managing risk and opportunity - governance strategic risk-taking - t j andersen, m garvey, o roggi...

Upload: dionisio

Post on 10-Jul-2016

DESCRIPTION

How to manage risks in general, especially in strategic contexts.

TRANSCRIPT

  • Managing Risk and Opportunity

  • Managing Risk and Opportunity: The Governance of Strategic Risk-Taking

    Torben Juul Andersen

    Maxine Garvey

    Oliviero Roggi

  • Great Clarendon Street, Oxford, OX2 6DP, United Kingdom

    Oxford University Press is a department of the University of Oxford. It furthers the University's objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and in certain other countries

    © Torben Juul Andersen, Maxine Garvey, and Oliviero Roggi 2014

    The moral rights of the authors have been asserted

    First Edition published in 2014

    Impression: 1

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by licence, or under terms agreed with the appropriate reprographics rights organization. Enquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the address above

    You must not circulate this work in any other form and you must impose this same condition on any acquirer

    Published in the United States of America by Oxford University Press, 198 Madison Avenue, New York, NY 10016, United States of America

    British Library Cataloguing in Publication Data

    Data available

    Library of Congress Control Number: 2013950541

    ISBN 9780199687855

    As printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

    Links to third party websites are provided by Oxford in good faith and for information only. Oxford disclaims any responsibility for the materials contained in any third party website referenced in this work.

  • CONTENTS

    FIGURES

    TABLES

    BOXES

    Introduction

    Risk-taking: a fundamental business activity

    Strategic risk governance

    Outline of book

    1 Risk, Risk Management, and Risk Governance

    Risk and risk-taking

    Upside and downside of risk-taking

    How people perceive and behave when coping with risks

    Corporate governance

    Corporate governance: avoiding greed, sloth, and fear

    Risk governance

    Risk governance vs. risk management

    Hazard, financial, project risk, and enterprise risk management

    Traditional risk management (TRM)

    Financial risk management (FRM)

    Project risk management (PRM)

    Enterprise risk management (ERM)

    Strategic risk management (SRM)

    Objective of risk governance and risk management

    Role of the board in risk-taking

    Risk aversion, policy, tolerance, capacity, appetite, culture, etc.

    Risk appetite statements by the board

    The Institute of International Finance (2009)

    The Institute of Risk Management (2011)

    The Society of Actuaries in Ireland (2011)

    The Committee of Sponsoring Organizations of the Treadway Commission

    Casualty Actuarial Society 2012

    Conclusion

    OUP CORRECTED PROOF FINAL, 5/4/2014, SPi

  • 2 Risk, Uncertainty, and Proactive Risk-Taking

    Risk and uncertainty

    The risk environment

    Sources of risk

    Dealing with risk and uncertainty

    Risk-return models in finance

    The curse of the normal distribution

    Measuring economic assets under Risk: Risk Adjusted Value

    Risk Management

    Standards and Frameworks

    Conclusions

    3 Value Based Enterprise Risk Management Practices

    The enterprise risk management approach

    Risk management and enterprise value

    The enterprise risk management process

    Risk policies and objectives

    Risk assessment

    Risk analysis

    Risk evaluation

    The effects of market imperfections

    Risk treatment

    Risk avoidance

    Risk transfer

    Risk diversification and other policies

    Risk retention

    Monitoring risks

    Capital management, risk management, and retained risk

    Retained risk and suppliers of finance

    The standard model

    The insurance model

    Conclusion

    4 Value Creation Through Risk Management

    Strategic risk-taking

    Risks in corporate decisions

    Individual cognitive biases

    Strategic risk-taking and value creation

    Better risk-taking decisions

    Conclusion

    5 The Strategic Risk-Taking Organization

    Organizing strategic risk-taking

    Problems, risk, and uncertainty

    Responding by use of real options

    Real options development

    The value of risk-taking options

    Organizational concerns in risk-taking

    Risk management culture

    Corporate risk culture

    Aligning interests

    Engaging the right people

    Incentives for good risk-taking

    A risk culture in tune with risk-taking

    Integrating risk analysis in strategic decision-making

    Operational risk management and control

    Monitoring the risk profile

    Conclusion

    Postscript

    Basic Elements of Good Risk Management

    APPENDICES

    APPENDIX 1 GOOD RISK COMMITTEE PRACTICES

    APPENDIX 2 THE CAPITAL ASSET PRICING MODEL (CAPM)

    APPENDIX 3 ASSESSING THE STRATEGIC RISK GOVERNANCE ENVIRONMENT

    REFERENCES

    INDEX

  • FIGURES

    Figure I.1 Building a strategic risk governance framework

    Figure 1.1 Default spreads on equity and corporate bonds 1960–2009

    Figure 1.2 A simple view: management vs. governance

    Figure 1.3 Three key governance conflicts

    Figure 1.4 Risk governance vs. risk management

    Figure 2.1 The normal distribution

    Figure 2.2 Financial and real exposures in the corporation

    Figure 2.3 Generic elements of the risk management cycle

    Figure 2.4 Essential drivers of risk

    Figure 2.5 A Corporate risk management structure

    Figure 2.6 Different risk categories

    Figure 2.7 A changing environmental context

    Figure 2.8 The risk profile of stock portfolios

    Figure 2.9 Different statistical probability distributions

    Figure 2.10 What affects the value of assets

    Figure 3.1 Corporate finance and ERM objectives converge

    Figure 3.2 An elaborated risk management process

    Figure 3.3 The ISO 31.000 enterprise risk management process

    Figure 3.4 A simplified enterprise risk management framework

    Figure 3.5 A generic risk map: Example

    Figure 3.6 The structure of the Probability-Impact matrix

    Figure 3.7 An example of the Risk Score Method

    Figure 3.8 Decision tree analysis of a pharmaceutical company: Example

    Figure 3.9 Capital requirements according to retained risk

    Figure 3.10 The standard model of the financial structure

    Figure 3.11 The insurance model of the financial structure

    Figure 4.1 Characterizing the changing risk landscape

    Figure 4.2 The rational analytical decision-making process

    Figure 4.3 Ambiguities and biases in corporate decision-making

    Figure 4.4 Systematic analysis of the business environment

    Figure 4.5 Risk management and strategic management cycles

    Figure 4.6 The complete strategic risk management process

    Figure 4.7 The active risk and opportunity planning approach

    Figure 4.8 Dealing with disruptive technologies

    Figure 4.9 Analyzing responses to different environmental contexts

    Figure 4.10 The value of effective risk management

    Figure 4.11 Considering both downside losses and upside gains

    Figure 4.12 Creating value from risk management

    Figure 4.13 Improving the risk-return profile

    Figure 4.14 The Risk management effects of innovation investment

    Figure 5.1 Dealing with problems, risk, and uncertainty

    Figure 5.2 A generic scenario approach

    Figure 5.3 Payoff profile of call and put options

    Figure 5.4 Real options in strategic investment decisions

    Figure 5.5 Managing real options

    Figure 5.6 Managing the value of flexibility

    Figure 5.7 Organizing the risk management process

    Figure 5.8 Combining central and decentralized risk processes

    Figure 5.9 Interacting strategic and operational risk processes

    Figure P.1 The interactive role of the Risk Office

  • TABLES

    Table 1.1 Common features of the rogue trader

    Table 1.2 Addressing the collective action problem

    Table 1.3 The Corporate governance environment: countries differ

    Table 1.4 The role of directors according to the OECD

    Table 2.1 Timeline for major advances in statistical data analysis

    Table 2.2 Certain, risky, uncertain, and unpredictable decision situations

    Table 3.1 The estimation phase

    Table 3.2 The phases of the quantitative estimation process

    Table 3.3 The high capacity airplane scenarios

    Table 4.1 Creating value from effective risk management

    Table 5.1 Possible responses to different risk categories

    Table 5.2 Comparing financial and real options

  • BOXES

    Box 1.1 Changes in risk perception over time

    Box 1.2 Definitions of corporate governance

    Box 1.3 Tea and coffee plantation in Kenya

    Box 1.4 Aerospace Suppliers (AS) objective, risk appetite, and risk tolerance

    Box 1.5 Examples of risk tolerance statements

    Box 2.1 Measuring risk: from the Middle-Ages to today

    Box 2.2 Classifying the risks faced by the firm

    Box 2.3 Diversifying firm-specific risk in a stock portfolio

    Box 2.4 Some risk management standards

    Box 4.1 Managing strategic risk at LEGO System A/S

    Box 4.2 Example: an Indian conglomerate exploits superior access to capital

    Box 4.3 Risk management in different environments

    Box 5.1 What is an option?

