Establishing a financial risk management function within any organization can be a daunting task. It can be even more difficult for the CFO at a smaller organization who is often times responsible for a multitude of functions with limited resources.  The first step, knowing where to begin, is often the most challenging.  Whatever the approach, the end result should be to ensure that the program is effective and meaningful to the organization.

At a fundamental level, risk management is the process by which the company defines the level of risk it is willing to take, the measurement of the amount of risk being taken and actions to align the latter with the former with the goal of maximizing shareholder value.  Fortunately, corporate risk management has matured significantly over the past two decades making tools for quantifying risk exposures more accessible than ever.  While these tools are useful for determining how risk is to be measured, judgement still needs to be made on what risks to measure and why to manage them.

To help formulate the “what” and the “why,” it is important to establish goals.  What does the company want to accomplish with its risk management program?  Given that a company’s objective is to generate profits by seeking risk, decisions have to be made about which risks to take and which to mitigate in that pursuit. A company may choose to mitigate risks not intentionally taken to generate profit and arise as a consequence of business activity conducted. For example, many firms are exposed to fluctuations in foreign exchange rates resulting from purchases or sales of core products sold. Because the company isn’t seeking exposure to foreign currencies to generate profit, it may choose to dampen the effect of exchange rate fluctuations on income by employing derivatives transactions. Before such decisions are made, however, management needs to be clear on what value is being created.  In other words, how is the reduction of earnings variability going to increase the value for shareholders of the company? At a high level, management should be defining strategies to allocate risk to activities in order to meet strategic goals set by the Board of Directors.

Once a goal has been established, the next step is to determine what risks the company faces and how big they could be.  In order to assess the magnitude of risk, tools need to be employed to quantify risk exposures.  . Over the decades, there have been several statistical measures developed and implemented to quantify the impact the change in financial price will have on the value of an asset, liability or portfolio.  Perhaps more important to non-financial corporations are the impacts to earnings or cash flows.  The most important thing to keep in mind is that there is no single measure that will satisfy all requirements when assessing risk.

Beyond the goal of why the risk management program exists, an overall process needs to be incorporated to inform specific plans of action.  For example, though some firms have gravitated toward an integrated approach to risk management, whereby risks are evaluated on a portfolio basis, many firms continue to evaluate risks at a transactional level.  The choice between the two approaches philosophy the company has regarding the trade-off between safety of capital and risk tolerance in the pursuit of commercial objectives.  Taking this one step further, the approach to risk management the company employs may be the firm instead of existing as a separate function. As an example, a firm with revenue or expense exposures to price variations originating from financial markets may choose to alter operations based on the impact on earnings or cash flows.  This sort of strategic analysis can help turn risk management into a valuable tool to improve performance by highlighting which activities are adding value and which are not.

If the decision has been made to manage risks, the plan of action will dictate where to start, how to go about it and what resources to use accordingly.  .  A common practice when hedging naturally is to match currencies of revenues and costs.  Finally, the frequency of hedging to manage risk should be evaluated through the prism of benefit and cost and will partly depend on how efficient the market is for the risk being managed.  In practice, different markets and instruments are used to manage various financial risks requiring that funding, legal regulatory concerns be considered.

As can be seen, there are a myriad of decisions that management must make when implementing a risk management program.  As mentioned earlier, the goals that drive the decisions and strategies are set by the Board along with the company’s tolerance of risk in pursuit of those goals.  Actions cannot occur in an unconstrained fashion, there must be a foundation that directs activities to align with the overall goals of the company.  This foundation is often referred to as risk governance and emanates from the Board of Directors as part of its fiduciary responsibilities.

In fulfilling its duty to the shareholders, members of boards of directors have four key responsibilities with regard to risk management.  First, the Board should be responsible for approving the risk management policies and controls which serve as the formal mechanism of processes and limits when bring risk consumption and tolerance into alignment.  Second, members need to ensure that capabilities exist within the organization to adequately monitor, manage and report risks.  Members themselves don’t need to understand the mechanics of each exposure or the quantitative underpinnings of risk models but make sure that management has the adequate skills to implement board policy decisions.  Third, Board members need to evaluate the performance of risk management activities.  Leaving aside the actual tools of measures to be used, evaluation is critical in determining whether activities undertaken to manage risks are consistent with the goals set.  For example, if the goal of the risk management program is to reduce variance of cash flows, the Board should evaluate if hedging activities are reducing cash flow variance and to what extent the value of the company has improved as a result.  Finally, the Board should maintain oversight of risk since it’s ultimately accountable for risk assumed by the company.  Oversight is achieved, in part, by making sure that the company’s risk management policy is fully explained and strictly enforced.  Often times, this function is delegated to a board committee (e.g. audit committee) which is accountable to the full board.

In summary, implementing an effective risk management program no longer needs to be overwhelming.  Asking fundamental questions can go a long way to reducing anxiety for the CFO of a small organization and putting them on the path for being able to make smarter risk-based decisions.

______

Author Bio:

Sunil Dalal has over 20 years of experience in trading and risk management primarily in the energy space. He has worked in and provided consultation to several organizations including banks, brokerages, hedge funds, private equity and corporates on the design and implementation of risk management functions. He also holds CFA Charterholder, CAIA Charterholder, FRM and CIPM designations. In addition to his professional accreditations, Sunil holds a B.A. degree in computational economics from the University of Texas at Austin.

If you want to know more about Sunil’s background please see his LinkedIn Profile here