Description
In February 2008, the board of the French bank Societe Generale learned that one of its traders had lost $7.2 billion dollars. Jerome Kerviel, the trader in question, had approval to risk up to $183 million.
Risk Taking: A Corporate
Governance Perspective
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 1
ACKNOWLEDGEMENTS
Te genesis of this book lies in the teaching materials
prepared for IFC’s Risk Governance Workshops conducted
in 20 developing countries during the 2010–2012 time
period by the book’s authors. Te book and workshops
also bene?ted from the contributions of Torben Andersen
of Copenhagen Business School and Zur Shapira of New
York University’s Stern School of Business. Te contents of
the book re?ect this team’s years of risk management and
governance practice as managers, directors as well as their
academic scholarship.
More than 1,000 corporate directors and senior managers
participated in the workshop series. Te handbook has
been shaped by their views, experiences and other feedback
and re?ects the richness of wide and varied collective
experience. Te authors have shared speci?c examples from
the participants’ experiences in the handbook—as much as
con?dentiality constraints allow.
Numerous stock exchanges, regulators, central banks,
schools and other institutions partnered with us in hosting
the events. Te workshops would not have been possible
without their administrative support. Tey also provided
key intelligence on local conditions and helped us frame
materials to speci?c emerging market conditions.
IFC sta? in local o?ces and in Washington, D.C. gave
their time to help to make these workshops happen. Tese
extended team members are valuable contributors to this
?nal product in as much as their e?orts, contacts, and
knowledge contributed to the workshops and to the shaping
of the consulting teams’ views on risk-taking challenges in
emerging markets.
Te workshops were funded by contributions from the
governments of the Netherlands and Austria, and from
IFC. Without their commitment to development, these
workshops and this handbook would not have been possible.
Oliviero Roggi (Lead Faculty)
Chairperson, International Risk Management Conference
Corporate Finance Professor, University of Florence
Visiting Professor, New York University Stern Salomon
Center
Maxine Garvey (Program Leader)
Corporate Governance Unit
International Finance Corporation
Aswath Damodaran (Program Lead Faculty)
Kerschner Family Chair in Finance Education
Professor of Finance at New York University Stern School
of Business
June 2012
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 3
I. Introduction ....................................................................................................................5
II. What is Risk? ..................................................................................................................7
III. Risk Governance, Risk Management, and Value Creation ......................................11
IV. Measuring Value: Risk-Adjusted Value .....................................................................17
V. Managing Risk: Enterprise Approaches ....................................................................27
VI. Tools for Better Risk Decision Making: Probabilistic Approaches .........................35
VII. Creating Value from Risk Taking ................................................................................39
VIII. Exploiting the Risk Upside: Strategic Risk Taking
and Building a Risk-Taking Organization ..................................................................43
IX. Conclusions ...................................................................................................................51
Appendix................................................................................................................................53
TABLE OF CONTENTS
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 4
5 INTRODUCTION
I. INTRODUCTION
Objectives Of IFC’s Risk Governance
Program
In February 2008, the board of the French bank Société
Générale learned that one of its traders had lost $7.2 billion
dollars. Jerome Kerviel, the trader in question, had approval
to risk up to $183 million. Since 2005, however, Kerviel had
apparently ignored his limits and took on exposures as high
as $73 billion—more than the market value of the entire
?rm. Société Générale’s board, managers, risk management
systems, and internal controls failed to detect, much less
halt, the reckless bets. When ?nally discovered, the failure in
risk governance and management had cost Société Générale
and its shareholders clients, money, and reputation. Similar
failures of risk governance feature in scandals at UBS and
Baring, with the latter failing to survive.
In the 2008 economic crisis, several ?rms in emerging
markets also su?ered major losses due to failed risk
management and governance. Brazilian pulp producer
Aracruz, and meat processor Sadia, had extensive losses on
foreign exchange derivative contracts. Ceylon Petroleum
Corporation (CPC) in Sri Lanka stood to lose hundreds of
millions on commodity derivatives. In all of these cases, the
chagrined boards (and, in the case of CPC, the state as the
main shareholder) asserted that managers had acted without
proper authorization.
Losses and the collapse of ?rms due to failures in risk
handling and risk governance hurt the wider community
through loss of jobs, goods and services. Tese losses are
felt particularly severely in emerging markets where the
economies are vulnerable and jobs are scarce.
Risk Taking as an Essential Activity of
Enterprises
Taking risks and dealing with uncertainty are essential parts
of doing business. E?ective oversight of risk taking is a key
responsibility of the board. Directors must protect pro?table
activities (“the golden goose”) in the face of routine risks and
improbable disasters (“the black swans”).
Te word “enterprise” derives from the Latin “impresum,”
meaning “taking upon oneself,” and describes the act of
carrying out actions with the intent to attain a preset objective.
Te purpose of the enterprise is the satisfaction of individual
customer needs. Tis objective can be attained only if the
enterprise prepares itself with the productive factors required
for producing and delivering the products and services that can
satisfy these needs. Tis circumstance, in which entrepreneurs
must anticipate the needs of consumers, leads to a pervasive
aspect of enterprise management: dealing with the risks
incurred as the entrepreneur organizes production. Hence,
the enterprise is characterized by uncertainty in conducting
its operations: uncertainty is an inherent element of enterprise
risk. Te enterprise and the risk generated in operating it are
inseparable. Tere is no enterprise without risk. Rewards
earned by an enterprise compensate for such risk taking.
IFC’s Risk Governance Program
As part of IFC’s response to the ?nancial crisis of 2008,
IFC’s Corporate Governance Unit launched a risk
governance program. Te program was intended to enhance
the capability of boards of directors in emerging markets
for improved risk management oversight. Te aim was
to provide directors with tools to enhance each board’s
risk oversight structures, processes, and competence. Te
program consisted of two elements: a series of training
events across emerging markets and this handbook.
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 6
By the end of 2011, the training team had conducted
workshops in 18 countries worldwide, working with
directors and others in numerous emerging markets,
drawing from multiple industries, public and private sectors,
real and ?nancial sectors, small and large ?rms, and rich
and poor countries. Te discussions covered many topics
on risk management, risk hedging, risk governance and
strategic risk taking. Tis book re?ects not only the content
prepared by the core teaching faculty for these workshops
but also the feedback and lessons shared by participants in
these engagements.
Target Reader: A Director’s Perspective on
Risk Taking
Te materials target decision makers, chie?y corporate
directors to help them make sense of an increasingly complex
and chaotic risk universe. Experienced directors with some
?nance training are the main audience for this book.
Te approach takes the view that a director’s chief
responsibility is to attend to the stakeholders’ value,
particularly shareholders’ value. Tus, the risk-taking
issues are discussed in terms of their impact on value. Te
approach also takes the view that decision makers/directors
should understand the analytical tools used in the “typical”
corporation. Understanding these tools makes oversight
more e?ective because directors can use their judgment to
decide when to act and what tools to apply in their enterprise.
Te contents are written with a broad scope to apply to as
many industries as possible. Te material covers traditional
corporate ?nance concepts and enterprise approaches.
Bankers, actuaries, and risk managers (particularly those
with a quantitative bent), will need resources beyond the
coverage of this book as they execute their speci?c tasks.
Section Outlines
In the ?rst two sections the book lays out the scope of risk
management by de?ning risk and exploring risk governance.
Te next few sections look at measuring and dealing with
risk and the di?erent tools used to incorporate risk into
decision making. Te ?nal portion of the manual advocates
for a broader view of risk management, demonstrates its
impact on the value of a business and suggests a template for
building a good risk-taking organization. Sections are tied
to simple steps in the generalized risk management process.
Sections start with a theme, followed by an examination of
the key issues relating to the theme. Sections conclude with
a set of tasks that can be used to convert the abstractions and
theories proposed to real world corporate governance tests/
measures for any organization.
Risk Management Steps Sections in Book
Step 1 Make an inventory of all of the risks that the ?rm is faced with –
?rm speci?c, sector, and market.
Section II: What is Risk?
Section III: Risk Governance, Risk Management,
and Value Creation
Step 2 Measure and decide which risks to hedge, avoid, or retain based
on impact on the value of the enterprise.
Section IV: Measuring Value: Risk-Adjusted Value
Section V: Managing Risk: Enterprise Approaches
Section VI: Tools for Better Risk Decision Making:
Probabilistic Approaches
Step 3 For the risks being hedged, select the risk-hedging products and
decide how to manage and monitor retained risks.
Section VII: Creating Value From Risk Taking
Step 4 Determine the risk dimensions in which you have an advantage
over your competitors and select an organizational structure
suitable for risktaking.
Section VIII: Exploiting the Risk Upside: Strategic Risk
Taking and Building a Risk-Taking Organization
7 WHAT IS RISK?
II. WHAT IS RISK?
Speaking of Risk
Tere is no consensus on a single formal de?nition of risk.
Given this lack of consensus, a de?nition from common
usage serves to start our discussion:
“Risk is a concept linked to human expectations. It indicates a
potential negative e?ect on an asset that may derive from given
processes in progress or given future events. In the common
language, risk is often used as a synonym of probability of a loss
or of a danger. In the assessment of professional risk, the concept
of risk combines the probability of an event occurring with the
impact that event may have and with its various circumstances
of happening.”
1
However useful this layman’s start, it does not fully lay out
the risk concept. For example, this de?nition does not clearly
distinguish between the concepts of risk and uncertainty. It
focuses only on negative implications of risk taking.
A Better De?nition of Risk
Risk, in traditional terms, is viewed as a negative. Te
dictionary de?nes risk as “exposing to danger or hazard.” Te
Chinese symbol for “crisis,” reproduced in Figure 1.1, o?ers a
better description of risk.
Te ?rst symbol is the symbol for “danger,” while the
second is the symbol for “opportunity,” making risk a mix of
danger and opportunity. By linking the two, the de?nition
emphasizes that you cannot have one (opportunity) without
the other and that o?ers that look too good to be true
(o?ering opportunity with little or no risk) are generally
not true. By emphasizing the upside potential as well as
the downside dangers, this de?nition also serves the useful
purpose of reminding us of an important truth about risk.
Where There is Upside, There is Downside
and the Opposite is True!
It should come as no surprise that managers become interested
in risk management during or just after a crisis and pay it
little heed in good times. Te Chinese de?nition of risk/crisis
points to the fact that good risk-taking organizations not
only approach risk with equanimity, but also manage risk
actively in good times and in bad times. Tus, they plan for
coming crises, which are inevitable, in good times and look
for opportunities during bad times.
Theme
To manage risk, we ?rst have to de?ne risk. In this section, we look at how risk has been
de?ned in both theory and practice. The section explores different risk classi?cations and
introduces the use of a risk pro?le for enterprises as a starting point for analyzing their risk-
taking activities.
Figure 1.1: The Chinese Symbol for “Crisis”
??
1
Source: http:www.wikipedia.com.
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 8
Classifying Risks Faced by Organizations
Identifying risk (making it tangible) can help managers or
directors in their decision making. Te two lists of risks
provided here are not intended to be exhaustive, because
it is not possible to cover the full gamut of potential risks.
Instead, the idea is to help organizational decision makers
(managers or directors) begin to think more clearly about
the risks faced by their organization.
Note that there are many equally valid classi?cations, and
?rms can develop their own lists suitable to their particular
circumstances. Te most important thing is that decision
makers must understand the risks relevant to their enterprises
as they are making decisions.
CLASSIFICATION EXAMPLE 1
Using the the Basel II framework and adapting the
classi?cations to non-?nancial ?rms, this example divides
organizational risks into three categories: operational,
?nancial, and market-based.
1. Operating Risk
a. Operating and veri?cation (accuracy)
b. Business risk
2. Financial Risk
a. Internal risks
i. Insolvency
ii. Counterparty
iii. Financial structure planning
b. External risks
i. Interest rate
ii. Currency exchange rate
iii. In?ation
3. Market-Based Risk
CLASSIFICATION EXAMPLE 2
1. Financial Risk
a. Credit (default, downgrade)
b. Price (commodity, interest rate, exchange rate)
c. Liquidity (cash ?ow)
2. Operational Risk
a. Business operations (e?ciency, supply chain, business
cycles)
b. Information technology
3. Strategic Risk
a. Reputational (i.e., bad publicity)
b. Demographic and social/cultural trends
c. Regulatory and political trends
4. Hazard Risk
a. Fire and other property damage
b. Teft and other crime, personal injury
c. Diseases
What is a Risk Pro?le?
A major step in appropriate oversight of risk taking by a ?rm
is listing out all of the risks that a ?rm is potentially exposed
to and categorizing these risks into groups. Tis list is called
a risk pro?le.
Do most ?rms create risk pro?les? Not necessarily. In many
?rms, it is taken for granted that most everyone in the ?rm
(particularly those with experience) is already aware of the
risks that the ?rm faces. Tis can be a mistake and more
so with risks that are uncommon, since many managers
may never have experienced that risk. For boards and across
?rms as a whole it is useful to be clear and explicit about the
risk faced. Instead of assuming awareness, make sure that
everyone understands by spelling out the potential risks.
Emerging Market Example: Risk Pro?le of an Airline Company in Brazil*
*Developed by risk workshop participant
Operational Risks
Aircraft crash and aircraft
breakdowns
Strikes
Telephone, IT failure, utility
outages
Failure of sub-contractors
Employee turnover
Changes in code-share
agreements
Crime and social unrest
Fire
Pollution
Theft and fraud
Damage to the brand
Financial and Market Risks
Oil prices changes
In?ation
Interest rate changes
Exchange rate ?uctuations
Tax changes in Brazil
Changes in world’s aviation
laws
New trade agreements
Cash ?ow dif?culties
Bankruptcy
Stock price collapse
Debt covenant violations
9 WHAT IS RISK?
Once you have created your risk pro?le, acknowledging the
risk that your company is facing, the next step is to divide
the various risks into three groups:
• Risk that should be allowed to pass through the frm to
its owners
• Risk that should be hedged
• Risk that should be exploited
Tis phase is part of the broader process, known as risk
treatment. Later in this manual, we will present various ways
to conduct a risk treatment process.
Implications for Decision Makers
To manage risk correctly, we must acknowledge its positive
and negative e?ects. Risk management has to look at both
the downside of risk and the potential upside. In other
words, risk management is not just about minimizing
exposure to the wrong risks. It also is about increasing
exposure to good risks.
It is important that a ?rm’s decision makers build a
common understanding of the risks they face by developing
a risk pro?le, an explicit listing of potential risks. While
classi?cations and categorizations as suggested above are
useful, the discussion itself is more important, because it
helps establish a common language and understanding of
the risks faced by the enterprise.
Risk pro?les are an enterprise’s starting point for risk
analysis. Most ?rms will need to go beyond risk pro?les,
and conduct risk assessments, treatment, and monitoring.
However, for small, simple ?rms without the interest or
capacity to deepen the risk management process, a well-
developed, thoroughly-discussed, and strongly-internalized
risk pro?le is a good start. Tis is a better option than
completely ignoring the risk situation.
SECTION TASK: DEFINE RISK
1. How would you de?ne risk?
2. Ask a fellow director or manager to list the top ?ve risks
facing your enterprise. Is this list di?erent from the one you
would make? How and why?
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 10
11 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
III. RISK GOVERNANCE,
RISK MANAGEMENT, AND VALUE CREATION
Corporate Governance
IFC’s Corporate Governance Unit de?nes corporate
governance as the structures and processes for the direction
and control of companies. Corporate governance concerns
the relationships among the management, board of directors,
controlling shareholders, minority shareholders, and other
stakeholders. Good corporate governance contributes
to sustainable economic development by enhancing the
performance of companies and increasing their access to
outside capital.
RISK GOVERNANCE
Risk governance is a relatively new term. In the corporate
governance arena, there is no consensus de?nition, although
in the information technology ?eld, risk governance is a more
developed concept. However, for the purposes of discussion
in this book, we de?ne risk governance in ?rms as the ways in
which directors authorize, optimize, and monitor risk taking
in an enterprise. It includes the skills, infrastructure (i.e.,
organization structure, controls and information systems),
and culture deployed as directors exercise their oversight.