    Box 5.2 Why real options are valuable

    Box 5.3 Applying a real options logic: a company example

  • PREFACE

    Our ways met in early 2010 when the World Bank Group through the IFC Corporate Governance Unit decided to embark on a training program on risk governance for board members and senior managers with the aim of promoting good risk management practices linking corporate risk-taking with strategic decision-making. In preparing this work, we combined complementary insights from the corporate governance, corporate finance, and strategic management fields in fruitful collaboration within an academic frame spear-headed by Aswath Damodaran. We truly appreciate Aswath's engagement in this development process and his generosity in sharing ideas, models, and frameworks. Many of his perspectives are apparent in this book and we acknowledge this influence with gratitude.

    We also believe the current book has the potential to break new ground through its unique triangulation of three academic disciplines that seem to complement each other very well around the intensified focus on strategic risk governance. Corporate governance considers the fiduciary and forward-looking business responsibilities of the board, corporate finance provides the foundation for the risk analytical techniques with a strong logic for risk decisions, and strategic management lays out the frameworks that consider responsive actions in a changing risk landscape girded with uncertainty and unpredictability.

    The book reflects a collaborative effort among us born from a long series of joint interventions although particular chapters are influenced by primary contributor(s) as noted: Chapter 1, Maxine Garvey; Chapter 2, Torben Andersen, Maxine Garvey, and Oliviero Roggi; Chapter 3, Oliviero Roggi; Chapter 4, Torben Andersen and Oliviero Roggi; Chapter 5, Torben Andersen. The Introduction and Postscript were framed by Torben Andersen but the manuscript in its entirety was structured, discussed, and scrutinized by us all.

    It is our hope that this structured summary of these jointly developed and practiced strategic risk governance guidelines will prove useful to directors, executives, and managers who take an interest in shaping effective strategic risk management processes in their own organizations.

    Copenhagen: Torben Juul Andersen

    Washington DC: Maxine Garvey

    Florence: Oliviero Roggi

    June 30, 2013

  • Introduction

    The corporate annals of the past decades are full of fascinating and colorful stories about how once prominent and heralded enterprises ended up in bankruptcy and scandal, hitting the headlines of the global business press. This includes the diversion of funds from the Maxwell group of companies in the early 1990s, the trading losses that brought Barings Bank to extinction in the mid-1990s, accounting frauds in WorldCom from the late 1990s, and the spectacular collapse of Enron in the early 2000s. We would hope these represented stories that we have learned from, but this is not quite the case. History seems to repeat itself over and over again.

    In February 2008, the board of the French bank, Société Générale, learned that one of its traders, Jérôme Kerviel, had lost $7.2 billion even though he only had approval to put $183 million at risk. But apparently he was able to ignore the limits and took exposures as high as $73 billion, exceeding the entire market value of the bank. The board, executives, and managers failed to react to the reckless bets despite risk management systems and internal controls. This risk governance failure cost the bank, its shareholders, managers, and clients, both money and reputational damages. In December 2008, Bernard Madoff was charged with investor fraud in his Wall Street firm, Bernard L. Madoff Investment Securities LLC, which was engaged in a major Ponzi scheme where they paid returns to investors with proceeds from new investor money. The associated losses were estimated in excess of $50 billion hitting both private and institutional investors around the globe.

    Late in 2008, when the financial crisis rippled through the world, several firms in emerging markets suffered major losses due to failed risk management and governance. Hence, the Brazilian pulp producer, Aracruz, and the meat processor, Sadia, suffered multimillion losses on foreign exchange derivatives. Ceylon Petroleum Corporation (CPC) in Sri Lanka lost hundreds of millions on commodity contracts. In all these cases, the boards, and the government as main shareholder in the case of CPC, asserted that managers had acted without proper authorization. Yet, the final responsibility to the owners remained with the members of the board. Furthermore, the losses and collapses from failed risk handling hurt other stakeholders and the wider community by way of loss of jobs, goods and services.

  • Risk-taking: a fundamental business activity

    Taking risks and dealing with uncertainty in the competitive environment are part and parcel of doing business. Arguably they are the very foundation for creating entrepreneurial progress and corporate value. This is a key observation that underpins this book. Hence, effective oversight of risk-taking is an important governance function and will remain a key responsibility of the board. Thereby, the board of directors and the executive management team must both protect and enhance profitable business activities in the face of the risks and improbable disasters that may arise in an uncertain and unknowable future. While formal risk management approaches can facilitate this, we suggest that proactive risk-taking activities are a necessary prerequisite for dealing effectively with uncertainty and unpredictable conditions as a way of shaping corporate value for the future.

    Strategic risk governance

    In this book, we bring together perspectives and insights from the three academic fields of corporate governance, corporate finance, and strategic management to try to lay out the basic principles for good strategic risk governance practices. While strategic risk governance covers an emerging topic, we see effective risk governance as consisting of three important practice elements: Corporate governance, enterprise risk management, and strategic decision-making (Figure I.1).

    Corporate governance considers the role of the board in its fiduciary role towards the official owners, the shareholders, and their obligations to fend off major disasters while optimizing the value-creating potential of the enterprise. Enterprise risk management is a formal framework that outlines the structure of the risk management process incorporating various risk analytical tools and practices, and thus provides a foundation for identifying, assessing, treating and monitoring all the major risks that could affect corporate performance. Strategic decision-making looks both at the risk analysis that supports forward-looking strategic planning considerations as well as the ongoing resource-committing investment decisions performed to execute the longer-term strategic aims of the corporation. By applying proper practices to guide these three aspects of strategic risk governance, we believe much is achieved towards gaining better and more effective risk management outcomes.

    The book makes a number of assumptions and heeds a number of basic principles. First and foremost, we argue that it is imperative to consider both downside and upside risk exposures, and whereas various risk management frameworks already mention this, they do not provide concrete suggestions on how to accomplish it. We try to fill that gap. Secondly, we see a changing risk landscape emerge in front of us where environmental events become more intertwined and complex and evolve with increasing frequency, thus leading to higher uncertainty and unpredictability. Thirdly, we argue that proactive risk-taking by engaged people throughout the organization is essential for the ability to deal effectively with uncertainty and facilitates strategic responsiveness in the face of unpredictable business and market conditions. Fourthly, basic elements of the organizational structure become essential for effective risk management practices, including a corporate risk aware culture, involving decision processes, open information and communication systems, interactive management controls, and compensation systems that incentivize proactive risk-taking behavior.

    Outline of book

    As we sift through the debris of the recent economic crisis, we are reminded that most business disasters can be traced back to bad risk-taking. In particular, when managers overreach themselves and expose their businesses to the wrong types of risk, or too much of it. The investors in these firms, i.e., stockholders and lenders, will bear the immediate costs of disaster, but the employees, the customers, and, eventually, the taxpayers and society in general will suffer as well. Hence, the governance role of overseeing risk and risk-taking processes in the corporation is important. In this book, we try to outline the proper elements of good strategic risk governance practices, comprised of inputs from the corporate governance, corporate finance, and strategic management fields organized in five sequential chapters.

    [Figure I.1 Building a strategic risk governance framework. Diagram labels: Corporate governance; Enterprise risk management; Strategic decision-making; Strategic risk governance.]

    Chapter 1 defines risk, risk management and risk governance and argues that value creating risk-taking is essential for good risk handling which exploits upside potential and covers for downside losses. The difference between corporate governance and management is spelled out, highlighting the role of each. Risk appetite linked to strategic planning is introduced as part of the board's risk-taking oversight.

    Chapter 2 discusses the roots of risk in insurance and finance and considers uncertainty as the source of entrepreneurial value creation. The analysis of external and internal risk factors is introduced as a way to consider uncertainty in systematic risk classifications. Approaches to deal with uncertain and unforeseeable events are discussed in the context of various risk management frameworks.

    Chapter 3 presents the enterprise risk management approach using a traditional risk adjusted valuation model to guide risk-hedging decisions. The various elements of the formal enterprise risk management process are presented including detailed descriptions of related analytical tools and processes. The aggregate measures of corporate exposure are then linked to capital structure decisions.

    Chapter 4 discusses the changing risk landscape and shows how risk management can help firms make effective decisions for better and more favorable risk-return outcomes where the adverse effects of cognitive biases are reduced. It is shown how effective risk outcomes derive from processes that cover for excessive losses and advance upside gains through proactive strategic risk-taking.

