DEFUSING THE BOMB
A new approach to risk management can help finance managers take the sting out of the next disaster.
By Lynne Curry

Hsiue Jung Sheng woke from a fitful sleep last September to hear his furniture rattling like castanets and feel his bed edging across the floor. By the time Taiwan's huge earthquake subsided, Hsiue was in his car and headed down the road to Taiwan Semiconductor Manufacturing Corporation (TSMC), the US$2.3-billion-a-year chip manufacturer, where he runs a comprehensive risk management program. In a very real sense, Hsiue was in his element. He had been preparing for a disaster of this magnitude for years, and now he would see whether the program he had built actually worked.

At the plants, the scene was serious, but under control. Alarms had triggered an evacuation of the factories, keeping employees out of harm's way. Checks revealed that TSMC's buildings had been largely spared, but some processing tools and a portion of the company's stock of silicon wafers had been destroyed. But because of Hsiue's careful preparation, TSMC never really shut down. Trucks were on the road after sunrise delivering orders, and it took a mere ten days to restore full operations. What's more, news of TSMC's quick recovery contributed to a 20 percent rise in its stock from the time of the earthquake to year-end. Analysts praised the company's resiliency compared to its local competitors.

Risk is like a bomb ticking and risk management diffuses the danger. Because of the huge problems that can affect Asian companies overnight - from earthquakes to the imposition of currency controls - a new approach to risk is gaining favor. For CFOs, it's not enough to look at risk as an isolated phenomenon, such as interest rate risk on the one hand and risk to operations on the other. A growing number of companies are looking at risk management as enterprise-wide, and are elevating risk as a key component of a finance chief's job. And that exercise is what saved TSMC from big trouble after a major disaster.

TSMC's shift to a new perspective on risk came under the direct guidance of CFO Harvey Chang. Three years ago, Chang decided it would be more efficient and less costly to bypass the insurance brokers and deal directly with the London reinsurance market. But TSMC's prospective reinsurers made one big demand. The chip maker had to investigate all of its risks - including the risk of business interruption - and show that it had developed effective methods to control them.

Inadvertently, the insurance deal had foisted a new way of thinking about risk on TSMC, one that had already come into vogue in North America and Europe. Taiwan Semiconductor had, of course, already hedged against risk in a dozen ways, from insurance policies to buying options to hedge against currency exposure. However, it had never set out to catalog every serious risk in the enterprise, or sought to elevate its control to a core unit answerable to the CFO.

Chang's first step was to hire Cigna and other insurers to investigate all the risks that TSMC faced. The team concluded that the greatest risk to the chip maker was an interruption of business. In the electronics industry, just-in-time manufacturing and speedy delivery remain the critical success factor in the entire supply chain.

Chang's decision to cover interruption of business and invest in a major contingency plan, however, was a costly one. This portion of the coverage is the largest component of the premium it pays to insurers. But when the earthquake happened, no one remembered the cost, and everyone, analysts and investors alike, praised Chang's decision to examine risk from an enterprise-wide perspective. "After an event occurs," says Chang, "it's too late. It's impossible to make all the decisions that need to be made." Andrew Watkins, partner, global risk management solutions at PricewaterhouseCoopers (PwC) in Hong Kong, agrees, but sees the matter from a wider perspective. "If you can manage risk, you can take the lead," he says. He sees a growing recognition in Asia of the importance of managing risk from an enterprise-wide perspective. "It has now become a boardroom issue."

A Fistful of Risks

For the time being, CFOs in the US lead the world in enterprise risk management. At the forefront of the movement are high-tech companies such as Microsoft, which has perhaps the most comprehensive and integrated risk management policy in the world.

Microsoft is a pioneer of the enterprise approach to risk management, dating back to the creation of the Microsoft Risk Management Group in 1997. Under the direction of former CFO Greg Maffei, assistant treasurer Jean-Franois Heitz (now treasurer) and then-risk manager Scott Lange, the group conducted a thorough risk assessment of the entire company. Today, the group watches no fewer than 144 separate risks, from market share and pricing wars to industrial espionage and workforce skill-sets.

One result of the assessment was an umbrella insurance policy, crafted to cover a variety of risks. But perhaps more important was the promotion of a heightened awareness of risk throughout the company. Microsoft wants managers in every function to understand the risk embodied in every decision they make. And to help them do that, the company developed a web-based knowledge tool called RISKS (Risk Information System for Knowledge Sharing). Residing on the corporate intranet, RISKS has eight major components, including a menu of risks organized by type: contacts for internal experts on risk subjects; anecdotes of lessons learned from dealing with risks; and best practices for minimizing risk in the design of business processes. Before launching any new projects, managers are encouraged to consult the system.

Meanwhile, to manage financial risk, Microsoft's treasury has pioneered hedging techniques and improved on existing ones. For example, starting in 1994 under then-treasurer Maffei, Microsoft was one of the first companies to write put warrants on its own stock in order to reduce the cost and risk associated with its stock-repurchase program.