Good risk governance provides clearly de?ned accountability,
authority, and communication/reporting mechanisms.
Risk oversight is the responsibility of the entire board.
However, some boards use risk committees to help ful?ll
responsibilities. Te risk committee might be independent,
or the work might be combined with audit tasks and
assigned to an audit and risk committee. For further detail
on proposed structure and functioning of risk committees,
see the appendix.
Risk Management
RISK TAKING AND VALUE CREATION: RISK-ADJUSTED
VALUATION
Ultimately, the objective of managing risk is to make the
?rm more valuable. For directors and managers, this is the
primary objective, regardless of whether they view this as
value to shareholders or value to a wider group of stakeholders.
Fortunately, classical ?nance provides robust techniques for
valuing enterprises. Te most frequently used method is the
discounting of future cash ?ow to the ?rm at a risk-adjusted
cost of capital. For risk management purposes, many would
point out that using the capital asset pricing model (CAPM)
for calculating risk-adjusted capital has a double bene?t
of already accounting for all the risk that a ?rm’s decision
makers need concern themselves about—the market risk. All
other risks are ?rm risks and can be diversi?ed away by the
individual investor in the ?rm’s shares. As the shareholders
can handle ?rm risk by their own portfolio diversi?cation,
it does not add value for the board or managers to concern
themselves with these types of risks. From this viewpoint,
using CAPM in assessing projects, investments, and in
valuation provides a ready-to-use approach for guiding risk-
taking in ?rms. Firms without any formal risk management
Theme
The section addresses the ?duciary duties of a board member focusing on risk oversight. It
starts by de?ning corporate governance, draws on the Organization for Economic Coopera-
tion and Development’s Principles of Corporate Governance in discussing the role of direc-
tors, and presents ideas on the role and structure of risk committees. It closes by linking the
value of the enterprise to risk management.
Corporate Governance Perspectives
There are a number of predominant theoretical perspectives on
corporate governance:
• Agency theory—align the interests of internal agents
(executives/managers) who display strong self-interest with
those of the shareholders (owners). In effect this represents
a double agency dilemma (see ?gure)
• Transaction cost theory—reduce costs of transactional
hazards through internal corporate governance mechanisms,
which cannot be handled by external market mechanisms
• Stewardship theory—general human motives of
achievement, altruism and meaningfulness should be
managed and guided in the most opportune manner
• Resource dependence theory—highlights corporate
dependence on external relations and sees governance as
a vehicle to ensure continued access to essential resources
• Stakeholder theory—acknowledges agreements with
multiple stakeholders that can create incremental value and/
or lead to subsequent risk events if neglected or abused
Shareholders
(public company)
Board of directors
Managers
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 12
13 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
functions are well served by using the capital asset pricing
models in guiding their investment decisions as they reap its
double bene?t—valuation and risk management.
Enterprise approaches also use valuation techniques at various
points in the process to ensure that any decisions taken will
maximize value. Tese valuation e?orts also deploy the
discounted cash ?ows, often using the capital asset pricing
models as well. Whatever the valuation method used, the risk
analyst needs to estimate the e?ect of each risk on ?rm value
and determine the cost of reducing each risk. If risk reduction
is costly, the decision makers must decide whether the bene?t
to ?rm value justi?es the costs. Each ?rm must seek a value-
maximizing risk management strategy.
Enterprise Risk Management
Enterprise Risk Management (ERM) emphasizes a
comprehensive, holistic approach to managing risk, shifting
away from a “silo-ed” approach of separately handling each
organizational risk. ERM also views risk management as a
value-creating activity, and not just a mitigation activity.
ERM is still an evolving concept. Before its emergence,
organizations tended to isolate the management of risks.
For example, the treasurer managed currency exposures, the
sales or credit manager managed credit risk, and commodity
traders and purchasing o?cers managed commodity price
risks. Insurance risk managers handled the hazard risks.
Te personnel department managed the human resources
risks. Quality and production managers were responsible
for containing production risk. Marketing and strategy
Responsibilities of Board Members
The OECD Principles of Corporate Governance provide guidance
on the responsibilities of directors:
A. Board members should act on a fully informed basis, in good
faith, with due diligence and care, and in the best interest of
the company and the shareholders.
B. Where board decisions may affect different shareholder
groups differently, the board should treat all shareholders
fairly.
C. The board should apply high ethical standards. It should take
into account the interests of stakeholders.
D. The board should ful?ll certain key functions, including:
1. Reviewing and guiding corporate strategy, major plans
of action, risk policy, annual budgets and business plans;
setting performance objectives; monitoring implementation
and corporate performance; and overseeing major capital
expenditures, acquisitions and divestitures.
2. Monitoring the effectiveness of the company’s governance
practices and making changes as needed.
3. Selecting, compensating, monitoring and, when necessary,
replacing key executives and overseeing succession planning.
4. Aligning key executive and board remuneration with the
longer term interests of the company and its shareholders.
5. Ensuring a formal and transparent board nomination and
election process.
6. Monitoring and managing potential con?icts of interest of
management, board members and shareholders, including
misuse of corporate assets and abuse in related party
transactions.
7. Ensuring the integrity of the corporation’s accounting and
?nancial reporting systems, including the independent
audit, and that appropriate systems of control are in place,
in particular, systems for risk management, ?nancial and
operational control, and compliance with the law and
relevant standards.
8. Overseeing the process of disclosure and communications.
E. The board should be able to exercise objective independent
judgment on corporate affairs.
1. Boards should consider assigning a suf?cient number
of non-executive board members capable of exercising
independent judgment to tasks where there is a
potential for con?ict of interest. Examples of such key
responsibilities are ensuring the integrity of ?nancial
and non-?nancial reporting, the review of related party
transactions, nomination of board members and key
executives, and board remuneration.
2. When committees of the board are established, their
mandate, composition and working procedures should
be well de?ned and disclosed by the board.
3. Board members should be able to commit themselves
effectively to their responsibilities.
F. In order to ful?l their responsibilities, board members should
have access to accurate, relevant and timely information
Source: OECD Principles of Corporate Governance, 2004
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 14
departments attended to the competitive risks. Tere
was limited e?ort to coordinate across the enterprise, to
understand where risks could multiply, where they cancel
each other out, or where they could be exploited for pro?t.
ERM addresses these issues, focusing on coordination and
value addition. For example, in a conglomerate in which one
division is long in currency A and another division is short
in the same sum in the same currency, responsible division
managers might decide to purchase separate currency
hedges. Tis represents a silo-ed approach, which does not
enhance value. Taking an enterprise-wide approach instead,
using ERM, renders such actions unnecessary, because the
conglomerate already has a natural hedge.
ERM’s coordinated function is often vested in a chief risk
o?cer and in increased risk governance, including board
oversight. Tis evolving portfolio approach is aided by
improved tools for risk measurement, pricing and trading.
Today, there are two widely-disseminated ERM approaches:
• COSO II ERM: Risk framework from the Committee of
Sponsoring Organizations of the Tread way Commission
that is geared to achieving strategic, operational,
reporting, and compliance objectives.
• CAS ERM Framework: Developed by the Casualty
Actuarial Society, the framework focuses on hazard,
?nancial, strategic, and operational risks.
Regardless of the framework used it is important that risk
decisions always tie in to the value of the enterprise to its
stakeholders, particularly to its shareholders.
RISK AVERSION, RISK POLICY, RISK TOLERANCE AND
RISK APPETITE
Te development of a risk policy is an importance task for
boards. Tis activity is related to the board’s corporate strategy
work, and involves specifying the types and degree of risk that
a company is willing to accept in pursuit of its goals. It is a
crucial management guideline in managing risks to meet the
company’s desired risk pro?le.
An enterprise’s risk policy re?ects the aggregate risk aversion
of its decision makers. In the enterprise approach detailed
later in the book, we will look at various managerial decision
points, when decision makers’ attitudes toward risk will drive
action. Tis attitude toward risk may or may not be codi?ed in
a formal risk policy.
Risk appetite and risk tolerance are newer terms in the risk
management lexicon. In recent years, these terms have been
used with increased frequency, particularly in the corporate
governance and accounting community. Te precise meaning
and metrics of the two terms are still evolving and considerable
inconsistency in their use remains. In contrast, the term risk
aversion has the bene?t of long use in the corporate ?nance
community, with consensus on the concept, its measurement,
and its implications for behavior. Fortunately, risk appetite and
risk tolerance concepts appear to be rooted in the more robust
concepts of risk aversion and risk policy.
Recently, the Institute of Risk Management attempted to
produce a clear de?nition of the terms “risk appetite” and “risk
tolerance” as follows:
Emerging Market Example: Tea and Coffee Plantation in Kenya
A commercial Kenyan farm producing tea and coffee for the
European, Asian, and American markets faces a range of
risks. These risks include the vagaries of weather, particularly
drought, changes in government policy, ethnic strife affecting
the workforce, commodity price ?uctuations, and exchange
rate ?uctuations. The farm is owned and operated by the
second generation of the founding family. The board consists
of the three siblings running the business, their accountant, and
the export sales manager. The directors have made a decision
that they will not retain any foreign exchange risks, because
the siblings believe that they lack the expertise to cope with
foreign exchange ?uctuations. They are con?dent that their
knowledge of Kenya enables them to assess, evaluate, and treat
the weather and political risks. As a result of their aversion to
foreign currency risk, their risk policy is to avoid or hedge this
risk almost completely. They sell their produce to a middleman,
a trading company that sets the contracts in Kenyan shillings.
In addition, non-deliverable forwards and forwards are used to
limit exposure on any inputs that need to be purchased in foreign
currency and on the occasional sales that are not sold through
the trading company.
15 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
• Risk appetite: Te amount of risk an organization
is willing to seek or accept in pursuit of its long term
objectives.
• Risk tolerance: Te boundaries of risk taking outside of
which the organization is not prepared to venture in the
pursuit of long-term objectives. Risk tolerance can be
stated in absolutes, for example: “We will not deal with
a certain type of customer” or “We will not expose more
that X percent of our capital to losses in a certain line of
business.”
• Risk universe: Te full range of risks that could impact
either positively or negatively on the ability of the
organization to achieve its long term objectives.
SECTION TASK: Risk Governance, Risk
Management, and Value Creation
1. How does your board de?ne its responsibilities on risk-
taking?
2. How often does your board discuss risk issues?
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 16
17 MEASURING VALUE: RISK-ADJUSTED VALUE
IV. MEASURING VALUE: RISK-ADJUSTED VALUE
Approaches for Adjusting Value for Risk
Theme
Pursuing value-maximizing risk strategies requires that decision makers assess risk-taking within
the context of a valuation methodology. For the discussion in this section, we use discounted
cash ?ows methodology, and two practical ways of adjusting risky asset values. In the ?rst, we
adjust the discount rates upwards for risky assets and reduce the present value of expected cash
?ows. In the second, we replace the expected cash ?ows with “certainty equivalent” cash ?ows,
which, when discounted back at the risk-free rate, yields a risk-adjusted value.
Risk-Adjusted Value
De?nition: The value of a risky asset can be estimated by
discounting the expected cash ?ows on the asset over its life at
a risk-adjusted discount rate:
where the asset has a n-year life, E(CF
t
) is the expected cash
?ow in period t and r is a discount rate that re?ects the risk of
the cash ?ows.
PROCESS TO ESTIMATE RaV
Step 1: Estimate the expected cash ?ows from a project/
asset/business. For a risky asset, consider/estimate cash ?ows
under different scenarios, attach probabilities to these scenarios
and estimate an expected value across scenarios.
Step 2: Estimate a risk-adjusted discount rate, comprised of
two components, the risk-free rate and the risk premium.
Risk-adjusted rate = Risk-free rate + Risk premium= Rf+
Beta (Rm-Rf)
Step 3: Take the present value of the cash ?ows at the
risk-adjusted discount rate.
Value of asset=
T
t=0
?
E(CF
t
)
(1+r)
t
Te value of an asset that generates cash ?ows can be written
as the present value of the expected cash ?ows from that
asset, discounted back at a discount rate that re?ects the risk.
Te value of a risky asset can be estimated by discounting
the expected cash ?ows on the asset over its life at a risk-
adjusted discount rate:
where the asset has a n-year life, E(CFt) is the expected cash
?ow in period t and r is a discount rate that re?ects the risk
of the cash ?ows. In this approach, the numerator is the
expected cash ?ow, with no adjustment paid for risk, whereas
the discount rate bears the burden of risk adjustments.
Alternatively, we can replace the expected cash ?ows with
the guaranteed cash ?ows we would have accepted as an
alternative (certainty equivalents) and discount these at the
risk-free rate:
where CE(CF
t
) is the certainty equivalent of E(CF
t
) and r
f
is
the risk-free rate.
Note that the key sets of inputs are the certainty equivalent
cash ?ows, which bear the burden of risk adjustment. Te
discount rate is the risk-free rate.
With both approaches, the present value of the cash ?ows
will be the risk- adjusted value for the asset.
Risk-Adjusted Discount Rate
To adjust discount rates for risk, we must use a risk and
return model. In this section, we will examine how best
to estimate the inputs for the simplest of these models (the
CAPM) but much of what we say about these inputs can be
replicated for more complex risk and return models.
THREE STEPS IN ESTIMATING VALUE
Tere are three steps in estimating value, using risk-adjusted
discount rates:
1. Estimate the expected cash ?ows from a project/asset/
business. If there is risk in the asset, this will require us
to consider/estimate cash ?ows under di?erent scenarios,
attach probabilities to these scenarios, and estimate an
expected value across scenarios. In most cases, though, it
takes the form of a base case set of estimates that captures
the range of possible outcomes.
2. Estimate a risk-adjusted discount rate. While there are
a number of details that go into this estimate, consider
that a risk-adjusted discount rate has two components:
Risk-Adjusted Rate = Risk-Free Rate + Risk Premium
3. Take the present value of the cash ?ows at the risk-
adjusted discount rate. Te resulting value will be the
risk-adjusted rate.
In the sections that follow, we focus on Step 2, and then use
an example to illustrate all three steps.
Value of asset= + + ...+
E(CF
1
) E(CF
2
) E(CF
3
) E(CF
n
)
(1+r) (1+r)
2
(1+r)
3
(1+r)
n
Value of asset= + + ...+
CE(CF
1
) CE(CF
2
) CE(CF
3
) CE(CF
n
)
(1+r
f
) (1+r
f
)
2
(1+r
f
)
3
(1+r
f
)
n
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 18
19 MEASURING VALUE: RISK-ADJUSTED VALUE
ADJUSTING DISCOUNT RATES FOR RISK
If we start with the presumption that a business can raise
funds for investments from one of two sources (borrowed
money (debt) or owners’ money (equity)) we can boil down
the process for adjusting discount rates for risk into several
inputs, as shown in Figure 4.1.
With cost of equity, we need three inputs to estimate the
risk-adjusted rate: a risk- free rate, an equity risk premium,
and a beta. With the cost of debt, we need three inputs as
well: the risk-free rate, a default spread for the debt, and a tax
rate to use in adjusting the cost of debt for its tax advantages.
Input 1: The Risk-Free Rate
On a risk-free asset, the actual return is equal to the expected
return. Terefore, there is no variance around the expected
return. For an investment to be risk free, it must come with:
• No default risk: Since there can be no uncertainty about
the return on the investment, the entity promising the
cash ?ows can have no default risk.
• No reinvestment risk: A six-month Treasury bill rate is
not risk free for an investor looking at a ten-year time
horizon, even if we assume that there is no default risk
in the U.S. government. Tis is because the returns are
guaranteed only for six months and there is uncertainty
about the rate at which you can invest beyond that
period.
With these two criteria in place, two propositions follow
about risk-free rates.
Proposition 1: Time horizon matters. Te risk-free rates in
valuation will depend upon when the cash ?ow is expected
to occur and will vary across time. Tus, a six-month risk-
free rate can be very di?erent from a ten-year risk-free rate in
the same currency at the same point in time.
