38 Strategic Risk Management

 

 

 

 

 

1. Learning Outcome

2. Introduction

3.Concept of Risk

4.Enterprise Risk Management

5. Strategic Risk Management

6. Types of Strategic Risk

7. Strategic Risk Management Process

8. Approaches to Strategic Risk Management

9. Summary

 

1. Learning Outcome:

 

After completing this module the students will be able to understand:

•  Concept of risk and strategic risk
• Concept of enterprise risk management and strategic risk management
• Different types of strategic risk
• Risk assessment
• Risk management through different approaches

 

2. Introduction:

 

The different important phases of strategic management like strategy formulation, implementation, evaluation and control etc. involve a time horizon and are based on number of assumptions related to different aspects like market, finance, economy and so on. Over a period of time, there are changes in physical environment, especially in the country of investment, the economic activities of the industry, the market place and the financial arena, which leads to risk of success of strategy and achievement of overall objective of the organization. That is why the identification, measurement and management of such risk is very important to the success of organization.

 

3. Concept of Risk:

 

The term risk owes its origin to the classical Greek word “Rizikon” meaning root. The concept of risk is based on the degree of uncertainty. An event has many parameters associated with it. Depending upon their nature, some may be spatial and others may be temporal. When all the parameters are fixed, then the occurrence becomes a certainty. When some of those parameters are not clearly defined and the probability of their occurrence is not measureable,then event becomes uncertain. Between the two extremes of certainty and uncertainty, lies the risk (Figure-2). Greater the uncertainty involved, larger the risk associated will be. It is the probability of occurrence of a hazardous event that adversely impacts the company. It is a potential harm that is likely to accrue due to future event, the probability for which can be measured. Risk usually entails a negative impact. The degree of this impact can be measured in terms of cost of assets, loss of revenue, loss of human life, or loss of reputation to an organization etc. The potential harm may arise from a future occurrence of an event that may lead to exorbitant increase in the cost or by a failure to achieve an expected benefit. Risk can be of different types depending upon its source, impact and incidence. Some risks will not be a threat to overall health of a company or its ability to achieve its objectives. For example, a temporary data centre outage can result in a short-term problem, but once recovered, the organization will be back on its track. Similarly there can be some significant risk events resulting in the irreparable loss that can not only impair the organization’s ability to meet its objectives but are also threat to survival of the organization as well. So the risks are simply future problems that need to be avoided or mitigated.

 

4. The Enterprise Risk Management:

 

Certainly, risk management in the organization is not new. Different functional managers look at risk differently. HR looks at human capital risk e.g. retaining talent, minimizing turnover etc. Internal audit looks only at its set of risks. Finance manager looks at only financial risks and operational manager looks at risk involved in his area only (Figure-3).

 

Status was the same until past few decade or so when it was realized that all such risks are inter connected with each other. It was the early 2000s, when in the wake of high profile corporate failures, the concept of Enterprise Risk Management (ERM) emerged. It attempts to manage enterprise wide risk in an integrated fashion. In September 2004, the Committee of Sponsoring Organizations of Treadway Commission (COSO), which is recognized for providing guidance on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting, issued guidelines that defined enterprise risk management.

 

According to COSO, ERM is a process, affected by the board of directors, management and other personnel, involved in strategy setting and across the enterprise, designated to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of the objectives of entity. The publication of this definition of ERM was a milestone. Yet today companies still struggle with how to implement an effective ERM system. That may be because holistic performance management is still evolving and many companies lack a culture or mechanism for managing cross enterprise issues.

 

 

Three key components of COSO’s ERM definition relate to strategy and strategy implementation:

 

(a) ERM is directly related to strategy setting. For effective ERM, it must be embedded in strategy formulation and execution. (b) ERM is designated to identify events that may affect the effectiveness of its strategy. (c) ERM is to provide a reasonable assurance for achieving organizations strategic objective (Figure-3). So it becomes very clear that Strategy and ERM needs to be aligned and integrated. That is why, effective strategic risk management becomes essential for achieving the objective of organization.

 

5. Strategic Risk Management:

 

Increase in the significant risk exposures has given rise to a focus on strategic risks and strategic risk management. Strategic risks are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. Strategic risk management is organization’s response to strategic risks. Strategic risk management can be defined as “the process of identifying, assessing, planning and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” (Figure-5) Strategic risk management is focused on those most consequential and significant risks to shareholder value that requires the time and attention of management and the board of directors of the company.

 

 

It involves understanding the strategy clearly, all the risks involved in adopting and executing the strategy. It involves evaluating how a wide range of possible events and scenarios will be affecting the formulation and execution of strategy; and the ultimate impact on company’s value. It requires the organization to identify tolerable level of risk as a guide for strategic decision making. It is continuous process that should be embedded in strategy formulation and execution. Effective strategic management is built around a clear understanding of how much risk the organization is prepared to take in order to meet its strategic objectives and a timely and reliable evaluation of how much risk it is actually taking. Thus, board of directors need to improve their focus on risk by integrating risk management into their routine strategic evaluation. The success of strategic risk management depends upon that how well the strategic planning and risk management is integrated and coordinated; and how well the performance measures are aligned with risk management.

