
Academic year: 2022


Acknowledgments

I would like to explicitly thank my whole family, which allowed me to study at the Louvain School of Management and supported me throughout the whole study period.

Also, I would like to thank my supervisor, Prof. Loïc Decaux, who advised me on the research path for the thesis, which has been especially useful to me.

Abstract

This master's thesis deals with the use of risk management and its techniques in companies in the energy sector. The main objective is to evaluate the methods and the approach to risk management used in companies compared to the theoretical research. The first chapter introduces the word risk, its origin, definition and classification, followed by a description of risk management and its process as well as the development of the discipline. Next, the specifics of the energy sector are laid out and the importance of risk management in such an industry is explained. Through interviews with representatives from different companies, insights into the way risk management is done in the companies are presented and compared. While the theory highlights the importance of holistic risk management, the research discovered that, although there is a deep connection between strategy and risk management and the setting in each company is highly tailored to its needs, the practical situation follows the theory only partially.

Key words: Risk, Risk Management, Risk Appetite, Risk Assessment, Energy Sector


Contents

1 INTRODUCTION
2 RISK
2.1 RISK HISTORY, DEFINITION
2.2 RISK CATEGORIES
3 RISK MANAGEMENT
3.1 RISK MANAGEMENT PROCESS
3.1.1 Setting up the context
3.1.2 Risk assessment and its steps
3.1.3 Risk assessment techniques
3.1.4 Risk response strategies
3.1.5 Monitoring, review & other
3.2 RISK MANAGEMENT EVOLUTION
3.2.1 Risk management development
3.2.2 Traditional approach
3.2.3 Holistic risk management
4 USE OF RISK MANAGEMENT IN THE ENERGY SECTOR
4.1 ENERGY SECTOR DEFINITION AND IMPORTANCE
4.2 RISK MANAGEMENT IN ENERGY SECTOR
4.2.1 Company A
4.2.2 Company B
4.2.3 Company C
4.2.5 Discussion
5 CONCLUSIONS
6 BIBLIOGRAPHY

1 Introduction

Every single person on this planet has some experience with risk. The word risk is usually associated with negative outcomes. There is a risk that you can have a car accident and get injured. The same outcome, an injury, can happen when you are walking in the mountains and step badly on a rock. The very essence of business lies in risk: you spend money to produce a product or offer a service, and you face the risk that you will not make the money back and will go under. Different companies deal with different risks, which are specific to the field in which they operate; however, there are certain methods and processes which are used in risk management when dealing with them. The risk management process consists of a few steps, all of which are to be followed if a company wants to successfully manage its risk exposure and avoid negative outcomes. Risk management as a discipline has been evolving throughout the history of humankind, starting with sacrificing items or animals, moving to the use of insurance and different methods to deal with financial risks, and on towards a holistic approach in which the risks are deeply intertwined with the strategy of an enterprise and are managed together. While there is no single best system in use everywhere around the globe, the guidance by the Committee of Sponsoring Organizations of the Treadway Commission (2017) and the International Organization of Standardization (2018) seems to be the best choice for different companies. Companies in the energy sector are the owners of critical infrastructure, which, if interrupted, could cause significant losses to companies and impact the whole public. The nature of energy companies’ operations is very forward-looking, as the contracts they hold are settled at some time in the future. Because the prices of their inputs and outputs fluctuate, the companies use financial derivative contracts to fix their exposure to financial risks. The aim of this thesis is to evaluate the ways in which companies in the energy sector deal with the different risks, how they approach the risk management process, what methods they use and whether the reality follows the theoretical research.

Interviews with people are conducted to gain the necessary knowledge from specific companies doing business in the energy sector. First, the term risk is defined and put into historical context, followed by the classification of the different risks a business can face. The following chapter focuses on risk management, its process and evolution. Then, the specifics of the energy sector are laid out, followed by a description of the interviewed companies and a discussion based on the information received.

2 Risk

2.1 Risk history, definition

Every single person on this planet faces some risks in their life. Almost every activity that we do has a risk associated with it. The origin of the word risk is probably connected to the maritime industry. The Italian risco stems from an expression which meant a threat to sailors and their ships (Liuzzio, et al., 2014). A similar view is presented by Covello (1985), who mentions the original word rhiza, coming from Greece, describing the dangers of sailing near a cliff. In the broadest sense, risk is “the possibility of something bad happening at some time in the future; a situation that could be dangerous or have a bad result” (Oxford Advanced Learner’s Dictionary, 2021). From both the history of the word and its broad definition we can see the bias towards the negative aspect. When we talk about risk in this specific way, we are talking about pure risk: you are facing two outcomes, of which one is negative and the other is no change. The pure risk concept can traditionally be seen in hazard risks. An example of this, as D’Arcy (2001) suggests, might be owning a car or a house: an event such as hail, a flood or a tornado can happen and damage your property, or nothing can happen, in which case the owner does not gain anything. The Society for Risk Analysis (SRA, 2020) also looks for a definition of risk and mentions that the word risk is usually connected with a future activity, defining risk “in relation to the consequences (effects, implications) of this activity with respect to that human value. The consequences are often seen in relation to some reference values, and the focus is often on negative, undesirable consequences.” From this definition we can confirm the aforementioned bias; however, a different perspective, according to Lam (2014), comes from the Chinese characters which are associated with the word risk, as these represent both danger and opportunity. This can be referred to as speculative risk, which can be connected to financial risks. When purchasing a stock of a company, as described by D’Arcy (2001), we are hoping to gain money either from dividends or from the price change. We might have an expectation, based on our information, that the price is going to increase by 10%; however, there is a risk that the future price will not be equal to the expected price. It can be higher or lower, but it can also be lower than the original price for which we bought the stock, resulting in a net capital loss.

A distinction needs to be made between the words risk, hazard, and uncertainty. Haldane and Nelson (Bank of England, 2012) show the difference between risk and uncertainty based on the knowledge of the statistical distribution. When it comes to uncertainty, this distribution cannot be calculated or is unknown. The influential work of Kaplan and Garrick (1981) states that a hazard is a source of danger, and the risk is the chance, or likelihood, of this source manifesting into an actual negative outcome. With this in mind, the authors connect risk with three different properties, which answer these questions:

• What can happen?

• How likely is it that that will happen?

• If it does happen, what are the consequences?

The properties answering these questions are the scenario, the probability of that scenario, and the consequence or evaluation measure of that scenario. The risk would then be defined as a set:

$$R = \{(s_i, p_i, x_i)\}, \quad i = 1, 2, \ldots, N$$

where $R$ is the risk, $s_i$ is the scenario, $p_i$ is the probability and $x_i$ is the outcome. A similar view with just two components can be seen in Proske (2008), where risk $R$ is the product of a negative consequence measure $C$ and an indetermination measure $P$. $C$ can be measured in many different ways, whether it is money, human, animal or environmental loss. The same goes for the indetermination metric, which is usually measured statistically with a probability. For simplicity, the probability referred to will be defined as “the proportion or fraction of times that a particular event is likely to occur” (Witte & Witte, 2017). The probability ranges from 0, the event being impossible, to 1, the event being certain, and the probabilities of the whole set of outcomes always need to sum to 1. There are many ways to interpret probability, and while a connection to probability is made whenever risk is defined, no specific interpretation of the concept of probability is attached to the definition. Aven (2013) gives an example of the difference between frequentist and subjective probability, as the interpretation of probability will have an impact on risk perception and on its assessment or management. A consensus on what exactly the definition of risk is will probably not be reached in the short term; however, there is a level of common understanding of what risk is.

Like the sailors throughout the centuries, who had to embrace risk to be able to deliver a shipment which would turn into great profit, businesses nowadays face many risks willingly to make money and create value. As Milkau (2017) sees it, the issue is that there is no possibility of avoiding risk. Even simple organisations will face accidents; the assets of such organisations can break, and that is nothing unusual.

The number of risks a business can face can be seen in Figure 1: there is a myriad of them. Of course, some risks are greater than others. Companies in different industries will face different risks; in this Figure the focus is on a car manufacturing company. The situation will be different in the financial industry, where financial risks, such as credit risk, will take the leading role.

Figure 1: Enterprise risks a business can face Source: Elkins (2005)

The fact that a business is doing well at a certain time does not mean that it will continue to thrive in the future as well, as the world around us, and especially the risks, are changing constantly. It goes without saying that if a business owner is not able to tackle the risks his or her business is facing effectively, he or she will have, according to Barton et al. (2002), a higher chance of failing on the market and going under. Globalisation is no longer believed to be the cure for everything, and there are events happening which have an impact on the whole world; examples might be the financial crisis in 2008, the earthquake in Fukushima in 2011, the unrest in the Middle East or, recently, the COVID-19 pandemic. The World Economic Forum (WEF) monitors the situation and annually releases “The Global Risks Report”, in which it informs readers about the greatest risks that humankind is facing. They identify 5 different risk categories: Economic, Environmental, Geopolitical, Societal, Technology.

Figure 2 contains the 5 greatest risks the world is facing every year, ranked by the impact of a given risk. At first glance at the table, we can see that environmental risks account for the highest number of risks compared to the others.

Figure 2: The top 5 Global risks by Impact (2014-2021) Source: WEF (2021)

However, if we were to look at the same table ranging from 2007 till 2014, we could see a significant difference. The focus was not dominantly on the Environmental risks, but mostly on the Economic ones. The whole world was shaken by the severity of the financial crisis, which started in 2007 in the US mortgage market, spread worldwide through the financial system and impacted a large portion of the economies. The previously overlooked systemic risk¹ manifested itself, and regulators, financial institutions, but also other businesses were caught by surprise by the events that took place after the initial market crash. The possibility of another crash remains in people’s minds; however, the Asset price collapse left the top 5 greatest risks in the year 2011, which can be seen in Figure 3.

Figure 3: The top 5 Global risks by Impact (2007-2014) Source: WEF (2021), WEF (2012)

2.2 Risk categories

Now that we have established the field on which companies conduct their business, we can move on to some of the formal distinctions of risk, which can help a business categorize risks in a way in which it can deal with them. Originally, firms were concerned with the so-called hazard risks, such as floods or fire. For events such as these, firms can buy insurance to transfer the risk to a different entity for a certain amount. During the 1970s, companies discovered different risks, called financial risks, which were connected mainly with the usage of derivatives. The next group of risks, according to McShane (2018), were the compliance-focused risks, which stem from company scandals and the rising relevance of the accounting profession. As we have seen in the example with an auto manufacturer, all the different risks were grouped into categories. It is important to put different risks into different categories, as it might help us with understanding a particular risk and also with dealing with it. A common classification of risks in financial organisations is the split into two groups, financial risks and non-financial risks. Financial risks include mainly credit, market, and liquidity risk, while non-financial risks are mainly operational, legal, regulatory or reputational risk. Mejstřík et al. (2015) mention that, importantly, financial risks are usually easier to quantify than non-financial risks. Since this work is not focused mainly on financial institutions, the risk classification that is going to be used is taken from Toma & Alexa (2012), who list 7 business risks which are crucial for any company:

1. Operational risks
2. Financial risks
3. Strategic risks
4. Market risk
5. Country risks
6. Compliance risks (legal liability)
7. Natural risks (environmental risks)

¹ “the danger that problems in a single financial institution might spread and, in extreme situations, such contagion could disrupt the normal functioning of the entire financial system” (BIS, 2002).

Operational risks are usually connected with some error in internal systems, humans, or software. The Bank for International Settlements (BIS, 2012) defines operational risks as: “The risk that deficiencies in information systems or internal processes, human errors, management failures or disruptions from external events will result in the reduction, deterioration or breakdown of services provided.” Examples of operational risks could be a tool which is not properly stored and can harm the workers using it, or a system for making payments in which payments are set up and authorised by one person.

Financial risks are generally associated with the flow of cash in the company, which can be influenced by the changes of prices on the financial market. Figure 4 shows some of the most important financial risks.

Figure 4: Financial risks Source: Horcher (2005)

Foreign exchange, interest rate, commodity, and equity price risks, which are connected to the respective prices on the market, are sometimes referred to separately from financial risk as market risk. A typical financial risk is credit risk, which can be defined as:

“The risks that exist whenever payment or performance to a contractual agreement by another organization is expected, and it is the likelihood of a loss arising from default or failure of another organization.” (Horcher, 2005)

Credit risk is one of the most dominant risks in the banking sector and, according to Bouteille (2012), it does not matter whether the counterparty is unable to fulfil its obligation fully or partially, on time or with a delay, or whether the payment is not made willingly or due to inability: the credit risk is still there regardless of the conditions.

Another risk on the list, which can be connected with the time dimension, is liquidity risk. If an asset is liquid, then there is usually no problem purchasing or selling it on the market. When a business (e.g., a bank) wants to settle its obligation and needs to convert some of its assets into cash for the payment, it is facing liquidity risk, which Lopez (2008) introduces as the risk that it will not be able to find a buyer on the market for an acceptable price, which can lead to an inability to fulfil the original obligation the bank wanted to cover.

The following risk type on the list that businesses face is strategic risk. These risks are completely different in every business and depend on the industry in which the business operates, but also on the decisions, vision, and mission of a particular organization. Toma & Alexa (2012) state that these risks arise from different business activities, which can come both from inside and outside of the company. Examples might be mergers & acquisitions, changes in demand or consumer behaviour, or new competitors in the industry.

There is no doubt that the country in which you are doing your business will have an influence on it. Country risk, as defined in Toma & Alexa (2012), is related to the probability that the environment in which the company is operating will change and have an impact on the probability of the organisation continuing to function. There are many factors which need to be considered, and they can be categorised as economic, financial, and political. The changes might be subtle, such as an increase of the tax rate by a slight margin; however, they can also reach a higher magnitude, as in the case of a war or a revolution/coup, which will with high probability have a negative effect on the operations of a company. Among the political factors, other components of country risk described by Howell (2014) could be the level of corruption, the amount of military in politics, and whether there is religious or ethnic tension in the country. Among the economic factors we could include the GDP per head, its growth, inflation, or the state of the current account as a % of GDP. Last, but not least, the financial factors are connected to the foreign debt and foreign debt service as a % of GDP, or the exchange rate stability.

Another category of risk on the list by Toma & Alexa (2012) is compliance risk. This risk is associated with the obligation to comply with different rules, mainly laws and regulations. An example of compliance risk could be the adoption of the EU’s General Data Protection Regulation (GDPR), which deals with the right to personal data protection and the flow of such data. As Demetzou (2019) presents, the whole EU environment was influenced by this regulation, which undoubtedly caused organizational and technical changes.

The natural (environmental) risks, together with the compliance risks, have been getting increased attention in the past years. The incidents which can happen can have a serious impact on property and goods, but also on the lives of people. Different events, such as floods, earthquakes, thunderstorms, or tornadoes, occur relatively frequently; however, there is a low probability that these events will have catastrophic outcomes, and this is why environmental risks also affect the world of business.

A different risk categorisation can be seen in Kaplan & Mikes (2012), who use three different risk categories: preventable risks, strategy risks and external risks. The distinction between these lies both in where they come from and in the way these risks are supposed to be managed. Preventable risks arise from inside the organisation, specifically from inappropriate or incorrect behaviour of employees or managers. A typical example of this could be rogue traders, who have throughout history caused their organizations losses in the billions of USD, as Wexler (2010) describes. The next category is tied to the business the company is doing. The authors mention that strategic risks do not have to be inherently undesirable. The reward in terms of higher return coming from the strategy decisions is there to balance their undesirable outcome. External risks come from the outside, and the company has little or no influence on these. For these risks it is important to accept that there is no way of preventing them, and to focus instead on mitigation of the impact and timely identification.

With the classification of risk introduced, we can move on to the whole process connected with dealing with risks, “managing” them, which is the discipline of risk management.

3 Risk management

According to the International Organization of Standardization (2018), risk management is: “coordinated activities to direct and control an organization with regard to risk.” At first sight we can see that risk management is concerned with controlling an organization and, therefore, there needs to be a linkage between the organization’s goals and the risks it is facing.

If we look at risk management from a broader perspective and distance ourselves from the organizational point of view, we can look at it from a personal point of view: risk management becomes an activity that a person does to protect himself or herself from risk. Since the dawn of civilization, people have faced many tragedies and have tried to protect themselves from them or to cope with them. One of the earliest formal views on risk management, according to Webster & Cokins (2020), was incorporated in the Code of Hammurabi almost 4 thousand years ago, which touched on the concept of maritime insurance. Kloman (2010) describes the technique of ancient civilizations which came up with a set of divine protectors, to which they sacrificed certain items or animals to protect themselves from misfortune. Another example comes from the 5th century BC in China, where officials and priests annually chose maidens and sacrificed them in the Yellow River to satisfy the gods, with the intention of avoiding flooding.

In Egypt, they had a system of watching the level of the river Nile at a certain point of the year to predict whether there was going to be a cheerful year or not. As Covello (1985) sees it, all the societies in the past have feared another element: fire. As the years passed and civilizations grew, there has been an answer to different risks which, unfortunately, usually came after a certain risk had manifested, certain damage had been done or a catastrophe had happened. This paradox is visible in the example of fire insurance and the switch of building materials after the Great Fire of London in 1666. Other examples include the story of the unsinkable ship Titanic, the real danger of nuclear meltdown in Chernobyl, the explosion of the space shuttle Challenger, various oil spills in the sea, an earthquake in Japan and the consequent tsunami damaging the nuclear reactor, big corporate losses, fraudulent behaviour (Société Générale in 2008), the fall of Enron or the last financial crisis from a decade ago (Mikes, 2011, Paté-Cornell, 2012, Kloman, 2010 and Power, 2004).

These events influence people deeply, and the authorities in charge of creating new policies, as per Kousky & Kunreuther (2018), are usually prone to protect consumers so that the aftermath of the event is not an additional burden on them, even though these individuals or organisations have made certain decisions according to the risk accepted which were far from optimal.

Peter Bernstein, in his book about the history of risk and its management, states that: “The essence of risk management lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us” (Bernstein, 1998).

In an example given by Haldane & Nelson (Bank of England, 2012) of a forester who wants to maximise the yields of his forest while limiting the amount of risk, we can see this principle in practice. If there are no gaps between the trees, then when a thunderstorm comes and lightning hits the trees, there is a chance that a fire is going to start and spread to adjacent trees, causing damage to the whole forest. However, if the forest is planted in a way which does not let the fire spread through the whole forest, the risk is limited to the place where the fire started, with the drawback of a lower yield from a less densely populated area. Of course, the forester might not have any idea that such a thing can happen until he experiences it for the first time.

3.1 Risk management process

3.1.1 Setting up the context

Figure 5: Risk management process Source: ISO (2018)

As we can see from Figure 5, the risk management process has several steps. First, we need to take a look at the situation in which the business is right now. From the definition of risk management, we can see that it is result-oriented; therefore, we can take our current situation, for example that of a car manufacturer in Japan, and, as Hilson (2015) sees it, identify the risks which are actually relevant to us. The end-of-summer tornado season in the US is without a doubt a risk which can lead to severe negative consequences; however, almost certainly not for our business in Japan, or only with very little impact, which would mean there is no reason to monitor such a risk. However, if our job was to be in charge of an outdoor swimming pool in the area, we would be watching the situation and the weather radar very carefully. The first step also includes the overall corporate culture and the risk aversion; what is more, a link needs to be made to the objectives and strategic goals of the company (Quail, 2012, Power, 2009).

When expressing the risk appetite in a company, Quail (2012) recommends a set of 4 questions which the management can ask themselves with regard to the objective, and which will help them better understand the situation they are in and the trade-offs which need to be made:

• What’s our overall philosophy toward the achievement of this objective?

• How much uncertainty or volatility in terms of results are we willing to accept?

• When faced with multiple options, how willing are we to select an option that might place this objective at risk?

• How willing are we to trade off the achievement of this objective against other objectives?

We can clearly see the connection between the risk and the objectives. Of course, the company’s goal is to achieve those objectives; however, there might be several projects happening at the same time with different levels of importance for the management. Some might be connected to the main business of the company, while others might be improving some internal process to be more efficient. Since the objectives lie in the future, it rarely happens that the prediction will be the same as the future situation in which the company will find itself. There needs to be some margin of error, but how big can this margin be? 5%? 10%? This is something that the management needs to decide, to see how much volatility they are willing to accept.

On top of the “project” risk appetite, the Committee of Sponsoring Organizations of the Treadway Commission state in their paper (COSO, 2012b) that there needs to be a company-level risk aversion definition. There is no such thing as an ideal level of risk appetite; every company is willing to accept a different level of risk. A company with lower risk appetite will be reluctant to open a factory in a volatile country where there might be high political risk, which would probably lead to the loss of the whole investment. In finance, there is a saying that with higher risk comes higher reward; however, this is only true up to a certain point, after which the risk taking might become too excessive and the company is hurt by the amount of risk it is maintaining. Of course, this might result in an excess return for the company in good times; however, in the long run, the result of unnecessarily high risk, as Lam (2014) describes, would probably be negative. This situation can be seen in the Figure below.

Figure 6: Risk level and return Source: Lam (2014)

To create a risk appetite, there are 3 simple steps which need to be followed, which can be seen in the Figure below:

Figure 7: Risk appetite cycle Source: COSO (2012b)

The risk appetite cycle starts with the management, under board oversight, developing the overall risk appetite for the company. The methods which can be used for this are the following: facilitated discussions, discussions related to objectives and strategies, and development of performance models. Facilitated discussions can develop into a deeper understanding of the different views of management and the board of directors on the risks that the company is facing and willing to take in order to achieve its goals and objectives. The next method, discussions related to objectives and strategies, takes the extra step and focuses more deeply on specific strategies and objectives, which gives the much needed greater detail for both parties. The performance models are a quantitative measure of the risk appetite; there are models which are used to make sure that the company would survive in a certain % of the possible scenarios.

After developing the risk appetite, there needs to be a formal way to communicate it to the whole company, as the whole company needs to be on the same page, and the mere existence of a risk appetite in a company is not enough when it does not affect all the staff from top to bottom. Once everyone in the organization knows the risk appetite, the management, as described in COSO (2012b), monitors over time the situation, the business and the risks associated with it, and can decide to keep the risk appetite the same. However, after a certain amount of time, when the company is growing and developing, they can decide to go for a more aggressive way of working; on the other hand, the situation on the market might be getting worse and, being afraid of a failure, the management can choose a more conservative way and revise the risk appetite, after which the news again needs to be communicated through the whole company. The timing of these changes of the risk appetite is not set in stone; however, an annual basis for the review seems to be appropriate, as recommended by Webster & Cokins (2020).

The concept of a single enterprise-wide risk appetite is flawed, according to Power (2009), who believes that the whole concept of risk appetite is more of a bureaucratic element which is difficult to present to, and incorporate for, all the individuals throughout the whole company.

Figure 8 shows an example of a risk appetite scale adapted from Quail (2012). The author chose 5 different rating levels, ranging from low risk aversion (being open to risks) all the way to being severely risk averse. For each level, there is information about how tolerant the company is towards a particular risk, which choice it should make when selecting between a few options, and how much the company is willing to sacrifice when other objectives are also on the horizon. Such a scale of course needs to be tailored based on the internal communication and set-up by the management and board of the company; the number of rating levels can be increased, with less of a difference between the levels, or vice versa.

Figure 8: Risk appetite scale Source: Quail (2012)

3.1.2 Risk assessment and its steps

The next step in the risk management process is risk assessment. Risk assessment, according to SRA (2018), is: “the systematic process to identify risk sources, threats, hazard and opportunities; understanding how these can materialize/occur, trigger events/events sequences, and what their consequences can be, representing and expressing uncertainties and risk; and determining the significance of the risk using relevant criteria.”

It is clear from the definition that the risk assessment process needs to be created carefully with a sound plan in mind, looking at the risks from different perspectives to make sure that the company catches all the possibilities for different risks to occur so that it can reasonably react to the severity of the situation.

Figure 9: Risk assessment flow diagram Source: COSO (2012)

As we can see from Figure 9, in practice the risk assessment has a few steps. In the literature, risk identification is sometimes separated from risk assessment; for the purposes of this work the two are merged, as in the risk management process figure the identification belongs to the risk assessment. In Figure 9, the grey dashed rectangle represents the whole process including the risk identification. After the risk identification comes the step Developing assessment criteria, because there needs to be a way to compare risks. Without some sort of common language in which the risks are assessed, it is impossible to choose how to react to different risks. As per the COSO (2012) guidance, every company should choose the way in which it understands risk; however, some of the common measures are impact, likelihood, vulnerability, and velocity.

Impact is the measure of how much a certain event influences the company. The likelihood could be presented in a company in a way similar to the one shown in Figure 10 below, either as a percentage or as some sort of frequency.

Figure 10: Likelihood scale Source: COSO (2012)

Vulnerability is an entity's sensitivity to a risk based on variables such as preparation, agility, and adaptability. When the buffers in terms of these variables are not sufficient, the company has fewer possibilities to react to a certain risk manifesting itself. Finally comes the velocity, which is the speed at which the company is affected by the risk event happening.

Methods for assessing risks are usually either qualitative or quantitative. Different methods are more viable for a different set of risks. As an example, financial risks might be easier to quantify than operational risks, therefore, for the financial risks, the quantitative methods might be a better option. Quantitative methods allow for numerical aggregation for the risk as well as the cost-benefit analysis of the different scenarios which might occur, however, the main drawbacks might be the costs which are associated with creating the model in the first place, as well as the risk of the assumptions being devoid of reality, which will skew the results heavily.

On the other hand, qualitative techniques should be easier to create, as well as easier to understand for staff without any specific quantitative knowledge. The easier interpretability could also be a negative, as the individuals might not share a clear understanding of what, for example, “highly probable” means, and it is difficult to translate the data into something quantifiable. A good approach recommended by COSO (2012) would be to identify the risks in the first step with the qualitative techniques and then follow up with some sort of quantitative method, which will enable the company to look at the different numbers.

Each business is dealing with what we can call a portfolio of risks. Similarly to the stock market, where there are companies which thrive in good times or bad times and are somehow correlated with each other, the risks that the company is managing influence each other and are bundled together. One option for the company is to create a risk interaction map, where it plots the identified risks on the x and y axes and inspects whether a certain risk has been influenced by another in the past, but also investigates the future, whether a connection can be made. Fault trees, event trees, and bow ties are three widely used diagrams. Fault trees are used to investigate occurrences or sequences of events that could result in a danger or an event. Event trees are used to model sequences of events emerging from a single risk occurrence. The last diagram is the bow-tie diagram, which combines a fault tree and an event tree.

The following step is risk prioritization. This can be done either hierarchically or in the form of a heat map². The risks are ranked by a certain criterion chosen by the company, usually impact times probability or times vulnerability. However, when the risk assessment is done in more of a qualitative way, it is difficult to compare the different risks on a heat map. Despite that, the heat map can be a useful visualisation tool to see where each risk stands.

² Sometimes also referred to as a risk matrix

Below in Figure 11 you can see a risk heat map combined with an opportunities heat map, showing that some uncertainties are not pure risks with only negative consequences. As usual, the green part of the heat map signifies low risk, while the red part signifies great risk.

Figure 11: Heat map Source: COSO (2012)

When a risk is assigned a value in terms of impact times probability, it receives a certain score. The company can have a table which states the appropriate reaction based on the score. However, even if this process is highly standardized, different people understand the scales differently; a “Major” risk or an “Unlikely” likelihood can therefore resonate differently in the minds of several individuals, as Hubbard (2020) points out, and this confusion might eventually lead to underestimating or overestimating the risk. Cox (2008) describes that if negatively correlated risks are wrongly identified, the usage of risk matrices could be “worse than useless” and lead to decisions that are worse than randomly chosen ones. Therefore, risk matrices should be built upon a solid foundation with well-explained underlying assumptions and scales.

A great risk assessment, as presented by SRA (2018), needs to follow these criteria: it is solid (complies with the basic setting in which it has been created, the assumptions, rules etc.), relevant, useful, reliable, and valid. On top of this, COSO (2012) recommends that this process be easily understood and not overly complex, otherwise the effectiveness of such a process would diminish.

3.1.3 Risk assessment techniques

From the previous chapter, we can see that risk assessment is a very thorough discipline, in which the company needs to go through a few steps: starting with the identification of the risks and the setting up of the criteria to be used for the assessment, followed by the risk assessment itself, which also examines the interactions between risks, and finishing with the ranking or prioritizing of the different risks. Different techniques were developed to help with: delivering concise information to support decisions being made under uncertainty, comparing different options, better understanding and anticipating risks, even extreme ones, detecting the factors of each risk, identifying the responses for existing risks, communicating them, and learning from both fiascos and triumphs to help manage risks in the future (International Electrotechnical Commission, 2019).

Figure 12 shows some of the methods and their applicability in the different steps of risk assessment, based on the standard IEC 31010.

Figure 12: Risk assessment methods Source: IEC (2019)

The first methods described are best used in the risk identification part. The methods selected for explanation are:

• Brainstorming

• Risk Questionnaires and Risk Surveys

• Scenario analysis

• Delphi method

• Failure mode and effects analysis (FMEA)

• Ishikawa analysis (fishbone) method

The methods were chosen for several reasons. Firstly, Brainstorming and Risk Questionnaires and Risk Surveys are a great initial look into the world of risk for a company which wants to investigate its risks more deeply. Secondly, the methods are relatively simple to understand for everyone who is using them and are usually complemented by a graphical view which makes the causality presented in them clearer. Additionally, other methods, such as FMEA or Ishikawa analysis, have been used in the energy sector in the past; therefore, they are relevant for the purpose of this thesis. Aras & Özcan (2016) show that the Ishikawa analysis could be used to increase the quality of service in the energy sector. FMEA has been used in relation to the generation of wind energy (Arabian-Hoseynabadi et al., 2009) and, as Hekmatpanah et al. (2001) report, proved useful in the oil industry in Iran.

Brainstorming might at first sound like a buzzword which is being overused nowadays; however, it has its place both in strategic planning and in risk management. During a brainstorming session, which is attended by people from different backgrounds and with different expertise, some risks which were not seen by people from one part of the company but were seen by another part can come to light, and even some risks which were previously unknown have the possibility to emerge. The key for this is the assurance that no ideas are going to be swept under the rug and that the individuals presenting them will not be discriminated against; therefore, the Institute of Management Accountants (IMANET, 2007) suggests that there is a need for a great moderator/facilitator of the discussion.

Risk Questionnaires and Risk Surveys can also be a great tool for identifying risks. The questions can be asked about risks arising both from outside and from within the organization. The whole business environment, political, regulatory, or economic risk, different players in the supply chain process such as suppliers or customers, but also the company’s stakeholders can all be a source of a risk which can be identified through the use of a risk questionnaire. Figure 13 below shows an example of what such a questionnaire can look like.

Figure 13: Example of a risk questionnaire Source: Silva et al. (2020)

Scenario analysis is a powerful tool as it allows the management to explore different what-if situations and their impact on the company. An example is how an earthquake could severely impact a company. Imagine a situation in which this natural disaster levels a production facility: it carries immediate damage in terms of the property; however, the supply chain disruption and the inability to serve customers if there is no backup can lead to much higher damage to the company.

Another method, called the Delphi method, is different from the previous ones due to the fact that the information gathered comes from a group of experts, who do not necessarily need to come from within the company. Linstone & Turoff (1975) explain the way this method works. The experts answer questionnaires and, after submitting their answers, they get feedback and a summary of the whole group’s ideas from a facilitator, based on which they can alter their initial thoughts and revise them into a better solution. This cycle repeats based on some criteria and ends with some sort of consensus between the experts. While this method can sound good and simple on paper, if the facilitator does not interpret all the ideas correctly and does not encourage opposing opinions, then the analysis might skew towards quickly finding a consensus, which might not be optimal. For this reason, and because of the danger of not choosing the right experts with relevant knowledge, Rowe et al. (2011) warn against using this method uncritically; one of the suggested solutions was to combine the Delphi method with some other technique.

Failure mode and effects analysis (FMEA) is a method which examines certain components in a system or a process and explores the options which can develop from failures of these components. Generally, as Laszcz-Davis (2019) reports, it is used for processes in which the human factor does not play a major role; therefore, simple tasks in which, for example, machines can malfunction and cause harm are the ideal candidates for using the FMEA. This method was popularized when it was being used by Ford in the last quarter of the 20th century. At Ford this analysis was used in design, and in essence it is trying to answer the question “What can go wrong and if it does, what are the consequences?” Based on the analysis, a risk measure is used, the risk priority number (RPN), which is calculated as the product of the chance of failure, the chance of the failure going undetected and the severity. Gilchrist (1993) adds that with such quantification, it is possible to look at the different failures and prioritize the ones with the highest RPN. In Figure 14 we can see the steps in FMEA. The search for possible failures starts in the third box, “Deduce failure modes”, followed by the assessment of the severity and probability of the event happening, with the eventual goal of being able to react to these risks and the ultimate goal of reaching higher customer satisfaction, which is a clear link to the corporate strategy.

Figure 14: FMEA process flow diagram Source: Anleitner (2010)

Another great technique for identifying possible sources of undesirable events is the Ishikawa analysis. The way this method is built can be seen in Figure 15. First the “head” of the fish is created: an effect, positive or negative, is chosen. Then a set of categories of different causes is used; in this example we can see Environment, Materials, Suppliers, Personnel, Process, Infrastructure. For each of the categories, questions such as “How can this happen?” or “Why would it happen?” are asked. As the standard describes (IEC, 2019), the team is trying to see the factors which are influencing each of the categories, whether positively or negatively.

Figure 15: Ishikawa (fishbone) diagram Source: IEC (2019)

Now that we have covered a handful of methods which are used in the risk identification part, we are going to look at the techniques which are used in the later stages of risk assessment:

• Fault tree analysis (FTA)

• Event tree

• Bow-tie method

These methods were picked for similar reasons as the group from the risk identification part, mainly for their great graphical depiction, as well as because the last method is a combination of the first two. Ericson (2005) describes that the event tree analysis was developed for the purposes of nuclear power plant safety in the 1970s. The use of FTA in the electrical distribution system was documented by Jishkiriani (2020), and Volkanovski et al. (2009) describe its use for the stability of the power system. Ibrahim (2017) highlighted the practical uses of the Bow-tie method for the offshore petroleum industry.

The fault tree analysis is another graphically clear analysis used in risk assessment. It is a deductive method which excels at bringing to light the causes which can lead to undesirable events³, and it can be used both qualitatively and quantitatively. In contrast to FMEA, this method is also used in processes in which a human factor plays a role. The analysed system needs to be well defined: before a fault tree diagram is created, it must be clearly set out what the steps in the process are, what the bottlenecks and boundaries are, whether they are electrical, mechanical, or operational, and how the different steps in the process interact and relate to each other. This preparation is then translated into a graphical form in terms of the different logic gates, which can be seen in Figure 16. When an emergency generator does not start automatically, there might be several reasons why this event happens. In the Figure there are two options; however, these two options do not need to be the end cause and, therefore, as the standard (IEC, 2006) recommends, they are inspected further until we get from the top to the bottom of the causes.

³ In the FTA these are called top events

Figure 16: Fault tree analysis Source: IEC (2019)

The use of this method outside of the engineering world in a human service delivery was tested by Lacey (2011) and the result was that the FTA helped the adapting organization to develop a way to identify the risk causes structurally and systematically as well as integrate the risk management function with other functions at the organization.

The next method described, an inductive one, is called event tree analysis (ETA). This method analyses the risk starting from the opposite direction to the FTA. Following the occurrence of an initializing event, the ETA is used to identify and assess all the possible scenarios stemming from such an event. Ericson (2005) describes this method: in the first step we look at the initializing events, and then we assess all the subsequent events which take place after the start of the accident. After this, we identify the subsequent events which can take place, which are called pivotal events, and the next step is to create the event tree diagram, in which we see all the situations which can happen, usually with a binary outcome, success or failure, together with the probabilities of these events happening. The result is a clear path from the initial event all the way to the different outcomes in the form of a tree diagram, which can be seen in Figure 17. Each of the outcomes is well defined in terms of the different cumulative probabilities leading to that point (as an example, outcome B is defined as the result of the initializing event happening, followed by pivotal events 1 and 2 being successful while the 3rd event experiences a failure). Besides the great and simple visual representation of the failures, Ostrom & Wilhelmsen (2019) highlight that the ETA can also be used to model the successful events, which can bring the benefit of a better understanding of a certain process.

Figure 17: Event tree analysis Source: Ericson (2005)

Book (2012) describes the Bow-tie method as a great visualisation tool which connects the causes of failures, the development of these events, the system which is set up to prevent this from happening, as well as the ability to react and limit the impact if such an event happens.

Figure 18: Bow-tie diagram Source: Rausand & Haugen (2020)

As we can see from Figure 18, there are some events which are the causes of harm (left side) and which can eventually lead, through different scenarios, to consequences for the company (right side). What is great about this method is that it is a good analysis both of the origin of the risk and of the consequences, in a nice visual way which is easy to understand. Rausand & Haugen (2020) report the advantage that the diagram simultaneously shows different ways in which the company can prevent these initiating events from happening (left side) and mitigate the after-effects (right side). As was stated before in the text, the Bow-tie diagram is a combination of the previously introduced methods, FTA and ETA, which can be seen in Figure 19 below, taken from Aqlan & Lam (2015). Thanks to this combination of deductive and inductive methodology, a company can identify both how the risk can happen and the severity and impact these risks can have should they occur.

Figure 19: Bow-tie as a combination of FTA and ETA Source: Aqlan and Lam (2015)
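The fault tree, event tree and bow-tie passages above can be carried through numerically. The following Python sketch is an added example, not taken from the thesis or its sources: it derives the minimal cut sets and the probability of the top event from a fault tree and then uses that probability as the initializing event of an event tree. The event names, probabilities and the pruning rule are constructed assumptions, loosely following the emergency generator case.

```python
from itertools import product

# Constructed inputs: every event name and probability below is an assumption.
BASIC_EVENTS = {  # failure probability per demand, assumed independent
    "mains_sensor_fails": 0.02,
    "control_wiring_broken": 0.01,
    "fuel_tank_empty": 0.05,
    "fuel_line_blocked": 0.005,
    "starter_battery_flat": 0.03,
    "backup_starter_fails": 0.10,
}
# Top event: the emergency generator does not start automatically.
FAULT_TREE = ("OR", [
    ("OR", ["mains_sensor_fails", "control_wiring_broken"]),  # no start signal
    ("OR", ["fuel_tank_empty", "fuel_line_blocked",           # generator fault
            ("AND", ["starter_battery_flat", "backup_starter_fails"])]),
])
# Pivotal events after the top event, as (name, probability of success).
PIVOTAL_EVENTS = [("operator_alerted", 0.95), ("manual_start_works", 0.80),
                  ("critical_load_shed", 0.90)]


def minimal_cut_sets(node):
    """Qualitative FTA: the smallest sets of basic events that cause the node."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":      # any child's cut set is enough
        sets = set().union(*child_sets)
    elif gate == "AND":   # one cut set from every child is needed
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unsupported gate: {gate!r}")
    return {s for s in sets if not any(other < s for other in sets)}


def occurs(node, state):
    """True if the node occurs for one assignment of basic-event states."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [occurs(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)


def top_event_probability(tree, probs):
    """Quantitative FTA: exact probability, enumerating all basic-event states."""
    names = sorted(probs)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(tree, state):
            weight = 1.0
            for name in names:
                weight *= probs[name] if state[name] else 1.0 - probs[name]
            total += weight
    return total


def first_barrier_failed(path):
    """Pruning rule (assumption): nothing else is attempted if event 1 fails."""
    return bool(path) and not path[0][1]


def event_tree(initiating_probability, pivotal_events, stop=first_barrier_failed):
    """ETA: every outcome as (path, cumulative probability)."""
    outcomes = []

    def walk(index, path, probability):
        if index == len(pivotal_events) or stop(path):
            outcomes.append((tuple(path), probability))
            return
        name, p_success = pivotal_events[index]
        walk(index + 1, path + [(name, True)], probability * p_success)
        walk(index + 1, path + [(name, False)], probability * (1.0 - p_success))

    walk(0, [], initiating_probability)
    return outcomes


def bow_tie(tree=FAULT_TREE, probs=BASIC_EVENTS, pivotal_events=PIVOTAL_EVENTS):
    """Left side feeds right side: P(top event) starts the event tree."""
    p_top = top_event_probability(tree, probs)
    return p_top, event_tree(p_top, pivotal_events)


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(FAULT_TREE), key=sorted):
        print("cut set:", ", ".join(sorted(cut)))
    p_top, outcomes = bow_tie()
    print(f"P(top event) = {p_top:.6f}")
    for path, probability in outcomes:
        label = " > ".join(f"{n}:{'ok' if ok else 'fail'}" for n, ok in path)
        print(f"{probability:.6f}  {label}")
```

The outcome probabilities always sum to the probability of the top event, which is a quick consistency check on any event tree built this way.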

3.1.4 Risk response strategies

Now that the company has a defined risk appetite and a way to identify, assess and prioritize the risks, it needs to “manage” them. Chapman (2011) describes 4 ways in which the company can treat the risks, which are:

• Reduction (treatment, mitigation)

• Removal (avoidance, elimination, exclusion, or termination)

• Transfer (reassignment, deflection)

• Retention (acceptance, absorption, or tolerance)

If we refer to risk as a combination of the scenarios, their probabilities and outcomes, reduction of the risk can be done essentially in two ways: reducing the likelihood of a risk materializing, or limiting the loss if the risk does materialize. This can be achieved by many different actions taken by the company. A lot of the measures used here are of a more operational character. As Jankensgard & Kapstad (2021) describe, having a plan B when things go wrong or taking precautions to make sure an error does not happen does not seem like risk management, yet it is.

When an enterprise wants to remove a risk, it is best done at the beginning of a risky project. In the example of a company doing business in a third-world country with limited options to defend itself from political risk, it might be a better option not to begin the project and to settle for a lower yield somewhere else than to realize, after spending a significant amount of money, that the factory is going to be annexed without any remuneration. Failure to foresee this situation can be very costly. Chapman (2011) mentions that three tests need to be done before any risk removal:

1. Opportunity – Are we losing a significant opportunity because of a wrong risk-reward assessment?

2. Business objective – If we select an alternative option, do we still fulfil the prime business objective?

3. Cost – Is it cost efficient to reduce the risk? What if the impact of the risk materializing is lower than the cost associated with removing it? Do we know all the costs associated with removing the risk?

The third response strategy is risk transfer. This is one of the first historical methods used in risk management. As Çaliyurt (2021) describes, insurance is used for this. We create a contract which transfers the risk to someone else, some other entity or organization, for a payment which usually includes the evaluation of the risk based on some statistical method and some level of risk premium. Insurance contracts are usually used as a solution for pure risks, when there is only a downside to an event happening. MacFinn (2005) reports that it is a very efficient means of dealing with pure risk, as this contract was created for this purpose.

Insurance has been used for centuries, starting with maritime travel, and nowadays covers almost any risk, provided there are two parties who want to exchange the risk for an appropriate payment. An issue with this might be that the organization which is transferring the risk will no longer try to mitigate it and will rely solely on remuneration from the accepting party under the contract in case something happens. Surminski (2014) gives an example: when a company is trying to prepare itself for the possibility of flooding, it can only defend itself up to a certain point; there will always be some additional, residual risks, which are impossible to mitigate. Chapman (2011) advocates here for the following four tests:

1. Objectives of the parties – The motivation for switching the risk between the parties

2. Ability to manage – This contract can work only if the new risk “owner” can manage the risk, whether they can reduce or remove the risk.

3. Risk context – Is the risk stable or volatile? More volatile risk is usually more difficult to manage.

4. Cost effectiveness – Is the premium paid less than the cost connected to dealing with the materialized cost?

An alternative to the insurance option might be the use of financial derivatives. As Millo and Mackenzie (2007) define, financial derivatives “allow those who wish to reduce the risk embedded in their market position and to transfer it (i.e., sell it) to others who are interested in bearing more risk, in expectation for increased return.” As we can see, the definition of financial derivatives is conceptually really close to insurance contracts, with the limitation to financial market risk. There are many financial derivatives; examples might be forward or futures contracts, options, and swaps. Hull (2012) explains a forward contract as a contract in which two counterparties agree to buy or sell a specific asset at a specific time in the future for a specific price.

The payoff function can be seen in Figure 20. On the left we can see the long position, which occurs when we are buying a certain asset for a price K. If the market price at time T (S_T) is higher than this contracted price, we are making a profit, and vice versa. On the right side is the opposite situation, in which we agree in advance to sell the asset for price K at time T.

Figure 20: Forward contract payoff function Source: Hull (2012)

Below we can see the payoff functions of the four different possibilities for options. The difference between an option and a forward is that at the maturity of an option contract (for European options), we only have the option to buy or sell a certain asset for the contracted price if we are the ones who bought the option. For this, there is usually an option premium which needs to be paid, and if we do not use the option to buy the asset, this option premium is our loss. This corresponds to the two left graphs in Figure 21. The right side of Figure 21 corresponds to the situation in which we have issued an option and sold it to someone; usually, we are trying to gain money from the option premium when selling options to the counterparty. Hull (2012) continues that, of course, we are then running the risk of a loss from an undesirable movement of the price; therefore, if a company wants to have the opportunity to benefit from a desirable movement of the price while having a limited loss, it should only buy options and not issue them.

Figure 21: Option payoff functions Source: Hull (2012)
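The forward and option payoffs described above can be compared directly for a company that has to buy an asset at time T. The following Python sketch is an added example, not taken from the thesis or from Hull (2012): it implements the payoff functions of Figures 20 and 21 and the resulting purchase cost with no hedge, a long forward and a bought call. The strike, premium and price scenarios are constructed values.

```python
def forward_payoff(position, spot_at_maturity, delivery_price):
    """Payoff at time T of a forward: S_T - K when long, K - S_T when short."""
    if position not in ("long", "short"):
        raise ValueError(f"unknown position: {position!r}")
    payoff = spot_at_maturity - delivery_price
    return payoff if position == "long" else -payoff


def option_profit(kind, position, spot_at_maturity, strike, premium):
    """Profit at maturity of a European option, option premium included."""
    if position not in ("long", "short"):
        raise ValueError(f"unknown position: {position!r}")
    if kind == "call":    # right to buy at the strike
        exercise_value = max(spot_at_maturity - strike, 0.0)
    elif kind == "put":   # right to sell at the strike
        exercise_value = max(strike - spot_at_maturity, 0.0)
    else:
        raise ValueError(f"unknown option kind: {kind!r}")
    buyer_profit = exercise_value - premium
    # The issuer (short position) earns exactly what the buyer loses.
    return buyer_profit if position == "long" else -buyer_profit


def purchase_cost(spot_at_maturity, hedge, strike, premium=0.0):
    """Net cost per unit for a company that must buy the asset at time T."""
    if hedge == "none":
        return spot_at_maturity
    if hedge == "forward":  # price is locked in at the delivery price
        return spot_at_maturity - forward_payoff("long", spot_at_maturity, strike)
    if hedge == "call":     # price is capped at strike + premium
        return spot_at_maturity - option_profit(
            "call", "long", spot_at_maturity, strike, premium)
    raise ValueError(f"unknown hedge: {hedge!r}")


def worst_case_profit(kind, position, strike, premium, prices):
    """Lowest profit of an option position over a set of price scenarios."""
    return min(option_profit(kind, position, p, strike, premium) for p in prices)


# Constructed scenario: strike/delivery price 100, premium 5, prices 60..160.
STRIKE, PREMIUM, PRICES = 100, 5, range(60, 161, 10)


def hedge_table(prices=PRICES, strike=STRIKE, premium=PREMIUM):
    """Rows of (S_T, unhedged cost, cost with forward, cost with call)."""
    return [(p,
             purchase_cost(p, "none", strike),
             purchase_cost(p, "forward", strike),
             purchase_cost(p, "call", strike, premium)) for p in prices]


if __name__ == "__main__":
    print("S_T  unhedged  forward  call")
    for row in hedge_table():
        print("{:>3}  {:>8}  {:>7}  {:>4}".format(*row))
    for kind in ("call", "put"):
        for position in ("long", "short"):
            worst = worst_case_profit(kind, position, STRIKE, PREMIUM, PRICES)
            print(f"{position} {kind}: worst case {worst}")
```

In these scenarios the bought options never lose more than the premium, while the issued ones lose more the further the price moves against them.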

If it is too expensive to apply any of the above strategies, or if there is no other option, the company needs to apply risk retention. As presented by Chapman (2011), there are three tests which must be followed:

1. Options – Did we discuss all the other possibilities/options?

2. Timing – Because the business environment is fluid and constantly changing, there might be no option right now, but in the future there might be a different possibility to use for treating the risk.

3. Ability to absorb – Do we have a clear quantification of the impact should the risk materialize? Are there any follow-up events which connected with this risk would cause a significant damage to our company?

Aven (2018) calls the ability of the company to absorb losses resilience. It is similar to the human body, which by building up its immune system has a higher chance of not getting ill when in contact with bacteria or a virus. The risk is unchanged; however, the impact or severity of the risk materializing is minimized. Therefore, companies might try to increase their resilience towards a specific risk by creating a buffer, which they can then use for dampening the impact.

3.1.5 Monitoring, review & other

The following step in the risk management process is monitoring and review. This holds for all the previous steps; it was mentioned in the first step, when creating a risk appetite, that this statement should be reviewed periodically. ISO (2018) highlights that the risk management process does not stop once all the risks have been identified at a certain point and the business carries on. As Frigo & Anderson (2011) describe, the environment in which the company operates is usually very complex and constantly changing; therefore, the whole risk management process from start to finish needs to be appropriately monitored, and changes, if needed, need to be addressed. Similarly to other corporate functions, what is happening in the risk management process needs to be communicated in the company. There is a need for a clear recording and reporting system.

3.2 Risk management evolution

3.2.1 Risk management development

In the previous chapter we discussed what risk management is and what the different steps in the whole risk management process or cycle are, and mentioned some of the methods used in risk assessment as well as the risk treatment strategies. In this part we are going to focus on how the discipline came to life and how it developed into the shape that it takes today. We have talked about the historical way of dealing with risks; examples were both human and animal sacrifices, which, fortunately, do not happen today in the modern developed world. The approach to risk management changed drastically, as Kloman (2010) sees it, with the increased use of statistical methods, which allowed people to quantify some of the risks, even if only the probability connected with them, and helped them understand better how their business functions. First, I am going to introduce the traditional approach to risk, which relates to the introduction of different risk types and dealing with them one by one, followed by a “new” approach, which is trying to tie all the risks the company is facing together and deal with them in a holistic way.

3.2.2 Traditional approach

Companies found out that the traditional way of insuring hazard risk was insufficient due to the fact that the protection of the insured goods was not in the centre of attention. Some other risks were not insurable; therefore, companies needed to find a different way to deal with risks. In the 1970s companies tried different self-insurance methods, contingency plans, or risk retention practices. Hopkin (2010) describes that the focus was later mainly on project risk management, followed by new tools and techniques, which were mainly quantitative, to deal with credit and market risk. If we decompose an organization into different parts or business units and place responsibilities on the leaders of these business units, we get the traditional approach to risk management. As we can see from Figure 22, the risks connected with financing are delegated to the head of treasury, the head of IT deals with the cyber risk, etc.

Figure 22: Traditional risk management approach Source: Beasley (2020)

Another name for this approach would be silo or stove-pipe risk management. McShane (2018) introduces a few of these silos, the first one being connected with hazard risks and the insurance associated with them. The second silo is financial risk management, which became widespread with the use of the Black-Scholes model for the pricing of options. Financial derivatives, explained in the previous chapter, were used to manage currency, credit, or commodity price risk. With all the financial scandals and fraudulent behaviour, a new silo emerged in the 1990s, which was concerned with compliance risk. At the time, the whole world paid increased attention to corporate governance. An addition to these silos would be the risks associated with supply chain management, as it definitely plays a role in serving the company’s customers and it is in the best interest of all sides to have a functioning supply chain.

However, according to the literature, this approach to risk management is inferior to the holistic risk management approach. One of the flaws of such an approach could be that the risks are managed by business unit leaders who do not communicate with each other and do not take into account how their actions impact other risks (Frigo & Anderson, 2011). Another reason, presented by Laszcz-Davis (2019), could be that the different silos generate white space between them, which results in a mismatch between strategy and operations or in the duplication of the same administrative work. Hoyt et al. (2008) share a similar view and see the lack of coordination between the different silos as its greatest flaw, even though the use of traditional risk management certainly has an effect on reducing the volatility of earnings when it comes to a specific risk, such as hazard risk.

3.2.3 Holistic risk management

As an answer to the flaws of traditional risk management, holistic risk management emerged. The terms holistic risk management, strategic risk management, total risk management, enterprise-wide risk management and enterprise risk management will be used in this work interchangeably. Haimes (1992) mentions that good management needs to address things holistically and advocates the creation of total risk management, a systematic process built upon risk management that would try to holistically address failures from four different sources: hardware, software, organizational and human.

Enterprise risk management is defined in the paper from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004):

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Another definition of holistic⁴ risk management can be found in ISO 31000:

“Risk is effect of uncertainty on objectives, risk management is coordinated activities to direct and control an organization with regard to risk.”

From both definitions we can clearly see the connection to the strategy of an organization. There is a clear goal or objective which is defined and is desired to be reached; however, owing to the business environment and the risks coming from both external and internal sources, it might be impossible to reach such a goal. What is more, the first definition includes the risk management process, starting from the scope, through risk identification, assessment and treatment.

4 While it does not specifically say that it is holistic risk management, the standard heavily implies the holistic view.
