A risk management framework is where a corporation generally begins its implementation of a formalized risk management strategy. There are a variety of pros and cons to having a financial risk management framework. Likewise, there are a wide variety of suggested frameworks available, and in this chapter we will also put forward our suggested framework. However, we believe it is only common sense that a framework should be developed by the managers of an organization to fit the specific risk management needs and objectives of their organization. As such, each risk management framework should be unique to the organization, rather than a cookie-cutter one-size-fits-all that is promoted by one organization or another.
Before putting forth what we believe are the essential elements in a financial risk management framework, it is useful to briefly discuss some of the pros and cons of risk frameworks in general. An understanding of the advantages and disadvantages is helpful as an organization considers what elements should be in their framework.
The major knock against risk frameworks is that they tend to become an entity unto themselves. That is, they become too large, too intricate, and too bureaucratic to be efficient tools for directing the risk management process.
A bloated risk framework has the potential to do much more harm than good. A bloated risk framework tends to “crowd out” risk thinking as managers start managing for the risk framework rather than managing for good risk management. In other words, the risk framework becomes the management objective rather than good risk management. This in turn leads to a shift in accountability away from the manager to the framework. How often have you heard that “all guidelines were followed” as an excuse for a risk miscue, when it was obvious that while the risk guidelines were followed, common sense was not? It is never a positive when managers can abdicate their responsibility and accountability for thinking, analysis, and making good decisions and instead simply default to a framework or a process. Strong frameworks and processes do have value—which we will discuss shortly—but they are very poor replacements for judgment.
A related effect is risk homeostasis, which is the effect that increasing the strength and power of your risk frameworks and processes actually, and paradoxically, has a tendency to lead to an overall increased level of risk. If it is believed that a strong risk framework is in place, the natural response of people is to change their risk-taking behavior. Consider how different your driving habits would be if you were driving in a winter snow blizzard in a modern SUV with the latest in traction control and upgraded snow tires, versus how you would drive in the same snowstorm in an older model econobox with bald summer tires and without the benefit of electronic traction control. In all likelihood you would reconsider the necessity of making a journey in the blizzard if you only had the econobox car at your disposal. This is why we see that the probability of being injured is actually greater when driving an SUV versus an econobox car. This is the effect of risk homeostasis and it is one unintended consequence of having too strong a risk management framework.¹
An extensive risk framework is also costly. It entails both explicit costs as well as hidden implicit costs. The explicit costs include management’s time, energy, and effort to set up and implement. Additionally, depending on the extensiveness of the system, there may be significant information technology and data feeds requirements. An overly costly framework may involve hiring full-time risk specialists. All of these costs will pay dividends only if the risk management requirements of the firm justify the expense.
The implicit costs of too extensive a risk management framework include having the system actually prevent new ideas from coming to the fore due to the perceived hassle of meeting the requirements of the risk management system. It may also discourage managers from seeking out the assistance of the risk management department if it is seen as a bureaucratic nightmare. An overbearing and bureaucratic risk framework could even discourage managers from expanding into profitable new markets or product segments.
Most ominously, an overly cumbersome risk management system may incent managers to find ways to circumvent the system entirely—which can be the most costly consequence of all. In many of the risk management workshops that we have conducted, the risk management department is frequently seen as the “Department of No!” This is obviously not what the desired reputation of a value-added department should be. If the culture around the risk framework is negative, then the culture around risk management activities will also be negative. Risk management should be seen as a positive that is allowing managers to more effectively do their central task of producing and marketing goods and services. A lean and simple risk management framework helps risk management be viewed as an asset for the manager, while an overbearing, cumbersome, and time-consuming risk framework will make risk management an adversary to the line manager.
Obviously, not all of the consequences of a risk framework are negative. After all, we are recommending that an organization develop their own risk management framework before starting a financial risk management program. The major advantage of a risk management framework is that it provides a common structure around which a common shared understanding of risk management can be built and expanded upon as needed. This common thread brings economies of scale to the risk management process and helps the organization develop institutional experience and learning about the best risk management strategies and tactics for reaching its objectives.
