Transcription
MANAGEMENT ACCOUNTING GUIDELINEFinancial RiskManagement forManagementAccountantsBy Margaret Woodsand Kevin DowdPublished by The Society of Management Accountants of Canada, theAmerican Institute of Certified Public Accountants and The CharteredInstitute of Management Accountants.
NOTICE TO READERSThe material contained in the Management Accounting Guideline Financial Risk Management for ManagementAccountants is designed to provide illustrative information with respect to the subject matter covered. It does notestablish standards or preferred practices. This material has not been considered or acted upon by any senior ortechnical committees or the board of directors of either the AICPA, CIMA or CMA Canada and does not represent anofficial opinion or position of either the AICPA, CIMA or CMA Canada.Copyright 2008 by The Society of Management Accountants of Canada (CMA Canada), the American Instituteof Certified Public Accountants, Inc. (AICPA) and The Chartered Institute of Management Accountants (CIMA).All Rights Reserved.No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means,without the prior written consent of the publisher or a licence from The Canadian Copyright Licensing Agency (AccessCopyright). For an Access Copyright Licence, visit www.accesscopyright.ca or call toll free to 1 800 893 5777.ISBN: 1-55302-228-92MANAGEMENT ACCOUNTING GUIDELINE
CONTENTSPageEXECUTIVE SUMMARY .4INTRODUCTION .4DIFFERENT TYPES OF FINANCIAL RISK.5WHY MANAGE FINANCIAL RISKS? .7A RISK MANAGEMENT FRAMEWORK.7Risk Identification and Assessment .8Risk Response .9Risk Control Implementation.10Review of Risk Exposures.10QUANTIFYING FINANCIAL RISKS .10Regression Analysis .10Value-at-Risk.11Scenario Analyses .12TOOLS AND TECHNIQUES TO MITIGATE RISK .14Market Risk Tools .14Credit Risk Tools .18Tools to Manage Financing, Liquidity, and Cash Flow Risks .19Tools and Techniques to Control Risk: Summary .20The Need for Clear Hedging Policies and Understanding of Derivatives Trading .21CONCLUSIONS.22CASE STUDY.22GLOSSARY .25ENDNOTES .26BIBLIOGRAPHY .273
Financial Risk Managementfor Management AccountantsExecutive SummaryThis Management Accounting Guideline (MAG) summarizesthe basic principles of financial risk management. TheMAG first briefly outlines (a) the different types of financialrisk that firms may face, (b) the basic elements of a riskmanagement framework, and (c) the benefits of managingfinancial risks. The MAG’s core sections then focus on theinterlinked issues of risk assessment (or quantification) andpossible control tools. Risk assessment and control toolsare suggested for each type of financial risk, and real-worldexamples are used to illustrate the discussion. A casestudy of the financial risks and the financial risk management choices available to Pietrolunga, a fictitious specialistItalian lumber merchant, shows how the suggestedmethods may be applied in practice. A glossary of keyterms provides a quick source of reference.Underlying all of the material in this MAG is the premisethat the key aim of financial risk management is to assistmanagement in controlling risks that may affect theachievement of organizational objectives. There is nosingle ideal risk management package, but risks will bemanaged most effectively if sound judgment and commonsense are combined with the use of a judicious mix ofqualitative and quantitative controls.Financial risk management has ranked very high on thecorporate agenda since the early 1990s, but the largelosses experienced in the last couple of years indicatethat many firms are still a long way from managing theirfinancial risks effectively.IntroductionWhile some of the tools and practices described in thisMAG have been developed by risk managers for use inand by financial institutions, the primary target audiencefor this MAG is the financial manager in non-financialorganizations that face an array of financial risks andchallenges inherent in doing business in today’s globaleconomy.Risk management is concerned with understanding andmanaging the risks that an organization faces in its attemptto achieve its objectives. These risks will often representthreats to the organization – such as the risk of heavylosses or even bankruptcy. Risk management hastraditionally associated itself with managing the risks ofevents that would damage the organization.Organizations face many different types of risk. Theseinclude risks associated with (a) the business environment,(b) laws and regulations, (c) operational efficiency, (d) theorganization’s reputation, and (e) financial risks. These4MANAGEMENT ACCOUNTING GUIDELINEfinancial risks relate to the financial operation of a business– in essence, the risk of financial loss (and in some cases,financial gain) – and take many different forms. Theseinclude currency risks, interest rate risks, credit risks,liquidity risks, cash flow risk, and financing risks. Theimportance of these risks will vary from one organizationto another. A firm that operates internationally will be moreexposed to currency risks than a firm that operates onlydomestically; a bank will typically be more exposed tocredit risks than most other firms, and so forth.It is frequently suggested that the key driver of change hasbeen a series of economically significant and large-scalefinancial disasters. To give just a few examples: in 1993,Germany’s Metallgesellschaft AG lost 1.3 billion in oilfutures trading, and in the following year the US