CSA Sentinel - The Institute Of Internal Auditors  

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Volume 9 • No. 3 • October 2005

Catastrophic Risk: A Company's Worst Nightmare

Understanding factors that can destroy corporate value may help companies reduce their vulnerability to sudden risk shock.


By Mark Layton, Global Managing Partner
Rick Funston, National Practice Leader  
Deloitte & Touche LLP
Ajit Kambil, Director
Deloitte Services LP

The following is a summary of a recent white paper, "Disarming the Value Killers: A Risk Management Study," published by Deloitte Research.

Not long ago, risk management was considered a specialty niche, the province of academics and consultants and not a priority for mainstream business. But that bubble of complacency was burst by a succession of cataclysmic events — the dot-com bust, the Asian financial crisis, global terrorism, and a wave of business scandals. Today, most companies have become more attentive to risk management principles. Yet for many of these same companies, this increased awareness has yet to be translated into effective actions to address the threats. When it comes to managing risk, many companies are still asking, "What causes major loss of shareholder value?" and "How can we better protect ourselves?"

Some of the answers to questions regarding risk management have already been offered by regulators and government legislation. The U.S. Sarbanes-Oxley Act of 2002, for example, is intended to reduce the occurrence of inaccurate, or even fraudulent, financial reporting. Beyond that, however, there are several initiatives that an organization can undertake to protect itself.

In a recent study titled Disarming the Value Killers: A Risk Management Study, performed by the research arm of Deloitte Services LLP, researchers analyzed the possible causes of major loss of share value experienced by hundreds of large international companies over the last 10 years. Some of the results were expected, such as the major negative impact of the September 11, 2001 terrorist attacks in the United States. Yet other results yielded some surprises, finding that risks lurk in unexpected places and that certain events can have such devastating effects that many organizations never recover from the losses.

Managing Critical Risk Interdependencies

Value loss is often caused by several types of risk interacting to produce an even greater loss in value. Although many companies have invested in enterprise risk management (ERM), few adequately manage risk interdependencies and may fail to recognize and manage the relationships among different types of risks. Actions taken to address one type of risk, such as strategic risk, can often increase exposure to other risks, such as operational or financial risks.

Risk management strategies should include an analysis of how responses to one type of risk might trigger other types of risks. Management can gain a more comprehensive view of risk interdependencies by:

  • Assessing internal risk dependencies.
  • Building an integrated risk management function, championed and supported by senior management.
  • Understanding the risk profiles of key suppliers and customers to assess the potential impact of those vulnerabilities on the overall risk profile.
  • Avoiding taking actions to address one type of risk that unwittingly increases exposure to other risk categories.
  • Taking into consideration the organization's appetite for risk.

Although each of the companies in the research study experienced unique circumstances that contributed to their loss of value, there were several common risk factors that resulted in a negative effect on business value. Many of the largest value losses were the result of events that were considered extremely unlikely. Companies that go beyond traditional methods to take a more integrated and comprehensive approach to risk management may reduce the likelihood of suffering major losses in value.

Proactively Address Low-frequency, High-impact Risks

Companies that want to plan for rare, but high-impact, risks should employ "stress tests" to ensure that their internal controls and business continuity plans can withstand the shock of a high-impact event. Companies should proactively plan and acquire the strategic flexibility to respond to specific scenarios. Given the frequency of sudden and dramatic drops in share prices, even the largest companies need to take a serious look at current risk management practices.

Despite the potentially devastating impact of unlikely events, managers often emphasize the most-likely risks faced by a company when assessing its risk position. Probabilistic models like Value-at-Risk (VaR) are developed using likelihood and impact data for similar events. These models may be biased to focus on more frequent risks, overlooking low-probability events that can be extremely damaging. For instance, the U.S. September 11th terrorist attacks and the recent devastation of Hurricane Katrina were unprecedented events with a major business impact. Such events cannot easily be classified into a probabilistic model, and usually data is not available to model these risks.

Although rare events are not always preventable, companies can improve the resilience of their operational and capital structures to better manage them. Stress tests and scenario analyses can be used to understand the potential negative impacts from rare events that are typically omitted in risk models. A stress test examines a company's ability to withstand specific scenarios and events, without having to develop a statistical model of them. Stress tests are a crucial addition to VaR models because they allow executives to answer the question: "What can go terribly wrong?" Scenarios for stress tests can be historical, in which a company simulates the market moves observed in a past crisis. For example, a company could ask how it might respond to an earnings shortfall resulting from a repetition of the 1997 Asian financial crisis.

Historical scenarios are attractive because all relationships between markets are specified at once. On the other hand, past market moves will never recur precisely. For this reason, many firms specify hypothetical scenarios, with events that have never previously occurred, such as responding to oil supply interruptions leading to prices in excess of $60 a barrel. Banks and brokerage firms often stress test their portfolios and likely responses to various scenarios.

In addition to stress testing responses to low-frequency events, firms should acquire greater capabilities to plan for, and respond to, specific scenarios. A firm can build the flexibility to respond to different scenarios by selectively investing in capabilities that can be exercised in the event that a specific scenario is realized. The ability to continue functioning after a major disruption is essential for companies that can afford little or no downtime in their business operations.

The study found a number of contributing causes to the hundred largest business value drops. Contributing events were often experienced by companies that perhaps did not adequately:

  • Manage drops in demand due to industry-related or company-specific events.
  • Manage losses when specific valued customers had problems leading to falling demand or payments.
  • Correctly value and manage mergers.
  • Address country-specific economic risks, such as currency values.
  • Anticipate changes in government or policies.
  • Anticipate and manage possible terrorism threats.
  • Manage costs of operations.
  • Address product quality issues.
  • Manage inventory capacity and demand resulting in overstocks or stockouts.
  • Manage debt.
  • Use options, derivatives, and other financial risk management and investment strategies.
  • Recognize declines in values of intangible assets.
  • Anticipate losses from the failure of suppliers to meet their commitments.
  • Anticipate losses from weather-related events.

Provide Timely Information on Control Factors 

"Internal auditors are a valuable asset to an organization, assisting management in identifying the causes of major losses and providing insight into how risk management techniques can help companies mitigate and address challenges posed by risk."

Eric Hespenheide
Global Managing Partner, Internal Audit
Deloitte & Touche LLP

A number of organizations in the study apparently lacked access to current information required for senior management to respond quickly to emerging problems. This naturally reflects poorly on the senior executives and their control of the organization, often leading to their departure. The shock felt by investors who suddenly learn about the existence or severity of problems that had previously been undisclosed has often driven share values down even further.

Companies need to improve their internal information systems and communication mechanisms to ensure that senior management and boards of directors receive accurate, near real-time information on the causes, financial impact, and possible solutions of control problems. With chief executive officers and chief financial officers of U.S. public companies having to attest to the accuracy of financial information to comply with Sarbanes-Oxley requirements, some companies have improved the ability of their information systems to provide more current visibility into their operations.

However, this increased knowledge does not necessarily translate into useful information for the board of directors. Board members are inundated with ever larger amounts and kinds of information provided by management. As boards of directors confront more complex governance tasks in a more uncertain and demanding environment, companies may have to redesign the way they gather, analyze, and present information to allow board members to discharge their responsibilities. Boards increasingly are likely to demand investments in information systems and staff so they can independently monitor and assess management initiatives, performance, and company operations.

The 20-page white paper, Disarming the Value Killers: A Risk Management Study, is available for download on Deloitte's Web site, http://www.deloitte.com/dtt/cda/doc/content/us_assur_Value%20Killers%20Report%20.pdf. (PDF, 533 KB)
