The first in a series of Q&A discussions with influential members of the risk management community.

How is the risk profile of UK plc changing?

Chris O’Brien: You can’t look very far without thinking about the environment. For example, the hotel industry is thinking about foot and mouth disease and its impact on their trade, and last autumn we had severe flooding. Businesses should be thinking about the basics first of all: if you are flooded things look rather different. Every organisation has to do some risk brainstorming from time to time, and would benefit from using some external people to bring a different perspective.

Stephen Diacon: It depends what you mean by risk profile. When I write about risk, it is about risk as a process. It begins with a source of risk, then some exposure to that risk, and finally a level of tolerance to the source or the exposure. To answer how risk profiles are changing is to say what changes are there in the sources of risk, exposures to risk, and risk tolerance.

Clearly the sources of risk are well known – physical and liability issues – but there is a gradual recognition that the sources of risk have to be viewed in a holistic way. Businesses can no longer look just at individual sources of risk; they have to look at the whole portfolio of risk they face. I suspect we have seen a greater understanding of the risk portfolio, rather than fundamental changes in it. To understand how tolerant a business is to its risk portfolio, you need an understanding of its financial position and its risk-taking potential. That is quite complicated. Finally, shareholder sensitivity has made companies less risk tolerant.

Of course, there are some quite interesting arguments that say risk is not bad, and in fact that it is good: the old truism that businesses are in business to take risk, and therefore make decisions which have uncertain outcomes in the hope that they will generate a profit and a return for shareholders. Implicitly, business must be quite tolerant of risk taking. In practice, you start from a position where shareholders are quite tolerant of risk taking, but intolerance usually then arises because shareholders are unhappy with unexpected declines in performance.

Have supervisory factors such as Turnbull and Basel exacerbated that phenomenon?

Chris O’Brien: Controls and reporting should not steer companies into being more defensive about risk than is optimal; as Stephen says, they are in the business of taking risk. However, it is important that they report those risks, so shareholders and others have an understanding of them. It is very positive that we have had Turnbull on corporate governance leading companies to annual audited risk assessments, so that shareholders can understand their company’s risk portfolio. Accounting for financial instruments, particularly derivatives, is moving in the direction of putting things on the balance sheet, leading to reporting that readers understand. And more formal reporting is consistent with good management. That’s all very good, but the hope is that companies don’t react defensively.

Stephen Diacon: The main benefit of Turnbull is not the annual statement, but the fact that an auditable risk assessment process has been implemented, and that directors are legally bound by the statement. It gives shareholders confidence that they are being told everything, but it is the solution to an agency problem, not a risk problem.

Does the convergence of the risk management and corporate treasury functions actually address risk?

Stephen Diacon: Yes, of course. The logic for the shift is that a company’s risk tolerance is company-wide in the first instance, and not related to any particular sources of risk. Secondly, it is very much driven by the financial structure of the company itself. Those with high gearing ratios or low liquidity, or either very high or negative book to market ratios, have a low risk tolerance. Those are financial variables that can be managed only by the finance director. It links to a more modern understanding of what drives a firm’s share price, and a recognition that return on equity is related not only to systematic risk, but also to a company’s vulnerability to risk.

In that regard, is the Basel Accord’s recognition of operational risk a signpost for the future?

Chris O’Brien: There is some danger that the Accord would set capital requirements based on using ad hoc formulae to represent operational risks. Such formulae can never be perfect. But Basel will draw attention to operational risk, and give some incentive for companies to get it right. When capital is calculated based on a formula, there is a danger that factors in the formula will receive undue focus. Giving operational risk a place in the formula addresses the imbalance.

The principle is also behind some of what is happening in the insurance industry. Insurers should understand what risks they face, and carry out risk assessments to see which events might affect them and their solvency in different scenarios. A form of risk based capital assessment is the right way forward, but once again there is the danger that, when the RBC system is refined and imposed, ad hoc formulae will be used, and will distort the way companies behave. But methods of analysing risk are more refined than a few years ago, so the dangers of going down the RBC route are not as great as they would have been.

Is there wider application for RBC methodologies?

Chris O’Brien: Yes. Quoted companies should be making these risks visible to shareholders, and should have the risk management techniques to deal with them. The International Accounting Standards Committee is saying that the risks of financial instruments should be assessed properly, valued, and communicated to shareholders. Companies should have internal methods of risk evaluation and management, and rules saying these measures should be in the public domain are a good incentive.

Stephen Diacon: A counter argument is that reporting on that level provides information to competitors, who may take actions which destabilise the company. For example, supposing that you broadcast the fact that your company is vulnerable to changes in input prices. That might encourage competitors to try and corner the market on those inputs, and raise your costs. Risk information has a strategic dimension which is ignored in the Turnbull debate. Turnbull requirements seem to apply only to the interest of shareholders, and seem to ignore the fact that competitors might react.

Chris O’Brien: That is why there has to be balance, so that companies don’t get too defensive.

Stephen Diacon: Suppose a company announced that it was using futures contracts to handle risks. A competitor could force losses on them. I think this will become more of an issue as those Turnbull risk management statements begin to be dissected.

Chris O’Brien: It comes back to the balance of the right amount of risk to be taking, and in whose interest – executives with share options, customers, or shareholders.

Are sufficient commercial solutions on offer?

Stephen Diacon: The problem with conventional risk management measures is that they are rather piecemeal, often directed at individual sources of risk, but neglecting others. Furthermore, different risk management tools have a different impact on controlling risk, obviously, so they should be viewed as a series of tools in a tool kit, complementary to each other.

Chris O’Brien: There is an important distinction between the risk of general processes and risks arising when you have changes. The regular production of a company operates regularly, people supervise it, and risk is easy to measure and manage. But major change projects have an entirely different risk dimension, many of which are related to technology. There are sad examples in the public sector, such as the new system to issue UK passports. If a project goes wrong, the exposure and consequences can be very different to process errors, so projects need different risk management techniques.

Are businesses coping well with technological risk?

Stephen Diacon: There is a lot of poor information about the speed of technological processes, and a need for companies to actively monitor developments in cyber business. This is an area where the University is trying to add value to the business community. We have created a cyber business centre which monitors developments in information and communications technology [at]. The users of technology seem to have the ability to outsmart the rest of us.

Chris O’Brien: Another danger that businesses face is that technology will become a distribution channel, and people will be ahead of them. Hence traditional companies have had to make sure they are up to speed. But that introduces the operational risk that systems are so complicated that they will fail, and take time to put right.

So balance is needed to ensure that companies are neither too defensive, nor threatened by too great an appetite for risk?

Chris O’Brien: Exactly.

Adrian Leonard is a freelance writer and editor, Tel: 01799 524 687, E-mail: