Corporate Risk: What Does Management Really Know?


A short list of questions that every board member and senior manager should be able to answer.

Fortnightly Magazine - February 2005

“We pursue a disciplined approach to risk management" says the CEO of a major utility during the company's earnings call with analysts and investors. In this era of increased scrutiny over corporate governance, how can senior management and the board be certain that this statement is accurate, and where does the discipline begin?

Senior managers and board members cannot be expected to know every detail of risk management, but by asking a handful of questions, they should gain a comfortable understanding of the firm's risk-management strategy and control structure.

Asking the following questions of the risk management staff sends a clear signal to the organization that risk management discipline is not something to be delegated to the "financial guys," but is a high-level priority.

1. How do we decide how much risk is the right amount of risk?

Defining the appropriate risk tolerance for a utility is a difficult business. Different stakeholders have different tolerance for risk. For example, debt holders want less risk than equity holders. Risk tolerance is also a function of profitability: We are willing to take more risk when we are very profitable.

Capital adequacy standards that help banks determine risk tolerance have been slow in coming to the utilities. Standard and Poor's recently produced its own version of capital adequacy standards for utilities, which, when combined with various other financial ratios, provide a meaningful benchmark to help determine the appropriate risk tolerance for a utility. For example, if variations in spark-spreads result in a 20 percent chance that interest coverage may fall below ratio targets, then a hedging program should be initiated to reduce the probability of the interest coverage shortfall to a level consistent with the company's credit rating and risk tolerance.

2. Are our limits adequate and appropriate?

Since risk management techniques were developed in the banking sector to describe the risks surrounding financial products and traded derivatives, utility risk managers rightly applied them to their trading and hedging activities. Unfortunately, that left out the largest risk an average utility faces: operating a fleet of assets while serving a large and variable retail load base. Traditional risk measures and limits are unsuitable for such operations. Yet most utilities continue to try to bang a round peg into a square hole. Why?

The typical answer is that they don't have the ability to compare long-term plant and load risks to short-term trading risks. There is no doubt that this exercise is more challenging than applying simple value at risk (VaR) measures to a portfolio of transactions, but it is also infinitely more valuable. Risk limits around the generation and load position could be established to ensure that ongoing operations are hedged at the appropriate levels based on benchmark financial and rating agency ratios, while at the same time communicating the firm's risk tolerance to shareholders and ratings agencies.

3. How do we decide and communicate which risks we want to avoid and which risks we should keep?

Spark-spread risks, retail risks, equity risks, operational/reliability risks, credit risks, catastrophe risks, legal risks, regulatory risks. … With all of the risks facing today's utility, how is senior management supposed to know which risks to self-insure and which risks to shed? The task can seem daunting, but the leader of a well-run risk management program will clearly identify the organization's core competencies and then decide which risks he is better capable of managing than outsiders. For example, a utility's knowledge of the physical demand characteristics of its customer base and the physical constraints surrounding its fleet and its region typically give that utility a competitive advantage over potential outsiders in managing physical supply risks. Alternatively, the credit risk inherent in a 10-year power purchase agreement with an energy merchant may be something that a financial institution is better prepared to manage.

Reaching the desired risk profile by reducing these unwanted risks comes at a cost (think insurance premium), but the criteria used to evaluate the decision should be the comparison of the opportunity cost of self-insuring to the cost of insuring the risk through a third party and freeing up the firm's capacity to take more risk in other areas.

4. Does the commercial staff have the proper incentives to reach our desired risk profile?

The answer to the question depends on the company's ability to measure and assess the firm's allocation and use of risk capital (capacity to take risk). This process already has been developed in the banking and insurance industries and is mandated by international banking regulations. The process is more challenging for utilities but valuable nonetheless. Implemented correctly, the process introduces a framework for quantifying the risk-taking capacity of the firm by comparing it to established metrics such as rating agency and capital market financial ratios, and comparing the effect of different risk mitigation alternatives (, insurance vs. hedging vs. credit default swaps).

