Most CEOs would identify with the need for a more rigorous framework for monitoring and ensuring good practices in the boardroom. However, at the other end of the corporate spectrum (the operational level), poor risk assessment can also damage corporate performance and reputation. The Barings scandal of the mid-1990s shook the financial world to its very core. Barings bank sustained a loss of $1.4 billion, attributed to its rouge trader, Nick Leeson. Leeson was vilified in the world press and subsequently served a jail sentence. The Baring’s report detailed how Leeson recklessly abused his position and also described the weaknesses in the internal control systems of the financial institution.
The business world took note and tightened the corporate reins, secure in the knowledge that this anomaly was ascribed in the main to a characteristic flaw in Leeson. It appears that following the initial close scrutiny of controls in the aftermath of the Barings debacle, financial institutions relaxed their stance on operational risk. How else can one explain the AIB Allfirst scandal? John Rusnak (another rogue trader) yet again abused weak control systems, which resulted in losses for AIB of $750 million. The Ludwig report, like the Barings report, pointed to weak internal controls compounded by the loose relationship between the parent company and the subsidiary.
These remarkable examples of mismanagement, have served to highlight the need to address corporate operational risk. Indeed, this risk is not confined to the financial services industry.
Recently the New York Times, a newspaper synonymous with quality reporting, revealed that one of its journalists had fabricated news reports over an extended period. The newspaper felt obliged to print the full extent of his phoney journalism as a gesture of atonement. Sadly, it may take years, if not an entire generation, for the paper to restore its reputation, such is the damage caused.
Consequently, the management of operational risk has been pushed to the top of many CEOs agendas in recent months and has been widely acknowledged as central to good corporate governance. Indeed, some would go so far as to state that operational risk is a fundamental part of the risk profile of a firm (Foot, 2002:314). This attention has identified key barriers that affect the ability of firms to control operational risk. These barriers include defining and quantifying firm-specific operational risks. As the task of managing operational risk is resource intensive, it is not addressed to the same degree across financial institutions. Larger firms have committed to strategically integrate operational risk management, while smaller firms have made a weaker pledge to guard against operational risk, as represented by their crude measurement techniques and the extent of resource allocation to this area (Garver, 2002). The problem with effective operational risk management is that this activity does not generate revenues and thus, is hampered by inadequate funding (McEachern, 2002).
To ensure that the management of operational risk is addressed universally, there have been suggestions that the appropriate solution is a regulatory response, for example mandatory international capital standards for financial institutions. Indeed, the suitability of dealing with operational risk at a regulatory level has been recognised by the recent Basle Committee proposals, which will be implemented by financial institutions in 2004. These proposals strive to protect financial institutions from operational losses by stipulating that capital at risk (due to operational functions and activities), form a component part of the overall capital base. Capital at Risk is identified by internal risk rating systems, specifically employed to set capital requirements (Garver, 2002). Others disagree with this legislative approach and suggest that this problem is best dealt with at a micro firm level.
At a recent roundtable1 established to discuss the various risks that challenge companies, Muermann and Oktem, (2002) suggested an eight-step programme to identify firm-specific operational risks. Their near-miss management approach is designed to provide insight into extreme loss events. They suggest behaviours to devise management responses to limit the incidence of low frequency, high impact occurrences. Paradoxically, they note that extreme profits can be an indicator of latent operational risk. They suggest putting these controls in place and continually reviewing them in light of changing technology and the benchmarks against which they are assessed. This approach is particular to each firm and stakeholders may have difficulty comparing the efficacy of operational risk management on this basis.
While the spectrum of corporate risk includes governance and operational concerns, other areas within this spectrum also have the potential to damage current and future earnings. Market risk, credit risk, reputational risk, and regulatory compliance risk (among others) are examples of the variety of corporate risks. These risks are typically managed in a singular way and now operational risk is added to that ever-growing list. This fragmentation is evident in the range of managerial functions that have a risk management focus. For example, internal auditing, corporate secretary, treasury functions, health and safety management, and most recently, the operational risk management function. It is not surprising then, that the management of operational risk which is difficult to predict and quantify and which adds significantly to costs, is seen in less than an enthusiastic light. So, the CEO’s choices appear to be either burdensome additional legislative requirements or another layer of management control and monitoring. There is however, another way.
The management of operational (and other) risk (s) can be conducted at the market level, explicitly through the intermediation of the insurance market. Corporations require access to funding of various types and one categorisation would make a distinction between deterministic (planned) financing and contingent financing. Insurance is a prime example of the latter. In the past, a financial manager would not have included insurance purchasing as part of his or her domain of responsibilities. Yet, when one defines insurance within a broader financial context, then immediately alternative strategies for the funding of insurable losses spring to mind. For example, a pre-agreed line of credit would serve to provide a source for financing losses but while it represents a better way of controlling the cost of losses2, it also has leverage implications. This broadening of the role of insurance has been one of the most innovative developments in the international insurance and reinsurance industries in recent years.
By integrating the various corporate risks, they can be treated holistically and transferred en masse to the insurance market. This alternative has many benefits; reduced corporate losses, a decrease in the management effort and time and the security of the firm’s reputation. A holistic treatment would;
(i) Identify and assess all risk exposures,
(ii) Formulate control strategies for each risk,
(iii) Integrate, where possible, the control strategies in (ii).
