Professional Documents
Culture Documents
2 Making Risk Management A Valueadding Function in The Boardroom PDF
2 Making Risk Management A Valueadding Function in The Boardroom PDF
McKINSEY WORKING
PAPERS ON RISK
Confidential Working Paper. No part may be circulated, quoted, or reproduced for distribution
without prior written approval from McKinsey & Company.
11
McKinsey Working Papers on Risk is a new series presenting McKinsey's best current thinking
on risk and risk management. The papers represent a broad range of views, both sector-specific
cross-cutting, and are intended to encourage discussion internally and externally. Working
and
papers may be republished through other internal or external channels. Please address
correspondence
to the managing editor, Andrew Freeman, andrew_freeman@mckinsey.com
Introduction
During the past decade, unforeseen risk combined with either poor or good risk management
often had more impact on corporate performance than superior strategy or outstanding
execution. Some companies proved unlucky. Continental Airlines, for example, had
completed a remarkable turnaround and was enjoying considerable profitability when surging
fuel costs drove it back into the red. Southwest Airlines, in contrast, having hedged its fuel
prices all the way to 2009, was able to remain profitable in 2005.1 And still other companies
hit the jackpot. Lakshmi Mittal is now one of the worlds richest men, mainly because Mittal
Steel had rolled up marginal assets just before a dramatic increase in steel prices.
Taking risks is a part of being in business. Although the outcome of key uncertainties is often
dictated by luck, the impact of these outcomes is not. Good risk management can help
mitigate the impact of negative outcomes and help companies take advantage of positive
ones.
Todays board directors are well aware of the importance of managing risks explicitly,
especially as the meanings of good faith and reasonable care are continuing to evolve. It is
thus reassuring that boards appear increasingly confident about their abilities to handle risk
(Exhibit 1). It is the rare director who admits to not knowing whats going on with respect to
risk an admission not uncommon just 5 years ago. In fact, a recent survey indicated that
only 1 percent of directors report not having a process to identify, safeguard, and plan for key
risks compared in 2002 to 19 percent.2
Clearly, U.S. boards have come a long way in improving their approaches to enterprise risk
management (ERM). However, the concept of ERM as an offensive discipline a function
that can maximize enterprise value when fully leveraged is only starting to emerge. At many
companies, much remains to be done before ERM can deliver its full value-adding potential.
Based on McKinsey & Companys research and experience in enterprise risk management
and governance, we believe that many boards are operating with a false sense of security.
For these board members, ERM is still primarily about complying with new regulatory
standards, many of which they consider overly bureaucratic (e.g., Sarbanes-Oxley).
This working paper first examines the ERM landscape: current shortfalls, potential benefits,
and approaches. To the growing body of common wisdom about ERM, it then adds eight
recommendations designed to help boards understand, monitor, and manage risk more
effectively.
For example, analysts estimate that in 2005 Southwest had 85 percent of its fuel price hedged at $26
a barrel; at that time, Continentals cost per barrel had risen to well above $50.
This white paper summarizes viewpoints from McKinsey & Companys enterprise risk management
and governance work with leading companies, and from a joint research project with The Conference
Board: The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management (The
Conference Board, New York, 2006). Cited here are responses to McKinseys survey for Director
Magazine (2002), as well as interviews with 30 board members and a written survey of directors (127
respondents) conducted by McKinsey in conjunction with The Conference Board and KPMGs Audit
Committee Institute from October 2005 to February 2006.
EXHIBIT 1
Exhibit
Exhibit
1
36
-44%
-69%
24
11
2002
2006
2002
2006
Close to 30 percent of directors interviewed express concerns about their fellow directors
understanding of key risks, though directors in the bank and insurance sectors report less
variation in risk knowledge than their peers in nonfinancial industries.
Directors we talked to at nonfinancial firms report significant variations in practices across
industries and believe significant opportunities still exist to learn from best practices. Nearly 75
percent of directors who sit on multiple boards report significant variations in ERM capabilities
across firms and industries. Again, banks and insurance companies in general earn high
marks for being at a more advanced stage of ERM development understandably so in light
of regulatory constraints and the complexity of their products.
This section is based on the legal analysis portions of The Conference Boards 2006 report, The Role
of the U.S. Corporate Board of Directors in Enterprise Risk Management, and is provided with the
permission of The Conference Board.
In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del Ch. Sept. 25, 1996).
See 2004 Federal Sentencing Guideline Manual, Chapter Eight (Sentencing of Organizations),
Amendment 673 (Supplement to Appendix C), at http://www.ussc.gov/2004guid/tabconchapt8.htm.
activities aimed solely at safeguarding enterprise value. At their companies, ERM is driven by
staff functions and ends up having little impact on their value-creation agendas. This picture is
changing, however, and 39 percent of our surveyed directors now recognizing ERM as a core
strategic function.
