
Fig. 5.4. The Risk Jigsaw (adapted from www.erisk.com/Learning/RiskJigsaw.asp)

The model (Lam, 1999), which was developed based around the financial industry, is nevertheless appropriate for all industries and is particularly relevant to electronically enabling a business. The model defines five main areas of risk for a business:

1. ERM or enterprise risk management. This is an approach to fully integrating risk management into the way a company conducts its business. It involves assessing, measuring and managing the different types of risk to which an organization is exposed.

Depending on which component of an agri-industry supply chain is involved, the relative importance of the various risks associated with agricultural production and consequent agri-industry supply chain management will be important.

2. Operational risk. This is the risk of loss due to physical catastrophe (e.g. drought), technical failure and/or human error in the operations of a firm. It also includes the risk of loss due to fraud, failure of management and process error (see Chapter 9 in relation to eGovernance).

3. Market risk. This is the risk to the company’s financial position from changes in market factors such as interest rates, foreign currency value and/or prices of commodities and equities.

4. Credit risk. This is the risk that a party might become unable, or less likely, to fulfill its contractual obligations. This is a constant risk for agribusinesses – particularly those involved in export.

5. Business risk. This is the risk that a change in the variables of a business plan will destroy the plan’s viability. It includes quantifiable risks such as the demand forecast risk and the unquantifiable risks such as innovation by competitors and technology developments.

Within these five main areas the risk drivers can be further split into: strategic, operational, stakeholder, financial and intangible (see Table 5.1). Associated with these five main drivers are the in-house capabilities of managing the risks that are listed – and it is essential that all types of risk are assessed, planned for and managed when running a business.

Table 5.1. Main risk drivers within a business

Risk driver: Strategic | Operational | Stakeholder | Financial | Intangible

Risks:

Competitors | Processes | Partners | Accounting | Knowledge
Resource allocation | Physical assets | Suppliers | Credit | Intellectual property
Programme/project management | Technology and infrastructure | Customers | Cash management | Information systems
Governance | Legal issues | Management | Marketing | Databases
Brand/Reputation | Human resources | Employees | Taxes | Information for decision making
Partnerships/JVs | Environmental hazards | Government | Regulatory compliance |
Macro trends | | Community | |

Strategic planning Organizational structure

Risk Management

Risk management, in a business context, is about reducing the cost of risk, which includes the cost of managing risk. Risk management strategies ask the question, Is the risk appropriate for the return? It is important to note that risk management would not help the individual intent on jumping without a parachute in the example above! (i.e. recognition of the risk is necessary for effective risk management).

Risk management is an intricate process that combines market and external influences, asset performance capability and acceptable levels of risk to determine optimum direction (Fig. 5.5). The inputs to the process are highly dynamic and business processes and models need to be flexible enough to respond to changing conditions.

Fig. 5.5. A diagrammatic illustration of the inputs to a risk management scenario

No business is risk-free, and risk management will not eliminate all risks. Risk management is about the 3Rs: Returns, Risks and Ruin.

Returns. People want a higher return on their investment in exchange for taking a greater risk. The best risk management strategy to implement is therefore to understand and know as well as is possible the chances of the possible outcomes.

Risks. Here, the best risk management strategy is not to risk more than can be afforded.

Ruin. By the time you arrive at this point, which is the result of losing more than can be afforded, risk management is essentially a thing of the past. The lessons learned will hopefully enable you to take greater account of risks and risk management in the future.

The 3Rs in practical terms can be reduced to understanding what the risks are, why they are risks and how they can be avoided or minimized. Table 5.2 outlines these basic points in a One-Minute Risk Management Strategy.

