Risky business

How do leading finance chiefs measure and tackle risk within their organisations?

We quiz David Horan, CPA, CGMA, the CFO at Dealer Services Corporation; Atul Patel, group FD at IT security firm NCC Group; Jeff van der Eems, COO of United Biscuits; and Jackie Hunt, CFO at Standard Life.

What are the biggest risks facing your organisation and how are you dealing with them?

Horan: Dealer Services Corporation (DSC) is an inventory finance company, lending to independent used car dealers in North America. We have more than 10,000 contracted dealer customers across the United States. Our customers are not large franchised dealerships. They are smaller, typically independent, not as well capitalised and susceptible to economic swings.

Beyond lending to these entrepreneurs, we see our job as helping them to become better businesspeople. Because we are granting credit, customers’ financial difficulties tend to lead to losses on our books. In order to mitigate that risk, we see ourselves as consultants, providing business knowledge to our customers, as well as technology and information. The more we are connected to their businesses, the better understanding we have of our risk and how we can manage it.

van der Eems: As a provider of many of Britain’s best-loved snacks, the biggest risk facing United Biscuits is the economic pressure being faced by UK consumers. We provide affordable treats to millions of consumers every day, but even these purchases come under pressure if consumers have less money in their pockets and face an increasingly anxious future.

Hunt: The volatility within the financial markets has been one of the key risk factors for us over the past few years. Not only does market volatility affect asset values, it affects consumer confidence, making customers less likely to make financial decisions. That type of economic uncertainty can impact on our business.

We’ve put a lot of emphasis on managing risk over the past few years. We’ve de-risked our balance sheet to make it less susceptible to market volatility and have refocused the group to focus on the areas where we can maintain our competitive advantage.

This has allowed us to achieve continued growth, and to retain one of the strongest balance sheets in our sector over the past four years.

Patel: The most significant risk we face is reputational. Our business is based on providing independent escrow and IT assurance to clients, so it’s critical that we continue to deliver a high-quality service.

What are the main risks facing your sector?

Horan: Typically, the used car market fares well during economic down cycles as consumers tend to move toward the less expensive used vehicle. But the downturn of 2008/2009 opened many eyes to a risk not previously experienced. After Lehman Brothers collapsed and the credit markets froze, lending to the end consumer in the subprime/near prime market disappeared. Simply, our dealers could not sell the cars that we had financed for them. It was not for lack of demand on the part of the consumer; it was just that our dealers could not get the end consumer financed. So consistent, reliable consumer lending is a risk in our industry.

van der Eems: Pressures on consumer discretionary income and rising commodity and input costs are causing ripples across the whole industry.

Hunt: The insurance industry emerged from the 2008 banking crisis relatively unscathed, but we have not been immune to the economic uncertainty we’ve seen in the years that have followed. On the back of all that uncertainty, I believe that regulation needs to be a carefully considered factor.

In the UK, the FSA’s Retail Distribution Review is due to be implemented in early 2013. This will be a hugely positive change for the industry, giving consumers greater confidence in the type of financial advice they receive. Separately, Solvency 2 is an EU-wide regulation that is due to be implemented in 2014 and focuses on making sure that insurers maintain a strong capital position against their liabilities. I’m very supportive of these changes—I believe they will ultimately benefit policyholders and consumers—but I’m also conscious that too much regulation can stifle business. Getting the regulatory balance right is of key importance so that the industry can continue to be competitive internationally.

Patel: Due to the nature of services we provide, we haven’t been impacted by the recession as much as others in the [tech] sector. However, what we have seen is the rise of a new risk that affects all sectors: cybercrime. Both commercial and public bodies have seen an increase in incidents of malicious hacking. Many of these attacks have been high profile, and media reporting of hacking has intensified. We’ve seen a significant increase in demand for our services in this area.

Has the importance of risk management within your company changed since the recession? If so, how? How much of your time and resources are now devoted to risk management?

