Integrated Performance Management: A Guide to Strategy Implementation

Managing Risk, Managing Value

By:Kurt Verweire

Edited by: Kurt Verweire & Lutgart Van den Berghe

Book Title: Integrated Performance Management: A Guide to Strategy Implementation

Chapter Title: "Managing Risk, Managing Value"

Pub. Date: 2004

Access Date: April 17, 2022

Publishing Company: SAGE Publications Ltd

City: London

Print ISBN: 9781412901550

Online ISBN: 9781446211618


Print pages: 69-84

© 2004 SAGE Publications Ltd All Rights Reserved.

This PDF has been generated from SAGE Knowledge. Please note that the pagination of the online

version will vary from the pagination of the print book.

Managing Risk, Managing Value Managing risk, managing value KurtVerweire AND LutgartVan den Berghe

‘Managing risk, managing value’ is the title of an executive briefing on enterprise-wide risk management, written by James DeLoach.1 The statement reflects very well the importance of new approaches to risk management when formulating and implementing a company's strategy. In a more volatile world, the challenge for companies is increasingly to take a proactive approach and to understand better the odds of the game. A company's share price is significantly influenced by the way it is able to anticipate and to manage an uncertain future. Some corporations have boosted their market value by carefully developing risk management strategies. Others have destroyed it by a lack of adequate risk management procedures. Risk management is becoming important in boardrooms as well. For example, the Turnbull Report tries to establish best governance practices by adopting a risk-based approach to designing, operating and maintaining a sound system of internal control.2 Therefore, a book on Integrated Performance Management should at least offer an overview of the new developments in the risk management field.

In this chapter, we start with a definition and description of some basic concepts on risk and risk management. We then focus on the traditional approaches towards risk management and explore the new developments towards strategic risk management.3

(Strategic) Risk and Risk Management: Some Introductory Concepts Risk and Strategic Risk Defined

As the statement above indicates, risk is central in our daily lives. Although everyone has a notion of the concept of risk, no universally accepted definition exists. Often associations are made between risk and uncertainty, risk and danger, risk and damage, and risk and the probability of profit (speculative risks). According to Harold Skipper (1998), professor of risk management and insurance at Georgia State University, risk is commonly used to refer to insured items (‘that building is a poor risk’), to causes of loss (‘we insure against the risks of fire, windstorm …’), and to the chance of loss (‘the risk of loss is high’).

Statisticians and economists associate risk with variability. A commonly found definition of risk is: ‘the relative variation of the actual from the expected outcome’. Or put differently: ‘a situation is risky if a range of outcomes exists and the actual outcome is not known in advance’ (Skipper, 1998: 6). This last definition of risk can also be translated to the strategic context: we can use the term strategic risk to indicate ‘unpredictability or down-side unpredictability of business outcome variables such as revenues, costs, profit, market share, and so forth’ (Bromiley et al., 2001: 261). Strategic risk can also be defined as the probability of not realizing the intended goals and targets. Along similar lines, James DeLoach defines business risk as ‘the level of exposure to uncertainties that the enterprise must understand and effectively manage as it executes its strategies to achieve its business objectives and create value’ (2000: 50). From these definitions, it is clear that strategic risk and business risk can be used as synonyms to denote overall organizational risk. In the remainder of this chapter, we focus our attention on strategic (or business) risk.

Sources of Strategic Risk

There are various sources of organizational (and strategic) risk and various ways to classify them.4Operations risk, one of the main internal risks, is the risk of a defect in one of the core operating or processing activities (or capabilities). For most companies, the management of operations risks is where the action is. Competitive risk, or external risk, is the risk associated with changes in the competitive environment that could impair the business's ability to create value successfully. Asset impairment risk is a third source of risk. An asset becomes impaired when it loses a significant portion of its current value due to a reduction in the likelihood of receiving those future cash flows. Market and credit risk, as defined in the financial services industry, are good examples of this risk category. The impairment of intellectual property rights is another example in this respect (Simons, 2000). DeLoach (2000) adds another category of risks: information for decision-making risks. These risks arise when information used to support business decisions is incomplete, out of date, inaccurate, late or

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 2 of 13SAGE Books – Managing Risk, Managing Value

irrelevant to the decision-making process.

