The 2008 Market Crash
Risk & RIsk Categorisation
What is Risk?
Risk is a permanent characteristic of any organisation. Corporate risk can be defined as “the gain or loss that might be incurred by an uncertain future event” (Tricker 2019, p. 207). He goes on to suggest that risk can have two components. The first is the probability of a risk occurring, and the second is its effect.
Early governance codes were somewhat silent around risk and risk management. However, the 2008 Global Financial Crisis and the 2019 Covid Pandemic have highlighted the importance of risk assessment for today’s organisations. Risk management in the banking and finance industries is critical as their entire business model revolves around risk.
Risk cannot be avoided as it is a part of doing business. From a governance perspective, it is not a board’s role to eliminate risk. Still, to understand and assess risks the organisation may be exposed to and manage them on an ongoing basis.
Categorisation of Risk
Risks and their consequences can occur across all levels of organisations. Impacts will vary. The categorisation of risk allows us to treat it in a systematic way. Tricker (2019) contends there are three types of risk: strategic risk, management level risk and operational risk.
Strategic risk is that which emanates externally. The political, environmental or business landscape in which the organisation operates can be impactful. These risks can threaten the survival of an organisation and are, therefore, critical in nature. The board can prepare for such contingencies using SWOT or Porter’s five forces analysis.
Management Level Risk is a risk that arises at the management level. Examples include fraud, staff or skill shortages, and even reliable communications. The Agency Problem is also an example of a management-level risk where managers can act in their own interest instead of shareholders.
Operational Risks are those risks that can have a considerable impact on the day-to-day operations of the organisation. Cyber attacks, fire and theft are examples. The Australian Institute of Company Directors (AICD) identifies eighteen different types of risks in its Risk Management publication (AICD, 2020). Kaplan and Mikes (2012) suggest another categorisation structure of preventable risks, strategic risks and external risks.
The speaker, David Hillson, from The Risk Doctor argues for four main types of risk:-
The above becomes your head framework, and you are more specific beneath those.
Enterprise Risk Management Frameworks
The OECD 2010 Corporate Governance Report (cited in Tricker 2019, p. 208) considers the lessons learned from the 2008 global financial crisis. The report suggests that the risk appetites of the board needs to be aligned with the risk management system of the organisation. Furthermore, they suggest that:-
- the risk management function reports directly to the board
- that the risk management functions need to consider any risks arising directly from compensations and incentive systems in place and
- that the effectiveness of risk management is appropriately disclosed.
Another organisation that exists is the Financial Stability Board (FSB) which was formed at the 2009 G20 summit in London. In 2013, it published a report called “Thematic Review on Risk Governance” In Section V of the report (FSB 2013, p. 29) has extensive details on sound risk management practices as they apply to the board, the risk committee and the audit committee.
Risk management for Australian Companies is covered in the ASX Corporate Governance Council (2019) in Recommendation 7.1.
Yet another organisation covering risk is the International Corporate Governance Network (ICGN) who publishes Global Governance Principles. In 2010, they released the Corporate Risk Oversight Guide extending risk oversight functions into the governance area. Finally, the International Organisation for Standards (ISO) – ISO 31000 – Risk management covers risk management in ISO31000.
Board Responsibility in Enterprise Risk Management
It is not possible to run an organisation without some risk exposure. Consequently, the term risk management is more relevant than risk minimisation. Risk management is all about achieving an acceptable balance between risk and reward. The higher the risk, the higher the reward should be, but are high levels of risk palatable to the board?
To establish benchmarks for the board, it needs to develop a risk profile and risk appetite for the organisation. These documents are based around the organisation’s strategic objectives and need to be consistent with those objectives.
Risk appetite is defined as “…the amount of risk that an entity is willing to accept or retain to achieve its objectives” (Australian Government Department of Finance 2016, p. 1)
According to Tricker (2019, p. 211), a board needs to ensure:-
- the corporate risk profile is recognized;
- policies are established throughout the organization that reflect that profile;
- significant risks facing its company are recognized;
- risk assessment systems exist and are effective throughout the organization;
- risk evaluation procedures are developed and operational;
- risk monitoring systems are robust, efficient, and effective;
- business continuity strategies and risk management policies exist, are regularly updated, and are applied in practice.
