Risk Management: The Agile Enterprise
Integrated business planning for mitigating risk.
By Jeff Rice and Stephen Franks
Business as usual is a thing of the past. Political transformation, increasing governmental mandates, fluctuating energy prices and increasing competition are just a few of the factors making business anything but usual. Today, virtually all business can be deemed “risky business.” While uncertainty impacts risk, it does not necessarily make business perilous. In fact, risk is critical to any business — for nothing can improve without change — and change requires risk. Conversely, an unwavering commitment to the status quo creates even more risk. Therefore, regardless of a company’s position on risk, it must be understood and managed.
While risk is inherent to any business, its impact can vary according to a number of factors including globalization, competition, input costs, compliance, weather, exchange rates, regulations and competition, just to name a few.
Risk can be segmented into two categories: direct and indirect. (Some companies use the terms internal and external.) Direct risks are those that the company has control over or can impact. Direct risks often pertain to the company’s labor force, supply chain, operations and competitive position. Indirect, or external risks, include factors beyond the company’s control. Interest rates, foreign exchange rates, weather and energy costs are examples of indirect risks.
Another factor affecting risk is efficiency. The age of specialization has introduced heightened levels of efficiency. For example, many manufacturing companies have successfully trimmed excess capacity to the point where production is optimally balanced with demand. While this alignment has reduced inventories and helped supply chains become leaner, it hinders a company’s ability to react when new situations, opportunities and threats occur.
Specialization, combined with functionally based operating departments (sales, operations and finance), can also mask the impact of uncertainty at the enterprise level. For example, the shop foreman might have the correct information needed for accurately estimating the downtime of a particular machine; however, he or she may not understand the machine’s impact on down-stream activities. This creates uncertainty for each person managing downstream processes. In addition to the uncertainty caused by the machine’s downtime, the managers must deal with the uncertainties within their respective silos.
Rarely, if ever, do these situations create isolated yield variances. In fact, typically the opposite is true as statistical variations increase exponentially along the supply line. Consequently, senior management cannot accurately determine which process improvements will yield the highest return, nor can they determine the optimal sequence for executing these improvements. As a result, capital allocations, which are also silo-based, fail to deliver the anticipated return.
React. Reduce. Remove.
Companies, regardless of size or industry, must routinely deal with risk whether through a formal process or an informal, ad hoc process. In other words, business leaders can manage risk or allow risk to manage them. While the levels of risk and related activities vary widely among companies, the foundation for creating effective risk management strategies must include analyses and planning.
Many companies choose to react to undesired outcomes “as they occur.” While this reactive approach is a widespread practice, it is becoming less appealing as business and market volatility continue to escalate. Additionally, the reactive approach to managing risk requires companies to alter their strategies excessively. This can dilute the company’s focus and needlessly increase costs by redefining operational plans each time significant variances occur.
Given sufficient capacity and flexibility, some companies may achieve satisfactory results through reactive risk management. However, in most cases, organizations lack the ability, knowledge and systems needed to continually change courses and re-plan with confidence.
Another approach to managing risk is to reduce the risk itself, as well as its potential impact on the company. While reducing risk decreases uncertainty, it typically requires greater resources than the reactive method.
The third approach to managing risk is to remove the risk itself or its impact. At first, removing risk may appear to be the best approach to risk management. However, removing risk (or its impact) is often too costly and dilutes return on invested capital.
As illustrated in Figure 1, each approach to risk management requires time and resources, most often capital, to determine predictability. The level of investment for each approach is represented by the size of the circles. Reacting to risk as it occurs obviously requires less time and fewer resources than the alternative approaches; however, predictability is proportionately lower.
More Risky Business
The most obvious and effective means of dealing with risk is to remove it completely. This may require substantial investments in plant and processes and may be difficult to achieve from a financial perspective. Nevertheless, enhancing a process to the point where risk is eradicated is certainly possible. For example, the Six Sigma business strategy focuses on eliminating risks resulting from product or process defects. Specifically, Six Sigma targets an efficiency rating of 99.9997 percent in terms of DPMO (defects per million opportunities). In other words, risks pertaining to defects are removed.
If the removal of risk is not economically viable, companies may opt to cushion or “buffer” processes from high levels of variance. This is most often achieved by the creation of excess capacity, providing greater flexibility or using inventory as a buffer between successive operations.
The Kanban system, invented by Taiichi Ohno at Toyota in the 1950s, uses a chain of inventory buffers to mitigate risk and variance. While buffering can be effective, managers must understand the statistical fluctuations inherent in the system. Without this insight and understanding manufacturers cannot determine the optimal quantities needed to buffer each process.
Perhaps the Prussian Marshall Helmuth von Moltke said it best back in the mid-1800s: “First weigh the considerations, then take the risks.” While von Moltke’s succinct quote holds true today, business leaders are ill equipped when attempting to “weigh the considerations.” Businesses with ever-increasing value chains are more complex than in years past. As mentioned earlier, risk is easily managed when compartmentalized. But risk does not adhere to boundaries. Risk that began with a supplier of raw materials may quickly expand onto the shop floor; then into distribution; then the end customer, legal, compliance, and ultimately the bottom line.
|Sample types of organizational risks
|• Cost of Finance
• Foreign Exchange
As stated by von Moltke, risk management can be divided into two basic activities: weighing the available options or considerations, then taking the risk. Therefore the challenge resides in understanding the best choices within a portfolio of options. Prior to the age of specialization (and automation) business in general was far less complex. During these times companies could effectively manage risk using simple “if-then-else” logic. But complexity and volatility often work in tandem. As a result, today’s business environment requires new approaches to managing an ever-expanding assortment of risk.
