Linking corporate governance and enterprise risk management

____________________

By Rolando C. Cabrera

How can boards of directors and senior executives help define corporate governance within the context of enterprise risk management (ERM) programs? With the growing acceptance of ERM, the links between good governance and effective risk management are increasingly important.

By the time a corporate crisis occurs, it is too late for improved corporate governance to address the problem. Headlines of corporate failures and business scandals remind us of what can happen when corporate governance goes out of shape. The important lesson for boards and executives from these scandals and the resulting compliance requirements is to maintain focus on the real issues of governance and risk and not be lured into a false sense of security that something is being done that will make a difference. What we do to address these issues is good management, and a failure to deal with these matters is bad management.

The changing nature of risks

Today’s risks are different. Business leaders face different kinds of risks, ranging from those that are insurable, to business risks, to an array of risks that are systemic in nature and global in scope. These global risks are ‘nonbusiness’ risks with the potential to impact the firm’s business decisively, such as natural disasters like the earthquake in China and the severe flood in Iloilo, pandemics like SARS and avian ‘flu’, terrorism, oil price hikes and the harmful effects of climate change. All these dominate our current risk landscape. There are others which have not yet penetrated public consciousness worldwide, such as violations of intellectual property rights, identity theft, and the loss of biodiversity. The list could go on and on.

Complexity creates risk

There are large corporations which have grown through mergers and acquisitions and therefore have to assimilate different people, processes, systems and cultures. Some firms have outsourced, vertically integrated or entered global alliances. All these strategies have contributed to the complexity and added new risks. Many of them are related to earnings drivers. As the enterprise grows and globalizes, these risks rise in severity and complexity. 

Greater interconnectivity and interdependence

The increasing level of interconnectivity and interdependence is the most important factor that contributes to making today’s world more complex and turbulent. Remarkable advances in communications technology and the liberalization of trade and financial services have combined to trigger an unprecedented increase in global trade and financial flows.

This has led to intense competition, an emphasis on ‘speed to market’ which stresses supply chain efficiency, far higher rates of invention and markedly shorter product lifecycles. 

In an interdependent world, the risks faced by any individual, firm, region or country depend not only on its own choices but also on those of others, thus making such risks more difficult to manage. For example, the risks faced by the Ninoy Aquino International Airport (NAIA) or Philippine Airlines (PAL) are tied to the security standards of other carriers and airports. In the case of a pandemic, an outbreak of a disease in one country that is poorly prepared raises the risks faced by other countries and businesses in those countries.

Why our ability to assess risk gets distorted

To assist us in making decisions in situations where there is great uncertainty, often due to complexity and volatility of a risk, we use many mental devices known as heuristics. We are able to make decisions fast by resorting to learned behaviors – principles and practices. Let us make their effects clear by focusing on five important ones:

Availability – We often make decisions on the frequency of events occurring based on what we can readily remember, rather than on analysis of extensive data.

Confirmation bias – Once we have made a decision about the probability of an event occurring, we look for confirmation of the correctness of our decision.

Overconfidence – We see ourselves as always being right.

Anchoring – We tend to base decisions and estimates on positions we are familiar with, and this serves as the anchor for all that follow. 

Representativeness – We create personal meaning by classifying things, events and phenomena on the basis of our experiences.

The way we assess a risk varies because different people have different preferences, experiences and values. The automatic affective processes that enable us to protect ourselves against risk are the product of our evolutionary history, which spontaneously dominates our intuitive responses to risk, such as the tendencies to:

• Overestimate unknown risks;

• Underestimate risks that we voluntarily assume;

• Overestimate small risks and underestimate larger ones; and

• Overreact to highly publicized risks.

These conclusions are important in considering what we can and should do in dealing with the risks we are confronted with in managing our companies, making investment decisions or personal decisions.

Turning business risks into opportunities

It will be helpful to talk about the different types of events that occur in the business world – surprises, opportunities, and disasters. These events are categorized as follows:

Surprise events: The event is not reported, in some cases because it was not monitored, captured, or analyzed.

Suspected events: The event is monitored, captured, analyzed, and reported but too late for effective action.

Surmounted events: The event is reported in time and effective action is taken.

