The Management of Corporate Risk Factors: The Business Risk-Management and Enterprise-Wide Risk Management

Abstract

The management of risk factors requires three key elements: a common terminology for risk, in a continuous and future-oriented process of identification, research and measurement of risks and opportunities, and finally managers skilled in risk management and responsible for coordinating and continuously implement the risk strategy with pre-established risk objectives. These elements are applied consistently within the company. The work will focus on the current view of corporate risk and risk management. Finally we will focus on enterprise-wide risk management

Keywords: Risk management; Enterprise-wide risk; Business; Uncertainty.

The Management of Corporate Risk Factors

The management of risk factors requires three key elements: a common terminology for risk, in a continuous and future-oriented process of identification, research and measurement of risks and opportunities, and finally managers skilled in risk management and responsible for coordinating and continuously implement the risk strategy with pre-established risk objectives. These elements are applied consistently within the company to:

• Understand the nature of the main risks affecting performance measures to try to predict inconvenient situations;
• Determine the determining causes or drivers of the risks in order to be able to measure, control and monitor them;
• Evaluate individual and aggregate risks in terms of cash flow and EVA “at risk”;
• Determine the correlation between sustained risk and benefit obtained and the effectiveness of alternative strategies to analyse the risk in relation to risk parameters and limits;
• Analyze operational performance for different types of risk, investments, products and business units

In addition, performance measures are created to monitor risk management and control processes. Relevant information on business units must be gathered, evaluated and reported on a standardized basis to monitor the objectives set by the company. A continuous review process ensures the achievement of objectives, the satisfactory execution of strategies, in accordance with company policies and the identification of ever better solutions for risk management. In particular, companies have recognized the need to use a probabilistic view of the future rather than a deterministic one. The latter, in fact, leads to a scenario analysis that modifies the forecasts to reflect the effects of situations or events that may or may not occur in the future. For example, a deterministic approach can show the change in cash flow for a particular scenario without an assessment of the likelihood with which that scenario can occur. On the other hand, the analysis with a probabilistic approach tries to evaluate the performance over a period of time, taking into consideration the interactions of the underlying key variables. In addition to offering the extent of the variation of a particular scenario, it also provides the probability of occurrence. This approach is much more effective in evaluating performance when the underlying risk factors can be statistically modelled, but it is less effective than the deterministic one in evaluating extraordinary or unlikely events or situations on the edge in which uncertainty cannot be statistically evaluated.

The Current Vision of Corporate Risk

Because risk and opportunity are inextricably linked, past conventions and attitudes towards risk as a hazard or a threat have led to too narrow a view of the role of risk management in companies. Traditional approaches were fragmented, negative, ad hoc, short-sighted and treated risk management as a surplus or added element to the core business. Today, however, the approach to risk is integrated, positive, continuous based on the creation of value. Risk management and analysis are considered integral parts for the creation of value and for the achievement of company objectives.

Through the efforts of companies to try to anticipate the future to create value, a path is outlined that highlights the growing attention to risk management and control. In this chapter, the evolution of Risk Management will be described. The starting point is represented by the traditional Risk Management model, the transformation continues with the Business-Risk management model, up to that of Enterprise Wide Risk management. The three stages are briefly described on the following pages.

