How to define and manage corporate risk

This post originally appeared on citopbroker.com

Every business should have a system for both defining and employing proper risk management measures.

This not only protects your company, but also ensures customers and investors are willing to trust you and your practices.

Read: Companies hide billions in pension liabilities

Rob Quail, director of enterprise risk management (ERM) at Hydro One, is gearing up to speak about how to effectively manage corporate hazards at the 2^nd Annual Enterprise Risk Management Canada Conference in Toronto.

So, Top Broker caught up with him to find out how he defines and deals with risk at his company.

Read: Lessons learned from Lehman Brothers

Q: What is your definition of risk tolerance?

A: I’m not a believer in risk tolerance as a limit. The idea that you say, “Our risk tolerance for financial risk is $50,” doesn’t make sense. I know that some companies express risk tolerances in terms of absolute limits against key performance indicators (KPI). I’m not sure this makes sense in practice.

We have a scale of one-to-five for each one of the KPIs that is an expression of our attitude toward that extent of failure, ranging from minor to catastrophic. So, in evaluating risk, one of the key things taken into consideration is where it sits on that scale.

Read: Risk management lessons

Q: Why is it important for an organization to have clearly defined risk tolerances? And how can that aid decision makers?

A: Ideally you want all decision makers, within the limits of their authority, making decisions that are consistent with the company’s expectations for risk, or the company’s attitude toward risk. You don’t want overly conservative risk taking behaviour because that can cause the company to fail at meeting its most basic goals.

That’s what leads to what people see as very bureaucratic, slow-moving, unresponsive organizations that miss out on opportunities. On the other hand, you don’t want cowboys running all over the place making unrestrained decisions.

Q: What are the practical ways organizations should be employing risk tolerances?

A: They should be used in every risk assessment. Whether or not the company has an approach like ours—we use risk workshops quite heavily—they should be applying risk tolerances and evaluating the significance of risks on a regular basis.

We also have a process at Hydro One that’s known in the marketplace as AIP: Asset Investment Prioritization. All of our asset investments, all the relative ranking of those things, and all the business cases for those investments are all justified in part by their potential to mitigate risk.

Also read:

Corporate boards must manage risk

Key person insurance protects companies

Risk management: Best practices for advisors (2005)

Industry needs to win back investors

Lower portfolio risk by screening for quality

Progress for responsible finance

Volcker on new CFA risk council

Infrastructure boost would spur growth

How safe is your yield?

The best ways to own Canadian banks