The difference between an event we call an opportunity and one we call a disaster most often depends on which of the categories the event falls into. Even an event like the eruption of Mt. Pinatubo, despite the devastation to the surrounding towns and provinces, can be seen as an opportunity, an opportunity for those who were evacuated out of danger to continue their lives. The event also provides the province of Pampanga with revenues from quarrying lahar.

Ending business surprises doesn’t require a psychic. In fact, no knowledge of the future is required. Turning risks into opportunities simply requires that managers receive a heads-up about the present – about what is happening right in their business and what can go wrong with their business objectives, goals and strategies. To win and compete in a global marketplace, companies need to develop the capacity to identify or capture the events, analyze and prioritize the risks to major earnings drivers and incorporate this learning into company strategy. This will help ensure that senior managers and directors receive critical and relevant information on an ‘early warning’ and ongoing basis. It will not only help senior management and the board avoid nasty ‘surprises,’ but it will also contribute to improved corporate performance and growth and, ultimately, enhance shareholder value.

Given the growing array of external business challenges and surprises and heightened concerns regarding directors’ and officers’ accountability, corporate leaders the world over are placing a premium on corporate governance and enterprise risk management practices.

Corporate governance is an organization’s strategic response to risk

The definition of risk in AS/NZS 4360:2004, which states that risk is “the chance of something happening that will have an impact on objectives,” indicates that risk should be treated as part of each corporate objective. Thus, risk treatment for the mitigation of risks becomes controls and strategies which provide reasonable assurance that corporate objectives will be achieved within an acceptable degree of residual risk. This is governance. Corporate governance is the way in which an organization is controlled and governed to achieve objectives.

Corporate governance holds the organization together in the pursuit of its objectives. Risk management provides the flexibility for an organization to respond to unexpected threats or business surprises and take advantage of opportunities. As such, risk management provides corporate resilience and with this resilience comes competitive advantage. The common factor linking risk management and corporate governance is the focus on achieving corporate objectives and enhancing shareholder value. So, we regard corporate governance and risk management as one and the same process.

Embedding risk thinking in the corporate culture

Risk thinking has to be made part of the company’s culture. In the 21st century, command, control and compartmentalization of organizations are no longer possible. Simply ‘preaching’ or issuing diktats to staff in an effort to raise awareness and bring people on board is not a viable strategy. All members of the staff need to understand the risks involved in doing business, the value of taking these risks in pursuit of opportunity and the way risks are being managed or mitigated.

Appointment of a Chief Risk Officer (CRO) can help greatly in nurturing a culture of risk awareness. The CRO can focus on reducing vulnerabilities, thus limiting the likelihood of disruption, and on building resilience. Resilience depends on the kinds of risks and threats a company faces, something that differs for each company and industry. Many global companies are moving in this direction, and the trend will probably strengthen as insights into global and other systemic risks become more prevalent.

Building corporate resilience

Corporate resilience comes from planning, flexibility and the creative management of risk. As the global footprint of firms expands, so too do the risks they face on a daily basis. Extended supply chains, technology interdependencies, IT vulnerabilities, mutating viruses, and even weather phenomena all combine to make doing business a risky business. Resilience in the face of increasing risk is the ability to avoid, deter, protect, respond, and adapt to market, technology and operational disruptions. This is becoming the linchpin of profitability, shareholder value and competitiveness.

The challenge: Moving towards corporate resilience

Given the evolution of risk, from traditional risk management to enterprise risk management, businesses need a new lens to plan for market, technology, and operational disruptions. This is best defined as corporate resilience, the ability to anticipate and protect against risks, as well as manage, mitigate and recover rapidly.

Globalization, technological complexity, interdependencies, terrorism, climate and energy volatility, and pandemic potential are increasing the level of risk that societies and business organizations now face. Risks are also interrelated; disruptions in one area can cascade in multiple directions. The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption will be a competitive differentiator for companies and countries alike in the 21st century.

The most important role in corporate governance may well be that of recognizing and monitoring the seductive nature of risk. In any competitive area, there are only a few ways to increase profitability. One is to establish a sustainable competitive advantage. Another is to become more resilient. The third, which often happens unconsciously, is to take greater risks. Risk, after all, isn’t risky until one is injured or ruined by it.


Published in the Philippine Star, September 30, 2008 & October 10, 2008

(Rolando C. Cabrera is a Director and Senior Risk Management Advisor of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or rcabrera@kpmg.com).