One special category of risk deserves some specific attention: misrepresentation and fraud. This risk can be considered as an internal risk, but is different in nature from the operations risk or the information for decision-making risk. Misrepresentation and fraud generally occur because employees are put under pressure (e.g., to show increased profits in periods of economic downturn). Then, they may misrepresent their performance or that of their business, or misappropriate company assets. Bad decisions can be covered up and expose the firm to the loss of valuable assets, or might even destroy the business. Of course, in many cases the management itself gets caught in this web. Examples are numerous, but the Enron case – for a long time considered to be one of the best managed companies in the risk management literature – is perhaps the most painful one.

All these different sources of risk ultimately influence the franchise (or reputation) risk. This is the risk that the value of the entire business erodes due to a loss of confidence by critical stakeholders. As such, it is a measure of stakeholder vulnerability. The franchise risk is not a source of risk, rather it is a consequence of excessive risk in one of the sources of risk (Simons, 2000: 262).

There are many other typologies of ‘organizational risk’, and there is great confusion about the terminology as well. For example, in Figure 5.1, the term ‘business risk’ is used in a more specific context than we have done so far.

Figure 5.1 Another classification of ‘organizational risks’

Risk has also been investigated in great detail in the finance and insurance world. Figure 5.1 distinguishes between market risk, credit risk and liquidity risk. In finance books, you will also find other risks (such as default risk, interest rate risk, exchange rate risks, etc.). Another common classification that finance researchers make is between systematic risk and non-systematic risk (or firm-specific risk). Systematic risk is the risk that is attributable to macro-economic factors (e.g., political risks). Firm-specific risk reflects risks peculiar to an individual firm that is independent of market risk (Bodie et al., 1999). If we talk about strategic and business risk, we mainly focus on the firm-specific risks.

The finance people have significantly contributed to new insights in the risk management field, and have developed new tools and techniques to monitor and manage financial risk. Financial risk management has been developed since the early 1970s when new risks, such as floating currencies, soaring oil prices

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 3 of 13SAGE Books – Managing Risk, Managing Value

and spiking interest rates, emerged. In order to cope with the increased volatility, corporate risk managers have used derivatives to handle fluctuations in exchange rates, interest rates and commodity prices. These derivatives are powerful tools for managing financial risks and continue to play an extremely important role, despite some well-known disasters (e.g., Metallgesellschaft, Orange County, Procter & Gamble). The insights developed in the finance literature have been applied to the analysis of non-financial, or real, assets. Real option theory is now used to evaluate investment projects that have important follow-on opportunities that the firm may or may not exploit subsequently. Another important development in the field of financial risk management is situated in the reporting on financial risk. Value at Risk (VaR) has become a popular standard benchmark for measuring financial risk. This measure has been widely accepted in the financial sector, but major companies (such as Microsoft and Philip Morris) now report their VaR calculations in their annual reports. We refer to the specialized literature for more information on these and other developments in the financial risk management field.

An organization's Sensitivity to Risk

It is not only important to understand the different sources of risk, but also the sensitivity of the organization to these risks (on whatever level). The organization's sensitivity to risk is a function of three components. The first is the significance or impact of the enterprise's exposures (I). This is the impact of an event/set of conditions that could harm the company or the realization of an intended strategy. This impact can be financial or non-financial (e.g., damage to reputation). The second component is the probability (or likelihood) of those different events occurring (P). In many publications on risk and risk management, attention is paid to these two elements.

