Koch Industries didn't become the nation's second-largest privately held company without taking risks, but the $100 billion conglomerate puts a premium on risk management, and its approach includes a strong information-technology (IT) component. Software helps the company analyze a variety of exposures, such as swings in commodity prices and foreign-currency rates, both individually and in the aggregate, according to chief risk officer (CRO) Michael Hofmann. The system (from Algorithmics Software) enables staffers throughout the company to perform what-if scenarios, such as the potential effects of different pricing schemes on margins and cash flows.
But the software "doesn't substitute for thinking," Hofmann says. That's a subtle but important distinction about what risk-management systems can and can't do. Such systems help managers "understand what the risks are, where the risks are, and how to mitigate that exposure throughout corners of the company," says Chris McClean, an analyst at Forrester Research.
Given the enormous attention that failed risk-management practices on Wall Street have received, you might think the software category would have suffered a reputational blow as well, but that doesn't seem to be the case. In fact, even though many companies are curtailing their IT spending this year, the market for operational-risk-management systems is fairly strong, says McClean. In the battered financial-services industry, spending on risk-management systems is projected to grow at 11.5 percent from 2009 to 2010, according to Robert Iati, partner and global head of consulting at TABB Group, a financial-markets research and advisory firm that focuses on capital markets.
There is a huge range of risk-management software on the market. Some systems are designed specifically for financial-services firms to monitor credit and market risk, while others are geared toward evaluating a variety of operational risks faced by companies in many industries, says Gartner analyst Douglas McKibben. Some products can be applied as stand-alones, while others are components of broader governance, risk, and compliance (GRC) software packages.
Most risk-management systems are designed to collect data from other systems, with the data source determined by what kind of risk is being assessed. For investment banks, equity and foreign-exchange trading systems may be the primary source. For companies outside of financial services, such as power companies or retailers, the systems can be customized to create risk models or risk profiles that suit a company's needs and then reach into other systems or external data sources; for a retailer the system might analyze the risk to customers' buying behavior posed by interest-rate increases. Some systems employ Monte Carlo–type simulations to predict possible outcomes from thousands of potential variables, such as how a 20 percent drop in the Dow Jones Industrial Average might affect the credit ratings of business partners in the commercial construction industry.
Vendors offer varying degrees of functionality and sophistication. The Algorithmics software, for example, enables financial managers to test how changes in risk drivers such as interest rates or inflation would affect a customer's investment portfolio over time, says Andy Aziz, executive vice president of risk solutions at the vendor. Like other packages, the software can notify users when their company is about to reach a predetermined limit on a financial exposure, such as sell-side thresholds on a stock.
Islands of Risk
Just like any other kind of analytical software, risk-management systems are only as effective as the type and quality of data that goes into them. Software is usually selected to meet the specific needs of individual business units, and data is formatted to address their particular risk triggers, says David Rogers, global product marketing manager for risk at software vendor SAS Institute. That makes it difficult to exchange risk data across the business.
Even a system that performs as advertised has to be used properly. In early 2008, Bermuda-based reinsurer Tokio Millennium Re implemented software from DFA Capital Management to monitor portfolio risk, including Tokio's holdings of U.S. Treasuries and other assets, says CRO Ed Jordan.
When company officials began using the system (called ADVISE) to generate four-year budget forecasts for the parent company in Japan, the system indicated that Tokio Millennium Re was facing the potential for a significant foreign-exchange loss for 2008. "There was a lot of [internal] debate" as to whether that would actually occur, recalls Jordan, "and there was the belief that if we did expect such a loss, we should hedge against it."
Instead of heeding the forecasts and acting to mitigate foreign-exchange risk, company officials in Bermuda decided to turn off that piece of software functionality. Tokio Millennium Re ended up getting stung with a loss very close to the amount projected by ADVISE, says Jordan. "It's raised awareness that we need to manage this risk a little better," he says.
Many risk-management systems are designed to reveal potential losses quickly, or can be customized to do so. An operational-risk-management system can be "as real-time as the clients make it," says Tom Bolger, international product marketing manager for Methodware, a provider of GRC software, although he adds that few if any of Methodware's customers require hourly alerts from their systems. On the other hand, many financial users want more real-time monitoring than current credit- and market-risk systems can provide, and vendors need to deliver additional functionality to provide this capability, notes TABB Group's Iati.
More Than a Number
Some users of risk-management software say the systems have helped them spot hazards created by the current financial crisis. Last May, UHY Advisors Texas began using SAP risk-management software to monitor financial and operational risk. Previously, E-mail "was the most ubiquitous risk-management tool we used," says Norman Comstock, a managing director at the tax and business advisory firm. "We decided it was time to take our own advice" and begin using risk-management software, just as UHY advises its customers to do, says Comstock.
Still, it would be foolish to depend on any single source to monitor and mitigate enterprise risk, says Greg Zaffiro, managing director with Platinum Partners Value Arbitrage Fund. "At the end of the day, you certainly wouldn't want to rely completely on one output number from a risk-measurement system," he says. The software "tells you what might happen in the future," says Kim Balls, vice president of life product development at software vendor DFA Capital Management. "It tells you what you should do, but it doesn't take action for you."
Despite indications of robust sales, corporate shoppers are cautious, and sales cycles are longer than they were a year ago, notes McClean. The cost to buy and install an operational-risk-management system can range from $75,000 to $3 million, depending on the number of users and the functionality of the system, with most deals falling in the $300,000-to-$350,000 range. Installing a system can take as little as one month for a small company to several months for larger companies with more-complicated reporting structures.
Thomas Hoffman is a freelance writer in Warwick, New York.
A Universe of Risks
As one example of how broad "risk management" is, consider that the World Economic Forum's Global Risk Network analyzes 36 distinct types, encompassing everything from biodiversity loss to a collapse of the nuclear nonproliferation treaty. Among the risks scoring highest this year in terms of both likelihood and severity:
• Asset price collapse
• Slowing Chinese economy
• Chronic disease
• Global governance gaps
• Fiscal crises
• Retrenchment from globalization