municipality, Orange County, was forced to file for Chapter 9bankruptcy following massive losses from speculating onderivatives. In 1995, Barings Bank in the UK failed due tounauthorized derivatives trading by an offshore subsidiary.And in 1998 the hedge fund Long Term Capital Management (LTCM) collapsed – demonstrating that having twoNobel Prize-winning finance experts on its board ofdirectors offered only limited protection from financialrisks. Then there was the fall of Enron in 2001 and theaccompanying collapse of Arthur Andersen, the majoraccounting firm that acted as Enron’s external auditors.The last couple of years have witnessed a considerablenumber of huge losses involving many of the world’sleading financial institutions. Indeed, recent eventssuggest that many firms – including many financialinstitutions that should really have known better – still havea lot to learn about effective financial risk management.The financial risk management disasters of the last fifteenyears or so have (a) made it clear that risk managementis fundamental to good corporate governance, and(b) prompted a number of responses relating togovernance and internal control. Among these, theCombined Code in the UK and the King Report in SouthAfrica. All see risk management as part of the internalcontrol process for which the board of directors isresponsible. Similarly, in the USA the Sarbanes OxleyAct (SOX) of 2002 requires companies to establish andmaintain an adequate internal control structure forfinancial reporting.Over this same period, company managers have alsoincreasingly recognized the potential for effective riskmanagement to add value to an organization, and thelanguage of risk management has started to permeate theday-to-day language of business. As a result, it is nowcommonplace to consider the risk implications of manybusiness decision-making problems, such as (a) makingbudgetary choices, (b) choosing between alternative
operating plans, and (c) considering investment proposals.Risk reporting and risk disclosure are also becomingincreasingly important as stakeholders wish to know moreabout the risks that their organizations are taking.Naturally, there is huge variation in the level of resourcesthat are devoted to risk management across organizationsof differing sizes. At one end of the scale, the riskmanagement function may be performed by a single riskchampion or a part-time risk manager. At the other end ofthe scale may be found a dedicated risk managementdepartment headed by a chief risk officer with a seat on theboard. But no matter how small or large the organization’sdedicated risk management function might be, the currentview of risk management is that everyone in an organizationcarries some responsibility for managing and controllingthe risks to which it is exposed. The board of directorsholds the ultimate responsibility; it chooses the organization’s risk management strategy and is responsible forputting into place the organization’s risk managementframework. Other managers directly support risk management by (a) identifying risks in their area of expertise,(b) taking ownership and responsibility for those risks,(c) promoting compliance with the organization’s controlsystems, and (d) engendering a culture of risk awareness.Although risk management is primarily concerned withmanaging downside risk – the risk of bad events – it isimportant to appreciate that risk also has an upside. Thisupside involves the exploitation of opportunities that arisein an uncertain world, such as opportunities to profit fromnew markets or new product lines. Risk managementis therefore concerned both with conformance – that is,controlling the downside risks that may threaten achievement of strategic objectives – and with performance –such as opportunities to increase a business’s overallreturn. In this way, risk management is linked closely withachieving the organization’s objectives, and involves themanagement of upside as well as downside risks.This MAG offers introductory advice on (a) the nature offinancial risks, (b) the key components of a financial riskmanagement system, and (c) the tools that can be used tomake decisions under uncertain conditions. The advice willneed to be fine-tuned to fit differing organizational contexts,but the underlying message and risk management framework universally provide a basis for discussion amongsenior management on the drafting of their ownorganization’s financial risk management strategies.After briefly discussing the different types of financial riskthat firms may face and the benefits of managing them,we outline the basic elements of a risk managementframework. The core sections of the MAG focus on (a) theinterlinked issues of risk assessment (or quantification)and possible tools of control, and (b) how these may beapplied to each of the main types of financial risk – namely,market, credit, financing, and liquidity risks. Risk assessment and control tools are suggested for each financial risktype, and real-world examples are used to illustrate thediscussion. A case study of the financial risks and thefinancial risk management choices available to Pietrolunga,a fictitious specialist Italian lumber merchant, shows howthe suggested methods may be applied in practice, and aglossary of key terms provides a quick source of reference.Different Types of Financial RiskFinancial risks create the possibility of losses arising fromthe failure to achieve a financial objective. The risk reflectsuncertainty about foreign exchange rates, interest rates,commodity prices, equity prices, credit quality, liquidity,and an organization’s access to financing. These financialrisks are not necessarily independent of each other. Forinstance, exchange rates and interest rates are oftenstrongly linked, and this interdependence should berecognized when managers are designing risk management systemsFinancial risks can be subdivided into distinct categories;a convenient classification is indicated in Figure 1 below.Figure 1: Categories of Financial RiskFINANCIAL RISKSMarket RisksEquity risksInterest ratesExchange ratesCommodity pricesCredit RisksCustomer risksSupplier risksPartner risksFinancing/Liquidity RisksFinancingMarket liquidityCashflows5
