Personal Website of R.Kannan
Indian Banking Today & Tomorrow - Risk
Assessment & Risk Management
|
Personal Website of R.Kannan |
| Home | Table of Contents | Feedback |
|
|
An Introduction
In his celebrated book `Against the Gods - The Remarkable Story of Risk', Peter L Bernstein says that in the dark ages risk was always associated with God. As the mankind progressed and business and markets grew, the art of risk management grew from primitive stages to the modern day rocket science. Risks in Business Simply speaking, a risk is any uncertainty about a future event that threatens your organization's ability to accomplish its mission. Business is a trade off between risk and return. There can be no risk-free or zero risk-oriented business. This is due to the fact that the concept of a "project" implies effecting current investment, for a future activity, and a future gain after the "project-construction period" is over, referred as the "gestation period". Changes in the intervening period can be either ways. When such changes are adverse, when there is time-overrun or cost escalation, the investment in the project comes to grief even before the project is completed. There can also be several unexpected developments both internal and from the external environment that can render your project calculations go awry. To most people, the word 'risk' has sinister connotations of gambling or recklessness. To an information age company however, taking risk is one of the most important critical success factors as it encourages innovation. To be innovative means trying new things, and trying something new means that you don't know whether you will succeed or fail and are therefore taking a risk. To others the zone of risk and risk-based functioning is a favourite hobby. We call them speculators. True at times Fortune does smiles at them, though sometimes only. There can be minimum risk in a captive controlled economy, where industry is protected by high tariff walls and banks by directed credit and directed interest rates, and directed investments. But along with such minimum risk, there would also be minimum growth of the economy. In India after total regulation for several decades, the economy witness around 3% average grwoth. The Indian economy has now been freed of State controls. Consequently in today's corporate world, it is a challenge for corporate leaders to run a business with the objective of maximizing shareholders' value. The changing environment, on account of on-going process of liberalisation and reforms all round, of easing of import restrictions, resulting in an emerging new economic order increases risks content whilst also unfolding new opportunities. In this environment while decision making is the prerogative of the management, sound risk management is also their prime responsibility - as it provides them with the frame work to proactively identify and manage risk associated with their decisions. Only by taking risks we could move forward; taking no risk at all may be very secure but it means standing still with the inevitable consequence of stagnation in a fast moving business world. Knowledge will grow where people are able to take risks. This is obvious when risk is taken which turns out to be a success but it is also true with failure. Failure will also gain knowledge if the reason for failure is known, recorded and disseminated to others in the community so that they do not make the same mistakes. Because of this it is vital that failure is acceptable in the community, otherwise people will cover up their mistakes instead of openly analysing and learning from them. Failure must be seen as a lesson to the community and not as one individuals' problem. We now come to question, "What is risk?" And what is a pragmatic definition of risk? Risk means different things to different people. For some it is "financial (exchange rate, interest-call money rates), mergers of competitors globally to form more powerful entities and not leveraging IT optimally" and for someone else "an event or commitment which has the potential to generate commercial liability or damage to the brand image". Since risk is accepted in business as a trade off between reward and threat, it does mean that taking risk bring forth benefits as well. In other words it is necessary to accept risks, if the desire is to reap the anticipated benefits. Risk in its pragmatic definition, therefore, includes both threats that can materialise and opportunities which can be exploited. This definition of risk is very pertinent today as the current business environment offers both challenges and opportunities to organisations, and it is up to an organisation to manage these to their competitive advantage. The objectives of a Risk Management Policy is to be defined taking into view thew pragmatic definition of "Risk". Risk management is a discipline for dealing with the possibility that some future event will cause harm. It provides strategies, techniques, and an approach to recognizing and confronting any threat faced by an organization in fulfilling its mission. Risk management may be as uncomplicated as asking and answering three basic questions:
