Corporate Risk Management
By Tony Merna and Faisal F. Al-Thani
About this ebook
"The new edition of this book provides a clear insight into the intricacies of corporate risk management and the addition of the case study exemplars aids understanding of the management of multiple projects in the real world."
—Professor Nigel Smith, Head of the School of Civil Engineering, University of Leeds
Book preview
Corporate Risk Management - Tony Merna
Contents
Cover
Contents
Title Page
Copyright
Dedication
1: Introduction
1.1 Introduction
1.2 Why Managing Risk is Important
1.3 General Definition of Risk Management
1.4 Background and Structure
1.5 Aim
1.6 Scope of the Book
2: The Concept of Risk and Uncertainty and the Sources and Types of Risk
2.1 Introduction
2.2 Background
2.3 Risk and Uncertainty: Basic Concepts and General Principles
2.4 The Origin of Risk
2.5 Uncertainties
2.6 Sources of Risk
2.7 Typical Risks
2.8 Perceptions of Risk
2.9 Stakeholders in an Investment
2.10 Summary
3: The Evolution of Risk Management and the Risk Management Process
3.1 Introduction
3.2 The Evolution of Risk Management
3.3 Risk Management
3.4 The Risk Management Process - Identification, Analysis and Response
3.5 Embedding Risk Management into Your Organisation
3.6 Risk Management Plan
3.7 Executive Responsibility and Risk
3.8 Summary
4: Risk Management Tools and Techniques
4.1 Introduction
4.2 Definitions
4.3 Risk Analysis Techniques
4.4 Qualitative Techniques in Risk Management
4.5 Quantitative Techniques in Risk Management
4.6 Quantitative and Qualitative Risk Assessments
4.7 Value Management
4.8 Other Risk Management Techniques
4.9 Country Risk Analysis
4.10 Summary
5: Financing Projects, their Risks and Risk Modelling
5.1 Introduction
5.2 Corporate Finance
5.3 Project Finance
5.4 Financial Instruments
5.5 Debt
5.6 Mezzanine Finance Instruments
5.7 Equity
5.8 Financial Risks
5.9 Non-Financial Risks Affecting Project Finance
5.10 Managing Financial Risks
5.11 Risk Modelling
5.12 Types of Risk Software
5.13 Summary
6: Portfolio Analysis and Cash Flows
6.1 Introduction
6.2 Selecting a Portfolio Strategy
6.3 Constructing the Portfolio
6.4 Portfolio of Cash Flows
6.5 The Boston Matrix
6.6 Scenario Analysis
6.7 Diversification
6.8 Portfolio Risk Management
6.9 Cross-Collateralisation
6.10 Cash Flows
6.11 An Example of Portfolio Modelling
6.12 Summary
7: Risk Management at Corporate Level
7.1 Introduction
7.2 Definitions
7.3 The History of the Corporation
7.4 Corporate Structure
7.5 Corporate Management
7.6 Corporate Functions
7.7 Corporate Strategy
7.8 Recognising Risks
7.9 Specific Risks at Corporate Level
7.10 The Chief Risk Officer
7.11 How Risks are Assessed at Corporate Level
7.12 Corporate Risk Strategy
7.13 Corporate Risk: An Overview
7.14 The Future of Corporate Risk
7.15 Summary
8: Risk Management at Strategic Business Level
8.1 Introduction
8.2 Definitions
8.3 Business Formation
8.4 Strategic Business Units
8.5 Business Strategy
8.6 Strategic Planning
8.7 Recognising Risks
8.8 Portfolio Theory
8.9 Programme Management
8.10 Business Risk Strategy
8.11 Tools at Strategic Business Unit Level
8.12 Strategic Business Risk: An Overview
8.13 Summary
9: Risk Management at Project Level
9.1 Introduction
9.2 The History of Project Management
9.3 Definitions
9.4 Project Management Functions
9.5 Project Strategy Analysis
9.6 Why Project Risk Management is Used
9.7 Recognising Risks
9.8 Project Risk Strategy
9.9 The Future of Project Risk Management
9.10 Summary
10: Risk Management at Corporate, Strategic Business and Project Levels
10.1 Introduction
10.2 Risk Management
10.3 The Risk Management Process
10.4 Common Approaches to Risk Management by Organisations
10.5 Model for Risk Management at Corporate, Strategic Business and Project Levels
10.6 Summary
11: Risk Management and Corporate Governance
11.1 Introduction
11.2 Corporate Governance
11.3 Corporate Governance Approach in France
11.4 Corporate Governance Approach by the European Commission
11.5 Corporate Governance and Internal Control
11.6 Summary
12: Risk Management and Basel II
12.1 Introduction
12.2 Risk Rating System (RRS)
12.3 Borrower Risk Rating System and Probability of Default
12.4 Risk Rating and Provisioning
12.5 Risk Rating and Pricing
12.6 Methodology of RRS and Risk Pricing
12.7 Grid Analysis or Standardising the Risk Analysis
12.8 Regulation in Operational Risk Management
12.9 Summary
13: Quality Related Risks
13.1 Introduction
13.2 Defining Quality Risks
13.3 Standardisation-ISO 9000 Series
13.4 Quality Risks in Manufacturing Products
13.5 Quality Risks in Services
13.6 Quality Control and Approaches to Minimise Product Quality Risks
13.7 Summary
14: CASE STUDY 1: Risks in Projects in the Pharmaceutical Industry
14.1 Introduction
14.2 The Pharmaceutical Industry
14.3 Filing with the Regulatory Authority
14.4 Identification and Response to Risks Encountered in DDPs
14.5 Summary
15: CASE STUDY 2: Risk Modelling of Supply and Off-take Contracts in a Petroleum Refinery Procured through Project Finance
15.1 Introduction
15.2 Financing a Refinery Project
15.3 Bundling Crude Oil Contracts
15.4 Assessing a Case Study
15.5 Bundle Solutions After Risk Management
15.6 Summary
16: CASE STUDY 3: Development of Risk Registers at Corporate, Strategic Business Unit and Project levels and a Risk Statement
16.1 Introduction
16.2 Levels of Risk Assessment
16.3 Amalgamation and Analysis of Risks Identified
16.4 The Project: Baggage Handling Facility
16.5 Risk Statement
16.6 Summary
17: CASE STUDY 4: Development of a Typical Risk Statement to Shareholders
17.1 Introduction
17.2 UUU Overview and Risk Register
17.3 Corporate Risk Register
17.4 Strategic Business Units Risk Register
17.5 Project Level Risk Register
17.6 Risk Statement to Shareholders
17.7 Summary
References
Index
End User License Agreement
List of Tables
2: The Concept of Risk and Uncertainty and the Sources and Types of Risk
Table 2.1 Risk–uncertainty continuum (Adapted from Rafferty 1994)
Table 2.2 Typical sources of risk to business from projects (Merna and Smith 1996)
Table 2.3 Internal and external stakeholders (Adapted from Winch 2002)
3: The Evolution of Risk Management and the Risk Management Process
Table 3.1 The hard and soft benefits of risk management (Adapted from Newland 1992, Simister 1994)
Table 3.2 The views of academics and practitioners regarding risk and risk management
4: Risk Management Tools and Techniques
Table 4.1 Risk management (RM) road map
Table 4.2 Monte Carlo simulation strengths and weaknesses
Table 4.2 Typical qualitative and quantitative risk assessment techniques (Burnside 2007)
Table 4.3 Impact weighting factors for PIG analysis
Table 4.4 Stress test strengths and weaknesses
5: Financing Projects, their Risks and Risk Modelling
Table 5.1 The weighted cost of capital
Table 5.2 Bond ratings (Adapted from Khu 2002, Merna 2002)
Table 5.3 Characteristics of bond and bank financing (Adapted from Office of Government Commerce 2002)
6: Portfolio Analysis and Cash Flows
Table 6.1 Individual and total project costs and revenues
Table 6.2 Worst, base and best case economic parameters for a batch of seven new projects
Table 6.3 Worst, base and best case economic parameters for a batch of eight refurbished facilities
Table 6.4 Worst, base and best case economic parameters for a portfolio of 15 projects
8: Risk Management at Strategic Business Level
Table 8.1 Legal differences between private and public limited companies (Adapted from Birchall and Morris 1992)
Table 8.2 Investments risks and descriptions (Adapted from Witt 1999)
12: Risk Management and Basel II
Table 12.1 BRR rating sheet
Table 12.2 FRR rating sheet
13: Quality Related Risks
Table 13.1 Types of quality problems and their problem solving techniques (Smith 2000)
Table 13.2 Common statistical tools used in quality control application (Hubbard 2003)
15: CASE STUDY 2: Risk Modelling of Supply and Off-take Contracts in a Petroleum Refinery Procured through Project Finance
Table 15.1 Refinery project characteristics
Table 15.2 Economic parameters of benchmark crude supply
Table 15.3 Summary of economic parameters of single crude supply (Note: The negative rate of return means that you cannot recover your initial investment by the end of concession period.)
Table 15.4 Summary of probability analysis results for crude oils
Table 15.5 Solutions of mean return and standard deviation for combinations of five crude supply contracts
Table 15.6 Summary of economic parameters of five crude supplies
Table 15.7 Mean return and standard deviation for combinations of crude supply contracts after risk management
Table 15.8 Economic parameters after risk management
16: CASE STUDY 3: Development of Risk Registers at Corporate, Strategic Business Unit and Project levels and a Risk Statement
Table 16.1 Risk management technique at each level
17: CASE STUDY 4: Development of a Typical Risk Statement to Shareholders
Table 17.1 Corporate risk register for UUU
Table 17.2 Strategic business unit risk register
Table 17.3 Project level risk register
List of Illustrations
1: Introduction
Figure 1.1 Levels within a corporate organisation (Merna 2003)
Figure 1.2 Relationship of risk to possible losses and gains
2: The Concept of Risk and Uncertainty and the Sources and Types of Risk
Figure 2.1 The concept of risk (Merna and Smith 1996) (Reproduced by permission of A. Merna)
Figure 2.2 Typical risk parameters (Adapted from Allen 1995)
Figure 2.3 Financial risk timeline
Figure 2.4 The effective bid process
3: The Evolution of Risk Management and the Risk Management Process
Figure 3.1 The risk identification process
Figure 3.2 The risk quantification and analysis process
Figure 3.3 The risk response process
4: Risk Management Tools and Techniques
Figure 4.1 Typical summary of a risk register output
Figure 4.2 Risk mapping concept
Figure 4.3 Probability–impact tables (Adapted from Allen 1995)
Figure 4.4 Risk matrix chart
Figure 4.5 Typical decision tree (Adapted from Marshell 2000)
Figure 4.6 Typical sensitivity analysis diagram
Figure 4.7 Cumulative probability distribution
Figure 4.8 Probability–impact grid
Figure 4.9 Typical project cumulative cash flow and the types of risk management techniques used throughout the life cycle of a project
Figure 4.10 The value management stages. (More emphasis at corporate level is made at the pre-investment stage with detailed SBU and project level involvement during the investment phase)
Figure 4.11 Soft systems methodology (Adapted from Smith 1999)
Figure 4.12 Typical indifference map (Adapted from Coyle 2001)
Figure 4.13 Risk options (Adapted from Coyle 2001)
Figure 4.14 Typical Tornado diagram for project schedule elements
5: Financing Projects, their Risks and Risk Modelling
Figure 5.1 The hierarchy of corporate finance objectives
Figure 5.2 Typical cumulative cash flow stages of a project
Figure 5.3 Seniority of financial instruments
6: Portfolio Analysis and Cash Flows
Figure 6.1 Typical risk/return profile
Figure 6.2 Risk adjusted return/risk profile (Pressinger 2005)
Figure 6.3 Positively correlated cash flows
Figure 6.4 Negatively correlated cash flows
Figure 6.5 Interdependencies of projects within a portfolio
Figure 6.6 The lending ladder
Figure 6.7 Cumulative cash flow curves of a typical base case for discounted and non-discounted inflows and outflows of cash
Figure 6.8 Cumulative combined base case cash flow for (a) Project 1, (b) Project 2 and (c) Projects 1 and 2
Figure 6.9 Comparison of the red line (lower curve) cumulative cash flow
Figure 6.10 Cumulative cash flow-generating multiple IRRs
Figure 6.11 Risk envelope for project or portfolio
Figure 6.12 Trend chart of probabilities in terms of cumulative cash flow over time
Figure 6.13 Straight-line interpolation of base case cumulative cash flow
Figure 6.14 Mechanism for portfolio assessment
Figure 6.15 Cumulative cash flow for a portfolio of projects (worst, base, and best cases)
Figure 6.16 Sensitivity analyses for portfolio shown in Table 6.4 for economic parameters CLU, PB and NPV in relation to IRR
Figure 6.17 Probability analyses for portfolio shown in Table 6.4 for economic parameters for mean, best and worst cases in relation to IRR
7: Risk Management at Corporate Level
Figure 7.1 Multidivisional structure (Adapted from Johnson and Scholes 1999)
Figure 7.2 Typical corporate structure (Merna 2003)
Figure 7.3 Key corporate strategy components
Figure 7.4 Events leading to accidents
8: Risk Management at Strategic Business Level
Figure 8.1 The wrappers model
Figure 8.2 Typical SBU organisation (Adapted from Merna 2003)
Figure 8.3 SBUs and sub-SBUs
Figure 8.4 Matrix management of department resources (Adapted from Smith 1999)
Figure 8.5 Key components of programme management (Adapted from Sandvold 1998)
9: Risk Management at Project Level
Figure 9.1 Typical project management functions (Merna 2003)
Figure 9.2 Typical organisation for a multi-disciplinary construction project
Figure 9.3 The project risk cycle
10: Risk Management at Corporate, Strategic Business and Project Levels
Figure 10.1 Levels within a typical corporate organisation
Figure 10.2 The risk management process/structure
Figure 10.3 Downward approach to risk management (Merna 2003)
Figure 10.4 Upward approach to risk management (Merna 2003)
Figure 10.5 Risk management mechanism
Figure 10.6 Risk management cycle
Figure 10.7 Risk assessment for all levels of an organisation
Figure 10.8 The risk management model
13: Quality Related Risks
Figure 13.1 Risks encountered by poor quality (Edosomwan 1995)
Figure 13.2 Schematic representation of the consequences of quality improvement (Al-Derham 2005)
Figure 13.3 The financial loss incurred by the increase in the number of defective units (Al-Derham 2005)
Figure 13.4 A graph showing the decrease in the number of defective units as the prevention costs increase (Al-Derham 2005)
Figure 13.5 The effects of quality risks on the cash flow (Al-Derham 2005)
14: CASE STUDY 1: Risks in Projects in the Pharmaceutical Industry
Figure 14.1 The major stages of a typical drug development process
Figure 14.2 Typical cumulative cash flow over the patent life of 20 years. Over the first 6–7 years of the development process approximately 30% of the total development cost is expended
15: CASE STUDY 2: Risk Modelling of Supply and Off-take Contracts in a Petroleum Refinery Procured through Project Finance
Figure 15.1 Typical risks in the construction and operation of a refinery
Figure 15.2 Contractual structure of a refinery procured through project finance
Figure 15.3 Typical bundling of supply contracts and their product sales
Figure 15.4 Iran H spot market price distribution
Figure 15.5 Iran H distribution with supply contract
Figure 15.6 Change in construction cost on distillation plant
Figure 15.7 Decision variable examples
Figure 15.8 IRR cumulative frequency chart
Figure 15.9 Sensitivity spider chart when taking Daqing crude oil supply
Figure 15.10 Cumulative cash flow of benchmark crude supply
Figure 15.11 Efficient frontier
16: CASE STUDY 3: Development of Risk Registers at Corporate, Strategic Business Unit and Project levels and a Risk Statement
Figure 16.1 Risk register criticality value
Figure 16.2 Impact weighting factors for PIG analysis
Figure 16.3 Probability – impact grid
Figure 16.4 Risk register output at corporate level
Figure 16.5 Risk register at strategic business level
Figure 16.6 Risk register at project level
Figure 16.7 Risk register for risk statement
17: CASE STUDY 4: Development of a Typical Risk Statement to Shareholders
Figure 17.1 Organisational structure of UUU Corporation
Figure 17.2 Probability impact grid for risks at corporate level
Figure 17.3 Probability impact grid for the strategic business unit level
Figure 17.4 Probability impact grid for the project level
Corporate Risk Management
2nd Edition
Tony Merna
Faisal AL-Thani
Copyright © 2008 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England
Telephone (+44) 1243 779777
Email (for orders and customer service enquiries): cs-books@wiley.co.uk
Visit our Home Page on www.wiley.com
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to permreq@wiley.co.uk, or faxed to (+44) 1243 770620.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Other Wiley Editorial Offices
John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Canada Ltd, 6045 Freemont Blvd, Mississauga, ONT, L5R 4J3, Canada
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
Merna, Tony.
Corporate risk management / Tony Merna and Faisal AL-Thani. – 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-51833-5 (cloth : alk. paper)
1. Risk management. 2. Corporations—Finance—Management.
3. Industrial management.
I. AL-Thani, Faisal F. II. Title.
HD61.M463 2008
658.15’5—dc22
2008004969
Tony Merna – to my loving mother; an inspiration
Faisal AL-Thani – to my family
1
Introduction
1.1 INTRODUCTION
If you can’t manage risk, you can’t control it. And if you can’t control it you can’t manage it. That means you’re just gambling and hoping to get lucky.
(J. Hooten, Managing Partner, Arthur Andersen & Co., 2000)
The increasing pace of change, customer demands and market globalisation all put risk management high on the agenda for forward-thinking companies. It is necessary to have a comprehensive risk management strategy to survive in today’s market place. In addition, the Cadbury Committee’s Report on Corporate Governance (1992) states that having a process in place to identify major business risks, as one of the key procedures of an effective control system, is paramount. This has since been extended in the Guide for Directors on the Combined Code, published by the Institute of Chartered Accountants (1999). This guide is referred to as the ‘Turnbull Report’ (1999) for the purposes of this book.
The management of risk is one of the most important issues facing organisations today. High-profile cases such as Barings and Railtrack in the UK, Enron, Adelphia and Worldcom in the USA, and recently Parmalat, demonstrate the consequences of not managing risk properly. For example, organisations which do not fully understand the risks of implementing their strategies are likely to decline. Marconi decided to move into a high-growth area in the telecom sector but failed in two distinct respects. Firstly, growth was by acquisition and Marconi paid premium prices for organisations because of the competitive consolidation within the sector. Secondly, the market values in the telecom sector slumped because the sector was overexposed owing to debt caused by slower growth in sales than expected.
1.2 WHY MANAGING RISK IS IMPORTANT
The Cadbury Report on Corporate Governance Committee Working Party (1992) on how to implement the Cadbury Code requirement for directors to report on the effectiveness of their system of internal control lists the following criteria for assessing effectiveness on the identification and evaluation of risks and control objectives:
identification of key business risks in a timely manner
consideration of the likelihood of risks crystallising and the significance of the consequent financial impact on the business
establishment of priorities for the allocation of resources available for control and the setting and communicating of clear control objectives.
The London Stock Exchange requires every listed company to include a statement in its annual report confirming that it is complying with this code, or providing details of any areas of non-compliance. This has since been reinforced and extended by the Turnbull Report (1999). The Sarbanes-Oxley Act (2002) is similar to the Turnbull Report. This Act introduced highly significant legislative changes to financial practice and corporate governance regulation in the USA. The Act requires chief executive officers (CEOs) and group financial directors (GFDs) of foreign private registrants to make specific certifications in annual reports.
In today’s climate of rapid change people are less likely to recognise the unusual, the decision-making time frame is often smaller, and scarce resources often aggravate the effect of unmanaged risk. The pace of change also means that the risks facing an organisation change constantly (time related). Therefore the management of risk is not a static process but a dynamic process of identification and mitigation that should be regularly reviewed.
1.3 GENERAL DEFINITION OF RISK MANAGEMENT
The art of risk management is to identify risks specific to an organisation and to respond to them in an appropriate way. Risk management is a formal process that enables the identification, assessment, planning and management of risks.
All levels of an organisation need to be included in the management of risk in order for it to be effective. These levels are usually termed corporate (policy setting), strategic business (the lines of business) and project. Risk management needs to take into consideration the interaction of these levels and reflect the processes that permit these levels to communicate and learn from each other.
The aim of risk management is therefore threefold. It must identify risk, undertake an objective analysis of risks specific to the organisation, and respond to the risks in an appropriate and effective manner. These stages include being able to assess the prevailing environment (both internal and external) and to assess how any changes to that prevailing environment would impact on a project in hand or on a portfolio of projects.
1.4 BACKGROUND AND STRUCTURE
This book provides background knowledge about risk management and its functions at each level within an organisation, namely the corporate, strategic business and project levels.
Figure 1.1 illustrates a typical organisational structure which allows risk management to be focused at different levels. By classifying and categorising risk within these levels it is possible to drill down and roll up to any level of the organisational structure. This should establish which risks a project is most sensitive to so that appropriate risk response strategies may be implemented to benefit all stakeholders.
Figure 1.1 illustrates the corporate, strategic business and project levels which provide the foundation for this book. Risk management is seen to be integral to each level although the flow of information from level to level is not necessarily on a top-down or bottom-up basis. Merna and Merna (2004) believe risks identified at each level are dependent on the information available at the time of the assessment, with each risk being assessed in more detail as more information becomes available. In effect, the impact of risk is time related.
Figure 1.2 illustrates the possible outcomes of risk. The word ‘risk’ is often perceived in a negative way. However, managed in the correct way, prevailing risks can often have a positive impact.
Figure 1.1 Levels within a corporate organisation (Merna 2003)
Figure 1.2 Relationship of risk to possible losses and gains
Risk management should consider not only the threats (possible losses) but also the opportunities (possible gains). It is important to note that losses or gains can be made at each level of an organisation.
1.5 AIM
The aim of this book is to analyse, compare and contrast tools and techniques used in risk management at corporate, strategic business and project levels and develop a risk management mechanism for the sequencing of risk assessment through corporate, strategic business and project stages of an investment.
Typical risks affecting organisations are discussed and risk modelling through computer simulation is explained.
The book also examines portfolio risk management and cash flow management.
1.6 SCOPE OF THE BOOK
Chapter 2 discusses the concept of risk and uncertainty in terms of projects and investments. It then outlines the sources and types of risk that can affect each level of an organisation.
Chapter 3 is a general introduction to the topic of risk management. It summarises the history of risk management and provides definitions of risk and uncertainty. It also describes the risk process, in terms of identification, analysis and response. It then goes on to identify the tasks and benefits of risk management, the risk management plan and the typical stakeholders involved in an investment or project.
Chapter 4 is concerned with the tools and techniques used within risk management. It prioritises the techniques into two categories, namely qualitative and quantitative techniques, and describes how such techniques are implemented. It also provides the elements for carrying out a country risk analysis and briefly describes the risks associated with investing in different countries.
Chapter 5 outlines the risks involved in financing projects and the different ways of managing them. The advantages and disadvantages of risk modelling are discussed, and different types of risk software described.
Chapter 6 is concerned with portfolios and the strategies involved in portfolio selection. Bundling projects is examined and cash flows specific to portfolios are analysed. Various methods of cash flow analyses are discussed.
Chapter 7 is specific to the corporate level within an organisation. It is concerned with the history of the corporation, corporate structure, corporate management and the legal obligations of the board of directors, corporate strategy and, primarily, corporate risk.
Chapter 8 is specific to the strategic business level within an organisation. It discusses business formation, and defines the strategic business unit (SBU). It is primarily concerned with strategic management functions, strategic planning and models used within this level. Risks specific to this level are also identified.
Chapter 9 is specific to the project level within an organisation. It outlines the history of project management, its functions, project strategy and risks specific to the project level.
Chapter 10 provides a generic mechanism for the sequence and flow of risk assessment in terms of identification, analysis and response to risk at corporate, strategic business and project levels.
Chapter 11 describes a number of corporate governance codes and how they address the need for risk management.
Chapter 12 introduces the Basel II framework and discusses, in particular, how probability of default (PD) and loss given default (LGD) are addressed, along with other operational management issues.
Chapter 13 describes how quality management can be used to manage many of the risks inherent in organisations and how quality related risks can affect the profitability of an investment.
Chapter 14 provides Case Study 1 which investigates the pharmaceutical industry and illustrates the typical risks in a drug development process (DDP) and how many of these risks can be mitigated.
Chapter 15 provides Case Study 2 which shows the risks associated with the procurement of crude oil and the sale of refined products. This case study also addresses the risks in the supply and offtake contracts and utilises Crystal Ball as the simulation software for modelling and assessment of risks.
Chapter 16 provides Case Study 3 which describes the development of risk registers at corporate, strategic business unit and project levels and the development of a risk statement for a specific project.
The final chapter, Chapter 17, provides Case Study 4 which describes how the major risks at each level of a corporation can be identified and quantitatively analysed and then summarised to develop a risk statement for shareholders.
2
The Concept of Risk and Uncertainty and the Sources and Types of Risk
Man plans, God smiles
(Hebrew proverb)
Fortune favours the prepared
(Louis Pasteur)
2.1 INTRODUCTION
Risk affects every aspect of human life; we live with it every day and learn to manage its influence on our lives. In most cases this is done as an unstructured activity, based on common sense, relevant knowledge, experience and instinct.
This chapter outlines the basic concept of risk and uncertainty and provides a number of definitions of them. It also discusses the dimensions of risk and the perception of risk throughout an organisation. Different sources and types of risk are also discussed.
2.2 BACKGROUND
Uncertainty affects all investments. However, uncertainty can often be considered in terms of probability provided sufficient information is known about the uncertainty. Probability is based on the occurrence of any event and thus must have an effect on the outcome of that event. The effect can be determined on the basis of the cause and description of an occurrence. For example, the cause, description and effect can be illustrated by the following:
‘Crossing the road without looking’ will most likely result in ‘injury’.
Figure 2.1 illustrates the concept of risk in terms of uncertainty, probability, effect and outcome.
Figure 2.1 The concept of risk (Merna and Smith 1996) (Reproduced by permission of A. Merna)
Once the probability, cause and effect of an occurrence can be determined then a probability distribution can be computed. From this probability distribution, over a range of possibilities, the chances of risk occurring can be determined, thus reducing the uncertainty associated with this event.
The authors suggest that uncertainty can often be interpreted as prophecy, since a prophecy is not based on data or experience. A prediction, however, is normally based on data or past experience and thus offers a basis for potential risk.
2.3 RISK AND UNCERTAINTY: BASIC CONCEPTS AND GENERAL PRINCIPLES
According to Chapman and Ward (1997):
All projects involve risk – the zero risk project is not worth pursuing. Organisations which better understand the nature of these risks and can manage them more effectively can not only avoid unforeseen disasters but can work with tighter margins and less contingency, freeing resources for other endeavours, and seizing opportunities for advantageous investment which might otherwise be rejected as too risky.
Risk and uncertainty are distinguished by both Bussey (1978) and Merrett and Sykes (1983) as:
A decision is said to be subject to risk when there is a range of possible outcomes and when known probabilities can be attached to the outcome.
Uncertainty exists when there is more than one possible outcome to a course of action but the probability of each outcome is not known.
In today’s business, nearly all decisions are taken purely on the basis of financial consequences. Business leaders need to understand and know whether the returns on a project justify taking risks, and the extent of these consequences (losses) if the risks do materialise. Investors, on the other hand, need some indication of whether the returns on an investment meet their minimum returns if the investment is fully exposed to the risks identified. Merna (2002) suggests:
we are at a unique point in the market where players are starting to recognise that risks need to be quantified and that information about these projects needs to be made available to all participants in the transaction.
Therefore identifying risks and quantifying them in relation to the returns of a project is important. By knowing the full extent of their gains and/or losses, business leaders and investors can then decide whether to sanction or cancel an investment or project.
2.4 THE ORIGIN OF RISK
The origin of the word ‘risk’ is thought to be either the Arabic word risq or the Latin word riscum (Kedar 1970). The Arabic risq signifies ‘anything that has been given to you [by God] and from which you draw profit’ and has connotations of a fortuitous and favourable outcome. The Latin riscum, however, originally referred to the challenge that a barrier reef presents to a sailor and clearly has connotations of an equally fortuitous but unfavourable event.
A Greek derivative of the Arabic word risq which was used in the twelfth century would appear to relate to chance of outcomes in general and have neither positive nor negative implications (Kedar 1970). The modern French word risqué has mainly negative but occasionally positive connotations, as for example in ‘qui ne risque rien n’a rien’ or ‘nothing ventured nothing gained’, whilst in common English usage the word ‘risk’ has very definite negative associations as in ‘run the risk’ or ‘at risk’, meaning exposed to danger.
The word ‘risk’ entered the English language in the mid seventeenth century, derived from the word ‘risque’. In the second quarter of the eighteenth century the anglicised spelling began to appear in insurance transactions (Flanagan and Norman 1993). Over time and in common usage the meaning of the word has changed from one of simply describing any unintended or unexpected outcome, good or bad, of a decision or course of action to one which relates to undesirable outcomes and the chance of their occurrence (Wharton 1992). In the more scientific and specialised literature on the subject, the word ‘risk’ is used to imply a measurement of the chance of an outcome, the size of the outcome or a combination of both. There have been several attempts to incorporate the idea of both size and chance of an outcome in the one definition. To many organisations risk is a four-letter word that they try to insulate themselves from.
Rowe (1977) defines risk as ‘The potential for unwanted negative consequences of an event or activity’ whilst many authors define risk as ‘A measure of the probability and the severity of adverse effects’. Rescher (1983) explains that ‘Risk is the chancing of a negative outcome. To measure risk we must accordingly measure both its defining components, and the chance of negativity’. The way in which these measurements must be combined is described by Gratt (1987) as ‘estimation of risk is usually based on the expected result of the conditional probability of the event occurring times the consequences of the event given that it has occurred’.
It follows then that in the context of, for example, a potential disaster, the word ‘risk’ might be used either as a measure of the magnitude of the unintended outcome, say, 2000 deaths, or as the probability of its occurrence, say, 1 in 1000 or even the product of the two – a statistical expectation of two deaths (Wharton 1992). Over time a number of different, sometimes conflicting and more recently rather complex meanings have been attributed to the word ‘risk’. It is unfortunate that a simple definition closely relating to the medieval Greek interpretation has not prevailed – one which avoids any connotation of a favourable or unfavourable outcome or the probability or size of the event.
The model shown in Figure 2.2 suggests that risk is composed of four essential parameters: probability of occurrence, severity of impact, susceptibility to change and degree of interdependency with other factors of risks. Without any of these the situation or event cannot truly be considered a risk. This model can be used to describe risk situations or events in the modelling of any investments for risk analysis.
The use of a risk model helps reduce reliance upon raw judgement and intuition. The inputs to the model are provided by humans, but the brain is given a system on which to operate (Flanagan and Norman 1993).
Figure 2.2 Typical risk parameters (Adapted from Allen 1995)
Models provide a backup for our unreliable intuition. A model can be thought of as having two roles:
It produces an answer.
It acts as a vehicle for communication, bringing out factors that might not be otherwise considered.
Models provide a mechanism by which risks can be communicated through the system. A risk management system is a model; it provides a means for identification, classification and analysis and then a response to risk.
2.4.1 Dimensions of Risk
A common definition of risk – the likelihood of something undesirable happening in a given time – is conceptually simple but difficult to apply. It provides no clues to the overall context and how risks might be perceived. Most people think of risk in terms of three components: something bad happening, the chances of it happening, and the consequences if it does happen. These three components of risk can be used as the basis of a structure for risk assessment. Kaplan and Garrick (1981) proposed a triplet for recording risks which includes a set of scenarios or similar occurrences (something bad happens), the probabilities that the occurrences take place (the chances something bad happens), and the consequence measures associated with the occurrences.
In some ways, this structure begs the question of definition because it is still left to the risk assessors to determine what ‘bad’ actually means, what the scenarios or occurrences are that can lead to something bad, and how to measure the severity of the results. The steps involved in defining and measuring risk include:
Defining ‘bad’ by identifying the objectives of an organisation and the resources that are threatened.
Identifying scenarios whose occurrence can threaten the resources of value.
Measuring the severity or magnitude of impacts.
The severity or magnitude of consequences is measured by a value function that provides the common denominator. The severity can be measured in common units across all the dimensions of risk by translating the impact into a common unit of value. This can be a dimensionless unit such as the utility functions used in economics and decision analysis or some common economic term (Kolluru et al. 1996).
The issue here is selecting an appropriate metric for measuring impacts and then determining the form of the effects function. This form has to be capable of representing risk for diverse stakeholders and of expressing the impacts to health, safety and the environment as well as other assets.
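The triplet structure and value function described above can be sketched in code; this is an added illustration, not material from the book. The class and function names, the unit weights and the sample register are hypothetical, and the curve assumes the recorded scenarios occur independently of one another.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class RiskTriplet:
    scenario: str       # what can go wrong
    probability: float  # chance it occurs in the assessment period
    consequence: float  # size of the impact, in its native unit
    unit: str           # native unit, e.g. "gbp" or "delay_days"

def severity(t, value_per_unit):
    """Value function: translate a consequence into the common unit."""
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"{t.scenario}: probability must lie in [0, 1]")
    if t.unit not in value_per_unit:
        raise ValueError(f"{t.scenario}: no value function for unit {t.unit!r}")
    return t.consequence * value_per_unit[t.unit]

def expected_loss(register, value_per_unit):
    """Sum of probability x severity over all recorded scenarios."""
    return sum(t.probability * severity(t, value_per_unit) for t in register)

def exceedance_curve(register, value_per_unit):
    """[(x, P(at least one scenario of severity >= x occurs))], ascending x.

    Assumes scenarios occur independently of one another.
    """
    levels = sorted({severity(t, value_per_unit) for t in register})
    curve = []
    for x in levels:
        p_none = prod(1.0 - t.probability for t in register
                      if severity(t, value_per_unit) >= x)
        curve.append((x, 1.0 - p_none))
    return curve

# Constructed sample register and weights (hypothetical figures).
WEIGHTS = {"gbp": 1.0, "delay_days": 20_000.0}
REGISTER = [
    RiskTriplet("Supplier insolvency", 0.05, 400_000.0, "gbp"),
    RiskTriplet("Commissioning overrun", 0.30, 10.0, "delay_days"),
    RiskTriplet("Regulatory fine", 0.10, 200_000.0, "gbp"),
]

if __name__ == "__main__":
    print(f"Expected loss: {expected_loss(REGISTER, WEIGHTS):,.0f}")
    for x, p in exceedance_curve(REGISTER, WEIGHTS):
        print(f"P(some scenario costing >= {x:,.0f}) = {p:.3f}")
```

Changing the weights in the value function changes both the expected loss and the ordering of scenarios on the curve, which is why the choice of metric matters for diverse stakeholders.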
One response, still surprisingly common, is to shy away from risk and hope for the best. Another is to apply expert judgement, experience and gut feel to the problem. In spite of this, substantial investments are decided on the basis of judgement alone, with little or nothing to back them up.
2.5 UNCERTAINTIES
Risk and uncertainty as distinguished by both Bussey (1978) and Merrett and Sykes (1973) were discussed earlier in this chapter. The authors Vernon (1981) and Diekmann et al. (1988), however, consider that the terms risk and uncertainty may be used interchangeably but have somewhat different meanings, where risk refers to statistically predictable occurrences and uncertainty to an unknown of generally unpredictable variability.
Lifson and Shaifer (1982) combine the two terms by defining risk as:
The uncertainty associated with estimates of outcomes.
Uncertainty is used to describe the situation when it is not possible to attach a probability to the likelihood of occurrence of an