Print this
Lee Puschaver, a partner at Price Waterhouse, and Robert Eccles, president of Advisory Capital Partners, explain how taking too little risk is as dangerous as taking too much.

Managing Upside Risk

Lee Puschaver and Robert Eccles

Risk management in the full sense is about seeking the upside while managing the downside. A broader working definition of risk, focused as much on the upside as on the downside, is now emerging among executives who spend at least part of every working day focused on risk management.

It arrives on time: now that cost-cutting through reengineering has reached the point of diminishing returns in many companies, a renewed focus on revenue generation needs an accompanying focus on the evaluation of business opportunities that will generate those revenues.

Juniper Oil

A good example of the emerging upside emphasis in risk management comes from a company we will call Juniper Oil (all company names used herein are purely fictitious). New managers there developed sophisticated risk-assessment methodologies for their exploration business. The CFO at Juniper Oil emphasizes that the purpose of the methodologies is "not to minimize risk but to improve our understanding of the risks we are taking—the nature of our business is risky.” Executives at Juniper Oil want to understand the risk of each exploration project in a more rigorous and comprehensive way. Armed with that knowledge, they can make better decisions about capital commitments. They are not looking for methodologies to point them to lower-risk projects, because they know that risk and return are closely linked. What they need to understand better is whether the potential return, or upside, justifies the capital required, the duration of capital commitment and the probability of actually finding oil.

The impetus for developing these risk-assessment tools was the company's declining performance in replacing its oil reserves, coupled with a substantial increase in exploration costs. Juniper had to replace the old, intuitive mentality likened to "drilling a hole in the ground and hoping for the best” with a comprehensive analysis of the upside and downside of each project. Combining the expertise of specialists in geophysics, seismology and other fields, the managers created a rigid discipline that examines risk-weighted expected outcomes for each project. The project was led by a group informally known as the "risk cops,” executives who play a crucial advisory role in the company's decisions to commit capital to exploration projects. This overall effort generated a better probability of success in drilling projects, lower drilling costs and a dramatic improvement in the replacement rate (the ratio of discoveries to production).

Successful long-term risk management involves opportunity, hazard and uncertainty. Here's what we mean by this three-part definition of risk.

Opportunity: Managing risk on the upside is an offensive function; it concerns actions taken by management to achieve positive gains. Analysis of the upside creates insights used by management to increase the probability of success and decrease the probability of failure.

Hazard: Managing risk on the downside is a defensive function; it concerns preventing or mitigating the actions of employees and others that can generate losses, and increasing the effectiveness of the firm's responsiveness to adverse developments. This approach is based on policies, procedures and systems designed to prevent behaviors that can negatively impact company performance—including violations of company policies, external laws and regulations.

Uncertainty: Managing uncertainty is critically important for achieving the best overall financial performance. Drawing upon hedging techniques, budgets and other tools, it seeks to ensure that a company's actual performance falls within a defined range. Managing uncertainty requires executives to pull together the company's management systems—from management information through performance measurement to incentive programs—to establish and achieve the range. As a practical matter, it often also has defensive overtones because it usually trades off some upside gain in order to limit downside losses.

Each element of the three-part definition of risk broadly connects with one or more functions within companies. Although functional emphasis and management boundaries are inherently flexible, risk as hazard typically represents the perspective of managers responsible for compliance activities—specifically, the controller, internal audit group and insurance administrators. Risk as uncertainty is a governing perspective of the CFO and line management responsible for operations. Risk as opportunity often reflects the outlook of senior management and the planning staff, who largely address the upside element of risk.

Managing upside risk is the responsibility of executives who create the company's strategy and commit resources to pursue that strategy. Those who devise strategies are much more focused on opportunity than on hazard. The assessment of risks attendant to opportunities most often involves the CEO, senior management, strategic planning staff and business development staff. They ensure that the company is taking enough risk to achieve the return expected by shareholders. Taking too little risk is as much a management failure as taking too much.