Market risks: These are the financial risks that arisebecause of possible losses due to changes in futuremarket prices or rates. The price changes will often relateto interest or foreign exchange rate movements, but alsoinclude the price of basic commodities that are vital tothe business.EXAMPLE 1: CADBURY’S SCHWEPPES’EXPOSURE TO FOREIGN EXCHANGERATE RISKThe confectionery giant, Cadbury Schweppes,recognized in its 2007 annual report that it has anexposure to market risks arising from changes in foreignexchange rates, particularly the US dollar. More than80% of the group’s revenue is generated in currenciesother than the reporting one of sterling. This risk ismanaged by the use of asset and liability matching(revenue and borrowings), together with currencyforwards and swaps.the borrower or counterparty, repayment sources, thenature of underlying collateral, and other support givencurrent events, conditions and expectations.” Additionally,the bank splits its loan portfolios into consumer orcommercial categories, and by geographic and businessgroupings, to minimize the risk of excessive concentrationof exposure in any single area of business.Financing, liquidity and cash flow risks: Financing risksaffect an organization’s ability to obtain ongoing financing.An obvious example is the dependence of a firm on itsaccess to credit from its bank. Liquidity risk refers touncertainty regarding the ability of a firm to unwind aposition at little or no cost, and also relates to the availability of sufficient funds to meet financial commitmentswhen they fall due. Cashflow risks relate to the volatilityof the firm’s day-to-day operating cash flow.EXAMPLE 4: A CREDIT TRIGGERCredit risks: Financial risks associated with the possibilityof default by a counter-party. Credit risks typically arisebecause customers fail to pay for goods supplied on credit.Credit risk exposure increases substantially when a firmdepends heavily upon a small number of large customerswho have been granted access to a significant amountof credit. The significance of credit risk varies betweensectors, and is high in the area of financial services, whereshort- and long-term lending are fundamental to thebusiness.A firm can also be exposed to the credit risks of otherfirms with which it is heavily connected. For example, afirm may suffer losses if a key supplier or partner in a jointventure has difficulty accessing credit to continue trading.EXAMPLE 2: AMAZON’S CREDIT RISKSAmazon, the global online retailer, accepts payment forgoods in a number of different ways, including credit anddebit cards, gift certificates, bank checks, and paymenton delivery. As the range of payment methods increases,so also does the company’s exposure to credit risk.Amazon’s exposure is relatively small, however, becauseit primarily requires payment before delivery, and sothe allowance for doubtful accounts amounted to just 40 million in 2006, against net sales of 10,711 million.EXAMPLE 3: CREDIT RISK MANAGEMENT INTHE BANK OF AMERICAIn its 2007 annual report (p.69), Bank of America statesthat it manages credit risk “based on the risk profile of6MANAGEMENT ACCOUNTING GUIDELINEBanks often impose covenants within their lendingagreements (e.g., a commitment to maintain a creditrating), and access to credit depends on compliancewith these covenants. Failure to comply creates the riskof denial of access to credit, and/or the need to takeaction (and costs involved) to restore that rating.For example, the 2005 annual report of Swisscom AGshows that the company entered into a series of crossborder tax lease arrangements with US Trusts, in whichsections of its mobile networks were sold or leased forup to 30 years, and then leased back. The leasing termsincluded a commitment by Swisscom AG to meetminimum credit ratings. In late 2004, however, adowngrading by the rating agencies took the company’scredit rating to below the minimum specified level.As a result, Swisscom AG incurred costs of SwissFrancs 24 million to restore that rating.EXAMPLE 5: HOW NOT TO MANAGEFINANCING RISK: NORTHERN ROCKThe UK bank Northern Rock provides a classic exampleof a company that succumbed to financing risk. Itsbusiness model depended upon access to large levelsof wholesale borrowing. But in late 2007, this fundingdried up during the “credit crunch” that arose out of theUS subprime mortgage crisis. Without access to loansfrom other commercial banks, Northern Rock was unableto continue trading without emergency loans from theBank of England to bridge its liquidity gap. However,even massive emergency loans were unable to restoreinvestor confidence in the bank, and the BritishGovernment eventually felt compelled to nationalize it.
