The Hierarchy of Risk: A New Approach to Risk Management
Risk culture comprises those values and behaviors, on the parts of both management and employees, which define an organization’s awareness of and approach to risk. As the financial crisis continues, the most successful firms have been those possessing risk cultures with high awareness, quick escalation, and strategic flexibility. There are echoes of behavioral finance in the way an organization’s view of risk may be skewed by its current investment appetite, its compensation and incentives, and its degree of knowledge of historical risk. Complicating this risk culture are quantitative modeling of limited historical data, decreasing transparency due to financial product innovation, and overreliance on credit ratings.
Neither risk committees nor corporate boards can be relied upon to deal with these complications adequately. What’s required is the adoption of a viable alternative to the current and seriously flawed standard for qualitative risk management, the ERM (enterprise risk management) framework. The “hierarchy of risk” framework, which provides a flexible, multidimensional schema for analyzing quantitative and qualitative risk events, may be that alternative.
“Two American executives are shipwrecked on a desert island. To get back to civilization they decide to form three committees.” That’s a joke that frequently comes to mind during the continuing debate over governance standards in the aftermath of the global recession. It’s reported, for instance, that New York Democratic Senator Charles Schumer will shortly introduce the Shareholder Bill of Rights Act of 2009. Among other things, the act would require listed companies to create risk committees, comprised entirely of independent directors responsible for the companies’ risk management practices (Latham & Watkins 2009).
This raises questions as to the type of risks for which the committee would be responsible (financial versus nonfinancial), and as to the committee’s risk purview. A committee focused exclusively on risk mitigation will not recognize the strategic opportunities created from risk management. This new governance framework may in fact stifle innovation, limit risk taking, and ultimately slow the growth and profitability of today’s corporation. The act would have a wide impact on the overall governance system, as the historical role of risk management has been with the audit committee, especially since the passage of SOX (Sarbanes–Oxley Act) in 2002.
Forming a risk committee might not enhance a company’s risk management program—as a matter of fact, UBS and other major financial firms that suffered during the meltdown did have such committees in place. And studies conducted since the adoption of SOX have found no evidence that risk committees enhance governance or allay risk, indicating that other elements are key to effective corporate governance (Turley and Zaman 2004).
On the other hand, Spanish banks, which have avoided major financial damage, do have active risk committees, led by independent directors who meet as frequently as once a week to review various risk issues, including credit, market, and operational risks. But Spain’s exceptional risk performance is also credited to the country’s central bank, which prevented the banks from setting up off-balance-sheet vehicles and required additional capital reserves during the boom period (Larsen 2009). Establishing a separate risk committee is not the silver bullet of risk management, but a necessary component in an overall approach to governance and risk culture.
SOX revolutionized corporate governance practices, not because of intense board oversight, but because the increase in the litany of rules and regulations accelerated the declining effectiveness of boards (Larcker and Tayan 2008), a decline that is clearly visible in the wealth destruction events of 2008. Clearly, the increasing complexity of laws, the institution of certifications for chief executive officers, and the compliance control structures of SAS (Statement on Auditing Standards) 70 have not created value for shareholders, but have clouded the purpose and objectivity of boards. Boards have shifted from guiding strategy and advising management to self-managing their fiduciary liability. More and more, they’ve relied on the help of outside counsel and third-party experts in their oversight responsibilities. Boards are trapped within their own governance systems, unable to break the bonds of financial reporting oversight to guide today’s public companies effectively.
Compounding the ineffectiveness of boards is the increasing reliance on quantitative risk management techniques. While the crisis has exposed the model risk of quantitative risk management tools, organizations have neglected nonfinancial risk areas—strategic, regulatory, reputational, legal, and so on. In 2004, COSO (Committee of Sponsoring Organizations of the Treadway Commission) unceremoniously dumped these qualitative risk categories into the ERM framework without considering the impact on those crucial risk areas. Lacking an alternative formalized approach to qualitative risk management, and in light of the increasing appetite for risk oversight, ERM became the de facto standard, a decision many firms today regret.
THE THREAT OF ERM
ERM is one of the many control-centered by-products of the Enron and WorldCom fraud era. Readily adopted by public companies after the passage of SOX, ERM was considered an expansion of internal control oversight that provided “a more robust and extensive focus on the broader subject of enterprise risk management” (COSO 2004). In 2006, a Conference Board report found that “banking and financial services tend to have more developed enterprise risk management processes and may therefore set the standard by which other industries will be measured” (Brancato, Hexter, and Tonello).
ERM failed the financial services industry when it became a victim of its own success, creating “risk of control,” an attempt to constrain uncertainty that ended up impeding anticipation and flexibility. A 2007 critique of the COSO ERM framework demonstrated that, although the framework was a useful first step, its widespread adoption created “false security and a greater role vulnerability to events not previously identified as threats” (Williamson). Specifically, the critique found that ERM gives firms unjustified confidence in the positive identification of threats, encouraging them to allocate capital and resources to known or expected risk areas, and compounding a firm’s error when unexpected risks arise.
ERM increases imprudence among senior management, exposing firms to new threats with greater volatility. Overreliance on process rather than on judgment shifts responsibility from management to the system, reducing overall accountability. “Entrenching a single approach to risk management, whether through regulation, political pressure, or the fashion of expected best practice, could increase fragility and systemic threats within markets” (Williamson 2007). That’s advice especially relevant in today’s environment.
