I have written before about enterprise risk management, which is an essential piece of both performance management and corporate governance. Every aspect of business entails risk. Everyone who makes a business decision is – whether consciously or not – making trade-offs between risk and reward. Assessing risk is tricky in business because it means different things to different people depending on where they work and their specific role in an organization. From a broad view, risk management becomes an “enterprise” issue for three reasons. One is to ensure that risk management is harmonized across the company and consistent with the corporation’s risk tolerance. A second purpose is to manage cross-functional risks – things that happen in one part of the company can have negative impacts on other areas. The third is to address the risk elements of what’s called the agency dilemma.

Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from management. The agency issue exists where the best interests of the principals are either not congruent or in conflict with the interests of the agents (the professional managers running the corporation). Agency issues are rife in any large-scale business, at times to the point of distorting business practices in whole industries. For example, motion-picture distribution companies might be better off if they were to handle a larger number of lower-budget films, but today’s industry is driven by producers and agents whose interests are best served by making blockbusters. For the producers and “above the line” talent, these projects have large potential payoffs while the outsized risks are mainly borne by others.

Much of the focus in the economics literature has been on the shareholder/senior management version of the principal/agent problem and the various mechanisms used to align their interests, such as stock-based compensation plans (increasingly with vesting provisions to encourage a long-term view) and other incentive-based plans. Indeed, one reason “performance management” has been the focus of so much IT investment is the need to have measurement capabilities and incentive plans that align the strategic interests of the corporation with the objectives of executives, managers and employees.

Yet the explicit focus of many performance measurement and incentive compensation plans has been on goal achievement with little regard to the risks. In this respect, the risk aspect has been more implicit, leaving it up to the employees to use their judgment or relying on supervisors to police risk-taking and set the tone for risk tolerance. Fortunately, most of the time this works well enough. Unfortunately – as recent disasters have demonstrated – it doesn’t always. And it strikes me that in most of the latter cases, one of the contributing factors has been the lack of attention to the risk aspects of the agency dilemma.

Just as shareholders’ concerns are not always going to be aligned with senior management’s, middle managers’ objectives may not always be well aligned with those of senior executives. I think this is especially true when it comes to making decisions about risk. Reputational risk, for example, usually matters more to the senior managers (who are more closely identified with the company) than to those running business units or functional areas. For this reason, and because they almost always are evaluated explicitly on some sort of output measure (volume, profits, cash flow and the like), lower-level managers have every reason not to err on the side of caution. Senior executives also may (intentionally or not) court disaster by stressing output without measuring risk. In such a case, a line manager may forgo required maintenance in order to meet some rush order. Ninety-nine times out of 100 this doesn’t matter. But the one time it does, catastrophe ensues.

Thus when risk is not measured explicitly, midlevel managers are put into a position where they have a strong incentive to ignore or undervalue risks (from the shareholders’ and executives’ perspectives), even if senior executives would support a decision to, say, forgo the rush order or negotiate some alternative. Part of this is human nature – it’s hard to disprove a negative. Without explicitly being able to demonstrate that they made the appropriate trade-off, a middle manager may be penalized for choosing the safer option. Over time, if employees learn that making a sensible trade-off only leads to grief, they stop making sensible decisions.

Compounding the problem is the difficulty of appropriately defining and measuring risk. One of the factors that inhibit explicit enterprise risk management is that, outside of several already heavily regulated industries, there is limited experience with establishing formal systems for measuring and monitoring business risks. Banks and insurance companies, for example, have centuries of experience developing analytical frameworks for risk management and devote a great deal of management horsepower to compliance. (Despite this, disasters happen with depressing regularity, but that’s another topic.) Consequently, organizations may not collect risk metrics and may not even understand or agree on what those metrics ought to be. The lack of data, in turn, can inhibit the development of formal enterprise risk management systems and processes. Yet despite this lack of experience, I suspect that it’s possible to assemble a sufficient number of risk metrics to make this part of a performance measurement system. For example, in the maintenance example, the appropriate control is to monitor a system that schedules the work and can raise cautionary flags when it is delayed. A built-in audit function also could be added to compare actual to budgeted maintenance spending and flag this if outlays lag expectations.

