Enterprise Risk Management

An Analytic Approach

A Tillinghast – Towers Perrin Monograph

Foreword


Business Risk Management…Holistic Risk Management…Strategic Risk Management…
Enterprise Risk Management. Whatever you choose to call it, the management of risk is
undergoing fundamental change within leading organizations. Worldwide, they are moving away
from the “silo-by-silo” approach to manage risk more comprehensively and coherently.


This heightened interest in Enterprise Risk Management (ERM) has been fueled in part by external
factors. In just the last few years, industry and government regulatory bodies, as well as institutional
investors, have turned to scrutinizing companies’ risk management policies and procedures. In
more and more countries and industries, boards of directors are now required to review and report
on the adequacy of the risk management processes in the organizations they govern.


And internally, company managers are touting the benefits of an enterprise-wide approach to
risk management. These benefits include:

• reducing the cost of capital by managing volatility

• exploiting natural hedges and portfolio effects

• focusing management attention on risks that matter by expressing disparate risks in a
  common language

• identifying those risks to exploit for competitive advantage

• protecting and enhancing shareholder value.


ERM is actually a straightforward process. And, in most cases, the requisite intellectual capital and
business practices needed to carry out ERM already exist within the company. But an accurate,
useful ERM process is based on sound analytics. Without valid measurements, managing risk is
effective and efficient only by chance.


In the following pages, we hope to add analytical rigor to the public discourse on ERM. Drawing
from our client experiences, we offer a rational, scientific approach — one grounded in sound
principles and practical realities.

“Risk,” by definition and by nature, cannot be eliminated. Nor do leading organizations wish it
gone. Rather, they want to manage the factors that influence risk so that they can pursue strategic
advantage. How to identify and manage these factors is the subject of this monograph.


It is our intention to periodically update this document. We would be most interested in readers’
comments and suggestions.




Contents

   I   Introduction
       Purpose of this monograph
       Definition and objective of ERM
       Motivation for considering ERM

  II   Framework for ERM
       Assessing risk
       Shaping risk
       Exploiting risk
       Keeping ahead

 III   A Rational Approach to Assessing Risk
       Overview
       Step 1 – Identify risk factors
       Step 2 – Prioritize risk factors
       Step 3 – Classify risk factors
       Recap… and segue

  IV   A Scientific Approach to Shaping Risk
       Overview
       Step 1 – Model various risk factors individually
       Step 2 – Link risk factors to common financial measures
       Step 3 – Set up a portfolio of risk remediation strategies
       Step 4 – Optimize investment across remediation strategies
       Extension to multi-period risk shaping
       Recap

   V   A Brief Discussion of Exploiting Risk and Keeping Ahead

  VI   Implementing ERM in Phases

 VII   References and Recommended Reading

VIII   Acknowledgements
       Appendices

Introduction

Purpose of this monograph

Pressure to adopt ERM has increased from both internal and external forces. Although optional in most cases, a formalized risk management culture and its benefits have gained recognition and have fueled interest in the process.

With this monograph, we intend to add analytical rigor to the public discourse on ERM by presenting a scientific approach grounded in sound business principles and practical realities.

In this document, we will:

• define the ERM process
• discuss what motivates organizations to adopt ERM
• describe our conceptual ERM framework and outline the process steps
• detail a comprehensive, analytic approach to ERM
• discuss methods by which organizations implement ERM.

Definition and objective of ERM

We define ERM as follows:

    ERM is a rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage.

ERM’s objective — to enhance shareholder* value — is achieved through:

• improving capital efficiency
  • providing an objective basis for allocating resources
  • reducing expenditures on immaterial risks
  • exploiting natural hedges and portfolio effects
• supporting informed decision making
  • uncovering areas of high-potential adverse impact on drivers of share value
  • identifying and exploiting areas of “risk-based advantage”
• building investor confidence
  • establishing a process to stabilize results by protecting them from disturbances
  • demonstrating proactive risk stewardship.

* In this monograph, the emphasis is on shareholders rather than the broader category of stakeholders (which also includes customers, suppliers, employees, lenders, communities, etc.). Though some observers prefer to define the scope of ERM to include the interests of all stakeholders, we believe this is not pragmatic at the current evolutionary state of ERM and would result in too diffuse a focus. While shareholder value is not directly relevant to some organizations (e.g., privately held and nonprofit entities), the concepts and approaches developed in this monograph clearly apply to those organizations.

Motivation for considering ERM

External pressures

Some organizations adopt ERM in response to direct and indirect pressure from corporate governance bodies and institutional investors:

• In Canada, the Dey report, commissioned by the Toronto Stock Exchange and released in December 1994, requires companies to report on the adequacy of internal control. Following that, the clarifying report produced by the Canadian Institute of Chartered Accountants, “Guidance on Control” (CoCo report, November 1995), specifies that internal control should include the processes of risk assessment and risk management. While these reports have not forced Canadian-listed companies to initiate an ERM process, they do create public pressure and a strong moral obligation to do so. In actuality, many companies have responded by creating ERM processes.

• In the United Kingdom, the London Stock Exchange has adopted a set of principles — the Combined Code — that consolidates previous reports on corporate governance by the Cadbury, Greenbury and Hampel committees.
  This code, effective for all accounting periods ending on or after December 23, 2000 (and with a lesser requirement for accounting periods ending on or after December 23, 1999), makes directors responsible for establishing a sound system of internal control, reviewing its effectiveness and reporting their findings to shareholders. This review should cover all controls, including operational and compliance controls and risk management. The Turnbull Committee issued guidelines in September 1999 regarding the reporting requirement for nonfinancial controls.

• Australia and New Zealand have a common set of risk management standards. Their 1995 standards call for a formalized system of risk management and for reporting to the organization’s management on the performance of the risk management system. While not binding, these standards create a benchmark for sound management practices that includes an ERM system.

• In Germany, a mandatory bill — the KonTraG — became law in 1998. Aimed at giving shareholders more information and control, and increasing the accountability of the directors, it includes a requirement that the management board establish supervisory systems for risk management and internal revision. In addition, it calls for reporting on these systems to the supervisory board. Further, auditors appointed by the supervisory board must examine implementation of risk management and internal revision.

• In the Netherlands, the Peters report in 1997 made 40 recommendations on corporate governance, including a recommendation that the management board submit an annual report to the supervisory board on a corporation’s objectives, strategy, related risks and control systems. At present, these recommendations are not mandatory.

• In the U.S., the SEC requires a statement on opportunities and risks for mergers, divestitures and acquisitions. It also requires that companies describe distinctive characteristics that may have a material impact on future financial performance within 10-K and 10-Q statements. Several factors broaden the requirement to report on the risks to the organization, leading to setting in place an enterprise-wide approach to risk management:

  • The report, “Internal Control — An Integrated Framework,” produced by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO), favors a broad approach to internal control to provide reasonable assurance of the achievement of an entity’s objectives. Issued in September 1992, it was amended in May 1994. While COSO does not require corporations to report on their process of internal control, it does set out a framework for ERM within an organization.

  • In September 1994, the AICPA produced its analysis, “Improving Business Reporting — A Customer Focus” (the Jenkins report), in which it recommends that reporting on opportunities and risks be improved to include discussion of all risks/opportunities that:
    — are current
    — are of serious concern
    — have an impact on earnings or cash flow
    — are specific or unique
    — have been identified and considered by management.

    The report also recommends moving toward consistent international reporting standards, which may include disclosures on risk as is required in other countries.

Institutional investors, such as Calpers, have begun to push for stronger corporate governance and to question companies about their corporate governance procedures — including their management of risk.

Internal reasons

Other organizations simply see ERM as good business. For example:

• The Board of Directors at a large utility mandated an integrated approach to risk management throughout the organization. They introduced the process in a business unit that was manageable in size, represented a microcosm of the risks faced by the parent and did not have entrenched risk management systems. This same unit was the focus of the parent’s strategy for seeking international growth — a strategy that would take the organization into unfamiliar territory — and had no established process for managing the attendant risks in a comprehensive way.

• The CFO of a manufacturing company with an uninterrupted 40-year history of earnings growth embarked on ERM. This step followed the company’s philosophy of “identifying and fixing things before they become problems.” The movement was spurred by the company’s rapid growth, increasing complexity, expansion into new areas and the heightened scrutiny that accompanied its recent initial public offering.

• A large retail company’s new Treasurer, with the support of the CFO, wanted to “assess the feasibility of taking a broader approach to risk management in developing the organization’s future strategy.” As part of this effort, she hoped to “evaluate our hazard risk and financial risk programs and strategies, to identify alternative methods of organizing and managing these exposures on a collective basis.”

• The Chairman of the Finance Committee of the Board at a manufacturing company complained about reports from Internal Audit that repeatedly focused on immaterial risks. His concern led to formation of a cross-functional Risk Mitigation Team to identify and report on processes to deal with risks within an ERM framework. The team now reports directly to the finance committee on a quarterly basis.

These organizations view systematic anticipation of material threats to their strategic plans as integral to executing those plans and operating their businesses. They seek to eliminate the inefficiencies built into managing risk within individual “silos.” And they appreciate that their cost of capital can be reduced through managing volatility.

Some observers argue that investors do not put a premium on an organization’s attempt to manage volatility. These observers maintain that investors can presumably achieve this result more efficiently by diversifying the holdings in their own portfolio. They argue further that investors do not appreciate, and do not reward, an organization that spends its resources on risk management to smooth results on investors’ behalf.

Our research into the link between performance consistency and market valuation, however, indicates otherwise. We found that consistency of earnings explains a high degree of difference in share value (specifically, “market value added”) among companies within an industry. This is true even after allowing for other influences such as growth and return (see Figure 1 and Appendix A). Investors assign a higher value, all else equal, to organizations whose earnings are more consistent than those of their peers. This clearly reduces the cost of capital for these organizations.

FIGURE 1
Market Value Added by Earnings Consistency (Low / High), in four panels:
  Low-Return Companies:   3 / 4
  High-Return Companies:  15 / 23
  Low-Growth Companies:   5 / 13
  High-Growth Companies:  22 / 32
Companies with higher earnings consistency tend to have much higher stock valuations than their similarly situated competitors. Details and definitions are presented in Appendix A.

In summary, organizations can use ERM to enhance the drivers of share value: growth, return on capital, consistency of earnings and quality of management. ERM can identify and manage serious threats to growth and return while identifying risks that represent opportunities to exploit for above-average growth and return. Achieving earnings consistency is, of course, a central goal of ERM. And institutional investors increasingly define management quality to include enterprise-wide risk stewardship.

Framework for ERM

Company information and procedures already in place can make the ERM process efficient and effective. Our conceptual framework for ERM consists of four elements.

Assessing risk

Risk assessment focuses on risk as a threat as well as an opportunity. In the case of risk-as-threat, assessment includes identification, prioritization and classification of risk factors for subsequent “defensive” response. In the case of risk-as-opportunity, it includes profiling risk-based opportunities for subsequent “offensive” treatment.

Shaping risk

This “defensive track” includes risk quantification/modeling, mitigation and financing.

Exploiting risk

This “offensive track” includes analysis, development and execution of plans to exploit certain risks for competitive advantage.

Keeping ahead

The nature of risk, the environment in which it operates, and the organization itself change with time. The situation requires continual monitoring and course corrections.

The chapters that follow provide a fuller description of the above elements (outlined in Figure 2).

The larger part of the discussion in this monograph is on the first two elements — risk assessment and risk shaping — as these create the foundation for the remaining elements. Accordingly, there will be more focus on the defensive track of ERM.

FIGURE 2
The Conceptual Approach to ERM

I. Assess Risk
  • Identify risk factors
  • Prioritize
  • Classify
  • Profile risk opportunities

II. Shape Risk
  • Quantify effects
  • Mitigate risk
  • Finance risk

III. Exploit Risk
  • Analyze opportunities
  • Develop plan
  • Implement

IV. Keep Ahead
  • Monitor change
    • risk factors
    • environment
    • organization
  • Reenter prior steps as necessary

The conceptual approach to ERM is straightforward.

A Rational Approach to Assessing Risk

Overview

We approach risk assessment believing that managing risk effectively requires measuring risk accurately — and that accurate risk measurement requires well-formulated risk modeling. Such measuring and modeling:
• allow senior management to see a compelling demonstration of the “portfolio effect,” i.e., the fact that independent and/or favorably correlated risks tend to offset each other without the organization having to invest in explicit hedges
• promote the proper allocation of capital resources to risks that really matter
• permit sizing of investments in risk remediation
• provide an objective framework for systematic risk monitoring.

Do all risks that face an organization need modeling? And isn’t model-building on this scale daunting?

The answer to the first question is: “No.” Methods to prioritize risk factors can screen for those that require modeling. These methods are qualitative; we focus on these later in this chapter.

The answer to the second question is: “Not typically.” These models often have been built and exist in some form somewhere in the organization. This will be the focus of Chapter IV.

Before we discuss the steps in risk assessment, we should distinguish risks from the risk factors underlying them. Here we focus on the negative side of risk — as a threat, not as an opportunity. In this context, risk is the possibility that something will prevent — directly or indirectly — the achievement of business objectives. Risk factors are the events or conditions that give rise to risk. Loss of market share is a risk; lack of preparedness for the entry of new competitors is a risk factor. Risk is not something that can be directly managed or controlled. Risk factors, however — the causes of risk — can be. Therefore, managing risk, and particularly assessing risk, requires focusing on its causes rather than its manifestations.

STEP 1
Identify risk factors

In this initial step, a wide net is cast to capture all risk factors that potentially affect achieving business objectives. Risk factors arise from many sources — financial, operational, political/regulatory or hazards. The key characteristic of each is that it can prevent the organization from meeting its goals. In fact, if a risk factor does not have this potential, it is not truly a risk factor under an enterprise-wide interpretation of risk. Thus, the first “screen” through which a candidate risk factor must pass is materiality.

In identifying risk factors, we favor a qualitative approach — gathering material from interviews with experts and reviewing documents. The interviews typically span the organization’s:
• Senior management
• Operations management
• Corporate staff, including:
  • Finance
  • Treasury
  • Legal
  • Audit
  • Strategic Planning
  • Human Resources
  • Risk Management
  • Safety
  • Environmental.

These interviews solicit informed opinion on:
• how the business works, and the way components of the business — the interviewees’ realms of responsibility — mesh
• key performance indicators used to manage the business and its components
• tolerable variation in key performance indicators over relevant time horizons
• events or conditions that cause variations beyond the risk tolerances, and the probable frequency and possible maximum effect of these.
Often we find it helpful to supplement internal interviews with interviews among the organization’s external partners, their counterparties (banks, insurers, brokers), analysts, customers, and — on occasion — competitors.

We also review the organization’s strategic plans, business plans, financial reports, analyst reports and risk stewardship reports.

From all these data and information, a picture emerges of the organization’s:
• corporate culture
• objectives
• forms of capital (human, financial, market and infrastructure)
• business processes (which convert the capital into cash flows)
• control environment
• roles and responsibilities
• key performance measures
• risk tolerance levels
• capacity and readiness for change
• preliminary list of risk factors.

Importantly, this approach starts with the business, not a checklist of risks — far different from an audit-type approach. In other words, this approach goes from the top down and not the bottom up. Such an organic method is strongly preferable because preconceived checklists of risk factors are usually incomplete. Further, the most crucial risk factors are usually unique to each organization and its culture. This alone makes generic checklists far less relevant than a business-first approach.

STEP 2
Prioritize risk factors

The resulting list of risk factors (typically several dozen long at this stage) is not yet useful or actionable, although each factor has passed the materiality screen. It now requires prioritizing.

In Step 1 (Identify risk factors), we compiled information on each risk factor’s likelihood, frequency, predictability and potential effect on the organization’s key performance indicators. We also examined the quality of the process, systems and cultural controls in place to mitigate these factors. At this stage, the information is subjective, but quite sufficient. Now, the objective is to cull the list of these factors into a manageable number for senior management. The attributes of each factor can be combined in an overall score that, when combined with subjective judgment on the timing and duration of the financial impact, can be expressed as a “net present value” score. In the example in Figure 3, this “NPV” score is on a scale of 1 (low) to 5 (high). Once scores are assigned, we can sort the risk factors from low to high and produce a prioritized list.

A team of risk management experts typically does this evaluation and scoring. They often collaborate with representatives of management. In addition, we find a follow-up questionnaire or focus group(s) extremely helpful for cross-validation purposes. In these, the interviewees view the collective results of the identification step — the full list of risk factors, the consensus view on key performance indicators and risk tolerances, etc. Then, with this richer context and some facilitation, they can prioritize risks. We compare the results of this exercise with those from the independent prioritization conducted by the expert team, and the differences are reconciled.

The number of risk factors that will ultimately pass through the prioritization screen is often known before the process begins. Given the demands on senior management, expecting them to concentrate on a dozen or more “top priority” risk factors is unrealistic. Generally, six or less is manageable, but this depends on the organization. Also, natural breakpoints in the prioritized list and strategic links among the risk factors can influence the ultimate number. The short list should, however, contain items deserving of consideration at the highest levels of the organization — factors that should influence the strategic plan and the affected business plans, alter the day-to-day priorities of business unit managers and affect the behavior of the rank and file.

STEP 3
Classify risk factors

Still, any list of risk factors, however short and prioritized, is a sterile device. Organizing this information to clearly indicate what type of risk-shaping action is necessary comes next.

We have used several classification schemes in our work, some more detailed than others, each tailored to the client organization. One general scheme that may have nearly universal relevance is described below (see Figure 4). Additional refinements can be added as appropriate.

In this scheme, high-priority risk factors are of two types. One is characterized by the fact that the environment in which they arise is familiar to the organization, and the skills to remedy those risk factors are already in-house. However, for some reason, these risk factors had not been given the attention they deserve. We label these “manageable risk factors.” Other risk factors arise because the organization enters unfamiliar

     FIGURE 3
      When Prioritizing Risk Factors...

       ...subjective scoring is appropriate at this stage
                                                                                              Quality           Aggregate
        Risk Factors                                            Likelihood        Severity    of Controls       “NPV” Score (1-5)
        A. Strategy
        Informal planning, process and
        communications allow surprises                               H               H             L                   4.5
        Market share and earning objectives
        are not aligned                                              H               L             L                   3.0
        .
        .
        .
        B. Growth
        Infrastructure is increasingly strained,
        will be difficult to retain culture and values
        with the changes that growth demands                         H               H             L                   4.5
        Increased size creates more opportunity
        for mistakes                                                 M               L             M                   2.0
        .
        .
        .
        C. Company Reputation
        Pressure to make numbers may prompt
        behavior that will impair company’s
        credibility with financial markets                           M               H             H                   3.5
        Adverse publicity (e.g., business practices,
        ethics) can affect image across multiple brands              L               H             H                   2.5
        .
        .
        .
        D. Human Resources
        .
        .
        J. Systems
        .
        .
        .

     Risk factors can be prioritized using a subjective process.


FIGURE 4
When Classifying Risk Factors... use a scheme that implies action

“Manageable” Risk Factors
• Known environment
• Capabilities and resources on hand to address
• Fell between the cracks?
Just get on with it

“Strategic” Risk Factors
• Unfamiliar territory
• Capabilities or resources may not be in place
• Major change in market or business
Requires allocation of capital or shift in strategic direction

Proper classification clearly implies the appropriate risk-shaping action.
business territory (due, perhaps, to a major acquisition, a powerful new competitor or a significant change in customer buying patterns), or the organization lacks the skills necessary to respond. These are considered “strategic risk factors” and may require significant capital outlay and/or a major change in strategic direction.

Manageable risk factors in our experience include:
• “The R&D division is not keeping pace with the demand for new products.”
• “Contingency planning is weak in the critical production facilities.”
• “Mid-level employees are dissatisfied with their opportunities for advancement.”

Strategic risk factors we have encountered include:
• “The share value is dependent on continuing uninterrupted earnings growth; this growth must come from top-line revenue growth; and opportunities for top-line growth are limited without branching out of the organization’s product line and/or niche market.”
• “Needed infrastructure changes clash with the current success formula and culture.”

The proper response to manageable risk factors is to “just get on with it” — in other words, deal with them. The relevant skills already exist; they just need to be refocused on these high-priority items. Strategic risks, however, require greater analysis; this is covered in Chapter IV.

Recap… and segue

The steps described above are illustrated below (Figure 5). This graphic also illustrates the follow-on steps — the risk-shaping steps — that are the subject of the next chapter. The graphic demonstrates that not all risk factors need to be quantified and modeled, nor do all risk factors need to be financed. Risk factors needing quantification are those that pass through the “triple screen” — they are material, high-priority and strategic. Risk factors that need to be financed pass through the first two screens and cannot be fully mitigated through other means.

Underlying our approach to risk shaping — described in Chapter IV — is the premise that modeling, quantifying and formulating the strategy for mitigation and financing can be carried out simultaneously.

FIGURE 5
[Flow diagram in two panels.
Assess Risk: Identify Risk Factors; Prioritize Risk Factors; Classify High-Priority Risk Factors; Strategic Risk Factors; Manageable Risk Factors.
Shape Risk: Strategic Risk Factors; Model and Quantify; Manageable Risk Factors; Mitigate; Risk Factors That Can Be Mitigated; Residual Risk Factors; Finance.]

Triple screening in risk assessment creates efficiency in risk shaping.

A Scientific Approach to Shaping Risk

Overview

In this section, we will describe our approach to shaping risk and provide illustrations of its application. The approach to risk shaping relies heavily on Operations Research methods such as applied probability and statistics, stochastic simulation and portfolio optimization. To our knowledge, no organization has implemented this approach in its entirety as of the date of this publication, although we know of several that use portions of it in their incremental pursuit of ERM. (In Chapter VI, we describe how some of these organizations have gotten started.)

The Four Steps in Our Approach
1. Model the Various Sources of Risk
2. Link Risk Sources to Financial Measures
3. Develop Portfolio of Risk Remediation Strategies
4. Optimize Investment Across Portfolio of Strategies

In the first step, each source of risk is modeled as a probability distribution, and the correlation among the risk sources is determined. These probability distributions are typically expressed in terms of different operational and financial measures. The second step links these disparate distributions to a common financial measure (e.g., Free Cash Flow) through a stochastic financial model. These two steps represent the bulk of the analytical effort. At this stage, we have a holistic financial model of the business that can be used to:
• measure the volatility of the financial metric(s) under current operating conditions
• analyze the impact of risk management decisions through “what-if” scenarios.

The third step involves developing risk remediation strategies to be evaluated using the stochastic financial model. This basket of strategies represents a portfolio of risk management investment choices. In the final step, the ERM budget is allocated optimally across these strategies using portfolio optimization methods. Each step is described in greater detail below.

To illustrate this approach, we will introduce a hypothetical company (let’s call it HypoCom) facing a broad array of strategic risks and show how the company would implement this approach in shaping these risks. Assume that HypoCom is a manufacturing company and has the following profile:
• Sells its product to retailers in the United States and Europe — with limited competition
• Has production plants in France, Mexico and Indonesia that deliver products to retailers through HypoCom’s own distribution network
• Faces the following risks in the next fiscal year:
  • fire at a warehouse
  • volatility in the price of the raw materials used in the production process
  • possible employee union strike at the plant in France
  • possible new competitor entering the market.

While a real company, similar to HypoCom, would face many risks, we have limited their number here for the sake of simplicity. Please note, however, that the risks were selected to span those that are traditionally considered within the domain of risk management (hazard and commodity price risks) and those that are not (operational and competitor risks).

Again, to keep the example simple, we assume a one-year time horizon. At the end of this section, however, we discuss extending these steps to a more typical multi-period decision horizon.




STEP 1
Model various risk factors individually

Generate probability distributions

In Chapter III we outlined the approach for identifying which risk factors need to be modeled. Each risk factor contains uncertainty about how, when and to what degree it will manifest itself. This uncertainty is represented as a probability distribution. No one approach for developing probability distributions can be used for all the risks that an enterprise faces.

Risks that fall within the traditional domain of risk management — for instance, insurable risks or risks that can be hedged in the financial markets — are typically modeled using statistical methods that rely on the availability of historical data. However, when the domain is extended to enterprise-wide risks, it is unlikely that enough historical data exist to employ the same methods. Here, it is more likely that assessment of the uncertainty will be based entirely on expert testimony. Also, some risk sources will have to be modeled based on historical data combined with assumptions set by experts. Extending risk management to enterprise-wide risks suggests a continuum of methods for developing probability distributions. Such a continuum ranges from relying entirely on data to relying on expert testimony.

Figure 6 identifies methods for assessing probability distributions along this continuum. Readers of this monograph are likely to be familiar with methods based primarily on historical data (leftmost section of Figure 6). Therefore, instead of describing them, we have included references to source documents at the end of this monograph. At the opposite end of the continuum, there are formal methods developed and used by decision and risk analysts to elicit expert testimony for assessing uncertainty. We have provided brief descriptions of some of these in Appendix B. In the middle of the continuum, stochastic simulation modeling predominates for combining historical data and assumptions set through expert testimony. We will use this method to model the risk associated with an employee union strike at the HypoCom production plant in France.


FIGURE 6
[Diagram of a continuum with three headings, left to right: Data Analysis, Modeling, Expert Testimony.
Methods shown, in order from the data end to the expert-testimony end:
• Empirically from historical data
• Assume theoretical Probability Density Function and use data to get parameters
• Regression over variables that affect risk
• Stochastic simulation
• Analytical model
• Influence diagrams
• Bayesian approach
• Decompose into component risks that are easier to assess
• Direct assessment of relative likelihood or fractiles
• Preference among bets or lotteries
• Delphi method]

A continuum of methods for developing probability distributions ranges from those relying on data to those that rely on expert testimony. The positions of the methods identified above suggest which to use depending on the availability of data.
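
The two ends of this continuum feeding one stochastic simulation, as an added example that is not from the monograph: a lognormal severity is fitted once from loss data and once from expert fractiles, then combined with the negative binomial frequency the monograph assumes for HypoCom's fire risk. The loss history, the fractile values and the frequency parameters r and p are constructed, and all function names are hypothetical.

```python
"""Frequency/severity simulation of an annual fire loss (constructed inputs)."""
import math
import random
from statistics import NormalDist, mean

# Constructed per-fire loss history (currency units); not data from the monograph.
HISTORICAL_FIRE_LOSSES = [120_000, 85_000, 410_000, 60_000,
                          230_000, 150_000, 95_000, 700_000]


def lognormal_from_data(losses):
    """Data end of the continuum: assume a lognormal density and estimate
    (mu, sigma) by maximum likelihood, i.e. the mean and population
    standard deviation of the log-losses."""
    if len(losses) < 2 or any(x <= 0 for x in losses):
        raise ValueError("need at least two strictly positive losses")
    logs = [math.log(x) for x in losses]
    mu = mean(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))
    return mu, sigma


def lognormal_from_fractiles(p_low, x_low, p_high, x_high):
    """Expert end of the continuum: two directly assessed fractiles
    ("10% chance a fire costs less than x_low") pin down (mu, sigma)."""
    if not (0 < p_low < p_high < 1 and 0 < x_low < x_high):
        raise ValueError("fractiles must be ordered and strictly positive")
    z_low, z_high = NormalDist().inv_cdf(p_low), NormalDist().inv_cdf(p_high)
    sigma = (math.log(x_high) - math.log(x_low)) / (z_high - z_low)
    mu = math.log(x_low) - sigma * z_low
    return mu, sigma


def lognormal_quantile(mu, sigma, p):
    """Loss size x such that P(loss <= x) = p under the fitted lognormal."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(p))


def sample_negative_binomial(rng, r, p):
    """Draw a fire count N ~ NegBin(r, p) as a gamma-Poisson mixture.
    The mean is r(1-p)/p and P(N = 0) = p**r."""
    lam = rng.gammavariate(r, (1.0 - p) / p)
    # Knuth's multiplication method; adequate for the small rates used here.
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(mu, sigma, r, p, trials=20_000, seed=1):
    """Stochastic simulation: one trial is one fiscal year's total fire loss."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        n_fires = sample_negative_binomial(rng, r, p)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_fires)))
    totals.sort()
    return totals


def summarize(totals):
    """Mean annual loss, 95th-percentile annual loss, and odds of a loss-free year."""
    n = len(totals)
    return {
        "mean": sum(totals) / n,
        "p95": totals[int(0.95 * n)],
        "p_no_loss": sum(1 for t in totals if t == 0) / n,
    }


if __name__ == "__main__":
    # Assumed frequency parameters: r=2, p=0.8, i.e. 0.5 fires per year on average.
    fits = {
        "fitted to data": lognormal_from_data(HISTORICAL_FIRE_LOSSES),
        "expert fractiles": lognormal_from_fractiles(0.10, 50_000, 0.90, 500_000),
    }
    for label, (mu, sigma) in fits.items():
        stats = summarize(simulate_annual_loss(mu, sigma, r=2.0, p=0.8))
        print(label, {k: round(v, 3) for k, v in stats.items()})
```

Comparing the two printed summaries shows how much the tail of the annual loss moves when the severity assumption comes from experts rather than from data.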




HypoCom – developing probability distributions for the four risks

Risk 1
Fire

A fire at a plant or warehouse can result in direct and indirect loss of sales volume. Direct losses result from destruction of inventory and work in progress. Indirect losses result from a prolonged interruption of production, through loss of short-term sales and perhaps through loss of market share. These risks have been insurable for a long time. Reliable methods exist for measuring the frequency and severity of losses based on review of historical data and business interruption worksheets. We will assume that for HypoCom, the frequency distribution is negative binomial and the severity distribution is lognormal

several methods exist for developing the probability distribution. These are:
• Use empirical distribution
• Assume lognormal distribution using the sample mean and standard deviation
• Assume a stochastic process (e.g., jump diffusion) and use simulation to generate distribution of price movement.

An example of a stochastic process is the Schwartz-Smith two-factor model for the behavior of commodity prices (Schwartz & Smith 1999). The two-factor approach models both the uncertainty in the long-term trend and the short-term deviation from that trend.

For the sake of this example, we will assume that HypoCom faces a lognormally distributed price with a 2% standard deviation from the current price.

Risk 3
Employee union strike

in longer lead times to market — the time from order placement to delivery. The strike would then affect HypoCom’s ability to satisfy orders and lead-time commitments or expectations; this would result in a short-term loss of sales or possibly market share.

The probability distribution for the sales volume loss can be developed in three steps. First, determine the probability distribution for the length of the strike. It’s quite likely that development of this distribution will have to be based almost entirely on expert testimony. As illustrated in Figure 6, there are several methods for assessing probabilities based on expert testimony: the Delphi method, eliciting preferences among bets or lotteries, and directly assessing relative likelihood or fractiles (see Appendix B for details on these methods). The labor relations manager(s) at
                                                                                       HypoCom can be interviewed
                                                                                       using one of these methods to
                                                An employee strike at the              determine the probability dis-
            (see references in Chapter VII                                             tribution for the length of the
                                                plant in France results in loss-
            for descriptions of these                                                  strike. For example, the result
                                                es in sales volume. HypoCom
            distributions).                                                            may be a triangular distribu-
                                                services its European and U.S.
                                                markets from production at             tion as illustrated in Figure 7.


            Rliasli ikin2rice of
            Vo t ty p
                                                three plants (France, Mexico
                                                and Indonesia). This strike
                                                would result in a temporary
                                                                                       Second, develop a distribution
                                                                                       on lead times conditioned on
            raw materials                       shutdown of the plant in               the length of the strike. We
            Historical price data for com-      France. If the other two plants        have developed a discrete-
            modities can be obtained from       have capacity to increase pro-         event stochastic simulation
            HypoCom’s own purchase              duction quickly enough to sat-         model of HypoCom’s distribu-
            data or through financial           isfy all demand, then there is         tion network, using graphical,
            markets if the commodity is         little risk of loss in sales. But if   animated simulation software
            traded on a futures exchange.       all three plants are already           called ProModel®. The simula-
            Given the availability of data,     running at high utilization (a         tion modeled stochastic
                                                more likely scenario), then the        arrival of demand based on
                                                loss of one plant would result

historical data, production rates at each of the plants and the logistics of distribution from the plant to regional distribution centers and then to retailers. It incorporated a distribution policy of supplying those distribution centers with the greatest backlog of orders. Inputs to this model are typically easy to get; in fact, many organizations already have a stochastic supply chain model used to optimize the logistics of their distribution network.

FIGURE 7
Triangular (0,3,10)
[Plot: probability versus duration of strike (days), with the points a, b and c marked.]
Triangular probability distribution with parameters minimum, mode and maximum (a, b and c, respectively). The expected value is $(a+b+c)/3$ and the standard deviation is $\sqrt{(a^2 + b^2 + c^2 - ab - bc - ac)/18}$. This distribution is used often as a rough model when there is little historical data.

The effect of the strike was simulated by shutting production at the plant in France and recording the increase in lead times. The chart of individual lead times in Figure 8 is an output from a simulation run.

FIGURE 8
[Plot: lead time (days) versus time (days).]
The chart shows the impact of a strike on lead times from one of the simulation runs. The strike starts on the 20th day and can last anywhere from 1 to 10 days, based on the probability distribution in Figure 7. You can see that the impact of the strike is felt long after the strike is over.

We usually run simulations a statistically valid number of times to attain a high level of confidence in the results. An empirical distribution of lead times based on these simulated data is shown in Figure 9.

FIGURE 9
[Plot: probability (%) versus lead time (days).]
Discrete probability mass distribution generated from the lead-time data in Figure 8. The extended tail toward longer lead times is a consequence of an employee strike.

Finally, determine the loss in sales conditioned on the increase in the lead times. With information in hand on the increase in the lead times, the sales and marketing managers at HypoCom would assess the effect on sales. One of the probability assessment methods for expert testimony described in Appendix B would be used here. The assessment would reflect contractual agreements with retailers as well as lead-time expectations and the competitive environment. So the final distribution on the decrease in the number of sales may be represented by a triangular distribution with parameters min. = 0, most likely = 4 million, max. = 10 million.

Risk 4: New competitor

Expert testimony provides the entire basis for the assessment of uncertainty associated with a new competitor. This process entails interviewing sales and marketing managers of HypoCom either individually or as a group. Any method described in Appendix B could be used here.

Here we develop a probability distribution on how new competition affects sales volume loss. It is helpful to dissect risk events into conditional causal events. For HypoCom, the causal events are illustrated in Figure 10.

The probability of loss in sales volume due to competition, $P(C)$, can be decomposed into:

$P(C) = \sum_i P(C_i \mid R_i, T_i)\, P(R_i, T_i)$

where $i$ is the product index, $P(R_i, T_i)$ is the joint probability of an adverse change in regulation ($R_i$) and introduction of new technology ($T_i$) and $P(C_i \mid R_i, T_i)$ is the conditional probability of a loss in sales volume for product $i$ due to new competition. If regulatory changes and introduction of new technology are not highly correlated, then $P(R_i, T_i)$ can be decomposed into the product of $P(R_i)$ and $P(T_i)$.

Instead of assessing $P(C)$ directly, it is easier to ask different experts to assess the
conditional and joint probabilities. Company lobbyists are interviewed to assess the probability of adverse regulation for a specific product, $P(R_i)$, using one of two methods: preference among bets or judgment of relative likelihood (see Appendix B).

Managers of the Research and Development function are interviewed to assess the probability of introduction of new technology, $P(T_i)$. Finally, sales and marketing managers are interviewed to assess the probability of a new competitor, given the state of new regulation and technology, $P(C_i \mid R_i, T_i)$. Of course, experts may be interviewed as a group using the Delphi method (see Appendix B) instead of separately. This process is applied over all products of interest and the results summed according to the formula indicated above.

FIGURE 10
[Diagram: Product leads to "Adverse change in regulation" and to "Introduction of new technology"; both lead to "New competitor".]
Given the product, the possibility for change in regulation or introduction of new technology could influence the loss in sales due to competition.

Determine correlation among risk sources

It is not enough to develop probability distributions on individual risk sources. One primary benefit of managing risks on an enterprise-wide basis is being able to take advantage of natural hedges and to explicitly reflect correlation among risks. Therefore, it is necessary to develop a matrix of correlation coefficients among pairs of risks that would be used in the next step to link the individual risk sources to a common financial measure.

It is unlikely that relevant data will exist to develop correlation among risks that span an enterprise. Thus, it is likely that this will have to be developed based on professional judgment and expert testimony. In some cases, it may be easier to develop correlations between risks implicitly by analyzing their correlation with a common linking variable. This process also ensures that a correlation matrix is internally consistent.

For HypoCom, we would expect a negative correlation between the commodity price movements and a new competitor entering the market. If the commodity price increases, it creates a greater barrier to entry into the market for a new competitor and vice versa. However, a union strike is probably positively correlated with competition. Finally, there may be some slight correlation between a union strike and the incidence of fire.

It is unlikely that correlations would be determined with a high degree of precision. Rather, it is more likely that they could be judged in fuzzy terms such as high, medium or low. These terms suggest some natural ranges for correlation coefficients such as: high correlation = .70 to .80, medium correlation = .45 to .55, low correlation = .20 to .30. Within these ranges, there should be little sensitivity on the results. The inclusion of correlations should have a significant impact on the results, but the error within these ranges should have little impact. Using these as guides, a Correlation Coefficient Matrix can be developed for HypoCom as shown in Figure 11.

FIGURE 11

                   Fire    Commodity Price    Union Strike    New Competitor
Fire                1.0          0.0               0.2              0.0
Commodity Price     0.0          1.0               0.0             -0.5
Union Strike        0.2          0.0               1.0              0.7
New Competitor      0.0         -0.5               0.7              1.0

Correlations among risks are modeled using correlation coefficients among risk pairs. For example, the risk due to commodity price fluctuations is negatively correlated with a new competitor entering the market.

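The internal-consistency requirement and the correlated draws that the matrix feeds into the next step, as an added example that is not part of the monograph: it checks the Figure 11 matrix for positive definiteness and then samples the four risks jointly. The Gaussian copula, the fire and competitor probabilities, and reading "2% standard deviation" as the sigma of the log-price are assumptions made here for illustration.

```python
import math
import random
from statistics import NormalDist

RISKS = ["fire", "commodity_price", "union_strike", "new_competitor"]

# Figure 11 correlation coefficients; rows and columns follow RISKS.
FIGURE_11 = [
    [1.0,  0.0, 0.2,  0.0],
    [0.0,  1.0, 0.0, -0.5],
    [0.2,  0.0, 1.0,  0.7],
    [0.0, -0.5, 0.7,  1.0],
]

# Constructed values (not from the monograph), used only for illustration.
P_FIRE = 0.05            # assumed probability of a plant fire in the period
P_NEW_COMPETITOR = 0.20  # assumed probability that a competitor enters
PRICE_SIGMA = 0.02       # "2% standard deviation", read as sigma of log-price

def cholesky(matrix):
    """Return lower-triangular L with L * L^T == matrix, or None when the
    matrix is not positive definite, i.e. the judged pairwise correlations
    contradict each other and no joint distribution can reproduce them."""
    n = len(matrix)
    lower = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            partial = sum(lower[i][k] * lower[j][k] for k in range(j))
            if i == j:
                pivot = matrix[i][i] - partial
                if pivot <= 1e-12:
                    return None
                lower[i][j] = math.sqrt(pivot)
            else:
                lower[i][j] = (matrix[i][j] - partial) / lower[j][j]
    return lower

def is_consistent(matrix):
    """True when the matrix is symmetric, has a unit diagonal and is
    positive definite."""
    for i in range(len(matrix)):
        if abs(matrix[i][i] - 1.0) > 1e-12:
            return False
        for j in range(i):
            if abs(matrix[i][j] - matrix[j][i]) > 1e-12:
                return False
    return cholesky(matrix) is not None

def triangular_inv_cdf(u, a, b, c):
    """Quantile function of Triangular(min=a, mode=b, max=c)."""
    if u < (b - a) / (c - a):
        return a + math.sqrt(u * (c - a) * (b - a))
    return c - math.sqrt((1.0 - u) * (c - a) * (c - b))

def simulate(n_trials, corr=FIGURE_11, seed=2000):
    """Gaussian copula: correlate standard normals with the Cholesky factor,
    then map each one through its own marginal distribution from Step 1.
    The matrix is applied to the latent normals, so correlations measured on
    the transformed outputs come out somewhat weaker."""
    lower = cholesky(corr)
    if lower is None:
        raise ValueError("correlation matrix is not internally consistent")
    rng = random.Random(seed)
    phi = NormalDist().cdf
    scenarios = []
    for _ in range(n_trials):
        z = [rng.gauss(0.0, 1.0) for _ in RISKS]
        x = [sum(lower[i][k] * z[k] for k in range(i + 1))
             for i in range(len(RISKS))]
        scenarios.append({
            "fire": 1.0 if phi(x[0]) > 1.0 - P_FIRE else 0.0,
            "price_ratio": math.exp(PRICE_SIGMA * x[1]),  # price / current
            "strike_days": triangular_inv_cdf(phi(x[2]), 0.0, 3.0, 10.0),
            "new_competitor": 1.0 if phi(x[3]) > 1.0 - P_NEW_COMPETITOR else 0.0,
        })
    return scenarios

def pearson(scenarios, key_a, key_b):
    """Sample correlation between two simulated risk drivers."""
    xs = [s[key_a] for s in scenarios]
    ys = [s[key_b] for s in scenarios]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)

if __name__ == "__main__":
    print("Figure 11 consistent:", is_consistent(FIGURE_11))
    # Hypothetical extra judgment: commodity price vs. union strike = +0.8.
    contradictory = [row[:] for row in FIGURE_11]
    contradictory[1][2] = contradictory[2][1] = 0.8
    print("With commodity/strike = 0.8:", is_consistent(contradictory))
    runs = simulate(20000)
    for a, b in [("strike_days", "new_competitor"),
                 ("price_ratio", "new_competitor"), ("fire", "price_ratio")]:
        print(a, b, round(pearson(runs, a, b), 2))
```

Each scenario's values would then be fed into the corresponding elements of the financial model in Step 2.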
STEP 2
Link risk factors to common financial measures

Select financial metrics

The prior step provides a set of probability distributions representing enterprise-wide risks. Note that the probability distributions were expressed in terms of different units. We modeled the union strike as a probability distribution on lead time and then sales volume. Commodity price risk was modeled in terms of the price of raw materials. Other risks would be modeled in terms of the operational and financial measures that they directly affect. In this step, all these risks are combined and linked to one financial measure.

Managers of different organizations vary in their preference and propensity for the financial measures by which they manage the business. The financial measure will also vary depending on the objectives and goals of the organization. Above all, it is important that there is general agreement on the financial measure selected. For this document, we will use Free Cash Flow (FCF) to capture the impact of risk on both the income statement and balance sheet.

Develop a financial model to link risks to financial metric

Once a financial measure is selected, we can then model the aggregate impact of the sources of risk on the financial measure. We can construct a pro forma FCF model by decomposing each element in the calculation of FCF into its constituent metrics. See Figure 12 for an illustration of this. The elements should be broken down to the level of the operational and financial measures used for modeling the individual risks in Step 1.

Some elements of the FCF model may be stochastic without consideration of the risks from Step 1. For example, there is some inherent uncertainty in product demand and price as well as cost of goods sold. These measures may fluctuate based on supply and demand economics. These inherent uncertainties are included in the base FCF model. The probability distributions from Step 1 are then added to the corresponding elements of the model. Finally, the Correlation Coefficient Matrix (from Step 1) is added to the model to reflect the interaction among the sources of risk. The resulting stochastic pro forma financial model links all the risks to FCF, the financial measure by which the risk remediation strategies will be evaluated in the next two steps.

Measure current level of enterprise risk before mitigation strategies

Before proceeding to risk remediation strategies, however, it is worth taking note of the value of the model thus far. At this point, we have a financial model that can be used to determine the current level of volatility in FCF. This information by itself would be extremely valuable in budgeting and financial planning. This analysis helps move managers' thinking away from the one-dimensional certainty of typical budgets and toward the range of possible outcomes and managing probable rather than definite outcomes.
(continued on page 21)

FIGURE 12

Free Cash Flow
    Operating Cash Flow
        Operating Income
            Revenue
                Volume
                Unit Price
            Cost of Goods Sold
        SG&A
        Taxes
    Investment
        Working Capital
        Fixed Assets

Free Cash Flow is decomposed into its elements: Operating Cash Flow and Change in Investment, which are further decomposed. Each element is broken down into its constituents until all operational and financial measures used for the distributions in Step 1 are isolated.
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000
Erm2000

Weitere ähnliche Inhalte

Ähnlich wie Erm2000

Fraud risk managementA guide to good practice1Th.docx
Fraud risk managementA guide to good practice1Th.docxFraud risk managementA guide to good practice1Th.docx
Fraud risk managementA guide to good practice1Th.docxshericehewat
 
White Paper: The Cyber Resilience Blueprint: A New Perspective on Security
White Paper: The Cyber Resilience Blueprint: A New Perspective on SecurityWhite Paper: The Cyber Resilience Blueprint: A New Perspective on Security
White Paper: The Cyber Resilience Blueprint: A New Perspective on SecuritySymantec
 
Enterprise tools and_techniques
Enterprise tools and_techniquesEnterprise tools and_techniques
Enterprise tools and_techniquescoparah
 
Iia nl combining functions 2014
Iia nl combining functions 2014Iia nl combining functions 2014
Iia nl combining functions 2014Halimy Abdul Hamid
 
IIA NL IAF.combining functions
IIA NL IAF.combining functionsIIA NL IAF.combining functions
IIA NL IAF.combining functionsMichel Kee
 
2016 technology Industry Report
2016 technology Industry Report2016 technology Industry Report
2016 technology Industry ReportGraeme Cross
 
Digital Interventions for Health Systems Strengthening
Digital Interventions for Health Systems Strengthening Digital Interventions for Health Systems Strengthening
Digital Interventions for Health Systems Strengthening Prof. Rajendra Pratap Gupta
 
20090712 commodities in the if study undp exeuctive summarywith covers
20090712 commodities in the if study undp exeuctive summarywith covers20090712 commodities in the if study undp exeuctive summarywith covers
20090712 commodities in the if study undp exeuctive summarywith coversLichia Saner-Yiu
 
Corporate Governance and Climate Change: Consumer and Technology Companies
Corporate Governance and Climate Change: Consumer and Technology CompaniesCorporate Governance and Climate Change: Consumer and Technology Companies
Corporate Governance and Climate Change: Consumer and Technology CompaniesAndy Dabydeen
 
F-302 Managerial Accounting
F-302 Managerial Accounting F-302 Managerial Accounting
F-302 Managerial Accounting Pantho Sarker
 
Final 2016 cyber captive survey
Final 2016 cyber captive surveyFinal 2016 cyber captive survey
Final 2016 cyber captive surveyGraeme Cross
 
Guiding Principles for Cyber Risk Governance
Guiding Principles for Cyber Risk GovernanceGuiding Principles for Cyber Risk Governance
Guiding Principles for Cyber Risk GovernanceDavid X Martin
 
AppSec Quick Start Guide 011215-2 (1)
AppSec Quick Start Guide 011215-2 (1)AppSec Quick Start Guide 011215-2 (1)
AppSec Quick Start Guide 011215-2 (1)Bilha Diaz
 
Global Sustainable Development Report 2019
Global Sustainable Development Report 2019Global Sustainable Development Report 2019
Global Sustainable Development Report 2019Energy for One World
 
Controlling Federal Spending by Managing the Long Tail of Procurement
Controlling Federal Spending by Managing the Long Tail of ProcurementControlling Federal Spending by Managing the Long Tail of Procurement
Controlling Federal Spending by Managing the Long Tail of ProcurementDavid Wyld
 
Ethical Corp Report Summary Csr Initiatives
Ethical Corp Report Summary   Csr InitiativesEthical Corp Report Summary   Csr Initiatives
Ethical Corp Report Summary Csr InitiativesEthical Corporation
 

Ähnlich wie Erm2000 (20)

DCFriskpaper280215
DCFriskpaper280215DCFriskpaper280215
DCFriskpaper280215
 
Fraud risk managementA guide to good practice1Th.docx

Erm2000

  • 1. Enterprise Risk Management An Analytic Approach A Tillinghast – Towers Perrin Monograph
  • 2. Foreword
    Business Risk Management…Holistic Risk Management…Strategic Risk Management…Enterprise Risk Management. Whatever you choose to call it, the management of risk is undergoing fundamental change within leading organizations. Worldwide, they are moving away from the “silo-by-silo” approach to manage risk more comprehensively and coherently.
    This heightened interest in Enterprise Risk Management (ERM) has been fueled in part by external factors. In just the last few years, industry and government regulatory bodies, as well as institutional investors, have turned to scrutinizing companies’ risk management policies and procedures. In more and more countries and industries, boards of directors are now required to review and report on the adequacy of the risk management processes in the organizations they govern.
    And internally, company managers are touting the benefits of an enterprise-wide approach to risk management. These benefits include:
      • reducing the cost of capital by managing volatility
      • exploiting natural hedges and portfolio effects
      • focusing management attention on risks that matter by expressing disparate risks in a common language
      • identifying those risks to exploit for competitive advantage
      • protecting and enhancing shareholder value.
    ERM is actually a straightforward process. And, in most cases, the requisite intellectual capital and business practices needed to carry out ERM already exist within the company. But an accurate, useful ERM process is based on sound analytics. Without valid measurements, managing risk is effective and efficient only by chance.
    In the following pages, we hope to add analytical rigor to the public discourse on ERM. Drawing from our client experiences, we offer a rational, scientific approach — one grounded in sound principles and practical realities. “Risk,” by definition and by nature, cannot be eliminated. Nor do leading organizations wish it gone. Rather, they want to manage the factors that influence risk so that they can pursue strategic advantage. How to identify and manage these factors is the subject of this monograph.
    It is our intention to periodically update this document. We would be most interested in readers’ comments and suggestions.
  • 3. Contents
    I Introduction
        Purpose of this monograph
        Definition and objective of ERM
        Motivation for considering ERM
    II Framework for ERM
        Assessing risk
        Shaping risk
        Exploiting risk
        Keeping ahead
    III A Rational Approach to Assessing Risk
        Overview
        Step 1 – Identify risk factors
        Step 2 – Prioritize risk factors
        Step 3 – Classify risk factors
        Recap… and segue
    IV A Scientific Approach to Shaping Risk
        Overview
        Step 1 – Model various risk factors individually
        Step 2 – Link risk factors to common financial measures
        Step 3 – Set up a portfolio of risk remediation strategies
        Step 4 – Optimize investment across remediation strategies
        Extension to multi-period risk shaping
        Recap
    V A Brief Discussion of Exploiting Risk and Keeping Ahead
    VI Implementing ERM in Phases
    VII References and Recommended Reading
    VIII Acknowledgements
    Appendices
  • 4. Introduction
    Purpose of this monograph
    Pressure to adopt ERM has increased from both internal and external forces. Although optional in most cases, a formalized risk management culture and its benefits have gained recognition and have fueled interest in the process.
    With this monograph, we intend to add analytical rigor to the public discourse on ERM by presenting a scientific approach grounded in sound business principles and practical realities.
    In this document, we will:
      • define the ERM process
      • discuss what motivates organizations to adopt ERM
      • describe our conceptual ERM framework and outline the process steps
      • detail a comprehensive, analytic approach to ERM
      • discuss methods by which organizations implement ERM.
    Definition and objective of ERM
    We define ERM as follows:
    ERM is a rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage.
    ERM’s objective — to enhance shareholder* value — is achieved through:
      • improving capital efficiency
      • providing an objective basis for allocating resources
      • reducing expenditures on immaterial risks
      • exploiting natural hedges and portfolio effects
      • supporting informed decision making
      • uncovering areas of high-potential adverse impact on drivers of share value
      • identifying and exploiting areas of “risk-based advantage”
      • building investor confidence
      • establishing a process to stabilize results by protecting them from disturbances
      • demonstrating proactive risk stewardship.
    Motivation for considering ERM
    External pressures
    Some organizations adopt ERM in response to direct and indirect pressure from corporate governance bodies and institutional investors:
      • In Canada, the Dey report, commissioned by the Toronto Stock Exchange and released in December 1994, requires companies to report on the adequacy of internal control. Following that, the clarifying report produced by the Canadian Institute of Chartered Accountants, “Guidance on Control” (CoCo report, November 1995), specifies that internal control should include the processes of risk assessment and risk management. While these reports have not forced Canadian-listed companies to initiate an ERM process, they do create public pressure and a strong moral obligation to do so. In actuality, many companies have responded by creating ERM processes.
      • In the United Kingdom, the London Stock Exchange has adopted a set of principles — the Combined Code — that consolidates previous reports on corporate governance by the Cadbury, Greenbury and Hampel committees.
    * In this monograph, the emphasis is on shareholders rather than the broader category of stakeholders (which also includes customers, suppliers, employees, lenders, communities, etc.). Though some observers prefer to define the scope of ERM to include the interests of all stakeholders, we believe this is not pragmatic at the current evolutionary state of ERM and would result in too diffuse a focus. While shareholder value is not directly relevant to some organizations (e.g., privately held and nonprofit entities), the concepts and approaches developed in this monograph clearly apply to those organizations.
  • 5. This code, effective for all accounting periods ending on or after December 23, 2000 (and with a lesser requirement for accounting periods ending on or after December 23, 1999), makes directors responsible for establishing a sound system of internal control, reviewing its effectiveness and reporting their findings to shareholders. This review should cover all controls, including operational and compliance controls and risk management. The Turnbull Committee issued guidelines in September 1999 regarding the reporting requirement for nonfinancial controls.
      • Australia and New Zealand have a common set of risk management standards. Their 1995 standards call for a formalized system of risk management and for reporting to the organization’s management on the performance of the risk management system. While not binding, these standards create a benchmark for sound management practices that includes an ERM system.
      • In Germany, a mandatory bill — the KonTraG — became law in 1998. Aimed at giving shareholders more information and control, and increasing the accountability of the directors, it includes a requirement that the management board establish supervisory systems for risk management and internal revision. In addition, it calls for reporting on these systems to the supervisory board. Further, auditors appointed by the supervisory board must examine implementation of risk management and internal revision.
      • In the Netherlands, the Peters report in 1997 made 40 recommendations on corporate governance, including a recommendation that the management board submit an annual report to the supervisory board on a corporation’s objectives, strategy, related risks and control systems. At present, these recommendations are not mandatory.
      • In the U.S., the SEC requires a statement on opportunities and risks for mergers, divestitures and acquisitions. It also requires that companies describe distinctive characteristics that may have a material impact on future financial performance within 10-K and 10-Q statements.
    Several factors broaden the requirement to report on the risks to the organization, leading to setting in place an enterprise-wide approach to risk management:
      • The report, “Internal Control — An Integrated Framework,” produced by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO), favors a broad approach to internal control to provide reasonable assurance of the achievement of an entity’s objectives. Issued in September 1992, it was amended in May 1994. While COSO does not require corporations to report on their process of internal control, it does set out a framework for ERM within an organization.
      • In September 1994, the AICPA produced its analysis, “Improving Business Reporting — A Customer Focus” (the Jenkins report), in which it recommends that reporting on opportunities and risks be improved to include discussion of all risks/opportunities that:
          — are current
          — are of serious concern
          — have an impact on earnings or cash flow
          — are specific or unique
          — have been identified and considered by management.
        The report also recommends moving toward consistent international reporting standards, which may include disclosures on risk as is required in other countries.
    Institutional investors, such as Calpers, have begun to push for stronger corporate governance and to question companies about their corporate governance procedures — including their management of risk.
    Internal reasons
    Other organizations simply see ERM as good business. For example:
      • The Board of Directors at a large utility mandated an integrated approach to risk management throughout the organization. They introduced the process in a business unit that was manageable in size, represented a microcosm of the risks faced by the parent and did not have entrenched risk management systems.
  • 6. This same unit was the focus of the parent’s strategy for seeking international growth — a strategy that would take the organization into unfamiliar territory — and had no established process for managing the attendant risks in a comprehensive way.
      • The CFO of a manufacturing company with an uninterrupted 40-year history of earnings growth embarked on ERM. This step followed the company’s philosophy of “identifying and fixing things before they become problems.” The movement was spurred by the company’s rapid growth, increasing complexity, expansion into new areas and the heightened scrutiny that accompanied its recent initial public offering.
      • A large retail company’s new Treasurer, with the support of the CFO, wanted to “assess the feasibility of taking a broader approach to risk management in developing the organization’s future strategy.” As part of this effort, she hoped to “evaluate our hazard risk and financial risk programs and strategies, to identify alternative methods of organizing and managing these exposures on a collective basis.”
      • The Chairman of the Finance Committee of the Board at a manufacturing company complained about reports from Internal Audit that repeatedly focused on immaterial risks. His concern led to formation of a cross-functional Risk Mitigation Team to identify and report on processes to deal with risks within an ERM framework. The team now reports directly to the finance committee on a quarterly basis.
    These organizations view systematic anticipation of material threats to their strategic plans as integral to executing those plans and operating their businesses. They seek to eliminate the inefficiencies built into managing risk within individual “silos.” And they appreciate that their cost of capital can be reduced through managing volatility.
    Some observers argue that investors do not put a premium on an organization’s attempt to manage volatility. These observers maintain that investors can presumably achieve this result more efficiently by diversifying the holdings in their own portfolio. They argue further that investors do not appreciate, and do not reward, an organization that spends its resources on risk management to smooth results on investors’ behalf.
    Our research into the link between performance consistency and market valuation, however, indicates otherwise. We found that consistency of earnings explains a high degree of difference in share value (specifically, “market value added”) among companies within an industry. This is true even after allowing for other influences such as growth and return (see Figure 1 and Appendix A). Investors assign a higher value, all else equal, to organizations whose earnings are more consistent than those of their peers. This clearly reduces the cost of capital for these organizations.
    In summary, organizations can use ERM to enhance the drivers of share value: growth, return on capital, consistency of earnings and quality of management. ERM can identify and manage serious threats to growth and return while identifying risks that represent opportunities to exploit for above-average growth and return. Achieving earnings consistency is, of course, a central goal of ERM. And institutional investors increasingly define management quality to include enterprise-wide risk stewardship.
    [FIGURE 1: four panels (Low-Return Companies, High-Return Companies, Low-Growth Companies, High-Growth Companies), each plotting Market Value Added against Earnings Consistency (Low, High). Caption: Companies with higher earnings consistency tend to have much higher stock valuations than their similarly situated competitors. Details and definitions are presented in Appendix A.]
  • 7. Framework for ERM
    Company information and procedures already in place can make the ERM process efficient and effective. Our conceptual framework for ERM consists of four elements.
    Assessing risk
    Risk assessment focuses on risk as a threat as well as an opportunity. In the case of risk-as-threat, assessment includes identification, prioritization and classification of risk factors for subsequent “defensive” response. In the case of risk-as-opportunity, it includes profiling risk-based opportunities for subsequent “offensive” treatment.
    Shaping risk
    This “defensive track” includes risk quantification/modeling, mitigation and financing.
    Exploiting risk
    This “offensive track” includes analysis, development and execution of plans to exploit certain risks for competitive advantage.
    Keeping ahead
    The nature of risk, the environment in which it operates, and the organization itself change with time. The situation requires continual monitoring and course corrections.
    The chapters that follow provide a fuller description of the above elements (outlined in Figure 2).
    The larger part of the discussion in this monograph is on the first two elements — risk assessment and risk shaping — as these create the foundation for the remaining elements. Accordingly, there will be more focus on the defensive track of ERM.
    FIGURE 2: The Conceptual Approach to ERM
      I Assess Risk: identify risk factors; prioritize; classify; profile risk opportunities
      II Shape Risk: quantify effects; mitigate risk; finance risk
      III Exploit Risk: analyze opportunities; develop plan; implement
      IV Keep Ahead: monitor change (risk factors, environment, organization); reenter prior steps as necessary
    The conceptual approach to ERM is straightforward.
  • 8. A Rational Approach to Assessing Risk
    Overview
    We approach risk assessment believing that managing risk effectively requires measuring risk accurately — and that accurate risk measurement requires well-formulated risk modeling. Such measuring and modeling:
      • allow senior management to see a compelling demonstration of the “portfolio effect,” i.e., the fact that independent and/or favorably correlated risks tend to offset each other without the organization having to invest in explicit hedges
      • promote the proper allocation of capital resources to risks that really matter
      • permit sizing of investments in risk remediation
      • provide an objective framework for systematic risk monitoring.
    Do all risks that face an organization need modeling? And isn’t model-building on this scale daunting?
    The answer to the first question is: “No.” Methods to prioritize risk factors can screen for those that require modeling. These methods are qualitative; we focus on these later in this chapter.
    The answer to the second question is: “Not typically.” These models often have been built and exist in some form somewhere in the organization. This will be the focus of Chapter IV.
    Before we discuss the steps in risk assessment, we should distinguish risks from the risk factors underlying them. Here we focus on the negative side of risk — as a threat, not as an opportunity. In this context, risk is the possibility that something will prevent — directly or indirectly — the achievement of business objectives. Risk factors are the events or conditions that give rise to risk. Loss of market share is a risk; lack of preparedness for the entry of new competitors is a risk factor. Risk is not something that can be directly managed or controlled. Risk factors, however — the causes of risk — can be. Therefore, managing risk, and particularly assessing risk, requires focusing on its causes rather than its manifestations.
    STEP 1: Identify risk factors
    In this initial step, a wide net is cast to capture all risk factors that potentially affect achieving business objectives. Risk factors arise from many sources — financial, operational, political/regulatory or hazards. The key characteristic of each is that it can prevent the organization from meeting its goals. In fact, if a risk factor does not have this potential, it is not truly a risk factor under an enterprise-wide interpretation of risk. Thus, the first “screen” through which a candidate risk factor must pass is materiality.
    In identifying risk factors, we favor a qualitative approach — gathering material from interviews with experts and reviewing documents. The interviews typically span the organization’s:
      • Senior management
      • Operations management
      • Corporate staff, including: Finance, Treasury, Legal, Audit, Strategic Planning, Human Resources, Risk Management, Safety, Environmental.
    These interviews solicit informed opinion on:
      • how the business works, and the way components of the business — the interviewees’ realms of responsibility — mesh
      • key performance indicators used to manage the business and its components
      • tolerable variation in key performance indicators over relevant time horizons
      • events or conditions that cause variations beyond the risk tolerances, and the probable frequency and possible maximum effect of these.
  • 9. Often we find it helpful to supplement internal interviews with interviews among the organization’s external partners, their counterparties (banks, insurers, brokers), analysts, customers, and — on occasion — competitors.
    We also review the organization’s strategic plans, business plans, financial reports, analyst reports and risk stewardship reports.
    From all these data and information, a picture emerges of the organization’s:
      • corporate culture
      • objectives
      • forms of capital (human, financial, market and infrastructure)
      • business processes (which convert the capital into cash flows)
      • control environment
      • roles and responsibilities
      • key performance measures
      • risk tolerance levels
      • capacity and readiness for change
      • preliminary list of risk factors.
    Importantly, this approach starts with the business, not a checklist of risks — far different from an audit-type approach. In other words, this approach goes from the top down and not the bottom up. Such an organic method is strongly preferable because preconceived checklists of risk factors are usually incomplete. Further, the most crucial risk factors are usually unique to each organization and its culture. This alone makes generic checklists far less relevant than a business-first approach.
    STEP 2: Prioritize risk factors
    The resulting list of risk factors (typically several dozen long at this stage) is not yet useful or actionable, although each factor has passed the materiality screen. It now requires prioritizing.
    In Step 1 (Identify risk factors), we compiled information on each risk factor’s likelihood, frequency, predictability and potential effect on the organization’s key performance indicators. We also examined the quality of the process, systems and cultural controls in place to mitigate these factors. At this stage, the information is subjective, but quite sufficient. Now, the objective is to cull the list of these factors into a manageable number for senior management. The attributes of each factor can be combined in an overall score that, when combined with subjective judgment on the timing and duration of the financial impact, can be expressed as a “net present value” score. In the example in Figure 3, this “NPV” score is on a scale of 1 (low) to 5 (high). Once scores are assigned, we can sort the risk factors from low to high and produce a prioritized list.
    A team of risk management experts typically does this evaluation and scoring. They often collaborate with representatives of management. In addition, we find a follow-up questionnaire or focus group(s) extremely helpful for cross-validation purposes. In these, the interviewees view the collective results of the identification step — the full list of risk factors, the consensus view on key performance indicators and risk tolerances, etc. Then, with this richer context and some facilitation, they can prioritize risks. We compare the results of this exercise with those from the independent prioritization conducted by the expert team, and the differences are reconciled.
    The number of risk factors that will ultimately pass through the prioritization screen is often known before the process begins. Given the demands on senior management, expecting them to concentrate on a dozen or more “top priority” risk factors is unrealistic. Generally, six or less is manageable, but this depends on the organization. Also, natural breakpoints in the prioritized list and strategic links among the risk factors can influence the ultimate number. The short list should, however, contain items deserving of consideration at the highest levels of the organization — factors that should influence the strategic plan and the affected business plans, alter the day-to-day priorities of business unit managers and affect the behavior of the rank and file.
  • 10. STEP 3: Classify risk factors
    Still, any list of risk factors, however short and prioritized, is a sterile device. Organizing this information to clearly indicate what type of risk-shaping action is necessary comes next.
    We have used several classification schemes in our work, some more detailed than others, each tailored to the client organization. One general scheme that may have nearly universal relevance is described below (see Figure 4). Additional refinements can be added as appropriate.
    In this scheme, high-priority risk factors are of two types. One is characterized by the fact that the environment in which they arise is familiar to the organization, and the skills to remedy those risk factors are already in-house. However, for some reason, these risk factors had not been given the attention they deserve. We label these “manageable risk factors.” Other risk factors arise because the organization enters unfamiliar business territory (due, perhaps, to a major acquisition, a powerful new competitor or a significant change in customer buying patterns), or the organization lacks the skills necessary to respond. These are considered “strategic risk factors” and may require significant capital outlay and/or a major change in strategic direction.
    FIGURE 3: When Prioritizing Risk Factors... subjective scoring is appropriate at this stage
      Risk Factors | Likelihood | Severity | Quality of Controls | Aggregate “NPV” Score (1-5)
      A. Strategy
      Informal planning, process and communications allow surprises | H | H | L | 4.5
      Market share and earning objectives are not aligned | H | L | L | 3.0
      …
      B. Growth
      Infrastructure is increasingly strained, will be difficult to retain culture and values with the changes that growth demands | H | H | L | 4.5
      Increased size creates more opportunity for mistakes | M | L | M | 2.0
      …
      C. Company Reputation
      Pressure to make numbers may prompt behavior that will impair company’s credibility with financial markets | M | H | H | 3.5
      Adverse publicity (e.g., business practices, ethics) can affect image across multiple brands | L | H | H | 2.5
      …
      D. Human Resources
      …
      J. Systems
      …
    Risk factors can be prioritized using a subjective process.
    FIGURE 4: When Classifying Risk Factors... use a scheme that implies action
      “Manageable” Risk Factors: known environment; capabilities and resources on hand to address; fell between the cracks? Action: Just get on with it
      “Strategic” Risk Factors: unfamiliar territory; capabilities or resources may not be in place; major change in market or business. Action: Requires allocation of capital or shift in strategic direction
    Proper classification clearly implies the appropriate risk-shaping action.
  • 11. Manageable risk factors in our experience include:
      • “The R&D division is not keeping pace with the demand for new products.”
      • “Contingency planning is weak in the critical production facilities.”
      • “Mid-level employees are dissatisfied with their opportunities for advancement.”
    Strategic risk factors we have encountered include:
      • “The share value is dependent on continuing uninterrupted earnings growth; this growth must come from top-line revenue growth; and opportunities for top-line growth are limited without branching out of the organization’s product line and/or niche market.”
      • “Needed infrastructure changes clash with the current success formula and culture.”
    The proper response to manageable risk factors is to “just get on with it” — in other words, deal with them. The relevant skills already exist; they just need to be refocused on these high-priority items. Strategic risks, however, require greater analysis; this is covered in Chapter IV.
    Recap… and segue
    The steps described above are illustrated below (Figure 5). This graphic also illustrates the follow-on steps — the risk-shaping steps — that are the subject of the next chapter. The graphic demonstrates that not all risk factors need to be quantified and modeled, nor do all risk factors need to be financed. Risk factors needing quantification are those that pass through the “triple screen” — they are material, high-priority and strategic. Risk factors that need to be financed pass through the first two screens and cannot be fully mitigated through other means.
    Underlying our approach to risk shaping — described in Chapter IV — is the premise that modeling, quantifying and formulating the strategy for mitigation and financing can be carried out simultaneously.
    [FIGURE 5: flow diagram in two parts. Assess Risk: Identify Risk Factors, Prioritize Risk Factors, High-Priority Risk Factors, Classify, Strategic Risk Factors, Manageable Risk Factors. Shape Risk: Strategic Risk Factors, Model and Quantify, Risk Factors That Can Be Mitigated, Mitigate, Manageable Risk Factors, Residual Risk Factors, Finance. Caption: Triple screening in risk assessment creates efficiency in risk shaping.]
  • 12. A Scientific Approach to Shaping Risk
    Overview
    In this section, we will describe our approach to shaping risk and provide illustrations of its application. The approach to risk shaping relies heavily on Operations Research methods such as applied probability and statistics, stochastic simulation and portfolio optimization. To our knowledge, no organization has implemented this approach in its entirety as of the date of this publication, although we know of several that use portions of it in their incremental pursuit of ERM. (In Chapter VI, we describe how some of these organizations have gotten started.)
    The Four Steps in Our Approach: (1) Model the Various Sources of Risk; (2) Link Risk Sources to Financial Measures; (3) Develop Portfolio of Risk Remediation Strategies; (4) Optimize Investment Across Portfolio of Strategies
    In the first step, each source of risk is modeled as a probability distribution, and the correlation among the risk sources is determined. These probability distributions are typically expressed in terms of different operational and financial measures. The second step links these disparate distributions to a common financial measure (e.g., Free Cash Flow) through a stochastic financial model. These two steps represent the bulk of the analytical effort. At this stage, we have a holistic financial model of the business that can be used to:
      • measure the volatility of the financial metric(s) under current operating conditions
      • analyze the impact of risk management decisions through “what-if” scenarios.
    The third step involves developing risk remediation strategies to be evaluated using the stochastic financial model. This basket of strategies represents a portfolio of risk management investment choices. In the final step, the ERM budget is allocated optimally across these strategies using portfolio optimization methods. Each step is described in greater detail below.
    To illustrate this approach, we will introduce a hypothetical company (let’s call it HypoCom) facing a broad array of strategic risks and show how the company would implement this approach in shaping these risks. Assume that HypoCom is a manufacturing company and has the following profile:
      • Sells its product to retailers in the United States and Europe — with limited competition
      • Has production plants in France, Mexico and Indonesia that deliver products to retailers through HypoCom’s own distribution network
      • Faces the following risks in the next fiscal year:
          • fire at a warehouse
          • volatility in the price of the raw materials used in the production process
          • possible employee union strike at the plant in France
          • possible new competitor entering the market.
    While a real company, similar to HypoCom, would face many risks, we have limited their number here for the sake of simplicity. Please note, however, that the risks were selected to span those that are traditionally considered within the domain of risk management (hazard and commodity price risks) and those that are not (operational and competitor risks).
    Again, to keep the example simple, we assume a one-year time horizon. At the end of this section, however, we discuss extending these steps to a more typical multi-period decision horizon.
  • 13. STEP 1
Model various risk factors individually

Generate probability distributions

In Chapter III we outlined the approach for identifying which risk factors need to be modeled. Each risk factor contains uncertainty about how, when and to what degree it will manifest itself. This uncertainty is represented as a probability distribution. No one approach for developing probability distributions can be used for all the risks that an enterprise faces.

Risks that fall within the traditional domain of risk management — for instance, insurable risks or risks that can be hedged in the financial markets — are typically modeled using statistical methods that rely on the availability of historical data. However, when the domain is extended to enterprise-wide risks, it is unlikely that enough historical data exist to employ the same methods. Here, it is more likely that assessment of the uncertainty will be based entirely on expert testimony. Also, some risk sources will have to be modeled based on historical data combined with assumptions set by experts. Extending risk management to enterprise-wide risks suggests a continuum of methods for developing probability distributions. Such a continuum ranges from relying entirely on data to relying on expert testimony.

Figure 6 identifies methods for assessing probability distributions along this continuum. Readers of this monograph are likely to be familiar with methods based primarily on historical data (leftmost section of Figure 6). Therefore, instead of describing them, we have included references to source documents at the end of this monograph. At the opposite end of the continuum, there are formal methods developed and used by decision and risk analysts to elicit expert testimony for assessing uncertainty. We have provided brief descriptions of some of these in Appendix B. In the middle of the continuum, stochastic simulation modeling predominates for combining historical data and assumptions set through expert testimony. We will use this method to model the risk associated with an employee union strike at the HypoCom production plant in France.

(continued on page 16)

FIGURE 6 (diagram of methods placed along a continuum from Data Analysis through Modeling to Expert Testimony. Methods shown: empirically from historical data; assume theoretical Probability Density Function and use data to get parameters; regression over variables that affect risk; stochastic simulation; analytical model; influence diagrams; Bayesian approach; decompose into component risks that are easier to assess; direct assessment of relative likelihood or fractiles; preference among bets or lotteries; Delphi method.)
A continuum of methods for developing probability distributions ranges from those relying on data to those that rely on expert testimony. The positions of the methods identified above suggest which to use depending on the availability of data.
  • 14. HypoCom – developing probability distributions for the four risks

Risk 1: Fire

A fire at a plant or warehouse can result in direct and indirect loss of sales volume. Direct losses result from destruction of inventory and work in progress. Indirect losses result from a prolonged interruption of production, through loss of short-term sales and perhaps through loss of market share. These risks have been insurable for a long time. Reliable methods exist for measuring the frequency and severity of losses based on review of historical data and business interruption worksheets. We will assume that for HypoCom, the frequency distribution is negative binomial and the severity distribution is lognormal (see references in Chapter VII for descriptions of these distributions).

Risk 2: Volatility in price of raw materials

Historical price data for commodities can be obtained from HypoCom’s own purchase data or through financial markets if the commodity is traded on a futures exchange. Given the availability of data, several methods exist for developing the probability distribution. These are:

Ⅲ Use empirical distribution

Ⅲ Assume lognormal distribution using the sample mean and standard deviation

Ⅲ Assume a stochastic process (e.g., jump diffusion) and use simulation to generate distribution of price movement.

An example of a stochastic process is the Schwartz-Smith two-factor model for the behavior of commodity prices (Schwartz & Smith 1999). The two-factor approach models both the uncertainty in the long-term trend and the short-term deviation from that trend.

For the sake of this example, we will assume that HypoCom faces a lognormally distributed price with a 2% standard deviation from the current price.

Risk 3: Employee union strike

An employee strike at the plant in France results in losses in sales volume. HypoCom services its European and U.S. markets from production at three plants (France, Mexico and Indonesia). This strike would result in a temporary shutdown of the plant in France. If the other two plants have capacity to increase production quickly enough to satisfy all demand, then there is little risk of loss in sales. But if all three plants are already running at high utilization (a more likely scenario), then the loss of one plant would result in longer lead times to market — the time from order placement to delivery. The strike would then affect HypoCom’s ability to satisfy orders and lead-time commitments or expectations; this would result in a short-term loss of sales or possibly market share. The probability distribution for the sales volume loss can be developed in three steps.

First, determine the probability distribution for the length of the strike. It’s quite likely that development of this distribution will have to be based almost entirely on expert testimony. As illustrated in Figure 6, there are several methods for assessing probabilities based on expert testimony: the Delphi method, eliciting preferences among bets or lotteries, and directly assessing relative likelihood or fractiles (see Appendix B for details on these methods). The labor relations manager(s) at HypoCom can be interviewed using one of these methods to determine the probability distribution for the length of the strike. For example, the result may be a triangular distribution as illustrated in Figure 7.

Second, develop a distribution on lead times conditioned on the length of the strike. We have developed a discrete-event stochastic simulation model of HypoCom’s distribution network, using graphical, animated simulation software called ProModel®. The simulation modeled stochastic arrival of demand based on
  • 15. historical data, production rates at each of the plants and the logistics of distribution from the plant to regional distribution centers and then to retailers. It incorporated a distribution policy of supplying those distribution centers with the greatest backlog of orders. Inputs to this model are typically easy to get; in fact, many organizations already have a stochastic supply chain model used to optimize the logistics of their distribution network.

The effect of the strike was simulated by shutting production at the plant in France and recording the increase in lead times. The chart of individual lead times in Figure 8 is an output from a simulation run.

We usually run simulations a statistically valid number of times to attain a high level of confidence in the results. An empirical distribution of lead times based on these simulated data is shown in Figure 9.

Finally, determine the loss in sales conditioned on the increase in the lead times. With information in hand on the increase in the lead times, the sales and marketing managers at HypoCom would assess the effect on sales. One of the probability assessment methods for expert testimony described in Appendix B would be used here. The assessment would reflect contractual agreements with retailers as well as lead-time expectations and the competitive environment. So the final distribution on the decrease in the number of sales may be represented by a triangular distribution with parameters min. = 0, most likely = 4 million, max. = 10 million.

FIGURE 7 (plot: Triangular (0,3,10); vertical axis: Probability; horizontal axis: Duration of strike (days); points a, b and c marked)
Triangular probability distribution with parameters minimum, mode and maximum (a, b and c, respectively). The expected value is (a+b+c)/3 and the standard deviation is (a² + b² + c² – ab – bc – ac)/18. This distribution is used often as a rough model when there is little historical data.

FIGURE 8 (plot; vertical axis: Lead time (days); horizontal axis: Time (days))
The chart shows the impact of a strike on lead times from one of the simulation runs. The strike starts on the 20th day and can last anywhere from 1 to 10 days, based on the probability distribution in Figure 7. You can see that the impact of the strike is felt long after the strike is over.

FIGURE 9 (plot; vertical axis: Probability; horizontal axis: Lead time (days))
Discrete probability mass distribution generated from the lead-time data in Figure 8. The extended tail toward longer lead times is a consequence of an employee strike.

Risk 4: New competitor

Expert testimony provides the entire basis for the assessment of uncertainty associated with a new competitor. This process entails interviewing sales and marketing managers of HypoCom either individually or as a group. Any method described in Appendix B could be used here.

Here we develop a probability distribution on how new competition affects sales volume loss. It is helpful to dissect risk events into conditional causal events. For HypoCom, the causal events are illustrated in Figure 10.

The probability of loss in sales volume due to competition, $P(C)$, can be decomposed into:

$P(C) = \sum_i P(C_i \mid R_i, T_i)\, P(R_i, T_i)$

where $i$ is the product index, $P(R_i, T_i)$ is the joint probability of an adverse change in regulation ($R_i$) and introduction of new technology ($T_i$) and $P(C_i \mid R_i, T_i)$ is the conditional probability of a loss in sales volume for product $i$ due to new competition. If regulatory changes and introduction of new technology are not highly correlated, then $P(R_i, T_i)$ can be decomposed into the product of $P(R_i)$ and $P(T_i)$.

Instead of assessing $P(C)$ directly, it is easier to ask different experts to assess the
  • 16. conditional and joint probabilities. Company lobbyists are interviewed to assess the probability of adverse regulation for a specific product, $P(R_i)$, using one of two methods: preference among bets or judgment of relative likelihood (see Appendix B).

Managers of the Research and Development function are interviewed to assess the probability of introduction of new technology, $P(T_i)$. Finally, sales and marketing managers are interviewed to assess the probability of a new competitor, given the state of new regulation and technology, $P(C_i \mid R_i, T_i)$. Of course, experts may be interviewed as a group using the Delphi method (see Appendix B) instead of separately. This process is applied over all products of interest and the results summed according to the formula indicated above.

FIGURE 10 (influence diagram; nodes: Product, Adverse change in regulation, Introduction of new technology, New competitor)
Given the product, the possibility for change in regulation or introduction of new technology could influence the loss in sales due to competition.

Determine correlation among risk sources

It is not enough to develop probability distributions on individual risk sources. One primary benefit of managing risks on an enterprise-wide basis is being able to take advantage of natural hedges and to explicitly reflect correlation among risks. Therefore, it is necessary to develop a matrix of correlation coefficients among pairs of risks that would be used in the next step to link the individual risk sources to a common financial measure.

It is unlikely that relevant data will exist to develop correlation among risks that span an enterprise. Thus, it is likely that this will have to be developed based on professional judgment and expert testimony. In some cases, it may be easier to develop correlations between risks implicitly by analyzing their correlation with a common linking variable. This process also ensures that a correlation matrix is internally consistent.

For HypoCom, we would expect a negative correlation between the commodity price movements and a new competitor entering the market. If the commodity price increases, it creates a greater barrier to entry into the market for a new competitor and vice versa. However, a union strike is probably positively correlated with competition. Finally, there may be some slight correlation between a union strike and the incidence of fire.

It is unlikely that correlations would be determined with a high degree of precision. Rather, it is more likely that they could be judged in fuzzy terms such as high, medium or low. These terms suggest some natural ranges for correlation coefficients such as: high correlation = .70 to .80, medium correlation = .45 to .55, low correlation = .20 to .30. Within these ranges, there should be little sensitivity on the results. The inclusion of correlations should have a significant impact on the results, but the error within these ranges should have little impact. Using these as guides, a Correlation Coefficient Matrix can be developed for HypoCom as shown in Figure 11.

FIGURE 11

                   Fire   Commodity Price   Union Strike   New Competitor
Fire                1.0         0.0              0.2             0.0
Commodity Price     0.0         1.0              0.0            -0.5
Union Strike        0.2         0.0              1.0             0.7
New Competitor      0.0        -0.5              0.7             1.0

Correlations among risks are modeled using correlation coefficients among risk pairs. For example, the risk due to commodity price fluctuations is negatively correlated with a new competitor entering the market.
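The first two steps of the strike analysis (Risk 3 in the sidebar) can be sketched in a few lines. This is an added example, not the monograph's ProModel simulation: it is a daily first-in-first-out model whose plant capacity, demand level and noise range are constructed assumptions, with the strike length drawn from the Triangular (0,3,10) distribution of Figure 7.

```python
import random
from collections import Counter

def simulate_lead_times(strike_days, rng=None, horizon=60, strike_start=20,
                        mean_demand=270, plant_capacity=100):
    """Lead time in days for each order day; three plants, FIFO shipping.

    All numbers are assumed: each plant makes 100 units/day and demand is
    about 270 units/day (90% utilization). Pass rng for noisy demand.
    """
    backlog = []       # FIFO queue of [order_day, units still unshipped]
    shipped_on = {}    # order_day -> day on which its last unit shipped
    day = 0
    while len(shipped_on) < horizon:
        if day < horizon:                      # orders arrive inside the horizon
            noise = rng.randint(-20, 20) if rng else 0
            backlog.append([day, mean_demand + noise])
        on_strike = strike_start <= day < strike_start + strike_days
        capacity = plant_capacity * (2 if on_strike else 3)  # France plant down
        while capacity > 0 and backlog:
            order = backlog[0]
            used = min(capacity, order[1])
            order[1] -= used
            capacity -= used
            if order[1] == 0:
                shipped_on[order[0]] = day
                backlog.pop(0)
        day += 1
    return [shipped_on[d] - d for d in range(horizon)]

def lead_time_pmf(runs=500, seed=1):
    """Empirical lead-time distribution over many runs (the idea of Figure 9)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(runs):
        # random.triangular takes (low, high, mode): min 0, max 10, mode 3
        strike = round(rng.triangular(0, 10, 3))
        counts.update(simulate_lead_times(strike, rng))
    total = sum(counts.values())
    return {lead: n / total for lead, n in sorted(counts.items())}
```

With a 10-day strike and noise-free demand, the last delayed order is the one placed on day 52, more than three weeks after production resumes, which is the lingering effect the Figure 8 caption describes.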
  • 17. STEP 2
Link risk factors to common financial measures

Select financial metrics

The prior step provides a set of probability distributions representing enterprise-wide risks. Note that the probability distributions were expressed in terms of different units. We modeled the union strike as a probability distribution on lead time and then sales volume. Commodity price risk was modeled in terms of the price of raw materials. Other risks would be modeled in terms of the operational and financial measures that they directly affect. In this step, all these risks are combined and linked to one financial measure.

Managers of different organizations vary in their preference and propensity for the financial measures by which they manage the business. The financial measure will also vary depending on the objectives and goals of the organization. Above all, it is important that there is general agreement on the financial measure selected. For this document, we will use Free Cash Flow (FCF) to capture the impact of risk on both the income statement and balance sheet.

Develop a financial model to link risks to financial metric

Once a financial measure is selected, we can then model the aggregate impact of the sources of risk on the financial measure. We can construct a pro forma FCF model by decomposing each element in the calculation of FCF into its constituent metrics. See Figure 12 for an illustration of this. The elements should be broken down to the level of the operational and financial measures used for modeling the individual risks in Step 1.

Some elements of the FCF model may be stochastic without consideration of the risks from Step 1. For example, there is some inherent uncertainty in product demand and price as well as cost of goods sold. These measures may fluctuate based on supply and demand economics. These inherent uncertainties are included in the base FCF model. The probability distributions from Step 1 are then added to the corresponding elements of the model. Finally, the Correlation Coefficient Matrix (from Step 1) is added to the model to reflect the interaction among the sources of risk. The resulting stochastic pro forma financial model links all the risks to FCF, the financial measure by which the risk remediation strategies will be evaluated in the next two steps.

Measure current level of enterprise risk before mitigation strategies

Before proceeding to risk remediation strategies, however, it is worth taking note of the value of the model thus far. At this point, we have a financial model that can be used to determine the current level of volatility in FCF. This information by itself would be extremely valuable in budgeting and financial planning. This analysis helps move managers’ thinking away from the one-dimensional certainty of typical budgets and toward the range of possible outcomes and managing probable rather than definite outcomes.

(continued on page 21)

FIGURE 12 (tree diagram; nodes: Free Cash Flow, Operating Cash Flow, Investment, Operating Income, SG&A, Taxes, Working Capital, Fixed Assets, Revenue, Cost of Goods Sold, Volume, Unit Price)
Free Cash Flow is decomposed into its elements: Operating Cash Flow and Change in Investment, which are further decomposed. Each element is broken down into its constituents until all operational and financial measures used for the distributions in Step 1 are isolated.
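The Figure 11 matrix and the Step 2 linkage can be exercised together in a small Monte Carlo model. This is an added example, not the monograph's model: it applies the correlations through a Gaussian copula (one common technique, assumed here), and the pro forma figures, event probabilities and the simplified single-event fire loss are constructed assumptions. A Cholesky factorization doubles as the internal-consistency check on the correlation matrix.

```python
import math
import random
from statistics import NormalDist, mean, stdev

CORR = [[1.0, 0.0, 0.2, 0.0],     # Figure 11; order: fire, commodity price,
        [0.0, 1.0, 0.0, -0.5],    # union strike, new competitor
        [0.2, 0.0, 1.0, 0.7],
        [0.0, -0.5, 0.7, 1.0]]

def cholesky(m):
    """Lower-triangular L with L*L^T == m; ValueError if the judged
    correlations are not internally consistent (not positive definite)."""
    n = len(m)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = m[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                if s <= 1e-12:
                    raise ValueError("correlation matrix is not consistent")
                L[i][j] = math.sqrt(s)
            else:
                L[i][j] = s / L[j][j]
    return L

def correlated_normals(L, rng):
    """One draw of standard normals with the correlation encoded in L."""
    z = [rng.gauss(0.0, 1.0) for _ in L]
    return [sum(L[i][k] * z[k] for k in range(i + 1)) for i in range(len(L))]

def inv_triangular(u, a, b, c):
    """Inverse CDF of Triangular(min a, mode b, max c), Figure 7 notation."""
    if u < (b - a) / (c - a):
        return a + math.sqrt(u * (c - a) * (b - a))
    return c - math.sqrt(max(0.0, 1 - u) * (c - a) * (c - b))

def simulate_fcf(corr, trials=5000, seed=1):
    """FCF samples in millions. Assumed base case: 100M units at price 5.00,
    raw material 3.00 per unit, 120M other cash costs (base FCF = 80M)."""
    L, rng, phi = cholesky(corr), random.Random(seed), NormalDist().cdf
    p_fire, p_strike, p_comp = 0.02, 0.10, 0.15   # assumed event probabilities
    out = []
    for _ in range(trials):
        x_fire, x_price, x_strike, x_comp = correlated_normals(L, rng)
        fire_loss = 15.0 if phi(x_fire) > 1 - p_fire else 0.0
        material = 3.0 * math.exp(0.02 * x_price)   # lognormal, 2% s.d.
        u, lost = phi(x_strike), 0.0
        if u > 1 - p_strike:                        # strike: Triangular(0, 4, 10)
            lost = inv_triangular((u - (1 - p_strike)) / p_strike, 0, 4, 10)
        share = 0.92 if phi(x_comp) > 1 - p_comp else 1.0   # assumed 8% loss
        out.append((100.0 - lost) * share * (5.0 - material) - 120.0 - fire_loss)
    return out

def volatility_report(trials=5000, seed=1):
    """FCF volatility with the Figure 11 correlations and with none."""
    identity = [[float(i == j) for j in range(4)] for i in range(4)]
    dep = simulate_fcf(CORR, trials, seed)
    ind = simulate_fcf(identity, trials, seed)
    return {"mean": mean(dep), "sd_correlated": stdev(dep),
            "sd_independent": stdev(ind)}
```

Calling `volatility_report()` gives the mean FCF and its standard deviation with and without the Figure 11 correlations, the "current level of volatility" measurement described above.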