Historically, risk management has been assumed by the audit committee. Audit committees deal with history, and the risk issue is future based, so there is a disconnect in how the committee views the events under its mandate.
As a result of globalisation, the digital economy and stretched supply chains, the need for risk committees have increased dramatically. The increase is because of the level and nature of risks organisations are now exposed to in their dealings.
The ASX Corporate Governance Principles and Recommendations (p. 26) says that:- “the board of a listed entity should have a committee or committees to oversee risk, each of which has at least three members, a majority of whom are independent directors; and is chaired by an independent director.”
Earlier, the performance and conformance responsibilities of boards were examined. It should now be evident that risk management is also a function of each area.
Tricker (2019, p. 217) identifies the process of risk analysis shown in the following figure:-
Identifying potential risks requires thought and investigation. Starting with the question about what it is that might considerably impact upon your organisation would be a good start. These could be simple things such as power blackouts, communication breakdowns, staff leaving etc. All are risks that need to be considered. As mentioned earlier, SWOT analysis or Porter’s 5 Forces can be helpful also.
It is also worth looking to the past to see if any events created problems for the organisation. Could these occur again?
One danger for organisations of all sizes is that they only put policies in place for areas where it is mandated by law. These are generally at an operational level and mainly around health and safety. Such an attitude can leave the organisation exposed strategically to many other risks and is not good governance practice.
David Hillson speaks on Risk Identification techniques.
Assumptions Analysis for the Present Risk Potential
Brainstorming Analysis for Future Focused
Checklists to capture the past and learn from that.
You can’t identify all risks. Some will happen without your ability to foresee them.
Assessment and Evaluation of Risks
Risks can be assessed on two bases. The likelihood of the risk happening and then the impact it could have on the organisation. Of course, no-one can predict the future with complete accuracy, however the very consideration of the risk can provide the opportunity to make an educated assumption. Some risks can be highly probably with low impact. Other risks can be highly improbably but could carry huge impact.
Once risks have been identified and assessed, it is appropriate to map them on a matrix to reflect the likelihood and the impact.
Of the ten risks mapped, number one is in the high probability and high impact area. It is therefore the most significant risk facing the organisation.
Developing Risk Policies
On completion of the risk assessment and identification process, the board or management will commence putting risk mitigation strategies and policies in place. If these are completed by management, they will need to go to the board for approval as they form a part of the governance process. As mentioned earlier, the board must establish its risk profile and appetite. All the policies developed must be consistent with the board’s views on those matters.
Tricker (2019, p. 223) states that there are four potential responses to risk when putting risk policies in place:-
- Avoid the risk – abandon the project that involves the risk
- Mitigate the risk via further investment or expenditure – e.g. arrange staff training, purchase standby equipment or duplicate critical components.
- Transfer the risk – take out insurance to protect the investment
- Retain the risk – essentially backing yourself; you can manage it.
Risk policies can be potentially costly to implement because of the investment in mitigation. The board must assess the risk against the potential benefits and costs and ensure that the organisation’s risk profile is considered in all decisions.
Tricker (2019) emphasises that all risk assessment and management aspects are critical aspects of corporate governance. Additionally, there are corporate disclosure requirements around risk management that boards need to be aware of and follow.
Risk assessment and management is one of the most important functions of a board. In an ever-changing world, risks are always dynamic and require constant re-assessment. In particular, the mapping of risk and placement on a heat matrix is an extremely valuable exercise. Risks can then be dealt with on the basis of priority.
The first assessment for this subject was due during the week. It involved comparing two publicly listed companies and considering the various theories around corporate governance. It was interesting to understand how some companies are very shareholder-focused, and others are more stakeholder-focused. Based on the reading, it is considered that stakeholder-focused companies have a greater level of sustainability and corporate social responsibility.