|
Article Excerpt
UNDERSTANDING THE COSTS OF RISK RESPONSE IS A CRITICAL YET CHALLENGING PART OF DEVELOPING AN EFFECTIVE ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK THAT GOES BEYOND THE INITIAL STEPS OF ASSESSING THE MOST IMPORTANT INHERENT RISKS FACING AN ORGANIZATION. THIS ARTICLE DESCRIBES THE DIRECT AND INDIRECT COSTS ASSOCIATED WITH REDUCING RISKS THROUGH INSURANCE, HEDGING, ALLIANCE FORMATION, AND CONTROLS IMPLEMENTATION. BY MORE THOROUGHLY UNDERSTANDING AND MEASURING THE COSTS OF RISK-REDUCTION STRATEGIES, ORGANIZATIONS ARE BETTER ABLE TO COMPARE THE NET BENEFITS ASSOCIATED WITH REDUCING RISKS TO A LEVEL MORE IN LINE WITH THEIR RISK APPETITES.
Enterprise risk management (ERM) is becoming an increasingly important aspect of managing a business in today's complex, dynamic, and intensely competitive global marketplace. Organizations assign the growing responsibilities to perform effective risk management practices to different positions, including management accountants and internal auditors. In 2004, for example, Larry White, then Chair of the Institute of Management Accountants (IMA[R]), noted that "all management accountants need to understand [enterprise risk management] work so they can help their companies analyze and manage financial and operational risk." (1) Not surprisingly, there are a growing number of consulting firms and share forums to assist organizations seeking best practices for understanding, assessing, and managing the risks faced in achieving strategic objectives.
Implementing an ERM framework often moves along fairly smoothly as executives identify and assess the top inherent risks (i.e., risks prior to responding to them internally) facing their organizations. The process often breaks down at the point of deciding the proper allocation of resources in response to the risks faced by the organization (i.e., risk responses). Such responses enable organizations to reduce inherent risks to a lower level, commonly referred to as residual risks. Existing ERM models, including the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management--Integrated Framework, provide excellent guidance for organizations in early ERM stages, which include understanding and assessing inherent risks. Yet these models are less clear regarding the stage where risk responses are selected and analyzed collectively. In this article, we examine one of the key--although often ignored or underutilized--steps to capturing the full potential of ERM: incorporating the costs of risk response.
The quantification of risks and responses is complicated by various measurement issues, including the organization's determination of an appropriate time horizon and its definition of costs within the risk management process. For example, an unexpected event that causes an adverse impact on an organization's profitability also may have a negative effect on its cash flows and stock price over an extended period of time. One recent study found that public companies announcing a supply chain disruption between 1989 and 2000 experienced an average abnormal stock return of negative 40% over a three-year period starting one year prior to the announcement date. (2) Stock price volatility for these same firms increased 13.5% in the year following the announcement, reducing shareholder returns and providing evidence that the companies did not recover quickly from the negative effects of the disruptions. Therefore, the costs of risks and their associated responses can be incurred over several years and impact numerous stakeholders. We will discuss examples of and challenges to estimating both the direct and indirect costs associated with the most common risk-response options, which is critical in selecting the most appropriate responses.
ESTIMATING THE EFFECTIVENESS AND NET BENEFIT OF RISK RESPONSES
Assessing the effectiveness of a risk response requires measuring both the benefit and cost of the response. A basic ERM framework should also emphasize the identification of multiple responses for each critical risk and the selection of the most appropriate response(s) to each risk. In addition, the effects of risk responses on other risks (i.e., risk correlation) should be considered.
The most appropriate response is the one that yields the greatest positive net benefit. Quantifying the costs of responding to inherent risks is necessary in order to appropriately compute the net benefits realized from reducing exposure to significant risks. The net benefit of a risk response can be considered as follows:
Benefit of Response--Cost of Response, or
[Inherent Risk--Residual Risk]--Cost of Response
When the net benefit is positive, the response should be considered because it produces a benefit that exceeds the associated costs. (This will be discussed in greater detail later in the article.) When the net benefit is negative, however, the response should not be considered because its benefit is not sufficient enough to exceed the associated costs. It is likely that many companies unknowingly fall into this latter category, which can lead to improper risk-response decisions and, ultimately, can harm performance.
The following example illustrates the net benefit of risk response. Assume that the unit of measure for a key risk is "revenues lost" and that the estimated inherent risk (considering both the expected likelihood of the given risk occurring and the expected magnitude of its impact should it occur) is $23 million. Assume that a particular response is expected to reduce the inherent risk to an expected residual risk of $13 million, thereby producing a risk-response benefit of $10 million. Finally, assume that the particular response has a cost of $8 million. Therefore, the expected net benefit of the particular risk response is $2 million, or ($23 million--$13 million)--$8 million. Unfortunately, far too many companies underplay or ignore the costs associated with risk responses. Ignoring the response cost in the above example would falsely suggest to executives that the net benefit is $10 million, which is five times greater than the "true" net benefit--an error that would have significant decision consequences, particularly if the response costs exceeded $10 million.
If multiple responses are considered, then the response with the greatest positive net benefit should be chosen, assuming all else equal. Further, comparing the resulting residual risk (i.e., the risk that remains after the chosen response has...
|
