Risk has traditionally been seen as something to be avoided – with the belief that if behavior is risky, it’s not something a business should pursue. But the very nature of business is to take risks to attain growth. Risk can be a creator of value and can play a unique role in driving business performance, and so strategies for corporate risk management must be developed to help guide the business as it decides which risks to take.
Risk management, then, is the identification, assessment and prioritization of risks or uncertainties in business. Any strategies for corporate risk management must be backed up by a risk management analysis and a plan for controlling or mitigating those risks.
But what are risks in corporate life? While the obvious come immediately to mind – the financial risk of running out of money or inheriting bad debt, or the risk of being unable to continue operations, for example due to workers going on strike or a force of nature closing a plant – it’s important to remember corporate risk doesn’t just encompass operational and financial risks, but also risks to the wider corporate strategy.
In fact, studies indicate that financial risks only generate about 10% of major declines in market capitalization, while operational risks account for around 30%; the other 60% of declines are a result of strategic risks, and yet strategy comes a poor third in risk-prioritization exercises.
Strategic corporate risks could include:
- Shifts in consumer demand and preferences
- Legal and regulatory changes
- Competitive pressures
- Merger integrations
- Technological changes
- Senior management turnover
- Stakeholder pressure
You’ll note that a lot of strategic risk closely aligns with the compliance and governance function of an entity, and so these teams must be involved and informed as strategies for corporate risk management are devised.
Building strategies for corporate risk management
Strategies for corporate risk management usually consist of two processes: setting the framework for the company’s risk management and setting the communication channels in the organization. Risk management is, though, useless unless you measure and know your risks first. You must also have a robust procedure for ongoing monitoring and a cycle of continual assessment.
Risk management planning encompasses three elements:
- Operational risk management, which covers risks such as damage to property or other risks that can’t be planned for.
- Financial risk management, which emerges from the effects of markets on an entity’s assets; this includes risks to credit, price and liquidity.
- Strategic risk management, or thinking about the bigger picture and the future of the company.
Consider what happened to Kodak once digital cameras came along, and ask if that was a failure of operational risk management or strategic risk management.
One of the best available metrics of risk measurement is economic capital, which is the amount of equity required to cover any unexpected losses. The economic capital required to support an individual risk can be calculated and the results aggregated across all risks. Dividing the anticipated after-tax return on each strategic initiative by the economic capital gives you a risk-adjusted return on capital (RAROC) figure – if the RAROC is less than the cost of capital, the initiative will destroy value and is, therefore, a huge risk to the company.
Outside of economics, there are five steps to take when first assessing the risk and deciding on the best solutions for mitigation:
- Identify the risk: Risks can be internal or external, so include any events that could cause problems or benefits for the company.
- Analyze the risk: Thoroughly analyze the potential effects each risk will have on consumer behavior, the company or any endeavors underway.
- Evaluate the risk: Rank risks according to the likelihood of each outcome to see how severely a given risk could impact the company or its strategy.
- Treat the risk: Look at ways to reduce the probability of a negative risk and increase the probability of positive risks, preparing preventative and contingency plans as needed.
- Monitor the risk: Track variables and possible threats, and calmly treat any problems that arise as your tracking system identifies changes.
Once the risk assessment is complete, assign a strategy to treat the identified risks. Generally, there are four ways to handle a risk:
- Avoid the risk, or forfeit all activity that carries the risk – though this also means forfeiting all associated potential returns and opportunities.
- Reduce the risk, or make small changes to reduce the weight of both risk and reward.
- Transfer or share the risk, or redistribute the burden of loss or gain by entering partnerships or bringing on new entities.
- Accept the risk, or assume any loss or gain entirely; this is usually put into play for small risks where any loss can be easily absorbed by the entity.
The role of the Board in strategies for corporate risk management
One of the central tenets of any Board is to oversee risk, but that job has become highly complex as market forces become more volatile and modern corporates grow into multinational behemoths. A strong enterprise risk management (ERM) process doubles as both an internal safeguard and a shareholder engagement tool. We’ve previously reported that an ERM framework is a great starting point for board discussion, but also acts as proof that the company is systematically analyzing and rigorously managing risk in case of investor and shareholder nerves – all things the Board cares about and is responsible for.
The COSO framework says the role of the board in risk oversight includes: reviewing, challenging and concurring with management on the proposed strategy and risk appetite; aligning strategy and business objectives with mission, vision and values; participating in significant business decisions; formulating responses to significant performance or portfolio fluctuations; formulating responses to any deviation from core values; approving management incentives and remuneration; and participating in investor and stakeholder relations.
Remember, there must be a robust, unshakeable relationship between risk management and corporate governance in any entity. Falling out of compliance with local regulations is a big risk that must be managed effectively, and strategies for corporate risk management must include a focus on compliance.
How technology can help manage corporate risk
All of this leads up to one resounding conclusion: To keep on top of risks, and to manage them effectively, it pays to incorporate technology into your risk management practices. The right software platforms can automate regular tasks, act as central repositories for key information, and make roles, responsibilities and deadlines clear through process management.
It’s important to assess all three risk areas – financial, operational and strategic – to safeguard your company’s future growth and reputation, but it’s just as important to regularly check in with your risk assessments and to ensure progress toward mitigation is going according to plan. This is where technology can help streamline tasks, and where Diligent’s entity and board management software can help ease the burden on company secretaries, general counsels and legal operations teams.
Acting as that all-important central repository for all entity management information, Diligent software provides secure file sharing and communications, virtual data rooms, assessment tools and board management tools. Compliance workflows and calendars help keep risk management on track through notifications and RAG status, while entity relationship diagramming can reveal compliance risks that may not be obvious at first sight. All of this can help drive risk assessments and enhance risk management strategies.