QUARTERLY
May 19, 2014
The essentials of managing risk at the enterprise level
As investor scrutiny expands beyond financial performance, the challenge for capital-intensive companies is to evolve enterprise-wide management systems for measuring, managing and reporting operating performance.
Corporate and accounting scandals, such as Enron and WorldCom, in the early 2000s precipitated significant changes in corporate governance and public disclosure of financial information. With a decade passed, most companies have established, or are well on their way to establishing, the necessary financial management discipline required to avert potential financial catastrophes. However, the risks that may adversely affect financial performance are far from being fully addressed from the perspective of investors.
Investor scrutiny is expanding beyond financial capital to include all forms of capital contributing to value creation, including manufactured, human, intellectual, social, and natural capital. With this expanded view comes the challenge of encompassing a broader array of corporate performance areas in the public disclosure of non-financial performance information. Often, significantly less mature management systems in these operational areas translate into less rigorous corporate governance, oversight, and disclosure. The net result is potentially significant material risks to long-term financial performance and corporate sustainability, which is increasingly the focus of interest by investors and other stakeholders.
The material risks associated with deficiencies in effectively understanding and managing all bases of capital for value creation are particularly evident in asset-intensive industries, including the energy, chemical and capital-intensive manufacturing sectors. Asset-intensive industries have risk profiles weighted more heavily toward operational risks because of the nature of their businesses. These risks are the direct result of the industrial environments in which their employees operate, the environmental and community impacts of their operations, and the massive resources consumed as part of doing business.
In many areas, companies have performed admirably. For example, US industry has seen a significant decline in total injury rates during the past decade, which reflects a steady, continuous improvement in safe operations. Nearly three million non-fatal workplace injuries and illnesses were reported by private industry employers in 2012, resulting in an incidence rate of 3.4 cases per 100 equivalent full-time workers, down from 5.0 cases per 100 equivalent full-time workers in 2003, according to estimates from the US Bureau of Labor Statistics.
However, these metrics fail to capture the impacts of catastrophic events, which have far broader implications than their direct impact on human or financial capital. Industrial accidents, such as the 2010 Deepwater Horizon oil spill, the 2010 Pike River Mine tragedy, and the 2011 Fukushima Daiichi nuclear accident, impact all bases of capital with a reach far beyond the four walls of a corporation. Ultimately, they have the potential to adversely impact entire industries and local economies.
It is only a matter of time until catastrophic events, analogous to those in the early 2000s that triggered substantial financial risk-management reforms, trigger equivalent reforms that cascade to all aspects of operational performance and risk management. In fact, some would argue that it's amazing that it has not happened already. Ideally, companies should be taking proactive steps now to manage all of their operational risks more effectively in order to prevent such incidents and preclude the need for regulatory intervention.
Four steps to managing operational risk
Fortunately, the era of financial risk-management reforms provides a road map for how to expand and improve risk-management practices to encompass all facets of enterprise risk, especially operational risks for asset-intensive industries. There are four fundamental elements to establish an enterprise-level system for managing operational risk.
1. Corporate policies and procedures
Companies must articulate formal corporate-wide policies and procedures for achieving non-financial performance objectives. This means establishing corporate management systems that address all bases of capital (financial, manufactured, human, intellectual, social, and natural capital) and establishing standardized policies and procedures across the entirety of the business. These management systems provide a starting point for establishing operational discipline and a foundation on which companies can comprehensively manage enterprise risk.
For many companies, operational excellence programs that govern non-financial elements of corporate performance, including capital stewardship, personnel and process safety, environmental protection, third-party services, asset reliability and more, have been in place for decades. Yet, in many other companies, comprehensive programs that bring together disparate policies and procedures are only now starting to be developed. This disparity is indicative of the relatively early stage in which many companies find themselves with regard to establishing rigorous management systems analogous to their financial management systems.
