
CHAPTER 35 
ERM at Malaysia's Media Company Astro 
Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies

PATRICK ADAM K. ABDULLAH

Vice President, Enterprise Risk Management, Astro Overseas Limited

GHISLAIN GIROUX DUFORT

President, Baldwin Risk Strategies Inc.

This case study focuses on the implementation and use of enterprise risk management (ERM) to screen proposed investments, assess the risk-adjusted performance of a portfolio of foreign investments, and make key investment decisions at Astro Overseas Limited, the company responsible for all international investments (subsidiaries and joint ventures) for Astro Holdings Sendirian Berhad (herein known as “Astro”). We start by providing some background information on Malaysia, on its corporate governance code and practices, and risk management practices at Astro. We then describe how Astro Overseas Limited uses ERM to assess and filter potential investments, and subsequently, how ERM is implemented at successful investments. Finally, we explain how Astro Overseas Limited combines information from the risk profile and financial performance of each investment, and reflects the performance on a dashboard together with all other investments in its portfolio to make better risk/return investment decisions.

MALAYSIA

Situated between 2 degrees and 7 degrees to the north of the equator, Malaysia is a diversely populated federal democracy of 29.3 million¹ Malays, Indians, Chinese, and many other ethnic groups² who speak Malay (the official language), English, various Chinese dialects, Tamil, Telugu, and Malayalam. Its major religions are Islam, Buddhism, Taoism, Hinduism, Christianity, and Sikhism. The life expectancy of its citizens ranges from 73 years (for men) to 77 years (for women), and the literacy rate is 89 percent.³

Geographically, Malaysia is almost as diverse as its culture (see Exhibit 35.1). Eleven states and two federal territories—Kuala Lumpur and Putrajaya—form Peninsular Malaysia, which is separated by the South China Sea from East Malaysia, where we find the states of Sabah and Sarawak on the island of Borneo and a third federal territory, the island of Labuan.

Exhibit 35.1 Map of Malaysia

Source: U.S. Central Intelligence Agency's World Factbook.

Malaysia's main industrial sectors are rubber and palm oil processing and manufacturing, light manufacturing industry, logging, and petroleum production and refining. Its main exports are electronic equipment, petroleum and liquefied natural gas, wood and wood products, and palm oil. The country's gross domestic product (GDP) per capita is equivalent to U.S. $8,800, and its currency is the ringgit (1 RM being equivalent to 0.3140 USD).⁴

The country's capital, Kuala Lumpur, is at the center of the Multimedia Super Corridor (MSC), Asia's equivalent of the United States' Silicon Valley. That is where we find the head office of our company, Astro Malaysia Holdings Berhad, more precisely located at the All Asia Broadcast Center, in Technology Park Malaysia.

THE ASTRO GROUP

Established in 1996, the Astro Group is a leading and growing integrated consumer media and entertainment group present in Malaysia, Southeast Asia, and regional foreign markets, with operations in four key areas of business: pay TV, radio, publications, and digital media.⁵ It has established partnerships in different countries with A&E, Google, Lionsgate, MSNBC, and other leading media companies. Through Celestial Pictures, Astro also owns and distributes the Shaw Library, the world's largest Chinese film library. It owns Adrep as well, a national radio airtime management and sales company operating in China.

The Astro Group is comprised of Astro Malaysia Holdings Berhad (AMH), which was listed on the main board of the Malaysian Stock Exchange in 2012, and Astro Overseas Limited (AOL), which oversees all international investments.

AMH focuses on Pay-TV, Radio, Publications, and Digital operations in Malaysia and has a customer base of over 4 million residential pay TV customers or approximately 56 percent penetration of Malaysian TV households. Astro Radio operates Malaysia's highest-rated stations across key languages.

AOL holds investments in a portfolio of companies involved in Pay-TV, radio, content aggregation, creation and distribution, digital and multimedia services, and includes companies in Australia, China, Hong Kong, India, Indonesia, Singapore, Vietnam, Saudi Arabia and the MENA region, United Kingdom, and North America (see Exhibit 35.2).

Exhibit 35.2 AOL's Regional Investments

CORPORATE GOVERNANCE IN MALAYSIA

The 1997 Asian financial crisis exposed many weaknesses in the region and spurred multiple reforms, including a drive to improve corporate governance.⁶ Malaysia introduced its first corporate governance code in 2000 and revised it in 2007. In 2011, its Securities Commission established a “Blueprint” to achieve excellence in corporate governance, and in 2012 delivered a new “comply or explain” code.⁷ According to its risk management guidance, the board of directors should:

  • Establish a sound framework to manage risks.

  • Understand the principal risks of all aspects of the company's business.

  • Recognize that business decisions involve the taking of appropriate risks.

  • Achieve a proper balance between risks incurred and potential returns to shareholders.

  • Ensure that there are systems in place that effectively monitor and manage these risks.