    Chapter 5 distinguishes between problems, risks, and uncertainties that require different risk responses. Scenario discussions and real options reasoning are introduced as possible analytical approaches to dealing with uncertainty. Organizational structure and a risk aware corporate culture are discussed as precursors to proactive risk behaviors in dealing with unforeseeable events.

    We hope you will find the contents useful. Bon appétit!

  • 1 Risk, Risk Management, and Risk Governance*

    SUMMARY

    This chapter defines risk, risk governance, and risk management, and thus lays the cornerstone for the argument that value-creating risk-taking is an essential activity in a well-governed and well managed enterprise. Value creation requires exploiting the upside risk without losing sight of the downside. The discussion, which starts with a layman's definition of risk, presents a textured perspective on risk governance by drawing on corporate governance concepts. We use the differences between corporate governance and corporate management to make plain the relationship between risk management and risk governance and highlight how each activity creates value. The chapter then reviews recent guidance from the corporate governance community, linking risk appetite to strategic planning, and closes by advising a common sense approach by boards to their oversight of risk-taking.

    Risk and risk-taking

    To manage risk, we first have to try to understand risk. In this initial discussion of risk, we explore the definitions of risk and see how different perspectives on risk lead to a richer ability to cope with it. We also look at why traditional definitions of risk fall short and at the consequences of poor or narrow risk definitions for risk management. This basic introduction to risk provides sufficient context for the discussion of risk management and risk governance. However, it is only an initial foray into risk concepts, which will be explored further in Chapter 2.

    Speaking formally of risk, there is no consensus about a single definition of risk.[1] Scholars from various branches of learning interested in the risk phenomenon have tried to give a general definition of risk. However, there is probably no single synthesis capable of including all the complexities of the concept, as well as clarifying the relationship between risk and uncertainty. Given this lack of consensus, a definition from common usage serves to start our discussion:

    Risk is a concept linked to human expectations. It indicates a potential negative effect on an asset that may derive from given processes in progress or given future events. In the common language, risk is often used as a synonym of probability of a loss or of a danger. In the assessment of professional risk, the concept of risk combines the probability of an event occurring with the impact that event may have and with its various circumstances of happening.[2]

    For organizations, four elements/implications of this basic definition are useful:[3]

    Sociological and psychological element. The element of human expectations highlights a potential negative effect (injury) on an asset or a person, which may derive from activities in progress or future events.

    Traditional-insurance element. Risk understood as the aggregate of possible threats. This element presents a partial cross-section of risk because it only considers its negative outcomes (so-called pure risks such as fire risk). These risks are generally represented by the presence of two scenarios: (i) the firm does not experience any loss (there is no negative effect on the company's profit, capital, or other financial measure); and (ii) there is an unfavorable event that is able to generate extensive damage and severe repercussions for the entire enterprise.

    Statistical-financial element. Risk is understood as the standard deviation of a variable from its expected value. Seeing risk as a variability of return draws upon the statistical sciences and it is one of the keystones of the treatment of risk within the field of finance.

    Managerial element. The definition contains implications for managerial actions as risks are future uncertain events that may interfere with an entity realizing its strategic and financial objectives.

    However useful this layman's start, it does not lay out the risk concept adequately. For example, this definition does not clearly distinguish between the concepts of risk and uncertainty and it focuses heavily only on negative implications of risk-taking. Both views lead to dysfunctions in risk-taking. The negative view leads to fear of risk, and arguing that only measurable uncertainty comprises risk will lead managers to ignore unusual risks to which they cannot attach a number.

    * Maxine Garvey

    [1] Altman E. and Roggi O. (2012). Measuring and Managing Risks. Emerging Global Standards and Regulation after the Financial Crisis. World Scientific Press.

    [2] http://www.wikipedia.com (2008).

    [3] Roggi O. (2008). Rischio d'Impresa, Valore e Insolvenza. Aspetti Teorici e Processi di Gestione del Rischio. Franco Angeli.

  • UPSIDE AND DOWNSIDE OF RISK-TAKING

    The statistical-financial element discussed above views risk in terms of randomness and variability. Variability that is not unidirectional can be expressed above or below expectations. This upside and downside view of risks and risk-taking is important as defining risk in terms of only negative outcomes reduces risk management to just risk mitigation or hedging.[4] To include discussions of the returns above expectation highlights a key element of risk taking, that it offers opportunities for excess returns. Any worthwhile definition of risk must capture this duality as both danger and opportunity.

    Defining risk as a mix of danger and opportunity emphasizes that in business you cannot have one (opportunity) without the other (danger or threats) and that offers that look too good to be true (offering opportunity with little or no risk) are deceptive. By emphasizing the upside potential as well as the downside dangers, this definition also serves to remind us of an important truth about risk. Where there is downside, there is an upside (and vice versa). Booms and busts will come and go, and robust enterprises must prepare for both. Managers that excel at risk-taking cope with risk situations with sangfroid and look to manage risk actively in both good times and bad. They scout for opportunities during bad times and in good times they plan for future crises, which will certainly come.

    So while we refer to risk as a generic concept with many nuances, our discussion of risk throughout this book perceives it in terms of offering both opportunity and danger, upside and downside.

    HOW PEOPLE PERCEIVE AND BEHAVE WHEN COPING WITH RISKS

    The litany of corporate failures attributed to poor risk-taking tells a story of bemusing behavior by people entrusted with shareholder investments. Some of the reported conduct bordered on fraud, but many billions were lost by individuals who inadvertently acted in a manner that defied rational thinking, especially when looked at with hindsight. Other studies explore the specific incidents, but in this section we focus on how humans behave when faced with risk. Behavioral finance, social construction perspectives, and an exploration of corporate culture offer instruction to shareholders and board members on how managers (and their staff) behave when they encounter risks.

    [4] Damodaran A. (2008). Strategic Risk Taking: A Framework for Risk Management. Wharton School Press, Pearson Education.

  • Behavioral nance tells us that humans are not merely economiccreatures, the rational information processing machines commonlydescribed in classical economics textbooks. Instead, humans oftenbehave badly in surprising and inconsistent ways.5 Several of theseidiosyncratic behaviors were seen repeatedly in recent crises. Forexample, we become risk-seeking demons when the chips are down.Generally under normal conditions, humans tend to be risk averse,with women and older persons being more risk averse than youngmen. However, this risk aversion is not constant by person. Individualsbehave in a more risk averse manner when the stakes are large than whenthey are small. Under some circumstances, humans can become desper-ately risk seeking. Individuals who have lost money tend to take enor-mous risks to recoup their losses. This, the break-even effect, often causeslosses to pile up as the hapless risk-taker seeks to break even on previouslosses. In another breakaway from risk aversion, humans are drawn totake risks if the potential gain is large in spite of the probability ofwinning being small (the long-shot bias). Consistent with these twotypes of risk-seeking behaviors, a quick review of press coverage ofbanks that suffered losses in the recent crisis would reveal many storiesof traders trying to recover initial losses by taking big, long-shot bets thatresulted in even more damage to shareholder wealth (Table 1.1).In another departure from rationality, losses are felt more keenly than

    equal (but opposite) gains are enjoyed. This is called loss aversion.Further, whether a choice is seen as risky or not is very dependent onhow the matter is framed.6 Also, it is true that risk perceptions changeover time depending on the external economic conditions (Box 1.1). Thisimportance of context has signicant implication for managerial andboard level discussions as skillful presentations can obscure the trueperils that lie underneath. In another human quirk with risk-taking

    Table 1.1 Common features of the rogue trader

    Relatively young male traders seen as a star Internal pressure to bring high prots Risk-taking cultural environment Protable departments Initial warning signs are ignored Initial smaller loss which trader tried to cover-up leads to big gambles

    5 See, for example, Shefrin H. (2008). Ending the Management Illusion: How to DriveBusiness Results Using the Principles of Behavioral Finance. McGraw-Hill.

    6 Tversky A. and Kahneman D. (1981). The Framing of Decisions and the Psychologyof Choice. Science, 211.


  • BOX 1.1 CHANGES IN RISK PERCEPTION OVER TIME7

    The higher the perceived risk, the higher the compensation the investor wants in terms of future returns. The extra compensation required to invest in risky assets is expressed by the difference between the risky bond rate and the risk-free rate referred to as the default spread. Investors see more risk in equity and, therefore, will demand higher expected returns as compensation. The difference between the expected return on equities and the risk-free rate is called the equity risk premium (ERP). Looking at the default spread of a Moody's rated Baa corporate bond with intermediate default risk and the equity risk premium in the United States over the period from 1960 to 2009, we notice dramatic changes in the risk compensation over time (see Figure 1.1 below).

