Research on Implementation Model of EnterprisesRisk Management Yan-fang Gao ,Yuan-yuan Chen
advertisement
Research on Implementation Model of EnterprisesRisk Management Yan-fang Gao1 ,Yuan-yuan Chen2 1 2 School of Economics, Wuhan University of Technology, Wuhan, China School of Postgraduate in Inner Mongolia University of Finance and Economics, Hohhot, China (nmgyf512@yahoo.com.cn) Abstract: Risks bring about opportunities as well as challenges to the enterprises. If corporations expect to achieve the fixed goal , they have to maximize the effectiveness of assets ,and minimize risks at the same time. That’s why companies must identify and assess all the significant risks, take response measures and ensure sustainable development by building an increasingly sophisticated risk management system. Keyword: risk assessment, response management, implementation, Since the serious financial scandal of Barings Bank, Enron, WorldCom and others had been exposed one after another, modern enterprise risk management has become a focus of the international concern. In October 2004, COSO, which was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, namely the famous Treadway Commission, introduced a new report, “enterprise risk management :integrated framework”. In this framework, a more comprehensive concept that is risk management appeared to instead of risk assessment which existed as a factor in the former COSO report. Besides that, the board and the management administration are required to pay their attention on major risks areas. As one of main tasks of the management, risk management should ensure that there is a good and effective risk management process in the organization. I.THE SIGNIFICANCE OF IMPLEMENT OF RISK MANAGEMENT IN COMPANIES Enterprises are symbiotic with risks. In recent decades, similarly tragic stories staged in commercial arena: a company with amazing profits which once listed in the world’s top 500 enterprises has been given instantaneous heavy blow and even went bankruptcy; the blue chips in the stock market might become a junk stock one day. Because of a variety of uncertainties and the increasing of risks the enterprises face, a sound risk management has increasingly become an essential element for a modern company to survive. No business exists without risks, which means risks also can offer opportunities to enterprises, so a corporation has to deal with various difficulties and face with a variety of risks. The company will not be profitable if risks don’t exist. Obviously, from the point of view of enterprise’s profitability, a company’s strategy should bear more risks. In addition, risks cause challenges because they may endanger the company’s survival directly. If the corporations expect to achieve the stated objectives, get the maximum return of shareholders’ interests, and maximize the efficiency of assets with minimizing risks at the same time, companies must identify and assess all the significant risks, take response measures and ensure sustainable development by building an increasingly sophisticated risk management system. Risk management refers to a process of identifying and assessing the uncertainty that obstruct the company’s goal, and taking response measures to control those uncertainties in an acceptable range. The environments where the trend and indication of economic development are unpredictable are changing, and so are the customer preferences and demands, so it is essential for companies to foresee the risks arise from those changes. For those unforeseen emergencies, the management should make the risk management plan with a positive attitude. The idea of risk management is to analyze all the risks existing both in and out of the company, and then deal with those through formulating the management strategies, so as to increase the profitability. The complete and effective risk management system and procedure contribute to the management to deal with the various risks calmly and to the company survive and develop. II.THE IMPLEMENTATION PROCEDURE OF RISK MANAGEMENT A. Analyzing the risk environment The internal and external risk environment factors may have bad influence on a company to achieve its goals. The external risk environment factors are including state law, regulation, policy and economic environment changes, the development of science and technology, industry competition, market changes, natural disasters and so on. The internal factors contain the defects of governance mechanisms, the characteristics of business activities, the nature and management of assets, the failure or the interruption of information system, and the fact that staff’s qualities and skills cannot meet the requirement, etc. The management authorities must focus on the changes in factors about risk environment so that they can give further consideration to whether the changes and controls of organizational structure are in line with the situation. B. Identifying risks sufficiently The task of risks identification is to identify where the risks are and what cause them, and to make qualitative estimates of the consequences. Risk identification needs to answer the following questions: What are the potential risk factors in the business? What kinds of risks these risk factors can cause? How severe the consequences of these risks? 