Business Risk Management in International Corporations
Nowadays, there is large variability in the business environment, caused by economic and political circumstances. It sheds new light on the issue of risk management in business. Companies that want to stay in the market must dynamically change their exposure to risk. The article presents an analysis of business risk management models in international energy companies. The authors’ professional experience in this industry was also used. This has allowed for a compilation of knowledge drawn from the literature and from the experience of business practitioners. The authors indicate crucial areas of companies which, using good practices, are able to respond to changes in a flexible way.
In 2014, researchers from the University of Navarra – IESE Business School published an annual report on the amount of risk premiums in 88 countries, based on statements of more than 8,000 experts from all over the world (Fernandez, 2014). Among the results, we should draw attention to the high rates in countries such as Greece (15%), Argentina (11.8%), Egypt (12.9%) and Ukraine (13.9%). They mean that potential investors investing capital in these markets expected a rate of return at least at the level of these indicators, which proves the existence of significant risk in these markets that must be covered by an appropriate premium. In practice, the amount of risk premium expected by the investor is determined not only by the level of uncertainty associated with forecasting cash flow but also by the investor’s tendency to take risk (Sierpińska, 2004). In the same statement, countries such as Poland (6.3%), France (5.8%), Spain (6.2%) and the USA (5.4%) seem to be inviting to owners of capital (of course in the context of the previous year). The continuous dynamics of changes in the economic and political sphere, such as the current crisis in Ukraine (leading to turbulence in global currency markets and in quotations of natural resources), prompts us to reconsider the diversification of risks in currently conducted business activities, taking the case of the previous global crisis of 2007-2009 into account (Brzeziński, 2011). In shaping reality, one should be a keen observer, so as not to involuntarily become a beneficiary of an extremely relevant observation: that the only surprise about the crisis of 2008 was the fact that it was a surprise to so many (Stiglitz, 2010). However, the level of government intervention necessary to stabilize the system puts into question the continued existence of traditional free market capitalism (Roubini, 2011). Investors are willing to bear risk in order to accumulate capital, which is the main objective of a company’s existence.
Over the years, rich in varied experiences, the approach to the secrets associated with risk management in business has not changed. Thus, we should stick to the fundamental practices of risk management, but in relation to new situations and opportunities (Beans, 2010; Bačík, Štefko, Gburová, 2014). According to a study conducted by McKinsey Quarterly, 79% of surveyed corporations cut costs in direct response to the financial crisis, but only 53% of the representatives of the highest authorities believed that these efforts had been successful (Heywood, 2010). It proves that many companies operated completely in the dark during the destabilization, concentrating their efforts on cost reduction. Skillful risk management is based on the fact that, while developing its strategy, a company also develops a risk management strategy. When developing the strategy, a company should indicate the purpose of risk management, identify risks, make measurements, propose risk mitigation tools, monitor and control risk, and create a homogeneous system of risk management. In a word, risk management is not oriented on the whole company, but supports, in an effective and efficient way, the implementation of the developed strategy and picks up on those signals that indicate a need to modify assumptions, financial flows, programs and results. It is worth noting that the strategy adopted by a company determines the whole process of risk management. It assumes an adequate definition of risk, an objective of risk management, a measurement and a system for reducing, monitoring and reporting synthetic and partial risk measures. All of these elements constitute a risk management strategy, which should be integrated with the overall strategy of a company. The ‘bridge’ between company strategy and risk management strategy should be ‘risk appetite’, which is the total value of exposure to risk that an organization is willing to accept as a compromise between risk and profit.
Risk appetite should be reflected in the company’s strategy. It should be established in the phase of strategy implementation, and it provides a basis for creating a risk management system adequate to the earlier decisions on risk appetite (Kasiewicz, 2012).
The aim of the authors of this study is to indicate the need for risk re-calculation because of the volatility of the business environment (especially in terms of capital cost) and, most importantly, to present real solutions adopted in this area by international energy companies. By analyzing many documents, referring to a series of analyses and comparisons, and drawing on practical knowledge in this area, the authors try to draw the reader’s attention to the importance of this issue in the modern approach to risk management in business.