    It is quite clear that while investors have stayed risk averse through history (the premiums would be zero, if that were not the case), both assessments of risk and the price of risk have changed over time. Investors were charging far higher prices for risk in 1978 than they were in 1999, and again in 2008, after the banking crisis, than in 2007. In other words, the investment and general business climate changes over time and affects the way investors and corporate decision-makers perceive risk and value financial assets and commercial ventures.

    [Figure: line chart of two series, "Baa-T.Bond Rate" and "ERP", by year from 1960 to 2008; vertical axis "Premium (Spread)", 0.00% to 7.00%]

    Figure 1.1 Default spreads on equity and corporate bonds 1960–2009

    7 This example draws on Aswath Damodaran's website with permission (http://pages.stern.nyu.edu/~adamodar/New_Home_Page/home.htm: Damodaran Online: Homepage for Aswath Damodaran).


  • implications, everyone finds it easier to gamble with money they came by easily (the house money effect). This is not only an individual-level phenomenon; in organizational contexts, the appearance of excessive slack and excess resources can lead to reckless risk taking.

    Social constructivists argue that organizations and societies are engaged in conceptualizing risks into their perceived existence. Products, practices, and activities are seen as dangerous, or risky, through a process of developing shared meanings among people within an organization or across a community. This constructivist approach differs from the realist approach often observed in professional fields like medicine, economics, finance and engineering where risks often are conceived as objective, measurable, assessable and independent of the related social processes. Constructivists explore risk as social phenomena resulting from value judgments, belief systems, social biases, moral positions, shared past history, and political processes. Societies decide, consciously and unconsciously, what, whom, and when something is risky or not.8 For example, societal selection processes are what give rise to public concern about war, pollution, immigrants, ethnic groups, and in seeing certain chemicals as dangerous and risky. Organizations are also systems of shared meaning and their internal social interactions and culture shape the context in which risk-taking occurs.9

    The cultural context within which risk-taking takes place should be one of the main concerns of a board. The firm's leadership creates and manages the organizational culture and should set the tone from the top.10 Organizational culture is the basic assumptions and beliefs shared by members of an organization. It is a learned product of group experience where the group has repeatedly shared success in solving the problems of integration and survival. Cultural elements are both visible and invisible. The most visible elements are the physical artifacts seen in firms, whereas the shared underlying assumptions (the deepest and real level of culture) are less so.

    Within organizations, there are subcultures where different departments may develop slightly different cultures. The business press increasingly speaks of risk cultures with organizations referring to the values that guide their risk-taking behaviors. The values provide a normative moral guide on how to deal with risk situations, particularly around uncertain, uncontrollable, and rapidly evolving events. Risk

    8 Douglas M. and Wildavsky A. (1982). Risk and Culture. University of California Press.

    9 Smircich L. (1983). Organizations as Shared Meanings, in Pondy L.R. et al. (eds.), Organizational Symbolism, JAI Press.

    10 Schein E.H. (1985). Organizational Culture and Leadership. Jossey-Bass.


  • cultures would also include the behaviors related to risk-taking enforced by the kinds of conduct that are rewarded and praised. When risk-taking situations arise in the absence of written rules or clarity, the risk culture acts as the dominant control and guidance mechanism.

    The main point is that risk is a complex concept and risk-taking has both an upside and a downside. Furthermore, good risk-taking requires that both quantitative and qualitative factors are brought into the analysis before any actions are taken. The next section discusses corporate governance and the rest of the chapter explores good risk governance practice.

    Corporate governance

    Whenever people organize for a common purpose, governance becomes a concern. Essentially governance is concerned with the exercise of power by the organized group for the agreed purpose.11 In a nation or a firm with dysfunctional governance, the power and resources of the group are diverted to purposes not envisaged when the entity was established. Often the diversion serves a particular sub-group, which has appropriated power.

    Corporate governance often refers to the mechanisms used by suppliers of finance (debt holders and shareholders) to ensure that they will receive a fair return on their investment.12 Ultimately, it is about the exercise of power in the corporation (Box 1.2). The use of this definition signals that this book cleaves to the finance-economics perspective of corporate governance. We find this appropriate given our focus on value and the use of risk adjusted cash flows in assessing value. However, the discussion of corporate governance includes other theoretical approaches to corporate governance.

    Regardless of the definition of governance favored by particular practitioners or academics, there is general agreement that governing a corporation and managing a corporation are distinct activities. Bob Tricker (2012) sliced to the heart of the difference when he argued that if corporate management was about running a business then corporate governance was about seeing that the business was well run.13 Both

    11 Clarke T. (ed.) (2004). Theories of Corporate Governance: The Philosophical Foundations of Corporate Governance. Routledge.

    12 Shleifer A. and Vishny R. (1997). A Survey of Corporate Governance, Journal of Finance, 52.

    13 Tricker B. (2012). Corporate Governance: Principles, Policies and Practices. Oxford University Press.


  • managing and governing are vital activities in creating value and every corporation needs managing as well as governing.

    Governing and managing a corporation are bound in a hierarchical relationship. In a well-governed enterprise, the shareholders (or the representatives of their choosing) are the governing actors, enjoying the upper hand and providing oversight. Managers are responsible for operational decision-making and action subject to this active oversight (Figure 1.2).

    A vivid line from a film helps us visualize this relationship. The film's protagonist declares: "You see, in this world there's two kinds of people, my friend. Those with loaded guns and those who dig. You dig."18

    Crudely applied, if the movie was about a well-structured corporate

    BOX 1.2 DEFINITIONS OF CORPORATE GOVERNANCE

    There are many workable definitions of corporate governance, which either add nuance to the financial economics perspective or add other useful dimensions to the governance concept, such as, explicitly taking a stakeholder approach. As with risk, there is still no single consensus definition.

    Corporate governance is concerned with the resolution of collective action problems among dispersed investors and the reconciliation of conflicts of interest between various corporate claimholders.14

    A corporate governance system is the complex system of constraints that frame the ex post bargaining over the quasi rents that are generated by an enterprise.15

    Corporate governance is the system by which companies are directed and controlled.16

    Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance provides incentives for managers and directors to pursue objectives which are in the interest of the company and its shareholders.17

    14 Claessens S. and Yurtoglu B. (2012). Corporate Governance and Development – An Update. Global Corporate Governance Forum, International Finance Corporation, Washington D.C.

    15 Zingales L. (1998). Corporate Governance. The New Palgrave Dictionary of Economics and Law, MacMillan.

    16 Cadbury Report (1992). The Financial Aspects of Corporate Governance. Burgess Science Press.

    17 OECD (2004). The OECD Principles of Corporate Governance.

    18 Said by Blondie in the movie The Good, the Bad and the Ugly (1966).

  • governance world, the shareholders would be holding the loaded guns and the managers (and employees) would be digging.

    CORPORATE GOVERNANCE: AVOIDING GREED, SLOTH, AND FEAR

    A series of scandals, including Enron, Tyco, Parmalat, Satyam, Lehman Brothers, and others, made corporate governance a familiar term on the nightly news and in the daily newspapers.19 However, governance of the corporation has been a challenge from the founding of the first limited company. It was Berle and Means that brought incisive thinking to this issue and turned to academics to untangle the moral hazards arising from the separation of ownership and control characteristic of the corporate form. One essential issue is that corporate insiders need not (and often do not) act in the best interests of the owners and debt holders.20 In running an enterprise, the corporate insiders (i.e., executives, managers, and employees) are the agents of the providers of financing, many of whom are not insiders. Corporate governance is concerned with conflicts between various claimants to the quasi rents arising from the firm (Figure 1.3).

    What exactly do suppliers of finance have to fear from insiders, particularly from managers? Recent scandals provide us with a litany of potential sources of loss arising from managers stealing, self-dealing, awarding themselves excessive perks, empire building, using entrenchment strategies, taking undeserved compensation, and hiding poor performance using accounting manipulations. These maladies are typical of

    [Figure: diagram with the labels Corporate Governance (Oversight, Accountability, Supervision); Corporate management; Strategic management; Executive Management (Decision making and control; Operational management)]

    Figure 1.2 A simple view: management vs. governance

    19 Already the Asian crisis of 1987 had awakened interest in corporate governance among regulators, international organizations and academics after decades of inactivity in this sphere.