1. Risk factors and risk categories (1) The factors of Risk Risk factors are the potential causes and conditions of risk accidents. To a company, there are a lot of factors that can affect the risks, furthermore, the degrees of influence from the same factor are different dramatically in different types of enterprises, so the enterprises should identify the risk factors according to the importance of matters, which may affect enterprises adversely, shown as following: 1)Integrity and capability of the management 2)The impact of staff changes and abnormal pressures the company suffered 3)The extent of government regulation and the limits of national policies and regulation 4)Firm size and the assets’ liquidity 5)Market competition 6)Financial environment and microeconomic situation 7)The risks of financing and investing 8)Tax risks 9 ) The degree of information system’s computerization 10)The scientific and technological progress, and social and cultural changes 11)The natural environment of operating areas and the extent of decentralizing 12)Adequacy of the systems and procedures 13)Audit interval and results 14 )The agreement of audit found and the measures that were taken based on its findings 15)The transparency to the public (2) Risk types Overall, enterprise risks can be classified in different ways. In accordance with business types, the risks can be divided into following four categories: 1)Strategic risks Strategic risks are those factors that affect the whole development direction of the company, corporate culture, information, survival ability and corporate performance. They contain domestic and international macroeconomic policies, economic conditions, industry status, national industrial policies, the strategy and planning of a firm, and corporate strategic partner, etc. 2)Operational risks Operational risks are those risks which can lead to direct or indirect loss to a company due to the lacks or errors in operation procedures, staffs and systems, or even the external events. They are including the performance and management status of the company; the knowledge structure and professional experiences of the middle and senior management; the management of quality, safety, environmental protection, and information safety; natural disasters and other pure risks; the effect caused by the uncertainty of future market prices such as interest rates, exchanges rates, stock prices and commodity prices on a company to achieve its stated objectives; the capabilities of a company supervising , evaluating and improving its current business operation , etc. 3)Financial risks Financial risks refer to those financial uncertainties derived from the unpredicted and beyond controlled factors in financial activities, which may cause financial losses. They include corporate liabilities, contingent liabilities, the debt ratio, solvency; cash flow, accounts receivable and its proportion of total sales revenue, cash flow rate; product inventory, the proportion it accounts for the cost of sales, accounts payable and the proportion it accounts for the purchases and corporate profitability. 4)Legal risks Legal risks refer to the negative or unpredicted losses that caused by a company when it enjoys rights and fulfills the obligation improperly in its process of establishment and operation. They include business-related political and legal environment at home and abroad, major agreements and trade contracts signed by the company, the occurrence of major legal disputes; the intellectual property of an enterprise and its competitors. 2. The methods of identifying risk factors and various risks In practice, there are lots of methods used to identify risks, such as Brainstorming, Delphi Method, Scenarios Analysis and SWOT analysis method. (1) Brainstorming Brainstorming, which is known as collective thinking, is an intuitional prediction and identification method that can help to collect future information by creative thinking of experts. In brainstorming, multi-disciplinary experts might be invited to be participated. Under the guidance of a facilitator, the participants express their own views on risks about a particular area. When using this method to study risks issues, the facilitator is required to stimulate the experts’ inspiration in the speech at the beginning of meeting, so as to prompt experts to answer the questions quickly. Through the exchange of information and mutual inspiration, experts will be induced to generate the phenomenon called “Thinking resonance”, which means the ideas can be complementary and have the "portfolio effect". Therefore, more future information will be discovered and the results of prediction and identification will be more accurate. (2) The Delphi method The Delphi method, also called the expert survey, is a risk method where the experts identify risks based on their intuitive ability and come to an agreement on a particular issue. The process to identify risks with Delphi method is as following, firstly, selecting the areas and experts relevant to the topic by the risk team; secondly, establishing