Risk management does not aim at risk elimination, but enables the organization to bring their risks to manageable proportions while not severely affecting their income. This balancing act between the risk levels and profits, needs to be well-planned. Apart from bringing the risks to manageable proportions, they should also ensure that one risk does not get transformed into any other undesirable risk. This transformation takes place due to the inter-linkage present among the various risks. The focal point in managing any risk will be to understand the nature of the transaction in a way to unbundle the risks it is exposed to. Risk Management is a more mature subject in the western world. This is largely a result of lessons from major corporate failures, most telling and visible being the Barings collapse. In addition, regulatory requirements have been introduced, which expect organisations to have effective risk management practices. In India, whilst risk management is still in its infancy, there has been considerable debate on the need to introduce comprehensive risk management practices. Shri Kumar Mangalam Birla Committee Report has been instrumental in SEBI amending the listing agreement, which now requires the Audit Committee to review the company's risk management's policies and the Director's to separately report on risks and controls. Two distinct view points emerge - one which is about managing risks, maximising profitability and creating opportunity out of risks and the other which is about minimising risks/loss and protecting corporate assets. The management of an organisation needs to consciously decide on whether they want their risk management function to 'manage' or 'mitigate' Risks. Managing risks essentially is about striking the right balance between risks and controls and taking informed management decisions on opportunities and threats facing an organisation. Both situations, i.e. over or under controlling risks are highly undesirable as the former means higher costs and the latter means possible exposure to risk. Mitigating or minimising risks, on the other hand, means mitigating all risks even if the cost of minimising a risk may be excessive and outweighs the cost-benefit analysis. Further, it may mean that the opportunities are not adequately exploited. In the context of the risk management function, identification and management of Risk is more prominent for the financial services sector and less so for consumer products industry. What are the primary objectives of your risk management function? When specifically asked in a survey conducted, 33% of respondents stated that their risk management function is indeed expressly mandated to optimise risk. KPMG,one of India's largest professional services organisation (http://www.in.kpmg.com) undertook the first India Risk Management Survey to establish the profile of risk management practices in India's leading organisations. In addition to becoming a benchmark document in India on risk management, this survey is a part of an initiative by KPMG to conduct national surveys on a variety of topics including business ethics, corporate frauds, information security, etc. The key objective of the survey is to determine the overall level of awareness of the importance of risk management amongst the senior management and their attitude towards the critical Risks faced by them.
How important is effective risk management strategy for achieving the goals and objectives of your organisation? Most of us are aware of the importance, but only a few ventures to think of effecting steps for the mitigation of perceived risks. In the survey referred above, 80% of respondents believe that an effective risk management strategy is important to achieving the goals and objectives of the organisation. None of the respondents indicated that effective risk management is not important at all for their organisation. This indicates that the importance of risk management is well understood and appreciated in today's business environment. However, when we look at how many companies have formal risk management policies, the number is a low 20%. Further, only 37% of respondents have conducted comprehensive risk reviews in their organisations Referring further to the above survey, only one in five respondents said that they have a formal risk management policy in their organisation. This is in strong contrast with the riskiness of businesses, where 70% of respondents felt their business is fairly or very risky. The industry most likely to have a formal risk management policy is financial services (45%) and least likely is consumer products industry (12%). While the majority (67%) of respondents say that they perform strategic risk assessment prior to business planning and undertaking major investments, only 27% use risk-adjusted rates of return to assess investments and new projects. Do you formally apply strategic long-term risk assessment prior to business and investment planning? Do you risk-adjust your required rate of return? Only 37% of respondents say they have carried out a comprehensive review of risks. The frequency, however, varies significantly by industry. 56% of the organisations in electronics/technology and financial services sector have done such reviews, while only 17% in the construction/engineering and 25% in consumer products sector say they have performed a comprehensive risk assessment. This indicates a partial correlation between the perception of riskiness of business and carrying out a risk assessment. Has your organisation ever carried out an overall, comprehensive review of risks it faces, i.e., do you have a profile of key business risks? It is surprising to note that almost 40% of the respondents carried out a one-off risk review exercise as against a continuous one. The one-off risk reviews may not prove to be adequate in identifying and managing risks on an ongoing basis in this ever changing and volatile Indian corporate world. Further, just about 40% of the respondents have developed a risk framework for their organisation to categorise different types of risks. 