    20 Berle A., Jr. and Means G. (1932). The Modern Corporation and Private Property. Commerce Clearing House.


  • poorly governed firms with widely dispersed, small shareholders. These misbehaviors dominate the public perception of governance failures due to the media focus on listed enterprises. The public has also been treated to lurid headlines about corporate governance disputes in family firms, such as the feud between the Ambani brothers of Reliance Enterprises in India. This dispute arose, as is often seen in family firms, upon the founder's death as the heirs wrestled over ownership. Even if no-one dies, family members who are managers and controlling shareholders frequently clash with their relatives who are owners but not managers. State-owned enterprises also have their peculiar corporate governance failures usually as a result of multi-agency conflicts arising from citizen-shareholders and a lack of clear commercial objectives.

    Practitioners and academics take two broad approaches to coping with moral hazards arising from the agency problems in corporations: alignment of incentives; and monitoring.21 Performance based compensation, implicit incentives (e.g., threat of dismissal or reputation impairment), and product market competition help make managers work to ensure the well-being of the firm and its shareholders. Good incentive devices ensure that managers, the firm, and shareholders gain or lose jointly.

    In practice, designing appropriate incentives proves the cliché that the devil is in the detail. Managers are paid in three ways: through salary; shares; and stock options plans. The latter two are often structured as performance incentives. The press focuses on the level of pay but it is the

    [Figure: diagram of three conflicts: Managers vs. Shareholders; Majority SHs vs. Non-controlling SHs; Shareholders vs. Other stakeholders]

    Figure 1.3 Three key governance conflicts

    21 Tirole J. (2005). The Theory of Corporate Governance. Princeton University Press.


  • structure of the compensation package that concerns governance specialists. Bonuses are usually paid using accounting-based measures of firm performance. The most popular bonus measures used by firms include earnings per share, total shareholder return, return on equity, return on capital employed, and return on assets. However, accounting measures are subject to manipulation by managers and tend to encourage a focus on short-term outcomes. Stock and stock options gained popularity for a longer-term orientation and lower susceptibility to managerial manipulation. However, they too have proved to have their shortcomings. For example, when their stock options are underwater, managers may be tempted to take aggressive risks to try to bump up stock prices. It has been almost impossible to design an optimal incentive system that aligns the interests of managers and shareholders.

    The providers of financing increasingly rely on monitoring by boards, rating agencies, external analysts, bankers, bondholders, auditors, activist investors, corporate raiders, large shareholders, regulators, and other parties to rein in corporate abuses and resolve conflicts. Various associations of monitors have developed numerous codes, professional practice norms, and rules to make monitoring foolproof. However, the continued flow of corporate governance failures indicates how difficult it is for external monitors to detect and act on poor conduct. Furthermore, many of the monitors find themselves with conflicts of interest when performing their supposed independent roles. For example, prior to the enforcement of the Sarbanes-Oxley rules in the US, many accountants earned such large fees from consulting to the firms they were monitoring, that their auditing lost fervor and objectivity. Effective monitoring occurs only if the monitors remain committed and effective. In practice, the uncomfortable question of how to monitor the monitors remains unanswered.

    Although corporate governance mechanisms are concerned with both the rights of debt holders and shareholders, it is the latter group that attracts the bulk of efforts to create incentives and to monitor. This is because shareholders are generally more vulnerable to moral hazard than debt holders. Of course, shareholders also have more to gain as they have residual claims to upside gains from the firm. The debt holders can only regain their principal and the earned interest. Holders of debt often have collateral and are protected by well-developed bankruptcy laws. Often their legal contracts allow creditors to act individually to retrieve their money from firms and their deviant managers.

    Despite the higher potential upside, shareholders have no collateral for their investment. Once they have taken the plunge and paid over their cash, they obtain rights to vote for a board and other matters at the


  • annual general meetings as set out in their respective articles of association and charters. If they are unhappy with how the firm in which they have invested is doing they have a right to sell at the going rate to another potential investor. If they wish to keep their stake but to unseat the managers, they will have to persuade other shareholders to join their action in voting or in filing in the courts. Both paths are painful. Both require resources – time, and money – to organize the required collective action (Table 1.2). Varied corporate governance codes, laws, and regulations provide corporate governance mechanisms to help shareholders to surmount this collective action problem.

    Countries have different devices for monitoring managers, varied incentives for alignment of interests and a range of collective action mechanisms. These combine with country culture, local legal and judiciary traditions, varied enforcement capabilities, corporate traditions, and other local features to produce idiosyncratic country-specific governance environments. These corporate governance environments fall within four general groupings: (i) Anglo-Saxon common law legal traditions (e.g., Britain, the United States); (ii) Latin European civil law legal traditions (e.g., France, Italy, and Spain); (iii) Northern European civil law traditions (e.g., Germany and Scandinavia); and (iv) Asian corporate governance traditions (e.g., Japan, Korea). Notwithstanding these regional groupings, within each, there is wide variability between individual countries. However, strains of these four traditions are identifiable worldwide as many former colonies adopted the legal traditions and corporate governance environments of their former colonizers. Due to their histories, the former Soviet republics have a different patchwork of governance environments. China, with its powerful hybrid economy, has its own novel corporate governance arrangements. These national institutional environments, exogenous to each firm, determine the outcome of corporate governance conflicts as they determine shareholders' and debt holders' rights (Table 1.3).

    Table 1.2 Addressing the collective action problem

    Electing a board of directors who represent shareholders' interests and to which the CEO is accountable

    Facilitating takeovers or corporate raiders that temporarily concentrate voting power to remove an inefficient manager

    Ensuring active, continuous monitoring by the holder of a large block of shares

    Aligning managerial interests with shareholders through design of the manager's compensation contracts

    Defining legal fiduciary duties clearly for CEO and directors and then facilitating lawsuits (usually class action)


  • Studies show that the different legal systems provide very different levels of investor protection and the different levels of investor protection drive patterns of ownership of debt and equity in that country.22 For example, where there is the strong investor protection that is usually found in common law countries, firms have widely-held shareholdings. Even more far-reaching, poor investor protection reduces corporate risk-taking.23 Managers (and insiders) in countries with weak investor protection are able to appropriate a good chunk of corporate assets for their own personal welfare. Often they invest more conservatively to protect these private benefits. They avoid even value-enhancing risk opportunities if there is any possibility that their private benefits will be threatened. Conversely, strong investor protection encourages managers (and insiders) to engage in more value enhancing risk-taking.

    Boards have carried increasing responsibilities for the collective action mechanisms over the last decade. Twenty years ago, a newly appointed

    Table 1.3 The Corporate governance environment – countries differ

    Possible Dimensions of National Governance Differences:

    Disclosure requirements and accounting standards

    Securities regulations and stock exchange rules

    Shareholders' rights, proxy rules

    Mergers and acquisitions practices

    Shareholding patterns

    Fiduciary duties of directors, officers, and controlling shareholders

    Bankruptcy and creditors' rights

    Financial media and analysts

    Credit rating agencies

    Role of state controlled enterprises

    Role of sovereign funds

    Role of family companies, ethnic, and network ties

    Labor relations and laws

    Financial sector practices

    Tax and pension policies

    Judicial and regulatory enforcement

    Understanding of corporate citizenship

    Competition on product and capital markets

    Market for managers, labor, and corporate control

    Universities and civil society

    22 La Porta R., Lopez-de-Silanes F. and Shleifer A. (1999). Corporate Ownership Around the World, Journal of Finance, 54.

    23 Kose J., Litov L. and Yeung B. (2008). Corporate Governance and Risk Taking, Journal of Finance, 63(4).


  • corporate director could expect a cushy role with good perks, enjoying comradeship with managers. In this kind of boardroom, it was easy to forget that shareholders nominated directors to monitor the managers. However, the outrage at boards' behavior (some of it unfair and misplaced) arising after the corporate governance scandals worldwide has led directors to sharpen their focus on their fiduciary duties to the shareholders.

    To support this change to increased accountability, many countries and international organizations have delivered new corporate governance codes outlining the specific responsibilities of directors. While the details vary, there is wide consensus that the directors' role is one of oversight, not to undertake operational duties. Directors approve corporate strategy and major decisions such as asset disposals, acquisitions and mergers. They also oversee the compensation of managers, risk-taking, and the integrity of internal controls and financial reporting (Table 1.4). The entire board has responsibility for oversight although they often assign specific tasks to board committees for governance, risk, audit, and compensation.25

    A director has a tricky job. She has to monitor the manager. This same manager enjoys the benefit of greater information flow about the firm than she does. She has to act as advisor to the manager. She has fiduciary

    Table 1.4 The role of directors according to the OECD24

    A. Board members should act on a fully informed basis, in good faith, with due diligence and care, and in the best interest of the company and the shareholders

    B. Where board decisions may affect different shareholder groups differently, the board should treat all shareholders fairly

    C. The board should apply high ethical standards. It should take into account the interests of stakeholders

    D. The board should fulfill certain key functions, including reviewing corporate strategy, risk policy, monitoring governance practices, selecting key executives and aligning their remuneration, ensuring transparent board nominations, managing potential conflicts of interest, ensuring the integrity of accounting and reporting with appropriate systems of control, systems for risk management, and compliance with law and standards

    E. The board should be able to exercise objective independent judgment on corporate affairs implying, e.g., assigning a sufficient number of non-executive board members and well defined committees of the board.