a direct inquiry of contact with those experts and gathering their opinions by the letter of inquiry; thirdly, inducing these ideas and feedback to the experts in an anonymous way to consult them again. After several rounds of inquiry, and consulting, inducting and modifying the results repeatedly, the basically same view can be agreed by the experts. (3) Scenarios Analysis Scenarios Analysis is a systematic technology that applies to predicting and identifying the risks of a project with more variables. It assumes that all the key factors may occur, so various Scenarios are imagined; and then different results are put forward in order to take the appropriate measures of response in the future. Its basic principle is to design variable future prospects after the analysis of related issues within and outside the system according to the diversity of development trends, and to make description of the system development trends situation and pictures in a way which is similar to writing a screenplay. Scenario analysis can be particularly useful for the following: to alert policy makers to focus on risks or consequences that may aroused by certain measures or policies; to clarify the scope of risks need to be monitored; to study the effects key factors have on the future process; to draw attention to what kinds of risks the technology development will give rise to, etc. (4) SWOT analysis SWOT analysis is the analysis of advantages, disadvantages, opportunities and threats, it can ensure to review the project from each angle of the trend analysis so as to expand the breadth of risk concerned. S - Strength, namely the strengths of (advantages to) enterprises themselves, such as sufficient cash, the improvement of market share, skilled workers, strong capabilities of product development. W - Weakness is the enterprise's own weaknesses (disadvantages), such as the shortage of funds, the decline in market share, the situation business equipment or skilled workers cannot suited to new technologies or new materials, poor ability to develop new product. O - Opportunities, the opportunities are offered by external markets, such as good market prospects, the financial crisis of competitors, the increasingly rich of raw materials’ supply, the appearance of new materials or new technology. T - Threat, is the threat of external markets, such as that the market outlook is not optimistic, that competitors adopt new technologies or new materials early, that materials supply has become tighter, that material prices are increasing, and that consumers’ quality requirements are higher. The Weakness and Threat above are where the risks faced by business come from. C. Assessing risks appropriately There are lots of risks can be defined according to the risk assessment procedures. And the management and controlling of risks are based on the resources consumption, so in order to ensure resources to play an ideal role, the company needs to assess the risks which have identified to determine the order of the controlled risks. Besides that, the risk assessment results have an impact on the efficiency and effectiveness of the resources use by affecting its tactics directly. Typically, based on the consideration of cost-effective, the company will take different measures towards different risks. To decide what kinds of countermeasures should be taken is depended on the analysis on the possibilities and anticipated results of identified risks. Quantitative analysis and qualitative analysis can be used to assess risks. In quantitative analysis, the risk was assessed from two perspectives generally: risk probability and risk impact. The risk probability is the likelihood of risk, which relies on someone’s subjective experience. Risk impact, also known as risk seriousness, refers to the degree of impact risks may have on the enterprise, namely its losses. After clarifying the risk probability and risk impact, the Value at Risk can be estimated according to the following formula: Risk Value = Risk Probability ×Risk Impact It is clear that the size of Risk Value depends on Risk Probability and Risk Impact from the above formula. If risk probability is zero, risk values are zero no matter how much the degree of risk impact is; if risk probability is high while risk impact is zero, then the risk value is also zero; if both the risk probability and risk impact are high, the risk value is necessarily high, to which the risk management should be given high attention. The risk assessment process in Quantitative analysis is shown below Fig. 1: The risks in the first quadrant should be paid more attention to by the management because risk probability and impact are both higher; generally, since the risks in the second and third quadrant either have much influence on the firm or have higher possibility to High Inspection/ Preventing at Correction and Risks in the second monitoring the source Risks in the first quadrant quadrant (type A) (type B) The extent of risk impact Continuous Monitoring assessment without and adjusting Risks in monitoring the fourth Risks in the first quadrant quadrant (type C) (type D) Low Risk Probability Fig. 1 The risk assessment process in