Integrated Business Planning
As previously stated, managing risk is accomplished through one of three approaches: 1. react, 2. reduce or 3. remove. All three approaches or base solutions rely on a foundation of understanding. Each requires a comprehensive understanding of uncertainty. Then the potential impact of the uncertainty must be quantified in financial terms. Next the company must understand and quantify the potential impact of alternative choices, then compare each to determine the optimal course of action.
Before quantifying the risk, decision makers must understand the nature of the risk. This is accomplished through a cyclical process designed for continuous improvement. While many processes for managing risk have been introduced, most are similar to the Plan-Do-Check-Act cycle used by American statistician W. Edwards Deming.
The International Organization for Standardization presents a similar cycle in a draft of its risk management document, “ISO 31000 Risk Management: Principles and Guidelines on Implementation.” (More information is available at www.iso.org.)
As illustrated in Figure 2, after risks are assessed and evaluated, the appropriate risk treatment can be determined and implemented. Risk Treatment, as defined in ISO 31000, includes the following options:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to risk;
b) seeking an opportunity by deciding to start or continue with an activity likely to create or maintain the risk;
c) changing the likelihood;
d) changing the consequences;
e) sharing the risk with another party or parties; and
f) retaining the risk, either by choice or by default.
Selecting the right treatment requires proper evaluation of the risk and accurate modeling of alternate choices or activities. In other words, both the existing risk and the alternative actions must be quantified in order to determine if the alternative approach provides greater opportunities compared to the status quo.
|Enterprise optimizer risk management solution|
|• Holistic modeling of risk including financial and operational constraints
• Financial investigation of risk with analytical, simulation and optimization capabilities
• Scenario management and workflow to support executive review and decision-making
• Planning capability to execute strategic and operational decisions
Many solutions may require multiple treatments. For example, process network redesign may include outsourced providers, which changes the likelihood (c) and consequences (d) of the risk, as well as shares the risk with other parties (f). Multiple treatments may be found in a number of risk management activities including capital planning, inventory policy, segmentation and supplier hedging.
Understanding the Nature of Risk
In order to make effective capital planning and business decisions that mitigate the impact of risk, managers must understand the relevant risk factors, their interactions, aggregations and consequences. Obtaining this level of understanding requires managers to:
- create a comprehensive model of the processes
- model the risk
- quantify (predict) the impact of each element of risk
- analyze the operational and financial consequences of such aggregated risk
- understand what risk areas are the most critical, then simulate the potential actions as well as the required investments.
Accomplishing this requires a sophisticated and intelligent modeling environment; one that can utilize powerful simulation and optimization techniques. This enables a simulation process which maps the statistical fluctuations of each area of risk into the model. Once the model is created, managers benefit from the rapid execution of mathematical analysis against the model, as well as creating alternative scenarios. Users can conduct hundreds of scenarios, each using hundreds of constraints and millions of variables, without having to reconstruct the model. Using rapid scenario analysis enables managers to quickly identify which scenarios will deliver the optimal solution under a given set of circumstances. For example, automakers could model and quantify the financial impact resulting from a sudden rise in oil prices. In this example, a single model would be used to simulate market conditions, distribution costs, production costs and related variables. The model, which would provide insight for decision makers across the enterprise, could also be used in determining profitability by model, by customer and by channel.
|Scope of International Standard ISO 31000|
|International Standard ISO 31000 provides principles and generic guidelines on risk management. Any public, private or community enterprise, association, group or individual can use this International Standard. Therefore, this International Standard is not specific to any industry or sector. (Note: For convenience, all the different users of this International Standard are referred to by the general term “organization.”)This International Standard can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. This International Standard can be applied to any type of risk whatever its nature, whether having positive or negative consequences. Although this International Standard provides generic guidelines it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.
It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors and does not replace those standards.
Printed with permissions from the International Organization for Standardization.
About ISO 31000
Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on organizations’ objectives is “risk.”
All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail.
While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. The standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
Although the practice of risk management has been developed over time and within many sectors to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context. Each specific sector or application of risk management brings with it individual needs, audiences, perceptions and criteria. Therefore a key feature of this International Standard is the inclusion of “establishing the context” as an activity at the start of this generic risk management process.
Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria — all of which will help reveal and assess the nature and complexity of its risks.
Jeff Rice (email@example.com) is the director of communications at River Logic, Inc. (www.riverlogic. com), a Dallas, Texas-based provider of Integrated Business Planning (IBP) and advanced business modeling solutions. Stephen Franks, Ph.D. (sfranks@ riverlogic.com), provides strategic advisory services within River Logic’s Consumer Packaged Goods and Supply Chain practices.