This should not necessarily be a surprise, however. While formal financial disclosure regulations have been in existence for upwards of 80 years, non-financial disclosure guidelines and compliance regulations are often less than half as old and, in many cases, are just emerging. For example, the US EPA's Clean Air Act was signed into law in 1970, while China's Ministry of Environmental Protection introduced its first comprehensive plan to reduce air pollution only in 2012. In many cases, it is these programs that ultimately drove the creation of the management systems that are in place today. However, regulation should not be a necessary precursor to this operating discipline.
2. Standardized risk-management practices
Companies need to establish proactive risk management across all of their management systems. Only through a comprehensive view of the organization and the application of standardized risk-management practices can management understand the corporate risk profile.
A key challenge is that senior management often lacks the detailed knowledge underlying any given potential hazard, which means that they are not necessarily able to discern meaningful differences or errors in risk assessments that have been performed across the business. This can lead to skewed comparisons of risk that in turn lead to improperly informed decisions. For example, two facilities with similar operations should be similarly assessing the frequency and consequence of a control system failure at their manufacturing facility. If two different risk rankings are given for what is fundamentally the same issue, this leads to inconsistent control strategies being applied.
This situation is further complicated when trying to assess the relative importance of significantly different risk types across financial, operational, legal, IT, and other categories. Foreign-exchange risk, supply-chain risk, and the risk of potential loss of containment for a storage tank are substantively different. However, the financial implications for the company are not. As a result, it is essential that companies employ standardized risk-assessment methodologies and employ a systematic means for assessing financial liabilities at the enterprise level.
With a holistic view of its risk profile, management can far more effectively marshal resources to mitigate the critical risks that represent the most potentially damaging threats to the business.
3. Hierarchy of controls
As risks are prioritized, careful consideration needs to be given to ensure that the most feasible and effective controls are employed, not simply the most convenient. Looking at established practices in health and safety as a point of reference, the widely accepted framework used for accident prevention, known as the hierarchy of controls, provides valuable insight into how to achieve this objective. (See figure below.)

The hierarchy of controls is an effectiveness rating system used to select the most feasible and effective control for hazards in order to reduce risk. The key concept is to employ the highest level of control that is pragmatic for the level of risk exposure.
Controls at the top of the hierarchy reflect risk reduction through design, and are generally the most effective at reducing risk. The effectiveness of these controls reflects the fact that they fundamentally eliminate a hazard, make a substitution that does not produce a hazard, or modify processes to reduce sources of risk. For example, if a storage tank is deemed environmentally hazardous in its location next to a river, the company may choose to site the tank in a different location, build a containment wall around the tank, or increase the frequency of inspections of the tank. Each of these controls represents the varying degrees to which the risk is mitigated.
Alternatively, administrative controls, which are near the bottom of the hierarchy, are not considered as effective as they typically reflect efforts to more simply limit exposure to hazards. Administrative controls are almost always the most convenient short-term solution to managing risk. For instance, controlling the number of hours workers are in an operating environment which includes exposure to hazardous chemicals is an administrative control, whereas making a chemical substitution to eliminate the chemical exposure itself could eliminate the risk entirely. As such, administrative controls should predominantly be used only until long-term control strategies can be enacted or in conjunction with higher-level controls.
4. Checks and balances
A critical lesson learned during the financial accounting scandals of the early 2000s was the importance of checks and balances, more specifically the difference between controls and oversight, within corporate financial risk-management systems. Many companies had formal policies and procedures in place that prohibited the types of activities that can lead to scandalous outcomes. However, they were not institutionalized and adequately enforced. Defining controls is not enough; there needs to be diligent monitoring of their performance with ongoing feedback into the management team, and the management system, to ensure risks are reduced as intended.
As companies look to the future, a mindful awareness of past lessons learned and deliberate consideration of how those lessons can be applied to new challenges presents great opportunity to get ahead of the curve. The financial world that all corporations operate in is becoming increasingly sophisticated, while investors and other stakeholders are increasingly interested in the fundamentals that drive business performance. This applies to not only financial fundamentals but also operational fundamentals and the risks that may adversely affect their performance over the short, medium, and long term. As a result, comprehensive enterprise-level, risk-management strategies are essential to delivering sustained long-term financial returns.
Jeff Ladner, Senior Director, IHS Operational Excellence & Risk Management

