Risk stewardship

Risk stewardship: The next frontier in building shareholder value

Executive summary

The job of Chief Financial Officer has evolved dramatically over the last decade. Once seen as merely the chief accounting officer and technical expert, narrowly focused on the firm’s financial statements and capital structure, the CFO today operates more as a business partner with the Chief Executive Officer, with a much larger mandate for ensuring that the organization’s strategy is oriented toward building shareholder value (see “Not your Father’s CFO,” strategy+business, spring 2005). At the same time, company leaders are recognizing that risk management is an essential ingredient in strategic planning. Increasingly, many are finding that strategic risk management can enhance, as well as protect, shareholder value.

Today’s CFO must continue to serve in the traditional role of technical expert on capital structure, profit-and-loss, and balance sheet issues, as well as remain a respected adviser on external market issues and internal performance trends. In addition, however, the enterprise-wide challenges and opportunities that CFOs face as strategic activists will increasingly involve risk management. Within this context, senior leadership needs to consider three major questions about their risk management program: which risks to focus on, how to best implement risk management systems, and who should be driving the overall risk management program. We believe that the answer to the who question can be the CFO, when that individual is strategically oriented.

Seeing upside risks

Corporate missteps have wiped out hundreds of billions in shareholder value in recent years. CEOs have lost their jobs. Investors have lost their money. Employees, suppliers, and customers have lost their livelihoods. Most important, the marketplace has lost its confidence in the effective stewardship of corporate assets. The result has been an onerous wave of regulatory reform that threatens to hinder growth and innovation as boards and senior executives scramble to comply.

Lost in much of this debate is the fact that compliance problems have not been the leading cause of corporate missteps. According to Strategy& research and client experience, strategic and operational blunders have caused far greater shareholder value destruction, reflecting fundamental deficiencies in existing approaches to enterprise risk management. Not only does the Sarbanes-Oxley Act do little to address these problems, it may even hinder managements and boards by causing them to devote too many resources to compliance.

We recently completed a cross-industry benchmarking study of risk management practices at a dozen major multinationals, in industries ranging from pharmaceuticals to consumer goods to financial services. These were selected because of their reputations as leading practitioners in the field of risk management.

We discovered that even these exemplars have fallen short in developing a governance agenda and architecture that effectively anticipates some of the most significant risks to their business. While they may have advanced capabilities in one area of risk management — generally one closely related to their core business — their systems and processes are often not as well developed in others.

Almost universally, companies fail to look beyond the traditional downside risks to their business to consider the upside risks, such as missed growth opportunities. The challenge is developing a risk governance program that enhances as well as protects shareholder value.

The reason so many risk governance programs fall short is that they have been driven by the imperatives of the Sarbanes-Oxley Act and other recent regulatory requirements. The danger of this approach is that it can reduce risk management to a box-checking activity — an elaborate, expensive, and resource-intensive compliance exercise.

The reality is that more shareholder value has been destroyed in the past five years as a result of strategic mismanagement and poor execution than was lost in all of the compliance scandals combined. Strategy& recently analyzed 1,200 firms with market capitalizations over $1 billion for the six-year period from 1998 through 2004, and identified the poorest performers — the 360 companies that trailed the lowest-performing index for that period, the S&P 500. We found that only 13 percent of the value destroyed by these companies resulted from compliance failures; the other 87 percent was attributable to strategic and operational blunders, as shown in Exhibit 1.

Exhibit 1: Strategy& shareholder value destruction study: Reasons for loss of shareholder value

To enhance and to protect shareholder value, board directors and senior managers need to look beyond traditional categories of risk and anticipate the much larger menu of risks to the enterprise’s earnings drivers and culture. Of course, taking this more expansive view is difficult at even the most well-managed companies.

Assessment and agenda-setting

While the specifics of the risk management agenda will vary from company to company, our market experience suggests that two simple but critical questions need to be at the center of an effective risk governance program that fosters growth: “What are the key risks the corporation faces?” and “How effectively does the corporation mitigate or capitalize on those risks?” To answer these questions is to get to the essence of risk management, and we have identified four building blocks to help corporate leaders address them.

1. Define risk broadly

Most companies need to expand their definition of “risk” beyond such traditional categories as financial, legal, market, and natural hazard. They must also consider threats to earnings drivers, like customer churn, price pressure, and brand impairment, as well as cultural risks such as misaligned incentives, unethical behavior, and communications breakdowns. A comprehensive and systematic view of risk should include the perspectives of all stakeholders along every link of the value chain.

The leading risk management practitioners in our benchmarking study found that this value-chain approach helped them identify risks that were essential for board and management consideration, but that had not previously surfaced. Some risks identified included the advent of consumerism in health care and the cultural risk from merging two corporate lenders.

Further, this approach identified examples of conflicting views of risks among stakeholders. For example, for a telecom company, pending legislative change could negatively impact the land-line businesses but would be positive for the cellular business. In addition, this approach helped highlight where multiple risks affected a particular part of the value chain. Each risk identified was a threat that could severely erode shareholder value if not managed effectively.

2. Assess shareholder value impact to prioritize risks

No company has the resources to deal with each and every risk an organization faces. The primary failure of controls-based approaches such as the Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management — Integrated Framework is that they can turn risk governance into a box-checking exercise.

Creating a meaningful mechanism to protect and enhance shareholder value requires that the focus be placed on the risks that can most significantly affect the market capitalization of the company. When the issues being considered rise to the level of strategy, competition, or culture — and begin to include dialogue and interaction with senior executives — our experience shows that a “content” or output-focused approach is more effective.