Managing the upside always focuses on attaining a desired return on capital. While the methodologies of upside management vary, they all involve collecting information to create knowledge, which in turn can serve as the basis for controlled risk-taking.


StarGene, a biotechnology company, provides a good example. The company invests heavily in a portfolio of R&D programs to discover new drugs. The head of business development offered this observation: "I think about innovation in the context of risk.” With the need to innovate considered a given, the company must understand the inherent risks of doing so—it cannot choose the option of avoiding risk by foregoing innovation.

For StarGene, risk offers tremendous potential rewards. A single successful new drug can easily generate billions of dollars in revenues with an 85 percent gross margin over the life of the patent. Inevitably, such large opportunities carry a substantial downside. In the drug development process, only 7.5 percent of good ideas emerge as successful commercial products after the typical 11-year cycle needed to develop a new drug.

The degree of risk is exacerbated by the capital required during development. A biotech or pharmaceutical company will have spent between $120 million and $200 million by the time a drug wins approval by the Food and Drug Administration (FDA) and becomes commercially available. At any point during the decade-long development process, the drug can fail a critical test—even up to final Phase III clinical trials that test the drug on a large number of patients. By then, most of the development money will have been spent, but that investment does not guarantee approval.

The head of business development at StarGene explained that in these circumstances, the key to successful development is for the company to "weed out the lemons as quickly as possible.” At the urging of StarGene's CEO, he spent the past year creating a formal methodology to assess the probability of success of drug development projects. This methodology builds on processes the company is already using to review projects.

The business development staff compiled a comprehensive risk analysis for three points considered critical during the development cycle. The analysis is based on a vast amount of information concerning the technical, clinical and commercial prospects of a project. The conclusions are reviewed with senior management and the project team to help determine whether the project should continue to receive development dollars. StarGene's CFO expects that "over time these risk management techniques should shift our success rate.”

Juniper vs. StarGene

Both Juniper Oil and StarGene emphasize opportunity and must contend with hazards, but Juniper Oil focuses more on managing operating uncertainty than does StarGene. The difference reflects the particular characteristics of the energy and biotech industries. Juniper's products (crude oil, refined products, chemicals and natural gas) are commodities subject to changes in market price, and requiring significant refining and transport services. Further, Juniper is a global company working in many currencies. It also faces considerable downside risk from environmental, safety and political hazards.

In contrast, StarGene places more emphasis on opportunity risk, because its opportunities are enormous. Patents protect its proprietary products, which sell at high margins that justify large investments. Compared with Juniper, StarGene is a simpler company with a few small business units and much less international presence. These factors make StarGene less concerned with the uncertainties of its operating performance than Juniper. It also has fewer hazards to manage. StarGene, however, must comply with critical FDA regulations regarding drug development, manufacture and distribution. Its band of compliance activities for managing the downside is narrower—but deeper.

To integrate
Or not to integrate

It is particularly important for management to decide how integrated or dispersed its approach to risk should be. A highly integrated approach uses a common language, shared tools and techniques, and periodic assessments of the total risk profile for the entire company. An integrated approach is appropriate when risk factors are common across functional and business units, when functional and business units are highly interdependent, and when tools and techniques developed in one unit can be readily adapted to other units. Integration can also be crucial when management strives to achieve a shared corporate vision across the company. Integration does not just happen. It is invariably the result of deliberate management strategy.

A highly dispersed approach to risk management lets each functional or business unit create its own language for risk management and its own tools and techniques. No structured effort is made to examine company risk in the aggregate or to share practices across units. The dispersed approach is most fitting when risk factors vary substantially across functional and business units, when functional and business units operate quite independently, and when the tools and techniques developed in one unit cannot be readily adapted to other units. While management might deliberately adopt a dispersed approach, in practice it often arises from corporate inertia. This approach still requires management to allocate company resources across the many demands for capital.