An organization's sensitivity to risk is also determined by its ability to manage the business implications of different possible future events, if they occur (M). The residual risk is a function of these different elements:

There will always be some residual risk (sometimes called basis risk), either voluntarily (e.g., because the company has not the appropriate resources to do so or because there is no viable business reason to do so) or involuntarily.

Risk Management: What is it all about?

Given the many definitions and sources of risk, it is no wonder that there exist many definitions of risk management. Matthias Haller, professor for risk management and insurance economics at the University of St Gallen in Switzerland, defines risk management as ‘an overall concept of thought and action with the following purposes:

• To recognize and assess essential risks in systems threatened by risks, such as families, companies, social institutions;

• To tackle these risks systematically with the use of suitable instruments; • To draw conclusions for the management and the organization' (Haller, 1999: 16).

Other definitions of risk management are similar: ‘risk management is any set of actions taken by individuals or corporations in an effort to alter the risk arising from their primary line(s) of business’ (Cummins et al., 1998: 30). The purpose is to reduce the possibility or impact of future events harming an organization or to control the probability that results will deviate from the expected (Zech, 2001). Risk management is performed at different organizational levels. This might explain why risk management means different things to different people. The functional level is more concerned with the operations risks. If we go higher in the organization, then we talk about strategic risk management (other terms are: integrated risk management, holistic risk management or enterprise-wide risk management).

Modern risk management has its roots in a number of unrelated disciplines, all of which have contributed to our understanding of the concept. Christopher Clarke and Suvir Varma describe it this way:

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 4 of 13SAGE Books – Managing Risk, Managing Value

Military risk analysis led to the evolution of operational research. Personal and commercial risks generated the insurance and actuarial approach to risk management. Strategic risk analysis and the recognition that the future may not be like the past gave birth to scenario planning. Another approach is the use of option pricing theory to view different alternatives. Currency, interest and credit risks generated a banking approach to risk management and various hedging instruments. Operational and environmental risk management gave rise to contingency planning approaches.

(Clarke and Varma, 1999: 415)

In the remainder of this chapter, we discuss some new trends in risk management in greater detail. But first, we describe the traditional approach towards risk management. All this can be summarized in Figure 5.2.

Figure 5.2 Evolutions in risk management

Traditional Risk Management Approaches

According to David Laster, senior economist at Swiss Re, a firm has four possible approaches to managing a given risk: (1) risk avoidance; (2) risk reduction; (3) risk transfer; and (4) risk retention. The first two approaches minimize a firm's exposure to risk and are sometimes referred to as risk control. The latter two approaches are known as risk financing. The goal of risk financing is to fund losses arising from risks that remain after the risk control (Laster, 1999).

Risk Avoidance

Risk avoidance is the first risk management technique. If the pay-offs of a strategy or investment are too uncertain, a firm can choose to abstain from that strategy or investment. In this respect, the firm considers that particular risk unacceptable. What is acceptable or unacceptable depends on combinations of both internal and external factors. A firm might set for itself risk tolerance levels. Once these tolerance levels are exceeded, the firm might decide not to continue with a particular strategy, investment or activity. The firm must also take industry practices and market realities into account. For example, a firm that is unwilling to tolerate major risks and ambiguities cannot hope for much success in rapidly changing fields like pharmaceuticals, biotechnology or electronic commerce (Laster, 1999).

Risk Reduction

Every firm faces core risks fundamental to its business that it cannot avoid. There are three ways this core risk can be reduced: (1) loss prevention; (2) loss control; and (3) diversification.

Loss prevention seeks to reduce the likelihood of a given type of risk occurring. The standard examples of loss prevention measures are security devices (e.g., smoke detectors, burglar alarms, airbags or security guards). As with any risk management technique, loss prevention has its limits.

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 5 of 13SAGE Books – Managing Risk, Managing Value

Loss control techniques are designed to reduce the severity of a loss (i.e., the impact of the risk) should it occur. Firewalls and sprinkler systems are loss control techniques in the case of a fire. Stop-loss orders, which automatically trigger a sell order once the value of a stock falls below a certain threshold are a control technique for equity investors.

