Risk: A threat to an organization that reduces the likelihood that the organization will achieve one or more of its objectives.
Threats from the environment may prevent an organization from achieving its objectives and can affect many levels of an organization. Management can make bad decisions or employees can squander or steal organizational assets (e.g., the finance clerk at the Salvation Army in Toronto in January 2006). Problems can also arise from ineffective efforts to deal with risk, such as management’s failure to identify and properly react to changes in the organization’s service delivery model (e.g., what new risks might arise from the incorporation of computer technology in literacy training). Problems within the organization may result in inaccurate information processing, lead to non-compliance with regulatory constraints, allow fraudulent activities to occur, or suggest a risk of organizational failure. Risk comes in many forms and we will discuss a general framework for managing risk in this column and flesh out these ideas in later columns.
Managers today are making efforts to manage risk proactively in many organizations, with a focus on avoiding problems before they occur, and minimizing their impact when they are unable to prevent them, rather than reacting with crisis management after the fact. To better ensure that risk is addressed by senior management and the boards of directors, organizations are adopting various approaches to risk management. One rather generic approach was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004 called “enterprise risk management” (ERM), which is defined as follows:
Enterprise Risk Management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (p. 2)
Effective risk management recognizes that:
• Risks affect organizations in various ways (e.g., achieving strategy, performing effectively, reporting faithfully, and complying with regulations fully).
• Risks are interrelated (e.g., one risk event may trigger other risk events).
• Risks can only be managed through intervention by management or other stakeholders.
However, intervention in the case of one risk may create unintended consequences, often in the form of new or increased risks in other areas. This linkage necessitates that management adopt a cost/benefit view and balance the direct and indirect consequences of intervening to manage a specific set of risks.
The internal environment of the organization is critical because it underlies all other elements of risk management. Specifically, the internal environment reflects the attitudes, approach, and competence of management and the board toward risk management. If boards hire competent and honest management whose personal goals are aligned with the organization, many other forms of control may be reduced. However, undue reliance on management to “do the right thing” often creates incentives and opportunities for managers to act contrary to the wishes of the board, even if managers had no initial intent to “do the wrong thing” and were indeed fully committed to the mission of the organization.
Management, with oversight and input from the board, should design a portfolio of risk responses that is consistent with an appropriate appetite for risk. Once identified, risks to an organization can be dealt with in one or more of the following ways, depending on the nature of the risk and the resources available:
• Avoidance: The organization may attempt to avoid some risks by carefully circumscribing its activities (e.g., avoiding certain services or activities). For example, an international charity might only work in countries that are cleared for travel by the Department of External Affairs.
• Sharing: Risk sharing involves transferring, at a cost, all or part of a set of risks to another party. For example, the main way that many nonprofit organizations share risk is via insurance (paying premiums) to cover those risks that are a) identified and b) deemed insurable.
• Reduction: An organization may attempt to reduce many risks by designing and implementing proactive policies, procedures, and processes. This is the toughest area of risk management as it can result in creation of bureaucratic procedures to deal with risks that have a very low probability of occurrence.
• Acceptance: Some risks may be accepted as an inevitable, unavoidable result of the organization’s goals. For example, Doctors without Borders has to accept the risk that in some of the locations in which it provides services there may be a threat of insurrection.
To illustrate these ideas, consider a credit union¹ based in Kingston in 1997-98. A major identified risk common to many community-based credit unions is that they will make loans to individuals who will not be able to make the payments in the future. Community-based credit unions focus their risk management on the individual borrower by implementing a number of formal processes and policies to screen potential borrowers before making a loan, to evaluate collateral, and to monitor a borrower’s condition after a loan has been approved. Yet, unlike nation-wide banks, community-based credit unions are especially exposed to events that affect the entire community.
Consider how events that occurred in Kingston in 1997-98 may have affected our hypothetical community credit union: an ice storm ripped a path of destruction across Eastern Ontario and Western Quebec, including the Montreal region. This was the first event of this magnitude in over 50 years, and a distressingly large number of people in Kingston incurred large expenses to rehabilitate their properties and businesses, some of which were not covered by insurance (“Act of God” exclusion clauses can be quite broad) or government assistance. Some borrowers were therefore unable to make the payments on their loans. As a result, the credit union’s financial performance suffered greatly, with a large increase in delinquent and defaulted loans. While the institution may have effectively adopted the strategy of accepting this risk, it may have failed to consider the risk of such a storm, or of a similar community-wide negative event, which would impact its borrowers.
Now, imagine that the credit union survived this hit to its financial performance. Management would have to give serious thought to how to mitigate this type of risk in the future. One reaction could be to insure the risk by transferring some mortgage loans to other credit unions, thereby creating a country-wide loan pool. This would allow the institution to diversify its loan portfolio and reduce its risk from any single catastrophic event like an ice storm. Another approach could have been to reduce its risk by insisting that customers have insurance that covered the full value of the asset, with only very limited exclusions allowed in the policy. Another strategy that might be considered is to join a large organization of credit unions, yet that would have flown in the face of the credit union’s raison d’être to be community-based. Yet each of these potential mitigation approaches may itself trigger risks that need not be apparent at the time of adoption. For example, what happens if a major credit union member of the loan pool goes bankrupt due to fraud and its loans in the pool have to be sold at a loss?
So, risk management and accountability in the governance context certainly has a role for insurance. However, to think that you have successfully managed your organization’s risks by reviewing your insurance coverage and filling in the gaps may leave you more exposed than you think.
1. The credit union in question is completely fictitious. Any resemblance to any credit union operating in Kingston at that time is completely coincidental as the financial institution faced a weather-related systematic problem in another part of Canada.
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise Risk Management — Integrated Framework. URL: http://www.coso.org/documents/coso_erm_executivesummary.pdf [February 20, 2012].
Steven Salterio, PhD, FCA, is Editor-in-Chief, Contemporary Accounting Research, and Director, CA-Queen’s Centre for Governance, as well as Professor of Business, School of Business, Queen’s University, 143 Union St., Kingston, ON, Canada K 3N6. Email: email@example.com