Risk management

Smart moves in the transfer market

Many companies over-insure themselves. By taking a structured approach, procurement can help to optimise risk decisions and reduce insurance costs
 

Winter 2008-09

by Mauro Erriquez, Nicolas Reineke and Walther Kiep

The chances are that your company has an irrational attitude to risk. Although there is increasing recognition that the management of risk is an essential part of doing business, few organisations that we meet take a consistent approach to the broad range of risks that they face. This is a problem because in today’s market risks are getting bigger, happening more frequently and becoming more expensive to mitigate.

The rise of risk creates difficulties but it also creates opportunities for competitive advantage, which is why getting risk under control is a challenge for the whole company. The CPO and the procurement function have a particularly important role to play in this process, because they have a direct influence over some of the largest risk costs.

Traditionally, when companies thought about business risks, they conjured up visions of factory fires and floods destroying warehouses. In reality, these risks represent only a small fraction of the total risk exposure. Behind such high-cost, low-frequency risks there lurks a frightening pack of other risks, whose costs may be smaller but whose likelihood is much higher.

These other risks include those caused by the market, such as raw material price volatility. They include currency depreciation and credit default risks, both of which are particularly pressing concerns today. They include business risks, such as disruptive new technologies or the loss of customers. And they include a host of operational risks, such as unexpected loss of production capacity or quality problems.

All of these risks threaten a company’s health, but they are often treated in a dramatically different way. Whereas fires and floods are infrequent, their effects would be tangible and catastrophic. Companies typically transfer these risks to third parties by buying insurance. In fact, the prospect of this kind of risk is so frightening that it is common to over-insure against them.

Volatility risks, by contrast, are often more poorly understood. This is not surprising, because their effects can be complex. In recent years, US car makers, for example, have found themselves exposed to risks caused by the weak yen, not because their sales in Japan are particularly significant, but because a weak yen made it far cheaper for Japanese car producers to enter the North American market.

If companies do act against these volatility risks, they typically do so only partially, by hedging raw materials prices, for example, or through “invisible” hedging strategies achieved by fixing prices, volumes or durations during contract negotiations.

In our experience, poor understanding of these risks and the strategies available to mitigate them means that companies usually under-protect, but occasionally over-protect, themselves. Either approach can be extremely costly.

We see three typical problems in risk management:

• Wrong focus. Sometimes companies address an arbitrary subset of the real risks they face, by insuring against fire damage but not production downtime, for example, or by hedging against currency volatility but not raw material price fluctuations.

• Deliberate avoidance. Sometimes companies simply pretend that some risks don’t exist, by failing to insure against product recall costs, for example, or by considering the effect of raw material price volatility in their own production, but not at sub-suppliers.

• Overreaction. Occasionally, companies swing too far the other way, spending large amounts to insure against small-value risks or, as some auto-industry firms have done recently, 100 per cent hedging on essential precious metals.

In fact, unanticipated risks can overwhelm other aspects of corporate performance. Last year, one major US airline transformed the efficiency of its operations, saving $200 million per quarter. But it saw these dramatic gains wiped out by an increase in jet fuel costs of $250 million per quarter.

Volatility can work the other way too. The US dollar declined rapidly in 2004, which hurt many US companies with overseas supply chains. One large beverage maker, by contrast, successfully used its global footprint to hedge against currency fluctuations. As a result, it was in a position to benefit from the collapse of the dollar. Currency gains accounted for 115 per cent of the group’s revenue growth that year.

It has always been important to handle risks properly, but it is even more so today. Besides the increasingly complex laws and directives requiring companies to take appropriate steps to manage risks – some of which even carry criminal penalties – major risk events, such as wars and natural disasters, are becoming both more frequent and more costly (see figure 1 below).

Price volatility in raw materials has increased dramatically. At the time of writing, concerns about softening demand have reduced the price of many commodities from the record highs of earlier in 2008, but recent price volatility has been unprecedented. Analyst estimates expect this volatility to get worse in the coming years.

The traditional mechanisms of external risk transfer, such as insurance, are also likely to become more expensive. Insurance has always been cyclical, generally following fluctuations in the credit market. Today, that is bad news. Insurance companies have borne the costs of some major catastrophes in recent years, including hurricanes in the US and crop failure in Australia. Their returns on capital investments have plummeted too. 

The 2008 banking crisis has also had a profound effect on the cost and availability of other modern mechanisms for risk transfer. The price of credit hedging instruments has increased sevenfold since August 2007, while poor liquidity means banks cannot buy or sell some other risk instruments at all.