Preliminary Considerations to Risk Management

The birth of risk management, in its modern and widespread academic and professional meaning, is placed in the fifties in the United States. It is recognized that a large part of the risk management activity has its origins, technically, in the traditional management of insurance relationships. The emergence of risk management also from an institutional point of view, with the birth of the first professional associations, corresponds with an increasingly clear separation of insurance management ‘. At first this occurs in the contents, with the extension of the interest from insurable risks to non-insurable ones; secondly, the trend is strengthened through an approach that gives more and more importance to alternative risk treatment tools (retention and prevention). Risk management finds its deepest and most authentic roots essentially in the need to manage the risk system inevitably connected with the concrete manifestation of human economic activities on an optimal basis. In particular, this need had its precursors and then developed mainly in industrial companies, in which the “risk” component plays a decisive economic role. Hence, therefore, studies, surveys and analyses aimed at qualifying and rationalizing the structures and decision-making processes inherent in the business risk management strategies that gradually in a progressive growth have led to models – both theoretical and operational – globalizing the management of risks in the more general objective of maximizing the economic value of the company itself. Risk management is undoubtedly the child of technological development connected with the great processes of industrialization first and then advanced outsourcing. Clearly its cradle could only be where these processes were intensely taking shape. In fact, in the United States, risk management, business risk management took shape in the years between 1955 and 1960, originally as a technique to reduce the amounts of insurance costs. In reality, however, the need to deal with pure risks in a systematic and specific way was primarily and correctly posed by a French scholar, Henry Fayol, who therefore in many ways can fully be considered the precursor of this discipline. In a 1918 study, Fayol listed risk management among the six primary functions of a company’s management, specifically naming it the safety function, with the task of protecting the corporate resources used by the other five functions (technical, commercial, financial, administrative and directive). An idea, in short, as often happens, born and expressed at a theoretical level in Europe, then taken up, expanded, reworked, developed and implemented overseas. Risk Management has found its natural outlet in the U.S.A. around 1955, while, in Italy only at the beginning of the eighties did we start talking about Risk Management and it involved a few large companies including: Fiat, Olivetti, Zanussi, Alitalia, Augusta, Italtel, the Star, and the Plasmon. The figure of the Risk Manager in recent years has significantly changed. Today there are two types of Risk Manager: the functional Risk Manager and the functional and managerial Risk Manager. The functional Risk Manager performs the following tasks: analyses, establishes a program, suggests a risk coverage policy but does not negotiate with insurers and does not administer contracts. The Functional and Management Risk Manager, on the other hand, also carries out this second activity and represents the real professional figure. The Risk Manager must have the closest support in general management and the widest access to all the most disparate company data, in order to obtain the information that his size requires him to acquire. Therefore, the Risk Manager is placed in the position of top staff and has an important decision-making role. Currently, most companies perceive risk management primarily as the traditional model for managing dangers and financial choices to which a company is exposed through products and transactions and appropriate internal controls. Risks are regulated through insurance policies, contractual indemnities and the like to mitigate the negative effects of discrete or closely related events. These methods transfer the dangers of a financial nature to an independent and financially capable counterpart. Internal controls, on the other hand, are often applied to manage operational risks that are typically controlled by the company; the latter are aimed at preventing the risk of accidents. Insurance market products are used to manage risks for natural disasters, environmental liability, health and safety, product liability and other risky operations that generate loss of income, possible liability and human resource hazards. In traditional risk management theory, what has been learned in a given application field is often applied in other areas. In particular, there are three reasons why the traditional model is inadequate to the new economy:

Responsibility for risk management is often fragmented

A separate risk management approach, which strives for functional excellence, can only offer short-term protection from individual risks. Risk factors arising from day-to-day operations can only be managed, in the long run, by solutions of an operational nature, such as: changes in research and distribution, establishing meetings between branches in different countries to eliminate currency risks, etc.

The risk is seen in isolation

The application of classic Risk Management is sometimes based on an isolated view of risk, both as a type of risk and as a unit or activity potentially exposed to risk. This approach ignores the benefits of a comprehensive view of risk exposures. This observation is reinforced when we consider that the negative effects of incorrect risk management affect several business areas.

Risk Management is not a product or a contract

Insurance contracts are certainly useful for the life and survival of a company, but if the risks are not understood within companies, insurance may not be sufficient. For this reason, risk management must take place mainly within companies, not be administered by external consultants.