Figure 4.1: Cost of Equity: Rate of Return Demanded by Equity Investors
Has to be default free, in the
same currency as cash ?ows,
and de?ned in same terms
(real of nominal) as the cash
?ow
Cost of equity
based upon
bottom-up beta
Weights should be market value weights
Cost of borrowing should be based upon
1. synthetic or actual bond rating
2. default spread
Cost of Borrowing = Riskfree + Default spread
Marginal tax rate, re?ecting
tax bene?ts of debt
Historical Premium
1. Mature Equity Market Premium:
Average premium earned by stocks over
T.Bonds in U.S.
2. Country risk premium= Country Default
Spread* (Equity/Country bond)
Implied Premium
Based on how
equity is priced
today and a
simple valuation
model
Cost of Equity: Rate of Return demanded by equity invstors
Cost of Capital: Weighted rate of return demanded by all investors
Cost of Equity = Risk free Rate + Beta X (Risk Premium)
Cost of Capital = Cost of Equity (equity/(Debt + Equity)) + Cost of Borrowing (1-t) (Debt/(Debt + Equity))
or
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 20
Proposition 2: Not all government securities are risk free.
Most practitioners use government security rates as risk-free
rates, making the implicit assumption that governments do
not default on local currency bonds. Some governments face
default risk, so the rates on the bonds they issue will not be
risk free.
In Figure 4.2, we illustrate this principle by estimating
risk-free rates in various currencies. While we assume that
the government bond rates in Japan, Switzerland, and the
United States are the risk-free rates for the currencies in these
countries (the Japanese yen, the Swiss franc and the U.S.
dollar), we adjust the government bond rates in Colombia
and Peru for the default risk embedded in them. With the
euro, we use the German euro bond rate as the risk-free
rate, since it is the lowest of the ten-year euro-denominated
government bond rates.
It also is worth noting that risk-free rates vary across
currencies because of di?erences in expected in?ation;
currencies with high expected in?ation will exhibit high
risk-free rates.
Input 2: Beta(s)
Given that beta is a measure of relative risk, what is the best
way to estimate it? In conventional corporate ?nance and
valuation, the answer is to run a regression of returns on the
stock of the company in question against the market index.
Te slope of the regression is the beta. Tis is illustrated
for a Peruvian construction company, Grana Montero, in
Figure 4.3.
Regressing weekly returns on Grana Montero from August
2008 to July 2010 against the Peruvian Lima General Index,
the beta for the company is 0.349. We should be skeptical
about this number for three reasons:
• It looks backward. Since a regression is based on returns
earned by owning the stock, it has to be historical and
does not re?ect the current business mix and ?nancial
leverage of the company. Tus, the regression above, run
in August 2010, uses data from 2008 to 2010 to estimate
the beta for the company. Even if it is accurate, it gives
you a beta for that period rather than for the future.
• It is estimated with error. Te standard error of the beta
is 0.083, suggesting that the true beta for Grana Montero
can be much higher or lower than the reported value; the
range on the beta from this regression, with 99 percent
con?dence, would be 0.09–0.60.
2
• It is dependent on how the regression is structured and
whether the stock is publicly traded in the ?rst place.
Te beta we would obtain for Grana Montero would
be very di?erent if we used a di?erent time period (?ve
years instead of two), a di?erent return interval (daily
instead of weekly) or a di?erent market index (a di?erent
Peruvian Index or a broader Latin American or global
index).
0%
1%
2%
3%
4%
5%
6%
7%
Default Spread
Riskfree Rate
Peruvian
Sul
Colombian
Peso
US
dollar
Euro Swiss
Francs
Japanese
Yen
1
.
1
0
%
2
.
2
5
%
2
.
7
5
%
3
.
0
0
%
4
.
7
5
%
2
.
0
0
%
2
.
0
0
%
4
.
0
0
%
Figure 4.2: Estimating Risk-Free Currency Rates
Figure 4.3: Measuring Relative
Risk for Grana Montero
2
Coef?cients on regressions are normally distributed. A 99 percent con?dence interval is plus or minus three standard deviations.
21 MEASURING VALUE: RISK-ADJUSTED VALUE
As an alternative, it is worth thinking about the determinants
of betas, the fundamental factors that cause some companies
to have high betas and others to have low betas. Te beta
for a company measures its exposure to macroeconomic risk
and should re?ect:
– Products and services it provides and how
discretionary these goods and services are: Firms that
produce products or services that customers can live
without or can hold o? on purchasing should have
higher betas than ?rms that produce products and
services that are necessities.
– Fixed cost structure: Firms that have high ?xed costs
(high operating leverage) should have more volatile
income and higher betas than ?rms with low ?xed
costs.
– Financial leverage: As ?rms borrow money, they
create ?xed costs (interest expenses) that make their
equity earnings more volatile and their equity betas
higher. In fact, the beta for equity in a ?rm can be
written as a function of the beta of the businesses that
the ?rm operates in and the debt to equity ratio for
the ?rm:
Levered (Equity) Beta = Unlevered Beta (1 + (1- tax rate)
(Debt/Equity))
A better estimate of beta for a ?rm can be obtained by
looking at the average betas for the businesses that the ?rm
operates in, corrected for ?nancial leverage.
For example, Grana Montero, the Peruvian company, is
in three businesses: software and software consulting,
construction, and oil extraction. Using estimated betas
for each of these businesses and the revenues that Grana
Montero derives from each one as weights, we obtain the
unlevered beta for the ?rm:
Revenues % of
Firm
Unlevered Beta
for business
Construction 1453 77.58% 0.75
Oil Extraction 225 12.01% 0.90
Software Consulting 195 10.41% 1.20
1873 0.81
In August 2008, the ?rm had outstanding debt of 433
million Peruvian soles and equity market value of 2.4 billion
soles. Using Peru’s 30 percent corporate tax rate, we can
estimate the beta for the equity in the company:
Levered Beta = 0.81 (1+ (1-.30) (433/2400)) = 0.92
Given such a situation, when a ?rm is in multiple businesses
with di?ering risk pro?les, it should hold each business up
to a di?erent standard, or hurdle rate. In the case of Grana
Montero, for instance, the hurdle rates for investments will
be much higher in software consulting than in construction.
Input 3: Equity Risk Premiums
Te equity risk premium is the collective additional premium
that investors demand for investing in any equities or risky
assets. Two approaches can be used to estimate the number.
Te ?rst approach looks at the past and estimates how much
of a premium you would have earned investing in stocks as
opposed to treasury bonds or bills over long time periods.
In Table 4.1 we estimate for premiums ranging from 10 to
80 years.
Te problem with using historical risk premiums is
illustrated in the numbers in brackets in the table; these
are standard errors in the risk premium estimates. Tus,
even with an 80-year period (1928–2009), the estimated
risk premium for stocks over treasury bonds comes with a
standard error of 2.4 percent. With ten years of data, the
standard errors drown out the estimates.
Table 4.1: Estimated Equity Risk Premiums
Arithmetic Average Geometric Average
Stocks –
T. Bills
Stocks –
T. Bonds
Stocks –
T. Bills
Stocks –
T. Bonds
1928–2009 7.53%
(2.28%)
6.03%
(2.40%)
5.56% 4.29%
1960–2009 5.48%
(2.42%)
3.78%
(2.71%)
4.09% 2.74%
2000–2009 -1.59%
(6.73%)
-5.47%
(9.22%)
-3.68% -7.22%
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 22
An alternative is to estimate a forward-looking premium, using
current stock prices and expected future cash ?ows. In Figure
4.4, for instance, we estimate an implied equity risk premium
for the Standard & Poor’s 500 stock index on January 1, 2010.
In January 2010, the equity risk premium for the United
States, and, by extension, other mature equity markets, was
4.36 percent. Tis number has been volatile, particularly in
the last few years, going from 4.37 percent at the start of
2008 to 6.43 percent in January 2009, and back to 4.36
percent in 2010. Based on the previous number, it seems
reasonable to use a 4.5 percent equity risk premium for
mature markets, at least for 2010.
An Adjustment for Country Risk
When a company operates in an emerging market, it is
exposed to signi?cantly more economic risk, arising from
both political instability and the nature of the underlying
economy. Even if we accept the proposition that an equity
risk premium of about 4.5 percent is reasonable for a mature
market, one might expect a larger risk premium when
investing in an emerging market.
One simple way to adjust for this additional risk is to add on
the default spread for the country in question to the mature
market premium. Tus, the total equity risk premium for
Peru, which has a sovereign rating of Baa3 and a default
spread of 2 percent, would be 6.5 percent. A slightly more
involved way of adjusting for country risk is to start with
the default spread and adjust this default spread for the
higher risk borne by equities in that market. Using Peru as
the example again, the standard deviation in weekly returns
over the last two years for Peruvian equities is 26 percent and
the standard deviation in the bond is 13 percent.
Additional risk premium for Peru = 2% (26/13) = 4%
Total equity risk premium for Peru = 4.5% + 4% = 8.5%
While neither one of these measures is perfect, they o?er
simple solutions to the country risk issue.
Input 4: Default Spreads
To calculate to the cost of borrowing for a ?rm, we must assess
the amount banks will charge to lend, over and above the risk-
free rate. Tis “default spread” can be assessed in several ways:
Figure 4.4: Estimated Equity Risk Premium for the Standard & Poor’s 500, January 2010
1115.10= + + + + +
43.29 46.40 49.74 53.32 57.16 57.16(1.0384)
(1+r) (1+r)
2
(1+r)
3
(1+r)
4
(1+r)
5
(r-.0384) (1+r)
5
43.29 46.40 49.74 53.32 57.16
In 2010, the actual
cash returned to
stockholders was
40.38. That was
down about 40%
from 2008 levels.
Analysts expect earnings to grow 21% in 2010, resulting in a
compounded annual growth rate of 7.2% over the next 5 years.
We will assume that dividends & buybacks will keep pace.
Expected Return on Stocks (1/1/10) =8.20%
T.Bond rate on 1/1/10 =3.84%
Equity Risk Premium=8.20%-3.84% =4.36%
After 5, we will assume that
earnings on the index will grow
at 3.84%, the same rate at the
entire economy (=riskfree rate).
January 1, 2010 S&P 500
is at 1115.10 Adjusted
Dividends & Buybacks for
2008 =40.38
23 MEASURING VALUE: RISK-ADJUSTED VALUE
• For the few companies that have bonds rated by a rating
agency, we can use the bond rating as a measure of default
risk and estimate the spread based upon the rating. For
example, the Walt Disney Company, the large American
entertainment conglomerate, has an A rating from rating
agency Standard & Poor’s. Based on this rating, the default
spread in September 2010 was roughly 0.85 percent. Adding
this to the ten-year bond rate at the time (2.5 percent) would
have yielded a 3.35 percent pre-tax cost to borrow.
• For frms with no bonds and no ratings, estimate the
interest rate that they likely would have to pay on a long-
term bank loan today. Tis rate would be the pre-tax cost
to borrow debt.
• In some cases, it is possible to estimate a synthetic bond
rating for a company, based on its ?nancial ratios. Tis
rating can be used to estimate a pre-tax cost of borrowing.
Default spreads change over time and re?ect both economic
uncertainty and investor risk aversion. Table 4.3 shows
September 2010 default spreads for bonds in di?erent
ratings classes.
Australia 4.50%
New Zealand 4.50%
Argentina 14.25%
Belize 14.25%
Bolivia 12.75%
Brazil 7.50%
Chile 5.85%
Colombia 7.50%
Costa Rica 8.25%
Ecuador 19.50%
El Salvador 19.50%
Guatemala 8.25%
Honduras 12.75%
Nicaragua 14.25%
Panama 8.25%
Paraguay 14.25%
Peru 7.50%
Uruguay 9.75%
Venezuela 11.25%
Albania 11.25%
Armenia 9.00%
Azerbaijan 8.25%
Belarus 11.25%
Bosnia and Herzegovina 12.75%
Bulgaria 7.50%
Croatia 7.50%
Czech Republic 5.85%
Estonia 5.85%
Hungary 6.90%
Kazakhstan 7.20%
Latvia 7.50%
Lithuania 6.90%
Moldova 15.75%
Montenegro 9.75%
Poland 6.08%
Romania 7.50%
Russia 6.90%
Slovakia 5.85%
Slovenia [1] 5.40%
Turkmenistan 12.75%
Ukraine 12.75%
Bahrain 6.08%
Israel 5.85%
Jordan 7.50%
Kuwait 5.40%
Lebanon 12.75%
Oman 6.08%
Qatar 5.40%
Saudi Arabia 5.85%
United Arab Emirates 5.40%
Canada 4.50%
Mexico 6.90%
United States of America 4.50%
Austria [1] 4.50%
Belgium [1] 4.95%
Cyprus [1] 5.63%
Denmark 4.50%
Finland [1] 4.50%
France [1] 4.50%
Germany [1] 4.50%
Greece [1] 6.08%
Iceland 7.50%
Ireland [1] 4.95%
Italy [1] 5.40%
Malta [1] 5.85%
Netherlands [1] 4.50%
Norway 4.50%
Portugal [1] 5.40%
Spain [1] 4.50%
Sweden 4.50%
Switzerland 4.50%
United Kingdom 4.50%
Equity Risk Premiums
January 2010
Table 4.2: Equity Risk Premiums, January 2010
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 24
Table 4.3: Default Spreads, September 2010
Rating Moody’s/S&P Default Spread on Ten-Year Bond
Aaa/AAA 0.45%
Aa1/AA+ 0.50%
Aa2/AA 0.55%
Aa3/AA- 0.60%
A1/A+ 0.75%
A2/A 0.85%
A3/A- 1.05%
Baa1/BBB+ 1.50%
Baa2/BBB 1.75%
Baa3/BBB- 2.25%
Ba1/BB+ 3.50%
Ba2/BB 4.50%
Ba3/BB- 4.75%
B1/B+ 5.00%
B2/B 5.75%
B3/B- 6.25%
Caa/CCC+ 7.75%
Since default spreads can and often do change over time,
such information must be updated on a frequent basis to
re?ect current levels.
Input 5: Tax Rates and Weights for Debt and Equity
Two additional inputs are needed to calculate the cost of
capital. Te ?rst is a tax rate to use in computing the after-
tax cost of borrowing:
After-tax cost of borrowing = Pre-tax cost of debt (1- tax rate)
Since interest expenses save taxes on last dollars of income,
the tax rate that should be used is a marginal tax rate. Te
best source for this rate is the tax code (and not the ?nancial
statements of the ?rm). To illustrate, the marginal tax rate
in the United States is a cumulative value, based on a 35
percent federal corporate tax rate plus various state and
local taxes. In 2010, the cumulative rate was estimated at
approximately 40 percent.
Te weights for computing the risk-adjusted cost of capital
should be market value weights, since the business has to
raise debt and equity in the market to fund its projects at
market rates. It also is worth noting that the risk-adjusted
discount rate for an individual project may be based on
target weights for the entire business, instead of a re?ection
of the actual funding mix for the project.
Calculating Risk-Adjusted Rates: A
Hypothetical Disney Theme Park in Rio
In this example, we conduct an analysis for a hypothetical
theme park that Te Walt Disney Company would build
in Rio De Janeiro, Brazil in early 2009. Table 4.4 estimates
expected cash ?ows from the theme park to the company,
based on projections of revenues, operating expenses and
taxes.
To calculate risk-adjusted discount rates, we follow these
steps:
1. Since the cash ?ows were estimated in dollars, the risk-
free rate is the U.S. treasury bond rate at the time, 3.5
percent.
Table 4.4: Expected Theme Park Cash Flows
0 1 2 3 4 5 6 7 8 9 10
Operating Income $0 -$50 -$150 -$84 $106 $315 $389 $467 $551 $641 $658
Taxes $0 -$19 -$57 -$32 $40 $120 $148 $178 $209 $244 $250
Operating Income after Taxes $0 -$31 -$93 -$52 $66 $196 $241 $290 $341 $397 $408
+Depreciation & Amortization $0 $50 $425 $469 $444 $372 $367 $364 $364 $366 $368
-Capital Expenditures $2,500 $1,000 $1,188 $752 $276 $258 $285 $314 $330 $347 $350
-Change in Working Capital $0 $0 $63 $25 $38 $31 $16 $17 $19 $21 $5
Cash ?ow to Firm -$2,500 -$981 -$918 -$360 $196 $279 $307 $323 $357 $395 $422
+Pre-Project Investment $500 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0
-Pre-project Depreciation $0 $19 $19 $19 $19 $19 $19 $19 $19 $19 $19
+Fixed G&A (1-t) $0 $0 $78 $109 $155 $194 $213 $234 $258 $284 $289
Incremental Cash ?ow to Firm -$2,000 -$1,000 -$859 -$270 $332 $454 $501 $538 $596 $660 $692
25 MEASURING VALUE: RISK-ADJUSTED VALUE
2. Te beta for the theme park business is 0.7829. Tis
was estimated by looking at publicly-traded theme park
companies.
