414

Strategic Risk Management:

the New Competitive Edge
Christopher J. Clarke and Suvir Varma

If you can make one heap of all your winnings

and risk it on one turn of pitch-and-toss,
. . . then you're a damn fool, as Kipling might have said.

Risk is a key strategic issue. Business is about risk

and the old adage, ``The bigger the risk, the greater
the reward'',1 is still widely believed. Unfortunately,
the rewards do not always follow. Investors, creditors and employees expect companies to turn in
consistently strong performances, providing them
with return interest or pay commensurate with various degrees of security. Without risk there can be
no reward. There may well be a normal distribution
of risk and returns performance. Most companies
will perform around the mode of the distribution.
However, some companies seem to comprehend risk
more effectively than others and this shows in their
long-term stock prices. Success can be the result of
luck or superior risk management. Some risks taken,
pay out huge returns. Microsoft's Windows and
Glaxo's Zantac anti-ulcer drug are two examples.
For others, poor risk management can destroy the
company. Nick Leeson's wild and unsupervised
speculations brought down the mighty and historic
Barings. The disastrously under-performing Canary
Wharf property development project in London's
docklands brought down Olympia and York, then
the world's biggest property company. The Bhopal
chemical plant explosion in India devastated Union
Carbide as well as the local population. The Exxon
Valdiz catastrophe severely dented Exxon's market
value. Leveraged hedge funds have recently threatened the world's nancial system with the collapse
and rescue of LTCM.2 Other hedge funds have conrmed the relationship between high rewards and
high risks. The Tiger Fund lost $5 billion in two
months and the Soros Fund is restructuring.3
Pergamon
www.elsevier.com/locate/lrp

PII: S0024-6301(99)00052-7

Risk Management has become a critical issue

as a result of globalization and the continued
quest for greater returns. Whilst most
companies now see risk as a key strategic
issue, risk is typically still treated tactically and
piecemeal. In this article, the authors argue that
an integrated risk management approach
allows companies to consistently deliver
superior performance while proactively
managing risks. The article outlines a
structured methodology for risk management
process evaluation and change. The
methodology has been developed through the
authors' work as risk management consultants
to various companies globally. # 1999
Published by Elsevier Science Ltd. All rights
reserved

Satisfying stakeholders' needs is more risky today

than in the past. This is partly due to globalization.
Dealing with suppliers and customers across the
world provides additional opportunities, but it
brings increased complexity and political and currency risks. Consequently, there is an increase in
the potential for unplanned events to occur. If corporate managements could manage risks better,
avoid catastrophes and achieve above-normal
returns, a company's stock price would soar. In this
article, we argue that an integrated strategic risk
management approach allows companies to consistently deliver superior performance while proactively
managing risks. Our approach is based on A. T.
Kearney's work with more than 50 national and
Long Range Planning, Vol. 32, No. 4, pp. 414 to 424, 1999
# 1999 Published by Elsevier Science Ltd. All rights reserved
Printed in Great Britain
0024-6301/99 $ - see front matter

415
multi-national companies, both nancial and industrial.
The tree of modern risk management has its roots
in a number of unrelated disciplines. Military risk
analysis led to the evolution of operational
research.4 Personal and commercial risks generated
the insurance and actuarial approach to risk management.5 Strategic risk analysis and the recognition
that the future may not be like the past gave birth to
scenario planning.6 Another approach is the use of
option pricing theory to view different alternatives.7
Currency, interest and credit risks generated a banking approach to risk management and various hedging instruments.8 Operational and environmental
risk management gave rise to contingency planning
approaches.9 With the millennium bug almost upon
us, the risks of computer failure are generating their
own management science.10 All of these focused
contributions add value to our understanding of
risk.

