Risk, for lack of a better word, is good. Without it, there would be no successful businesses. Or, rather, there would only be successful business, as being successful would be so easy that any start-up would have an idyllic path to quarterly revenue bonanzas. Risk is vital to the business world so that those organizations that are able to overcome their challenges can show the rest how it is done.Historically, most companies that have grown into household names have managed their risks well. Well enough anyway. The thriving company has mitigated its true, existential threats through a business model that ensures that, say, manufacturing costs, no matter the occasional unforeseen price spike, will never outpace earnings or through vigilant leadership that ensures that a rival will not dominate the market to the point that the company can no longer compete.
Typically, however, the risk manager has not been involved in this strategic level planning. The ultimate strategy and future plans of the company are determined by the CEO, the board and (maybe) a handful of other senior executives. The rest of those involved in charting the course for the future are often consulted on a need-to-know basis to work out the specifics of the operation, helping to refine the operational processes in their area of expertise. But they are rarely asked to assess the big picture.
In the past, that method has, much of the time, worked fine. But the game has changed. The risks companies face today have multiplied. CEOs and boards have always faced a large number of threats, but they knew where to look for them and were generally able to take a glance back, gauge the situation and keep their foot on the gas, focusing -- as always -- on the road ahead.
But in 2010, risks no longer always come from where the CEO has been trained to look. Well, they still come from there -- but they come from everywhere else, too. There are a full 360 degrees to monitor now, and the distinction is akin to the difference between a car driving down a calm, four-lane road with expected intersections and a flying car navigating a chaotic, unregulated airspace where traffic may come from all sides.
For a company like Toyota that is undergoing a prolonged consumer confidence crisis, its problems were rooted in faulty manufacturing and complacency towards safety. But whereas in the past the main fallout of these failings may have been legal liabilities resulting from the accidents that occurred and the costs of conducting a product recall, the greatest asset at risk today is Toyota's reputation. The lawsuits can be covered and the recalls can be paid for. But if the typical car buyer, someone who has a wider selection of safe cars to choose from than ever before, decides that Toyota is a brand he no longer trusts, and if auto sales do not return to the company's prior expectations, then even a seemingly sound business strategy of international market share acquisition and forward-thinking hybrid innovation may not make a difference.
Such reputation concerns are among the most frightening risks that companies are just now learning how to manage -- just ask AIG or BP -- but they are far from the only major emerging threat. Supply chain disruptions, climate change and extreme weather, global and local regulatory uncertainty, counterparty default and dozens of other risks now pose greater challenges to companies than ever before.
Enter strategic risk management. Now, risk managers are becoming involved in the senior-level decision-making process, and leaders are relying on their analysis to not just protect shareholder value -- but to help create it. Because it is only by avoiding known pitfalls that the company can navigate its way towards greater profits and success. The company needs to know where the pitfalls are before deciding on a strategic direction and the risk manager is in a natural position to point them out to leadership.
It is the next natural evolution of risk management. First, risk managers were insurance buyers. Then they were the stewards tasked to protect the company's operational exposures by more creative means. Next came enterprise risk management (ERM), and the scope of risks that they were tasked with managing became wider -- as did the net they were given to explore risks throughout the organization. But even with a greater license to work more closely with all areas of the operation and implement new loss control protocols, many found that their authority did not match the task. How can you manage every risk -- particularly emerging threats -- when you do not truly understand the long-term direction of the company?
Including risk management into strategic-level planning allows the function to better serve the organization. If a strategic shift or major new operation begins, the CEO can then tell the risk manager "figure out how to minimize these new risks." The risk manager can then go out and tactically approach all of the related risks and mitigate each of them. It is what risk managers have been doing for a long time, and it is something at which they excel. Take a potential problem and make it less likely to become one. Just another day at the office.
But involving the risk management department from the beginning makes more sense and allows the people who best understand the potential perils of the company to help guide leadership decisions. Risk management can be valuable at all levels of the organization, but if a company only allows it to effect change below the leadership level, the company is not maximizing a resource that can both prevent major losses and drive earnings by telling the board which risks are the good risks.
Conceptually, it is a lot like chess. A casual player -- even a very good casual player -- generally plays the game thinking only about how to maximize each move. Tactically, each move might be fine. But the lack of a strategic, coordinated attack lowers the chance of winning and will always hold the player back -- particularly when faced with tough competition. Without a larger plan, even the best tactical moves offer merely a temporary advantage. At the end of the game, those earlier decisions, no matter how beneficial they seemed at the time, will only prove to have been in the player's best interest if they helped him protect his king and, ultimately, checkmate the king of his opponent.
For the risk manager, the strategic view should be similar. First, protect assets by insulating the core, long-term objectives from the largest risks the company faces. Then, find ways to use that knowledge to increase shareholder value.
To truly do that, however, the risk manager needs a clear understanding of the corporate strategy and approach to risk -- something that can only truly be attained through discussions with the board and senior leadership.
Ultimately, taking risks is what creates shareholder value. Innovation and entrepreneurship simply must be balanced against the potential downside. As long as the top leadership is comfortable with the risks presented by the most informed opinions of those in the organization, the agreed-upon risk appetite level, in and of itself, does not matter. Both high-risk and risk-averse companies have been very successful. All that matters is that everyone understands the strategy and that the strategy is based on an informed understanding of how high the risk levels are.