The backbone of this approach relies on the firm charging for the use of its risk capital just as it charges for the use of cash capital or credit capacity. Risk charges and hurdle rates provide a concrete comparison of risk to return and form the basis of the firm's risk-management strategy. Consider a simple example where management is considering purchasing insurance against an unplanned outage. At the same time, they are considering entering into a credit default swap with a major bank to protect one or more of their credit exposures. By assigning a charge for risk, 25 percent for example, staff can use a simple formula to compare the two. Both transactions have a risk reduction benefit (25 percent multiplied by the risk reduced) and a cost (premium). The alternative with the largest risk adjusted value (Risk Reduction x 25 percent - Premium) offers the most efficient use of the firm's risk capital. If the insurance purchase resulted in a risk reduction of $75 and cost $10, and the credit default swap resulted in a risk reduction of $50 for a cost of $5, then this approach would yield the following results and show that the insurance policy represents a more efficient form of risk reduction than the credit default swap:

Risk charges and an integrated approach to risk management allow management to assess which transaction delivers the best risk-management bang for the buck. Further, it shows analysts and rating agencies that the company is taking a proactive, rather than a reactive approach to risk management.

5. What is the right benchmark to use in evaluating performance, and are we beating the benchmark?

Once a company has an appropriate risk management framework and the ability to charge for risk as described above, the purpose of risk management can change from one of risk avoidance and control to the optimization of return on risk. This raises the question: What is an appropriate return on risk?

While simple in concept, this can become complex in execution. At least three methods can be used to answer this question:

1. The return on risk of current operations;

2. Competitor's return on risk;

3. Return on risk of alternate investments.

Method 1, return on risk of current operations, requires the company to look at its investments and risks historically to determine both the level of return and the level of risk taken. While this method is helpful in determining how various initiatives have performed, it provides little insight as to how the company's operations compare with those of their peers.

Method 2, competitor's returns on risk, can be gleaned from several sources of publicly available data, including annual and quarterly SEC filings, public plant information, and public auction results. This information can give management important benchmarks with which to compare their own performance to that of their competitors, just as P/E and other financial ratios do. Risk management activities can be adjusted accordingly, based on the results. Like any analysis based on publicly available data, the quality of the results rely on the accuracy of the reported data. Recent power and gas industry earnings restatements would skew analysis results.

Method 3, return on risk of alternative investments, allows management to benchmark their projects' returns on risk versus other investments such as corporate bonds, equities, or commodity investments.

Return on risk benchmarks are necessary to judge how efficiently the company is taking risk relative to its peers, and can be a valuable piece of competitive information used to position the company favorably in the eyes of lenders, shareholders, and analysts.

Once the organization's risk tolerance and appetite have been established, an appropriate governance structure must exist to support and control the risk-taking activities of the firm.\

6. Is our risk management organizational structure adequate to control the firm's risks?

Effective risk management demands the respect and cooperation of traders and commercial managers. Organizations may be designed to aid that process. An effective structure ensures the independence of the risk function while at the same time keeping it involved in day-to-day activities. Most utilities have an insufficient level of communication among risk management, senior management and the board. The most effective way to remedy this problem is to appoint an independent, empowered chief risk officer (CRO) who reports directly to the CEO and to the board. The CRO's responsibilities would include the following:

  • Proactive Analysis-Analyze and assess the risks of significant transaction activity, including capital structure and M&A decisions, long-term structured transactions (tolling deals, PPAs, etc.), and hedging policy prior to execution.
  • Risk Reporting-Ensure timely, complete, and consistent risk reports from the different business units (regulated, unregulated, trading).
  • Communication-Educate and communicate risk information to the board and senior managers at regularly scheduled meetings. This individual also should set the agenda for risk-management committee meetings.

Quality Assurance-Audit deal capture, mark-to-market valuations, risk-measurement models, risk reports, and risk disclosures for accuracy and adequacy.

Failure to appoint an individual for this position, to give the role sufficient authority, or to understaff the function can exact a high price; it signals to the organization that risk management is of secondary importance, and is something that can be done on an basis by the businesses, treasury, or CFO's office.