Quantitative analysis occur, the management needs to take ex post risk management measures such as examination and correction, that is not as good as the preventive measures in effect and prone to bring residual risks, which are risks that cannot be eliminated after taking countermeasures, that’s why the risks in these two quadrant require focus. TABLE I degree of High Due to the unimportance and small likelihood, the risks in the fourth quadrant may be disregarded. The risk assessment results can also be reflected qualitatively by risk analysis matrix, as shown below TABLE I: Schematic diagram of Risk analysis matrix influence possibility Almost certainly likely may unlikely Highly unlikely Very small small general serious Very serious Serious Serious High High High risk risk risk risk risk Moderate Serious Serious High High risk risk risk risk risk Low Moderate Serious High High risk risk risk risk risk Low Low Moderate Serious High risk risk risk risk risk Low Low Moderate Serious Serious risk risk risk risk risk When a company is facing high risks, immediate actions should be taken in response and the board of directors, the management, and the related agencies should be involved; If it is facing serious risks, the management and related departments need to pay close attention to the occurrence of such risks; If it is facing moderate risks, the risks should be managed by specific monitoring program; And if it is faced with low risk, they should be managed through routine procedures, and may not require specific use of resources. operation to develop new market so as to achieve higher strategic targets. When choosing risk countermeasures, companies should also consider the cost-benefit relationship, and then choose the appropriate risk response measures to control risk according to corporate risk tolerance. D. Choosing countermeasures to risks correctly Whether the risk management is successful or not is decided by the communication of risk information. Risks information communication requires that the information can be passed to the related internal staffs timely and effectively so that measures can be taken quickly. Take the Microsoft as an example: it transmits risk information to employee’s desktop directly by Corporate Intranet, and offers the definition of each risk, its positive and negative consequences, the place where the staffs can get the help about risk management and other risk management methods online. In addition, some of risk management information is also passed to other interested parties, such as the supervisors, board and audit committee who need to understand the risk management and others like suppliers, debtors who want to know about risk management of enterprises. The company needs to determine to take what kinds of countermeasures according to different risks: avoiding the risks? Accepting the risks? Reducing the risks? Transferring the risks? That depends on the nature of risks and risk assessment results. For example, the organization can accept the risks that have returned; meanwhile, the organization should take some control measures to reduce the risks to an acceptable level and achieve the desired return. In this process, the risk management’s main work is to analyze and evaluate whether the risk return is reasonable and the risks countermeasures are effective. The risk countermeasure is ineffective if the company cannot afford the risks. Risk countermeasures are including risk avoidance, risk retention, risk transfer, risk reduction and the use of risk. 1. Risk avoidance Risk avoidance is not to take positive measures to deal with the risks, namely choosing the methods like giving up, stopping or to rejecting to avoid the losses. 2. Risk retention Risk retention, as known as risk acceptance, means to keep the risks when they are inevitable or can bring good returns. 3. Risk transfer Risk transfer, which is called risk-sharing, means to transfer financial losses and legal responsibility to others by contracts, economic and financial instruments and others, so that to reduce the frequency of risk occurrence and the losses. 4. Risk reduction Risk reduction refers to the system control measures and methods which are used to achieve the target of risk control by finding the sources of risk accident that make losses, reducing the likelihood and frequency of losses to occur and the extent of losses when a company is facing the risks and determining neither to giving up nor to transferring them In control activities, the company limits and reduces the risk by designing business control procedures, many of the internal control procedures are designed for this purpose. 