Juniper Oil takes a dispersed approach to this problem. The exploration business unit uses sophisticated risk management methodologies for oil-drilling projects. The corporate controller, with help from corporate and divisional financial executives, supports a corporate risk management committee chaired by the CFO. This committee focuses on commodity price risk. A separate group that conducts analyses of political risk reports to the head of corporate planning. Juniper Oil does not have a CRO; the CFO said the company is "not ready for it yet.”

At the same time, Juniper wants to benefit from a more integrated approach to risk management by developing a more common framework and transferring knowledge, tools and techniques among business units. The corporate controller plans to extend the reach of the corporate risk management committee beyond commodity prices to include all other types of risk, including political, technological and operating risks. He believes that the company needs a more holistic framework than the one currently in use. As the first step in this direction, the controller plans to link the risk cops mentioned earlier with the political-risk analysts.

Another move toward integration was the formation of an ad-hoc risk committee. Its membership includes the head of corporate planning, who explained to us that this committee aims to develop "more standardized and comprehensive practices by wedding the technical and nontechnical aspects of risk management.” A need to move beyond outmoded ways of thinking drove this effort. As the head of corporate planning put it, "People are using experience from their past for a very different future.” The committee makes good use of input from operations already using innovative techniques, especially exploration and political-risk analysis. Yet Juniper's approach differs from that of the CRO of Stonehenge, who has targeted an integrated risk management framework for his entire company. A more dispersed method meets Juniper's current needs, so management favors gradual evolution over aggressive change.

We found a fascinating variation on these strategies at GlobalBanc Inc., a multinational financial services company with a banking heritage. Compared with the diversified approach at Juniper, GlobalBanc has embraced an integrated approach led by a sophisticated, company-wide metric called the risk-adjusted return on capital (RAROC). Based on research on market and economic forces, the RAROC framework considers four risk categories: credit, market, country and business. The company understands that risks change, so management periodically uses statistical techniques to adjust the relative weight of the four categories. Projects and their profit potential are evaluated within the context of risks to be taken; the greater the risks, the greater the capital assigned to the project. To go forward, projects must generate revenues exceeding their costs, which include a charge for capital used (the charge is priced at GlobalBanc's cost of capital). The program works, thanks to company-wide agreement to describe all GlobalBanc activities using RAROC and the four risk categories. The GlobalBanc CFO says the system instills the basics of "risk and reward.”

Excerpted from "In Pursuit of the Upside: The New Opportunity in Risk Management,” PW Review, December 1996. Authors' note: Since publication of this article, the interest we first uncovered is clearly growing. Management teams are exploring the implications of broader strategic business risk frameworks that increase their enterprises' creative insight while also providing a structural coverage methodology. They are seeking self-renewing processes that leverage the collective wisdom of their personal growth and can contend with new situations as they present themselves.

Write for Us!

Questions from the floor:
A forum for end-users who would like a particular risk management question answered. For example: "How can my company hedge a dollar move in both directions?” or "How can we make sure our money managers are following our mandated risk management guidelines?” We'll get answers from the best experts we know and publish them in future issues.

Software reviewers:
We need people willing to spend an afternoon or evening becoming familiar with a particular piece of software. Later, we'll interview you at length on the strengths and weaknesses of the program.

Letters to the editor
Reaction, support, admonishments, suggestions for improvement.

Derivatives comix
A conversation between a dealer and an end-user in comic book format that helps readers understand the fine points of derivatives sales and trading practices.

A no-holds-barred examination of your personal experience in the derivatives market. You can remain anonymous, but you must tell a vivid story that reveals both the positive and negative aspects of the business.

Feature stories, columns, etc.:
We're always looking for columns or new article ideas on topics that haven't received enough attention. The ideas must be comprehensible to a wide audience of derivatives users.

Fax your contributions to 212-366-0551
or write to: 145 Hudson, Suite 700, New York, NY 10013