Risk is a Strategic Issue, but is

Treated Tactically
However, our client work reveals a number of common failings in corporate risk management. Too
often, management focuses on the negative consequences rather than on such questions as, `How
does risk affect capital allocation? What risk-based
information do we need? How do we create a risk
culture? What are the best companies doing about
risk'? and `How do we ensure that our risk prole is
commensurate with returns and shareholder risk
appetites?'
Traditional risk management responsibilities and
responses are typically fragmented as a result of
their differing origins. Different departments deal
with different risks, using different approaches and
often at a very low level. Historically, a variety of
tools have evolved to support companies in managing discrete types of risk. For example, insurance
has traditionally been focused on hazard risks such
as re and theft. Financial derivatives evolved to
help banks manage commodity, currency and interest rate risks. Credit products are used to safeguard
against operational setbacks. Many companies seek
to manage risk by relying on forecasting from the
past and databases, but these are all insufcient.
There is a need for a holistic approach to understand enterprise-wide risk, rather than this piecemeal approach. In our experience, even in
sophisticated companies, management becomes confused and fails to adequately manage risks for the
company's advantage. Most companies have no
comprehensive mechanism to bring important risk
management and risk return issues to the board's
attention. The approach we suggest in this article

can be used by top management to guide the development of the risk management process, the organizational structure and the culture towards a best
practice approach, incorporating all aspects of risk.
It is a systematic approach to managing risk. It can
be viewed as enterprise-wide risk management
because it addresses all of a company's risks at an
enterprise or strategic level.

Denition

Risk management is a strategic business process.

Management needs to assess whether the company's
business activities are consistent with its stated strategic objectives, and how risk management is linked
to investment and growth decisions. It needs to
determine what risk-based returns the company
expects of its business activities. The board needs
an overall, bird's-eye view of risk exposures to
avoid surprises and to engender good governance.
Risk can best be understood in terms of its two
main elements: `stake' and `uncertainty' (see Figure
1). Each element usually has a gain and a loss potential. The stake may be a nancial gain or loss; an
improvement or deterioration in strategic position;
an improvement in or a damage to reputation; a
threat to a company's existence; or an increase or
decrease in its sense of security. The higher the
stakes, the greater the potential gains or losses.
Intel's development of the Pentium chip design for
the sub-$1000 PC had a high stake, as it cost hundreds of millions to develop. Many in the industry
felt that this segment did not require processing
speed. However, Intel's calculated risk paid off
handsome returns.
Uncertainty, in turn, varies by time and situation.
For example, forecasting from historic data only
works in periods of stability. These are intermittent.
In more turbulent periods or for the longer term,
scenario planning is a more appropriate approach.4
Risk management is shown as a strategic business
process in Figure 2. Information is continually gathered on the rm's environment. Using this input,
management evaluates, analyses and prioritizes the
dynamic risks facing it. It takes appropriate
measures to accept, share or reduce risks in accordance with stakeholders' appetites for risks and
value-based management principles, i.e. returns
commensurate with risks and cost-effective risk
management. Each of these steps is discussed in
detail below.
The process starts with a stream of inputs on the
rm's external environment. Most companies do not
have a consistent process to monitor the external environment in which they operate and consequently
remain unaware of all the risks being faced. The second step is to scan for opportunities and threats
based on the external environment analysis. The
prevailing business strategies must be re-aligned
Long Range Planning Vol. 32

August 1999

416

Large

Stake
Financial gain or loss
Strategic position
Reputation/image
Existence/health
Sense of security

Risk

Small
Low

Uncertainty Re-Gains or Losses

Nature of
Scale of
Likelihood of
Factors affecting

High

Validity of data
Validity of process
Risk tradeoffs

FIG. 1. Risk has two elements: stake and uncertainty.

based on the revisions in the environment. The process of monitoring, measuring and managing risks
may need to be modied based on the environmental scan. The recent Asian crisis has meant that
many rms now pay greater attention to counterparty credit risks and place less value on relation-

Inputs

Data on the
firm's
environment
Opportunities
Threats

ships alone. The latter have been a key component

of the so called `bamboo networks' supporting the
previous wave of Asian growth. In a recent survey
of small and medium enterprises in Australia,
results showed that most credit risks were still considered to be reduced by `the face and handshake'.11

Risk Management Process

Scanning for
Opportunities
Threats
Sizing

Evaluation
Stakeholder
appetites
Trade-offs

Risk
Strategy
Development
Options
Selection

Action
Planning

Evaluate and improve Performance and Process

Learning

FIG. 2. Risk management is a strategic business process.