Diversification is a third risk reduction technique and is about putting your eggs in different baskets. Diversifying product lines across different sectors or countries might reduce the overall risk of a company. According to portfolio theory, a diversified investment portfolio yields a better risk/return profile than a non-diversified one.

Risk Transfer

When risks cannot be avoided or retained, they can be transferred to one party who is better equipped or more willing to bear them. Risks can be transferred to insurance companies: in exchange for an agreed-upon premium the insurer agrees to indemnify its client, up to a specific limit, in the event of a loss.

Another way that management can transfer risks is through hedging, which is the purchase or sale of goods or services for future delivery. Hedging converts an uncertain event into a certain one. For example, consider a French firm that exports most of its product to Great Britain. The firm is vulnerable to the fluctuations in the Euro/pound exchange rate. To offset its foreign exchange exposure, the firm might engage in transactions that bring it profits when the pound depreciates. Then the lost profits from business operations due to a depreciation of the pound will be offset by gains on its financial transactions.5

Risk Retention

Companies can also retain a variety of risks, whether voluntarily or involuntarily. Voluntary risk retention reflects a conscious decision to absorb certain risk exposures internally, because it is the most cost-effective way of addressing the risk. That is why many large companies have set up captives, which they use as an instrument of self-insurance. Involuntary risk retention occurs when a business fails to identify a given risk exposure and therefore bears the risk unknowingly. Be careful: a risk neglected is a risk retained!

Risk Control and Internal Control

What is the role of internal control in the traditional risk management process? To answer this question, it is necessary to reflect on what is internal control. There are many definitions of internal control. One of the most comprehensive frameworks on internal control was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). They define internal control as ‘a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations; • Reliability of financial reporting; • Compliance with applicable laws and regulations' (Committee of Sponsoring Organizations of the

Treadway Commission, 1992: 1).

Thus, the goal of an internal control system is to protect assets and to remove the opportunity for inadvertent error or wilful violations in transaction processing and performance measurement (Simons, 2000). The purpose of internal control, as described in this definition, is closely related to the goals of risk management. This is also acknowledged by the Canadian Institute of Chartered Accountants (1995). It argues that the effectiveness of control is dependent upon the extent that risk management goals are achieved: ‘Control is effective to the extent that the remaining (uncontrolled) risks of the organization failing to achieve its objectives are deemed acceptable. Control therefore includes the identification and mitigation of risks’ (Canadian Institute of Chartered Accountants, 1995: 2).

This means that internal control focuses on risk control, i.e., the avoidance and reduction of organizational risks. Risk assessment is one of the five components of internal control, as identified by COSO. These

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 6 of 13SAGE Books – Managing Risk, Managing Value

components should be present in every control framework, whether it is for a large multinational or for a small company. They are derived from the way management runs a business, and are integrated with the management process. COSO describes the five components as follows:

• The control environment sets the tone of an organization and influences the control consciousness of its people. It includes integrity, ethical values and competences of the people.

• Risk assessment is defined as the identification and analysis of relevant risks to the achievement of an entity's objectives. Based on this analysis, the entity can decide how to manage the risks.

• Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives. These activities occur throughout the whole organization, at all levels and functions, and include segregation of duties, audits, authorizations, adequate resources, reports …6

• Information and communication is a fourth component of internal control. Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities and to run and control the business.

• Monitoring is the process of assessing the quality of the internal control system's performance over time. It is the control of the control system. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two (Committee of Sponsoring Organizations of the Treadway Commission, 1992: 2).

These five components are interrelated, forming an integrated system that reacts dynamically to changing conditions. The internal control system should be intertwined with the entity's operating activities and is most effective when controls are built into the entity's infrastructure and are part of the enterprise.

Towards Strategic (or Integrated) Risk Management Strategic (or Integrated) Risk Management: What is it all about?