Il Business Risk-Management

The shortcomings of a limited conception of risk have led many companies to a broader view of risk management in business. This broader approach effectively integrates the efforts of operational managers with the activities of risk managers. Business risk management does not perceive risk as a management accessory – or as something to be delegated to separate functional areas such as insurance agents, financial agents, etc. Often, understanding and managing risk becomes “part of the work of every person within the company”, “everyone is responsible”: this becomes the fundamental operating philosophy. Over the years, the growing uncertainty characterizing the environment in which companies operate and the consequent occurrence of risky events have caused a decrease in the level of performance within companies. Therefore, managers have become aware of the fact that different types of risk, which were not taken into account by the traditional risk-management approach, can alter company performance. Furthermore, it is not understood that many, although not all, of these risks can be managed and studied and that until then some of these were not managed effectively. For this reason, companies are starting to evolve towards a new approach: risk business management by implementing a more systematic risk assessment process, assigning responsibilities for the management of the most risky areas and applying specific risk management techniques and processes for all more critical risks. But the evolution towards business risk management goes beyond the management of unpredictable events. With the expansion of the sphere of influence, the tools of the insurance functions have also become more sophisticated. More specialized firms are increasingly applying risk modelling techniques such as Monte Carlo simulation and option theory, not only for financial risks but also for broader strategic uses. At the same time, the goal of business risk management also becomes that of trying to find the actual source of the risks.

A New Approach: Enterprise-wide Risk Management

Although there has been an evolution in risk management that led to the birth of business risk management, the objective was mainly limited to the management of individual risks and series of risks connected to each other. Furthermore, the link between risk and opportunity is no longer conceived as in the classic risk management approach, but it is certainly even clearer. Although the broader view of the concept of risk and the implications within the company offered by business risk management is a positive step forward, enterprise-wide risk management takes a further step. All companies face uncertain events, and management’s challenge is to determine the acceptable quantum of uncertainty to create value for stakeholders. In this perspective, enterprise-wide risk management moves, in fact this approach allows management to identify, assess and manage the risks deriving from uncertain events and is an integral part of the methods for creating and preserving value. Enterprise-wide risk management is a process, put in place by the board of directors, management and other operators of the company structure; used for the formulation of strategies throughout the organization; designed to identify potential events that may affect the business, to manage the risk within the limits of acceptable risk and to provide reasonable assurance on the achievement of business objectives. Although there has been an evolution in risk management that has led to the birth of business risk management, the objective was mainly limited to the management of individual risks and series of risks connected with each other. Furthermore, the link between opportunity and opportunity is no longer risk as in the classic risk management approach, but it is certainly even clearer. The still broad vision of the concept of risk and more access within the company offered by business risk management is a positive step forward, Enterprise-wide risk management (EW-RM) takes a further step. In fact, it allows management to address uncertainties and risks and opportunities, thus increasing the company’s ability to generate value. Management maximizes value formulates strategies and objectives in order to achieve optimal growth in a profitability objective and the resulting risks, and when it uses resources efficiently and effectively in achieving corporate objectives. A model of EWRM:

• Implements a common language that facilitates internal and external information exchanges;
• Provides a consistent reporting structure for the aggregation of risk measures and information;
• Promote the development of a systematic approach that identifies all business risks;
• Supports the allocation of resources by giving priority to risk management;
• Create a regulated process for choosing vital decisions to be made within the company, for example accepting / rejecting risk, selecting strategies and deciding future risk management developments.

EWRM is an anticipatory and interrelated approach that supports the business model in the value creation process. Avoiding negative risks and trying to manage the inevitable ones in the best possible way is of fundamental importance, in addition, business risk management tries to use risks in the best possible way to take advantage of them in accordance with company strategies and objectives. Risk is seen more as an ally than an enemy. In the EWRM, the opportunities designated by the corporate business model offer risk management a clearer context: supporting the company in managing the situations of uncertainty that may occur in the creation of a successful business model. Enterprise-wide risk management integrates business risk management activities with strategic management and business planning processes, in this way the organization of the company is able to:

• Identify opportunities for value creation, the most significant attraction of which is the risk / reward ratio based on a complete realization of the external business development reality.
• Create a business model that is sensitive and seize all opportunities.
• Understanding an understanding of solo risk extended to all levels of the company, and containing:
• The business activities and processes used for the implementation of the pre-established business model;
• With the information used to make decisions.
• Acquire the skills to effectively manage the risks corresponding to the business model of the company, including informed people, effective processes and supporting technology.
• Collect, analyze and synthesize relevant internal and external data to obtain consistent, useful and timely information for business risk management.
• Select and implement the best strategy to exploit the risks that are convenient for the company, and, simultaneously, eliminate or reduce the inconvenient risks; all this to increase the success prospects of the business model.
• Supporting the business units in achieving the performance objectives, in an enhanced and controlled development.

