Tuesday, December 27, 2005

Why is risk management important?

December 27, 2005, www.rediff.com

Corporations operate in a dynamic environment. Hence the future remains uncertain to a large extent, allowing for fate to play a part in the results that are achieved by the companies.
However, the role of fate has reduced considerably over the years. With the help of probability theory and careful evaluation of the environment, companies are now able to predict, to some extent, the various risks that may have a critical impact on their business.
The primary objective of any company is to maximise shareholders' wealth. The shareholders appoint agents (read managers) who take various investing and financing decisions to achieve the firm's objectives. The main criteria are to maximise returns and minimise risks related to any decision.
The point of discussion in this article is the part of decision-making that deals with minimising risk. Ignorance or mismanagement of risk will result in loss of shareholders' wealth and loss of reputation apart from other undesirable consequences.
A number of cases have occurred in the recent past which very well brings to light the lack of foresight and pro-activity on the part of the management in managing risk.
'Risk management' therefore is an integral part of managing a business. From the recent devastation in the United States, we have come to realise that companies like Wal-Mart and Home Depot, which have active risk management programmes in place were much better poised to deal with hurricane Katrina than the government or other companies who have not yet embraced the advantages of risk management.
Companies face various types of risks. Some may be external in nature, which are not under the direct control of the management, like the political environment, the changes in exchange rates or the changes in interest rates. The others may be internal in nature which the management can control to a great extent, for example risks associated with non-compliance in financial reporting or non-compliance with labor laws.
A company would need to identify the risks that it faces in trying to achieve the objectives of the firm. Once these risks are identified, the risk manager would need to evaluate these risks to see which of them will have critical impact on the firm and which of them are not significant enough to deserve further attention.
The critical risks that could have adverse impact on the firm's business are then given maximum importance and strategies are formulated to deal with them or hedge against them.
The entire process of identifying, evaluating, controlling and reviewing risks, to make sure that the organisation is exposed to only those risks that it needs to take to achieve its primary objectives, is known as 'risk management.'
Risk management is a proactive process, not reactive. The best example is Shell Oil which has many offices in the New Orleans region but dealt with hurricane Katrina rather well due to the rigorous risk management procedures that it has in place.
Risk cannot be eliminated. However, it can be:
Transferred to another party, who is willing to take risk, say by buying an insurance policy or entering into a forward contract;
Reduced, by having good internal controls;
Avoided, by not entering into risky businesses;
Retained, to either avoid the cost of trying to reduce risk or in anticipation of higher profits by taking on more risk, and;
Shared, by following a middle path between retaining and transferring risk.
There are various tools available to the management to manage risks. Some of them being, derivative products like Forwards, Futures, Options and Swaps. The others involve having better internal controls in place, due diligence exercises, compliance with rules and regulations, etc.
Reserve Bank of India Governor Dr Y V Reddy has been stressing the need to disclose the risk management practices followed by the companies for sometime now and rightly so. It is very important for the investors to know if the companies in which they are investing are managing the risks as efficiently as they claim to maximise returns.
Infosys, for example, gives a detailed outline of the various risks facing their business, the policies of the company regarding each of them, the measures that are taken to deal with these risks, the implementation of strategies to manage risks and finally their review process.
However, there are large numbers of companies which are still ignorant or chose to ignore the importance of risk management and deal with situations as and when they arise. It is time the management of such companies sits up and takes note of the risks that their company faces.