    F. In order to fulfill their responsibilities, board members should have access to accurate, relevant, and timely information

    24 Extracted and summarized from the OECD principles (Principle VI, in particular, provides useful guidance on the responsibilities of directors).

    25 Tirole J. (2005). The Theory of Corporate Governance. Princeton University Press.


  • duties to the shareholders. She has to help the manager make social and business connections but she cannot materially benefit from her connections to the board on which she serves. She cannot herself undertake managerial actions but can find herself excoriated for the firm's failures. Directors could argue, with more than a modicum of reason, that the job is impossible to get right.

    In summary, good corporate governance arrangements restrain greed without encouraging sloth and fear. Greed is seen when managers or large shareholders make decisions for their own benefit, but which impair the benefits of the shareholder community. Sloth arises when managers are so tightly controlled they lose their flair for the risk-taking needed to build value. Instead of displaying value seeking verve and enterprise, they apply themselves to administration and bureaucracy. Fear makes managers nervous and fearful of their investors, unable to attend creatively to execution of their jobs and reluctant to communicate frankly with the suppliers of finance. Achieving good governance arrangements requires having balance between the various governance mechanisms and a sensible approach by all stakeholders.

    Risk governance

    As the economic recession of 2008 swept through the industrialized economies, it became clear that something had gone seriously awry with how banks and other firms handled their risk-taking activities.26 The trouble at firms that were previously lionized as corporate exemplars, such as, Citibank, Deutsche Bank, Royal Bank of Scotland, and UBS, revealed widespread weaknesses in how boards undertook the oversight of risk in their enterprises.

    Risk management and governance are complex and dynamic activities. In many corporate failures, directors often lacked the knowledge and risk vocabulary to engage effectively in overseeing the senior executives. This weakness impaired their ability to execute their fiduciary duties and their failures threatened the very survival of the firms they governed.

    Risk governance is a relatively new term with little consensus definition in the field of corporate governance. However, for the purposes of discussion in this book, we will treat risk governance in firms as concerned with how directors authorize, optimize, and monitor the

    26 Several would argue that the financial crisis was apparent since 2007 whereas others note 2009 as the nadir.


  • risk-taking within an enterprise. It includes the skills, infrastructure (i.e., organization structure, controls, and information systems) and culture deployed as directors exercise their risk oversight. Good risk governance provides clearly defined accountability, authority, communication, and reporting mechanisms.

    The risk oversight role is the responsibility of the entire board of directors. However, some boards use risk committees to assist them in fulfilling their responsibilities. The risk committee may be set up independently or its work may be combined with that of the audit task and assigned to a combined audit and risk committee (Appendix 1).

    RISK GOVERNANCE VS. RISK MANAGEMENT

    Earlier we looked at the difference between corporate governance practices and corporate management and pointed out an essential difference between oversight activities and operational activities.27 Risk governance and risk management bear a similar relationship to each other (Figure 1.4). Risk governance responsibilities fall to the directors as a part of their fiduciary oversight duties.

    Risk management is not the same activity as risk hedging. Over time, some interpretations of risk management started to mean risk hedging with the main objective of eliminating and dampening risk exposures. Perhaps three sources of influence are to be blamed for this creeping redefinition of risk management: human nature; the bankers; and agency conflicts.28 People remember losses (the downside of risk-taking) far more clearly than they recall profit (the upside of risk-taking). After market downturns and natural disasters, we latch on to risk hedging products and pay hefty fees to the purveyors of such pain-sparing products. Even in good economic times, bankers and others who create insurance, derivatives, and swap products hawk them vigorously as risk management products.29 As these are revenue generators for the financial community, they have a vested interest in highlighting the virtues of risk hedging. From a corporate governance perspective, the tendency to insure against risks could arise from the conflict of interests between

    27 This is a rough approximation as the corporate governance mechanism extends beyond oversight activities.

    28 Damodaran, A., (2007). Strategic Risk Taking: A Framework for Risk Management. Wharton School Publishing, Pearson Education.

    29 See, for example, Andersen T. J. (2006). Global Derivatives: A Strategic Risk Management Perspective. FT Prentice-Hall, Pearson Education.

  • managers and stockholders. As pointed out by Berle and Means (1932) this potential conflict is inherent in the separation of management from ownership in most publicly-traded firms. Managers tend to try to protect their jobs by insuring against risk rather than seeking value-enhancing risk-taking. They do this even if the suppliers of financing gain nothing from the hedging activities.

    Hazard, financial, project risk, and enterprise risk management

    Over time several sub-disciplines have arisen in risk management practice, largely driven by the placing of these activities into different organizational departments and units. The risk management (RM) practices thus cover several different activities including traditional hazard, financial and project risk management. However, the umbrella enterprise risk management (ERM) and strategic risk management (SRM) approaches engage the entire organization, its senior executives and board members as these risk activities require the highest levels of organizational attention.

    TRADITIONAL RISK MANAGEMENT (TRM)

    Traditional risk management (TRM) is often undertaken by the insurance department, emphasizing pure risk coverage tools and techniques

    [Figure: diagram with two blocks. Risk Governance: setting risk appetites and policy; cultivating risk cultures (tone at the top); responsibility of entire board; audit committee, audit and risk committees, risk committees. Risk Management: CEO / CRO; responsible for operational tasks; hedging and treasury]

    Figure 1.4 Risk governance vs. risk management

  • including risk prevention, protection, and coverage through transfer to third parties (insurance policies and other risk transfer instruments).30 This approach contributes to the creation of value, the guiding principle of corporate finance, by minimizing downside risk and includes processes known as crisis management, risk forecasting, and business continuity. These techniques have the general objective of handling pure risks that may arise during the life of an enterprise.

    FINANCIAL RISK MANAGEMENT (FRM)

    Financial risk management (FRM) is typically undertaken by the treasury unit, mainly addressing the challenges of managing financial risks originating from fluctuating market conditions, e.g., interest rates, foreign exchange rates, and commodity prices. FRM is most widespread and developed in banks and financial institutions, but it is also growing among non-financial enterprises due to the wide use of derivative instruments on foreign exchange and interest rates. The large variety of tools introduced to the derivatives market provides a number of new ways to cover profit risks with opportunities to reorganize the capital structure.

    PROJECT RISK MANAGEMENT (PRM)

    Project risk management (PRM) is typically used by technical specialists responsible for implementing large public and private projects, where identified risks are analyzed and handled. PRM is particularly applicable to construction, large public works, and advanced mechanical industries including aeronautics, space- and naval engineering, but can also be applied across commercial investment projects in any firm. The objective of the project is typically to build and manage a given structure, so the key objective of PRM is often to limit downside risks generated during the project execution. When dealing with major structures that can be very complex, there can be risks of service interruption caused by meteorological events and geologic incidents. In addition, the project may be exposed to effects of postponed cash flows from unexpected project delays, etc.

    30 This risk classification draws on Roggi O. (2008). Rischio d'Impresa, Valore e Insolvenza: Aspetti Teorici e Processi di Gestione del Rischio. Franco Angeli.


    ENTERPRISE RISK MANAGEMENT (ERM)

    Enterprise risk management (ERM) is intended to provide a more comprehensive and holistic approach to managing risk, thus avoiding the pitfalls of a silo approach where different risks are handled separately without considering interacting effects between them. Prior to more widespread use of ERM, organizations tended to isolate the management of different risks without assessing how they could affect each other. For example, the treasurer managed currency exposures, the sales or credit manager managed credit risk, commodity traders and purchasing officers managed commodity price risks. Insurance risk managers handled hazard risks. Personnel managed human resources risks. Quality and production managers were responsible for containing production risk. Marketing and strategy departments attended to competitive risks, and so on. However, there was little effort devoted to an overview of aggregated exposures and coordinated risk management activities across the enterprise, where risks might augment each other (and multiply) or cancel out across diversified exposures.