To avoid the problems presented by the rise of risk, and to ensure that they are managing all their risks in the most effective way, companies need to fundamentally change the way they consider and act on it. This transformation needs to encompass many aspects of corporate behaviour, but it starts with a shift in mindset. Only by thinking about risk in a different way can companies stop treating it as an afterthought or an unfortunate cost and start to understand the fundamental role that risk plays in the success, or failure, of all of their activities.

First, companies need to stop thinking deterministically and start thinking probabilistically. They need to consider the full range of likely outcomes when planning for risk. Second, they need to move away from thinking only about risk mitigation to thinking about risk optimisation. Many risks have an upside as well as a downside. If a company’s risk strategy prevents it from benefiting from that upside – for example, by locking it into fixed-price contracts as prices fall – it will lose out.

Third, they need to ensure that they are not making intuitive decisions about risk, based either on fear or overconfidence. Instead, they must make decisions based on the best available data. In most cases, this does not mean merely historical trend analysis but requires a detailed microeconomic analysis of each category. Lastly, they need to ensure risks are not considered in isolation or that responsibility is handed over to technical risk specialists. Rather, the management of risk should be the responsibility of every part of the business. The role of the CPO in this expanded responsibility is a significant one.

A new way of acting

There is a basic psychological problem underlying many organisations’ poor handling of risk. People have a tendency to worry a lot about very serious, but extremely unlikely, risks such as natural disasters. By contrast, more common, but less serious, risks tend to be underestimated. Rationally, the cost of all risks can be measured in the same way: as the sum of losses, the risk control costs, risk financing costs and administration. This measure is known as the total cost of risk (TCR).

Companies can use TCR to ensure they are giving all risks the attention they deserve. They also need a process that will allow them to make balanced decisions about which risks to pass on, which to hold and how best to manage them. The transformation to a truly risk-aware business takes place in five distinct steps (see Briefing, opposite page).

As part of the process of getting risks under control, companies need to adopt mitigation strategies to reduce their exposure to undesirable risks. There are four fundamental ways to do this. Their availability and cost-effectiveness varies by industry and by risk, so choosing an appropriate mitigation approach is a key element in each company’s risk strategy.

• Move risks downstream. Sometimes companies can pass risks on to their customers. Food companies did this in 2008 when they passed on much of the cost of rising ingredient prices directly to customers. Not all industries have that option. Car makers, for instance, have been unable to pass on rising steel prices to their customers for fear of losing sales.

• Mitigate risks internally. Companies can often reduce their structural exposure to risks. One option is to invest in risk-reducing technologies; another is to take design or portfolio decisions to reduce the effect of material price volatility. UK breakfast cereal manufacturer Weetabix, for example, responded to recent record wheat prices by introducing an oat-based product to the market.

• Move risks outside. For many categories of risk there are publicly available mechanisms to transfer risks to third parties with an appetite for them. These include insurance policies and more sophisticated instruments such as hedges and credit default swaps. The purchase of these risk transfer instruments is, increasingly, a responsibility of the procurement function.

• Move risks upstream. Many classic procurement techniques can help to move risk to suppliers. Contract negotiations, identifying new sources of supply and backward integration into the supply chain can all help to transfer risks upstream. In fact, the shape of purchase contracts has a direct effect on a company’s risk exposure. Recognising this is one important way that procurement can help to shape a company’s risk profile.

How CPOs can contribute

Procurement influences several types of business risk. As a result, the function can play a critical role in optimising a company’s approach to risk. It can do this in two fundamental ways:

• Optimise the risk transfer to other organisations by rigorously applying the same tools it uses in any other category to the purchase of insurance products and other risk instruments.

• Control the organisation’s exposure to variability risks in purchased products and materials.

In the current climate, these routes provide CPOs with an effective mechanism to help control overall risk exposure quickly and cost-effectively. In many companies, the two levers can work in harmony: smart purchasing of insurance can dramatically cut the cost of transferring risk to third parties, while smart application of those savings in the form of hedges can dramatically increase the organisation’s ability to withstand many of the risks that it cannot transfer.

There are other good reasons for starting risk optimisation efforts with a review of insurance purchasing. Gains made here are quick and usually substantial, which helps to gain exposure and traction for longer-term risk management efforts. They are also a flexible way of controlling a company’s overall risk exposure.