 

6. Types of Strategic Risk:

• Country Risk
• Human Component risk
• Financial Risk
• Industry Risk
• Market Risk
• Transitior Risk
• Stagnation Risk
• Unique Competitior Risk
• Brand Risk
• Project Risk
• Operational Risk

 

 

6.1 Country Risk: It can be an area of concern when business is being started in a foreign country. It can be either in form in Government’s control over raw material, licensing or some other key business issue. It can also be caused due to changes by political influence rather than company’s influence. For example, nationalization was adopted by many socialistic governments at some point of time and then was reversed due to exigencies in the market economy.

 

6.2 Human Component Risk: Many changes have been observed in the labour and management relationship since industrial revolution. The birth of trade unionism and collective bargaining as a source of strength for labour has brought sea changes in the labour management thoughts (Figure-7). The application of turnaround strategies, restructuring, downsizing, business process reengineering etc. have faced many risks in term of human component such as safety nets for retiring employees, retaining existing employees to help them gaining new skills etc.

 

6.3 Financial Risk: Inflow of the capital in form of foreign direct investment may face the political risk at the strategic level. Policies favoring FDI may have toil against the policies favoring nationalization or strict government control. Inflow of capital through foreign institutional investors may face different risks caused by changes in the interest rate, political and national exigencies. For example, the different interest rates in the different countries has introduced a risk that FIIs pull out funds from a country or enter another country in a big way, leading to a volatility in interest rates and their differentials. A thin margin of profit may lead to movement of FIIs from one country to another.

 

6.4 Industry Risk: This risk arises when a company itself faces extinction suddenly, due to unavoidable reasons. Every industry is known have a life cycle comprising different stages like introduction, growth, maturity and decline (Figure-9). Sometimes a company may have a fractured life and may face a sudden death. Mass customization has become the reality and industry has to face up the situation. Threats caused by the internal rivalry among existing companies have also added to the

 

6.5 Market Risks: Market volatility has always been a reason for deviation from the desired course. Markets are no longer protected and have resulted in diverse business risk of demand supply imbalances, unexpected technological changes and new exigencies in the corporate governance. The price mechanism has also changed. The belief that, price takes care of all the factors of production, is no longer correct because inefficiencies of any factor cannot be passed to the consumer. Customer behavior has become an important component of the value chain that needs to be carefully coordinated and thus adds to the risk.

 

6.6 Transition Risk: This risk may arise due to sudden technological obsolescence. This type of risk is more common in IT field when new products based on latest technology are introduced very frequently. The life of a technology which is normally a decade or so, suddenly finds itself out of market.

 

6.7 Stagnation Risk: The stagnation risk may be caused by sudden fall in the demand for products of a company due to recession or other reasons. This type of risk is more harmful for companies holding large inventories of raw materials and components. For example, when an automobile company is affected by stagnation, the business of different manufacturer supplying components will also suffer.

 

6.8 Unique Competitor Risk: This risk may arise due to sudden entrance of an unexpected competitor. This risk is a culmination of the big resource, high technology, and managerial skill that the new competitor possessed. For example, entry of big corporate houses like Reliance, Bharti and Birla Groups etc., in the retail trade has posed a risk for small shopkeepers and street venders.

 

6.9 Brand Risk: Every company builds its market share on the basis of its brand equity and brand loyalty. If due to any reason, such brand losses its sheen suddenly, the brand risk emerges and company may face virtual extinction. This unexpected happening can take place due to loss of confidence from the customer on the value of brand and may not be able to market its products for a substantial period of time (Figure-10).

 

 

6.10 Project Risk: This type of risk arises when a project fails to take off due to sudden and drastic changes in some of the basic assumptions. A project normally extends over a long period of time and entire economy of a project is based on many assumptions. In case, such assumptions are not fully tested or verified, the project may come to a sudden failure.

 

6.11 Operational Risk: Operation risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from any external events (Figure-11). It arises from execution of the normal day to day operations of the company. It is a risk associated with any failed process within the organization for example, any type of fraud in the organization, damage to the physical assets, any kind of business disruption and system failure etc.

 

7. Strategic Risk Management Process:

 

Assessment of the strategic risk is very much essential for the effective risk management. Strategic risk assessment is a systematic and continual process for assessing the most significant risk driven by company’s core strategies. Conducting an initial assessment of risk is always a valuable activity and should involve senior management and board of directors. If risk strategic risk assessment is not embedded and owned by management as integral part of business processes, the strategic risk management will rapidly lose its impact and will not add any value to the organization. Following steps may be undertaken by an organization for managing the strategic risk:

 

7.1 Understanding the Core Strategies: To gain a thorough understanding the strategies of company is an initial step for the risk assessment process. Some organizations may have well developed strategic plans and objectives, while others may be much more informal in their articulation and documentation of strategy. In either case, the assessment must develop an overview of the organization’s key strategies and business objectives. This step is critical, because without these key data to focus around, company will not be able to prioritize the risk. It helps in establishing a foundation for integrating risk management with the business strategy.