"It was something I had to do at the time - the market was starting to heat up," recalls Maffei. The company periodically repurchases its stock to prevent dilution of earnings per share through the exercise of employee stock options. Selling put warrants on its stock partially defrays the cost of the buybacks. Moreover, the strike price of the puts is set at a level that the company would be willing to pay for its stock anyway. The warrants also have a "net share settle" option that allows Microsoft to issue new shares in lieu of cash.

The Risk Horizon

In Asia, the evolution of enterprise-wide risk management seems to be spinning off from a massive reorganization of risk management units at major banks. Following the Asian crisis, the major banks that suffered heavy losses due to currency and credit exposure invested in restructuring their risk management capabilities. This initiative was led in part by Chase Manhattan Bank, one of the few global banks not to be broadly hit by the currency meltdown, in part because it already had a system in the works. Chase had developed a global system of assessing risk throughout the bank, much like Microsoft's RISKS package, available to all line managers. It also consolidated its risk management practices into one overseeing risk management committee.

Most other major banks, including HSBC and Development Bank of Singapore (DBS), have followed suit and collected risk management under one arm. At DBS, for example, business units have primary responsibility for managing specific risk exposures, but the bank's risk management group is the central resource for quantifying and managing the bank's entire portfolio of risks taken by the group as a whole. Separate committees that oversee credit exposure, interest rate and liquidity risk, and capital adequacy all report to one central risk management committee.

Risk management at banks is fundamentally different from that used by corporations, however, because risk at banks can be measured in much shorter time horizons than in a company. For example, evaluating the underlying risk in a currency instrument is fairly easy to do when the time horizon is tomorrow or one week out. All methods to evaluate risk are based on historical data, and, as in measuring the weather, trying to figure out whether storms lurk is easier to do based on recent information. But corporations rarely face such investment and liquidity problems. The risk they encounter will be to the balance sheet and operations over a longer period of time, such as three months, six months or a year. A number of companies, including RiskMetrics, a spin-off of the US-based banking giant JP Morgan and a pioneer in risk management, are selling packages that offer risk management to companies. RiskMetrics, for example, recently unveiled its CreditRisk package, a program that assesses risk on long time horizons. RiskMetrics recently opened an office in Tokyo.

Getting Aggressive

But like many practices that have caught on in the US and Europe, enterprise-wide risk management is arriving in Asia in a piecemeal fashion. Perhaps, this is because Asian CFOs have heard this story before: the new concept in financial policy that costs a lot to implement, but has yet to yield measurable returns. Even Microsoft, so admired by risk managers, got blind-sided by political risk in the antitrust decision against it last spring. Local subsidiaries of multinational companies are moving their way into the practice ahead of their local competition, but even they are moving at a slower pace than their headquarters.

More aggressive than most are the Asia Pacific units of US-based companies Lucent Technologies, a dominant maker of telecommunications equipment and software, and Cisco Systems, one of the leading makers of computer networking equipment. These companies have adopted stringent, enterprise-wide controls to protect themselves, although not from an insurance coverage point of view. Instead, these companies continually assess financial, commercial and technical risks, particularly from customers, partners and suppliers. Rather than insure against a disaster, Lucent assesses its customers with the same rigor as a banker, imposing very specific criteria that customers must meet.

"Our risk management approach is more aggressive than a couple of years ago," admits Daniel Lovatt, CFO Asia Pacific at Lucent Technologies in Hong Kong. "If we are backing up a customer's debt, we have specific models [that we use to] drive a customer's business plan through. A wireless network is different from a landline network. We look at the debt equity structure, the subscriber growth in a country." The company, he explains, examines whether the customer has a national license, its plans compared with market expectations, its projections relative to independent standards, its marketing strategy, and whether the right kind of customer is being targeted. "All of this is to make a determination about whether we should finance the project," he says. "If we put a substantial amount of financing through the bank, then we need the same kind of understanding as a bank."

Cisco depends on its partners to deliver its products and services. When they cannot deliver, this "has a negative impact on the Cisco name, whether Cisco has anything to do with the delivery or not," observes Rod Lee, finance director, Asia Pacific at Cisco Systems in Singapore. "Cisco softens this risk by assisting our partners and doing everything we can to ensure that they are successful."

Lee maintains that Cisco "assesses everything that is not best in its class and that this goes a long way in mitigating operational, technological and financial risk." Any operation that is not web-enabled is examined closely. "Getting web-enabled by itself means you have to do some reengineering of your processes," he explains. "Cisco was one of the first companies to web-enable our partners and customers, so they can order and service through the web. This meant wholesale changes to our processes. During the reengineering, we significantly reduced our commercial, operational and technological risk."

Risk e-Business

Another factor spurring the move towards enterprise-wide risk - the movement of many businesses onto the Internet. With the growth of e-commerce, CFOs must deal not only with conventional physical risks like property, casualty and liability, but with issues such as the future of the Internet, hacking and computer security. "E-business is the major driver in risk management," says PwC's Watkins. "Because of the degree of change, it is transforming business. Wherever there is transformation, you have greater risk." The issue of Internet security has also heightened corporate awareness. "Hacking on the Internet has raised the profile of risk," says Watkins.

