Risks other than fire, flood or spillage often are missed, badly analysed or given weak priority in a corporate culture, writes VICKI JAYNE.
Think risk management, and what comes first to mind are the destructive impacts of fire, flood, or spillage.
Less obvious, but equally lethal to business, are the destructive forces that brought down the United States energy-trading giant, Enron.
Its plunge from last year's sharemarket darling to its present liquidated hulk took mere months.
But the flawed and fraudulent financial practices that prompted the fall should have rung warning bells years earlier if proper risk management processes had been part of the company's culture, says Alan Jutsum, strategic risk manager for Willis Risk Consulting.
He has picked through the reports emerging from investigation of Enron affairs, and sees the company as the ultimate case study in what can go wrong with an organisation.
"It can be seen in terms of a failure in corporate governance or of inadequate internal and external auditing," says Jutsum, a speaker at next month's Third National Internal Audit Forum, in Wellington.
"My own interest is to look at how they did or did not apply risk management techniques - and I see that as a wake-up call for local business to review the scope of their own risk management processes."
Risk is often narrowly defined or treated in a piecemeal way, says Jutsum, once New Zealand Dairy Group's risk manager.
To be effective and return some value to an organisation, the issue of risk has to be applied in a structured way across the whole business.
"Failure to do so means risks are either missed, inadequately analysed or poorly prioritised," he says.
Obviously, the bigger and more complex the company, the greater the need for a structured approach.
Ironically, says Jutsum, Enron had a division ostensibly set up to provide finance and risk management services.
"But risk management was clearly not a way of life [for the company] and risk exposure cannot have been reported effectively," he says.
"Enron may have transferred risk, but this was done without risk management disciplines and, ultimately, at huge loss."
Among its questionable or bizarre practices: the company hedged some investment risk to entities that, while treated as separate for accounting purposes, were not financially independent.
In other words, it was buying its risk protection from itself - a practice that benefited certain of its executives enormously, but left the company badly exposed.
It had also extended its trading in energy-related commodities and derivatives to some fairly loopy extremes - for example, providing weather-related hedges for convenience stores selling soft drinks.
Enron also used accounting methods that inflated the value of transactions, but hid the liabilities.
That such practices caused concern in some quarters - but were allowed to carry on - reveals large flaws in the company's risk reporting and review processes, says Jutsum.
Even auditors Andersen turned a blind eye, and continued to be involved in both auditing and consultancy work.
By the time the whistle was blown on Enron's hidden liabilities, it was too late and share values tumbled, along with the company's credibility.
While New Zealand companies are not of a scale to fall as far or as fast, Jutsum says they share with Enron the failure to build risk management into organisational culture.
"Research we've done suggests there is a good level of risk management consciousness amongst managers in large New Zealand organisations. But for the processes to work, there has to also be a consciousness at operational or shop-floor level."
That involves good reporting and awareness throughout the company so everyone can identify and understand what are the risks to business and how they can be mitigated.
To identify risk, a company first has to define its critical assets, says Jutsum.
That isn't always as obvious as it appears. Physical assets may, for instance, have less value than intellectual capital, product brand or company reputation.
Determining what is most valuable is the first step to analysing risk, says Jutsum.
"Companies have to decide how to spend capital effectively. For instance, do they prioritise spending on improving health and safety, or environmental practices? That's not an easy call unless you've done your analysis on values and risks."
In Britain, undertaking risk management processes became mandatory for all publicly listed companies a couple of years ago and many businesses were deluged with risk information.
"This created confusion, not clarity, as few companies had tools to sort out the data," says Jutsum.
"Because risk is so broad and because businesses can be so complex, it is essential to have a framework that clarifies values and prioritises risk.
Jutsum said one reward of the open workshops his company runs for a management to assess its levels of risk is the "aah!" factor.
"Someone realises where the company could be exposed and can then look at ways to reduce that exposure."
So, how can a company deal with the risk of dishonesty?
"This should never be tolerated and, as with most good management practice, the tone is set at the top of the company," Jutsum says.
Protecting a company from fraudulent practice starts with the board of directors laying down clear ethical standards.
"Underneath that are the controls to ensure appropriate discipline is taken if those standards are breached - and the commitment to use them."
It is worth noting, says Jutsum, that the liability insurers for Enron directors and officers are looking to have the policy rescinded because the company's financial position was misrepresented.
"That could well leave Enron directors fully exposed to all liabilities that may come from disgruntled shareholders and angry debtors."
A salutary warning, perhaps, for directors and managers that it's better to manage risk than expect to fall back on insurance when unmanaged risks come home to roost.
* vjayne@iconz.co.nz
Business Information in Asia
Lessons flow from Enron's destruction
AdvertisementAdvertise with NZME.
