Defining Your Risk Universe
A Rights and Obligations Approach to Identifying Enterprise Risks
View in our
This brief document is provided to help organizations that are interested in a pragmatic, structured approach to defining or updating their risk universe. The document begins with a simple diagram of a Risk Universe Framework in the context of a Value Chain (top of page 2) to stimulate the risk identification thought process. The framework diagram is followed by descriptions of the various elements in the framework.
The document continues with two suggested methodologies for conducting workshops to reveal enterprise risks based on the ac-cumulated rights and obligations of the organization. The first methodology suggests an approach to identify enterprise risks based on the rights and obligations assumed by the organization in a series of “events” in chronological order, whereas the second meth-od applies an incremental approach to identify risks based on the rights and obligations accumulated at each element in the Risk Universe framework.
The document concludes with a suggestion for maintaining an ongoing ledger of the rights and obligations of the organization and associated risks, coupled with high level consequences of mismanaging the risk (which can be elaborated upon in risk profiles), and the mechanism for measuring and monitoring the risk. The ledger provides a useful tool for leaders to assess the scope of the organization while capturing the key elements of section 1A of 10K filings if applicable.
This framework is provided to help risk managers build and evolve their risk universe. A risk universe is an ongoing inventory of the risks facing your organization. These risks occur along the value chain. Environmental and competitive risks would most likely exist with or without your organization, whereas risks within the scope of your organization are dependent on the systems operating within the boundaries of your organization from inputs to outputs. Viewing the organization within this context reveals implicit and explicit objectives and associated risks.
To apply the framework, it is best to work in two or more cross-functional teams and have them approach the framework from different angles. Some suggestions follow, but first, the elements of the framework will be explained.
Objectives — Objectives are noted first because the framework represents the evolution of your organization and the related risks over time. For example, at its inception, your organization began with express or implied objectives, including, establish legal presence, conform to applicable regulatory requirements, secure customers, attract funding at a fair price, acquire facilities and talent, and formulize effective and efficient processes. Objectives evolve over time, usually to address opportunities and risks in the value chain, and as a result, impact the rights and obligations of the organization and the risk universe.
Environmental — Environment includes the legal and regulatory implications facing your organization which include all levels of government, as well as some non-governmental organizations (consortiums, professional organizations, etc.). Environmental risks are among the first that must be addressed and range from maintaining a business license, to complying with EHS, OSHA, and other applicable standards.
Competitive — Competitive addresses the markets for inputs and outputs which entail a variety of risks that determine the economic viability of the organization, and ultimately shape its scope, capital structure, partners and distribution channels.
Scope — Scope represents the activities in the value chain that the organization is directly involved in or exercises ownership which implies stewardship and decision making authority. This begins with responsibility for inputs which include capital, materials, services and labor and continues through outputs including goods and services and is influenced by decisions, contracts, policies and systems (e.g., debt versus equity, consigned inventory, warranties, and customer databases to name a few).
Conversion Systems — These comprise the inner workings of the organization and are boiled down to people, policies and processes, and technology which work in concert with each other to execute the objectives of the organization.
Strategic Influencers — Consists of the situations/circumstances, opportunities/threats, rights/obligations and as-sets/liabilities accumulated by the organization over time as a result of the intersection of Objectives and the various elements in the value chain framework. We promote maintaining a ledger of key happenings inside and outside the organization and classifying them in strategic influencer categories as well as value chain element for the purpose of monitoring risks in the context of organizational boundaries.
The exercises/methodologies below can be conducted individually or in groups at various organizational levels to help define the risk universe.Chronological Approach
In this approach, the team retraces the events necessary to recreate their organization from scratch, at a high level, and records each right/asset and obligation/liability accumulated along the way to identify the related risks. It may be helpful to define the events, and then for each event, note the applicable element(s) of the framework, with the associated rights and obligations.
- What is the event, situation or circumstance?
- What elements are involved?
- What rights/assets and obligations/liabilities resulted from the event?