Strategic Risk Management

Outputs

Implementation

Returns
commensurate
with risks
Avoidance of
catastrophes
Contingency
plans
Speed

417
Once the opportunities and threats are assessed,
management needs to decide what are its risk tolerance levels and its goals for risks and returns.
Companies such as Shell and BP have close to a
zero tolerance for environmental risk due to the potentially huge impacts on their reputations of
catastrophes, let alone the immediate nancial
impacts. Different investor groups usually have
different risk reward appetites. Widows and orphans
clearly wish to take fewer risks than vulture funds
and venture capitalists. The latter also expect higher
returns.
Management needs to develop a risk management
vision and strategy based on the risk environment
and stakeholders' risk appetite. The overall strategy
for risk management should include the risk management philosophy and organizational responsibility. Policy choices can range from a highly
centralized `controller' model (as evidenced by some
nancial institutions like J. P. Morgan) to a highly
de-centralized and autonomous risk policy (as evidenced by GE and its subsidiaries). From our benchmarking for clients, best practice companies have an
explicit and widely understood risk management
charter or policy document.
Like matter, risk cannot be destroyed. It can only
be changed from one form to another. This is shown
in Figure 3. There are clear trade-offs between risk
reducing activities. Risk can be reduced but only by

reducing returns or trading one kind of risk for

another.
Companies can attain signicant competitive advantage from superior risk competencies (see Figure
4). These include risk processes, culture, incentives,
training and organization. There are a number of
stake management competencies and competitive
advantages. Among these are the scale to absorb larger projects (as exemplied by Bechtel's ability to
undertake large infrastructure and development projects as it has a huge balance sheet and it spreads
risks through its large global portfolio of projects).
A second stake management competency is developing alliance skills to share the stake (as evidenced
by oil majors BP and Mobil which have combined
their European rening and marketing operations
through an alliance).12 However, it is important to
select the right allies. Those who selected Soharto
family members as their Indonesian business partners to reduce their political risk and increase
returns are now experiencing the opposite reality as
that dynasty falls. Other stake competencies include
superior technology to reduce the stake (e.g. ministeel mills cost much less than large one) and
speed. The latter diminishes the time that the stake
is exposed. Global power company Enron is faster at
deal making. Its project exposures are reduced as it
ofoads risk more quickly than many competitors.
There are also a number of management competen-

Hedging and Insurance

Management
Approaches and
Behaviors
To Risk

Alliances

Greater Analysis
Portfolio Spread

Smaller Scale

Focus on Core
Business

No Risk

Consequences of
Management
Approaches

No Returns
Lower Returns,
Opportunities for
Competitors,
Sub Scale Risks

Restricted to
Core Returns
Average Returns

Slower Returns,
Competitive Threats

Lower Returns, Danger

of Defection,
Lack of Control
Increased Costs,
Lower Returns

FIG. 3. Like matter, risk cannot be destroyed. It can only change from one form to another.
Long Range Planning Vol. 32

August 1999

418
Stake
Management
Competencies
Examples
. Scale to absorb
bigger projects

Ability to manage
high stakes

. Alliance skills to

Greatest
Competitive
Advantage

. Use of government

share stake

relations

. Unique technology
to reduce stake
. Speed

Examples

Limited ability to
manage stake and
uncertainty

. Influence on law
Ability to manage
high uncertainty

and regulation

. Superior databases
. Use of allies

Uncertainty
Management
Competencies

FIG. 4. Competitive advantage comes from superior competencies, i.e. risk processes, culture, incentives, training and organization.
cies that a company can use in order to reduce
uncertainty. A company can make use of personal
government relations and contacts (which is particularly prevalent in many Asian and developing
countries). Companies can also have an inuence on
law and regulation (as evidenced by accounting
rms working with regulators to have derivatives activities disclosed in annual reports in order to protect themselves from shareholder lawsuits). Another
uncertainty management competency is to use superior databases (e.g. credit scoring, as used by
credit card companies to reduce fraud and bad
debts). Lastly, companies can make use of allies to
reduce uncertainty (such as a local partner in
Chinese joint ventures; the ally has insights into
local culture and procedures which reduce uncertainty). Superior competencies also result from a
company's risk processes, culture, incentives, training and organization.

