Saturday, November 15, 2014

Analyzing Your Risk Management System

By definition, a corporate (or business) risk is the probability that a certain event in the future will (a) happen and (b) cause financial losses – either directly or indirectly (e.g. sales, profits, cash flow, financial value, etc. will be lower than anticipated). Examples include the ‘risk of a natural disaster’, the ‘risk of a competitor coming up with a superior product’, etc.

To achieve your strategic objectives and maximize your corporate performance, you will need to optimize your risks. Typically, higher expected returns require taking higher business risks that at some point may destroy your company; therefore, your job is to find the optimal combination of risks and returns that will yield the maximum financial value for your company.

Your financial value is determined by your free cash flows (FCF) and your business risks (reflected in your WACC – Weighted-Average Cost of Capital). Initially, increasing WACC increases FCF in such a way that overall financial value goes up.

But gradually, further increases in your business risks (and, therefore, in your WACC) cause smaller and smaller increases in FCF, and at some point your financial value reaches its peak and then starts to go down (see the discounted cash flows formula for estimating financial value of a business entity).

The art and science of business management is finding exactly the right combination of FCF and WACC that will maximize your financial value. And as WACC reflects your aggregate business risks, to achieve this objective you will need to develop and deploy a solid risk management system.

As even one of the abovementioned events can easily sink your company, corporate risk management is one of the most important functions of corporate management. Surprisingly, it is also one of the most neglected, even in the financial sector, where it is mandated by law (we have all seen the catastrophic results of this in 2008, when the financial crisis hit the global economy with the full force of a level 5 hurricane).

Very few real sector companies have formal, well-optimized risk management systems in place, which often leads to corporate disasters, enormous financial and other losses, and sometimes even to bankruptcy and the demise of the business entity in question.

To avoid these disasters, you must develop and implement an official, well-structured and highly efficient corporate risk management system – and make sure that it works and is always up-to-date.


This system is built around your corporate risks description database that includes the following fields:

· Name of the corporate risk/event (e.g. corporate IT system failure)
· Brief description of the corporate risk
· Risk manager (every risk must have one and only one risk manager – and a highly competent one at that)
· Business area that this particular risk is associated with (e.g. finance, IT, etc.)
· Probability of occurrence
· Estimated financial losses if the abovementioned event happens (which must be realistic, of course)
· Estimated operational consequences (non-financial)
· Importance (determined by the estimated financial losses and operational consequences and the probability of occurrence)
· Risk monitoring process – visual diagram and description
· Risk prevention process – visual diagram and description
· Disaster recovery plan (what to do if the ‘risk event’ happens) – visual diagram and description
· Estimated prevention costs (also must be realistic)

To have a solid corporate risk management system, you first have to develop a comprehensive risk management database that must be accurate and up-to-date. Unlike with many other corporate objects and functions (e.g. corporate culture, UVP, strategies, etc.), you may or may not have an actual risk management system. But if you do, you need to make sure that your actual risk management system matches the declared one and, of course, that it is optimal.


Obviously, you must develop and implement highly efficient corporate processes for risk monitoring and prevention and a disaster recovery plan. And, naturally, your risk management system must be tightly integrated into your strategic and operational management process. 