EXHIBIT
Exhibit
2 2
The SHIFT
shift to
strategic
ERMERM
THE
TO
STRATEGIC
From
to
Compliance-focused
Extensive risk mapping
Value-focused
Focusing on few key risks driving
disproportionate gains/losses
Risk mitigation
Disconnected from strategic
and operational decisions
Risk optimization
Core to strategic and operational
decisions
Boards leading this evolution consider ERM central to managing risk/return trade-offs, one of
senior managements highest-value activities (Exhibit 2). Their ERM typically addresses
questions such as:
How much should we invest, and how should we invest, to minimize value losses from
extreme risk events (i.e., high-impact/low-probability ones that could destroy business)?
What level of cash-flow volatility would maximize enterprise value? In other words, how
much exposure do we want to unanticipated changes in the business environment that may
improve or deteriorate business performance?
What is the optimal risk/return profile for the company, and how does that translate into
business scope and set-up?
Exhibit 3
Many directors
believe
the THE
full board
should oversee risk management
MANY
DIRECTORS
BELIEVE
FULL BOARD
SHOULD OVERSEE RISK MANAGEMENT
Who on the board is responsible
for risk oversight?
Responsibility
shared
between
20
board and
committee
Not a board
responsibility
Undecided
44
Only a
committee
responsibility
29
50
There should
be a separate
risk committee
32
Full board
responsibility
Prefer not to
have a
separate risk
committee
21
When asked formally where risk management actually resides in the board, for example, 66
percent of the respondents said they assign risk strictly to the audit committee. Furthermore,
even though most directors say risk discussions take place in virtually every board meeting
and executive session, ERM or risk management is rarely listed as an agenda item.
This ambiguity stems partially from different working definitions of risk. Our follow-on
interviews made clear that most board members consider compliance-related risk within the
audit committees domain, and business risk (in the broader sense) among the full boards
responsibilities. The danger in this ambiguity of definitions is that it may lead some boards to
shirk their duties and give their audit committees more risk responsibility than is appropriate.
We are also hearing considerable debate about unburdening audit committees inundated by
Sarbanes-Oxley and creating separate risk committees. But is having a separate committee
the right answer? Well, . . . that depends.
For financial institutions whose business is all about risk taking, board members might be
better served by a risk committee fully devoted to understanding complex risk issues and with
specialized expertise that reports its findings to the full board. This structure has become
commonplace in many financial institutions (e.g., SunTrust, Capital One, Wachovia, St. Paul
Travelers, JPMorgan Chase, Duke Energy).
Conversely, in an oil and gas company, risks are residual. They are not the businesss central
purpose, as they are in the financial sector, but are connected to the value-generating activity.
In these instances, the discussions of risk may not require a separate committee but should
occur as various exploration projects are being evaluated by the full board, as well as annually
or semiannually during an integrated board-level discussion of risk.
As well, a few institutions have chosen to assign risk oversight to a different committee
altogether, one with broader responsibilities and separate from an audit committee (e.g., the
MetLife Governance Committee).
management, a centralized ERM supports, trains, and provides tools to line managers who
have to manage their risks.
10
EXHIBIT 4
Exhibit
Exhibit
4
Obtaining
an independent, practical assessment
OBTAINING AN INDEPENDENT, PRACTICAL ASSESSMENT
Dimensions of
risk management
EXAMPLE
EXAMPLE
Your company
Assessment
Substantial improvement
required
Average company in
industry
Best practice
1. Achieving full
risk transparency
Financial services
company
11
12
13
EXHIBIT 5
Exhibit 5
Board
self-assessment
example
BOARD
SELF-ASSESSMENT
EXAMPLE
Not at all
Structure and effectiveness of risk management infrastructure at both corporate and BU levels?
Completely
2
Are the committee charters and responsibilities appropriate and shared by all members?
Is the committee composition adequate?
C. Effectiveness of board meetings
Do the board meetings focus on the core issues (as opposed to, for example, the tactical
review of nonmaterial transactions)?
* * *
Strengthening a boards approach to risk management starts with an honest assessment of
capabilities and a realistic perspective on how current gaps could become problematic, given
todays challenging regulatory and legal environments. Fortunately, many boards have made
significant progress in developing robust programs. And some have reached a new level,
making ERM an offensive and a defensive tool that benefits from a more value-focused
approach with ERM at the core of strategic decision making.
14
EDITORIAL BOARD
Andrew Freeman
Managing Editor
Senior Knowledge Expert
McKinsey & Company,
London
Andrew_Freeman@mckinsey.com
Peter de Wit
Director
McKinsey & Company,
Amsterdam
Peter_de_Wit@mcKinsey.com
Leo Grepin
Principal
McKinsey & Company,
Boston
Leo_Grepin@mckinsey.com
Ron Hulme
Director
McKinsey & Company,
Houston
Ron_Hulme@mckinsey.com
Cindy Levy
Director
McKinsey & Company,
London
Cindy_Levy@mckinsey.com
Martin Pergler
Senior Expert,
McKinsey & Company,
Montral
Martin_Pergler@mckinsey.com
Anthony Santomero
Senior Advisor
McKinsey & Company,
New York
Anthony_Santomero@mckinsey.com