Too little or too much: What is the right amount of risk management for your company?

Commodity based businesses (including energy firms) are experiencing dramatic changes in economic and market conditions resulting in significant growth and consolidation activities. Within these dynamic conditions, your Risk Managers have a challenging role protecting your enterprise against a cataclysmic event. They must balance the need for practical, cost-effective approaches while mastering very complex problems. One consequence of this difficult balancing act is that risk management practices vary widely among firms in the same industry. Many firms underemphasize and under manage risk, while across the street similar companies may over complicate or over manage risk. However, the right balance can be struck by designing a risk management framework that considers strategy, people, process, and technology – in that order.

Developing the right fit for your risk management framework requires the following steps:

  1. Adapting your risk policy to integrate with your business strategy
  2. Matching your organization with your risk management needs and tolerances
  3. Tailoring your risk processes to your organization, and
  4. Supporting your risk management goals through your systems and technology
Diagram 1


Refer to Diagram 1 above which illustrates an evolving framework we used for one of our clients supporting the use of people, processes and technology to ”right size” a risk management framework for their trading organization.

Step One: Adapt an enterprise risk policy to your business strategy

The foundation of a good risk framework is close integration with your business strategy, goals and objectives. One policy does not fit all business models, and business models vary widely within the same industry sector. In our view this is one of the most important functions of the risk professional but is often underemphasized. The following key questions should be considered during this step – the “design” of your firm’s policy:

  • What are the greatest existential threats to your business? Not every business model is exposed to market, credit, and operations risks. Often several of these are dominant.
  • What risks should and should not be hedged? Most businesses have risks that cannot be hedged, sometimes existing alongside risks that should be mitigated. It is not always straightforward to identify these.
  • What are benchmarks against which risk should be evaluated? As an example, energy firms take very different approaches to defining and managing the crack spread inherent to the refining business. Although these approaches vary, we believe all refiners are improved by adopting a “policy benchmark” and assessing risk relative to that policy.
  • Would a new or revamped “book structure” improve your risk and performance measurements? These analyses should be granular enough to distinguish different business functions or elements of your business cycle or supply chain, since you cannot manage what you cannot measure.
  • Are you properly considering risk capital in your performance measures and rewards? All things being equal, you should reward efficient use of risk capital.

Business strategies and goals will continue to evolve and never remain as designed. Like your business strategy, your risk policy should undergo regular evaluation to adjust it as needed. A good rule of thumb is that risk policies and business risk changes should be reviewed on a monthly or quarterly basis. This review is the primary responsibility of a Risk Steering Committee and a key element of effective risk governance.

Reviews by your Risk Steering Committee should include several important questions:

  • What market risks have arisen or resulted from changes in your business strategy?
  • What counterparty credit risks do you face given changes in the industry and firm?
  • What new operational risks could impact the firm (including environmental, political, regulatory, reputational, “key-person”, misconduct, natural disasters, etc.)?

Risk management should also be a component of the strategic planning process. For example, one of our clients was a refiner utilizing a multi year roadmap to increase its trading and risk management (TRM) capabilities from hedging standard supply chain processes to more complex asset backed trading strategies. Their strategy roadmap included improved risk management capabilities in the form of additional organization roles, new business processes, and improved technical tools. They invested a total of $10 million over 5 phases implemented over 5 years, to increase gross margin by 50%. Thirty-five percent of the investment represented improvements to the company’s risk management capabilities, as these enabled the business strategy changes and the significant increase in margin while minimizing their business risks.

Such changes and capability improvements do not come quickly, often involving multiyear strategic plans. By pairing business and risk management milestones in these plans, teamwork and participation can be nurtured. Following are several examples of how our clients have encouraged front and mid office collaboration through joint goals or milestones:

  • Increasing trading volume contingent on completion of a specific risk analysis capability
  • Entering new markets only after completion of a rigorous risk management system implementation
  • Increasing trading bonus pools after implementation of risk adjusted performance measures

Step Two: Match organizational capabilities with risk management needs and tolerances

Once your enterprise adapts its risk policy to your evolving business model, your next step is to align your organizational capabilities with your risk management needs. For example, in an energy trading firm where we consulted, one option trader in the front office did not represent the total organizational cost of trading options. We recommended adding risk analysts who understood option pricing and exposure in the middle office, and accountants who understood option transactions and derivatives accounting in the back office. The addition of more personnel ensured the entire risk organization provided adequate risk management capabilities in order to stay on top of ever-changing risks. The focus was to provide adequate organization capabilities that were neither over nor under invested relative to the firm’s needs.

When a manufacturer where we consulted made the strategic decision to significantly extend its trading capabilities to augment its physical manufacturing operations, it resulted in the decision to assemble a full-time, risk analysis team. As the manufacturer started realizing its commercial ambitions, the leadership delegated hedging and trading responsibilities to a newly formed team of senior risk analysts in order to improve the financial performance of its assets. They understood strong risk management functionality begins with goal setting, utilizing analysts who have the capability to properly assess the risk of the firm’s current and planned business in accordance with the overall strategy of the organization.

