Even when the dust settles, economic downturns will not be a thing of the past. Business cycles – which entail ups and downs by their very definition – are here to stay. If companies are willing to accept that, the key question becomes: How can organizations adopt reliable risk management – through the business cycle – to deliver sustainable performance?

I use the term reliable scrutiny to suggest that seemingly outstanding performance during boom times should be looked at with as much vigor as performance setbacks or outright losses during downturns. It does not imply, however, that risk is to be entirely avoided. Risk is, and remains, the bedrock of enterprise. It allows for innovation and managed risk taking; a blend of tested and untested initiatives. Equally, the term sustainable performance does not refer to the performance of firms that have seen excessive returns during the boom years, but have only been able to survive by accepting bailouts. Sustainable performance has to be what the term suggests – viable in time. Reliable scrutiny and sustainable performance constitute the key elements in this article. They come together in what I will call enterprise governance, and they have an important temporal dimension: through the business cycle and for the long term.

Hard times

Companies tend to let their guards down or become complacent when business is good and when performance is meeting or beating expectations. But they often have the opposite reaction when things are not going so well – when targets are not being met, or worse, when the firm faces losses. Then companies tend to overreact or over-tighten their belts. This is perhaps quite an innate, natural reaction. But it is also an outcome of the management-by-exception approach that companies sometimes practice too blindly. This directs attention primarily, if not exclusively, to problem areas, assuming that all is well where and when performance meets or beats expectations. Some risk management practices, ironically, also have a built-in tendency toward such lopsidedness, particularly purely quantitative tools that don’t go far enough back in time, and therefore tend to look best when they should be looking worst – at the end of a boom. Regardless of the source or driver of such tendencies, the key point is that the level of scrutiny tends to move inversely and asymmetrically to performance.


Let’s discuss the inverse relationship between scrutiny and performance first. In the aftermath of a crisis, we hear calls for government action. Everyone is eager to listen to risk managers. The business press is filled with risk management articles. This is as true since the onset of the current crisis as it was following the corporate debacles – such as the collapse of Enron and WorldCom – earlier in this decade. These earlier scandals spawned a slew of corporate governance and internal control policy developments around the world. But when the crisis has passed and the boom times return, the tone changes. Shareholders enjoy high returns and the appetite for scrutiny of all kinds quickly wanes, or worse, is dismissed as a “drag” on performance.

But not only do scrutiny and performance tend to move inversely to one another; the reaction to poor performance appears to be asymmetrically stronger than is the level of healthy skepticism when performance is strong. In other words, the tendency inside many firms to investigate unusual profit is smaller than the tendency to investigate unusual loss. But as postmortems of crises suggest, unusual profits are often where the seeds of future distress are sown. The unusual profit may be a sign that managers have been too aggressive, been taking too much risk or been excessively focused on the short term.

Put together, then, companies tend to oscillate between under- and over-scrutiny triggered by strong versus poor performance, respectively. Under-scrutiny often prevails during expansions, when there is a top-line focus driven by aggressive, rose-tinted growth plans, can-do attitudes, minimally required compliance and control weaknesses. It often results in empire building through risky investments and ill-advised acquisitions. Over-scrutiny, on the other hand, is manifested by tightening the screws during contractions through cost cutting, lack of investments (even worthwhile ones), balance sheet cleanups and divestments (sometimes at huge discounts) driven by too much risk aversion, over-compliance in the face of potential litigation and other stifling, protective attitudes. Neither seems ideal.

As an illustration, consider the matrix depicted in Figure 1. On the right-hand side of the matrix, when times are good and capital is readily available, companies are upbeat and risk-tolerant, complacent or under-scrutinizing.

In other words, their risk appetite is high and they tend to emphasize growth. This can often be reckless growth, however, which may show good bottom-line performance effects in the short term because some cost savings have quick effects while other costs are amortized or taken out as one-off items. The value-creating synergies on which such empire building is presumably based often fail to materialize in the longer term, however. Hence, there is an important temporal dimension to this, which is depicted along the vertical dimension of the matrix.

Whereas the less-than-ideal scrutiny and higher-than-desirable risk taking during the expansion drive may result in subpar returns in the long term, the performance effects in the short term often look good.

On the left-hand side of this matrix, when the going gets tough and performance is weak or not meeting expectations, companies often revert to being too risk-averse – that is, their risk appetite is low and their risk taking declines. To deal with their performance challenges, companies often go for the low-hanging fruit – they cut costs, cut R&D, and tighten their hurdles to accept capital projects, thereby often under-investing in otherwise promising projects. Again, the short-term results of such actions often show quickly with good effect due to the lower costs and one-time charges that are dismissed as exactly that, but the long-term effects are more dubious, often hampering long-term potentials for value creation, effectiveness and competitiveness. Although wielding the ax might seem to fix the bottom line in the short term, it might come back to haunt the firm by putting its future at risk.

The question then is, how can companies have the discipline in good times to watch both the top and bottom line – that is, to not overreach their growth, and the courage in bad times to not only cut costs, but to also redeploy assets and redirect investments for the long term? In other words, how can companies’ scrutiny be calibrated through the business cycle to make them appropriately risk-conscious? This is depicted in Figure 2.