Another contributing factor to the neglect of enterprise risk management is the absence of this important factor from purveyors of “balanced scorecards.” This technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. They are “balanced” because they incorporate metrics that model the kinds of trade-offs that managers want employees to make. If, for example, call centers only measure call times, customer satisfaction will suffer because agents will attempt to get callers off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard would include first-call-resolution percentage as a compensating metric.

Some companies have developed sophisticated systems that properly balance objectives so employees are rewarded for making the right trade-offs. Still, few include risk explicitly; I think “risk” ought to be a separate category alongside the typical array of “financial,” “internal business processes,” “customer” and “learning and growth.” Incorporating risk explicitly in performance management systems helps manage the agency dilemma. Because managers are explicitly evaluated on risk, they have incentive to apply the proper balance in day-to-day decision-making. Moreover, this approach addresses the agency dilemma since those further up in the hierarchy can be alerted when risk thresholds are exceeded.

Robert Kugel – SVP Research

I recently commented on why I believe companies must manage taxes more intelligently. One dimension of this is optimizing tax risk exposure. Most corporate tax codes are notoriously complex and at times ambiguous, leaving room for companies to interpret their application. These interpretations fall on a scale of “conservative” to “aggressive,” in which companies weigh the risk of penalties and other negative outcomes against that of paying more taxes than necessary. It strikes me that few of the companies that should be paying attention to these sorts of trade-offs are doing so. I suspect there are a couple of important reasons.

First, though, I should note that there are plenty of companies that needn’t bother with trying to optimize their tax exposure. All small and almost all midsize companies do not have enough money at stake to make a formal effort worthwhile. They address the issue well enough in an ad hoc fashion. And, regardless of their size, companies that have simple entity structures, that are in industries governed with relatively less complex tax regimes, or that operate in a limited number of tax jurisdictions are unlikely to find enough value in actively managing their tax risk exposure. However, this still means many larger and some midsize corporations could be handling their tax risk exposure more intelligently.

So why don’t those companies do a better job of managing their tax risk exposure? I believe at least four intertwined reasons are at work. One is that the penalty for aggressive interpretations has been limited. Governments have been “punching below their weight” in tax enforcement, so they don’t always challenge aggressive stances. When they do, the aggregate downside relative to paying more in the first place is usually quite acceptable. Until this changes, it’s unlikely that companies will believe it’s worthwhile to change. Second, managing direct taxes is a highly manual process in a majority of larger companies. In part because enterprise resource planning (ERP) and accounting systems typically are not provisioned to be tax aware (because executives don’t believe it’s worth the investment), tax departments believe it’s too difficult to automate the tax planning and provisioning process. These transaction systems do not collect and/or are not able to handle the tax jurisdiction dimensions of transactions, which can be extremely complex in large, multinational companies. A workaround to the lack of tax awareness in ERP/accounting systems is a “tax database of record,” which also can reduce the administrative costs of the tax function. A third, related reason is that without hard data, it’s too difficult to prove the negative: What would the effective tax rate have been if a company were willing to take more risk? Thus, it’s tough to determine that there’s sufficient upside to trade off a higher risk profile with lower taxes.

However, I believe the main obstacle to managing tax risk more effectively (that is, achieving the right balance between safe and aggressive for the specific company) is that tax is a highly specialized and – to be blunt – an obscure function in just about all organizations. Until senior executives start to believe that there’s enough of a return in optimizing tax risk exposure, the resources to do so will be hard to come by. Tax departments that want to become a strategic asset in their company will need to demonstrate that there’s value in more intelligent tax planning and provisioning.

Robert Kugel – SVP Research