The traditional risk management approaches are increasingly being incorporated in the organization's management. However, during the last couple of years a more integrated view on risk management has emerged. This new approach has been labelled either ‘integrated risk management’, ‘strategic risk management’, ‘holistic risk management’ or ‘enterprise-wide risk management’. All approaches have in common that they aim at measuring, controlling and managing the overall risk of a company across all risk categories and business lines, using a consistent methodology. Integrated risk management is a ‘structured and disciplined approach that aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value’ (DeLoach, 2000: 5).

Traditional risk management in large corporations is fragmented and compartmentalized. Risk management resides with different people: the risk manager is responsible for pure risks, the treasurer manages financial risks and the chief financial officer tries to achieve an optimal capital structure. Each of these disciplines has its own techniques and its own language, which in turn reinforces specialization and fragmentation. The new approach aims at integration and addresses overall business risk. This requires coordination between the different risk management disciplines. Even if the individual managers are all masters of their respective specialties, their failure to communicate and coordinate with one another will result in a sub-optimal mix of financing, hedging and insurance. The example, described by David Laster, gives a good view on what risk management currently means in practice:

Consider how risk is often managed within a firm. The CFO determines the optimal capital structure with respect to debt and equity financing. Taking the structure as a given, the treasurer then devises a strategy for raising capital and hedging financial risks. Meanwhile, in a separate department, the risk manager determines the most expedient way of protecting against accidental and operational risks.

This conventional approach leaves ample room for improvements through coordination. A firm might, for example, be spending hundreds of thousands of dollars to insure its plant and equipment against accidental losses that would be far less devastating than a shift in exchange rates, against which it has little protection. By retaining additional hazard risk and using the savings in premiums to hedge some of its currency exposure, the firm can reduce its overall level of risk. Alternatively, if the insurance market is particularly soft, it might

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 7 of 13SAGE Books – Managing Risk, Managing Value

pay for a firm to increase its property/casualty coverage.

To make such decisions in a coherent manner, a firm must have a unified framework with which to view all of its risks. This will enable it to identify and measure its chief risks, or at least get a clear sense of risk management priorities and how much it should be prepared to spend to address them.

(Laster, 1999: 26)

As the focus of integrated risk management is on the enterprise-wide risk, it considers not only the negative side of the risk spectrum but also the positive side. Every company faces risks as it tries to capture the opportunities available in the environment. In fact, the business risks are those that the corporation willingly assumes to create a competitive advantage. The new approach towards risk management should provide the organization with the processes and tools they need to become more anticipatory and effective at evaluating, embracing and managing the uncertainties they face. Integrated risk management should enable the company to pursue strategic growth opportunities with greater speed, skill and confidence (Jorion, 2001).

Financial institutions have also noticed this shift in corporate risk management, and are developing new integrated solutions. These new solutions bring risk and capital together. Capital management has always focused on balance sheet optimization in order to minimize the cost of capital; risk management has focused on ensuring that cash flows are regular, predictable and as risk-free as possible, also with the purpose to minimize the cost of capital. Thus, risk management and capital management are two sides of the same coin. These new solutions, called Alternative Risk Transfer solutions, rely on more traditional risk mitigation and risk transfer approaches, but also take advantage of any internal risk hedging opportunities.

New Risk Management Philosophies: Higher Value Added

By setting these purposes, integrated risk management is approached from a totally different perspective: it becomes a tool for management to develop and assess the strategy of the organization. Furthermore, the focus now is on how to create value, rather than on risk control and loss prevention. This is perfectly illustrated in Figure 5.3.