A suitably comprehensive risk framework prevents an ad-hoc series of risk management solutions arising throughout the firm. Starting with a framework allows for a coordinated and consistent process that will capture risk management synergies and efficiencies. Frequently, when risk management is done on an ad-hoc or even on an as-needed basis, there is more room for errors and mistakes to creep into the process. Additionally, ad-hoc risk management implementations tend to be redundant or even self-defeating due to the fact that it is difficult to track the overall level of risk and the overall level of risk management strategies in place without a central framework to coordinate the information.
A risk management framework also provides a checklist to help ensure that all of the necessary steps and processes have been followed or at a minimum considered. A good risk management framework allows the manager to have the confidence that the framework is taking care of the routine tasks of risk management while the manager can focus their energies on considering the specifics of each risk management situation. Having a framework act as a checklist that ensures that the necessary steps have been considered is a simple, yet very effective aid to efficient risk management.²
Essentials of a Good Framework
A good risk framework has some very basic, intuitive, and simple elements. To begin, a good risk framework is one that is lean and simple. Lean and simple encourage adherence to the framework, and adherence to a framework, even if it is potentially missing some bells and whistles, is still far better than ignoring or avoiding the most comprehensive yet unwieldy of frameworks. The framework should be practical and easy to implement in the various situations that the firm may face.
A good risk framework is also flexible and adaptable to the wide variety of financial risks that the firm may encounter. The system should be expandable to encompass future needs, and for that matter it should also be contractible if the needs of the organization for risk management decrease.
Critically, the risk framework should be tied to the risk management objectives of the firm. If the risk management framework is not in synch with the risk management objectives of the organization, then little else matters. Ultimately, this requirement means that the risk framework should be tailored to the firm. Off-the-shelf systems recommended by consultants are likely to be too broad, and too generic to suit the needs of the firm, and are also quite likely to have extraneous features that simply add to the cost and confusion of its use while adding little of positive value.
Despite the fact that a good risk framework should be lean, simple, flexible, and tailored to the organization, there are certain key elements that should be present in almost every financial risk management framework. These elements are listed here.
A Clear Objective for the Risk Management Function
Without a clear objective, it is nearly impossible to have effective risk management. This should be the first task in developing a risk management program and a task that is periodically revisited to ensure that it remains timely and appropriate.
While there are many excellent reasons to implement a financial risk management program, there needs to be a strategic objective if one hopes to do so in an effective and consistent manner. Many risk management objectives can be at odds with each other, and thus without a clear objective there are likely to be conflicts and inefficiencies. For instance, is the goal of the financial risk management program to eliminate financial risk? That is one possible risk management objective, but if so, it ignores the situations when an organization may want to take advantage of financial risk. (Remember, risk is the possibility that bad or good things may happen and there is a range of possible responses to risk.) As discussed in Chapter 2, there are a variety of risk management tools which permit an organization to choose different risk management objectives. These objectives need to be clarified at the very beginning.
The risk management objectives should be carefully thought through by management and approved by the Board. Risk management can be a major component of a company’s competitive strategy and as such it should be treated with the same amount of respect and thoughtful analysis as any other strategic or competitive decision.
We will devote more discussion to the setting of the financial risk management strategy in Chapter 10.
The identification of risks, both existing risks as well as potential risks, is an obvious and necessary component of any decent risk framework. You cannot manage what you cannot identify. It also relates to what we call the first law of risk management: the mere fact that you acknowledge that a risk exists automatically increases the probability and magnitude of it occurring if it is a good risk while also automatically decreasing the probability and severity of it occurring if it is a bad risk. Perhaps it is easier stated to say that merely being aware of the risks means the risk management battle is half won.
The process of identifying the risks is also key in that it forces the organization to be more aware of how financial risks affect the firm’s performance. Actively working to identify risks forces managers to think about how their organization works and the relationship of the various financial risks and the various linkages with the operations of the firm.
When identifying risks, it is critical to consider not only the existing risks, but also potential risks. A key element of risk is that it is a forward-looking activity. However, too often risk management systems are backward looking, collecting data on things that did happen, or are happening in the present, rather than focusing on what might happen going forward. Managers can only affect the future, and are helpless about changing the past. That is not to say that the past should be ignored. Understanding what happened in the past from a risk management standpoint aids in learning valuable lessons that can be applied in improving future risk management strategies and tactics.