79% of respondents state that risk management in their organisation encompasses market, credit, strategic and operational risks. It is encouraging to note that strategic risk is on the agenda of 92% of the respondents. A breakdown of operational risks reveals that more than 70% of respondents are of the view that operational risks include customer, product, organisational, staff, process and physical risks. Customer risk is perceived to be the most important component of operational risk. perhaps a result of opening up of markets and easing of import restrictions. Winning and retaining a customer is one of the biggest challenges of any business. How frequently are you kept informed about risk performance indicators? A key component of risk management is to have an optimal balance between risk and control. However, very few organisations relate the degree of control to the level of risk. In particular, they have not recently considered which resources are being expended on controls in the light of the specific risks and ability to finance them. This may mean that some low-risk areas may be over-controlled, while some high-risk areas may be under-controlled. Has your organisation recently evaluated whether it is over-controlling in the light of your risks and ability to finance them? Monitoring of risk is viewed as the responsibility of an individual in many organisations. This may be related to the lack of management information on the key performance indicators of risk. Most of the respondents state that monitoring of risk is done as part of periodic management meetings, and also by way of keeping an eye on the competition, updates in technology, change in government policies, movements in markets, foreign exchange rates, etc. Only 49% of the executives receive data on risk, at least on a monthly basis. This means that organisations without real time reporting and a risk-aware culture may be slow to react to changing patterns of risk exposure and loss. Internal Audit plays an important role in risk management programmes. While 63% of respondents agree with the statement that it is fairly or very important in risk management, surprisingly, 28% of respondents believe the role of internal audit is largely limited to compliance alone. How important is the role of Internal Audit in your risk management programme? Is the role of Internal Audit mainly…? The Internal Audit profession has undergone a remarkable change over the years with internal audit actively contributing to success of an organisation. The Internal Audit mandate today in leading organisations includes creating risk awareness, developing a risk profile in conjunction with management, devising a strategy to manage the identified risks, etc. 88% of respondents say that overall responsibility for risk management is at the senior management level including CEO, CFO, COO and Directors. Though it is the top management who has overall responsibility for risk management, lower and middle management also need to manage risks at their levels. Leading edge organisations across the world are reaping the competitive advantage that arises from a culture where the tone from the top ensures that risk management is a genuine competency of all their people. Most organisations do not have an executive Risk Manager or a Risk Management Committee. For an organisation to manage its risks, it is imperative that the responsibility for risk management should be absolutely clear. Further, there should be tiers or 'lines of defence' to ensure that all its people are actively managing risks at their levels. SEBI has recently, through incorporation of Clause 49 in the listing agreement, widened the responsibility of Audit Committees to include review of risk management policies. The survey categorically proves that risk-awareness if felt by all, but verfy few proceed further to earnestly conduct a complete risk-analysis to evolve a sound policy of risk control and risk-management. This may be due to the fact that Indian business and industry have come to grips with the subject quite lately and recently. Risk management identifies future risks in order to plan control measures to prevent its occurrence, or to control the extent of damage, if it were to occur. Obtaining insurance cover is a generally followed risk covering method against all known and identifiable risks, like loss in transit of goods in domestic trade, political and commercial risks in export business, fire-risks etc. Financial risks are covered by a process known as hedging. Hedging helps to reduce risks associated with market exposure by taking a counter position in the futures market, i.e. buy stock, sell Nifty futures etc. The development of derivatives market is a device for hedging different kinds of financial risks. Another innovative tool for hedging financial risks is called "Interest-rate-swaps". This is explained as under. The Corporations in which individual investors place their money have exposure to fluctuations in all kinds of financial prices, as a natural consequence of their operations. Financial prices include foreign exchange rates, interest rates, commodity prices and injustice prices. The changes in the financial prices cause uncertainty in the projected revenues to the corporate sector. And the companies often attribute the cause in decline in incomes to falling commodity prices, raising interest rates, declining home currency value. Necessity is the mother of invention. Human quest to find the solution continues. In this process various financial instruments were invented. Interest rate swap is one of the risk tools that helps the corporate to hedge from uncertainties of the interest rate fluctuations. The Reserve Bank of India has taken a bold step towards rupee derivative trading allowing banks/financial institutions to hedge against interest rate risks through the use of interest rate swaps and forward rate agreements. Similarly the risk of exchange-rate fluctuations can be covered by entering into forward contract for buying/selling the foreign currency. RBI have issued comprehensive guidelines to cover Risks faced by financial institutions and banks. These are duiscussed subsequently. Before looking to risk analysis with reference to Banks, we will view a contributed article on "Enterprise-wide Strategic Risk Management". This relate to commercial business. The article is by two post-graduate students of IIFT, New Delhi. A second article also by another batch of two PG students of the same Institution is on "Risk Management for Managers". | |
|
| ||