It should be noted that enterprise-wide risk management increases the possibility that management makes better decisions, in fact, by providing timely and accurate information, the company manager may be able to manage the various strategies optimally. The EW-RM consists of eight interconnected components; they derive from the way in which management manages the company and are integrated with operational processes. These components are:

• Internal environment: management formulates the basic philosophy of EW-RM and determines the level of acceptability of the risk. The internal environment determines in general terms the ways in which the risk is considered and faced by the people who work in the company.
• Definition of objectives: The objectives must be set before proceeding with the identification of events that may affect their achievement. The EW-RM ensures that management has activated an adequate process of defining objectives and that the chosen objectives support and are consistent with the corporate mission and are in line with acceptable risk levels.
• Identification of events: potential events that may have an impact on company activity must be identified. The identification of the events involves the detection of potential facts of internal and external origin that may jeopardize the achievement of the objectives. Furthermore, it is necessary to distinguish events that represent risks from those that represent opportunities, and from those that are a mixture of the two. Opportunities need to be evaluated by reconsidering the previously defined strategy or goal-setting process in place.
• Risk assessment: The identified risks are analysed in order to determine how they should be managed. Risks are linked to objectives and can jeopardize their achievement. The risks are assessed both in terms of inherent risk (risk in the absence of any intervention) and residual risk (risk after activating interventions to reduce it), determining the probability that the risk will occur and the relative impact.
• Risk response: Management identifies and evaluates possible responses to risk, which could be: avoiding, accepting, reducing and sharing risk. Next, management selects a series of actions to align the emerging risks with risk tolerance and acceptable risk.
• Control activities: Policies and procedures must be defined and implemented to ensure that responses to risk are effectively carried out.
• Information and communication: Relevant information must be identified, collected and disseminated in the form and in the times that allow people to correctly fulfil their responsibilities. Information is needed at every level of the hierarchical structure in order to identify and assess the risk and to respond to it. Effective communications must be activated so that these flow throughout the entire organizational structure: downwards, upwards and transversely. Staff must be provided with clear information on their assigned roles and responsibilities.
• Monitoring: The entire enterprise-wide risk management process must be monitored and modified where necessary. In this way, rapid reactions are activated, according to the changes that occur in the company’s operational context. Monitoring takes the form of continuous interventions, integrated into normal company operational activities, evaluations, or a combination of the two methods.

Before concluding, it should be noted that enterprise-wide risk management is a dynamic process. For example, the risk assessment requires a response that can influence the control activities and may highlight the need to review the information and communication needs or the monitoring activities in place. Therefore this process is not strictly sequential, in which one component affects only the next. Instead, it is an interactive and multidirectional process in which each component can affect only one other component, regardless of the sequence of the process. Each company will activate enterprise-wide risk management in its own ways, different from those adopted by other companies, even similar ones. In fact, companies, their risk management processes and their needs vary significantly depending on the sector in which they operate, their size, their culture and their management philosophy. Thus, while all companies must have all eight components to effectively manage risk, the concrete application of enterprise-wide risk management including the mechanisms and techniques adopted and the roles and responsibilities assigned, is often very different from a ‘ company to the other. We can conclude our overview by highlighting that enterprise-wide risk management includes all those elements of the management process that allow management to make well-founded decisions, but individual decisions, chosen from various alternatives, all considered valid, do not determine the effectiveness of the ‘EW-RM. However, while the specific objectives, risk responses and control activities selected are facts that concern the judgment of the management, what matters for the purposes of the EW-RM is that the choices made produce as a final result a lowering of the risk to an acceptable level and that there is a reasonable certainty of achieving the chosen objectives.