Why Manage Financial Risks?Firms can benefit from financial risk management in manydifferent ways, but perhaps the most important benefit isto protect the firm’s ability to attend to its core businessand achieve its strategic objectives. By making stakeholders more secure, a good risk management policyhelps encourage equity investors, creditors, managers,workers, suppliers, and customers to remain loyal to thebusiness. In short, the firm’s goodwill is strengthened inall manner of diverse and mutually reinforcing ways. Thisleads to a wide variety of ancillary benefits: The firm’s reputation or ‘brand’ is enhanced, as thefirm is seen as successful and its management isviewed as both competent and credible. Risk management can reduce earnings volatility,which helps to make financial statements anddividend announcements more relevant and reliable. Greater earnings stability also tends to reduceaverage tax liabilities. Risk management can protect a firm’s cash flows. Some commentators suggest that risk managementmay reduce the cost of capital, therefore raising thepotential economic value added for a business. The firm is better placed to exploit opportunities(such as opportunities to invest) through animproved credit rating and more secure access tofinancing. The firm is in a stronger position to deal with mergerand acquisitions issues. It is also in a strongerposition to take over other firms and to fight offhostile takeover bids The firm has a better managed supply chain, and amore stable customer base.These benefits show that it is difficult to separate theeffects of financial risk management from the broaderactivities of the business. It is therefore important toensure that all parties within the organization recognizeand understand how they might create or control financialrisks. For example, staff in the marketing departmentmight be trained on how to reduce financial risks throughtheir approach to pricing and customer vetting. Similarly,buying policies can create financial risks by, for example,creating an exposure to exchange rate movements.Consequently, it is important to establish an integratedframework for managing all financial risks.A Risk Management FrameworkOrganizations face many different types of risks, but theycan all be managed using a common framework1. Theframework summarized in this section therefore directlyapplies to financial risk management, and provides acontext for subsequent sections that (a) outline thedifferent types of financial risks, and (b) explain howfinancial risks may be identified and assessed beforeimplementing appropriate strategies and control systems.Figure 2: The Risk Management CycleEstablish risk managementgroup and set goalsIdentify risk areasReview and refine processand do it againUnderstand and accessscale of riskInformationfordecision makingImplementation andmonitoring of controlsDevelop riskresponse strategyImplement strategy andallocate responsibilitiesSource: Risk Management: A Guide to Good Practice, CIMA, 2002.7
Risk Identification and AssessmentCIMA’s risk management cycle, illustrated in Figure 2,shows that risk management forms a control loop thatstarts with defining risks by reference to organizationalgoals, then progressing through a series of stages to areassessment of risk exposures following theimplementation of controls.The first stage is to identify the risks to which theorganization is exposed. Risk identification needs tobe methodical, and to address the organization’s mainactivities and their associated risks. Risk identification maybe carried out via questionnaires, surveys, brainstormingsessions, or a range of other techniques such as incidentinvestigation, auditing, root cause analysis, or interviews.The aim is to use staff expertise to identify and describe allthe potential financial risks to which the organization maybe exposed.At the organizational level, the stages of the risk cycleare set against the background of a clearly articulated riskpolicy. Drafted by senior management, the policy indicatesthe types of risks senior management wants the organization to take or avoid, and establishes the organization’soverall appetite for risk taking. The starting point is therefore a general understanding of (a) the range and type ofrisks that an organization may face in pursuing its specificstrategic objectives, and (b) the scale and nature of anyinterdependencies between these risks. This overview canthen be used as the basis for constructing a more detailedrisk management strategy for each risk category – in thiscase, financial risks.The scale of each identified risk is then estimated, using amix of qualitative and quantitative techniques. (We willhave more to say on these techniques below. For the timebeing, however, we focus not on the techniques themselves, but on how estimates of these risk exposures areput to use.) After this, risks are prioritized. The resultingrisk ranking should relate directly back to overall corporateobjectives. A commonly used approach is to map theestimated risks against a likelihood/impact matrix, such asthat illustrated below. Often, both likelihood and impactwould be classified into high, medium, or low. The morelikely the outcome, and the bigger the impact, the moresignificant the risk would become. And it is especiallyimportant to identify and assess those risks that have thepotential to severely jeopardize the organization’s ability toachieve its objectives, or even to threaten its very survival.Based on the cycle illustrated in Figure 2, the coreelements of a financial risk management system are: Risk identification and assessment Development of a risk response Implementation of a risk control strategy and theassociated control mechanisms Review of risk exposures (via internal reports) andrepetition of the cycleThe estimated risks can then be prioritized using alikelihood/impact matrix, such as that illustrated in Figure 3.Figure 3: A Likelihood/Impact PACT86MANAGEMENT ACCOUNTING GUIDELINEHigh
