Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.


Status message

This is subscriber-only content, you are viewing with temporary unrestricted access. For full access, begin your free, no obligation 5-day trial.

Risky Business: Assessing And Managing Risk

Harvey L. Pitt | June 2, 2004

Management's most important job is identifying, assessing and managing risk; how well it's perceived to perform this role is often reflected in a company's share prices.

After shocking corporate defalcations, high-profile prosecutions, Sarbanes-Oxley's passage and dozens of new regulatory requirements, focus on risk management has become clouded and diffused. This, in turn, often means management fails to address risk with directors and shareholders on a timely basis—or altogether—imperiling the value of a company's securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared.

While identifying, assessing and managing risk is, at least initially, a task for management, board members are responsible for understanding, and being comfortable with, management's risk-handling techniques and performance. There are several steps directors can take to ensure a continuous and effective process.

Objective Risk Identification

Companies identify risk many ways, but most involve subjective judgments on management's part. However, there are three "objective" risk identification tools available to directors:

  1. Financial analyses of peer and competitor companies;
  2. Third-party research reports; and
  3. Third-party perception reviews.

Many companies apply only a two-dimensional corporate financial reporting approach—analyzing the company's disclosures and financial statements as if the company operated in a vacuum. The recent experience of Royal Dutch/Shell cautions against that approach: Shell treated certain reserves as proved while its co-venturers on the project—Texaco-Chevron and Exxon-Mobil—didn't. A detailed comparison of a company's financial statements with those of its competitors and peers ineluctably stimulates discussion and provides useful insights.

Similarly, third-party research reports can highlight how knowledgeable outsiders view the risks and rewards of a company, and can provide a useful tool for directors to benchmark the company's risk analysis. Whatever their value for investment purposes, research analysts spend significant amounts of time reviewing information about companies they follow and their competitors. If the analysts' view of a company's risk profile is significantly different from management's view, that should be cause for concern.

It's also important to recall that the more insular the process by which risks are assessed and resolved, the less successful a company will be in preventing serious problems. Often, company outsiders—particularly those in the financial community—have a better grasp on risks facing a specific company, or the particular industry in which it functions.

Big Picture Focus

One inherent danger in risk analysis is, of course, that directors become mired in the roots of the trees, thereby ignoring the forest. It's key that directors identify meaningful risks and devote time to those.

In this context, it's useful to focus on four principal segments of a company's business: Markets in which it sells its products or services; the products or services it sells; the quality of its employees; and its financial strength and flexibility. Analyzing risks underlying each of these four aspects of a company's business can prevent directors from becoming overwhelmed.

  1. Markets. Management constantly must tailor its products and services to match consumer demand. Typical risk concerns include:
    • Monitoring growth of the overall market compared to growth in the economy;
    • Tracking market changes due to technological, environmental, political or societal factors; and
    • Identifying new potential markets and preparing exit strategies from markets no longer competitive.
  2. Products Or Services. Products or services must stay current with their markets. Typical concerns include:
    • Ascertaining whether advertising or marketing expense growth is used to compensate for cuts in services provided or research and development;
    • Determining if, and to what extent, capital expenditures are needed to maintain a competitive product or service;
    • Inquiring whether products or their manufacture pose environmental or health risks; and
    • Evaluating whether production facilities should be outsourced or moved.
  3. Employees. Some issues indicative of risks are:
    • Providing employees with training and a career path to keep them productive and loyal;
    • Management succession planning, especially the CEO and CFO;
    • Providing understandable and fair compensation;
    • Defining and promoting employees' ethical behavior; and
    • Whistleblower and regulatory compliance policies.
  4. Financials. Financial flexibility allows a corporation to deal with problems in other areas. Some areas of concern are:
    • Agreements dependent upon a company's stock price or debt ratings often cause perverse short-term behavior and long-term problems;
    • Tax efficiency may limit the ability to access funds when a company needs them most;
    • Concentration on short term financial goals, like earnings growth or ratings preservation, while ignoring long-term strategic issues; and
    • Current systems and procedures review, to insure the integrity and quality of financial information.

Practical Steps

Identifying and managing risk is a continuous process. Here are several steps directors may wish to consider:

  1. Watch Behind, Think Ahead. Good risk analysis entails driving forward while looking in the rear view mirror. Information about the past is useful, but the primary concern is what could happen. It's important to look for problems rather than waiting for them to find the company; red flags aren't always immediately recognizable. For example, if a company experiences unusual profits or growth compared to its peers, that may not be good news—it may be a warning. Just because it appears things are going well doesn't mean they actually are.
  2. The Need For Three-Dimensional Financial Analyses. On a quarterly basis, directors should require the financial staff to present a detailed comparative financial analysis with selected peer companies. Analysis should concentrate on metrics that management identifies as driving the company, and should include standard measures, such as margin analysis; capitalization; revenue-, net-income, and earnings-per-share growth over a five-year period; and market ratios, such as price-to-earnings, price-to-cash-flow and price-to-book, as well as changes in capitalization over the last 12 months.

    This analysis will produce at least two critical benefits: First, it can highlight numerical differences, thereby identifying areas that warrant further exploration. Second, it can familiarize those who do the analysis with accounting similarities and differences inside an industry. Presenting numbers on a consistent basis among different companies forces an analyst to read SEC filings carefully and become familiar with the accounting nuances of different companies—information often more informative than numerical differences.

  3. Practice The Three R's: Read, Read, Read. Reading both positive and negative third-party analyst reports—and understanding the reasons for conclusions reached—as well as differences between similarly situated companies, should be high on any board's list of between-meeting activities.
  4. Perception As Reality. It's important not only to know the facts as management has learned them, but to know what knowledgeable financial outsiders think about the company. Gaining access to those insights provides a valuable check on management's perceptions.
  5. Trust, But Cut The Cards. To paraphrase environmentalist Edward Abbey, "It's not the board's task to answer questions, but to question answers." To be effective, directors must formulate the right questions and doggedly pursue anything that seems unclear or amiss.
  6. Take Control Of Information Flow. Directors can't afford solely to react to management's information presentations. Independent directors should appoint a lead director to work with management to formulate agendas and address issues. Directors should understand the differences between GAAP and tax accounting, the effects of assumptions on the balance sheet, and the reasons and sustainability of positive and negative performance. The only stupid question is one that isn't asked.
  7. Diligence And Proactivity. Even if directors fail to uncover a specific risk or if a crisis ensues, the situation can be salvaged—and (not inconsequentially) liability avoided—by demonstrating diligence and proactivity in trying to avoid problems that nonetheless arose. Directors should, therefore carefully document their diligence and proactivity.
  8. Disclose, Disclose, Disclose. Risk management's goal is quantifying potential effects of certain foreseeable events on a company's financial well being. If they're meaningful, the financial effects of these events should be communicated to shareholders.
  9. Integrate Risk Management With Corporate Governance And Control. A company's tone is set at the top. An integrated system ensures that everyone is using the same information. Increases in levels of incurred risk can be the result of failures in controls.
  10. Use Outside Experts. Outside experts that are independent of management can help boards design and implement an effective risk audit, and can provide a fresh perspective to risk management. Outside experts also can be helpful in risk mitigation if the unexpected happens. Sarbanes-Oxley encourages their use.

The key to identifying and responding to critical risk factors is constant and fulsome communication between management and the board, and between the company and its shareholders. Using simple tools, the risk analysis process can be initiated without great complication, and can be accomplished through the application of basic principles. Successful satisfaction of both will allow shareholders, management and boards to sleep peacefully.

What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.