Here’s a fact that bucks conventional wisdom: More shareholder value has been wiped out in the past five years as a result of mismanagement and bad execution of strategy than was lost through all the recent compliance scandals combined. This is a key finding of a recent Booz Allen Hamilton survey and analysis of the performance of 1,200 firms with market capitalizations of more than $1 billion for the five-year period from 1999 through 2003.
Consider the 360 worst financial laggards. Eighty-seven percent of the value lost by these firms was attributable to strategic missteps — management ineffectiveness in reacting to competitive pressures or in forecasting customer demand — and operational blunders, such as cost overruns and M&A integration problems. Only 13 percent of the value destruction suffered by these companies was caused by regulatory compliance failures or resulted from poor oversight of company operations by corporate boards.
Still, the media went for the headlines on compliance debacles. And the Sarbanes-Oxley Act (SOX) — a legislative attempt to rein in rogue corporate activities through stringent new rules for governance, data integrity, and disclosure — was passed to help U.S. businesses move on from the Enron saga. Obviously, compliance is vital, and the Sarbanes-Oxley legislation can help. But it will do little to improve most firms’ real risk profile.
Despite its reputation as a panacea for raising the bar on business governance, SOX is essentially a quality-control mechanism piggybacking on financial reporting systems. It does little to protect the strategic and operational elements that, according to our survey, are the primary cause of shareholder value destruction. Because of this, the impact of SOX on management reforms intended to improve corporate performance has been disappointing: To insulate their boards and senior executives from extensive scrutiny, firms have ended up sacrificing growth and innovation for regulatory acquiescence.
In reacting to Sarbanes-Oxley with an exaggerated fear of risk exposure, many companies are tempted to reduce risk management to an expensive “box-checking exercise” in regulatory compliance. However, companies need to do much more: They must be proactive in addressing risk by understanding and anticipating the full range of threats to their businesses. And they must embed risk management in strategic planning. These two processes are interdependent: Only when companies develop a risk management program that protects and enhances shareholder value can they eliminate unwanted earnings surprises and foster growth.
Recognizing that companies have to deal with SOX and manage for growth, executives must design a more robust and integrated strategic planning process built on a broad understanding of all risks to the business. Board directors and senior managers need to look beyond traditional risks — typically, capital credit and physical security — and anticipate earnings-driver risks and cultural risks, too. The specifics of such an ambitious risk management agenda will vary from company to company, but we have identified five components of an effective program:
Define what constitutes “risk” and develop early-sensing mechanisms. Most companies need to expand their definition of risk beyond market, legal, and natural hazards. They need to consider threats that could have a long-term influence on company performance, such as customer churn, price pressure, and brand impairment. They also need to address weaknesses in organizational behavior, and the management and cultural factors that influence it, such as misaligned incentives, unethical conduct, and communications breakdowns. Companies also need to institutionalize sensing mechanisms to anticipate emerging risks. An earnings-driver risk assessment, for example, identifies and sets priorities around key demand and supply-side risks.
Determine the risk agenda. After defining, identifying, and ordering risks, management needs to assess how capable the organization is of mitigating the most serious risks. Companies can establish an effective risk agenda by determining where high-priority risks are met with weak capabilities. This risk agenda can be used to align the actions of various company stakeholders, such as the risk committee, office of the chairman, and business or functional management.