A Tale of Two (Risk) Cities

December 27, 2021

Let me tell you a story because it is the time of year for fables.

A Scottish company (Dundee Ltd) is growing rapidly after only a couple of years in existence and needs to find a supplier that has the capacity to scale up to meet increasing demand.

The CEO approaches RA Ltd. (known in the industry for its risk-averse philosophy and for being limited in other ways), which is based in Newcastle.

RA responds with caution, as we might all expect. While they are very interested in having a major new customer that could grow its revenue by 20% if Dundee’s forecasts are reliable, they can see significant risks, including:

  • They would have to invest in new tooling to meet Dundee’s design requirements. While they expect that their margins on sales to Dundee would be double their existing level, there is a risk that the tooling costs would not be recovered if Dundee either fails to purchase in the quantities they are forecasting, cancels after one year or less, or there are problems manufacturing to Dundee’s quality requirements.
  • If Dundee hits its projected sales numbers and gives them the purchase orders it is forecasting, they will quickly run out of capacity. They will have to not only expand their footprint at a substantial cost, but also hire significantly more people. What happens if the Dundee business fades away later and they are left with significant excess capacity?
  • The credit that Dundee is asking for exceeds their credit limits and their risk appetite. Even asking for prepayment is insufficient to pass the risk appetite requirements; Dundee has indicated they would only make a 10% deposit rather than full prepayment, and then only for the first three months’ orders. The credit Dundee needs is expected to increase rapidly, further violating risk limits.
  • A commitment to Dundee would make it very difficult to take on other new customers. In addition, investors and regulators might be concerned about the company’s over-reliance on sales to a single customer.

RA’s CEO listens to his CFO and Chief Risk Officer. They are very concerned about breaching the risk appetite that has been set by the board. “What will the auditors tell the board when they find out? What will the regulators say?”

The CEO decides not to take the risk and tells Dundee that they can only accept purchases that are prepaid and only to the extent of its existing capacity.

Dundee’s CEO is disappointed and informs RA that she will have to think about it and get back to him. (No point in burning bridges.)

She then contacts another potential supplier based in Blackpool, RP Limited (that has a reputation for being risk-practical).

RP is about the same size as RA, with similar capacity and ability to meet Dundee’s current needs. Like RA, it would have to invest in new tooling and may have to expand at a cost and risk if Dundee’s sales projections are accurate.

RP’s CEO listens attentively to Dundee’s CEO and says she will have to get back to her but is very interested.

The CEO calls a meeting of her direct reports, including the CFO and CRO. They talk about both the pros, which are significant, and the cons, which are also significant.

The CRO confirms what the CEO fears, which is that the risk will exceed their stated credit limits and the risk appetite approved by the board.

However, the RP CRO is business practical. While the rest of the executive team flesh out how they could manage the additional sales volume, what it would take to get the new tooling in place, and so on, the CRO uses his laptop to run the (risk) numbers.

The CRO signals the CEO that he wants to share the results of his analysis.

He explains that the projected return on the deal is significant, and the team can probably take a number of steps (such as obtaining funding from Dundee for the tooling, which is not uncommon) to mitigate the risks to some extent.

Overall, he is comfortable taking the risk.

The opportunity outweighs the risks.

He comments that COSO explains in its ERM Framework that there are times when the risk appetite should be exceeded or modified, and this is probably one of them. (He takes the opportunity to share his view that a risk appetite statement is of limited value, and he would like to talk about that subject with the CEO later.)

After the meeting, the CEO calls the chair of the board and they agree that this is an opportunity that the company should take. With leadership from the CRO, management can take reasonable steps to manage the related risks. This is one of those cases where even high risks should be taken!

The chair undertakes to call the rest of the board members to confirm, while the CEO gets back to Dundee to start contract negotiations.

Which company is more likely to succeed?

Which CRO would you be?

What should the CAE at each company do?

I welcome your thoughts.

  1. December 28, 2021 at 12:58 AM

    As (real) risk management is about intelligent risk taking, I’ll surely be the RP risk officer. I predict company RA will see a slow and painful decline to oblivion.

    Risk appetite has to be linked to decisions, and knowing the likelihood of success is vital for any decision making – a step RA does not (dare to) take.

  2. December 28, 2021 at 4:15 AM

    Which company is more likely to succeed?
    RP is more likely to succeed. As ever, the company which is best able to predict benefits and risks, maximise the former and minimise the latter and then weigh the (now enhanced) benefits against the (now mitigated) risks is most likely to succeed.

    Which CRO would you be? Neither, I’d rather be a manager/director or CAE

    What should the CAE at each company do?
    > Ensure the company has clearly defined overall objectives and set the objectives of this project to be consistent with those objectives, being prepared to modify either if they are out-of-date with the requirements of their investors.
    > Ensure all relevant personnel have been involved in identifying the benefits and risks of the project and contributed to enhancing the benefits and mitigating the risks, for example by considering any government grants available, outsourcing some work, allowing only one order to be unpaid at any one time.
    > Check that all the necessary financial calculations have been independently checked.
    > Ensure all relevant information has been collected and checked for accuracy.
    > Verify that the proposal document to the board includes: objectives of the project; the benefits and risks affecting the outcome of the project; action required to enhance benefits and mitigate risks; Possible scenarios depending on the decision made; an analysis of benefits against risks on which the board can base their decision
    > Examine board papers to ensure the decision taken was in accordance with defined authorisation procedures.
    > Check the decision taken has been communicated to all relevant personnel together with the next stage of action.
    > Amend the audit plan to include audits of the project as it progresses (RP) or set up a strategy to change RA’s aversion to risk (or look for another job)

    • Norman Marks
      December 28, 2021 at 6:52 AM

      Well said, David.

      I would add that the CAE for RA has work to do to change the perception of internal audit. He or she also needs to be concerned with the risk-averse culture, talking to the CEO and the board about changing it.

  3. Dani
    December 28, 2021 at 7:17 AM

    This is not the time to be thinking about audit – nor, do I see a clear role for the CAE in this situation. The decision has to be made on sound business rationale, not audit implications. As long as the decision is made, regardless of which decision is made, it must be well documented with supporting risk analysis/assessment. It must be management who makes the business decision, not audit influencing it. Why do we pay the C-suite the big bucks anyway? Audit cannot be used as an excuse for a decision. That’s not leadership in the vaguest sense.

    • Norman Marks
      December 28, 2021 at 7:43 AM

      Dani, doesn’t the CAE have a role to play when the leadership is excessively risk averse?

    • December 28, 2021 at 10:28 AM

      Dani, how can audit be used as an excuse for a decision? The role of audit is to ensure that appropriate action has been/is being taken to maximise benefits and minimise risks. In other words to make sure decisions are based on sound business rationale.

  4. December 31, 2021 at 9:45 AM

    Norman (and everyone else), Happy New Year. Thanks for keeping the brain cells firing.

    • Norman Marks
      December 31, 2021 at 9:51 AM

      Thanks and the same to you, David

  5. Vance Jochim
    January 5, 2022 at 9:18 AM

    Norman – I find it very hard to read your submissions because the font is TINY. Can you increase the font to at least 14, plus use BLACK font, not light grey.
    Vance Jochim

    • Norman Marks
      January 5, 2022 at 10:22 AM

      Vance, sorry but the fault and solution are with your display. The font is black (at least in the editor) and WordPress standard size. The editor doesn’t allow me to increase the font size.

      Did you recently “upgrade” to Windows 11? That has changed the display on my system and it’s much harder for me to read too.