Additionally, it is important to identify the strategic financial risks. It is generally relatively easy to identify and measure the financial risks based on transactions (such as foreign sales transactions, or interest rate risk due to financing obligations), but it is a more subtle, but perhaps more important task to identify the hidden and less overt strategic financial risks. Examples of strategic risk are the effects that exchange rates could have on a company’s competitive position relative to its foreign-based peers, or the effect that a change in commodity prices could have on a firm’s supply chain and pricing strategies.
When managers think of managing financial risk, the step of measuring the risks is generally considered to be the most quantitative and the one requiring the most specialist mathematical knowledge. While it is indeed a fact that advances in the measurement of financial risks have developed some highly sophisticated mathematical techniques, the reality is that even simple measures of quantifying the size of the risks go a long way in helping to manage those risks.
The saying “what gets measured, gets managed,” which management guru Peter Drucker is alleged to have said, is certainly true for risk management. Conversely, it is also generally, but not always, true that what does not get measured does not get managed. However, in recent years, there has been an overreliance on the measurement and not enough energy spent on the management of the risk. The goal of risk management should be the management of risk, not just the measurement of risk. While we agree that being aware of the risks is half the battle of risk management, it is most certainly not sufficient. Regulators in particular seem to have an obsession with risk measurement and mistakenly conflate measurement with risk management.
Choose and Implement Risk Action
The decision phase of how to best manage the risks is obviously the centerpiece of any risk management process. Recalling the definition of risk (the possibility that bad or good things may happen), it is important when making a choice on managing risks to consider the full range of risk responses. Recalling from Chapter 2, the full range of risk responses is: (i) Avoid or Eliminate, (ii) Mitigate, (iii) Tolerate but Monitor, (iv) Ignore, (v) Embellish, and (vi) Embrace. The choice of risk response will determine the type and style of the risk management technique or tool chosen. Too often, firms just automatically assume that risks should be avoided or eliminated, and enter into a costly and counterproductive risk management strategy. We have also seen companies adopt two or even three different risk management strategies as they could not make a choice as to which of the risk responses was appropriate! For example, one firm we dealt with simultaneously used three different tactics when dealing with currency risk. Being unsure how to hedge, they would leave one-third of the risk unhedged, would hedge another third with forwards, and would use option strategies for hedging the third portion of the exposure. It was the equivalent of not being able to make up your mind when ordering ice-cream, and thus getting a mixture of every flavor. An expensive and totally ineffective way to manage risk.
If the firm has a clear risk management objective, the choice of the risk response should be relatively straightforward. If the firm does not have a well-defined and well-delineated financial risk management objective, then the risk response decision is likely to be muddled at best.
After the risk response has been chosen, the tool or tactic(s) for managing the risk should be chosen. This includes whether it will be an operational strategy or something like insurance, selling off the risk, or a derivative management tool. The choice of tactic or tool will also have a series of choices that follow. For instance, if a derivative management strategy is chosen, the firm needs to choose what type of derivative, whether it will be an over-the-counter derivative, or an exchange traded derivative, the terms of the derivative (such as notional amount, strike price, or tenor), and who the counterparty for the derivative will be.
The choice of risk action thus involves both strategic as well as operational decisions. A risk management tactic that ignores this reality is likely to be ineffective at best and counterproductive at worst.
Monitor and Assess Risk Management Effectiveness
Most companies with a financial risk management program do monitor their risk management, but in our experience few can tell whether or not their risk management actions are being effective and helping to forward both the risk management objective as well as the strategic objective of the firm. As with measurement, risk monitoring is often done in large part as a regulatory exercise, not as the business improvement function that it should be.
There are two parts to this step of the risk management process. One is to monitor the risk management function. This would be aspects such as what are the cost and the value of the hedges, what are the concentrations of the counterparties to the hedges, what are the size and timing of any cash flows related to the hedges, when do the hedges expire or need to be renewed or updated, what is the overall level of hedges relative to the exposure, as well as other possible related metrics that need to be continuously checked and monitored. The second part of this step is to assess whether the hedges are performing the function that they were put in place to accomplish. Are the hedges helping to manage the risk and achieve the operational and strategic objectives of the firm?