Horan: Since our launch in 2005, we have always focused strongly on technology and the power of information to mitigate risk. The recession strengthened our resolve to improve our techniques. We look at risk from two vantage points—internal data and external data—both of which are now providing real-time information.

From an internal data perspective, DSC has pioneered predictive analytics for our industry. We gather large amounts of performance-related data on our customers, most of which are predictive in nature. We partnered with an external firm to develop a scoring model that provides real-time alerts to our risk team. To complement our internal scoring, DSC also partnered with an external credit rating agency. We receive daily updates on our customer base, with key information such as major swings in credit scores, tax liens (government rights over proceeds from the sale of business to pay their tax liability) etc. The combination of the internal scoring model and the external, credit-related scoring gives DSC real-time, actionable items to mitigate risk issues.

van der Eems: Risk management has been an important part of United Biscuit’s governance for many years. I chair a risk operating council, which meets regularly and includes the top managers in the business. We have mapped out and assessed our key operational and strategic risk areas, assigned responsibility and developed mitigation plans covering each risk. Most importantly, we recognise business is fluid and there is a need to constantly evaluate and assess new areas of risk.

How much of a risk does the euro-zone debt crisis pose to your organisation? As Europe grows more volatile, what are you doing to reduce the company’s exposure to currency swings?

Hunt: The euro-zone crisis has had an impact on the financial services sector in a number of areas. Standard Life’s direct exposure to affected euro-zone countries has been minimal, however, with the last reported exposure sitting at less than £50 million (about $78.2 million). There has been significant price volatility in sovereign bonds, reflecting the increased credit risk that a sovereign might default on its debt obligations. In the absence of mitigating action, this could result in a mismatch between the value of an insurer’s assets and its liabilities, ultimately resulting in an erosion of its solvency margin. But Standard Life has managed this well, and our solvency margin remains strong.
Higher risk weighting of affected sovereign debt also increases the amount of regulatory capital that an insurance company must hold against related investments. The contagion effect spills over into other areas, impacting investments in both debt and equity markets. This can affect corporations who themselves have exposures to sovereign debt. The proliferation flows down to investments in third countries, or institutions within them, and impacts companies with large exposures to sovereign and corporate debt in the affected euro-zone economies.

We have seen that markets react quickly, sometimes in a knee-jerk fashion, and we have witnessed increases in spreads on any affected sovereign credit default swaps, interest rate swaps and FX pricing—each reflecting the perceived higher risk of default.
What is important in each of these areas is to identify the risks to the business and ensure that the appropriate risk management framework is deployed to identify, monitor, assess and control those risks.

We have responded to the euro-zone crisis in a number of ways. We proactively manage the benchmarks of our fixed-income portfolios and act very early to remove exposures to peripheral sovereign debt. We have restricted our holdings of cash and cash equivalents to banks that we assess to be of appropriate credit standing, and we monitor currency exposures on a regular basis to make sure that undue risks are identified and that corrective action is taken if needed.

Do you have a risk committee? If not, why not? If so, is it a nonexecutive committee, an executive director committee, a committee of functional experts or a hybrid of the three?

Horan: DSC has an entire risk department. We employ a vice president of risk to oversee both our credit underwriting and our collections teams. This individual is not only responsible for granting the credit, but also knows that he will be responsible for collecting should that decision prove to be a poor one. We are lending to small businesses, so risk is part of our daily work lives.

van der Eems: Our risk operating council (ROC) has been in existence for many years now, with me as chairman. The ROC consists of the top executive management in the business and includes the participation of our internal auditor, KPMG. We bring in internal and external subject experts on a regular basis and report our activities and findings to the board’s Audit Committee each year.

Hunt: We have a board-level risk and capital committee, which consists of four nonexecutive directors. That committee works closely with our group chief risk officer, as well as myself, chief executive David Nish and chairman Gerry Grimstone. The committee supports the board’s governance over strategic risk management and the use of capital. From its start-up in 2010, the committee has made significant developments and is now well established in its role. It provides quality support and analysis to help manage risk across the group.
We also have executive level enterprise risk management committees at group and business-unit level. These both meet monthly and are chaired by the relevant chief executive and supported by the chief risk officer.

