The New Business Mantra: Enterprise Risk Management

José Esteves. Professor. IE Business School

27 February 2007

The recent spate of business scandals has tarnished the public image of many large companies, underscoring the importance of enterprise risk.

The latest rash of international corporate scandals has increased awareness among big businesses of the need to proactively manage corporate risks. The latest scandal involving phone tapping at Telecom Italy makes the recent Hewlett-Packard case look like child's play. The highly respected management team at Hewlett-Packard publicly acknowledged that it had made use of a series of rather unethical business practices, which has hurt its credibility and reputation in the eyes of public opinion, investors and clients.

Other well-known scandals involving Enron, WorldCom, Xerox and the space shuttle disaster (the latter case revealed the inefficiency of the risk management policy implemented by NASA and led to the death of seven people) highlighted the importance of enterprise risk management and led to a clear change in the focus of ERM. Indeed, investor disappointment in large corporations has increased by 10% in just three years.

Many companies continue to analyse risk in a functional or very specific way, in other words, in silo form. Take the case of banking: until recently, the concept of risk referred exclusively to the management of bank risks. However, the focus of ERM involves the integrated and systematic management of all the risks, both inside and outside of a company. ERM recognizes that any decision-taking process, action or strategic plan implemented by a company involves a number of inherent risks. Therefore it is essential to identify these risks and assess them in accordance with their probability and their impact, with the aim of reducing at least the most critical ones.

ERM tries to analyse all the risks from the same standpoint and treat them with the same set of tools. Without a common culture or a good risk management policy, many companies fail to clearly define what risk is. As a result, different departments end up assessing risks in different ways, using different criteria.

Indeed, many companies fail to evaluate the broader aspects of various types of risks. Instead, they assess them merely on a single departmental level, forgetting their possible impact on other corporate areas or on the company as a whole. With the help of technology, the integration of processes and people within a company is a reality, but one which paradoxically has enhanced risk rather than reduced it. There are also risks that when taken alone seem to have little impact on a company, but when combined with others can have a catastrophic effect.

Another very typical example of this is when the executives and managers of a company use free e-mail accounts, such as Hotmail or Yahoo, to send information to clients when their professional e-mail account inbox is full. Many analysts would consider this practice low-risk or, worse, they wouldn't even consider it a risk at all. Now, let's analyse what might be at stake. Besides the possible security risk inherent to this type of e-mail account, imagine the media scandal that would ensue and the damage that would be incurred to the image of a bank if a press article mentioned the fact that its managers sent account statements to clients using Hotmail. Imagine how a bank's professionalism would be perceived and what damage its image would suffer, especially after so much money had been invested in corporate image, if these types of 'unimportant details' were revealed in the press.

Such is the case of the CEO of a well-known Spanish bank who sent strategic plans using a free account. Many companies invest absolute fortunes in security systems to protect themselves from external attacks while they forget that many of the risks are actually on the inside. I assure you: this is not fiction, but rather a real situation in many of Spain's large corporations. And although new regulations, such as the Sarbanes-Oxley Act, tackle these issues, risk management should never be reactive or the result of standards or legislation. Rather, it should be proactive and genuine, based on business know-how and created through the development of a risk management culture within the company.

The risk of reputation and image loss is probably the risk most overlooked by companies. Today, pressure is growing on corporations to quantify all their risks. However, this calculation is very holistic. Whereas in Spain the subject of ERM is still very new or in the distant future, it is critical on an international level and a priority for many global enterprises. In fact, many multinationals are creating the post of Chief Risk Officer. In Spain, as a best practice, we always wait for a scandal to erupt so that we can act after the fact, and in a rush.

IE Business School | María de Molina 11, 28006 Madrid | Tel. +34 91 568 96 00