    Hence, the aim of ERM is to create an overview of corporate risks and coordinate risk management activities throughout the enterprise as needed. For example, in a conglomerate where one division is long in currency A and another division is short in the same currency, each responsible divisional manager may purchase separate currency hedges if the firm adheres to a silo approach. However, this is not value enhancing when viewed from an enterprise-wide approach because the conglomerate already has a natural diversification hedge. With good ERM this risk diversification advantage will be enhanced and executed effectively. However, diversification from natural hedges is not the only effect observed across complex organizations. In the recent economic recession, we saw that many risks were positively correlated with reinforcing effects under the extreme stress of financial crisis. The coordination function of ERM is often vested in a Chief Risk Officer (CRO) position as head of a corporate risk office, which reflects increased risk governance activity with direct board oversight.

    STRATEGIC RISK MANAGEMENT (SRM)

    It is natural to think of strategic risk management (SRM) as an extension of the ERM concept and as a way to emphasize the importance of managing operational and strategic risk factors to achieve longer-term corporate objectives. Hence, the SRM approach is involved in identifying, measuring and handling both pure and financial risks but also takes a special interest in speculative strategic risks with particular concerns for proactive risk-taking initiatives. TRM and FRM are focused on a limited number of pure and market-related risks and, therefore, constitute subsets of the techniques presented under the name of ERM which has broader concerns for enterprise-wide risk effects. PRM has a more limited and focused range of actions related to specific project activities that may, however, be linked to the firm's strategy execution. Hence, SRM can be seen as the highest level of corporate risk-taking consideration, comprising TRM and FRM as well as PRM and ERM approaches while supporting directors in their concerns for risk governance. We will discuss these issues further in subsequent chapters.

    OBJECTIVE OF RISK GOVERNANCE AND RISK MANAGEMENT

    Ultimately, the objective of governing and managing risk is to make the firm more valuable. For directors and managers, this is the primary objective, regardless of whether they view this as value to shareholders or value to a wider group of stakeholders. Fortunately, classical finance provides robust techniques for valuing enterprises. The most frequently used method is the discounting of future cash flow to the firm at a risk-adjusted cost of capital. For risk management purposes many would point out that using the capital asset pricing model (CAPM) for calculating risk-adjusted capital has the double benefit of accounting for all the risk that a firm's decision-makers arguably need to concern themselves with, namely the market risk. The argument is that all other risks are firm specific risks that can be diversified away by the individual investors in the firm's shares. As the shareholders can handle firm risk through their own portfolio diversification, it should not add value to be concerned with these types of risks. From this viewpoint, CAPM can be used in assessing projects, investments and business activities as a ready-to-use approach for guiding risk-taking within the firm. In subsequent chapters we will relax this assumption and discuss situations where attention to firm risks is part of the value creating potential of firm-specific risk-taking initiatives when responding to changing business conditions.

    Enterprise approaches to risk management also use valuation techniques at various points in the process to ensure that the risk decisions taken will have positive value effects. These valuation efforts typically deploy the discounted cash flow methodology used in the capital asset pricing models. In adopting these valuation methods, the risk analysts need to estimate the effect of each risk on firm value and determine the cost of managing each of these risks. Hence, if a risk reduction initiative is costly, the decision-makers must decide whether the benefit to firm value can justify the costs of risk handling.

    Role of the board in risk-taking

    An important task for boards related to their corporate strategy work is the approval of risk-taking business initiatives and formulating the related risk-taking policies. A firm's risk-taking policy must be aligned with its strategic aims, capital budgeting plans, and financial and compensation structures. A risk-taking policy involves specifying the types and degree of risk a company is willing to accept in pursuit of its overarching goals. It is thus a crucial guide for executives that must manage risks to meet the company's desired risk profile and performance targets (Box 1.3).31 The board is also instrumental in driving the development of an appropriate risk culture, which regulates the spirit of risk-taking behavior, particularly in new and rapidly evolving situations where a written policy is not yet promulgated.

    BOX 1.3 TEA AND COFFEE PLANTATION IN KENYA

    A commercial Kenyan farm, producing tea and coffee for the European, Asian, and US markets, faces a range of risks. These risks include the vagaries of weather, particularly drought, changes in government policy, ethnic strife affecting the workforce, commodity price fluctuations, and exchange rate fluctuations. The farm is owned and operated by the second generation of the founding family. The board consists of the three siblings running the business, their accountant and the export sales manager. The directors have taken a decision that they will not retain any foreign exchange risks as the siblings are of the view that they do not have the expertise to cope with foreign exchange fluctuations. They are confident that their knowledge of Kenya enables them to assess, evaluate and treat the weather and political risks. As a result of their aversion to foreign currency risk, their risk-taking policy is to avoid or hedge this risk almost completely. They sell their produce to a middle-man trading company that sets the contracts in Kenyan shillings. In addition, forward contracts are used to limit exposure on any inputs that need to be purchased in foreign currency.

    31 A firm's risk profile is a snapshot at a specific time of perceived risk exposures from the perspective of its managers.


    The attitude towards risk-taking among decision-makers in an enterprise (or more formally their risk aversion) will be reflected, in aggregate, in the corporate risk-taking policy, whether this policy is explicitly stated or is implied through behavior. In discussing the enterprise risk management approach later in the book, we will look at various managerial decision points where the decision-makers' attitude to risk will drive the actions taken.

    For directors to meet their obligations in guiding risk-taking, they must have sufficient grasp of risk issues to engage the managers and executives in the firm. The board members in the risk committee must have a high level of competence in skills related to risk-taking. Each of the directors should understand the breadth of risks that confront the enterprise and how these risks reinforce or cancel out. Further they should be able to assess risks from the perspective of multiple stakeholders.

    Risk aversion, policy, tolerance, capacity, appetite, culture, etc.

    One of the most perplexing features of the risk governance and management world since the financial crisis of 2008 has been the rapidly expanding nomenclature around risk oversight by boards. Risk appetite, risk appetite framework, risk tolerance, risk culture, risk limits, and risk capacity are newer terms in the risk-taking lexicon that have come into vogue recently or undergone a change in usage, particularly among the corporate governance and accounting community. The precise meaning and metrics of these terms are evolving and thus there is still considerable inconsistency in their use.32 In time, academics in finance, economics, and management will come to the aid of practice by developing more robust constructs backed by theoretically and empirically rigorous work.

    The term risk aversion has the benefit of long use in the corporate finance community and thus there is consensus about the concept, its measurement and its implications for behavior. Fortunately, the current governance usage of risk appetite and risk tolerance appears to be rooted in the more robust concepts of risk aversion and risk policy. Individuals show various attitudes to risk: they may dislike risk (risk averse), be neutral to risk (risk neutral), or they may love taking risks (risk loving).33

    32 In February 2013, the Financial Stability Board announced an effort to develop a common nomenclature for terms used in risk appetite statements. The result of their efforts is expected by the end of 2013.

    However, risk appetite is one of the terms now used within the governance community in a different way than it has been used for years by economists. The economists developed theoretical (based on models) and a-theoretic (based on statistical analysis of market data) economic risk appetite indices to test market sentiment for risk-taking.34 This view of risk appetite is a macroeconomic perspective rather than the micro-perspective in which the governance community is starting to use the term. These market indices measure the willingness to take risks, with the risk appetite depending on: (i) the risk aversion or the degree investors are repelled by uncertainty about consumption in the future; and (ii) the perception of the factors that drive the uncertainty about future consumption. Risk aversion is a personal characteristic and thus is fairly stable as it reflects deep preferences. However, risk appetite fluctuates as investors respond to macroeconomic uncertainty about the fundamental factors that drive asset prices. When the market has low risk appetite then the cost of capital rises, restricting business investment. When the risk appetite is high, booms in credit and assets prices are evident. Economists measure risk appetite using changes in risk premium and by making inferences from changes in investors' portfolios. The International Monetary Fund, the Bank of International Settlements, Bank of England, Goldman Sachs, JP Morgan, etc., all track market sentiment using risk appetite indices. Of course, the macroeconomic view of risk appetite as a market aggregate is related to the risk appetites of individuals and firms that make up that market.

    RISK APPETITE STATEMENTS BY THE BOARD

    Relatively recently, that is, around 2008, the extended corporate governance community has taken up the use of the term risk appetite, encouraging and mandating boards to formally approve their firm's Risk Appetite Statement. We expect this trend to intensify, making approval of risk appetite statements a routine part of a board's annual work cycle. It should be noted that this is not necessarily a simple or straightforward task due to the somewhat ambiguous nature of the risk appetite concept.35 However, discussions in the board about risk appetite will undoubtedly elevate risk awareness, which is useful in its own right.