Figure 5.3 Steps along the journey to enterprise-wide risk management

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 8 of 13SAGE Books – Managing Risk, Managing Value

James DeLoach (2000) sees different stages in the risk management perspective, with an associated value added for each step. Risk managementis a first stage and focuses on financial and hazard risks and internal controls. The focus is more on risk control and loss prevention, and it involves people from treasury, insurance and operations. Risk management tries to minimize unpleasant surprises (risk control and loss prevention) but pays no attention to the positive side of the risk spectrum. This changes when firms have reached the business risk management stage. The focus is now on the business risk and the linkage to the opportunity side is much clearer. The business managers are accountable risk by risk. In the last stage, which is labelled the enterprise-wide risk management stage, every decision that is made is meant to improve the organization as a whole. Enterprise-wide risk management becomes a disciplined and rational process of pursuing opportunities which can eventually lead to a greater exposure to performance variability, depending on the nature of the firm's business model.

The Different Steps in the Strategic Risk Management Process

It is quite clear that this new philosophy is not created overnight. Building capabilities in risk management is a continuous process, consisting of different steps. For the moment, there is no uniform framework of what the ideal integrated risk management process should look like. However, DeLoach's Enterprise-wide Risk Management (2000) provides some valuable lessons and useful ideas for companies which see enterprise-wide risk management as a powerful management process.

Figure 5.4 presents strategic (or integrated) risk management as a continuous process, which should ultimately result in better communication within the company, improved strategy formation and the leveraging of an organization's capabilities. Risk management should be aligned with an organization's strategy and processes. The best companies in this respect have specific and well-defined tasks, clear reporting relationships and designate risk-owners. Many publications on this topic favour a process view of enterprise-wide risk management (see, for instance, Clarke and Varma, 1999). However, DeLoach's framework is one of the most developed ones, and we therefore rely on his framework to explore the process in greater detail.

Figure 5.4 The Arthur Andersen enterprise-wide risk management process

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 9 of 13SAGE Books – Managing Risk, Managing Value

Strategic risk management generally starts with developing a common business risk language and setting clear goals, objectives and oversight structures. The lack of a common language inhibits communication and the sharing of best practices. Communication is central in the new approach towards risk management. Adopting a common language is a tool for facilitating an ongoing dialogue among the firm's managers and employees about risk and the processes affected by risk. The classification schemes, identifying the different sources of risk, are helpful instruments in developing a more systematic understanding of the risks of an organization. Apart from developing a common language, the top management should set clear goals and objectives for the risk management process. Business strategies should provide the context for understanding the risks the organization desires to take. Business policies add the tactical details to the implementation of strategies, and are useful in delineating desired and undesired risks. Top management should also set up clear and effective oversight structures and risk responsibilities. These might include: senior management working committees, a senior executive responsible for the overall organizational risk, job descriptions, authorization levels, clear reporting lines, and so on. In companies with an enterprise-wide risk management strategy, risk management structures go as high as to the board of directors, and the CEO is seen as the ‘comprehensive risk executive’.

A second step in the risk management process is to assess the risk and to develop risk strategies. Assessing risks includes: (1) identifying the risk; (2) sourcing why, how and where the risks originate; and (3) measuring the severity, likelihood and financial impact of the risk. Risk mapping is often used when assessing risks. The focus should be on the risks with a high impact and a high probability of occurring.

For the most important risks, the company should decide the appropriate risk strategy, as identified in traditional risk management: (1) risk avoidance; (2) risk reduction; (3) risk transfer; and (4) risk retention. It is clear that for some risks a company might choose to combine several of these different risk strategies.

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 10 of 13SAGE Books – Managing Risk, Managing Value

After the risk management strategies have been developed, a company needs to design and implement risk management capabilities. Capabilities include the processes, the people, reports, methodologies and technologies (both systems and data) needed to implement a particular strategy. All these different components should be aligned with each other.

The risk management process described so far needs to be monitored on an ongoing basis by using metrics, communications and periodic audits and evaluations. This monitoring should indicate where improvements are necessary and possible. This, in turn, should lead to improved risk management capabilities. The ultimate goal of this exercise is to develop information for better decision-making. In the ideal state, an enterprise-wide view ultimately leads the firm to integrating its business risk management information for decision-making with other information used in the business. The firm measures and reports what matters: all critical information relating to quality, cost, time and risk should be integrated in the performance management framework. In this way, risk management strategies have different functions:

• They support the firm's value creation objectives by reducing the performance variability inherent in its normal future operations;

• They protect accumulated wealth from unacceptable losses; • They leverage the firm's core competences to produce greater value.