5. Use of risk Use of risk means that a company regards risks as an opportunity and takes advantage of difficulties in E. Monitoring the information communication system of risks III.PROBLEMS SHOULD BE PAID ATTENTION TO IN RISK MANAGEMENT A. Building the risk management system suitable for enterprise features In order to implement risk management effectively, the spirit of risk management should be deeply rooted in corporate culture and staffs’ hearts and risk management should be integrated into the routine operation by a perfect risk management system. The core of risk management is to make the management understand what kinds of risks the enterprise is facing, how these risks change with a changing business environment, what level of risks the enterprise should afford, and how to manage these risks. The level of enterprise’s capabilities to manage risk, as well as the strength of the risk management needs, usually have a great difference because of the different industry, size, corporate culture and management philosophy. What determines that enterprise risk management activities, such as tools, techniques, the role of enterprise risk management, and distribution of responsibilities, is different with another enterprises’, even though every entity need its compositions to maintain the control to their activities. A complete and effective risk management system should be able to achieve the following objectives: 1. Make sure that the corporate risk management strategy is consistent with business development strategy; 2. Clarify risk management responsibilities in different levels and ensure the implementation of the risk management system; 3. Build the collection, analysis and reporting system of risk information, provide the basis for the risk of real-time monitoring and response; 4. Prevent or mitigate the risks that may cause significant losses to the enterprise effectively, and guarantee the achievement of corporate strategic objectives; 5. Integrate risk management and business activities, and avoid additional costs B. Key elements to implement risk management The signs of effective implementation of risk management are that the information for risk management was possessed, common terminology and standards are existed, risk management and the process of corporate strategic planning were integrated, risk management data has been quantified as much as possible, risk management has been integrated into every department and business unit, every employee knows clearly about their responsibility in risk management, a company can track and comply with the activity’s costs, the complied doings help to reduce the risk of non-compliance, etc. Therefore, key factors in the successful implementation of risk management include: 1. Supports from senior managers; 2 The recognition of risk management on the implementation within various functional departments and staff; 3 risk management and corporate strategy have been integrated, and the risk appetite and the countermeasures are set and adjusted from the dynamic and the long-term perspective; 4 To enhance the validity so that to make the implementation of risk management informed by stakeholders in a timely manner, that means the management should transform information from various sources into the information which can be prone to action by refining , processing and other methods, and exchange information with the related users fully. REFERENCES: [1]IAM,“EnterpriseRiskManagement:Frame-works,Elements ,and Integration”, 2006 [2]COSO,“Enterprise Risk Management—Integrated Framework”, 2004 [3]Pei-pei An,,Chenghu Liu,“Studies on Risk Management of Modern Enterprises”(in Chinese). Economic Problems. no.7,pp. 70-72,2008 [4]Qiao-liang Zhang, Li Ju, “International Comparison and Revelation of Enterprise Risk Management Framework” (in Chinese) .Modernization of Management. no.6, pp. 26-28, 2008 [5]He-zhen Sun,“Reflections on the establishment of enterprise risk management system” (in Chinese).Management Strategy. no.4, pp.23-28, 2010 [6]Zhi-guo Peng, Lin Liu, “Enterprise Internal Control and comprehensive Risk Management” (in Chinese). China Modern Economic Publishing.2008 [7]Ting-rong Qin, Wei-jiong Chen,Xiang-lei Zeng,Risk management modeling and its application in maritime safety Journal of Marine Science and Application.no.4, pp.67-71,2008 [8] Wei-we Liu, Jun Wang, “Analysis and evaluation of enterprise risk management capability elements”. Journal of Southeast University(English Edition).no.1,pp.81-85, 2008 [9]Tie-dong Chen, Ming-you Guo, “Taking All-round risk Management Drive Enterprise Management Innovation”, Journal of Liaoning Provincial College of Communications,no.4,pp.68-70,2008 [10]Guo-hua Chi, Dong-ge Wang, “Study of Investment Risk Management in the State-owned Enterprises Based on Enterprise Risk Management-Integrated Framework”, scientific design making, .no.3,pp.39-46,2010 [11]Christopher T. Nietch, Michail Borst, Joseph P. Schubauer-Berigan, “Risk Management of Sediment Stress: A Framework for Sediment Risk Management Research”. Environmental Management.no.2,pp.175-194,2005 [12]Bang-chuan Pan, Hong Chi, Jian-guo Xu, Ming-liang Qi, “Decision-making model for risk management of cascade hydropower stations”. Journal of Southeast University(English Edition).no.S1,pp.26-30,2008 [13]Qin Zhang, Liu-jin Chen, “The Theory and Frame of Enterprise Risk Management”, Contemporary Economy & Management,no.7,pp.31-38,2009 [14]Si-xin Zhao, Ri-jia Ding, “Building for enterprise-wide risk management framework”, China Mining Magazine,no.8, pp.45-48,2010 [15] Lan-rong Yang, Jin-long Zhang , “A Case-Based System for Construction Project Risk Management. Journal of Systems”. Science and Systems Engineering,no.4,pp.35-40,2004