Table 5.2. The One-Minute Risk Management Strategy (Source: Mehr and Hedges, 1963, Risk Management in the Business Enterprise, Irwin Press)

One-Minute Risk Management Strategy

WHAT | Assuring financial solvency against possible risk at lowest cost
WHY | To ensure the continuing profitability and viability of the organization
HOW | Understanding financial statements provides the foundation on which a sound risk management plan can be devised and appropriate risk management tools employed
GUIDING RULES | • Don’t risk more than you can afford to lose • Don’t risk a lot for a little • Understand the likelihood and severity of possible losses

Functional Activities of Risk Management

There are a number of functional activities associated with risk management – identification of risks, analysis of risks, planning associated with management of risks identified, tracking of risks, controlling risks and communication of risks and management strategies. These are defined in more detail in Table 5.3, and should occur continuously and simultaneously as depicted in Figure 5.6.

Table 5.3. A description of the functional activities of risk management

Function | Description
Identify | Search for and locate risks before they become problems
Analyse | Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks and prioritize risks
Plan | Translate risk information into decisions and mitigating actions (both present and future) and implement those actions
Track | Monitor risk indicators and mitigation actions
Control | Correct for deviations from the risk mitigation plans
Communicate | Provide information and feedback internal and external to the project on the risk activities, current risks and emerging risks.

Note: Communication happens throughout all the functions of risk management

Fig. 5.6. The functional activities associated with risk management

Risk Evaluation

A number of distinct factors help firms to evaluate a particular risk. These factors, which are defined below, include: exposure, volatility, probability, severity and the time horizon involved (Davis, 2004). It’s the interaction of these factors with two other notions – capital and correlation – that determines the effect of a specific risk on a specific company (Lam, 2000).

Exposure is the maximum amount of damage that will be suffered if some event occurs.

All other things being equal, the risk associated with that event increases as the exposure increases. For example, a lender is exposed to the risk that a borrower will default.

Exposure can be controlled in a number of ways: for example, it might be reduced by transferring the risk to another company (such as an insurer), financed (cushioned by capital) or simply retained.

Volatility loosely means the variability of potential outcomes and is a good alternative to the word ‘risk’ in many of its applications. This is particularly true for risks that are predominantly dependent on market factors, such as options pricing. Generally, the greater the volatility, the higher the risk. For example, the number of loans that turn bad is proportionately higher, on average, in the credit card business than in commercial real estate. Nonetheless, it is real estate lending that is widely considered to be riskier, because the loss rate is much more volatile – and therefore harder to cost and manage.

Probability – how likely is it that some risky event will actually occur? The more likely the event is to occur, the higher the probability and thus the greater the risk. The assignment of probabilities to potential outcomes has been a major contribution to the science of risk management. Certain events, such as interest rate movements or credit card defaults, are so likely that they need to be planned for as a matter of course and mitigation strategies should be an integral part of the business’s regular operations. Others, such as a fire at a computer centre, are highly improbable, but can have a devastating impact.

Severity – How bad might it get? Whereas exposure is typically defined in terms of the worst that could possibly happen, severity is the amount of damage that is, in some defined sense, likely to be suffered. Essentially, the greater the severity, the higher the risk. Severity is the partner to probability: if we know how likely an event is to happen, and how much we are likely to suffer as a consequence, we have a pretty good idea of the risk we are running. But severity is often a function of our other risk factors, such as volatility – the higher a price might go, the more a company might lose.

Time horizon – a measure of how long you are exposed to a risk and how long it takes to reverse the effects of a decision or event. In other words the longer the duration of an exposure, the higher the risk. For example, extending a ten-year loan to the same borrower has a much greater probability of default than a one-year loan. Hiring the same technology company for a five-year outsourcing contract is much riskier than a six-month consulting project – though not necessarily ten times as risky. The key issue for financial risk exposures is the liquidity of the positions affected by the decision or event. Positions in highly liquid instruments, such as government bonds, can usually be eliminated in a short period of time, while positions in, say, real estate, are illiquid and take much longer to sell down.

Risk Management Strategy

A proactive risk management approach from a business perspective should, in essence, be similar to an internal ‘due diligence’ audit which refers to an audit of the operations, solvency, and trustworthiness of a particular firm (Concise Finance Encyclopedia, 2004). The term due diligence itself refers to the care a reasonable person should take before entering into an agreement or transaction with another party (Investopedia, 2005).

