Risk Geography and Waterfalls? “Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing where the rocks are at each point along the river, where the bank is too wide, or where the fallen trees are, and then deciding the path, is all part Risk Management. Most important is knowing where and how to navigate the rapids, and not be thrown over the waterfall. Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material risks. Have you ever been faced with the occurrence of an event that was both material to the business, and yet was not on your radar (or risk register)? That rock in the river and that trumping, scraping feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does. It is difficult to look an executive team in the eyes and say “we, I mean I, missed that one”. Once you’ve done that, the question is “what else are we missing?” Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I could put in place to reduce the likelihood of such a mistake in future. This has led me to thinking about systemic risks and Black Swans as much as thinking about “internal” risks that might have been missed. This post provides an outline of my methodology change to improve completeness of risk consideration, with a focus on material risks. Exploring the Black Swan world Over the past few weeks, I’ve published a number of posts on both Risk Management (operational level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be doing concretely to address these risks? (http://raasconsulting.blogspot.com/2018/08/flockingblack-swans.html) The first step of course is to acknowledge that there are potential systemic risks, and that the enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a level of prudential preparation to weather external shocks. For example, would the entities investment portfolio as managed by the treasury function, stand up to a “Mark-to-Market” post a market event that resulted in bonds demanding a 5% additional return? Are banking agreements sufficient to ensure continuity of payments in the event of the failure of a key financial intermediary? Risk Appetite and Acceptance Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a vacuum. Senior management (and the Board for validation) should be confirming the risk universe and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a foundation for acceptance of the residual risk position acceptable to management and the Board. Of course, understanding the Risk Appetite for any particular risk requires understanding of the risk, identification of the gross potential impact, the current situation in relation to the control environment, and more importantly, the acceptable final risk position (“target” risk score). (http://raasconsulting.blogspot.com/2018/07/why-inherent-and-residual-risk-are.html) The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by someone with the authority to accept that final risk position. Anyone else “accepting” that risk is doing so on behalf of the shareholders, and very probably is doing so significantly outside the level of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk Authority (http://raasconsulting.blogspot.com/2018/07/risk-acceptance-need-for-delectationof.html). Seeing the “Same Thing” One of the most difficult activities is the identification of all material risks, internal and external. Lists and brainstorming seem to be the most common ways that these sets of risks are identified. And of course generic lists by industry are readily available online, modifiable to your business. These lists reflect a range of risks at a period in time, from the perspective of the list compiler. The next step to get past the list and identify the hidden or out-of-mind risks. All risk identification must start with the objectives of the business, even before the structure of the business. From there, a common model is needed, that all participants in the risk identification process are either familiar with, or can easily map to their experience and knowledge of the business. While it cannot be said that all participants in the risk identification process will be familiar with all aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will be very familiar with their areas, and how those areas impact discrete elements of the Balance Sheet of Cash Flow. Victoria, Iguazu or Angel A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals the amounts “going out”. A tool that I have found useful for the identification of risks, and to ensure a conversation about risk with senior management is the use of the waterfall diagram. Each element can be de-constructed to whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal the outcomes or outputs. The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and industrial company. It would look fundamentally different for a financial institution or insurance business. But in each type of company, regardless of industry, after revenues and various costs, we have the output: Net Income. Every element along the way, to a greater or lesser extent, inputs and outputs, contribute to the eventual result. More important, if each element represents a set of definable business objectives, then each element provides us with a specific area of potential risks. In clarification, business objectives like “complaints per X-thousand customers” is a business objective that relates to specific elements such as SGA (Sales, General and Administration Expenses), or in Insurance and Financial Services entities, in their Compliance costs as well as SGA. Let’s add some geography A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the width of the flow, the internal structure of the river and terrain around it all contribute. So we need to be considering all these facets when looking at our waterfall. Certainly we have experts internally on the flow and quantity of water, but how about understanding of the shoreline and associated geography (external factors). We also have people expert at the inner structure and working of the river itself (internal factors). Risk Identification and associate Risk Assessment need to consider all these factors, or critical risks (I must keep remembering to say “risks and opportunities”) will be missed, critical risks that have a fundamental baring on the likelihood of the business achieving objectives. While the metaphor may be imperfect, it does provide a framework. If we want to ensure that we have identified as many of the material risks as possible, then we need to look at each element of the Waterfall, and consider both the external and internal contributors to that element, and in so doing, identify the potential risks to the achievement of each of those elements. For a manufacturing and distribution company, the cost of distribution is a material component of the Cost of Goods Sold, and therefore any risks impacting distribution should be included. Consideration of the impact of the sub elements of distribution can be used to determine if the specific risk mitigation should be put in place. In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider distribution costs, or more importantly, the impact of changes in fuel costs as an element of their distribution costs. When fuel costs rose, so did their distribution costs, significantly. The inclusion of the potential of an external risk (increased fuel costs) occurring may have suggested the need for mitigation in the form of forward hedging of fuel costs, or hedging of transportation costs for rail costs. Flipping the Waterfall diagram on its side, and we have an excellent tool to help us identify “missed” risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and it helps us focus on, and in some cases identify, material risks. It also enables the people with the most knowledge of each waterfall element the opportunity to discuss that elements, the make-up and breakdown of the element, and to confirm the key risks. In addition, it supports challenge and common agreement of the material risks. In the example above, Internal and External components of the waterfall element are listed, and discussed to confirm that associated risks have been identified. Quantification of the materiality of the risks was a secondary task, but by using this methodology, it was easy for the participants to understand quickly how any change in the one of the waterfall elements impact the overall performance of the business. Of course, at the core of a successful risk identification (and confirmation - this should be done annually at least) is ensuring the widest range of people are involved. This most especially includes subject matter experts on each of the element of the waterfall, and representation from Internal Audit to ensure a common risk universe is agreed.