IN THIS ISSUE
Catastrophic Risk: A Company's Worst Nightmare
The following is a summary of a recent white paper, "Disarming the Value Killers: A Risk Management Study" published by Deloitte Research.
Not long ago, risk management was considered a specialty niche, the province of academics and consultants and not a priority for mainstream business. But that bubble of complacency was burst through a succession of cataclysmic events — the dot-com bust, the Asian financial crisis, global terrorism, and a wave of business scandals. Today, most companies have become more attentive to risk management principles. Yet for many of these same companies, this increased awareness is still to be formulated into effective actions to address the threats. When it comes to managing risk, many companies are still asking, "What causes major loss of shareholder value?" "How can we better protect ourselves?"
Some of the answers to questions regarding risk management have already been offered by regulators and government legislation. The U.S. Sarbanes-Oxley Act of 2002, for example, is intended to reduce the occurrence of inaccurate, or even fraudulent, financial reporting. Beyond that, however, there are several initiatives that an organization can undertake to protect itself.
In a recent study titled Disarming the Value Killers: A Risk Management Study, performed by the research arm of Deloitte Services LLP, researchers analyzed the possible causes of major loss of share value experienced by hundreds of large international companies over the last 10 years. Some of the results were expected, such as the major negative impact of the September 11, 2001 terrorist attacks in the United States. Yet other results yielded some surprises, finding that risks lurk in unexpected places and that certain events can have such devastating effects that many organizations never recover from the losses.
Managing Critical Risk Interdependencies
Value loss is often caused by several types of risk interacting to produce an even greater loss in value. Although many companies have invested in enterprise risk management (ERM), few adequately manage risk interdependencies and may fail to recognize and manage the relationships among different types of risks. Actions taken to address one type of risk, such as strategic risk, can often increase exposure to other risks, such as operational or financial risks.
Risk management strategies should include an analysis of how responses to one type of risk might trigger other types of risks. Management can gain a more comprehensive view of risk interdependencies by:
Although each of the companies in the research study experienced unique circumstances that contributed to their loss of value, there were several common risk factors that resulted in a negative effect on business value. Many of the largest value losses were the result of events that were considered extremely unlikely. Companies that go beyond traditional methods to take a more integrated and comprehensive approach to risk management may reduce the likelihood of suffering major losses in value.
Proactively Address Low-frequency, High-impact Risks
Companies that want to plan for rare, but high-impact, risks should employ "stress tests" to ensure that their internal controls and business continuity plans can withstand the shock of a high-impact event. Companies should proactively plan and acquire the strategic flexibility to respond to specific scenarios. Given the frequency of sudden and dramatic drops in share prices, even the largest companies need to take a serious look at current risk management practices.
Despite the potentially devastating impact of unlikely events, managers often emphasize the most-likely risks faced by a company when assessing its risk position. Probabilistic models like Value-at-Risk (VaR) are developed using likelihood and impact data for similar events. These models may be biased to focus on more frequent risks, overlooking low-probability events that can be extremely damaging. For instance, the U.S. September 11th terrorist attacks and the recent devastation of hurricane Katrina were unprecedented events with a major business impact. Such events cannot easily be classified into a probabilistic model, and usually data is not available to model these risks.
Although rare events are not always preventable, companies can improve the resilience of their operational and capital structures to better manage them. Stress tests and scenario analyses can be used to understand the potential negative impacts from rare events that are typically omitted in risk models. A stress test examines a company's ability to withstand specific scenarios and events, without having to develop a statistical model of them. They are a crucial addition to VaR models by allowing executives to answer the question: "What can go terribly wrong?" Scenarios for stress tests can be historical, in which a company simulates the market moves observed in a past crisis. For example, a company could ask how it might respond to an earnings shortfall resulting from a repetition of the 1997 Asian financial crisis.
Historical scenarios are attractive because all relationships between markets are specified at once. On the other hand, past market moves will never recur precisely. For this reason, many firms specify hypothetical scenarios, with events that have never previously occurred, such as responding to oil supply interruptions leading to prices in excess of $60 a barrel. Banks and brokerage firms often stress test their portfolios and likely responses to various scenarios.
In addition to stress testing responses to low-frequency events, firms should acquire greater capabilities to plan for, and respond to, specific scenarios. A firm can build the flexibility to respond to different scenarios by selectively investing in capabilities that can be exercised in the event that a specific scenario is realized. The ability to continue functioning after a major disruption is essential for companies that can afford little or no downtime in their business operations.
The study found a number of contributing causes to the hundred largest business value drops. Contributing events were often experienced by companies that perhaps did not adequately:
Provide Timely Information on Control Factors
A number of organizations in the study apparently lacked access to current information required for senior management to respond quickly to emerging problems. This naturally reflects poorly on the senior executives and their control of the organization, often leading to their departure. The shock felt by investors who suddenly learn about the existence or severity of problems that had previously been undisclosed has often driven share values down even further.
Companies need to improve their internal information systems and communication mechanisms to ensure that senior management and boards of directors receive accurate, near real-time information on the causes, financial impact, and possible solutions of control problems. With chief executive officers and chief financial officers of U.S. public companies having to attest to the accuracy of financial information to comply with Sarbanes-Oxley requirements, some companies have improved the ability of their information systems to provide more current visibility into their operations.
However, this increased knowledge does not necessarily translate into useful information for the board of directors. Board members are inundated with ever larger amounts and kinds of information provided by management. As boards of directors confront more complex governance tasks in a more uncertain and demanding environment, companies may have to redesign the way they gather, analyze, and present information to allow board members to discharge their responsibilities. Boards increasingly are likely to demand investments in information systems and staff so they can independently monitor and assess management initiatives, performance, and company operations.
The 20-page white paper, Disarming the Value Killers: A Risk Management Study, is available for download on Deloitte's Web site, http://www.deloitte.com/dtt/cda/doc/content/us_assur_Value%20Killers%20Report%20.pdf. (PDF, 533 KB)
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.