Your Financial Statements Are Hiding Risk.
Companies that manage risk are safer and more secure, and their financial statements can be relied on. Companies that don’t manage risk are vulnerable and their financials are misleading.
You, as CEO, owe it to yourself to know if your financials are misleading. Your lenders will be very interested as well.
You’re showing assets on your balance sheet, and the silent promise is that those assets will continue to be there even following a disaster. Liabilities are also shown and, subject to uncontrollable events, those liabilities should not dramatically and suddenly increase, or at least that is the wish of those reviewing your financial statements, and it is your wish as CEO as well. The audit process gives no assurance that either of these conditions is the case. In fact, companies that do not manage risk may look more profitable in the very short run, because they have reduced short run expenses by ignoring risk management.
Here’s a way to conceptually quantify what we’re talking about:
A firm needs capital to finance its daily operations – to cover payroll, rent, materials and all the other corporate activities. Call this Operational Capital. This is measured by traditional financial statements.
A firm also needs capital to finance risk — to pay for things that unexpectedly go wrong like fire, flood and lawsuits. This is called Risk Capital, and is not measured by traditional financial statements.
There are three sources of risk capital:
1. Cash that the firm has on hand. To be sufficient, it would have to be an awfully significant amount, and it would probably not survive because of competing demands for its use.
2. Off-balance sheet capital such as a credit line which would be tapped in the event of a loss which had to be financed. The loan would have to be paid back, however.
3. Insurance. With insurance the financial consequences of loss are transferred to an insurer in return for the premium.
Additionally, risk management is broader than just insurance. Losses can be prevented by safety or quality control efforts, and risk can be transferred to customers, business partners, subcontractors, etc. via contract. This reduces the need for risk capital.
The risks to which the firm is subject are potentially catastrophic. The entire facility could be destroyed, or the company could owe $50 million to a plaintiff at the whim of a jury. How is management of these risks reflected in financial statements? Not at all!
Financial statements do not consider the need for risk capital. A cursory look at an insurance schedule comprises the due diligence. Whether limits are adequate in relation to actual exposure and whether terms and conditions (the actual policy language — all 1000s of pages) are adequate is a crapshoot. The other elements of a risk management program — the loss control and contractual transfer — would not be factored in at all either. Bottom line: risk is not even considered on a qualitative basis – not to mention a quantitative one.
When the convention of risk capital is not used to make comparisons between firms, they all look alike — the financials do not reflect the difference. As the saying goes: “All boats float alike when the weather is calm.” Risk always uses capital. If it is not funded, it creates a deficit. Only after a disaster does the deficit finally surface – a metaphoric contrast to the company itself, which is under water.
RISK ADJUSTED RETURN ON CAPITAL
Consider two companies that generate a 15% return on equity. One manages risk completely, while the other is subject to the mercy of the gods. Until something happens they appear to be equal according to the financial statements. Mysteriously, there is an abundance of notes to the financials, but nothing substantive on risk management or the lack thereof.
The true measure is return on “economic capital”: the total of operational capital plus risk capital.
Firm activities will generate risk, and a certain amount of capital is required to handle that risk. To the extent risk is prevented or transferred to other parties, less risk capital is required. If risk is financed via insurance, that is utilizing off-balance sheet capital, and that reduces the need for on-balance sheet capital. (The premium is reflected as an expense on the income statement.)
If both firms generate $.15 for every dollar of capital that is measured by the financials, then the return on equity is 15% (.15/1.00) for each. If Company A manages risk completely via loss control and insurance, then risk capital required is zero. The risk adjusted rate of return for Company A is truly 15%. Company B, though, doesn’t even attempt to manage risk. By default loss will have to be paid out of cash or loans. Assume risk capital of $.75 is required for every dollar of operational capital. The risk adjusted rate of return for Company B, then, is .15/(1+.75) = 8.5%.
So traditional financial statements show the two companies to have the same ROE. The risk adjusted financials, though, show the big difference between the two.
The SEC sporadically validates this concept by reacting to crises and advising public companies that they need to disclose how they are managing certain risks – terrorism and cyber risk being two recent examples. The SEC might not realize that just noticing and reacting to the risk of the event that just happened is not actual risk management. Two principles of risk management are that a) historic losses need a very long experience period to be valid predictors, and the more severe and remote the loss, the longer that period needs to be; and b) recency bias (the tendency to focus on what just happened) is a psychological phenomenon you should not be fooled by. But, again, we thank the SEC for illustrating that financials are not complete without incorporating the risk component.
We are not necessarily advocating for a change in the way financial statements are produced – that is for the CPA world to decide. We are saying that the financials do not stand alone, and if your CFO is not reporting on risk management, you’re not getting the whole story.
Managing profits can’t be separated from managing “losses” (not losses in the accounting sense). Ignoring risk is to make profits and net worth dependent on luck. We know we can’t really rely on quarterly profits because numbers can be manipulated in such a short time frame. Even years of continuous profit and growth can be unreliable if risk is not managed. A truly robust firm is one that manages risk while at the same time producing the consistent financial numbers the CFO is so proud of.
CEO, don’t be lulled into complacency by misleading financials.