The Need for a New Approach

Corporations are beginning to see the need to reconsider risk management holistically. Whilst management in the relatively mature and stable food
industry shows a lower focus on risk management,
at the other extreme, rapidly changing or speculative
industries such as nancial services, mining/
exploration, information technology, and venture
capital already exhibit a `think risk' culture. The telecommunications and the power industries are
going through a period of globalization, privatization
and deregulation. Management in these industries is
shifting from an `avoid risk' culture to a `think risk'
culture (see Figure 5).
Strategic Risk Management

Yet risk is often badly managed. Our work with

over 50 large companies in risk management around
the world indicates that common corporate failings
include weak processes, e.g. leaving everything to
the CEO or entrepreneur; too narrow a focus, e.g.
focusing only on nancial trading or insurable risks;
inadequate data or analysis, e.g. relying only on
published data or credit ratings; focusing only on
the negative, or disaster avoidance; fragmenting risk
management by division, e.g. each division giving
the same customer different credit lines; and inadequate organization or teams.
Most companies do not have a comprehensive
risk strategy or vision. They have no clear risk organization responsibilities or culture. The approach
taken is fragmented, with operations, insurance,
treasury and human resources reacting ad hoc to
events as they arise. The relationship between risk
management and shareholder value is arbitrarily
kept separate. Risk management sophistication
ranges from mere risk identication, to consistent
measurement across risks, to linking risks and
returns. At the high end of the spectrum, companies
are able to demonstrate the strategic interrelationship between risks, returns and shareholder value.
Strategy is value-based, and business risk proles
drive capital allocation and, ultimately, shareholder
value (see Figure 6).
Weak risk culture sties performance and
adversely affects shareholder value. Entrepreneurs
taking a `damn the torpedoes, full speed ahead'
management style may reap huge returns, but they
also court disaster if their decisions are based on
insufcient analysis. Often, they win once or twice

419
'Think Risk'
Culture

Risk / Reward Trade-Off

Financial Services
Mining / Exploration
Pharmaceutical
Consumer Products

Venture Capital

Telecommunications
Airline

Power

Risk
Management
Capabilities

Technology

Defense Technology
Health Care
Telecommunications
Automotive

Power

Little or No
Focus on Risk
Management

Food
Risk Control Focus

Mature / Stable

Nature of Business

Changing Rapidly /
Speculative

FIG. 5. Industries need to reconsider risk management.

and then hit the rocks. As for those deciding not to
take any risks or to defer making a decision, the
consequences may be to miss the boat or lose out to
the competition. As a result, rms need to vary their

risk management style according to their strategy.

There is a pantheon of individuals who dared too
muchthe Reichmans, Freddie Laker, Robert
Maxwell, Tiny Rowland and others. One might label

Shareholder Value Objectives

Value Based Management

Maximization
of Cash Flows

Value Based
Strategy
Dynamic
Capital
Allocation
Capital
Allocation
Techniques

Quality of
Earnings
Linking Risk
and
Return(s)
Consistent
Measurement
Across Risks
Protection
Against
Unforeseen
Losses

Identification
of Risks
Risk Management Sophistication

FIG. 6. Typically, companies develop from left to right.

Long Range Planning Vol. 32

August 1999

420
1.

2.
Set
Direction

3.

Baseline and
Benchmark

5.5.

4.

Create the
Vision

6.
Design
Embed
Process
Continuous
Improvements Improvements

Implement Change

FIG. 7. Structured methodology for risk management process evaluation and change.
this as `the Napoleon tendency', i.e. the drive
through which victories reinforce risk-taking until,
ultimately, there is a Moscow or a Waterloo, where
too much has been bitten off.

Building a Risk Management

Competitive Edge
The approach, which we will describe below, can
help top management protect the company against
catastrophic losses and support superior risk returns
performance and shareholder value growth. Our six
step approach, developed through extensive work
with companies across a number of industries,
allows for the evaluation of the risk management
process and the implementation of change (see
Figure 7). Each step is described below. Multi-disciplined risk process teams are established to undertake these projects. Board involvement and
commitment are vital.

Step 1: Set Direction

This step focuses on developing an understanding

of the company's and its stakeholders' risk concerns
and on identifying the major areas of risk, such as
operations, enterprise, events, and market risks. The
key objective is to identify and aggregate the risks
facing the enterprise and the risk issues as perceived
by management and stakeholders (see Figure 8).
This step generally begins with a thorough review of
the infrastructure, decision-making channels and
operating systems. The risk appetites and cultures
of the management and stakeholders are identied
through interviews and focus groups. Areas of critical concern are discussed and priorities set. The
prioritization of risk factors generally involves looking at the stake, the uncertainty and the quality of
Strategic Risk Management

risk controls and processes already in place. At the

end of this step, management gets a clear understanding of the risk factors and a prioritization of
risk issues. A recent article in an Australian journal
on risk management stated that ``risk assessment
and acceptance was important because the organization could then focus on the risk and then work to
eliminate or reduce it''.1 In their book Seeing
Tomorrow, Dembo and Freeman make an important
contribution to the ways of evaluating risk appetites
which can be used at this stage.13 Based on the
work of a number of academics, they explore the
concept of `regret', i.e. how risk takers feel about not
winning or losing, and a number of other powerful
concepts.