A risk management approach based around due diligence is thus the process of examining the financial underpinnings of a business with the goal of understanding the risks associated with a deal such as a pending merger, equity investment or large-scale IT purchase. In a due diligence situation, issues that could be reviewed include corporate capitalization, material agreements, litigation history, public filings, intellectual property and IT systems. A risk management approach should therefore address the following areas:

• A comprehensive and regularly updated assessment of the drivers of risk impacting the business strategy, for example:

  ◦ Financials – ensure their accuracy

  ◦ Assets – confirm their value and condition

  ◦ Employees – evaluate each of them

  ◦ Sales – what’s working, what’s not and how to improve

  ◦ Market and marketing – what is driving the business? How can you improve it?

  ◦ Industry in which it operates – understand trends and new technologies

  ◦ Competition – what are they doing? Will you be able to compete and how?

  ◦ Systems – are they effective and secure?

  ◦ Legal and corporate issues – minimize potential for costly surprises

  ◦ Company contracts and leases – are they in order? Confirm obligations

  ◦ Suppliers – will they continue to do business? Are there any hidden agendas or exposure?

• The creation of policies and procedures for managing each driver of risk in the business

• A risk assessment platform for creating transparency throughout the organization’s investment portfolio, especially in export activities

• An integrated and focused due diligence and internal audit program designed to treat risk as an opportunity

• The establishment of an early warning reporting framework to identify issues before they become problems.

Figure 5.7 illustrates the risk management approach discussed in the text as a framework linking leadership, people, risk drivers, management and outcomes.

Fig. 5.7. A risk management approach based on a due diligence philosophy (adapted from the European Framework of Quality Management – www.efqm.org)

Most organizations can handle identification and analysis of their risks – the problems arise in planning how to respond to them. There are seven principles which provide a good planning framework for effective risk management (Hillson, 1999):

1. A global perspective. It is necessary to recognize both the potential value of opportunity and the potential impact of adverse effects.

2. A forward-looking view. This enables the identification of uncertainties, allows anticipation of potential outcomes and management of resources and activities while anticipating uncertainties.

3. Open communications. It is important to encourage free-flowing information at and between all business levels; to enable formal, informal, and impromptu communication; to use processes that value the individual voice, thus bringing unique knowledge and insight to identifying and managing risk.

4. Integrated management. This approach makes risk management an integral and vital part of the business’s management strategy and involves adapting risk management methods and tools to the business’s infrastructure and culture.

5. Continuous process. This means identifying and managing risks routinely.

6. Shared product vision. There should be a mutual business vision based on common purpose, shared ownership, and collective communication while focusing on results.

7. Teamwork. Pooling talents, skills, and knowledge while working cooperatively to achieve common goals is the best way to achieve a solid risk assessment and management situation.

If the risk response is to be effective, Hillson (1999) indicates that the responses must be:

Appropriate. The correct level of response must be determined, based on the ‘size’ of the risk. This ranges from a crisis response where the project cannot proceed without the risk being addressed, through to a ‘do nothing’ response for minor risks.

Affordable. The cost-effectiveness of responses must be determined, so that the amount of time, effort and money spent on addressing the risk does not exceed the available budget or the degree of risk exposure. Each risk response should have an agreed budget.

Timely. An action window should be determined within which responses need to be completed in order to address the risk. Some risks require immediate action, while others can be safely left until later.

Achievable. There is no point in describing responses which are not realistically achievable or feasible, either technically or within the scope of the respondent’s capability and responsibility.

Effective. All proposed responses must work! This is best determined by making a ‘post-response risk assessment’ of the size of the risk assuming effective implementation of the response.

Agreed. The consensus and commitment of stakeholders should be obtained before agreeing on responses.

Owned. Each response should be owned and accepted to ensure a single point of responsibility and accountability.

A good example of a company in the agribusiness world that has addressed these issues is Withcott Seedlings – see Byte Idea this chapter.