The numbers relate to individually identified risks, and riskimpact may be expressed in either financial (quantitative)or nonfinancial (qualitative) terms. A private sectorbusiness may express impact in terms of forecast income,profit, or cash flow. On the other hand a public sectororganization may measure impact in terms of its ability toprovide services to a prescribed level.Let us suppose that risk number five in the grid relatesto the likelihood and risk of the impact on bad debts of arise in interest rates. For a company retailing small-ticketconsumer goods, the anticipated likelihood is shown ashigh – probably because of prevailing economic conditions– but the impact is relatively low. The accompanying riskregister will include more specific details of the risk, suchas specific interest rate forecasts, as well as the estimatedmonetary impact and the assumptions underlying itscalculation. In the case of a mortgage provider operatingunder the same economic conditions, this same risk maybe identified as having a much higher impact because ofthe size of the potential defaults and the fact that lending isits core business. In other words, the component risks andalso the resulting matrix of likelihood and consequenceswill vary from business to business, and are subject to adegree of subjective judgment. As long as this subjectivityis recognized, the grid provides a useful tool for rankingrisks and determining the appropriate levels of monitoringand control.Many firms find it useful to record their risk information ina risk register. Such a register would include informationon the type of risk, its likelihood of occurrence, its likelyconsequence, its potential monetary impact, and itsrelationship (if any) with other identified risks. The riskregister, which would also include information such asforecasts of key variables, the assumptions on whichcalculations are based, and the institution’s response toeach risk, would be regularly updated.Risk ResponseThe organization then needs to respond to the risks it hasidentified. An example would include setting out a policydefining the organization’s response to a particular risk, andexplain how that policy fits in with its broader objectives.It would also (a) set out the management processes tobe used to manage that risk, (b) assign responsibility forhandling it, and (c) set out the key performance measuresthat would enable senior management to monitor it. Inmore serious cases, it might also include contingencyplans to be implemented if a projected event actuallyoccurred.The organization should take account of the effectivenessof alternative possible responses. This requires that itbe possible to identify the level of “gross” risk prior toa response, and the level of “net” risk left after it. Theorganization should also take account of the costs andprospective benefits of alternative responses, as well astake account of how any response would relate to its riskappetite and its ability to achieve its strategic objectives.The possible responses can be categorized into threecategories, as illustrated in Figure 4.Internal strategies imply a willingness to accept the riskand manage it internally within the framework of normalbusiness operations. An example would be a decision touse the customer’s currency for pricing of all exports, andusing internal netting processes to manage currencyexposures.Risk sharing strategies relate to strategies that mitigate orshare risks with an outside party. An example would be aforward contract, which ‘locks in’ a particular future priceor rate. This prevents losses from unfavourable currencymovements, but locks the buyer into a fixed futureexchange rate. Another example is a joint venture.Figure 4: Risk Strategies and ToolsInternal Strategies:Accept and manage as a normal operating risk Natural Hedging Internal NettingRisk Sharing Strategies:Risk sharing arrangements involving outside parties Risk Transfer Strategies:Risk transfer while maintaining upside benefits Options Insurance SecuritizationForwardsFuturesJoint VenturesSwaps9
Risk transfer involves paying a third party to take overthe downside risk, while retaining the possibility of takingadvantage of the upside risk. An option, for example,creates the opportunity to exchange currency at a preagreed rate, known as the strike price. If the subsequentexchange rate turns out to be favorable, the holder willexercise the option, but if the subsequent exchange rate isunfavourable, the holder will let it lapse. Thus, the optionprotects the holder from downsi
A glossary of key terms provides a quick source of reference. Underlying all of the material in this MAG is the premise that the key aim of financial risk management is to assist management in controlling risks that may affect the achievement of organizational objectives. There is no single ideal ri
