Managing the 'risks that matter'

By BEN PALMER and PAUL ROBERTS*

At a time when business has been facing a potential crisis in the power supply, risk management becomes uppermost in the mind of the business manager.

To the business manager, an event of epic proportions is looming and that event must be overcome if the business is to succeed to the expectations of the business owner, or indeed, if it is to even survive.

While, over the past month, the risk of a loss to the power supply has been increasing, such a risk is not the only one facing business. Indeed, risk is a fact of doing business.

And in the modern business world, with increasing uncertainty and complexity, it is not possible to exploit future opportunities without accepting risk. The key is to knowingly and purposefully accept risk, avoid those risks that should be avoided and to manage to those that cannot be avoided.

If, at this time, the management of risk is uppermost in the mind of the business manager, what risks should the manager be managing and how should it be undertaken?

We subscribe firmly to the view that the risks to be managed are “the risks that matter”. These risks can be described as those that impact shareholder value, for example those risks that impact share price, profit and profit sustainability, and service capability.

We are equally firm on how risk should be managed.

Our experience, both in New Zealand and overseas, suggests that risk is managed in one of two ways. Sadly by far the most predominant approach is the “ad hoc” method. Here, the responsibility for the management of risk is implied rather than being clearly defined.

The business generally has a view on the risks it faces, yet it has no formal process for their controlled identification, assessment or treatment. The risk event sparks the response. Generally, by this time, the response is too late or too costly to implement.

By far the better method is the “considered” approach. This approach has certain design principles that ensure the business is in a state of readiness should a particular event occur. “Risks that matter” are identified, assessed, treated and monitored as part of the day-to-day business activity. Shareholder value is protected and opportunities optimised.

So what are the design principles for an effective risk management system?

* Shareholder value-based: the risk management system should be focused on creating shareholder value.

* Embedded: the culture of the organisation should reflect the risk consciousness of its board.

* Supported and assured: the system should provide management with the assurance it needs that risks are being managed appropriately.

* Reviewed: the board should review the effectiveness of the system of risk management on a regular basis in light of current business performance and circumstances.

In order to determine how well placed you are to manage risks when they eventuate, you need to be able to affirmatively answer the following questions:

* Do you know your “risks that matter” to shareholder value and if so are you responding appropriately to these risks?

* How robust is your current risk infrastructure and culture and how efficient and effective are your responses to risks?

To put these questions into the context of the potential electricity crisis, are increased electricity prices or interruptions to electricity supply risks that matter to your business?

If so, how will your business continue in the event of an electricity supply interuption? And how will your business manage in an environment of increased power prices?

If you are managing the “risks that matter”, you will have known the answers to these questions for some time.

* Ben Palmer is a partner, business risk consulting, and Paul Roberts is principal, business risk consulting, with Ernst & Young.

Power to the People Supplement