 

7.2 Collecting Data on Strategic Risk: After having a deep understanding of the strategies, next step is to collect the information and data related to strategic risk. Said information can be collected by conducting surveys and interviews of key executives, internal and external auditors and other people whose views can be significant to the types of risk involved such as compliance or safety. Views of these key individuals regarding potential emerging risks can also be considered.

 

7.3 Preparing Preliminary Strategic Profile: After analyzing the information collected in the previous step, the next stage is to draft a preliminary profile for strategic risk of the organization. The extent of information to be disclosed in the profile will be depending upon the needs of the organization. For some organizations, simple lists are adequate, while others may want more detail as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks and their potential severity or ranking. Color coded reports or “heat-maps” may be useful to ensure clarity of communication of this critical information.

 

7.4 Validating the Strategic Risk Profile: The preliminary risk profile must be validated, refined, and finalized. Depending on how the data gathering was accomplished, this step could involve validation with all or a portion of the key executives and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the final risk profile.

 

7.5 Developing Strategic Risk Management Plan: Once the risk profile is finalized, the next phase is to develop a strategic risk management plan depending upon the risk profile. While significant effort can go into an initial risk assessment and strategic risk profile, the real product of this effort should be an action plan to enhance risk monitoring or management actions related to the strategic risks identified. The ultimate value of this process is helping and enhancing the organization’s ability to manage and monitor its top risks.

 

7.6 Communicating the Strategic Risk Profile and Risk Management Action Plan: The next important phase activity is to communicate the risk profile and the risk management plan throughout the organization. The primary objective of this communication is to build an understanding among the people of organization regarding the top risks being faced by the organization and how to manage those risks. It helps focus personnel on what those key risks are and potentially how significant they might be. A second focus is the communication of management’s expectations regarding risk to help reinforce the message that the understanding and management of risk is a core competency and expected role of people across the organization. The risk culture is an integral part of the overall corporate culture. The assessment of the corporate culture and risk culture is an initial step in building and nurturing a high performance, high integrity corporate culture.

 

7.7 Implementing the Strategic Risk Management Plan: The real value resulting from the risk assessment process comes from the implementation of an action plan for managing and monitoring risk. These steps define a basic, high-level process and allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the organization. Strategic risk assessment is an ongoing process, not just a one-time event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process that should be ongoing and continual within the organization.

 

8. Approaches to Strategic Risk Management:

 

Risk identification and assessment are the important stages before developing any risk management action plan. The action plan for managing the risk is always going to be different depending upon the nature of risk and the type of organization. Various approaches have been developed over a period of time for managing the risk. Some of these approaches can be discussed as follows:

 

8.1 Risk Avoidance: This principle is based on the possibility of totally avoiding the risk that has been identified. It can be done by not performing the activity which is having risk associated with it. If a particular activity or a product line has significant risk attached to it, company may simply decide not to continue or go for that activity or a product line in order to avoid the associated risk completely (Figure-14). Risk avoidance can be perfect option for managing risk but it is said that higher risk leads to greater returns. So taking no risk or complete risk avoidance may not be an ideal approach to follow by any organization.

 

8.2 Risk Optimization: Optimization or reduction of risk refers to creating a balance between risk attached to some operation and benefits of the operation. It includes all the measures to be taken to reduce the effect of hazard itself as well as the vulnerability leading to the hazard. It also includes the steps to mitigate physical, economic and social vulnerability.

 

8.3 Risk Retention: Risk retention refers to acceptance of loss or benefit arising out of a risk when it takes place. This strategy is viable when risks are small enough to be transferred at a cost higher than the loss arising out of the risk. On the other hand, the risk can be so big that it cannot be transferred or insured. This method is useful when probability of the occurrence of risk is very low and some reserved created over a period of time can take care of the loss arising out of it.

 

8.4 Combination of Risk: Combining the risk is possible when one company is facing many risks at a time. It becomes necessary to understand all such risks and their nature and relationship inter se. For example, in a capital market, there are various risks such as high volatility risk, lower liquidity risk etc. It is worthwhile to assess the risks caused by these different factors and combine them to mitigate the risk as the ultimate goal is to increase the return and reduce the risk. Principle of portfolio management is the best example of combination of risk.

 

8.5 Sharing of Risk: Sharing of risk is known as transfer of risk also. This principle refers to sharing of the risk to some other party who has developed expertise in such risk. That party may be an insurance company or any other party who is an expert in handling the risk. In such case company will have to pay compensation to the other party for sharing the risk. Sharing of risk can also be done through risk retention pool.

 

8.6 Hedging of Risks: Risk arising from the fluctuations in prices or foreign exchange rates may be covered by hedging them using the financial derivatives. Company can enter into forward contracts with some financial institutions to hedge the risk of said fluctuations. There are various special contracts like forward contracts, futures, swaps, options, and insurance policies are available to hedge such kind of risks (Figure-15).