Insurance is still by far the most popular risk instrument for non-financial companies. A survey of more than 200 industrial CFOs worldwide by Deutsche Bank found that 83 per cent used insurance as a risk transfer mechanism. By contrast, less than a third used commodity derivatives and fewer still used more sophisticated products such as credit derivatives (see figure 2 above).

Even aggressive procurement functions tend to have a conservative approach to purchasing insurance. This conservatism is understandable: nobody wants to admit that they increased the excess on a fire insurance policy the week before the factory burned to the ground. Unfortunately, such an approach also results in unnecessary expenditure as companies spend too much insuring too many risks. Typically, insurance expenditures account for between 0.3 and 0.5 per cent of a company’s turnover.

There are three levers available to companies to optimise their cost of insured risks. The first is quite widely adopted via insurance brokers. By making the best use of their purchasing power, by simplifying supply structure, bundling products with suppliers and negotiating aggressively, it is possible to save significantly on insurance purchases.

As in other spend categories, however, leveraging purchasing power only delivers around one-third of the total savings available in insurance. Best-in-class companies go much further, by making fundamental changes to the nature of the products that they buy and to the processes they use to administer those products. One global chemicals company, for example, cut its
€65 million global insurance expenditure by a quarter by centralising insurance purchasing and adopting a TCR approach to all insurance purchases.

The biggest opportunity for companies like this in the purchase of insurance is to reduce the number of risks transferred to insurance companies in a make-or-buy decision. In general, companies will insure a broad range of risks, from catastrophes to minor inconveniences.

The advantage of holding risks in-house comes from the fact that risk transfer to an insurance company is inherently inefficient. Between 40 and 50 per cent of insurance premiums actually cover the cost of risk for the insurance company. The rest is absorbed by profits, taxes, marketing and administration. Not transferring risk gives companies opportunities to avoid many of these costs. By ensuring that they carry risks at the highest level they can afford, it is often possible for companies to cut their TCR by 20-30 per cent.

The steps that a procurement function should take in order to optimise its insurance purchasing processes exemplify the modern approach to risk management:

1. Identify and understand the risks. For previously insured risk, gaining an understanding is particularly straightforward. Companies will have records of their historical insurance costs, together with the number and value of claims. This data, together with information on business changes that might affect future claim patterns and contractual conditions that might reduce the freedom to modify insurance purchasing practices, enable a company to evaluate the TCR of currently insured risks.

2. Decide which risks are “natural”. A company is unlikely to be the natural owner of some risks that it currently buys insurance for, but because the cost of transfer to an insurance company is inherently inefficient, it is cheaper for a company to hold the maximum risk it can afford.

3. Determine risk capacity. Fully determining risk capacity requires a company to analyse all of its cash flows and determine what cannot be placed at risk, as described above. There are rules of thumb available, however. Initial estimates of risk capacity as 5 per cent of earnings before interest and taxes, or 10 per cent of cash flow, can be used in the early stages of analysis.

4. Embed this understanding into processes. When it has identified the insured risks it can bear itself, a company can take steps to make provision for those risks internally. Simply by increasing the retained risk in casualty insurance to
€5 million per claim, one European automotive supplier cut its TCR in this area by 25 per cent to €12 million a year.

5. Align governance and organisation. Taking on more risk internally often requires significant organisational changes. Cash-rich companies might choose to handle the new risk from existing cash reserves but, depending on corporate structure and local regulations, many organisations choose to establish a captive insurer or re-insurer to hold the risk for them. A captive insurance company can also promote efficiency in transferred risk by opening direct access to wholesale reinsurance markets.

These steps are relatively quick for companies and their procurement functions to implement. The analysis phase typically takes two to three months, with implementation taking a further three to four months. Starting the programme six to eight months before insurance contracts are due for renewal allows sufficient time for decisions to be made and structures to be put in place to continue uninterrupted cover.

One major European provider of logistics and related services used these levers to considerable effect. The €50 billion company had an initial insurance cost of around €170 million a year. After deciding its risk-bearing capacity, based on financial performance, the company established an internal captive insurer to manage retained risks and give it direct access to reinsurance at low cost for the transfer of major risks. These steps reduced the company’s annual insurance expenditure – measured as TCR – by 30 per cent, to €120 million, while maintaining the same level of income and balance sheet protection for major risks.