Step 2: Baseline and Benchmark

In this work step, the team evaluates risk and

returns and the appetites of investors and other stakeholders. We quantify major risk elements and priorities, analyse risk drivers, and map current
processes. It is important to quantify the risks. For
some risks such as nancial market-related risks,
this may appear to be a relatively simple exercise.
For more operational risks such as safety or technology risks, quantication often requires making
assumptions. We have found that using multi-disciplinary teams involving those actually on the
ground gives superior results to using assumptions
generated by planners at corporate headquarters.
Risk processes and risk performance are benchmarked against global best practice. We now have a
database on this. It is usually essential to go beyond
the immediately obvious competitors and to compare other industries where best practice lies.
A `value at risk' approach is often used. This calculates the probability of loss on a nancial portfolio rather than the possibility of losing the entire

421
Example
Credit Risk
Continuity of Demand or
Supply
Counter
Party Risk

Operational Control Risk

Demands

Equity Price
Risk
Project Risk
Operational
Risk

Enterprise
Risk

Market
Risk

Interest Rate
Risk
Foreign Exchange
Risk

Transaction
Risk
Event Risk

Liquidity Risk

Reputation Risk

Systems Risk

Legal and Regulatory Risk

Port Concentration Risk

Disaster Risk
Political Risk

Correlation Risk

FIG. 8. Set direction: identify major areas of risk.

portfolio. Unfortunately, in the LTMH hedge fund
case, this approach proved disastrous. The problem
was that it assumed both liquidity in the market for
hedging instruments and a normal distribution of
risk. It transpired that in the current emerging markets, crisis, the risks which were predicted to be in
the lower tail of a normal distribution of probabilities came to pass, Secondly, the liquidity in emerging market debt dried up almost entirely as a result
of the crisis. As the assumptions of the value at risk
model were broken, so too was LTMH.14
When South Korea's LG Group, a conglomerate,
recently decided to embark on a risk management
program, it chose to benchmark itself against Caltex,
an oil company in some areas.15 Next, performance
gaps and learning opportunities are identied, and
an assessment is made of risk exposures. This is
where clients realize and accept the size of the
mountain to be climbed.

Step 3: Create the Vision

Like the AWACS long-range airborne radar and control system for detecting enemy aircraft and vehicles, the vision of management should be to scan
the environment and to identify quantitative and
qualitative opportunities and threats, and to determine the most appropriate response, depending on
stakeholders' risk sensitivity. A risk management
vision is created, comprising the three key components of measuring, managing and monitoring

risk. Management may develop appropriate strategies, for example, decrease the stake, through sharing the risks and rewards with co-investors,
suppliers and customers. It may reduce the uncertainty, through bringing in partners with data and
who can control risk drivers. It can also prepare
scenarios and contingency plans. It can focus on
core business or spread its risks through a range of
businesses and geographies.

Step 4: Design Process Improvements

Based on the data gathered in earlier steps, management decides on the most appropriate improvement
options. Improvement options include designing
processes and documenting policies (if the problem
is ad hoc processes), and tighter process management and parallel processing (to remedy decision
delays). The top management team can use a risk
returns matrix to evaluate the overall risk position
of projects (see Figure 9). The risk matrix is used to
decide where each strategic business unit lies on
the risk axis. This can then be plotted against
expected returns.
The designing of process changes usually occurs
in four areas. Firstly, strategy and policy changes
need to be made. A clear risk management strategy
must be articulated by top management in the
visioning phase and this is converted to a risk management policy document and training plan in the
design phase. It is important to ensure that the overLong Range Planning Vol. 32