Patel: We formally review and assess risk at our operational board meetings. We measure the potential impact of risks and identify mitigating actions to manage them. The outcome is then reviewed at our audit committee, which is made up of nonexecutives.

What measurement techniques do you use to assess your risk positions?

Horan: As mentioned, DSC has a strong focus on predictive analytics. We want to know that our customer is going bad before they do. This is not so that we can shut them down, but so that we can work with them to improve their situation. If that’s not feasible, then early knowledge puts us in a much better risk position.
We use an external company to mine our data and look for predictive characteristics. They look for links in a customer’s performance (for example, customers that present two or more non-sufficient funds (NSF) checks in a 90-day window tend to write off within six months) or characteristics (for example, car dealers that have a paved lot and fencing tend to write off at much lower rates than those that don’t). Then they relate these characteristics to past performance to help us identify future risk.

So we would monitor the customer with those two NSF checks more than other customers, because history tells us that this is a risk identifier.

There is a lot of information out there to analyse. We view predictive analytics as a means to aggregate the important pieces of information into a delivery system that focuses our attention on the largest areas of risk. It is too difficult and slow in today’s world to attempt to pull individual reports and connect the information manually. Using both internal data (our customer’s performance history with us), and external data (our customer’s performance history with other vendors via a credit reporting bureau) gives us a full risk profile and allows us to be proactive in respect to our risk decisions. The key distinction between predictive analytics and business intelligence is that the former uses an algorithm to attempt to look forward, whereas BI is more about information aggregation to report on the past.

van der Eems: United Biscuits uses a risk map to identify risks in terms of significance and likelihood. We then assign responsibilities for each risk and develop and audit mitigation plans. Furthermore, we constantly review and update our risk map.

Hunt: The group uses a range of internal risk and capital models. We use internally defined cash and capital risk metrics to assess risk exposures across the organisation’s range of businesses, activities and projects.
Standard Life carries out a groupwide programme of stress and scenario testing. This provides us with a full understanding of the risks we are running and their potential impact, consequential capital requirements and appropriate mitigating actions.

Patel: We use two scales – one measuring the probability of a particular risk occurring, and one measuring the potential impact on the business in terms of financial consequence if the risk materialises. These are then graphed and reviewed to understand the key risks to the business and mitigating actions identified. We have recently decided to score the risks, assuming that the mitigating action is put in place, i.e. looking at gross risk and net risk.


David Horan
Horan joined DSC in 2005 as the corporate controller and assistant treasurer. As controller, Horan designed and managed the accounting and treasury functions for DSC. Prior to DSC, Horan served as corporate controller for the auto auction chain ABC. He started his career with Comcast Cable before taking the corporate controller position for JD Byrider Systems.

Jeff van der Eems
van der Eems worked at PepsiCo for 12 years in a series of senior finance and strategy roles, rising through the ranks to become CFO for PepsiCo UK and Ireland, where he was responsible for Walkers Snackfoods, Pepsi-Cola, Quaker Foods and Tropicana. He was appointed CFO of United Biscuits in 2005 and promoted to COO a year later, following the acquisition of United Biscuits by Blackstone and PAI.

Jackie Hunt
Hunt was working as CFO of Norwich Union Insurance, a subsidiary of insurance group Aviva, when the opportunity for a deputy CFO position at Standard Life arose. She joined the company in 2009 and became CFO in 2010. She also chairs the Association of British Insurer’s financial regulation and taxation committee.

Atul Patel
A chartered accountant, Patel cut his teeth at PwC before joining its management consultancy division. He was a divisional finance director within Tribal Group, responsible for the government and health divisions, before joining NCC Group as group finance director in 2011.