Strategic Risk Management: A Continuous Process

The process as presented here describes an ideal state of enterprise-wide risk management. Hardly any company has reached this stage, either because of a lack of vision, resources or capabilities. Arthur Andersen is aware that developing enterprise-wide risk management does not happen overnight. The process described here is an iterative process, where an organization continuously improves its risk strategies. The higher the focus on improving performance, the more organizations will try to remove all significant inefficiencies, including in their risk management practices.

For each type (or group) of risk, the management must evaluate the relative maturity of the firm's risk management capabilities (for the most important risks the company is facing). This maturity model (see Figure 5.5) was originally developed for software development by the Software Engineering Institute (SEI) and Carnegie Mellon University, but it is an effective framework for discerning risk management capabilities and targeting desired capabilities. (We will again refer to this model in Part III of this book.) The management must make a conscious decision about how much capability is needed to continuously achieve its business objectives. Of course, management must also consider the costs and benefits of increased risk management capabilities.

Figure 5.5 Different stages in a maturity continuum

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 11 of 13SAGE Books – Managing Risk, Managing Value

Once these issues have been addressed, each firm must then decide where on the continuum it wants to be with respect to each type of risk that it intends to manage. Some risks are more important than others. Different risks require different degrees of capability to accomplish management objectives.


In this chapter, we have presented an overview of the most recent trends in risk management. It has become clear that (strategic) risk is a multidimensional concept and risk management has its root in a number of different disciplines. Here too, integration is increasingly becoming important. The new trend towards strategic (or integrated) risk management is the most prominent example in this respect. We have described the Arthur Andersen approach in greater detail, as it is one of the most extensive approaches found in the risk management literature. One of their main conclusions is that integrated risk management should be an integral part of Integrated Performance Management. It has to become more integral to the process of managing a business, not some appendage whose relevance is questioned (DeLoach, 2000: 209).


1 This executive briefing is based on one of the best publications on strategic (or integrated) risk management we have met so far: James DeLoach (2000). This publication offers valuable insights and frameworks for an innovative risk management approach.

2 The Turnbull Report is the abbreviated name given to guidance provided by the Institute of Chartered Accountants in England and Wales to enable UK companies to implement the internal controls required by

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 12 of 13SAGE Books – Managing Risk, Managing Value

the Combined Code on Corporate Governance.

3 We know that the term strategic risk management is sometimes used to indicate the management of external risks. We use the term more broadly and see it as a synonym of integrated or enterprise-wide risk management.

4 Useful classifications can be found in Simons (2000) (where distinction is made between operations risk, asset impairment risk, competitive risk and fraud and misrepresentation); DeLoach (2000) (where distinction is made between externally-driven risk, internally-driven risk and decision-driven risk); and Shimpi (1999) (which classifies financial/market risk, operational risk, political risk and legal liability risk).

5 Hedging is a common financial instrument. Consequently, all financial textbooks devote sections on this concept. We found a good overview in Bodie, Kane and Marcus (1999).

6 For a good overview of different internal control categories, we refer to Simons (2000), who distinguishes between structural safeguards (segregation of duties, defined levels of authorization and independent audits), systems safeguards (accurate and complete records, secure databases and timely management reports) and staff safeguards (adequate expertise for accounting and control staff, rotation in key jobs and sufficient resources).

• risk management • risk • risk (business) • risk transfer • hedging • management • firms

SAGE© Kurt Verweire and Lutgart Van den Berghe 2004

SAGE Books

Page 13 of 13SAGE Books – Managing Risk, Managing Value

Is this the question you were looking for? Place your Order Here