August 1999

422
Example
Risk Matrix
Returns
Risk
Matrix

High

Stake
High

Medium

High
Medium

Medium

Low

Medium

Low
High
Uncertainty

Low

Low

Medium
Risk

High

Avoid Pointing to Risk

FIG. 9. Design process improvements: top team evaluates the overall risk position of projects or
businesses.
all business policies are supported by the risk management policy. For example, a growth-focused
business objective will not work whilst maintaining
a minimal risk tolerance, as seeking growth will
inevitably lead to undertaking enhanced risk. The
policy manual outlines the risk objectives, tolerance
levels, acceptable procedures, specic risk-related
accountability and risk measurement and reporting
guidelines. Once the risk process design is nalized,
management endorsement and commitment is
needed to provide a mandate for the risk management program. Management also needs to review
the organization structure that will be used to support risk management. Centralized risk management
options tend to work for a `controller' company (as
evidenced by many nancial institutions), whereas
decentralized risk management models tend to work
for a `portfolio manager' company (as evidenced by
conglomerates such as BTR). Depending on the risk
vision, design changes relating to the formation of
risk committees/councils need to be made.
Risk measurement is the third area where changes
need to be designed. Effective tools to proactively
assist in monitoring and managing risks are crafted.
According to risk managers polled in the UK, one of
the greatest challenges is simply searching for the
risk-related information.16 Several of our clients
now use a PC-based risk dashboard that allows top
Strategic Risk Management

management to be appraised of the status of all

risks. The dashboard provides an overall picture of
various types of risk, e.g. country, project, credit,
trading, operating and environmental risks, as well
as allowing for a more in-depth view of each type, if
required (see Figure 10). In half an hour, the board
can go through all of the main risks and opportunities faced by the corporation in considerable
depth, or take an overview in just a few minutes.
Lastly, design changes must also focus on the operations and systems of the company. This includes
changes to the IT infrastructure, internal controls
and operating guidelines.

Step 5: Implement Change

This step is where the rubber meets the road. As in

all strategic processes, successful implementation is
the key to ensuring the long-term success of any risk
management programme. Implementation success
can be attained from focusing on two main areas:
people and processes. In terms of people, implementation requires the involvement and commitment of
senior management and employees. The working
teams that are responsible for the enterprise-wide
change effort must be balanced in their composition
and include corporate staff, risk experts for complex
risk areas, process champions and line mangers.
The entire effort should be driven by a risk manage-

423
Example Overall
Risk Monitoring

Risk Types

Country

Red
Yellow
Green

Country Risks 1 2
3

Trading

Operating

Project

Credit

Project

Credit Risk

Trading

Operating
Environmental

Environmental 1 2
3

Value at Risk

FIG. 10. Design process improvements: PC-based risk dashboard.

ment committee made up of key decision-makers
from across the enterprise. In terms of process implementation, we have found that it is best done
one step at a time. Initially, the focus is on the core
risk areas as dened in the baseline and benchmark
phase. Implementation is focused on developing a
common risk language that can be understood by
all. Armed with a thorough design of risk management processes, strong people to lead the implementation effort and a realistic implementation
schedule, implementation succeeds and penetrates
the organization. Training and communication programmes are an essential element of roll-out.

Step 6: Embed Continuous Improvements

Risk management excellence is a journey, not a destination. Continuous improvements must be

embedded: compliance is monitored; results
measured against plans; risk review programmes
institutionalized; best practice tracked; processes
and procedures updated; and returns measured
against market expectations. Risk management also
centres around people and rms must develop good
risk managers.
On this journey, we have identied four stages of
development for risk management from our research
with clients.
. At the entrepreneur stage, the approach is ad hoc
and there are no procedures. Each subsidiary
either does its own thing or the entrepreneur
handles everything, often in his or her head.

. In the next stage, bureaucracy is introduced.

Formal procedures are put in place, with the
focus on compliance, risk avoidance and standardization. This is an improvement but can lead
to slowness, rigidity and risk aversion.
. The process management stage sees improved
processes and empowered teams. However, risk
management is still separate from shareholder
value-based management, and this limits the
extent to which risk and returns can be aligned
and superior investment decisions made.
. The fourth, and most developed stage, is strategic
risk management. Here risk management is integrated with shareholder value management and
the company exhibits a healthy risk management
culture aimed at building the value of the company. This is the frontier to which we are striving.
Getting from stage one to being a strategic risk management
company
cannot
occur
overnight.
Companies need a risk management blueprint,
capable and committed leaders and employees and
effective processes in order to make the change. If a
risk management program is instituted properly and
with conviction, the resulting organization will be
stronger, nancially more secure and the envy of its
peers.