3. Te risk premium was composed of two parts, a 6 percent
mature market premium (the premium used in 2009)
and an additional 3.9 percent risk premium for Brazil.
Country risk premium for Brazil = 3.95%
Cost of equity in US$= 3.5% + 0.7829 (6%+3.95%) =
11.29%
4. In early 2009, the company had a 6 percent pre-tax
cost of debt, based on its A rating, a 2.5 percent default
spread, and a 38 percent marginal tax rate:
After-tax cost of debt = (3.5% + 2.5%) (1-.38) = 3.72%
5. Te company uses a mix of 35.32 percent debt and 64.68
percent equity to fund its existing theme parks. Using
these inputs, we can estimate the cost of capital for the
hypothetical Rio project:
Cost of capital in US$ = 11.29% (0.6468) + 3.72%
(0.3532) = 8.62%
6. We discount the expected cash ?ows back at the 8.62
percent risk-adjusted discount rate to arrive at a value for
the theme park, net of costs, shown in Table 4.5.
Te risk-adjusted value for the Rio theme park is $2.877
billion.
Certainty Equivalents
In the certainty equivalent approach, we adjust the expected
cash ?ows for risk, rather than the discount rate, and use
the risk-free rate as the discount rate. Adjusting the risk of
expected cash ?ows is the most important aspect of this
approach. Tis adjustment can be calculated using several
methodologies, including:
• Compute certainty equivalents, using utility functions.
Tis is very di?cult to do and not worth exploring in
most cases.
• Subjectively estimate a “haircut”—decrease—to the
expected cash ?ows. Tis is arbitrary and can lead to
di?erent analysts making di?erent judgments of value,
based on their risk aversion.
• Convert expected cash fow to a certainty equivalent.
Tis approach is the most straightforward, but it requires
an estimate of the risk-adjusted cash ?ows as a ?rst step.
Once we have determined the risk-adjusted cash ?ows, we
can discount them at the risk-free rate.
Certainty Equivalent Value:
Rio Theme Park Example
To estimate the certainty equivalent cash ?ows, we used the
8.62 percent risk-adjusted discount rate that we obtained
for the company’s Rio project in conjunction with the 3.5
percent risk-free rate to adjust each cash ?ow. To illustrate,
the certainty equivalent for the $332 million expected cash
?ow in Year 4 can be computed as follows:
Certainty Equivalent for Year 4 = $332 =$274
Repeating this process with each cash ?ow yields the
certainty equivalent cash ?ows for each year. Discounting
all of the cash ?ows back at the risk-free rate of 3.5 percent
yields a risk-adjusted value for the theme park, as shown in
Table 4.6.
Table 4.5: Values for Hypothetical Rio Theme Park
Year Annual
Cash Flow
Terminal
Value
Present
Value
0 -$2,000 -$2,000
1 -$1,000 -$921
2 -$860 -$729
3 -$270 -$211
4 $332 $239
5 $453 $300
6 $502 $305
7 $538 $302
8 $596 $307
9 $660 $313
10 $692 $10,669 $4,970
Net Present Value $2,877
1.035
4
1.0862
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 26
Te risk-adjusted value for the theme park is $2,877 million,
identical to the value that we obtained with the risk-adjusted
discount rate approach.
Implications for Decision Makers
Any ?rm involved in risky activities has to make a good faith
e?ort to estimate the amount of risk exposure for every part
of the business, as well as how this exposure translates into
a risk-adjusted discount rate. Tus, di?erent components of
the same business, with di?erent risk exposures, can have
di?erent risk-adjusted rates. Tese rates can be used in
risk-adjusting value, either as discount rates for expected
cash ?ows, or as adjustment factors in deriving certainty
equivalents.
While managers might believe that that risk and return
models are ?awed or that the estimates used in the models
are incorrect, this skepticism cannot be viewed as a reason
for not estimating risk-adjusted discount rates or using
arbitrary numbers.
SECTION TASK: RISK-ADJUSTED VALUE
Risk-Adjusted Discount Rates
1. Does your ?rm have a hurdle rate for assessing investments?
If so, do you know (roughly) what it is right now?
2. Has this hurdle rate changed over time? Why?
3. Is there only one hurdle rate for all investments or do you
have di?erent hurdle rates for di?erent investments? If you
use di?erent hurdle rates for di?erent investments, what is
the reason?
Risk-Adjusted Cash Flows
Do you adjust your cash ?ows for risk?
If so, how are they adjusted for risk?
• “Haircut” cash fows on risky investments
• No established approach but it gets done by individual
decision-makers
• It happens and I have no idea how it happens
• Other (please describe)
Table 4.6: Risk-Adjusted Value for Hypothetical Rio
Theme Park (in millions of U.S. dollars)
Year Annual
Cash Flow
Terminal
Value
Certainty
Equivalent
Present
Value
0 -$2,000 -$2,000 -$2,000
1 -$1,000 -$953 -$921
2 -$860 -$780 -$729
3 -$270 -$234 -$211
4 $332 $274 $239
5 $453 $356 $300
6 $502 $375 $305
7 $538 $384 $302
8 $596 $405 $307
9 $660 $427 $313
10 $692 $10,669 $7,011 $4,970
Net Present Value $2,877
27 MANAGING RISK: ENTERPRISE APPROACHES
V. MANAGING RISK: ENTERPRISE APPROACHES
Risk Management and Enterprise Value
ERM (or Corporate Risk Management) is a strategic support
activity. It creates business value through an integrated
process of identi?cation, estimation, assessment, handling,
and controlling of risk.
Classical ?nance assumes market e?ciency when assessing
the value of the ?rm. It only focuses on the “beta” to
estimate the risk embedded in the company, as we saw in
the discussion of the CAPM. In contrast, ERM recognizes
the imperfection of markets, imperfect diversi?cation of
the investment portfolio, and bankruptcy costs. It allows
an enterprise to create value by managing risks. ERM
takes a much broader perspective on risk. It introduces a
way to think about the enterprise processes that involves a
proactive approach to management by directors, managers
and employees. Despite di?erences in view about the beta,
ERM techniques use discontinued cash ?ow valuations to
aid decision making on risk treatment.
Theme
In this section we link enterprise approaches, also known as ERM, with the more established,
classical risk-adjusted value approach covered in the previous section and explain how this new
approach can contribute to value creation. The section details the steps of a typical ERM process,
with speci?c directions on how to apply these techniques.
Enterprise Risk Management (ERM)
“A comprehensive and integrated framework for managing
credit risk, market risk, operational risk and economic capital
and risk transfer in order to maximize ?rm value” (Lam
2003)
“Dealing with uncertainty for the organization.” (Monhanan
2008)
“RM is the identi?cation, assessment, and handling of risks
enacted through (coordinated) corporate actions to monitor,
control, and minimize the adverse effect of unfortunate
events or maximize the realization of opportunities.”
(Andersen 2010)
“Risk management is a central part of any organization’s
strategic management. It is the process whereby
organizations methodically address the risks attaching to
their activities with the goal of achieving sustained bene?t
within each activity and across the portfolio of all activities.”
AIRMIC 2010 (Risk Management Standard)
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 28
Te corporate decisions targeted by ERM analysts are all
relevant in terms of value generation. ERM is an active
approach to risk governance that leads to better investments
(maximization of cash ?ow generated by investments)
and aims to reduce the cost of capital. In doing so it helps
maximize the company value.
As with the de?nition of risk there is no universal agreement
on the process to be followed in the implementation of
ERM. For the purposes of this section we use the AIRMIC
3
approach as a starting point and add a few re?nements of our
own. Others may wish to use frameworks such as COSO.
4
Regardless of the approach taken, whether AIRMIC, COSO
or another emerging standard, a good risk management
process must help the enterprise to:
• Defne risks acceptable to the enterprise as a whole—risk
policy
• Develop a list of actual and potential risks
• Assess both likelihood and consequences (impact) of the
previously identi?ed risks
• Build a value-based model that can estimate the impact
of risks on ?rm value through impacts on cash ?ows
and/or cost of capital
• Determine risks the company should retain, transfer, or
avoid
Te process certi?ed by AIRMIC requires the analysis to be
carried out in four sequential stages:
1. Identi?cation of risk management and enterprise
objectives
2. Risk assessment
3. Risk treatment
4. Risk monitoring
Corporate Finance and ERM Objectives Converge
SHAREHOLDER VALUE MAXIMIZATION
ACTIVE RM AIMS TO MAXIMIZE SHAREHOLDERS’ VALUE
Value of asset=
T
t=0
?
CF
t
(1+r)
t
MAXIMIZE EXPECTED
CASH FLOWS through
ACTIVE RM to generate
incremental positive cash
?ow, mainly through
tax optimization and
smoothing of earnings
MINIMIZE RISKS
through ACTIVE
RM ? lowering
cost of capital
and default risk
? default spread
The AIRMIC Enterprise Risk Management Process
Source: AIRMIC
The Organization’s
Strategic Objectives
Risk Analysis
Risk Identi?cation
Risk Description
Risk Estimation
Risk Evaluation
Formal
Audit
Risk Reporting
Threats and Opportunities
3
Association of Insurance and Risk Managers.http://www. airmic.com
4
Committee of Sponsoring Organizations of the Treadway Commission
Risk Assessment
Decision
Risk Treatment
Residual Risk Reporting
Monitoring
M
o
d
i
?
c
a
t
i
o
n
29 MANAGING RISK: ENTERPRISE APPROACHES
STEP 1: Identi?cation of Risk and Enterprise
Management Objectives
Tis is primarily a managerial phase. It begins with
determining the enterprise’s approach to risks, including
planning for the resources made available for risk
management and selecting the general criteria for treating
risks. Te enterprise selects a risk strategy compatible with
the degree of risk aversion that prevails. Te directors and
managers de?ne strategic objectives and operational goals
compatible with the risk aversion of the shareholders who
are looking to maximize enterprise value. In this context,
all ERM decisions should be made after responding to this
simple question: “What impact do top managers’ decisions
(hedging or retention action) have on the value of the
enterprise for its shareholders?”
STEP 2: Risk Assessment
Te second, largely technical, phase of the ERM process is
divided into two sub-phases:
• Risk analysis
• Risk evaluation
Te risk analysis consists of risk identi?cation and
estimation. In the identi?cation of enterprise risks we
must identify the potential sources of negative events that
are capable of compromising achievement of strategic and
operational objectives. Due to the potential losses that might
arise, the emphasis will be on identifying downside risk, but
the process should also elicit the upside risk and its bene?cial
e?ects on enterprise performance.
The Risk Management Process
1
Setting ?rm’s risk
management goals
and implementation
on the CG structure
2
Risk assessment
3
Risk treatment
4
Risk monitoring
2A. Risk Analysis 2B. Risk Evaluation
Risk Identi?cation/Description Risk Estimation
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 30
Useful qualitative analytical tools for risk identi?cation
include brainstorming, questionnaires and risk assessment
workshops. Additional tools include review of publicly
available documents for industry benchmarks, as well
as investigation of previous incidents and auditing and
inspection documents. Business studies focused on internal
and external procedures and scenario analysis also can be
useful in gaining a better understanding of the potential risk
factors.
Once the risks are identi?ed, they need to be described. In this
second part of the identi?cation phase, the ERM team creates
risk maps in which the failure events are described using the
following characteristics:
• Name
• Qualitative description of risk
• Principal up/downside scenarios
• Probability of occurrence
• Identity of person in charge of managing identifed risks
• Measurement techniques to monitor identifed risks
• Preliminary evaluation of the economic impact of the
scenarios presented
Risk Identi?cation: De?nition and Tools
Risk identi?cation sets out to identify an organization’s
exposure to uncertainty.
Risk identi?cation requires intimate knowledge of the ?rm,
the market in which it operates, the legal, social, political,
and cultural environment, and sound understanding of its
strategic and operational objectives, including factors critical
to its success and the threats and opportunities related to
achieving of its objectives.
AVAILABLE TECHNIQUES INCLUDE:
• Brainstorming
• Questionnaires
• Business studies on business processes describing
both the internal processes and external factor
determinants
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)
Emerging Market Participants Example: Major Risks (Risk identi?cation contributed by workshop participants)
Nigeria
Government policy changes
Physical security
Exchange rate ?uctuations
IT breakdown
Electrical power ?uctuations
Customer receivables
Receivables from state
Theft
Vietnam
In?ation
Foreign exchange changes
Regulatory changes
Flooding
Operational disruptions
India
Regulatory changes
Tax rates
Project failure
Unions
Environmental issues
Access to resources
Corruption
Nepal
Rebel insurgency
Political instability
Electrical power ?uctuations
Skilled labor
Zambia
Electrical power ?uctuations
Copper price changes
IT Failures
Flooding
Regulatory changes
Competition
Reputation
Uzbekistan
Earthquakes
Regional political instability
Regulatory changes
Cotton price changes
Gold prices
Political restrictions
31 MANAGING RISK: ENTERPRISE APPROACHES
Such a risk map is more detailed than the risk pro?le. However,
it should be noted that there is no single best practice for
mapping risks. Many ?rms can simply list risks related strategic
and operational objectives as part of a risk pro?le.
Risk Estimation
Once the risk map is known, the enterprise must quantify
the probability of the event as well as its impact on cash
?ows, estimating expected and unexpected losses and/or
upsides. Based on the nature of tools used, the estimation
methods are divided into three main groups:
• Purely qualitative estimates
• Semi-quantitative estimates
• Purely quantitative estimates
Purely Qualitative Estimates
Qualitative methods use descriptive words or scales of value
to illustrate the impact and the probabilities of an event.
Among the various methods used for qualitative estimates,
the Probability-Impact Matrix is among the most common.
Using the P-I Matrix for risk management involves creating
a matrix in which risks are identi?ed and classifying the
identi?ed risks.
Creating a P-I Matrix requires de?ning the following:
• A qualitative scale that indicates the probability of the
occurrence of a given event. Generally, these observations
are grouped into ?ve probability classes: almost certain,
very frequent, moderate, improbable, and rare.
• A qualitative scale representing the impact, that is, the
possible economic consequences from the occurrence
of the event. Generally, there are ?ve impact classes:
insigni?cant, low, moderate, severe, and catastrophic.
• A qualitative scale that assigns a risk rating to every
combination of elements (probability-impact). Tis can take
on four di?erent values: extreme, high, moderate, and low.
• Appropriate criteria for a risk rating assessment.
In Table 5.1, we provide an example of a P-I Matrix.
The Estimation Phase
Risk estimation can be quantitative, semi-quantitative or
qualitative in terms of the probability of occurrence and the
possible consequence.
• Qualitative methods: Probabilities and consequences
of events (catastrophic to insigni?cant) are estimated
according to qualitative scaling (analysts’ bias).
• Semi-quantitative methods: Qualitative scaling is
weigthed and transformed into a quantitive scale and a
P-I risk synthetic score is computed.
• Quantitive methods: Risk is estimated through
quantitive methods as such Scenario Analysis, Decision
Tree, Monte Carlo Simulation or according to the Value-
at-Risk Models. These methods rely on causal distribution
estimation (subjective and/or objective methods).
Table 5.1: Probability-Impact Matrix Structure
Probability Impact
Insigni?cant Low Moderate Severe Catastrophic
Almost certain (>50%) High High Extreme Extreme Extreme
Very frequent (20%–50%) Moderate High High Extreme Extreme
Moderate (5%–20%) Low Moderate High Extreme Extreme
Improbable (1%–5%) Low Low Moderate High Extreme
Rare (5000
High 5000 500
Moderate 500 50
Low
In February 2008, the board of the French bank Societe Generale learned that one of its traders had lost $7.2 billion dollars. Jerome Kerviel, the trader in question, had approval to risk up to $183 million.
