Risk Geography and Waterfalls?
“Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know
where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing
where the rocks are at each point along the river, where the bank is too wide, or where the fallen
trees are, and then deciding the path, is all part Risk Management. Most important is knowing where
and how to navigate the rapids, and not be thrown over the waterfall.
Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material
risks.
Have you ever been faced with the occurrence of an event that was both material to the business,
and yet was not on your radar (or risk register)? That rock in the river and that trumping, scraping
feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does.
It is difficult to look an executive team in the eyes and say “we, I mean I, missed that one”. Once
you’ve done that, the question is “what else are we missing?”
Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I
could put in place to reduce the likelihood of such a mistake in future.
This has led me to thinking about systemic risks and Black Swans as much as thinking about
“internal” risks that might have been missed. This post provides an outline of my methodology
change to improve completeness of risk consideration, with a focus on material risks.
Exploring the Black Swan world
Over the past few weeks, I’ve published a number of posts on both Risk Management (operational
level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be
doing concretely to address these risks? (http://raasconsulting.blogspot.com/2018/08/flockingblack-swans.html)
The first step of course is to acknowledge that there are potential systemic risks, and that the
enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a
level of prudential preparation to weather external shocks.
For example, would the entities investment portfolio as managed by the treasury function, stand up
to a “Mark-to-Market” post a market event that resulted in bonds demanding a 5% additional
return? Are banking agreements sufficient to ensure continuity of payments in the event of the
failure of a key financial intermediary?
Risk Appetite and Acceptance
Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a
vacuum. Senior management (and the Board for validation) should be confirming the risk universe
and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a
foundation for acceptance of the residual risk position acceptable to management and the Board.
Of course, understanding the Risk Appetite for any particular risk requires understanding of the risk,
identification of the gross potential impact, the current situation in relation to the control
environment, and more importantly, the acceptable final risk position (“target” risk score).
(http://raasconsulting.blogspot.com/2018/07/why-inherent-and-residual-risk-are.html)
The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by
someone with the authority to accept that final risk position. Anyone else “accepting” that risk is
doing so on behalf of the shareholders, and very probably is doing so significantly outside the level
of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk
Authority (http://raasconsulting.blogspot.com/2018/07/risk-acceptance-need-for-delectationof.html).
Seeing the “Same Thing”
One of the most difficult activities is the identification of all material risks, internal and external. Lists
and brainstorming seem to be the most common ways that these sets of risks are identified. And of
course generic lists by industry are readily available online, modifiable to your business. These lists
reflect a range of risks at a period in time, from the perspective of the list compiler. The next step to
get past the list and identify the hidden or out-of-mind risks.
All risk identification must start with the objectives of the business, even before the structure of the
business. From there, a common model is needed, that all participants in the risk identification
process are either familiar with, or can easily map to their experience and knowledge of the
business.
While it cannot be said that all participants in the risk identification process will be familiar with all
aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will
be very familiar with their areas, and how those areas impact discrete elements of the Balance Sheet
of Cash Flow.
Victoria, Iguazu or Angel
A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at
the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So
with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals
the amounts “going out”.
A tool that I have found useful for the identification of risks, and to ensure a conversation about risk
with senior management is the use of the waterfall diagram. Each element can be de-constructed to
whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal
the outcomes or outputs.
The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and
industrial company. It would look fundamentally different for a financial institution or insurance
business. But in each type of company, regardless of industry, after revenues and various costs, we
have the output: Net Income.
Every element along the way, to a greater or lesser extent, inputs and outputs, contribute to the
eventual result. More important, if each element represents a set of definable business objectives,
then each element provides us with a specific area of potential risks. In clarification, business
objectives like “complaints per X-thousand customers” is a business objective that relates to specific
elements such as SGA (Sales, General and Administration Expenses), or in Insurance and Financial
Services entities, in their Compliance costs as well as SGA.
Let’s add some geography
A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the
width of the flow, the internal structure of the river and terrain around it all contribute. So we need
to be considering all these facets when looking at our waterfall. Certainly we have experts internally
on the flow and quantity of water, but how about understanding of the shoreline and associated
geography (external factors). We also have people expert at the inner structure and working of the
river itself (internal factors).
Risk Identification and associate Risk Assessment need to consider all these factors, or critical risks (I
must keep remembering to say “risks and opportunities”) will be missed, critical risks that have a
fundamental baring on the likelihood of the business achieving objectives.
While the metaphor may be imperfect, it does provide a framework.
If we want to ensure that we have identified as many of the material risks as possible, then we need
to look at each element of the Waterfall, and consider both the external and internal contributors to
that element, and in so doing, identify the potential risks to the achievement of each of those
elements.
For a manufacturing and distribution company, the cost of distribution is a material component of
the Cost of Goods Sold, and therefore any risks impacting distribution should be included.
Consideration of the impact of the sub elements of distribution can be used to determine if the
specific risk mitigation should be put in place.
In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider
distribution costs, or more importantly, the impact of changes in fuel costs as an element of their
distribution costs. When fuel costs rose, so did their distribution costs, significantly.
The inclusion of the potential of an external risk (increased fuel costs) occurring may have suggested
the need for mitigation in the form of forward hedging of fuel costs, or hedging of transportation
costs for rail costs.
Flipping the Waterfall diagram on its side, and we have an excellent tool to help us identify “missed”
risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and
it helps us focus on, and in some cases identify, material risks.
It also enables the people with the most knowledge of each waterfall element the opportunity to
discuss that elements, the make-up and breakdown of the element, and to confirm the key risks. In
addition, it supports challenge and common agreement of the material risks.
In the example above, Internal and External components of the waterfall element are listed, and
discussed to confirm that associated risks have been identified. Quantification of the materiality of
the risks was a secondary task, but by using this methodology, it was easy for the participants to
understand quickly how any change in the one of the waterfall elements impact the overall
performance of the business.
Of course, at the core of a successful risk identification (and confirmation - this should be done
annually at least) is ensuring the widest range of people are involved. This most especially includes
subject matter experts on each of the element of the waterfall, and representation from Internal
Audit to ensure a common risk universe is agreed.