Avoiding the pitfalls

Taking this new approach to insured risks is a powerful first step on the road to becoming a truly risk-aware company. Not only is it quick to execute, but for the CPO it has the critical advantage of freeing up cash that can be used in other ways. As organisations seek to balance their risk exposure, it is likely that this cash may come in useful in hedging against raw materials volatility or for other risk mitigation strategies.

In taking the next steps, companies should return to the five-phase approach to risk management. As they begin to tackle more complex and less-well understood risks, however, they must be careful to avoid a number of common pitfalls. The first is “paralysis by analysis”. Building a detailed picture of risk across the business is complex, but some companies spend months on data collection and analysis without taking action. In practice, companies should try to identify the biggest risks quickly so that work can begin on mitigating these while the full risk picture is still being painted.

The second pitfall is siloed thinking. Even where a risk mitigation programme is being driven by the procurement function, CPOs must be careful to ensure that they are including all aspects of the business in the process, both to gain the fullest possible picture of the risks they face and the company’s capacity to handle them, and to deliver access to the broadest possible range of mitigation levers.

The final pitfall comes from risk culture – the mindset and capabilities of the people throughout the company. All too often, companies make mistakes in their handling of risk because of entrenched bad habits or because they lack the skills to make truly informed decisions. Selectively investing in people with the specialist skills needed to handle risk will help them to progress to the point where a rational approach to risk is embedded into everything the company does.

In uncertain times, strengthening a company’s risk culture may be one of the most effective strategic decisions its managers can make. 

CHECKLIST: 

Five steps to better risk management

1. Identify and understand the major risks

Only with full transparency is it possible to have true understanding of the organisation’s risk exposure and then make informed decisions about how to manage it. Companies need to examine every aspect of their business, customers, partners and suppliers to identify the primary sources of risk.

2. Decide who is the ‘natural owner’ of the risk

Companies can now seek out not simply those businesses of which they are the natural owner (which represent a bundle of risks) but also those risks of which they are the natural owner. Such risks should be kept and, if possible, acquired. All others should be hedged or transferred.

This “natural ownership” advantage can come from privileged insight into a market – an oil company, for example, is better placed to understand refining capacity risks than an airline. It can come from the availability of natural offsets to that risk – substitute feedstocks in a chemical process, for example, or the availability of counter-cyclical markets. It can come from the ability to flex operations in order to absorb volatility. Finally, natural risk ownership can come from financial advantages. Some companies have investors with an appetite for particular risks, while others enjoy cost advantages in holding risks thanks to strong balance sheets or wealthy parent companies.

The natural ownership assessment yields a clear risk strategy for the company. Advantaged risks create superior returns and (subject to the risk-capacity issues addressed below) should not be hedged or transferred. In fact, the company should seek to acquire such risks, whether in risk transfer markets or embedded with assets or commodities in physical markets. Disadvantaged risks should be mitigated wherever there are efficient risk transfer markets.

3. Determine the organisation’s risk capacity

Once it understands which risks it could or should own, the organisation needs to understand exactly how much risk it can absorb. There are a number of established techniques for this, which vary in sophistication and complexity. The aim is always the same, however: to give the company’s leadership an understanding of how risk could impact their ability to achieve their business goals. This understanding allows them to make informed trade-offs. Should they minimise risk to ensure that the cash is available to support ongoing growth plans, for example, even though they lose some potential for short-term profits?

4. Embed risk in all decisions and processes

Knowing how much risk they face, and how much they can afford to take, companies can take the steps to match appetite for risk with supply. To do this, they must identify and prioritise the levers available to them to optimise risk exposure and take action to ensure that they own only the right amount of the right risks. Any significant business decision could affect a company’s risk profile. Management needs to keep this in mind at all times, ensuring that the company stays on track with its planned approach to risk.

5. Align governance and organisation

Truly effectively risk management requires a strong “risk culture” – a set of incentives, behaviours and norms that define how people behave within organisations. Ongoing risk management is a cross-functional challenge and some companies find it useful to establish a dedicated risk board, where representatives from procurement, product development, finance, sales and operations meet regularly to decide on risk strategy.

Mauro Erriquez (mauro_erriquez@mckinsey.com) is a senior associate and Nicolas Reinecke (nicolas_reinecke@mckinsey.com) is an expert principal at McKinsey & Company, based in its Frankfurt and Hamburg offices respectively. Walther Kiep (w.kiep@kiep-consulting.de) is CEO of Kiep Consulting in Frankfurt. Andrew Freeman, a senior expert in McKinsey's global risk practice in London also provided input to this article.