Risk Taking: A Corporate
Governance Perspective
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 1
ACKNOWLEDGEMENTS
Te genesis of this book lies in the teaching materials
prepared for IFC’s Risk Governance Workshops conducted
in 20 developing countries during the 2010–2012 time
period by the book’s authors. Te book and workshops
also bene?ted from the contributions of Torben Andersen
of Copenhagen Business School and Zur Shapira of New
York University’s Stern School of Business. Te contents of
the book re?ect this team’s years of risk management and
governance practice as managers, directors as well as their
academic scholarship.
More than 1,000 corporate directors and senior managers
participated in the workshop series. Te handbook has
been shaped by their views, experiences and other feedback
and re?ects the richness of wide and varied collective
experience. Te authors have shared speci?c examples from
the participants’ experiences in the handbook—as much as
con?dentiality constraints allow.
Numerous stock exchanges, regulators, central banks,
schools and other institutions partnered with us in hosting
the events. Te workshops would not have been possible
without their administrative support. Tey also provided
key intelligence on local conditions and helped us frame
materials to speci?c emerging market conditions.
IFC sta? in local o?ces and in Washington, D.C. gave
their time to help to make these workshops happen. Tese
extended team members are valuable contributors to this
?nal product in as much as their e?orts, contacts, and
knowledge contributed to the workshops and to the shaping
of the consulting teams’ views on risk-taking challenges in
emerging markets.
Te workshops were funded by contributions from the
governments of the Netherlands and Austria, and from
IFC. Without their commitment to development, these
workshops and this handbook would not have been possible.
Oliviero Roggi (Lead Faculty)
Chairperson, International Risk Management Conference
Corporate Finance Professor, University of Florence
Visiting Professor, New York University Stern Salomon
Center
Maxine Garvey (Program Leader)
Corporate Governance Unit
International Finance Corporation
Aswath Damodaran (Program Lead Faculty)
Kerschner Family Chair in Finance Education
Professor of Finance at New York University Stern School
of Business
June 2012
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 3
I. Introduction ....................................................................................................................5
II. What is Risk? ..................................................................................................................7
III. Risk Governance, Risk Management, and Value Creation ......................................11
IV. Measuring Value: Risk-Adjusted Value .....................................................................17
V. Managing Risk: Enterprise Approaches ....................................................................27
VI. Tools for Better Risk Decision Making: Probabilistic Approaches .........................35
VII. Creating Value from Risk Taking ................................................................................39
VIII. Exploiting the Risk Upside: Strategic Risk Taking
and Building a Risk-Taking Organization ..................................................................43
IX. Conclusions ...................................................................................................................51
Appendix................................................................................................................................53
TABLE OF CONTENTS
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 4
5 INTRODUCTION
I. INTRODUCTION
Objectives Of IFC’s Risk Governance
Program
In February 2008, the board of the French bank Société
Générale learned that one of its traders had lost $7.2 billion
dollars. Jerome Kerviel, the trader in question, had approval
to risk up to $183 million. Since 2005, however, Kerviel had
apparently ignored his limits and took on exposures as high
as $73 billion—more than the market value of the entire
?rm. Société Générale’s board, managers, risk management
systems, and internal controls failed to detect, much less
halt, the reckless bets. When ?nally discovered, the failure in
risk governance and management had cost Société Générale
and its shareholders clients, money, and reputation. Similar
failures of risk governance feature in scandals at UBS and
Baring, with the latter failing to survive.
In the 2008 economic crisis, several ?rms in emerging
markets also su?ered major losses due to failed risk
management and governance. Brazilian pulp producer
Aracruz, and meat processor Sadia, had extensive losses on
foreign exchange derivative contracts. Ceylon Petroleum
Corporation (CPC) in Sri Lanka stood to lose hundreds of
millions on commodity derivatives. In all of these cases, the
chagrined boards (and, in the case of CPC, the state as the
main shareholder) asserted that managers had acted without
proper authorization.
Losses and the collapse of ?rms due to failures in risk
handling and risk governance hurt the wider community
through loss of jobs, goods and services. Tese losses are
felt particularly severely in emerging markets where the
economies are vulnerable and jobs are scarce.
Risk Taking as an Essential Activity of
Enterprises
Taking risks and dealing with uncertainty are essential parts
of doing business. E?ective oversight of risk taking is a key
responsibility of the board. Directors must protect pro?table
activities (“the golden goose”) in the face of routine risks and
improbable disasters (“the black swans”).
Te word “enterprise” derives from the Latin “impresum,”
meaning “taking upon oneself,” and describes the act of
carrying out actions with the intent to attain a preset objective.
Te purpose of the enterprise is the satisfaction of individual
customer needs. Tis objective can be attained only if the
enterprise prepares itself with the productive factors required
for producing and delivering the products and services that can
satisfy these needs. Tis circumstance, in which entrepreneurs
must anticipate the needs of consumers, leads to a pervasive
aspect of enterprise management: dealing with the risks
incurred as the entrepreneur organizes production. Hence,
the enterprise is characterized by uncertainty in conducting
its operations: uncertainty is an inherent element of enterprise
risk. Te enterprise and the risk generated in operating it are
inseparable. Tere is no enterprise without risk. Rewards
earned by an enterprise compensate for such risk taking.
IFC’s Risk Governance Program
As part of IFC’s response to the ?nancial crisis of 2008,
IFC’s Corporate Governance Unit launched a risk
governance program. Te program was intended to enhance
the capability of boards of directors in emerging markets
for improved risk management oversight. Te aim was
to provide directors with tools to enhance each board’s
risk oversight structures, processes, and competence. Te
program consisted of two elements: a series of training
events across emerging markets and this handbook.
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 6
By the end of 2011, the training team had conducted
workshops in 18 countries worldwide, working with
directors and others in numerous emerging markets,
drawing from multiple industries, public and private sectors,
real and ?nancial sectors, small and large ?rms, and rich
and poor countries. Te discussions covered many topics
on risk management, risk hedging, risk governance and
strategic risk taking. Tis book re?ects not only the content
prepared by the core teaching faculty for these workshops
but also the feedback and lessons shared by participants in
these engagements.
Target Reader: A Director’s Perspective on
Risk Taking
Te materials target decision makers, chie?y corporate
directors to help them make sense of an increasingly complex
and chaotic risk universe. Experienced directors with some
?nance training are the main audience for this book.
Te approach takes the view that a director’s chief
responsibility is to attend to the stakeholders’ value,
particularly shareholders’ value. Tus, the risk-taking
issues are discussed in terms of their impact on value. Te
approach also takes the view that decision makers/directors
should understand the analytical tools used in the “typical”
corporation. Understanding these tools makes oversight
more e?ective because directors can use their judgment to
decide when to act and what tools to apply in their enterprise.
Te contents are written with a broad scope to apply to as
many industries as possible. Te material covers traditional
corporate ?nance concepts and enterprise approaches.
Bankers, actuaries, and risk managers (particularly those
with a quantitative bent), will need resources beyond the
coverage of this book as they execute their speci?c tasks.
Section Outlines
In the ?rst two sections the book lays out the scope of risk
management by de?ning risk and exploring risk governance.
Te next few sections look at measuring and dealing with
risk and the di?erent tools used to incorporate risk into
decision making. Te ?nal portion of the manual advocates
for a broader view of risk management, demonstrates its
impact on the value of a business and suggests a template for
building a good risk-taking organization. Sections are tied
to simple steps in the generalized risk management process.
Sections start with a theme, followed by an examination of
the key issues relating to the theme. Sections conclude with
a set of tasks that can be used to convert the abstractions and
theories proposed to real world corporate governance tests/
measures for any organization.
Risk Management Steps Sections in Book
Step 1 Make an inventory of all of the risks that the ?rm is faced with –
?rm speci?c, sector, and market.
Section II: What is Risk?
Section III: Risk Governance, Risk Management,
and Value Creation
Step 2 Measure and decide which risks to hedge, avoid, or retain based
on impact on the value of the enterprise.
Section IV: Measuring Value: Risk-Adjusted Value
Section V: Managing Risk: Enterprise Approaches
Section VI: Tools for Better Risk Decision Making:
Probabilistic Approaches
Step 3 For the risks being hedged, select the risk-hedging products and
decide how to manage and monitor retained risks.
Section VII: Creating Value From Risk Taking
Step 4 Determine the risk dimensions in which you have an advantage
over your competitors and select an organizational structure
suitable for risktaking.
Section VIII: Exploiting the Risk Upside: Strategic Risk
Taking and Building a Risk-Taking Organization
7 WHAT IS RISK?
II. WHAT IS RISK?
Speaking of Risk
Tere is no consensus on a single formal de?nition of risk.
Given this lack of consensus, a de?nition from common
usage serves to start our discussion:
“Risk is a concept linked to human expectations. It indicates a
potential negative e?ect on an asset that may derive from given
processes in progress or given future events. In the common
language, risk is often used as a synonym of probability of a loss
or of a danger. In the assessment of professional risk, the concept
of risk combines the probability of an event occurring with the
impact that event may have and with its various circumstances
of happening.”
1
However useful this layman’s start, it does not fully lay out
the risk concept. For example, this de?nition does not clearly
distinguish between the concepts of risk and uncertainty. It
focuses only on negative implications of risk taking.
A Better De?nition of Risk
Risk, in traditional terms, is viewed as a negative. Te
dictionary de?nes risk as “exposing to danger or hazard.” Te
Chinese symbol for “crisis,” reproduced in Figure 1.1, o?ers a
better description of risk.
Te ?rst symbol is the symbol for “danger,” while the
second is the symbol for “opportunity,” making risk a mix of
danger and opportunity. By linking the two, the de?nition
emphasizes that you cannot have one (opportunity) without
the other and that o?ers that look too good to be true
(o?ering opportunity with little or no risk) are generally
not true. By emphasizing the upside potential as well as
the downside dangers, this de?nition also serves the useful
purpose of reminding us of an important truth about risk.
Where There is Upside, There is Downside
and the Opposite is True!
It should come as no surprise that managers become interested
in risk management during or just after a crisis and pay it
little heed in good times. Te Chinese de?nition of risk/crisis
points to the fact that good risk-taking organizations not
only approach risk with equanimity, but also manage risk
actively in good times and in bad times. Tus, they plan for
coming crises, which are inevitable, in good times and look
for opportunities during bad times.
Theme
To manage risk, we ?rst have to de?ne risk. In this section, we look at how risk has been
de?ned in both theory and practice. The section explores different risk classi?cations and
introduces the use of a risk pro?le for enterprises as a starting point for analyzing their risk-
taking activities.
Figure 1.1: The Chinese Symbol for “Crisis”
??
1
Source: http:www.wikipedia.com.
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 8
Classifying Risks Faced by Organizations
Identifying risk (making it tangible) can help managers or
directors in their decision making. Te two lists of risks
provided here are not intended to be exhaustive, because
it is not possible to cover the full gamut of potential risks.
Instead, the idea is to help organizational decision makers
(managers or directors) begin to think more clearly about
the risks faced by their organization.
Note that there are many equally valid classi?cations, and
?rms can develop their own lists suitable to their particular
circumstances. Te most important thing is that decision
makers must understand the risks relevant to their enterprises
as they are making decisions.
CLASSIFICATION EXAMPLE 1
Using the the Basel II framework and adapting the
classi?cations to non-?nancial ?rms, this example divides
organizational risks into three categories: operational,
?nancial, and market-based.
1. Operating Risk
a. Operating and veri?cation (accuracy)
b. Business risk
2. Financial Risk
a. Internal risks
i. Insolvency
ii. Counterparty
iii. Financial structure planning
b. External risks
i. Interest rate
ii. Currency exchange rate
iii. In?ation
3. Market-Based Risk
CLASSIFICATION EXAMPLE 2
1. Financial Risk
a. Credit (default, downgrade)
b. Price (commodity, interest rate, exchange rate)
c. Liquidity (cash ?ow)
2. Operational Risk
a. Business operations (e?ciency, supply chain, business
cycles)
b. Information technology
3. Strategic Risk
a. Reputational (i.e., bad publicity)
b. Demographic and social/cultural trends
c. Regulatory and political trends
4. Hazard Risk
a. Fire and other property damage
b. Teft and other crime, personal injury
c. Diseases
What is a Risk Pro?le?
A major step in appropriate oversight of risk taking by a ?rm
is listing out all of the risks that a ?rm is potentially exposed
to and categorizing these risks into groups. Tis list is called
a risk pro?le.
Do most ?rms create risk pro?les? Not necessarily. In many
?rms, it is taken for granted that most everyone in the ?rm
(particularly those with experience) is already aware of the
risks that the ?rm faces. Tis can be a mistake and more
so with risks that are uncommon, since many managers
may never have experienced that risk. For boards and across
?rms as a whole it is useful to be clear and explicit about the
risk faced. Instead of assuming awareness, make sure that
everyone understands by spelling out the potential risks.
Emerging Market Example: Risk Pro?le of an Airline Company in Brazil*
*Developed by risk workshop participant
Operational Risks
Aircraft crash and aircraft
breakdowns
Strikes
Telephone, IT failure, utility
outages
Failure of sub-contractors
Employee turnover
Changes in code-share
agreements
Crime and social unrest
Fire
Pollution
Theft and fraud
Damage to the brand
Financial and Market Risks
Oil prices changes
In?ation
Interest rate changes
Exchange rate ?uctuations
Tax changes in Brazil
Changes in world’s aviation
laws
New trade agreements
Cash ?ow dif?culties
Bankruptcy
Stock price collapse
Debt covenant violations
9 WHAT IS RISK?
Once you have created your risk pro?le, acknowledging the
risk that your company is facing, the next step is to divide
the various risks into three groups:
• Risk that should be allowed to pass through the frm to
its owners
• Risk that should be hedged
• Risk that should be exploited
Tis phase is part of the broader process, known as risk
treatment. Later in this manual, we will present various ways
to conduct a risk treatment process.
Implications for Decision Makers
To manage risk correctly, we must acknowledge its positive
and negative e?ects. Risk management has to look at both
the downside of risk and the potential upside. In other
words, risk management is not just about minimizing
exposure to the wrong risks. It also is about increasing
exposure to good risks.
It is important that a ?rm’s decision makers build a
common understanding of the risks they face by developing
a risk pro?le, an explicit listing of potential risks. While
classi?cations and categorizations as suggested above are
useful, the discussion itself is more important, because it
helps establish a common language and understanding of
the risks faced by the enterprise.
Risk pro?les are an enterprise’s starting point for risk
analysis. Most ?rms will need to go beyond risk pro?les,
and conduct risk assessments, treatment, and monitoring.
However, for small, simple ?rms without the interest or
capacity to deepen the risk management process, a well-
developed, thoroughly-discussed, and strongly-internalized
risk pro?le is a good start. Tis is a better option than
completely ignoring the risk situation.
SECTION TASK: DEFINE RISK
1. How would you de?ne risk?
2. Ask a fellow director or manager to list the top ?ve risks
facing your enterprise. Is this list di?erent from the one you
would make? How and why?
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 10
11 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
III. RISK GOVERNANCE,
RISK MANAGEMENT, AND VALUE CREATION
Corporate Governance
IFC’s Corporate Governance Unit de?nes corporate
governance as the structures and processes for the direction
and control of companies. Corporate governance concerns
the relationships among the management, board of directors,
controlling shareholders, minority shareholders, and other
stakeholders. Good corporate governance contributes
to sustainable economic development by enhancing the
performance of companies and increasing their access to
outside capital.
RISK GOVERNANCE
Risk governance is a relatively new term. In the corporate
governance arena, there is no consensus de?nition, although
in the information technology ?eld, risk governance is a more
developed concept. However, for the purposes of discussion
in this book, we de?ne risk governance in ?rms as the ways in
which directors authorize, optimize, and monitor risk taking
in an enterprise. It includes the skills, infrastructure (i.e.,
organization structure, controls and information systems),
and culture deployed as directors exercise their oversight.
Good risk governance provides clearly de?ned accountability,
authority, and communication/reporting mechanisms.
Risk oversight is the responsibility of the entire board.