    While there is no consensus, there is a distinct trend to view a firm's risk appetite as comparable to the risk objective required by investment advisors for individuals wishing to build an investment portfolio. The potential investor is asked (or their preferences are evaluated by questionnaire) whether she or he is risk-seeking and thus suited to investing aggressively in equity and derivatives, or if they are conservative and wish to buy safer financial instruments, such as Treasury bonds. Similarly, risk appetite can be understood to be the amount of risk the firm is willing to undertake to achieve its strategic objectives and to secure value for its stakeholders.

    Standard and Poor's (S&P), the rating agency, and an influential monitor as seen from the agency theory perspective discussed earlier, perhaps triggered the widespread use of this term when they started to assess enterprise risk management frameworks in 2006 as a part of their rating methodology for financial firms. S&P announced that a strong ERM would include a well-defined risk appetite framework. Further impetus for financial institutions to use this risk appetite approach also came from the Committee of European and Insurance and Occupational Pension Supervisors, who, in a consultation paper, asserted that a clearly defined risk strategy included a risk appetite statement and related risk limits. The Financial Stability Board (FSB) added to this direction when in February 2013, after a peer review of risk governance, it recommended that national supervisory authorities provide specific guidance to their financial services firms on the key elements of a risk appetite framework. The FSB argued that risk governance frameworks should consist of three lines of defense: (i) the board and front office; (ii) the entity-wide risk management framework; and (iii) an audit function that provides independent assessment of the risk governance framework.36 Non-financial firms, many of whom also got into trouble during the Great Recession, have also joined the move to using risk appetite statements.

    The risk appetite adopted by a firm should be tied to the firm's strategy as a part of good risk governance. However, the linkage mechanisms are still unclear and are likely to differ by industry and by firm. In 2010, S&P announced that it now assessed the integration of the risk appetite process with the firm's strategy and culture. This new emphasis recognizes a shift within firms from using the risk appetite framework for protecting value (coping with risk downside) to also creating value (exploiting the risk upside).

    For boards that are starting to craft risk appetite statements, there is a dearth of good examples to follow. Many of the recently published materials on risk appetite are often contradictory as the governance and risk practice communities feel their way toward more refined approaches. Notwithstanding the relative disarray, a review of several recent practice-oriented contributions can provide some useful information on how this active conversation on risk appetite and its linkage to strategic planning is developing. To this end, we provide summaries of discussions of risk appetite offered by the Institute of International Finance (2009), the Institute of Risk Management (2011), the Society of Actuaries in Ireland (2011), the Committee of Sponsoring Organizations of the Treadway Commission (2012), and the Casualty Actuarial Society (CAS) (2012).

    33 In classical economics, the Arrow-Pratt coefficient of risk aversion is often used to summarize these attitudes.

    34 Illing M. and Aaron M. (2005). A Brief Survey of Risk-Appetite Indexes, Bank of Canada Financial System Review, June.

    35 Power M. (2009). The Risk Management of Nothing. Accounting, Organizations and Society, 34.

    36 See, Financial Stability Board. Thematic Review of Risk Governance: Peer Review Report. February 2013.

    THE INSTITUTE OF INTERNATIONAL FINANCE (2009)

    The Institute of International Finance (IIF) advised each firm to create a definition of risk appetite suited to its own unique business model. It offers its own definition as a firm's view of how strategic risk-taking can help achieve business objectives while respecting constraints to which the organization is subject.37 Risk capacity was the maximum amount of risk bearable given the firm's capital base, its liquidity, access to new debt, and regulatory environment. Setting an appropriate risk appetite required: (i) assessing corporate performance goals under both normal and stressed economic conditions; (ii) considering all the stakeholders affected by risk-taking; (iii) taking both qualitative and quantitative measures into account; and (iv) taking a holistic view of risks including contingent, off-balance sheet, counterparty, non-contractual, contagion, and reputational risks.

    Corporate performance goals are those that should be familiar to companies from their strategic planning processes including return on equity, bond rating targets, and market share. Micro-prudential regulation plays a role in the goal setting via capital adequacy and other targets. The risk appetite statement provides both a limit and a goal. For example, Firm Alpha accepts putting at risk two quarters' earnings over a particular time frame to achieve a particular ROE in a newly entered product market X.

    37 See, The Institute of International Finance. Risk Appetite in Reform in the Financial Services Industry: Strengthening Practices for a More Stable System. December 2009.


    In the wake of the crisis, the IIF cautioned boards to pay particular attention to liquidity risks in setting risk appetites. They argued that in the pursuit of gain, a firm often consciously takes on market and credit risk but the attendant liquidity risks are overlooked. They recommend that the board approve a defined risk appetite in terms of liquidity risk to drive the firm's allocation and pricing of this strategic resource.

    THE INSTITUTE OF RISK MANAGEMENT (2011)

    The Institute of Risk Management (IRM) produced definitions of the terms risk appetite and risk tolerance as follows.38

    Risk Appetite: The amount of risk an organization is willing to seek or accept in pursuit of its long term objectives.

    Risk Tolerance: The boundaries of risk-taking outside of which the organization is not prepared to venture in the pursuit of long-term objectives. Risk tolerance can be stated in absolutes, for example: "We will not deal with a certain type of customer," or "We will not expose more than X percent of our capital to losses in a certain line of business."

    Risk Universe: The full range of risks that could impact either positively or negatively on the ability of the organization to achieve its long-term objectives.

    THE SOCIETY OF ACTUARIES IN IRELAND (2011)

    The Central Bank of Ireland issued a corporate governance code requiring credit institutions and insurance firms to establish a board-approved risk appetite. In response, the Society of Actuaries in Ireland (SAI) offered a guidance note on setting a risk appetite and its relationship to the risk management framework and strategic planning.39 The SAI defines risk appetite as the qualitative and quantitative statement that defines the organization's general attitude to a desired risk level. Risk tolerance is the maximum variation from this level that the firm is willing to accept.

    The first step in setting the risk appetite is the analysis of the firm's business strategy. A risk appetite framework takes a risk-based view of the strategy and should answer questions such as:

    What risks fit with the firm's overall strategic plan?
    What risk-taking limits can the firm accept and is it capable of monitoring?
    What risks do not fit and therefore should be avoided by the firm?
    What risks are not sought but will become a part of doing business to which the firm will need to be reactive?

    38 See, Anderson R. (2011). Risk Appetite and Tolerance. The Institute of Risk Management (IRM).

    39 See, The Society of Actuaries in Ireland. Constructing a Risk Appetite Framework: An Introduction. March 2011.

    The board setting the risk appetite needs to understand the risks (and risk categories) faced by the firm as it pursues its strategic plan. It should understand how the risks interact by using correlation frameworks, scenarios, statistical copulas, or expert judgment. Using an appropriate measure, a risk objective is stated either at the individual risk level or the risk category level for a time horizon. This stated objective is risk appetite. For example, if capital is the measure, the target may be: (i) maintain a particular economic capital cover; (ii) maintain a certain credit rating; and (iii) maintain sufficient solvency so as to withstand a specific stress scenario. If the earnings are the target, then the objective may be: (i) maximum allowed earnings volatility; and (ii) minimum acceptable profitability (measured as return on capital, margins) for a new or existing business. Once the objective is set and a tolerance for variation selected, the board needs to review it, approve it, and monitor compliance.

    THE COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk appetite as the amount of risk, at a broad level, that an entity accepts in pursuit of value. Risk appetite influences the organization culture and operating style, it guides resource allocation and helps align the infrastructure to respond and monitor risks.40 Risk tolerances are tactical and apply the risk appetite to specific objectives. Operating within risk tolerances keeps the firm within its broader risk appetite. Risk tolerance communicates flexibility while the risk appetite sets a rigid limit beyond which risk-taking is forbidden (see Boxes 1.4 and 1.5 for examples).

    40 See, Rittenberg L. and Martens F. (2012). Enterprise Risk Management: Understanding and Communicating Risk Appetite. The Committee of Sponsoring Organizations of the Treadway Commission.


    COSO proposes that the board's oversight of the entity's risk appetite encompasses: (i) discussing the entity's objectives and risk appetite; (ii) ensuring that the compensation plan is consistent with the risk appetite; (iii) monitoring risk identification by managers when the entity is pursuing strategies; (iv) looking actively for any unintended consequences when pursuing objectives; and (v) reviewing the appropriateness of the risk appetite and tolerances.

    CASUALTY ACTUARIAL SOCIETY 2012

    The Casualty Actuarial Society (CAS) published a detailed set of case studies demonstrating how risk appetite can be tightly linked to strategy in insurance companies.42 Their fundamental step in developing a risk appetite framework was seeking