Note that in Figure 2, the color in the top quadrants has not turned green, as in the bottom of that figure. Rather, it is still a shade of amber to denote caution. This illustrates that companies should not seek to, or believe that they can, eliminate risk entirely. Measured risk taking is critical in driving long-term performance, and this inevitably involves uncertainty. Risk is, after all, what drives a wedge between a good decision and a good outcome, where it must be accepted that even good decisions made under appropriate scrutiny and sensible restraint will not always have good outcomes. But the more risk-conscious firms are through the business cycle, the more likely they are to effect good outcomes.

Enterprise governance

The notion of enterprise governance is a conceptual framework to summarize the above points, bringing reliable scrutiny and sustainable performance together under one umbrella, thereby emphasizing how firms might think about aligning them.

As shown in Figure 3, enterprise governance entails what is called business governance, which has to do with performance, both short- and long-term, hence the term sustainable performance (as opposed to its myopic variant). On the left, there is corporate governance, which relates to conformance, risk management or scrutiny, again both in the short and long term, hence the term reliable scrutiny. Regardless of the exact labels one wishes to use, the essence of the framework is that it consists of three elements: performance and scrutiny, both cutting across time – that is, with a concern for the long term, hence the emphasis on “reliable” scrutiny and “sustainable” performance.

Despite the level of abstraction, the framework resonates with formal risk management approaches such as COSO’s Enterprise Risk Management (ERM). When studying ERM’s formal definition, one will see that it posits risk management as a tool to provide “reasonable assurance regarding the achievement of entity objectives,” which clearly marries risk (assurance) and performance (objectives). By doing so with reference to “risk appetite” and emphasizing “reasonable” assurance, it also suggests that risk is to be managed, not eliminated. As such, risk management is not only about ensuring that bad things do not happen, but equally about making sure that good things do happen. Moreover, COSO’s definition also mentions the “board of directors, management and other personnel” – indicating that risk management needs to pervade the organization rather than being just a top management exercise or solely the concern of an appointed committee. Students of performance management would equally allude to several of these aspects as conditions for sustainable performance. Even though performance and conformance may be separable, they are not independent. Regardless of whether one takes a primarily performance management view or a primarily risk management view, it is hard to consider one without the other, especially if one has a long-term orientation.

However, research suggests that companies often still treat performance and risk management separately. For example, one study suggests that companies implement ERM primarily as a reaction to regulatory pressures and corporate governance requirements.[1] In other words, they don’t seem to do it primarily because it makes good business sense, but rather because they feel pressured to do so. But when asked about the benefits of risk management, these same sample companies hint primarily at performance benefits, such as allowing them to make better-informed decisions, to obtain greater management consensus, to improve management accountability, to better meet strategic goals and to use risk as a competitive tool. Not surprisingly, they also mention some compliance benefits, such as better governance practices and better communication with the board. They even mention some “cycle-busting” benefits, such as reduced earnings volatility and increased performance. In other words, whereas many companies’ motivation to engage in risk management is reluctantly compliance-driven, this study suggests that the benefits are primarily performance-related. These findings also suggest that risk and performance management should not work against each other or be counter-cyclical. Instead, scrutiny and profitability, as well as scrutiny and earnings stability (the opposite of earnings volatility), appear to mutually enhance each other.

Sensible restraint

Unfortunately, there isn’t a simple solution for how to handle or prevent an economic downturn. But I do hope to have exposed the tendency for risk and performance management to become misaligned. Awareness of this phenomenon may even seem too trivial to suggest. But asking the tough questions, even when nobody else does because they are too consumed by their current successes, appears harder than it sounds. Examples are not hard to find. With respect to the current crisis, it would have been good to ask questions about whether “millennium finance” really was the panacea it was believed to be. Instead, however, “Banks which decided not to invest in these instruments [complex financial products whose risks were either underestimated or misunderstood] were often pilloried for being boring.”[2] Healthy scrutiny should also be encouraged throughout the organization. Risk management is not just about structure and systems, but also about organizational culture. If there is no healthy scrutiny in the organization, then everyone just assumes that someone else has considered the risks – a common fallacy that further inflates the bubble.

Enterprise governance is about principled performance – how you perform is as important as meeting goals. Clark Abrahams, Chief Financial Architect at SAS, talks about the culture of enterprise governance (governance, risk and compliance) in his blog. In this post, Abrahams outlines five steps for building the foundation for a culture of enterprise governance, risk and compliance. You can also learn more about enterprise governance, risk and compliance by reading this article.

*Previously published by CMA Management, May 2009 and by the Chartered Institute of Management Accountants in their journal Financial Management. Adapted and republished here by permission.


[1] Gates, Stephen, “Incorporating Strategic Risk into Enterprise Risk Management: A Survey of Current Corporate Practice,” Journal of Applied Corporate Finance, Vol. 18, No. 4, pp. 81-90, Fall 2006.
[2] Mervyn King, Governor of the Bank of England (BBC: Governor Attacks City Risk-taking, 28 April 2008).