However, some boards use risk committees to help ful?ll
responsibilities. Te risk committee might be independent,
or the work might be combined with audit tasks and
assigned to an audit and risk committee. For further detail
on proposed structure and functioning of risk committees,
see the appendix.
Risk Management
RISK TAKING AND VALUE CREATION: RISK-ADJUSTED
VALUATION
Ultimately, the objective of managing risk is to make the
?rm more valuable. For directors and managers, this is the
primary objective, regardless of whether they view this as
value to shareholders or value to a wider group of stakeholders.
Fortunately, classical ?nance provides robust techniques for
valuing enterprises. Te most frequently used method is the
discounting of future cash ?ow to the ?rm at a risk-adjusted
cost of capital. For risk management purposes, many would
point out that using the capital asset pricing model (CAPM)
for calculating risk-adjusted capital has a double bene?t
of already accounting for all the risk that a ?rm’s decision
makers need concern themselves about—the market risk. All
other risks are ?rm risks and can be diversi?ed away by the
individual investor in the ?rm’s shares. As the shareholders
can handle ?rm risk by their own portfolio diversi?cation,
it does not add value for the board or managers to concern
themselves with these types of risks. From this viewpoint,
using CAPM in assessing projects, investments, and in
valuation provides a ready-to-use approach for guiding risk-
taking in ?rms. Firms without any formal risk management
Theme
The section addresses the ?duciary duties of a board member focusing on risk oversight. It
starts by de?ning corporate governance, draws on the Organization for Economic Coopera-
tion and Development’s Principles of Corporate Governance in discussing the role of direc-
tors, and presents ideas on the role and structure of risk committees. It closes by linking the
value of the enterprise to risk management.
Corporate Governance Perspectives
There are a number of predominant theoretical perspectives on
corporate governance:
• Agency theory—align the interests of internal agents
(executives/managers) who display strong self-interest with
those of the shareholders (owners). In effect this represents
a double agency dilemma (see ?gure)
• Transaction cost theory—reduce costs of transactional
hazards through internal corporate governance mechanisms,
which cannot be handled by external market mechanisms
• Stewardship theory—general human motives of
achievement, altruism and meaningfulness should be
managed and guided in the most opportune manner
• Resource dependence theory—highlights corporate
dependence on external relations and sees governance as
a vehicle to ensure continued access to essential resources
• Stakeholder theory—acknowledges agreements with
multiple stakeholders that can create incremental value and/
or lead to subsequent risk events if neglected or abused
Shareholders
(public company)
Board of directors
Managers
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 12
13 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
functions are well served by using the capital asset pricing
models in guiding their investment decisions as they reap its
double bene?t—valuation and risk management.
Enterprise approaches also use valuation techniques at various
points in the process to ensure that any decisions taken will
maximize value. Tese valuation e?orts also deploy the
discounted cash ?ows, often using the capital asset pricing
models as well. Whatever the valuation method used, the risk
analyst needs to estimate the e?ect of each risk on ?rm value
and determine the cost of reducing each risk. If risk reduction
is costly, the decision makers must decide whether the bene?t
to ?rm value justi?es the costs. Each ?rm must seek a value-
maximizing risk management strategy.
Enterprise Risk Management
Enterprise Risk Management (ERM) emphasizes a
comprehensive, holistic approach to managing risk, shifting
away from a “silo-ed” approach of separately handling each
organizational risk. ERM also views risk management as a
value-creating activity, and not just a mitigation activity.
ERM is still an evolving concept. Before its emergence,
organizations tended to isolate the management of risks.
For example, the treasurer managed currency exposures, the
sales or credit manager managed credit risk, and commodity
traders and purchasing o?cers managed commodity price
risks. Insurance risk managers handled the hazard risks.
Te personnel department managed the human resources
risks. Quality and production managers were responsible
for containing production risk. Marketing and strategy
Responsibilities of Board Members
The OECD Principles of Corporate Governance provide guidance
on the responsibilities of directors:
A. Board members should act on a fully informed basis, in good
faith, with due diligence and care, and in the best interest of
the company and the shareholders.
B. Where board decisions may affect different shareholder
groups differently, the board should treat all shareholders
fairly.
C. The board should apply high ethical standards. It should take
into account the interests of stakeholders.
D. The board should ful?ll certain key functions, including:
1. Reviewing and guiding corporate strategy, major plans
of action, risk policy, annual budgets and business plans;
setting performance objectives; monitoring implementation
and corporate performance; and overseeing major capital
expenditures, acquisitions and divestitures.
2. Monitoring the effectiveness of the company’s governance
practices and making changes as needed.
3. Selecting, compensating, monitoring and, when necessary,
replacing key executives and overseeing succession planning.
4. Aligning key executive and board remuneration with the
longer term interests of the company and its shareholders.
5. Ensuring a formal and transparent board nomination and
election process.
6. Monitoring and managing potential con?icts of interest of
management, board members and shareholders, including
misuse of corporate assets and abuse in related party
transactions.
7. Ensuring the integrity of the corporation’s accounting and
?nancial reporting systems, including the independent
audit, and that appropriate systems of control are in place,
in particular, systems for risk management, ?nancial and
operational control, and compliance with the law and
relevant standards.
8. Overseeing the process of disclosure and communications.
E. The board should be able to exercise objective independent
judgment on corporate affairs.
1. Boards should consider assigning a suf?cient number
of non-executive board members capable of exercising
independent judgment to tasks where there is a
potential for con?ict of interest. Examples of such key
responsibilities are ensuring the integrity of ?nancial
and non-?nancial reporting, the review of related party
transactions, nomination of board members and key
executives, and board remuneration.
2. When committees of the board are established, their
mandate, composition and working procedures should
be well de?ned and disclosed by the board.
3. Board members should be able to commit themselves
effectively to their responsibilities.
F. In order to ful?l their responsibilities, board members should
have access to accurate, relevant and timely information
Source: OECD Principles of Corporate Governance, 2004
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 14
departments attended to the competitive risks. Tere
was limited e?ort to coordinate across the enterprise, to
understand where risks could multiply, where they cancel
each other out, or where they could be exploited for pro?t.
ERM addresses these issues, focusing on coordination and
value addition. For example, in a conglomerate in which one
division is long in currency A and another division is short
in the same sum in the same currency, responsible division
managers might decide to purchase separate currency
hedges. Tis represents a silo-ed approach, which does not
enhance value. Taking an enterprise-wide approach instead,
using ERM, renders such actions unnecessary, because the
conglomerate already has a natural hedge.
ERM’s coordinated function is often vested in a chief risk
o?cer and in increased risk governance, including board
oversight. Tis evolving portfolio approach is aided by
improved tools for risk measurement, pricing and trading.
Today, there are two widely-disseminated ERM approaches:
• COSO II ERM: Risk framework from the Committee of
Sponsoring Organizations of the Tread way Commission
that is geared to achieving strategic, operational,
reporting, and compliance objectives.
• CAS ERM Framework: Developed by the Casualty
Actuarial Society, the framework focuses on hazard,
?nancial, strategic, and operational risks.
Regardless of the framework used it is important that risk
decisions always tie in to the value of the enterprise to its
stakeholders, particularly to its shareholders.
RISK AVERSION, RISK POLICY, RISK TOLERANCE AND
RISK APPETITE
Te development of a risk policy is an importance task for
boards. Tis activity is related to the board’s corporate strategy
work, and involves specifying the types and degree of risk that
a company is willing to accept in pursuit of its goals. It is a
crucial management guideline in managing risks to meet the
company’s desired risk pro?le.
An enterprise’s risk policy re?ects the aggregate risk aversion
of its decision makers. In the enterprise approach detailed
later in the book, we will look at various managerial decision
points, when decision makers’ attitudes toward risk will drive
action. Tis attitude toward risk may or may not be codi?ed in
a formal risk policy.
Risk appetite and risk tolerance are newer terms in the risk
management lexicon. In recent years, these terms have been
used with increased frequency, particularly in the corporate
governance and accounting community. Te precise meaning
and metrics of the two terms are still evolving and considerable
inconsistency in their use remains. In contrast, the term risk
aversion has the bene?t of long use in the corporate ?nance
community, with consensus on the concept, its measurement,
and its implications for behavior. Fortunately, risk appetite and
risk tolerance concepts appear to be rooted in the more robust
concepts of risk aversion and risk policy.
Recently, the Institute of Risk Management attempted to
produce a clear de?nition of the terms “risk appetite” and “risk
tolerance” as follows:
Emerging Market Example: Tea and Coffee Plantation in Kenya
A commercial Kenyan farm producing tea and coffee for the
European, Asian, and American markets faces a range of
risks. These risks include the vagaries of weather, particularly
drought, changes in government policy, ethnic strife affecting
the workforce, commodity price ?uctuations, and exchange
rate ?uctuations. The farm is owned and operated by the
second generation of the founding family. The board consists
of the three siblings running the business, their accountant, and
the export sales manager. The directors have made a decision
that they will not retain any foreign exchange risks, because
the siblings believe that they lack the expertise to cope with
foreign exchange ?uctuations. They are con?dent that their
knowledge of Kenya enables them to assess, evaluate, and treat
the weather and political risks. As a result of their aversion to
foreign currency risk, their risk policy is to avoid or hedge this
risk almost completely. They sell their produce to a middleman,
a trading company that sets the contracts in Kenyan shillings.
In addition, non-deliverable forwards and forwards are used to
limit exposure on any inputs that need to be purchased in foreign
currency and on the occasional sales that are not sold through
the trading company.
15 RISK GOVERNANCE, RISK MANAGEMENT, AND VALUE CREATION
• Risk appetite: Te amount of risk an organization
is willing to seek or accept in pursuit of its long term
objectives.
• Risk tolerance: Te boundaries of risk taking outside of
which the organization is not prepared to venture in the
pursuit of long-term objectives. Risk tolerance can be
stated in absolutes, for example: “We will not deal with
a certain type of customer” or “We will not expose more
that X percent of our capital to losses in a certain line of
business.”
• Risk universe: Te full range of risks that could impact
either positively or negatively on the ability of the
organization to achieve its long term objectives.
SECTION TASK: Risk Governance, Risk
Management, and Value Creation
1. How does your board de?ne its responsibilities on risk-
taking?
2. How often does your board discuss risk issues?
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 16
17 MEASURING VALUE: RISK-ADJUSTED VALUE
IV. MEASURING VALUE: RISK-ADJUSTED VALUE
Approaches for Adjusting Value for Risk
Theme
Pursuing value-maximizing risk strategies requires that decision makers assess risk-taking within
the context of a valuation methodology. For the discussion in this section, we use discounted
cash ?ows methodology, and two practical ways of adjusting risky asset values. In the ?rst, we
adjust the discount rates upwards for risky assets and reduce the present value of expected cash
?ows. In the second, we replace the expected cash ?ows with “certainty equivalent” cash ?ows,
which, when discounted back at the risk-free rate, yields a risk-adjusted value.
Risk-Adjusted Value
De?nition: The value of a risky asset can be estimated by
discounting the expected cash ?ows on the asset over its life at
a risk-adjusted discount rate:
where the asset has a n-year life, E(CF
t
) is the expected cash
?ow in period t and r is a discount rate that re?ects the risk of
the cash ?ows.
PROCESS TO ESTIMATE RaV
Step 1: Estimate the expected cash ?ows from a project/
asset/business. For a risky asset, consider/estimate cash ?ows
under different scenarios, attach probabilities to these scenarios
and estimate an expected value across scenarios.
Step 2: Estimate a risk-adjusted discount rate, comprised of
two components, the risk-free rate and the risk premium.
Risk-adjusted rate = Risk-free rate + Risk premium= Rf+
Beta (Rm-Rf)
Step 3: Take the present value of the cash ?ows at the
risk-adjusted discount rate.
Value of asset=
T
t=0
?
E(CF
t
)
(1+r)
t
Te value of an asset that generates cash ?ows can be written
as the present value of the expected cash ?ows from that
asset, discounted back at a discount rate that re?ects the risk.
Te value of a risky asset can be estimated by discounting
the expected cash ?ows on the asset over its life at a risk-
adjusted discount rate:
where the asset has a n-year life, E(CFt) is the expected cash
?ow in period t and r is a discount rate that re?ects the risk
of the cash ?ows. In this approach, the numerator is the
expected cash ?ow, with no adjustment paid for risk, whereas
the discount rate bears the burden of risk adjustments.
Alternatively, we can replace the expected cash ?ows with
the guaranteed cash ?ows we would have accepted as an
alternative (certainty equivalents) and discount these at the
risk-free rate:
where CE(CF
t
) is the certainty equivalent of E(CF
t
) and r
f
is
the risk-free rate.
Note that the key sets of inputs are the certainty equivalent
cash ?ows, which bear the burden of risk adjustment. Te
discount rate is the risk-free rate.
With both approaches, the present value of the cash ?ows
will be the risk- adjusted value for the asset.
Risk-Adjusted Discount Rate
To adjust discount rates for risk, we must use a risk and
return model. In this section, we will examine how best
to estimate the inputs for the simplest of these models (the
CAPM) but much of what we say about these inputs can be
replicated for more complex risk and return models.
THREE STEPS IN ESTIMATING VALUE
Tere are three steps in estimating value, using risk-adjusted
discount rates:
1. Estimate the expected cash ?ows from a project/asset/
business. If there is risk in the asset, this will require us
to consider/estimate cash ?ows under di?erent scenarios,
attach probabilities to these scenarios, and estimate an
expected value across scenarios. In most cases, though, it
takes the form of a base case set of estimates that captures
the range of possible outcomes.
2. Estimate a risk-adjusted discount rate. While there are
a number of details that go into this estimate, consider
that a risk-adjusted discount rate has two components:
Risk-Adjusted Rate = Risk-Free Rate + Risk Premium
3. Take the present value of the cash ?ows at the risk-
adjusted discount rate. Te resulting value will be the
risk-adjusted rate.
In the sections that follow, we focus on Step 2, and then use
an example to illustrate all three steps.
Value of asset= + + ...+
E(CF
1
) E(CF
2
) E(CF
3
) E(CF
n
)
(1+r) (1+r)
2
(1+r)
3
(1+r)
n
Value of asset= + + ...+
CE(CF
1
) CE(CF
2
) CE(CF
3
) CE(CF
n
)
(1+r
f
) (1+r
f
)
2
(1+r
f
)
3
(1+r
f
)
n
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 18
19 MEASURING VALUE: RISK-ADJUSTED VALUE
ADJUSTING DISCOUNT RATES FOR RISK
If we start with the presumption that a business can raise
funds for investments from one of two sources (borrowed
money (debt) or owners’ money (equity)) we can boil down
the process for adjusting discount rates for risk into several
inputs, as shown in Figure 4.1.
With cost of equity, we need three inputs to estimate the
risk-adjusted rate: a risk- free rate, an equity risk premium,
and a beta. With the cost of debt, we need three inputs as
well: the risk-free rate, a default spread for the debt, and a tax
rate to use in adjusting the cost of debt for its tax advantages.
Input 1: The Risk-Free Rate
On a risk-free asset, the actual return is equal to the expected
return. Terefore, there is no variance around the expected
return. For an investment to be risk free, it must come with:
• No default risk: Since there can be no uncertainty about
the return on the investment, the entity promising the
cash ?ows can have no default risk.
• No reinvestment risk: A six-month Treasury bill rate is
not risk free for an investor looking at a ten-year time
horizon, even if we assume that there is no default risk
in the U.S. government. Tis is because the returns are
guaranteed only for six months and there is uncertainty
about the rate at which you can invest beyond that
period.
With these two criteria in place, two propositions follow
about risk-free rates.
Proposition 1: Time horizon matters. Te risk-free rates in
valuation will depend upon when the cash ?ow is expected
to occur and will vary across time. Tus, a six-month risk-
free rate can be very di?erent from a ten-year risk-free rate in
the same currency at the same point in time.