2. Key risks management systems
Against the background of the events mentioned above, the concept of integrated risk management, often referred to as Enterprise Risk Management (ERM), is increasingly gaining popularity. This concept differs from existing ones and involves a holistic approach to risk in the context of the company’s strategy and objectives. Risk management is not one of many functions; it is spread throughout the organization in conjunction with all processes in the company. One of the characteristic objectives of ERM implementation in a company is to improve financial performance and achieve greater stability. The quality of this implementation can be reflected in the so-called risk management rating, which according to world research is correlated with the company’s financial results (Krysiak, 2011). After 2010, this concept became the subject of increased media activity. The media drew attention to the fact that the percentage of companies implementing ERM continues to grow, while at the same time companies dedicate specialized departments to handle these issues. Rating companies have also included in their assessments elements concerning the use of risk management by surveyed companies. Universities, in collaboration with research centers and business representatives, began to organize special courses concerning these issues (Hot, 2011).
Organizations implementing ERM have begun to notice that their employees perceive risks only as dangers, whereas risk that is well managed becomes an opportunity for development (Hampton, 2009). In building an ERM structure, we should specify 7 major components. They include:
- Risk identification – we assume that the possibility of its occurrence is already included in the risk definition, and that a lost opportunity is a bigger danger than business interruption,
- Identification of risk owner – the assignment, to each risk category, of an owner who has appropriate experience and skills in exposure management,
- Alignment of responsibility for risk – risks are grouped in such a way that they can be managed by one owner,
- Creating a central risk function – it is usually a person responsible for coordination of discussion about the risk. This person should be placed high in the organizational hierarchy,
- Creating a ‘storehouse of knowledge’ about ERM – it is a system supporting decisions, designed to understand risk mechanism. This is a kind of repository created in order to share knowledge,
- Involvement of company’s Management Board – this component is based on the idea that Management Board should worry about management and that is why, it is necessary to create a transparent system of risk reporting,
- Use of standardized risk assessment process – only in this way it is possible to reduce or avoid exposure to risk (Hampton, 2009).
3. Overview of Enterprise-wide Risk Management
Awareness of the presence of risk in international business is deeply rooted among senior managers. It is compatible with company objectives that treat risk as a necessary, indeed integral, part of all companies, and taking a risk is deemed an obligation, because the aim is to manage risk and not to eliminate it. ERM in this perspective is seen as a tool to manage a company in order to create and maintain its value and to encourage risk-taking that is considered economically and legally acceptable. This approach determines the need to develop a detailed methodology and adapt organizational solutions. The last aspect is typical for companies operating on several continents, which focus their efforts on introducing consistent corporate governance across all their departments (Ślusarczyk, Golnik, 2014; Pietrasieński 2011). In this case, risk is defined as any doubts or events that may have a positive or negative impact on company stability, its reputation or on achieving its strategic, financial and operational objectives.
Corporate ERM is based on international norms and standards of risk management, such as:
- ISO 31000 standard (Purdy 2010),
- COSO 2: Managing company risks 2004 framework,
- FERMA: 2003 risk management framework.
Although it reserves that it does not seek to follow all of them precisely, it provides further coordination within its business and geographic structures and all controlling activities. In other words, risk management involves a series of complex actions whose aim is to determine the appropriate behavior in the case of a risk (Staraby a, 2012). These are summarized in the risk policy, which describes how risk is managed. It sets the framework for the implementation of individual activities and the indicators for its measurement, because each risk sooner or later has to be covered by policy specifications. Monitoring the effectiveness of the risk management system must consist of the following elements:
- Precise determination of framework in the risk area
- Determination of limits of risk exposure in accordance with overall level of risk appetite accepted by capital group
- Explanation of risk management rules determining the owner and managing authority
It is extremely important to make sure that policy procedures are complete and operationally implemented, because during the annual risk review, the following elements are assessed: risk treatment in the previous period and its changes in analyzed period, significant events that occurred in the previous period in the light of the previous assessment, monitoring of risk management by control committees, maturity of ERM implementation and its audits, external consultants and rating agencies.
The following part of the article presents concepts and definitions used in the risk management of an international capital group. It determines the premises necessary for proper risk reviews, which are divided into three areas: identification, assessment and ways to handle risk.