Monitoring and assessing the risk management function implies taking a look back at what transpired and how well the risk management strategy worked relative to other alternatives. It is also ensuring that the tactics used achieved the objectives set out. Note, it is not an exercise in deciding whether the particular strategy chosen was optimal given the economic events that followed. It is deciding if the strategy chosen was optimal given what was known at the time that the risk management strategy was chosen. Hindsight is wonderful, but making judgments based on hindsight is impractical and misleading.
Effective Reporting and Communication
The risk management process should not be the purview of a select few. It should be a transparent process that is widely communicated and widely understood. Effective communication of the risk management strategy and outcomes has many benefits. Effective risk reporting helps with organizational learning about risk, engagement with risk, and is a key component of developing a positive risk culture.
A good risk report shows a timely indicator of the existing risks as well as expected risks. It also gives a clear indication of what risk management efforts are implemented and how effective they are. It also aids in making future decisions about risk management strategies.
The centerpiece of a risk report should be a risk dashboard. Risk dashboards will be discussed at more length in Chapter 10, but now it suffices to realize that a risk dashboard gives the key risk indicators for the firm. Just like a car’s dashboard, a risk dashboard gives only those key indicators that the management team needs to achieve their objectives, as well as warning signals (such as the check engine light) that point to the need for a more detailed look at an issue. While extensive risk reports are a tool for the risk professional, a slimmed-down risk dashboard report is likely to be a more effective tool for the general manager. Some companies spend so much time preparing comprehensive and detailed risk reports that they are well out of date by the time they can be read and understood by managers.
Other important elements of a good risk management framework are: appropriate training, appropriate accountability, and integration with the enterprise risk management system—if the organization practices enterprise risk management.
Appropriate training is required not only for frontline managers, but also for the senior management team and especially for the Board. In order to ensure a consistent approach to risk management, and to ensure that the risk management tactics are in line with the strategic objective set by the Board, operational managers, senior managers, and the Board need training that ensures all are consistent in their understanding of the risk management process, how to implement and assess the various elements, and how to communicate about risk effectively.
Although implementation of the financial risk management process may be accomplished through a dedicated risk management department which is appropriately staffed by risk management specialists, risk management is not a task that should only be understood by those experts. Leaving the risk management solely to a dedicated department means that opportunities for enhanced risk management will be almost certainly missed. A well-trained staff can alert the risk management function to opportunities, and by understanding what risk management can, and cannot accomplish, there will be better communication between the line and risk management. This enhanced communication in turn means greater acceptance of risk management, broader accountability for risk management, and that risk management will reciprocally be brought in earlier as operational plans are being formulated, thus allowing for risk management to be more fully integrated into the strategic planning process.
The Board and senior managers need extensive risk training so they too can better implement risk management into operations and the strategic planning process. Additionally, the Board needs a full appreciation of risk management so they can practice better risk governance, by asking better questions, getting better responses, and having better overall discussions of how risk management can improve the operations of the firm.
For the risk process, clear lines of accountability need to be set up. Although in a perfect world, everyone would be accountable for risk management, the reality is that it is not practical to do so. Clear lines of accountability are needed in terms of who is ultimately responsible for the risk strategy, who is responsible for implementing risk tactics, and who is responsible for verifying the checks and balances needed to ensure compliance with the strategy and set tolerance levels. In part, extensive training and appropriate risk communication systems will play a large role in setting up the appropriate checks and balances. However, without a specific oversight function and accountability, flaws will still be likely to go through the system unchecked. Financial risk management has achieved its reputation as being too tricky or too fraught with potential for mistakes or fraud due in large part to an absence of appropriate oversight or accountability. The oversight does not have to be stifling; it just needs to be in place with clear accountability.
Finally, the risk management process should fit with the enterprise risk management system and processes of the organization. Not all organizations, particularly smaller organizations, have a full enterprise risk management system. However, for those that do, the financial risk management system should integrate seamlessly with it. This does not mean that the financial risk management system needs to be the same as the enterprise risk management system (in general they should be different), but they should integrate and be consistent and have compatible measurement and reporting systems, and consistent terminology.