To design their risk organization, we helped the leadership team evaluate alternative organizations to support different levels of commercial activity and “risk appetites.” They designed an organization capable of managing the increased trading and risk management activities before hiring the team’s senior members. The analysts ran regular risk management reports, which were communicated via email to everyone in the enterprise. Regular communication, coupled with training, ensured everyone understood, supported and could act on their risk assessments.

Below (Diagram 2) is a sample of the analysis we prepared to quantify the cost of expanding the risk management organization.

Diagram 2 of Risk Professional Cost per Trader


Three: Tailor risk management processes to organizational complexity

After building the organization, the focus moves to the design of the risk methodologies and processes. They should balance coverage of the business model with a clear understanding of the risk management processes which will be used by the entire organization. Depending on organizational complexities, qualitative methods may best manage some problems, while quantitative methods may be better suited or other requirements.

We have found that firms who operate physical assets, such as ships, pipelines and plants, in addition to firms operating safety, security, environmental and loss prevention assets and preventative maintenance, often find qualitative methods most effective. Moreover, firms with little risk of counterparty credit default do not need to run complex credit simulations. In this case, a risk management process could be as simple as monitoring credit utilization and agency ratings. On the other hand, firms with complex counterparty credit exposure need more sophisticated efforts of quantifying their credit exposure and opportunity costs. Firms with trading and marketing activities that are not complex or significant to the business model likely do not need to run probabilistic risk measures, such as Value at Risk (VaR)1 or other risk models. Position and financial exposure reports may adequately measure risk exposure.

Diagram 3


For more complex business models involving physical assets and/or numerous financial transactions, more advanced quantitative risk analytics may be warranted. Asset-based or supply chain businesses often require a benchmark and/or an advanced book structure, to enable the discrete measurement of the performance for each function. Otherwise, commingled activity and results make it difficult to judge the performance of each area.

Diagram 3 is an illustration we used with a refining client to separate their book structures into 4 areas: Crude Supply and Trading, Refining,Product Supply and Trading, and Renewables.

It was difficult to judge the performance of the co-mingled functions, but this simple structure allowed us to monitor the performance of these important business components. As they became more sophisticated, we added more books, for example, separating supply and trading before and after the refinery, storage, etc. This allowed finer differentiation of activities such as forecasting errors and inventory management. See the expanded book structures in Diagram 4.

Diagram 4


Four: Support risk management goals through systems and technology

Facilitating faster, better, and more accurate decisions is the primary goal for risk technology. If the technology does not help your team make better risk management decisions in a timely fashion, it is either inadequate or overdone. Keeping this in mind particularly helps small to medium size organizations, where overcomplicating risk technical solutions may pull limited resources away from other activities and can prove expensive.

With the exception of start-ups, spreadsheets should not be relied on as the official risk management system. While excellent for prototyping new methods, they are too weak as production tools, difficult to institutionalize and prone to error. However, spreadsheet prototypes are useful for familiarization with various risk analytics before moving to more formal, controlled systems. Before developing spreadsheet-based risk analysis prototypes,commit to replacing them with better systems at a future date.

Diagram 5


The processes and technology surrounding risk analytics is hard to right-size. Firms often under invest or over invest in risk analytics. Under investment is more common, as illustrated by a survey we conducted of 32 active energy risk management firms.

In this survey, almost half, 47%, of the surveyed companies are either under or over invested in risk systems and analytics. This is due, respectively, to an under or over appreciation of these tools. This is compounded when senior management in the firm has a limited understanding of these processes and systems.

Ironically, it is not difficult to demystify risk analysis and tools. We have found that combinations of visual prototypes and training are useful at all levels of the organization. Often this training is the most important part of risk system implementations, providing both analysts and C-level executives a solid understanding of the important principles, not the detailed mathematics, behind these tools.


An effective risk management framework must include:

  1. Risk policies tailored to your specific business model
  2. Front-to-back office organization capabilities that match risk management needs
  3. Risk management processes tailored to the complexity of the organization and
  4. Systems that support (not lead) risk management goals

Understanding your business strategy and adapting your risk management strategy to support it is the best basis for your risk management organization, processes and technology. Time must be spent to think through each component with a view of the future demands to ensure that flexibility is balanced with an adequate risk framework. The key is to create your risk framework around an “adequate” approach and not to develop a framework that is either too complex, or too simple. It doesn’t have to be complicated; successful risk management includes clear policies that anyone in the organization can understand, use and support. 

¹Value at Risk (VaR) is a measure of the risk of financial and physical assets. It estimates how much a financial or physical asset might lose, given normal market conditions, in a set time period such as a day. Firms and regulators in the financial industry traditionally use VaR, although the measure is also subject to wide criticism.