Among the newest risk management services, PwC now provides web audits that validate the number of page views of a website and "click throughs". Marsh (Hong Kong), a subsidiary of US-based Marsh(formerly J & H Marsh & McLennan), a leading insurance broker, has recently introduced Net Secure, a comprehensive program that assesses the risks of corporate e-business strategies and provides up to US$200 million of coverage for e-business risks.

Risk is a familiar term to Asiacontent.com, a Hong Kong-based company that is listed on Nasdaq and has formed joint ventures with US Internet companies seeking to expand in Asia. "The Internet is highly risky, because the business model is not proven," says Deepak Desai, Asiacontent.com's CFO. "The risk people take is about the future of the Internet. What defines Internet companies is that they take risk." But Desai maintains that does not mean ignoring the discipline of conventional companies. "It is not like a traditional business, but it is not foolhardy," he says.

As Asiacontent.com is also in the publishing business, it has bought coverage from Lloyds of London for libel. "We have chat rooms and there are liabilities involved," says Desai. "We do have disclaimers on our websites. AIG and Lloyds offer this kind of coverage. It is unique, and is a little bit more expensive than normal coverage."

Like other companies, Asiacon-tent.com is not immune to security and technology risks, and has taken steps to mitigate a systems failure. "We haven't had the experience of the more famous websites that are more visible targets," says Desai. "But it may happen one day. We have tried to build a system that is as hacker-proof as possible. In the event that our system crashes, we have a contingency plan. If our servers are down, we can migrate to something else, or get them up and running quickly."

New Shears for the Hedge

Given all these new opportunities, it's not surprising that the line is blurring between banks and insurance companies when it comes to risk management-based products. Indeed, the competition between banks and insurance companies is giving birth to a new generation of risk management products. AIG, AXA, Swiss Re, Munich Re and Zurich Financial Services are among those now offering financial risk insurance, traditionally the exclusive territory of banks. Financial guarantees that used to be the banks' business are now available from insurance companies, for example. Sidney Ku, chief executive officer of Marsh (Hong Kong) says: "The cash collateral may be needed on a banking requirement for a loan. An insurance company can issue a commitment if the borrower can't pay. In lieu of a cash collateral, insurance companies offer financial guarantees."

This rash of innovation has begun providing benefits - and more financing options - to very traditional, high-capital investment industries such as shipping. Typically, ship owners obtain a 70 percent mortgage from the bank and pay 30 percent cash. With the assistance of Swiss Re, a leading reinsurance company, a shipping company can obtain a higher mortgage and make a smaller cash down payment using the ship as collateral for the bank. For Swiss Re, the shipping company's earnings or guarantees on its receivables serve as security.

Khushroo Wadia, financial controller at Precious Shipping, a Bangkok-based owner and operator of 41 largely dry-bulk ships, has yet to turn to this kind of product. His approach to risk management, in line with the more conservative nature of the shipping sector, is to simply ensure that he keeps a close eye on shipping rates. "We conserve resources and do not go overboard in terms of investment whenever the shipping business is in the upward part of the cycle," says Wadia. "Inevitably, the market will absolutely, certainly go down, and when it does, we will need all of our resources. We have volatility in earnings, because shipping is a very cyclical industry. We have tried to diversify and establish an earnings stream that is steadier and gives us a cushion." Shipping companies like Precious are warming more to another diversification of insurance companies - some now provide credit enhancement, which improves the financial standing of some companies by using the guarantee of a bank or insurance company with a triple A rating. This makes it easier for them to borrow from the capital markets or get loans.

Exporters are also getting benefits from the blurring lines between banks and insurance companies. For example, an Indonesian exporter seeking to raise cash recently issued four-year securities through its investment bank using its existing receivables, cash reserves and future receivables as collateral. Centre Solutions, a Bermuda-based wholly owned subsidiary of Zurich Financial Services, issued a bond to insure the payment of interest and principal on the securities. "The key risk in this transaction is whether the borrower will be able to generate the receivables in the future when the time comes," says Anthony Egerton, managing director of Centre Solutions Asia in Hong Kong.

Securitizing financial risk works in other ways as well. Companies are transferring their catastrophic risk to the capital market through their own special purpose vehicles to issue what are called "catastrophe bonds". Backed by an insurance company, these are bought by pension funds, hedge funds and other insurance firms for above-market returns. "If companies can access the capital markets for catastrophe risks, then it won't be long before the same technology is applied in other areas," says Tobey Russ, president of AIG Risk Finance (New York). According to analysts, this opens up companies' access to the capital bond market, which has funds in the trillions compared with the insurance market, which runs in the billions.

So far, companies that are exposed to the risk of earthquakes and windstorms in Japan are among those who have taken advantage of this instrument. Indeed, earthquakes, as Taiwan Semiconductor has learned, do not have to be total disasters. The key is learning to transfer risk - a skill that will remain in the boardroom spotlight for the foreseeable future.

Lynne Curry is a contributing editor to CFO Asia.