compound each other. In order to manage risk effectively, a business must address not only its underlying risks, but also the inter-relationships between them.

As we will see from the numerous case studies discussed in this book, ineffective risk management can lead to reduced earnings or even bankruptcy. However, risk management means different things to different people. In this book, risk management is defined in its broadest business sense. Risk management is not just about using derivatives to manage interest rate and foreign exchange exposures—it is about using a portfolio approach to manage the full range of risks faced by an enterprise. Nor is risk management only about establishing the right control systems and processes—it is also about having the right people and risk culture. And although the term has come to have some negative connotations, risk management is not only about reducing downside potential or the probability of pain, but also about increasing upside opportunity or the prospects for gain.

Individual investors managing their portfolios must be careful when it comes to the amount of risk that they take on. If they take on too much risk, perhaps by making aggressive investments, the losses could exceed their risk tolerance, or be too uncertain for comfort. On the other hand, if they fail to take on enough risk by making conservative investments, they may earn returns that are stable, but inadequate for achieving their financial objectives.

Striking an optimal balance between risk and return is not only important to the individual investor, it is also an imperative for business management. The concept of “no risk, no return” is widely accepted in the business world. A corollary to that concept is “higher risk, higher return”, a positive relationship illustrated in Figure 1.1. This is how many people think about the trade-off between risk and return, and it has the virtue of simplicity. However, it is certainly not valid if risk is put into its proper perspective.

Figure 1.1 Risk and Absolute Return

A better way to think about risk and return is illustrated in Figure 1.2. The focus is no longer on the relationship between risk and absolute return, but about the relative or risk-adjusted return. A company in Zone 1 is not taking enough risk, and its capital is being underutilized. This company would be better off increasing risk through a growth or acquisition strategy, or reducing capital through higher dividends. In Zone 3, however, the company is taking too much risk. This company's risk level is above and beyond its risk absorption capability in terms of capital and liquidity resources, and/or its risk management capability in terms of people and systems.

Figure 1.2 Risk and Relative Return

In Zone 2, the company has found the sweet spot that optimizes its risk/return profile. The problem is that most companies do not even have good information on enterprise-wide risk exposures (which is to say, where they are on the horizontal axis), let alone where they are on the risk-adjusted return curve. To make matters worse, the net present value (NPV) and economic value added (EVA) models frequently used in strategic planning naturally favor higher-risk investments unless proper adjustments are made to account for risk. Over time, investments guided by these unadjusted models may inadvertently lead a company to drift into Zone 3.

A principal message of this book is that a company should develop an integrated approach to measuring and managing all of its risks in order to optimize its risk/return profile. A key management requirement for risk/return optimization is to integrate risk management in the business processes of the company.

We've seen, then, that risk is an inescapable part of doing business and argued that a business should strive toward its optimal risk-return profile. However, there is another question that deserves examination: why manage risk? Indeed, why read this book?

A company could conceivably agree that it bears risks but feels it inappropriate to manage them, rather than simply live with them. Risk management may seem to be irrelevant, too costly, or not in accordance with the interests of the company's stakeholders. Some academics have argued positions close to these, as we will see. Certainly, before a company invests money and other valuable resources into risk management (and before the reader spends any more time reading this book), the value proposition of risk management needs to be clearly established.

Perhaps the best way to answer the question “why manage risk?” is to borrow a popular technique used by diet and other self-improvement programs. That simple but effective technique is to paint a clear picture of the gain of action along with an equally clear picture of the pain of inaction. In the next section, we'll paint the happy picture—the benefits of effective risk management in terms of the expected benefits and gains. In the section thereafter, we'll paint the dire picture of the severe negative consequences—the pain—that may be suffered if effective risk management is not in place.

THE BENEFITS OF RISK MANAGEMENT

Numerous academic papers have established the theoretical basis for managing risk—arguing that it can reduce taxes, reduce transaction costs, and improve investment decisions.1 However, beyond the theory there are at least four practical reasons why risk management should be of paramount importance to the management of a firm. In this practical context, risk management should be defined more broadly to include internal controls as well as hedging.

Let's now take a look at these four reasons in turn.

Reason #1: Managing Risk Is Management's Job

One notion in modern finance theory is that managing risk, or more specifically hedging, is not necessary because an investor can reduce risk through a diversified investment portfolio. Regardless of what some theoreticians may argue, you will never in the real world hear a fund manager or individual investor tell a company's management: “Don't worry about managing risk or bankrupting the company—I have a large diversified portfolio.”

Managing the risks of a business enterprise is the direct responsibility of its management, not its shareholders. While modern portfolio theory is a major contributor to the theory and practice of finance and risk management today, the argument that the investor can better manage or diversify risks does not ring true in the real world. The average individual investor probably spends more time buying a new car than addressing the risks of his or her investment portfolio. Even the professional fund manager is several degrees away from the insider knowledge required for effective risk management, which includes:

• Historical data on...