Figure 4.1: Cost of Equity: Rate of Return Demanded by Equity Investors
Has to be default free, in the
same currency as cash ?ows,
and de?ned in same terms
(real of nominal) as the cash
?ow
Cost of equity
based upon
bottom-up beta
Weights should be market value weights
Cost of borrowing should be based upon
1. synthetic or actual bond rating
2. default spread
Cost of Borrowing = Riskfree + Default spread
Marginal tax rate, re?ecting
tax bene?ts of debt
Historical Premium
1. Mature Equity Market Premium:
Average premium earned by stocks over
T.Bonds in U.S.
2. Country risk premium= Country Default
Spread* (Equity/Country bond)
Implied Premium
Based on how
equity is priced
today and a
simple valuation
model
Cost of Equity: Rate of Return demanded by equity invstors
Cost of Capital: Weighted rate of return demanded by all investors
Cost of Equity = Risk free Rate + Beta X (Risk Premium)
Cost of Capital = Cost of Equity (equity/(Debt + Equity)) + Cost of Borrowing (1-t) (Debt/(Debt + Equity))
or
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 20
Proposition 2: Not all government securities are risk free.
Most practitioners use government security rates as risk-free
rates, making the implicit assumption that governments do
not default on local currency bonds. Some governments face
default risk, so the rates on the bonds they issue will not be
risk free.
In Figure 4.2, we illustrate this principle by estimating
risk-free rates in various currencies. While we assume that
the government bond rates in Japan, Switzerland, and the
United States are the risk-free rates for the currencies in these
countries (the Japanese yen, the Swiss franc and the U.S.
dollar), we adjust the government bond rates in Colombia
and Peru for the default risk embedded in them. With the
euro, we use the German euro bond rate as the risk-free
rate, since it is the lowest of the ten-year euro-denominated
government bond rates.
It also is worth noting that risk-free rates vary across
currencies because of di?erences in expected in?ation;
currencies with high expected in?ation will exhibit high
risk-free rates.
Input 2: Beta(s)
Given that beta is a measure of relative risk, what is the best
way to estimate it? In conventional corporate ?nance and
valuation, the answer is to run a regression of returns on the
stock of the company in question against the market index.
Te slope of the regression is the beta. Tis is illustrated
for a Peruvian construction company, Grana Montero, in
Figure 4.3.
Regressing weekly returns on Grana Montero from August
2008 to July 2010 against the Peruvian Lima General Index,
the beta for the company is 0.349. We should be skeptical
about this number for three reasons:
• It looks backward. Since a regression is based on returns
earned by owning the stock, it has to be historical and
does not re?ect the current business mix and ?nancial
leverage of the company. Tus, the regression above, run
in August 2010, uses data from 2008 to 2010 to estimate
the beta for the company. Even if it is accurate, it gives
you a beta for that period rather than for the future.
• It is estimated with error. Te standard error of the beta
is 0.083, suggesting that the true beta for Grana Montero
can be much higher or lower than the reported value; the
range on the beta from this regression, with 99 percent
con?dence, would be 0.09–0.60.
2
• It is dependent on how the regression is structured and
whether the stock is publicly traded in the ?rst place.
Te beta we would obtain for Grana Montero would
be very di?erent if we used a di?erent time period (?ve
years instead of two), a di?erent return interval (daily
instead of weekly) or a di?erent market index (a di?erent
Peruvian Index or a broader Latin American or global
index).
0%
1%
2%
3%
4%
5%
6%
7%
Default Spread
Riskfree Rate
Peruvian
Sul
Colombian
Peso
US
dollar
Euro Swiss
Francs
Japanese
Yen
1
.
1
0
%
2
.
2
5
%
2
.
7
5
%
3
.
0
0
%
4
.
7
5
%
2
.
0
0
%
2
.
0
0
%
4
.
0
0
%
Figure 4.2: Estimating Risk-Free Currency Rates
Figure 4.3: Measuring Relative
Risk for Grana Montero
2
Coef?cients on regressions are normally distributed. A 99 percent con?dence interval is plus or minus three standard deviations.
21 MEASURING VALUE: RISK-ADJUSTED VALUE
As an alternative, it is worth thinking about the determinants
of betas, the fundamental factors that cause some companies
to have high betas and others to have low betas. Te beta
for a company measures its exposure to macroeconomic risk
and should re?ect:
– Products and services it provides and how
discretionary these goods and services are: Firms that
produce products or services that customers can live
without or can hold o? on purchasing should have
higher betas than ?rms that produce products and
services that are necessities.
– Fixed cost structure: Firms that have high ?xed costs
(high operating leverage) should have more volatile
income and higher betas than ?rms with low ?xed
costs.
– Financial leverage: As ?rms borrow money, they
create ?xed costs (interest expenses) that make their
equity earnings more volatile and their equity betas
higher. In fact, the beta for equity in a ?rm can be
written as a function of the beta of the businesses that
the ?rm operates in and the debt to equity ratio for
the ?rm:
Levered (Equity) Beta = Unlevered Beta (1 + (1- tax rate)
(Debt/Equity))
A better estimate of beta for a ?rm can be obtained by
looking at the average betas for the businesses that the ?rm
operates in, corrected for ?nancial leverage.
For example, Grana Montero, the Peruvian company, is
in three businesses: software and software consulting,
construction, and oil extraction. Using estimated betas
for each of these businesses and the revenues that Grana
Montero derives from each one as weights, we obtain the
unlevered beta for the ?rm:
Revenues % of
Firm
Unlevered Beta
for business
Construction 1453 77.58% 0.75
Oil Extraction 225 12.01% 0.90
Software Consulting 195 10.41% 1.20
1873 0.81
In August 2008, the ?rm had outstanding debt of 433
million Peruvian soles and equity market value of 2.4 billion
soles. Using Peru’s 30 percent corporate tax rate, we can
estimate the beta for the equity in the company:
Levered Beta = 0.81 (1+ (1-.30) (433/2400)) = 0.92
Given such a situation, when a ?rm is in multiple businesses
with di?ering risk pro?les, it should hold each business up
to a di?erent standard, or hurdle rate. In the case of Grana
Montero, for instance, the hurdle rates for investments will
be much higher in software consulting than in construction.
Input 3: Equity Risk Premiums
Te equity risk premium is the collective additional premium
that investors demand for investing in any equities or risky
assets. Two approaches can be used to estimate the number.
Te ?rst approach looks at the past and estimates how much
of a premium you would have earned investing in stocks as
opposed to treasury bonds or bills over long time periods.
In Table 4.1 we estimate for premiums ranging from 10 to
80 years.
Te problem with using historical risk premiums is
illustrated in the numbers in brackets in the table; these
are standard errors in the risk premium estimates. Tus,
even with an 80-year period (1928–2009), the estimated
risk premium for stocks over treasury bonds comes with a
standard error of 2.4 percent. With ten years of data, the
standard errors drown out the estimates.
Table 4.1: Estimated Equity Risk Premiums
Arithmetic Average Geometric Average
Stocks –
T. Bills
Stocks –
T. Bonds
Stocks –
T. Bills
Stocks –
T. Bonds
1928–2009 7.53%
(2.28%)
6.03%
(2.40%)
5.56% 4.29%
1960–2009 5.48%
(2.42%)
3.78%
(2.71%)
4.09% 2.74%
2000–2009 -1.59%
(6.73%)
-5.47%
(9.22%)
-3.68% -7.22%
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 22
An alternative is to estimate a forward-looking premium, using
current stock prices and expected future cash ?ows. In Figure
4.4, for instance, we estimate an implied equity risk premium
for the Standard & Poor’s 500 stock index on January 1, 2010.
In January 2010, the equity risk premium for the United
States, and, by extension, other mature equity markets, was
4.36 percent. Tis number has been volatile, particularly in
the last few years, going from 4.37 percent at the start of
2008 to 6.43 percent in January 2009, and back to 4.36
percent in 2010. Based on the previous number, it seems
reasonable to use a 4.5 percent equity risk premium for
mature markets, at least for 2010.
An Adjustment for Country Risk
When a company operates in an emerging market, it is
exposed to signi?cantly more economic risk, arising from
both political instability and the nature of the underlying
economy. Even if we accept the proposition that an equity
risk premium of about 4.5 percent is reasonable for a mature
market, one might expect a larger risk premium when
investing in an emerging market.
One simple way to adjust for this additional risk is to add on
the default spread for the country in question to the mature
market premium. Tus, the total equity risk premium for
Peru, which has a sovereign rating of Baa3 and a default
spread of 2 percent, would be 6.5 percent. A slightly more
involved way of adjusting for country risk is to start with
the default spread and adjust this default spread for the
higher risk borne by equities in that market. Using Peru as
the example again, the standard deviation in weekly returns
over the last two years for Peruvian equities is 26 percent and
the standard deviation in the bond is 13 percent.
Additional risk premium for Peru = 2% (26/13) = 4%
Total equity risk premium for Peru = 4.5% + 4% = 8.5%
While neither one of these measures is perfect, they o?er
simple solutions to the country risk issue.
Input 4: Default Spreads
To calculate to the cost of borrowing for a ?rm, we must assess
the amount banks will charge to lend, over and above the risk-
free rate. Tis “default spread” can be assessed in several ways:
Figure 4.4: Estimated Equity Risk Premium for the Standard & Poor’s 500, January 2010
1115.10= + + + + +
43.29 46.40 49.74 53.32 57.16 57.16(1.0384)
(1+r) (1+r)
2
(1+r)
3
(1+r)
4
(1+r)
5
(r-.0384) (1+r)
5
43.29 46.40 49.74 53.32 57.16
In 2010, the actual
cash returned to
stockholders was
40.38. That was
down about 40%
from 2008 levels.
Analysts expect earnings to grow 21% in 2010, resulting in a
compounded annual growth rate of 7.2% over the next 5 years.
We will assume that dividends & buybacks will keep pace.
Expected Return on Stocks (1/1/10) =8.20%
T.Bond rate on 1/1/10 =3.84%
Equity Risk Premium=8.20%-3.84% =4.36%
After 5, we will assume that
earnings on the index will grow
at 3.84%, the same rate at the
entire economy (=riskfree rate).
January 1, 2010 S&P 500
is at 1115.10 Adjusted
Dividends & Buybacks for
2008 =40.38
23 MEASURING VALUE: RISK-ADJUSTED VALUE
• For the few companies that have bonds rated by a rating
agency, we can use the bond rating as a measure of default
risk and estimate the spread based upon the rating. For
example, the Walt Disney Company, the large American
entertainment conglomerate, has an A rating from rating
agency Standard & Poor’s. Based on this rating, the default
spread in September 2010 was roughly 0.85 percent. Adding
this to the ten-year bond rate at the time (2.5 percent) would
have yielded a 3.35 percent pre-tax cost to borrow.
• For frms with no bonds and no ratings, estimate the
interest rate that they likely would have to pay on a long-
term bank loan today. Tis rate would be the pre-tax cost
to borrow debt.
• In some cases, it is possible to estimate a synthetic bond
rating for a company, based on its ?nancial ratios. Tis
rating can be used to estimate a pre-tax cost of borrowing.
Default spreads change over time and re?ect both economic
uncertainty and investor risk aversion. Table 4.3 shows
September 2010 default spreads for bonds in di?erent
ratings classes.
Australia 4.50%
New Zealand 4.50%
Argentina 14.25%
Belize 14.25%
Bolivia 12.75%
Brazil 7.50%
Chile 5.85%
Colombia 7.50%
Costa Rica 8.25%
Ecuador 19.50%
El Salvador 19.50%
Guatemala 8.25%
Honduras 12.75%
Nicaragua 14.25%
Panama 8.25%
Paraguay 14.25%
Peru 7.50%
Uruguay 9.75%
Venezuela 11.25%
Albania 11.25%
Armenia 9.00%
Azerbaijan 8.25%
Belarus 11.25%
Bosnia and Herzegovina 12.75%
Bulgaria 7.50%
Croatia 7.50%
Czech Republic 5.85%
Estonia 5.85%
Hungary 6.90%
Kazakhstan 7.20%
Latvia 7.50%
Lithuania 6.90%
Moldova 15.75%
Montenegro 9.75%
Poland 6.08%
Romania 7.50%
Russia 6.90%
Slovakia 5.85%
Slovenia [1] 5.40%
Turkmenistan 12.75%
Ukraine 12.75%
Bahrain 6.08%
Israel 5.85%
Jordan 7.50%
Kuwait 5.40%
Lebanon 12.75%
Oman 6.08%
Qatar 5.40%
Saudi Arabia 5.85%
United Arab Emirates 5.40%
Canada 4.50%
Mexico 6.90%
United States of America 4.50%
Austria [1] 4.50%
Belgium [1] 4.95%
Cyprus [1] 5.63%
Denmark 4.50%
Finland [1] 4.50%
France [1] 4.50%
Germany [1] 4.50%
Greece [1] 6.08%
Iceland 7.50%
Ireland [1] 4.95%
Italy [1] 5.40%
Malta [1] 5.85%
Netherlands [1] 4.50%
Norway 4.50%
Portugal [1] 5.40%
Spain [1] 4.50%
Sweden 4.50%
Switzerland 4.50%
United Kingdom 4.50%
Equity Risk Premiums
January 2010
Table 4.2: Equity Risk Premiums, January 2010
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 24
Table 4.3: Default Spreads, September 2010
Rating Moody’s/S&P Default Spread on Ten-Year Bond
Aaa/AAA 0.45%
Aa1/AA+ 0.50%
Aa2/AA 0.55%
Aa3/AA- 0.60%
A1/A+ 0.75%
A2/A 0.85%
A3/A- 1.05%
Baa1/BBB+ 1.50%
Baa2/BBB 1.75%
Baa3/BBB- 2.25%
Ba1/BB+ 3.50%
Ba2/BB 4.50%
Ba3/BB- 4.75%
B1/B+ 5.00%
B2/B 5.75%
B3/B- 6.25%
Caa/CCC+ 7.75%
Since default spreads can and often do change over time,
such information must be updated on a frequent basis to
re?ect current levels.
Input 5: Tax Rates and Weights for Debt and Equity
Two additional inputs are needed to calculate the cost of
capital. Te ?rst is a tax rate to use in computing the after-
tax cost of borrowing:
After-tax cost of borrowing = Pre-tax cost of debt (1- tax rate)
Since interest expenses save taxes on last dollars of income,
the tax rate that should be used is a marginal tax rate. Te
best source for this rate is the tax code (and not the ?nancial
statements of the ?rm). To illustrate, the marginal tax rate
in the United States is a cumulative value, based on a 35
percent federal corporate tax rate plus various state and
local taxes. In 2010, the cumulative rate was estimated at
approximately 40 percent.
Te weights for computing the risk-adjusted cost of capital
should be market value weights, since the business has to
raise debt and equity in the market to fund its projects at
market rates. It also is worth noting that the risk-adjusted
discount rate for an individual project may be based on
target weights for the entire business, instead of a re?ection
of the actual funding mix for the project.
Calculating Risk-Adjusted Rates: A
Hypothetical Disney Theme Park in Rio
In this example, we conduct an analysis for a hypothetical
theme park that Te Walt Disney Company would build
in Rio De Janeiro, Brazil in early 2009. Table 4.4 estimates
expected cash ?ows from the theme park to the company,
based on projections of revenues, operating expenses and
taxes.
To calculate risk-adjusted discount rates, we follow these
steps:
1. Since the cash ?ows were estimated in dollars, the risk-
free rate is the U.S. treasury bond rate at the time, 3.5
percent.
Table 4.4: Expected Theme Park Cash Flows
0 1 2 3 4 5 6 7 8 9 10
Operating Income $0 -$50 -$150 -$84 $106 $315 $389 $467 $551 $641 $658
Taxes $0 -$19 -$57 -$32 $40 $120 $148 $178 $209 $244 $250
Operating Income after Taxes $0 -$31 -$93 -$52 $66 $196 $241 $290 $341 $397 $408
+Depreciation & Amortization $0 $50 $425 $469 $444 $372 $367 $364 $364 $366 $368
-Capital Expenditures $2,500 $1,000 $1,188 $752 $276 $258 $285 $314 $330 $347 $350
-Change in Working Capital $0 $0 $63 $25 $38 $31 $16 $17 $19 $21 $5
Cash ?ow to Firm -$2,500 -$981 -$918 -$360 $196 $279 $307 $323 $357 $395 $422
+Pre-Project Investment $500 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0
-Pre-project Depreciation $0 $19 $19 $19 $19 $19 $19 $19 $19 $19 $19
+Fixed G&A (1-t) $0 $0 $78 $109 $155 $194 $213 $234 $258 $284 $289
Incremental Cash ?ow to Firm -$2,000 -$1,000 -$859 -$270 $332 $454 $501 $538 $596 $660 $692
25 MEASURING VALUE: RISK-ADJUSTED VALUE
2. Te beta for the theme park business is 0.7829. Tis
was estimated by looking at publicly-traded theme park
companies.