With the increase in the importance of data analytics, and the increasing awareness of how risk management, both financial risk management and enterprise risk management, can so greatly help an organization achieve its objectives and gain competitive advantage, it is likely that the number of organizations implementing enterprise risk management systems will grow significantly in the future.³
The elements of our suggested risk management framework essentials are summarized in Figure 3.1.
Figure 3.1 Risk management framework essentials
Before concluding this chapter, it is instructive to look at a series of questions that should be asked about any financial risk management decision. These six questions can act as a guide to making financial risk management decisions. Of course, this list is not exhaustive, and each organization should think about what questions would be appropriate to add to deal with their own specific situations.
The first three questions to ask about a financial risk are: what can happen, when can it happen, and how much of an effect can it have? These questions form the fundamentals of the terms of the hedge instrument.
The next question to ask is how does the risk fit with the strategic objective? Does the risk have more potential to be a good risk or a bad risk? Is it a risk that is key for the strategic objective to be achieved? Is it a risk that can lead to competitive advantage or disadvantage? Does the risk provide some sort of tactical advantage or disadvantage? Is it a risk that is key to this firm, or is it a risk that other competitors need to deal with as well? Good financial risk management is always considering the ultimate objective. Risk management is to work solely for the good of the organization; not necessarily for the good of the risk management function.
When considering the strategic component of risk management, it is important to realize that stakeholders may have a different objective; in particular, financial stakeholders may be investing in the company solely because they want the company to embrace financial risks. For instance, many equity investors in gold mining companies are doing so specifically because they want the commodity risk exposure to gold prices. However, if the gold mining company has completely hedged its gold price exposure, investors will not be achieving the exposure that they invested for. In part, this is another reason why an organization needs to be very clear in what the financial risk management objective is, and in being completely transparent in communicating that risk management objective.
Finally, in developing the risk management process, an organization has to take account of its capabilities in terms of financial risk management. Does it have the knowledge and understanding of the various risks and risk management instruments that it is trying to use? Does it have the systems and data analysis capabilities to appropriately manage its risk management positions? Can it measure with reasonable accuracy its hedge exposures? Does it have appropriate measures in place to account for and measure counterparty exposure? Often, organizations develop risk management tactics that are beyond their capability to implement and adequately monitor. The most famous example might be Procter and Gamble and the series of exotic swaps that they entered into in the mid-1990s to manage their interest rate exposure. Procter and Gamble were at the mercy of their financial counterpart Bankers Trust in terms of assessing the value of their positions and how they should revise their positions to achieve their risk management objectives. The result was a financial debacle for Procter and Gamble, and in part led to the downfall of Bankers Trust as a leading provider of risk management solutions.
Although sophisticated risk management techniques have their place, organizations should not get ahead of their capabilities. As a general rule, if a manager cannot explain what they are doing so that other nonspecialist managers, and in particular Board members, can understand both the advantages as well as the disadvantages of the proposed risk management technique, then that risk management technique should probably not be undertaken. Virtually all risk management debacles that have been so well documented, including the failings of Procter and Gamble, were a direct result of the organization not having the proper level of understanding and the proper systems to implement such a strategy, and furthermore of its managers not having the self-esteem to admit to such. We will discuss much more about this in Chapter 10.
Risk frameworks have a variety of pros and cons. Generally speaking, the advantages of starting risk management with the aid of a risk management framework outweigh the negatives. However, many organizations develop too elaborate and too cumbersome a risk management framework. The result is a bureaucratic white elephant that instead of being a catalyst for risk management becomes a drag. Risk frameworks should be lean, flexible, and designed to help the organization achieve its risk management objectives in as efficient a manner as possible.
¹ For more on risk homeostasis, see R. Nason. October, 2009. “Is Your Risk System Too Good?,” RMA Journal. Also see R. Nason. 2017. “Is Your Risk Management Too Good?” In Experts Insight Collection. New York, NY: Business Experts Press.
² For more on the value of using checklists, see A. Gawande. 2009. The Checklist Manifesto: How To Get Things Right (New York, NY: Henry Holt and Company).
³ For a guide to Enterprise Risk Management, see the companion book of R. Nason and L. Fleming. 2018. Essentials of Enterprise Risk Management (New York, NY: Business Experts Press).