- What risks arise from these rights/assets and obligations/liabilities?
To illustrate, consider the event of “organizing”. Obviously, the Environmental Landscape element applies, and the rights accumulated would include the license to operate in a certain industry and location during a period of time. Certain obligations come with those rights, including periodic public filings, tax returns, and compliance with regulations. Failing to meet these obligations could result in some combination of fines, legal costs, and perhaps closure.
Subsequently, the organization would need to compete for funding from capital markets, which results in liquid assets that must be protected and the obligation to generate the required returns on equity and/or meet debt servicing costs and covenants. These obligations not only entail the risk of failing to meet the obligations, but reveal the importance of considering the obligations be-fore the event occurs, to ensure the risk is minimized through optimization of the capital structure. Also, there is a risk that once capital is obtained, opportunities to restructure financing are not identified and acted upon to enhance the value of the enterprise.
Another example would be obtaining premises, an important milestone for any organization. This event involves transacting with markets for rights to real estate that result in security and safety obligations among others. In this approach, objectives and risks almost define themselves, jumping off the page from your examination of the event, impacted elements, and resulting assets/rights and obligations/liabilities. In fact, most will be tempted to press forward with the exercise and also record the mitigation for the risk during the exercise. Without prescribing work habits, this is not encouraged because the teams might not know all the mitigating forces, and moreover, including mitigations in the exercise dilutes the focus, and could result in reverse engineering the risk universe thus impairing the objectivity of the exercise.
While it is not suggested that the mitigation be considered in the exercise, it is suggested that where applicable, the above information be appended with a risk indicator, or means by which the measurable risks can be measured, also noted in the alternative approach noted on the following page.
Illustrative Example of the Output from the Workshop:
In this approach, each element is considered independently beginning with the Environmental Landscape, and proceeding through the value chain. As each element is considered, the implied or express objectives, rights/assets, and obligations/liabilities are noted as well and converted to risks using the thought process described in the chronological approach. When considering each element, it may be helpful to ask questions specific to each element. For Environmental Landscape elements, the questions might include:
- What legal and regulatory forces govern us (implied objective is to satisfy legal requirements for a going concern)?
- What rights and assets are accumulated in this environment?
- What obligations and liabilities do the regulatory forces impose?
- What are the risks associated with these rights and obligations and how are they measured?
For Competitive Landscape elements, the questions might include:
- Who do we transact with for this element (e.g., raw material) (implied objective is continued access to fairly priced inputs)?
- Who do we compete with for raw material?
- What rights/assets and obligations/liabilities come with raw material transactions?
- What are the risks associated with these rights/assets and obligations/liabilities and how are they measured?
After each element is addressed and objectives and risks are revealed, it is important to revisit any incremental business objectives in the context of the elements in the framework to identify any additional risks on the planning horizon. For example, the objective of increasing market share while fairly broad, immediately points to the customer markets element of the framework, as well as the skills, systems and policies in place. Which customers will provide the growth and what new rights and obligations do they pre-sent for our organization in terms of skillsets (people), systems, and policies. Do the rights and obligations generate any incremental risks? And how is this risk going to be measured?
Either methodology should result in a comprehensive list of rights/assets and obligations/liabilities, and related risks and indicators. The logical next step in completing the risk universe is to document the consequences of mismanaging the risks. This information will highlight gaps in knowledge, and aid in prioritizing risks based on consequence, as well as identifying other key elements needed to generate a quality risk profile.
The Leadership Ledger is a simple tool with potentially powerful uses because it refreshes the organization’s understanding about the source of risks by connecting the objective of events to rights/assets and obligations/liabilities. As this understanding evolves, management can more effectively pinpoint non-EVA activities and reshape the scope and systems of the organization to increase its value. In addition, the ledger can be instrumental in constructing scenario maps to study the impact of changes in the various elements of the value chain on the value of the enterprise as a whole. Lastly, this process eases the formulation of the schedule 1A of the 10K filings.