3. Te risk premium was composed of two parts, a 6 percent
mature market premium (the premium used in 2009)
and an additional 3.9 percent risk premium for Brazil.
Country risk premium for Brazil = 3.95%
Cost of equity in US$= 3.5% + 0.7829 (6%+3.95%) =
11.29%
4. In early 2009, the company had a 6 percent pre-tax
cost of debt, based on its A rating, a 2.5 percent default
spread, and a 38 percent marginal tax rate:
After-tax cost of debt = (3.5% + 2.5%) (1-.38) = 3.72%
5. Te company uses a mix of 35.32 percent debt and 64.68
percent equity to fund its existing theme parks. Using
these inputs, we can estimate the cost of capital for the
hypothetical Rio project:
Cost of capital in US$ = 11.29% (0.6468) + 3.72%
(0.3532) = 8.62%
6. We discount the expected cash ?ows back at the 8.62
percent risk-adjusted discount rate to arrive at a value for
the theme park, net of costs, shown in Table 4.5.
Te risk-adjusted value for the Rio theme park is $2.877
billion.
Certainty Equivalents
In the certainty equivalent approach, we adjust the expected
cash ?ows for risk, rather than the discount rate, and use
the risk-free rate as the discount rate. Adjusting the risk of
expected cash ?ows is the most important aspect of this
approach. Tis adjustment can be calculated using several
methodologies, including:
• Compute certainty equivalents, using utility functions.
Tis is very di?cult to do and not worth exploring in
most cases.
• Subjectively estimate a “haircut”—decrease—to the
expected cash ?ows. Tis is arbitrary and can lead to
di?erent analysts making di?erent judgments of value,
based on their risk aversion.
• Convert expected cash fow to a certainty equivalent.
Tis approach is the most straightforward, but it requires
an estimate of the risk-adjusted cash ?ows as a ?rst step.
Once we have determined the risk-adjusted cash ?ows, we
can discount them at the risk-free rate.
Certainty Equivalent Value:
Rio Theme Park Example
To estimate the certainty equivalent cash ?ows, we used the
8.62 percent risk-adjusted discount rate that we obtained
for the company’s Rio project in conjunction with the 3.5
percent risk-free rate to adjust each cash ?ow. To illustrate,
the certainty equivalent for the $332 million expected cash
?ow in Year 4 can be computed as follows:
Certainty Equivalent for Year 4 = $332 =$274
Repeating this process with each cash ?ow yields the
certainty equivalent cash ?ows for each year. Discounting
all of the cash ?ows back at the risk-free rate of 3.5 percent
yields a risk-adjusted value for the theme park, as shown in
Table 4.6.
Table 4.5: Values for Hypothetical Rio Theme Park
Year Annual
Cash Flow
Terminal
Value
Present
Value
0 -$2,000 -$2,000
1 -$1,000 -$921
2 -$860 -$729
3 -$270 -$211
4 $332 $239
5 $453 $300
6 $502 $305
7 $538 $302
8 $596 $307
9 $660 $313
10 $692 $10,669 $4,970
Net Present Value $2,877
1.035
4
1.0862
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 26
Te risk-adjusted value for the theme park is $2,877 million,
identical to the value that we obtained with the risk-adjusted
discount rate approach.
Implications for Decision Makers
Any ?rm involved in risky activities has to make a good faith
e?ort to estimate the amount of risk exposure for every part
of the business, as well as how this exposure translates into
a risk-adjusted discount rate. Tus, di?erent components of
the same business, with di?erent risk exposures, can have
di?erent risk-adjusted rates. Tese rates can be used in
risk-adjusting value, either as discount rates for expected
cash ?ows, or as adjustment factors in deriving certainty
equivalents.
While managers might believe that that risk and return
models are ?awed or that the estimates used in the models
are incorrect, this skepticism cannot be viewed as a reason
for not estimating risk-adjusted discount rates or using
arbitrary numbers.
SECTION TASK: RISK-ADJUSTED VALUE
Risk-Adjusted Discount Rates
1. Does your ?rm have a hurdle rate for assessing investments?
If so, do you know (roughly) what it is right now?
2. Has this hurdle rate changed over time? Why?
3. Is there only one hurdle rate for all investments or do you
have di?erent hurdle rates for di?erent investments? If you
use di?erent hurdle rates for di?erent investments, what is
the reason?
Risk-Adjusted Cash Flows
Do you adjust your cash ?ows for risk?
If so, how are they adjusted for risk?
• “Haircut” cash fows on risky investments
• No established approach but it gets done by individual
decision-makers
• It happens and I have no idea how it happens
• Other (please describe)
Table 4.6: Risk-Adjusted Value for Hypothetical Rio
Theme Park (in millions of U.S. dollars)
Year Annual
Cash Flow
Terminal
Value
Certainty
Equivalent
Present
Value
0 -$2,000 -$2,000 -$2,000
1 -$1,000 -$953 -$921
2 -$860 -$780 -$729
3 -$270 -$234 -$211
4 $332 $274 $239
5 $453 $356 $300
6 $502 $375 $305
7 $538 $384 $302
8 $596 $405 $307
9 $660 $427 $313
10 $692 $10,669 $7,011 $4,970
Net Present Value $2,877
27 MANAGING RISK: ENTERPRISE APPROACHES
V. MANAGING RISK: ENTERPRISE APPROACHES
Risk Management and Enterprise Value
ERM (or Corporate Risk Management) is a strategic support
activity. It creates business value through an integrated
process of identi?cation, estimation, assessment, handling,
and controlling of risk.
Classical ?nance assumes market e?ciency when assessing
the value of the ?rm. It only focuses on the “beta” to
estimate the risk embedded in the company, as we saw in
the discussion of the CAPM. In contrast, ERM recognizes
the imperfection of markets, imperfect diversi?cation of
the investment portfolio, and bankruptcy costs. It allows
an enterprise to create value by managing risks. ERM
takes a much broader perspective on risk. It introduces a
way to think about the enterprise processes that involves a
proactive approach to management by directors, managers
and employees. Despite di?erences in view about the beta,
ERM techniques use discontinued cash ?ow valuations to
aid decision making on risk treatment.
Theme
In this section we link enterprise approaches, also known as ERM, with the more established,
classical risk-adjusted value approach covered in the previous section and explain how this new
approach can contribute to value creation. The section details the steps of a typical ERM process,
with speci?c directions on how to apply these techniques.
Enterprise Risk Management (ERM)
“A comprehensive and integrated framework for managing
credit risk, market risk, operational risk and economic capital
and risk transfer in order to maximize ?rm value” (Lam
2003)
“Dealing with uncertainty for the organization.” (Monhanan
2008)
“RM is the identi?cation, assessment, and handling of risks
enacted through (coordinated) corporate actions to monitor,
control, and minimize the adverse effect of unfortunate
events or maximize the realization of opportunities.”
(Andersen 2010)
“Risk management is a central part of any organization’s
strategic management. It is the process whereby
organizations methodically address the risks attaching to
their activities with the goal of achieving sustained bene?t
within each activity and across the portfolio of all activities.”
AIRMIC 2010 (Risk Management Standard)
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 28
Te corporate decisions targeted by ERM analysts are all
relevant in terms of value generation. ERM is an active
approach to risk governance that leads to better investments
(maximization of cash ?ow generated by investments)
and aims to reduce the cost of capital. In doing so it helps
maximize the company value.
As with the de?nition of risk there is no universal agreement
on the process to be followed in the implementation of
ERM. For the purposes of this section we use the AIRMIC
3
approach as a starting point and add a few re?nements of our
own. Others may wish to use frameworks such as COSO.
4
Regardless of the approach taken, whether AIRMIC, COSO
or another emerging standard, a good risk management
process must help the enterprise to:
• Defne risks acceptable to the enterprise as a whole—risk
policy
• Develop a list of actual and potential risks
• Assess both likelihood and consequences (impact) of the
previously identi?ed risks
• Build a value-based model that can estimate the impact
of risks on ?rm value through impacts on cash ?ows
and/or cost of capital
• Determine risks the company should retain, transfer, or
avoid
Te process certi?ed by AIRMIC requires the analysis to be
carried out in four sequential stages:
1. Identi?cation of risk management and enterprise
objectives
2. Risk assessment
3. Risk treatment
4. Risk monitoring
Corporate Finance and ERM Objectives Converge
SHAREHOLDER VALUE MAXIMIZATION
ACTIVE RM AIMS TO MAXIMIZE SHAREHOLDERS’ VALUE
Value of asset=
T
t=0
?
CF
t
(1+r)
t
MAXIMIZE EXPECTED
CASH FLOWS through
ACTIVE RM to generate
incremental positive cash
?ow, mainly through
tax optimization and
smoothing of earnings
MINIMIZE RISKS
through ACTIVE
RM ? lowering
cost of capital
and default risk
? default spread
The AIRMIC Enterprise Risk Management Process
Source: AIRMIC
The Organization’s
Strategic Objectives
Risk Analysis
Risk Identi?cation
Risk Description
Risk Estimation
Risk Evaluation
Formal
Audit
Risk Reporting
Threats and Opportunities
3
Association of Insurance and Risk Managers.http://www. airmic.com
4
Committee of Sponsoring Organizations of the Treadway Commission
Risk Assessment
Decision
Risk Treatment
Residual Risk Reporting
Monitoring
M
o
d
i
?
c
a
t
i
o
n
29 MANAGING RISK: ENTERPRISE APPROACHES
STEP 1: Identi?cation of Risk and Enterprise
Management Objectives
Tis is primarily a managerial phase. It begins with
determining the enterprise’s approach to risks, including
planning for the resources made available for risk
management and selecting the general criteria for treating
risks. Te enterprise selects a risk strategy compatible with
the degree of risk aversion that prevails. Te directors and
managers de?ne strategic objectives and operational goals
compatible with the risk aversion of the shareholders who
are looking to maximize enterprise value. In this context,
all ERM decisions should be made after responding to this
simple question: “What impact do top managers’ decisions
(hedging or retention action) have on the value of the
enterprise for its shareholders?”
STEP 2: Risk Assessment
Te second, largely technical, phase of the ERM process is
divided into two sub-phases:
• Risk analysis
• Risk evaluation
Te risk analysis consists of risk identi?cation and
estimation. In the identi?cation of enterprise risks we
must identify the potential sources of negative events that
are capable of compromising achievement of strategic and
operational objectives. Due to the potential losses that might
arise, the emphasis will be on identifying downside risk, but
the process should also elicit the upside risk and its bene?cial
e?ects on enterprise performance.
The Risk Management Process
1
Setting ?rm’s risk
management goals
and implementation
on the CG structure
2
Risk assessment
3
Risk treatment
4
Risk monitoring
2A. Risk Analysis 2B. Risk Evaluation
Risk Identi?cation/Description Risk Estimation
RISK TAKING: A CORPORATE GOVERNANCE PERSPECTIVE 30
Useful qualitative analytical tools for risk identi?cation
include brainstorming, questionnaires and risk assessment
workshops. Additional tools include review of publicly
available documents for industry benchmarks, as well
as investigation of previous incidents and auditing and
inspection documents. Business studies focused on internal
and external procedures and scenario analysis also can be
useful in gaining a better understanding of the potential risk
factors.
Once the risks are identi?ed, they need to be described. In this
second part of the identi?cation phase, the ERM team creates
risk maps in which the failure events are described using the
following characteristics:
• Name
• Qualitative description of risk
• Principal up/downside scenarios
• Probability of occurrence
• Identity of person in charge of managing identifed risks
• Measurement techniques to monitor identifed risks
• Preliminary evaluation of the economic impact of the
scenarios presented
Risk Identi?cation: De?nition and Tools
Risk identi?cation sets out to identify an organization’s
exposure to uncertainty.
Risk identi?cation requires intimate knowledge of the ?rm,
the market in which it operates, the legal, social, political,
and cultural environment, and sound understanding of its
strategic and operational objectives, including factors critical
to its success and the threats and opportunities related to
achieving of its objectives.
AVAILABLE TECHNIQUES INCLUDE:
• Brainstorming
• Questionnaires
• Business studies on business processes describing
both the internal processes and external factor
determinants
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)
Emerging Market Participants Example: Major Risks (Risk identi?cation contributed by workshop participants)
Nigeria
Government policy changes
Physical security
Exchange rate ?uctuations
IT breakdown
Electrical power ?uctuations
Customer receivables
Receivables from state
Theft
Vietnam
In?ation
Foreign exchange changes
Regulatory changes
Flooding
Operational disruptions
India
Regulatory changes
Tax rates
Project failure
Unions
Environmental issues
Access to resources
Corruption
Nepal
Rebel insurgency
Political instability
Electrical power ?uctuations
Skilled labor
Zambia
Electrical power ?uctuations
Copper price changes
IT Failures
Flooding
Regulatory changes
Competition
Reputation
Uzbekistan
Earthquakes
Regional political instability
Regulatory changes
Cotton price changes
Gold prices
Political restrictions
31 MANAGING RISK: ENTERPRISE APPROACHES
Such a risk map is more detailed than the risk pro?le. However,
it should be noted that there is no single best practice for
mapping risks. Many ?rms can simply list risks related strategic
and operational objectives as part of a risk pro?le.
Risk Estimation
Once the risk map is known, the enterprise must quantify
the probability of the event as well as its impact on cash
?ows, estimating expected and unexpected losses and/or
upsides. Based on the nature of tools used, the estimation
methods are divided into three main groups:
• Purely qualitative estimates
• Semi-quantitative estimates
• Purely quantitative estimates
Purely Qualitative Estimates
Qualitative methods use descriptive words or scales of value
to illustrate the impact and the probabilities of an event.
Among the various methods used for qualitative estimates,
the Probability-Impact Matrix is among the most common.
Using the P-I Matrix for risk management involves creating
a matrix in which risks are identi?ed and classifying the
identi?ed risks.
Creating a P-I Matrix requires de?ning the following:
• A qualitative scale that indicates the probability of the
occurrence of a given event. Generally, these observations
are grouped into ?ve probability classes: almost certain,
very frequent, moderate, improbable, and rare.
• A qualitative scale representing the impact, that is, the
possible economic consequences from the occurrence
of the event. Generally, there are ?ve impact classes:
insigni?cant, low, moderate, severe, and catastrophic.
• A qualitative scale that assigns a risk rating to every
combination of elements (probability-impact). Tis can take
on four di?erent values: extreme, high, moderate, and low.
• Appropriate criteria for a risk rating assessment.
In Table 5.1, we provide an example of a P-I Matrix.
The Estimation Phase
Risk estimation can be quantitative, semi-quantitative or
qualitative in terms of the probability of occurrence and the
possible consequence.
• Qualitative methods: Probabilities and consequences
of events (catastrophic to insigni?cant) are estimated
according to qualitative scaling (analysts’ bias).
• Semi-quantitative methods: Qualitative scaling is
weigthed and transformed into a quantitive scale and a
P-I risk synthetic score is computed.
• Quantitive methods: Risk is estimated through
quantitive methods as such Scenario Analysis, Decision
Tree, Monte Carlo Simulation or according to the Value-
at-Risk Models. These methods rely on causal distribution
estimation (subjective and/or objective methods).
Table 5.1: Probability-Impact Matrix Structure
Probability Impact
Insigni?cant Low Moderate Severe Catastrophic
Almost certain (>50%) High High Extreme Extreme Extreme
Very frequent (20%–50%) Moderate High High Extreme Extreme
Moderate (5%–20%) Low Moderate High Extreme Extreme
Improbable (1%–5%) Low Low Moderate High Extreme
Rare (5000
High 5000 500
Moderate 500 50
Low