“A ship in harbor is safe, but this is not what a ship is built for.” William G.T. Shedd
The moment the corporate ship sets sail, it embraces risk. There are bound to be storms, rough seas, unexpected events - the question is not whether risk exists but if the organization is prepared, specifically whether it has:
- awareness of all the risks inherent in its business, both systematic (market related) and idiosyncratic (unique to itself)
- adequate controls to minimize the occurrence of controllable events
- mechanisms to alert it early in case of uncontrollable events
- resilience to deal with events when they occur.
Historically, risks have been approached very differently. The initial attitude to risk during World War II was to counter “pure risk” (binary outcomes with loss or no loss) through insurance. Other forms of corporate risk emerged between the 1950s and 1980s with models such as CAPM, Black & Scholes, Merton’s default risk and VaR. If the focus is on corporate firms rather than financial services firms, the key turning point was the Enron scandal after which regulatory risk dominated with SarbanesOxley and other regulations.
In the last two decades, with rapid globalization and market-disrupting technologies, there has been a significant rise in frequency of black swan events (an unexpected event that has a major impact). The earlier limited view of financial, operational, and regulatory risk has been blown away by the full-fledged concept of “Enterprise Risk Management” (ERM) from the time Gustav Hamilton proposed the “risk management circle.” Companies are realizing that the view of risk needs to be more holistic.
This historic shift is posing new challenges to companies. Boards require a top level view of the risks inherent in an enterprise. CEOs are looking to their CFOs and CROs to give them a summarized snapshot of what risk they carry. While earlier, the relationship between the risk function and businesses was not robust, CEOs now want the risk function to enable their businesses. This has led to the need for risk reporting to be integrated into regular financial and business reports rather than being standalone.
There is also a shift in the concerns for the CRO. According to an Economist Intelligence Unit Survey while CROs are currently most concerned about regulatory risks, board communication, and business continuity their future concerns will be:
- Having an integrated picture of risk across the enterprise
- Extending risk to the larger business strategy
- Predicting risk
They also identify integrating systems and processes as the biggest challenge leading to a lack of data to accurately assess risks. While ERM is prevalent in theory, in discussions with many companies, we find that implementation of this has been negligible.
All the above brings Risk Analytics into the spotlight. From data integration to high-level visibility to root cause analysis and early warning signals, Analytics is slowly making inroads into the risk world of non-financial companies. Due to the constantly changing risk environment, Analytics is being used to keep the finger on the pulse of the enterprise, and throw up red flags early so that the ship can course correct in time.
Many decades earlier, Management Accounting changed the way Financial Accounting was viewed. This time, Analytics is changing the way Risk is viewed.
In my future blogs, I will discuss the ways in which risk can be viewed through an analytical lens, and some commonly used analytical techniques for risk management.