Conclusion

To meet the expectations of shareholders and corporate stakeholders, and to achieve its objectives, the company is growth through change and through innovation in operating processes and technologies in a continuous search for new profit opportunities and new areas of business. These initiatives and changes, deriving from the inside as well as from the outside, expose companies to events that can endanger the creation of value over time. Not being able to completely eliminate risks, so as not to paralyze its business, the company has nothing to do but learn to manage the factors that generate, characterize and tame them. In these terms, risk management, and in particular business risk management, responds to the systematic application of coordinated procedures and methods, aimed at identifying, analysing, treating, dealing, identifying and finally communicating the recognized “key” risks (key risk), thus providing a dynamic process capable of guaranteeing a guaranteed balance between risks assumed, level of allocated capital, company activities and level of performance. In this sense, a new business action is set up, which takes note of the simple balance sheet data. The simulation, which in this context helps to carry out risk research, represents a solution that can be set up ad hoc in the different realities investigated. It can be realized according to two different approaches: deterministic or stochastic. The use of one or the other leads to the definition of two different simulation models:

• Traditional simulation based on well-defined and well-defined assumptions;
• Stochastic simulation, which combines the two approaches.

The advantage of a stochastic simulation-based approach is the ability to describe in detail the distribution of future outcomes, from which a variety of measures for risk can be obtained. This feature is particularly useful for companies whose financial results are represented by non-linear functions. In these cases, in fact, deterministic techniques may not provide the flexibility necessary to describe possible future outcomes in detail. The joint use of performance measures and stochastic simulation techniques (Monte Carlo method) for the construction of risk measures, therefore makes it possible to break down the different alternatives available, highlighting the relationships between decision-making variables – value drivers – and results highlighting the possible behaviour of the result variable as a function of the hypotheses on which the starting model is based. Based on these considerations, company management can make a decision with greater awareness on the cause and effect relationships between value drivers and possible outcomes. There are also some implications on managerial behaviour that can be determined by the adoption of this method. First of all, obtaining as a result of an evaluation process a distribution of results instead of a value allows the management to have greater awareness of the use of risks related to company performance within a predefined time interval. Furthermore, by using the economic-financial simulation within the performance evaluation processes, the management becomes able (potentially) to act on the variables that determine the value not only of the existing investments but also those that determine the future value of the company. However, there are some limits on which it is necessary to dwell briefly. The limits are mainly related to the way the model is built. First of all, it is necessary to carefully choose which are the value drivers related to both context and decision-making variables which must be modelled with a random variable. It is appropriate to find an adequate trade-off between the complexity of the model and its simplicity by modelling in a probabilistic key only the variables that are considered to have the greatest impact on the value creation processes. Furthermore, the rules of the simulation must be “defined a priori” and its parameters must not be modified in order to provide the justification for a decision that is deemed necessary, in any case, to be taken or rejected. Finally, in the construction of the model, one must always be aware that the purpose is to represent the operating methods of a company, and therefore always seek a close link with the business model adopted even at the expense of less depth and analyticity of the model itself.