Alternative Risk Transfer involves the use of conventional finance techniques and methodologies to manage risk exposures, usually or perhaps historically handled by the insurance sector. This trend has been complemented by the raised awareness of risk related issues3. The integration process, mentioned above, would formulate a measure of the cost of risk. Value at risk (VAR) concepts have been used in this context for a number of years and are an important measure, used in the financial appraisal of performance. For example, a 95 per cent VAR would indicate a loss frontier, that could be exceeded with a 5 per cent probability i.e. losses should be within this figure, 95 per cent of the time. Furthermore, integration of corporate risks would formulate control strategies that would exploit synergies across different exposures and maximise the risk absorbing capacity of the firm.
To illustrate this notion, assume a U.K. based drinks wholesaler buys large volumes of wine and therefore, is exposed to a variety of exchange rate risks. Additionally, the company is concerned with the increasing cost of liability insurance protection. Currency futures and public liability insurance are the appropriate hedging tools available in this case. Each may be bought at the point at which the firm can safely absorb losses. Typically, departments that operate independently from each other buy these hedges separately. An integrated approach would identify the ability to create an internal hedge by buying insurance from a Eurozone insurer with limits expressed in Euro. Thus, the increased cost of wine imports, due to an exchange rate change, could be offset by the recovery of insurance claims that are converted at the higher rate.
A more formal solution would respond to the need for an insurance product that exploits the total risk capacity of a firm. Thus, a liability loss or a currency related increase in costs (if one or the other occurs), does not present a problem. However if both occur, then a hedging instrument that integrates both loss-types is required. An insurance policy that will pay, not the amount of liability loss, but rather the cost of a currency option is one integrated approach that accomplishes this task.
The following example will illustrate this integrated approach to risk management. The key to creating a situation where an internal hedge is possible is when one managerial function is entrusted with the task of identifying all corporate risks, (internal and external). A corporate risk manager charged with this role could formulate strategies for managing these risks. Indeed, in some cases it may be possible to integrate risk exposures within one insurance product.
For example, assume that a company is concerned with potential losses arising from fraud, committed by an employee (an operational risk involving rogue trading). The company is also concerned that future commodity-price increases could push up the cost of raw material inventories (market risk). The corporate risk manager can cover these exposures by purchasing fidelity guarantee insurance and a commodity call option. The former can indemnify the company for losses relating to fraud and embezzlement, while the latter can protect against a price increase in commodities (like oil and rubber). This strategy involves the purchase of separate hedging products, increasing the costs to the company. Integrating the various exposures and examining the maximum loss the company is willing to sustain, can substantially reduce these costs.
To demonstrate this point, assume that the company is faced with a loss potential of Ä20 million from each exposure and has the capacity to internally absorb just a single loss of this magnitude. Ideally, it requires a financing instrument that would pay out Ä20 million if both of these exposures materialize within one time-period. A dual-trigger insurance policy would respond in this way. The premium would be calculated to cover the cost of a call option on the commodity risk and this cost is spread across a portfolio of insurable risks.
Let’s say that the frequency of a fraud claim is 0.1 and the cost of a commodity option is Ä3,000,000, then a dual trigger hedge would cost Ä300,000. The central idea is that an insurance policy will pay for the cost of an option, if the insured events both occur within the specified time-period. This concept integrates a variety of risk variables, optimises a firm’s ability to absorb losses, and produces significant cost economies. In the example above, the cost of procuring separate hedges would amount to Ä5,000,0004 versus a dual trigger hedge cost of Ä300,000.
To conclude, corporate risk management is a hot topic in recent times and with good reason. The growing complexity of international trade has seen an increase in associated risk exposures that require innovative and practical solutions. The regulatory and firm-specific approaches facilitate the identification and monitoring of various exposures, including operational risks. However, dealing with each risk separately has some disadvantages. For example, there are no cost economies and the overall profile of corporate risk exposures is fragmented. A market-based solution to this contemporary challenge is provided by the international insurance and reinsurance industries. Dual-trigger hedging products (options on options) for integrated risk exposures are innovative holistic methods of managing corporate risk.
Michael McMahon is a lecturer in risk management and Antoinette Flynn is a lecturer in accounting and finance at the Department of Accounting and Finance in the University of Limerick.
References:
Foot, M. (2002), ‘Operational risk management for financial institutions’, Journal of Financial Regulation and Compliance, Vol. 10, No. 4, pp. 313-316.
Garver, R. (2002), ‘Fed says big banks unprepared on op risk’, American Banker, Vol. 167, No. 225, pp. 1-2.
McEachern, C. (2002), ‘Not what it used to be; risk-management technology spending’, Wall Street and Technology, Vol.20, No. 12, pp. 36.
Muermann, A. and Oktem, U. (2002), ‘Near-miss management of operational risk’, Journal of Risk Finance, Vol. 4, No. 1, pp. 25-37.
1 Wharton School/Oliver, Wyman and Company, Risk Roundtable (2002).
2 The interest rate is agreed in advance and is not re-negotiable, unlike insurance costs.
3 For example, the Enron scandal has triggered a range of initiatives in several countries that address the area of corporate governance, e.g. the Hicks report in the U.K.
4 Ä2,000,000 fidelity guarantee insurance and Ä3,000,000 commodity option. |