Failure to give the CRO sufficient independence and authority typically results in the business functions ignoring the CRO's recommendations and marginalizing risk management within the organization. Business unit and trading managers must respect the CRO and his authority for the position to be successful.

Finally, understaffing the risk management function typically ends in its ruin. An understaffed risk management group cannot keep up with its responsibilities to analyze multiple time-sensitive transactions, and the resulting frustration from the commercial teams means the group will not be involved in future transactions.

7. Can I personally summarize and quantify the firm's key risks based on the risk reports I receive?

If you are an executive who receives the weekly, monthly, or quarterly risk reports and aren't sure which end of the report is up, you are not alone! Risk reports developed by quantitative analysts typically require significant refinement to provide a meaningful, accurate, and comprehensible picture of the risks facing today's utilities.

Many companies have no formal non-market risk reports because those risks are more difficult to quantify and communicate. Outage risk, credit risk, and potential collateral requirements are just some of the significant risks that typically go unreported in the monthly or quarterly board package and represent some of the most significant risks facing the business.

Market risk reports typically focus on VaR as the relevant risk measure, but although VaR is a useful tool for communicating the risk of a group of trading positions, its usefulness is questionable when applied to physical assets. Senior management thinks in terms of cash flows and earnings when discussing physical assets, not mark-to-market values.

Risk reports that are not linked to corporate objectives are difficult for non-traders to interpret and understand. There are two alternatives facing senior managers and board members:

  • Go back to school in your spare time and get a Ph.D. in statistics; or
  • Ensure that the risk management group is communicating risk management information in a set of clear and comprehensible reports that facilitate decision making and input from senior management and the board.

Given the time demands on today's CEO, the former is less likely to occur than the latter, but in the current environment it is more important than ever for executives to understand the information being presented to them. Not understanding is not an excuse! It is incumbent on senior management to put the burden on the risk management staff to make their material understood.

8. How does our disclosure of risk management activity compare to our peers?

Traditionally, the "Quantitative and Qualitative Disclosures About Market Risk" section of a company's financial report has been viewed as the place where companies are required to disclose information about exposure to market risks and derivatives activities. Rather than look at risk disclosure as a burden brought to bear by FASB and the SEC, market leaders look at risk disclosure as their company's opportunity to:

  • Communicate to investors and analysts which risks the company has chosen to bear and which ones it has chosen to ignore;
  • Convey how the company plans to mitigate those risks it does not desire to keep; and
  • Inform stakeholders of how much of each risk it desires to reduce.

They also view risk disclosure as an opportunity for their company to link risk-management objectives to overall corporate financial objectives such as EBITDA, free-cash flow, and financial-ratio targets.

Although investors and analysts would like to have as much information as possible, disclosure should be limited so as not to reduce a company's competitive advantage. In this regard it is helpful to differentiate between strategic and tactical risk management activity.

Strategic risk management activity can be disclosed as much as possible without significant loss of competitive advantage. For example, a utility that has decided that it will not hedge its exposure to floating interest rates should be willing to disclose that strategic risk information to allow analysts and investors to better understand the impact of changes in interest rates on future earnings.

Tactical activity, however, should not be disclosed at a level of detail that would allow other market participants to take advantage of the company's position. The level of detail for disclosing information should be adequate to allow shareholders and analysts to properly assess a company's exposure to various risks, but limited enough that it does not convey information that could facilitate speculative trading against the company or a loss of competitive advantage.

Many utility CEOs pass off the development of risk management policy to "the financial guys"-the CFO or treasurer. In today's environment of ever-increasing scrutiny over corporate governance practices, CEOs and the board cannot plead ignorance to the trading and risk-management activities at the companies in their charge. The questions described herein are ones that every CEO should be able to answer in detail.

Once a CEO or CFO has an understanding of the topics addressed by these queries, he or she can confidently say, on behalf of his or her company, "We pursue a disciplined approach to risk management."