References

1. S.I.M: Risk management: a reader study, Asim. New York. 1973.
2. Banks E. The simple rules of risk. Willey. 2002.
3. Bernestein P. Against the Gods. The remarkable story of risk. Wiley. 1998.
4. Bertini U. Introduzione allo studio dei rischi nell’Economia Aziendale, Pisa, Cursi. 1969.
5. Bertini: Il governo dell’impresa tra “managerialita” e “imprenditorialita” in Scritti di Politica Aziendale. Giappichelli, Torino. 1991.
6. Bertini Il. sistema d’azienda, Giappichelli, Torino. 1990.
7. Boniello C. Cauchy the theory of groups and the theory of polyhedral. Int J Advanced Engg Management Res. 2021; 6: 38-47.
8. Boniello C. Business risk is a crucial node for the success of the business. J Advanced Engg Management Res. 2022; 7: 31-40.
9. Boniello C.: The Business Risk International Journal of Advanced Engineering and Management Research. 2021; 6: 29-36.
10. Boniello C. The concept of the causes and effects of risk in some Italian and foreign scholars of the twentieth century. J Advanced Engg Management Res. 2022; 7: 66-71.
11. Boniello C. The Methodologies for identifying corporate risks. J Advanced Engg Management Res. 2021; 6: 141-151.
12. Boniello C. The success of the company through the knowledge of business risks. J Advanced Engg Management Res. 2021; 6: 58-67.
13. Boniello C. Risk and uncertainty in business economics: towards a business concept. Int J Econ Bus Management Res. 2022; 6: 156-165.
14. Boniello C. Business risk: the first systematic studies on risk and on uncertainty in economic theory. TESS Res Econ Bus. 2022; 1: 106.
15. Boniello C. Cuozzo: Marketing Is a Valid Ally for Business Success: From the Origins of Marketing to its Evolution during Covid-19, TESS Res Econ Bus. 2022; 1: 107.
16. Borghesi A. La gestione di rischi di azienda, Padova, Cedam. 1985.
17. Carter RL, Doherty NA. Insurance and risk retention, Handbook of risk management. Kluwer-Harrap Handbooks, London. 1974-1984.
18. Cassola C. Il rischio e l’organizzazione dell’industria moderna, Milano, Sandron. 1926.
19. Chessa F. La classificazione dei rischi e il rischio d’impresa in Rivista di Politica Economica. Fascicolo II Roma. 1927.
20. Crockford GN. An introduction of risk management. Woodhead-Faulkner, Cambridge. 1980.
21. Crockford GN. The bibliography and history of risk management: some preliminary observations Geneva Papers. 1982.
22. Crockford GN. The changing face of risk management. Geneva Papers. 1976.
23. Culp C. The risk Management process. Wilwe. 2001.
24. Finetti BD. Il rischio e le decisioni economiche, Rivista Bancaria, Milano. 1953.
25. Cagni PL. Il sistema aziendale tra rischio d’impresa e rischio economico generale, Cacucci. Bari. 2002.
26. Fazzi R. Il contributo della teoria delle funzioni e dei rischi allo studio dei comportamenti imprenditoriali. Cursi, Pisa. 1957.
27. Ferrero G. Impresa e Management. Milano Giuffre. 1987.
28. Forestieri G. Risk management, Strumenti e politiche per la gestione dei rischi puri dell’impresa, Egea. Milano. 1996.
29. Galbraith IK. L’eta dell’incertezza. Mondatori, Milano. 1978.
30. Green P, Tull DS. Research for Marketing Decision, Prentice – Hall, Englewood. 1966-1975.
31. Greene MR, Serbein OS. Risk management: text and cases, Reston Pubblishing Co Reston. 1981.
32. Head GL. Continuing evolution of the risk management function and education in the United States. 1982.
33. Hesponse RF, Strassmann PA. Stocastic tree analysis of investment decision. Management Sci.
34. Knight FH. Rischio, incertezza e profitto, La Nuova Italia, Firenze. 1960.
35. Knight FH. Operational Risk, Willey. 2001.
36. Leinter F. Die Unternehmungsrisiken. Berlin. 1915.
37. Leti G. Statistica descrittiva,il Mulino, Bologna. 1983.
38. Mendenhall W, reinmuth JE, Beavere RJ. Statistic for Management and Economic, Belmont, Duxbury Press. 1993.
39. Misani N. Introduzione al risk management. Milano. EGEA. 1994.
40. Mongoldt H: Die Lebre von Unternebmergewinn, Leipzig. 1855.
41. Oberparleiter K. Die Bedeutung des Grosshandels und seine Funktionen im osterreichischen Wirtscaftsleben. Wien. 1955.
42. Oberparleiter K. Funktionen und Risiken des Warenhandels. Wien. 1955.
43. Sadgrove K. The complete guide to business risk management. Gower. 1977.
44. Sassi S. Il sistema dei rischi d’impresa, Vallardi. Milano. 1940.
45. Schroech G. Risk management and value creation in financial institution. Wiley. 2002.
46. Shimpi PA. Integrating Corporate Risk Management. New York, Texer. 2001.
47. Smullen J. Risk Management for Company Executives, Financial Times/Prentice Hall. 2000.
48. Tversky A, Kahneman D. Casual Schemas in Judgements under Uncertainty, in M. Fishbein (a cura di), Progress in Social Psychology. Erlbaum, Hillsdale. 1980.
49. Zappa Gino: Il reddito di impresa, Milano, Giuffre. 1950.