Identification – among many risks, the aim of this process is to detect the most important ones by answering the following question: What are the main risks that may hinder achievement of the company’s objectives? During a deeper risk review, it is recommended to form interdisciplinary teams at various levels of the organization. They should brainstorm the risks connected with running the business. Participants in this work should be selected so as to ensure maximum use of their unique expertise (Dima, Man, Grabara, Ciurea, 2010). When it reaches a sufficient level, the process can be improved by individual conversations with the owner of a given risk. In addition, announced as well as random audits and controls should be carried out at every level of management of a given risk. Identification of significant events makes it possible to gather more reliable information about a risk and the probability of its occurrence. It also makes it possible to test control effectiveness, because a risk that occurred previously can be simulated. This does not mean that all events should be identified, only those which are most characteristic for a given area, industry or territorial unit. The risk officer or his representative should hold conversations with all risk beneficiaries in the organization and, based on this information, prepare a list of potential risks in order to develop ways to manage them. The following questions can be used during these conversations:
- Could you enumerate 5 top risks in your business area?
- Is there a risk that is not indicated on the risk map in your area?
- In your opinion, what level of legal, financial and loss of reputation risks is reasonable for your area and what level is reasonable for a group?
- Is there any risk in your unit which can be compensated elsewhere?
- What could be effects and probability of risk occurrence in your unit?
- Do you think that new action plans will allow for maintenance of ways to reduce risk?
- Can you identify opportunities that were not included in plans due to their niche or assignment to another unit within the group?
Assessment – When risks, their causes and consequences have been identified, they must be assessed based on the criteria of impact and probability. Then an assessment according to the third criterion, which is responsible for risk monitoring, should take place. Although the assessment should be representative, it does not have to include many specifications; on the contrary, it should be rather general. First of all, we should know whether the risk is potentially disastrous or merely minimal. The time frames specified by the group are divided into three periods:
- Short-term – 1 to 3 years,
- Medium-term – up to 6 years,
- Long-term – over 6 years.
If it is possible, the medium-term period is preferred.
Determining a risk scenario may be necessary to determine the effect on risk. When defining it, one needs to be aware that many variations are possible, depending on whether we choose a reasonably pessimistic scenario or a very pessimistic one. Financial impact is considered as a variation in relation to medium-term plans. According to the policy, the impact is assessed as a percent of annual EBITDA on a scale of 0 to 5, where 0 is the lowest and 5 is catastrophic in consequences. The aim of this scale is to compare the annual impact of risk on the results of operational activity excluding amortization.
Regarding probability of occurrence of an event, it is advisable to compare several points of view. They are also assessed on a scale of 0 to 5, where 0 is the lowest and 5 is the highest probability. Assessments based on the worst impact and probability are not representative and cannot be used.
Risk indicators are objective measures allowing for assessment of exposure to risk or control effectiveness. Among the indicators, units should try to identify those that are most important.
Way to handle the risk – it applies to all actions taken to reduce risk. A risk mitigation strategy refers to a specific risk; it is consciously chosen and adapted to the appropriate business unit. In addition to actions whose aim is to reduce the negative effects of risk, the view that risk can be transferred to other sources through diversification is promoted. Leaving a risk without corrective actions is also acceptable; however, this means that it can be measured and that it falls within the acceptable norms. Some companies even specialize in the discovery of new risks. They manage them skillfully, building a competitive advantage in this way. Measurement of risk monitoring illustrates the extent to which risk management has brought about the established optimal level. It may also happen that the risk is caused by external factors and the analysis shows a lack of room for maneuver on the part of the company; the risk then becomes acceptable, but in this case the actions monitoring and controlling it are intensified.
The article indicates that at the present time, due to volatile financial markets and an ever-changing business environment, an organization that operates on international markets cannot function effectively and be competitive without continuous recalculation of risk. Companies are beginning to treat risk management as a regular part of company policy. In order to manage the organization efficiently, large multinational companies, especially those operating on different continents and in different social, political and legal conditions, develop specific mechanisms and tools to estimate risk effectively. Identification and assessment of the risks which may hinder the company from achieving its objectives make it possible to determine the ways to handle risk, and thus to build a risk mitigation strategy. Determining the level of individual risks allows policymakers to make decisions within the limits of acceptable legal and economic risks, without the risk of a negative impact on the company’s stability.
BRCCI – Business Resilience Certification Consortium International (www.brcci.org)
We are thankful to the author for allowing us to post this insightful article on our website.