(First of two parts)
How can board of directors and senior executives help to define corporate governance within the context of enterprise risk management (ERM) programs? With the growing acceptance of ERM, the links between good governance and effective risk management are increasingly important.
By the time a corporate crisis occurs, improved corporate governance becomes too late to address the problem. Headlines of corporate failures and business scandals remind us of what can happen when corporate governance goes out of shape. The important learning for boards and executives from these scandals and the resulting compliance requirements is that of maintaining focus on the real issues of governance and risk and not becoming lured into a false sense of security that something is being done that will make a difference. What we do to address these issues is good management and a failure to deal with these matters is bad management.
The changing nature of risks
Today’s risks are different. Business leaders face different kinds of risks, ranging from those that are insurable to business risks up to an array of risks that are systemic in nature and global in scope. These global risks are ‘nonbusiness’ risks with the potential to impact the firm’s business decisively, such as natural disasters like the earthquake in China, the severe flood in Iloilo, pandemics like SARS and avian ‘flu’, terrorism, oil price hikes and the harmful effects of climate change. All these dominate our current risk landscape. There are others which have not yet penetrated public consciousness worldwide such as violations of intellectual property rights, identity theft, and the loss of biodiversity. The list could go on and on.
Complexity creates risk
There are large corporations which have grown through mergers and acquisitions and therefore have to assimilate different people, processes, systems and cultures. Some firms have outsourced, vertically integrated or entered global alliances. All these strategies have contributed to the complexity and added new risks. Many of them are related to earnings drivers. As the enterprise grows and globalizes, these risks rise in severity and complexity.
Greater interconnectivity and interdependence
The increasing level of interconnectivity and interdependence is the most important factor that contributes to making today’s world more complex and turbulent. Remarkable advances in communications technology, the liberalization of trade and financial services have combined to trigger an unprecedented increase in global trade and financial flows.
This has led to intense competition, an emphasis on ‘speed to market’ which stresses supply chain efficiency, far higher rates of invention and markedly shorter product lifecycles.
In an interdependent world, the risks faced by any individual, firm, region or country depend not only on its own choices but also on those of others, thus making such risks more difficult to manage. For example, the risks faced by the Ninoy Aquino International Airport (NAIA) or Philippine Airlines (PAL) are tied to the security standards of other carriers and airports. In the case of a pandemic, an outbreak of a disease in one country that is poorly prepared raises the risks faced by other countries and businesses in those countries.
Why our ability to assess risk gets distorted
To assist us in making decisions in situations where there is great uncertainty, often due to complexity and volatility of a risk, we use many mental devices known as heuristics. We are able to make decisions fast by resorting to learned behaviors – principles and practices. Let us make their effects clear by focusing on five important ones:
Availability – We often make decisions on the frequency of events occurring based on what we can readily remember, rather than on analysis of extensive data.
Confirmation bias – Once we have made a decision about the probability of an event occurring, we look for confirmation of the correctness of our decision.
Overconfidence – We see ourselves as always being right.
Anchoring – We tend to base decisions and estimates on positions we are familiar with, and this serves as the anchor for all that follow.
Representativeness - We create personal meaning by classifying things, events and phenomena on the basis of our experiences.
The way we assess a risk varies because different people have different preferences, experiences and values. The automatic affective processes that enable us to protect ourselves against risk are the product of our evolutionary history which spontaneously dominates our intuitive responses to risk, such as the tendencies to:
• Overestimate unknown risks;
• Underestimate risks that we voluntarily assume;
• Overestimate small risks and underestimate larger ones; and
• Overreact to highly publicized risks.
These conclusions are important in considering what we can and should do in dealing with the risks we are confronted with in managing our companies, making investment decisions or personal decisions.
Turning business risks into opportunities
It will be helpful to talk about the different types of events that occur in the business world – surprises, opportunities, and disasters. These events are categorized as follows:
Surprise events: The event is not reported, in some cases because it was not monitored, captured, or analyzed.
Suspected events: The event is monitored, captured, analyzed, and reported but too late for effective action.
Surmounted events: The event is reported in time and effective action is taken. (To be concluded)
(Rolando C. Cabrera is a Director and Senior Risk Management Advisor of Manabat Sanagustin & Co., CPAs, a member firm of KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or rcabrera@kpmg.com).