Conclusion
Risk and turmoil are normal in all industries and
Long Range Planning Vol. 32

August 1999

424
geographies. Financial services, telecommunications, aviation, public works, energy and shipping
are deregulating aggressively. Cross-border trade
investment has increased signicantly, capitalizing
on broad-scale tariff changes initiated by the
ASEAN Free Trade Area, GATT/WTO, and APEC
activities. Technology is changing rapidly. Political
and nancial mineelds abound.
Companies affected by changes must be nimble in
their response. Yet, in such a highly uncertain environment, a quick move in the wrong direction will
be costly. The recent turmoil in global nancial mar-

kets demands changes in how we manage risks. As

stated by a senior Malaysian government ofcial
recently, ``The challenge for top management is to
proactively plan for the inevitable redirection of
strategy, rather than passively endure the unpleasant consequences of this crisis environment''.17 A
comprehensive understanding of the playing eld is
required, and an integrated risk management methodology must be used for identifying and evaluating
risks. From this, a strategy can be developed to
maximize shareholder valuebut this requires effective risk management.

References
1. I. Porter, Big or Small, All Can Win With Risk Management, Australian Financial Review,
June 17 (1997).
2. A New Approach to Financial Risk, The Economist, October 17, pp. 1516 (1998).
3. P. Martin, Hedge of the Abyss, Financial Times, November 11, p. 14 (1998).
4. A. Jones, The Art of War in the Western World, Harrap (1998), pp. 351353 gives a good
review of Lanchester's N-square-rule an early example of how mathematics was used to
calculate the chances of troops getting shot according to the number of attackers. These
models are now more advanced; see also Paul K. Davis, Interactive Simulation in the
Evolution of Warfare Modelling, Proceedings of IEEE, Vol. 83, No. 8, August (1995).
5. M. S. Dorfman, Introduction to Risk Management in Insurance, Prentice-Hall, Englewood
Cliffs, NJ (1994).
6. K. Vander Heijden, Scenarios: The Art of Strategic Conversation, Wiley, New York (1996).
7. T. A. Luchman, Strategy as a Portfolio of real Options, Harvard Business Review,
SeptemberOctober (1998).
8. K. Dowd, Beyond Value at RiskThe New Science of Risk Management, Wiley, New York
(1998).
9. A. M. Zevitt, Disaster Planning and Recovery, Wiley. See also Chris Chapman, Project Risk
Management, Wiley (1997).
10. I. C. Palmer and G. A. Pot, Computer Security Risk Management, Van Nostrand Reinhold,
New York (1989). See also Capers Jones, Assessment and Control of Software Risks,
Yourdon Press (1994).
11. Australian Securities Commission Survey, AAP Information Services, April 15 (1998).
12. D. Keefe, Don't Mention the D-Word, Energy and Power Risk Management, March 10 (1997).
13. R. S. Dembo and A. Freeman, Seeing TomorrowRewriting the Rules of Risk, Wiley, New
York (1998).
14. Turmoil in Financial Markets, The Economist, October 17, pp. 2123 (1998).
15. N. Reed, Facing up to Risk, Asia Risk, November (1996).
16. D. Keefe, The Search for Success, Energy and Power Risk Management, September 5
(1997).

Christopher J. Clarke,
Visiting Professor at
Henley Management
College, was formerly
Managing Director of
A. T. Kearney's
management
consultancy in
Southeast Asia.
Previously he was a
managing director in
investment banking.
He is a former
chairman of the
Strategic Planning
Society and has
degrees in Economics
and Management.
Corresponding
address: VP and MD
Southeast Asia, A. T.
Kearney Pte Ltd,
1 Temasek Avenue,
]35-01 Millenia Tower,
Singapore; e-mail:
gina.goh@atkearney.
com

17. Hedging can Minimize Risk of Malaysian Companies, Asia Pulse, June 4 (1998).

Suvir Varma is a
manager with A. T.
Kearney in their
Singapore office. He
has advised various
clients on risk
management.
Previously, he was in
commercial and
investment banking.
Strategic Risk Management