This, of course, is challenging. How do managers, for example, compare the risk of a three-day delay due to supply chain disruption with brand risk? The only way to do so is to assess risks on the basis of what they are supposed to be protecting: shareholder value. Our work demonstrates that each risk can be tied directly to its potential impact on the company’s market capitalization. Once a common unit of measurement has been implemented, management can readily prioritize and focus attention on the key risks that have the most significant impact.

3. Assess capabilities

Does a risk remain a risk if the company has identified it and has the capabilities to manage it? There is a major difference between “gross risk,” which is the potential impact of a risk on market capitalization, and “net risk,” which is the company’s actual susceptibility to that risk. It is critical to understand both. The gross risk reveals what is at stake; the net risk demonstrates how effectively management has mitigated or capitalized on the risk.

For example, medical costs are a huge risk in the health insurance business. They account for some 75 percent of the cost structure, and forecasts of future cost trends affect how a health insurer sets its prices. Thus, they are the single most important potential risk to the company’s market value. However, if the company has sophisticated medical cost analysis and forecasting skills, as well as medical cost management processes, that compare well with those of competitors, the net risk can be effectively contained.

4. Determine the risk agenda

Once risks have been identified and prioritized, and capabilities have been assessed, management can define the “risk agenda” — which capabilities the company will focus on building. We like to use a simple framework with our clients, as shown in Exhibit 2, which allows the board and management to readily see their risk exposure by comparing the relative importance of a risk with the capabilities the company has to manage it.

Exhibit 2: Risk exposure framework

In our experience, the risk agenda has two components. The first is protecting value by fixing weak capabilities that address high-materiality risks. In this realm, we would expect a company to have capabilities at least as good as its competitors. For example, if price pressure from suppliers is a high materiality risk, establishing the capability to source products on a basis equal to the competition would reduce the company’s risk to the systemic level: The company and its competitors are equally exposed to price variation, all else being equal.

The second component is identifying competitive differentiation opportunities. For example, if the company’s competitive strategy is to differentiate on cost, building leading-edge sourcing capabilities to mitigate supplier price pressure is justified, even if the materiality of the risk is moderate.

In addition, by assessing the capabilities against the materiality of associated risks, companies may also find that they have overbuilt capabilities that address risks that are no longer material, and can refocus investments toward more critical capabilities.

Enterprise-wide risk ownership

A significant decision for company leaders today is to decide who will “own” the risk management agenda. This individual must interact with the other members of the company’s leadership team, the business-unit heads, and the audit committee of the board, as well as with technical experts in a wide range of specific risk disciplines.

To be effective, the risk owner must be able to help the leadership achieve new insights and to catalyze action on the risk agenda. This individual should have both deep risk management expertise and a strategic and operational understanding of how the business works — ideally through experience in an operating role in one of the company’s business units.

Equally important, the risk owner must have the seniority, authority, and skills to affect decision making across the organization. The risk owner needs to see himself or herself — and be seen by others — as a change agent and leader helping the business make better decisions, not just an information collector or technocrat.

Often this combination of skills does not reside in a single person or team, and most companies moving toward an integrated strategic risk agenda find that the incumbent risk manager does not have the breadth or seniority to take on a more strategic role. Some are responding by creating a new senior position — such as a chief risk officer — to facilitate integration across the enterprise. Others are adding this role to the portfolio of an existing senior leader, such as the chief strategy officer or the CFO.

Many Chief Financial Officers are already overseeing the increasingly tight linkage of risk management to the firm’s strategic agenda. “A more appropriate notion of value creation — post-9/11, post-Enron, post-Worldcom, post-Tyco, and so on — starts with the realization that risk matters as much as return does,” says Thomas A. Fanning, CFO of Southern Company, the United States’ second-largest electric utility by market capitalization. In other companies, however, there is no leadership for an integrated, enterprise view of risk: CFOs continue to take a more traditional, functional, and compliance view of risk, while heads of strategy focus narrowly on upside potential. Or, even worse, siloed risk teams try to fight fires in remote corners of the organization without understanding what issues need to rise to the board and what risks would benefit from broader systemic solutions. As a result, the strategic risk management programs at many companies are often left underdeveloped, resulting in missed opportunities to create shareholder value for the company, the board, and the C-suite.

We believe the Chief Financial Officer engaging in the role of strategic activist is well positioned to drive the strategic risk agenda, orient it toward increasing shareholder value, and engage with the board of directors. Risk, result, and value are, after all, completely interconnected concepts. The CFO already manages result and value at many companies: why not risk as well? The traditional tasks given to the CFO — accounting and compliance — will continue to be essential, and they provide a unique vantage point for addressing the new challenges of risk.

The CFO has a view of the organization from 30,000 feet aboveground, providing an enterprise-wide perspective. And the activist CFO has an innate ability to understand what makes each business in the portfolio tick, and where risks lie. In addition, the CFO’s traditional responsibilities bring a tremendous amount of independence and objectivity to the risk-management process. The ability to create transparency and dialogue between functional and business-unit leadership will become crucial in this new era.

Chief Financial Officers have come a long way from the days when they were regarded as narrowly focused, box-checking specialists in finance and controls. Today’s CFOs are actively engaged in devising and executing strategy and overseeing operations in partnership with the CEO. The rise of strategic risk management as a board-level concern offers them an opportunity to drive the strategic risk agenda and make sure that it contributes to the overall imperative of increasing shareholder value. Many strategic activist CFOs are seizing this opportunity, while those who choose to walk away from it will be circumscribing their future role in the leadership of the company.