The effectiveness of ERM was compromised by its own dominance. As an institutionalized risk management system, ERM created an entry barrier for alternative frameworks that would have identified ERM’s limitations. However, risk management’s continuing struggle to integrate both quantitative and qualitative risk mitigation has managed to give rise to a developing set of “governance, risk, and compliance” approaches. Although none of these can rival ERM yet, the crisis events of 2008 have created a competitive environment that will lead to the development of a new comprehensive framework. This, unfortunately, will require time and patience.
THE HIERARCHY OF RISK
The “hierarchy of risk” framework is a feasible alternative to ERM that channels risk events into three key dimensions: reputational risk, financial risk, and competitive impact risk. The core of risk management exists in silo approaches to risk areas: credit, market, operational, compliance, counterparty, and so on. Like ERM, the hierarchy of risk maintains a discrete view of risk by integrating information for reporting. Unlike ERM, however, the hierarchy of risk channels risk information for analytical impact on strategy. It avoids ERM’s one-dimensional view of risk and views risk as events that require multiple angles of analysis. For example, the hierarchy of risk approach may identify a credit risk event as a counterparty risk, a reputational risk, and ultimately a strategic risk to the firm.
The hierarchy of risk measures risk events through analysis at the senior business management level, during the harvesting of business-unit or product-level reporting of various risks. As information escalates through the governance system of subcommittees and working groups, the hierarchical framework synthesizes the analysis into the dimensions of reputational, financial, and competitive impact risk.
Reputational risk is a subjective assessment of the potential effect, both positive and negative, that a risk event can create. While many firms view reputational risk as solely a communication and public relations issue, recent studies, as well as recent history, have demonstrated that reputation is an intangible asset that may be responsible for up to 95% of market value (Stuller 2009).
Financial risk is an analysis of a risk event’s expected financial impact—legal costs, operational expenses, expected gains in market share. While generally easier to calculate than the other risk dimensions, financial risk analysis is more susceptible to heuristic biases such as overconfidence, anchoring, and representativeness.
Competitive impact risk reflects the key competitive advantage that the firm deploys to create shareholder value. This dimension of the hierarchical approach requires a firm to identify the key risks with regard to its competitive advantage in the industry. For example, for a low-cost producer, operational or supply chain risk may be critical; for heavily regulated industries, such as financial services, legal and regulatory risk may take precedence.
The risk dimension analysis synthesizes the company’s reputational, financial, and competitive impact risks and analyzes that synthesis against the company’s strategic goals and objectives. This analysis escalates to the board level, allowing for an integrated view of strategic risk. The management of strategic risk is not confined to revenue development goals, but confronts any threat to the long-term success of the firm: by identifying risks to its competitive positioning, or by guiding management on its risky innovation and growth development. The hierarchy of risk framework is designed to free boards from operational and oversight distractions and to focus on the drivers of shareholder value.
STUMBLING BLOCK = STEPPING STONE
Risk management’s relationship to shareholder value will only increase in importance. To escape the trappings of governance systems and enhance the effectiveness of today’s boards, companies must adapt their risk management practices. Their new risk management systems must recognize that risk is both opportunity and misfortune. A little less confidence and a little more pessimism in risk mitigation processes may help us avert the next financial crisis.
Five Components of the Hierarchy of Risk
- Link risk with performance. Risk involves both the cost of capital and the return on capital.
- Recognize that risk is both a threat and an opportunity. Many companies have reversed their fortunes by adapting to shifting client and market demands.
- Identify and escalate, through the company’s governance structure, the analysis of the multiple “faces” of risk. Remember that a single event can have multiple risk dimensions.
- Reaffirm the organization’s risk culture and risk appetite by effectively communicating risk identification and strategic decisions taken on risk events.
- Risk management is not a static decision. The system must remain flexible and adaptive. Challenge underlying risk assumptions.
Brancato, Carolyn Kay, Ellen Hexter, and Matteo Tonello. 2006. “The Role of the US Corporate Board of Directors in Enterprise Risk Management.” Conference Board.
COSO. September 2004. “Enterprise Risk Management: Integrated Framework.”
Drew, Stephen A., Patricia Kelley, and Terry Kendrick. 2005. “CLASS: Five Elements of Corporate Governance to Manage Strategic Risk.” Kelley School of Business, Indiana University.
Farrell, John Michael, and Angela Hoon. May 12, 2009. “What’s Your Company’s Risk Culture?” BusinessWeek.
Larcker, David F., and Brian Tayan. January 15, 2008. “Models of Corporate Governance: Who’s the Fairest of Them All?” Rock Center for Corporate Governance, Stanford Graduate School of Business.
Larsen, Peter Thal. May 3, 2009. “Spanish Banks Lead the Way in Risk Management.” Financial Times.
Latham & Watkins, LLP. May 2009. “Senator Schumer’s Shareholder Bill of Rights.” Corporate Governance Commentary, Proxy Access Bulletin no. 1.
Stuller, Jay. May–June 2009. “How They See You.” Conference Board Review.
Turley, Stuart, and Mahbub Zaman. 2004. “The Corporate Governance Effect of Audit Committees.” Journal of Management and Governance, vol. 8. 305–322.
Williamson, Dermot. 2007. “The COSO ERM Framework: A Critique from Systems Theory of Management.” International Journal of Risk Assessment and Management, vol. 7, no. 8. 1089–1119.
–John MacKessy is the founder of Prism Risk Advisors, in which capacity he draws on a wide breadth of regulatory and investigative experiences, including participation in global compliance investigations and government-appointed monitorship teams, as well as perspectives gained as a compliance and risk officer for several financial institutions.
This article originally ran in the Summer 2009 issue of the Investment Professional.