The report, authored by Kevin Buehler, Andrew Freeman, and Ron Hulme, shows there is a current movement occurring in the corporate approach to risk management that stems from changes in business in the 1970s. The first of these changes occurred when companies’ focus shifted from owning the most profitable or fastest-growing businesses to owning those in which they had a competitive advantage. The second change was the development of models that were able to put a value on risk transfer, changing how companies could buy, sell, and understand risk. These concepts have allowed the evolution of the current corporate approach to risk management in which companies are able to identify and focus on risks for which they have a competitive advantage using their knowledge of the value of different risks. The authors state that managing a company’s risk portfolio in this manner can make it possible for a company to generate higher returns on their equity and use capital far more efficiently.

This approach to corporate risk management involves a five-step process that forms a dynamic cycle, as the cycle begins anew with recognized changes in risk profiles. The five-step process should begin at the enterprise level but is also applicable within business units. A corporation cited in the article for embracing this process is TXU Corporation, an electric utility in northern Texas. TXU applied this process by embracing risks for which it was competitively advantaged, actively mitigating all other risks, and dynamically managing risk capacity. Over a period of about three years, TXU realized an increase of more than $32 billion in equity value and estimated that its risk-return restructuring process contributed about 75% of that value.

Step 1: Identify and Understand Your Major Risks

First, a company must identify its risks and gain some understanding of how those risks might work for or against it. In identifying risks, it is important to focus on the handful of key risks in a company. The authors state that, for most companies, there are four to six key risks that typically account for the majority of cash-flow volatility. These risks often include demand risk, commodity risk, country risk, operational risk, and foreign-exchange risk.

It is also essential to understand key risks and consider the full range of outcomes and probabilities of those outcomes in order to ascertain a company’s vulnerability to different risks. This includes analyzing those extreme events that, while rare, could have major impacts. It also involves considering how risk exposures could change as a company evolves and identifying risks that can be reassigned within a company rather than transferred to external markets.

Step 2: Decide Which Risks Are Natural

Assessing which risks are naturally owned by a company provides a clear risk strategy. If a company has a natural advantage for a given risk, it should retain that risk and possibly even acquire more, because it can create superior returns. However, risks for which a company does not have an advantage should be mitigated if there are reasonably efficient risk-transfer markets or transferred if those markets are not available.

Step 3: Determine Your Capacity and Appetite for Risk

Next, it is important to quantify operating-cash-flow risk by running a Monte Carlo simulation using risk probability distributions established during the process of identifying and understanding major risks. This helps determine where a company fits on the risk exposure distribution and identifies whether a company is overexposed to risk or overinsured against risk. Most companies will be at one of these two extremes without strong risk-analysis processes. If a company is overexposed to risk, there are some scenarios where it may have a cash shortfall. In contrast, if a company is overinsured against risk, it is not likely to have a shortfall of cash but will probably fail to use its capital efficiently to maximize returns.

Many companies will also want to manage their risk capacity for other types of enterprise risk such as overall equity value at risk or earnings at risk. In all of these analyses of risk capacity, linking that capacity to a company’s appetite for risk will aid in a better understanding of the company’s overall position.

Step 4: Embed Risk in All Decisions and Processes

Risk management should be embedded in a company’s operations and be a part of the culture and mind-set of the company. For this to happen, the relevance of risk-return management decisions and processes must be clear. There are four decision areas that benefit considerably from risk-informed approaches. The first area is investment decisions, where probability-based approaches help companies assess multiple scenarios and their likelihood of occurrence in making decisions. The second area is in commercial decisions, such as industrial purchasing and pricing decisions, where it can be helpful to use risk-book concepts to separate complex risks into buckets to more effectively match and measure exposure. The third area that can benefit is in financial decisions where it is useful to view these decisions in the context of enterprise cash-flow and value trade-offs. The fourth main area that benefits from this approach is operational decisions. Here, decisions involve significant risk-return trade-offs that benefit from an enterprise-risk perspective considering the entire probability distribution instead of a base, high, and low scenario.

Ideally, decisions would be made considering a firm’s overall level of risk to maintain an optimum risk exposure but there should at least be a strong risk culture informing decisions at all levels. This culture should include incentive systems encouraging individuals to value the whole enterprise and make decisions based on real long-term economic outcomes. An enterprise-wide approach requires a strong education and time commitment but tends to have a lasting positive impact on company performance.

Step 5: Align Governance and Organization around Risk

For an enterprise-wide risk management effort to be successful, it is important to have a clear risk-governance structure with commitment from a company’s board and management. This strategic risk management requires a company to be aligned from top to bottom with a common understanding of the company’s key risks and overall level of exposure. According to the authors, the most effective risk-governance structure is often centralized, with a powerful chief risk officer who reports to the CEO and board. Companies with this structure are often able to manage volatile risks that require close attention and to embrace risks for the opportunities they create.