  • Determine the company's level of risk tolerance and actively identify, assess, and monitor key business risks to safeguard shareholders' investments and the company's assets.

  • Disclose in the annual report the main features of the company's risk management framework and internal controls system.

According to the 2013 ASEAN Corporate Governance Scorecard published jointly by the ASEAN Capital Markets Forum and the Asian Development Bank,⁸ the performance of Malaysia's Top 100 companies (PLCs) in terms of conformity to recommended corporate governance principles and practices “is commendable and at the same time presents opportunities for more improvement.” Among the areas for improvement identified by the report was the “lack of disclosure of key risks (other than financial risks).”

ENTERPRISE RISK MANAGEMENT AT ASTRO

In the aforementioned corporate governance context, Astro's listed vehicle, AMH, states in its Annual Report 2013: “The Board is committed to applying and upholding high standards of corporate governance to safeguard and promote the interests of the shareholders and to enhance the long-term value of the Group. To this end, it has adopted the principles and recommendations set out in the Malaysian Code on Corporate Governance 2012.”⁹

The annual report states that the board is charged with, among other responsibilities, the review and approval of changes to management and control structures, including ERM. “The Board is committed to the implementation of Group Risk Management (GRM) as an integral part of the Group's planning practices and business processes, encapsulating the continuous identification, assessment, monitoring, and reporting of risks at all levels, from projects, [to] operations to strategy. The Group Risk Management Framework, consistent with the Committee of Sponsoring Organizations (COSO) enterprise risk management framework, sets out the risk management governance and infrastructure, risk management processes and control responsibilities.”¹⁰

The board of directors, through its Audit Committee, is assisted in these responsibilities by AMH's Group Risk Management Committee (GRMC). The GRMC meets at least quarterly, includes senior management from each business segment and unit, and is chaired by AMH's CEO. The CEO and CFO are accountable to the board of directors for the implementation of strategies, policies, and procedures to achieve an effective risk management framework.

Furthermore, Astro has linked senior executive pay to sound risk management up to the highest level of the organization: “Risk management has been identified as a key result area in the annual performance evaluation of the CEO and CFO.”¹¹

If the lack of disclosure of key risks (other than financial risks) by top Malaysian companies was noted in the 2013 Corporate Governance Scorecard mentioned earlier, it is not the case at Astro, which also follows the guidance of the Global Reporting Initiative Framework and discloses—in addition to financial risks—seven other key risks: market and competition; political, legal, and regulatory; services availability; procuring exclusive and compelling content; technology and innovation; people; and branding and reputation.

Astro is also committed to what is increasingly recognized as a key success factor of long-lasting ERM implementation: risk culture. “Risk awareness and control consciousness are integral in cultivating a good risk and governance culture among the Group employees. Risk and control briefings, online training, and a web portal are in place to facilitate the ease of reference and better understanding of the risk management framework and internal control procedures.”¹²

Finally, to ensure consistent practices, Astro has adopted the concepts and terminology of the ISO 31000 International Standard (Risk Management—Principles and Guidelines, 2009) and the COSO process to ensure the ERM program is effectively implemented.

ASTRO OVERSEAS LIMITED

We now focus on the implementation and use of ERM to assess the risk-adjusted performance of a portfolio of foreign investments and to make key investment decisions at Astro Overseas Limited (AOL), the company responsible for all international investments (subsidiaries and joint ventures).

AOL's board of directors is very experienced and oversees the company's risk management framework. The board of AOL reiterates regularly that risk management is as important as maximizing profitability, and that both should be given equal weight in establishing investment performance benchmarks. AOL's objective is to achieve investment returns that are considered reasonable given the markets in which it invests, the stage of each investment in its life cycle, and the risks of the investments. It looks at the long-term success of these investments and the risks of these companies over time, and not necessarily at short-term gain. While the board of directors is cognizant of the ERM framework and methodology, it is also mindful that the approach to its implementation varies from one investment to another depending on the size and scale of each business. In this respect, the influence of the investee company's board and audit committee plays an important role in ensuring the process is successfully implemented. Senior management needs to fully understand and appreciate that although the process is a little provocative, it is value adding and has the potential to create a more robust business. Also, for smaller investments, resources and talent may be limited, and AOL needs to extend assistance to these investee companies to implement and manage the program until such time as the investee company has adequate resources to do so on its own.

EVOLUTION OF ERM AT AOL

As we will soon see in detail, AOL has reached a level of maturity sufficient to work with the management of the investee companies to implement its ERM Framework. The evolution of AOL's ERM maturity over time is illustrated in Exhibit 35.3.

Exhibit 35.3 Evolution of AOL's Risk Management

Like many companies, AOL's approach to risk management started in a reactive mode, with a basic ability to respond to negative events. It then progressed to being able to recover as quickly as possible from a potential interruption, and then moved on to a more proactive mode with business continuity planning (BCP)—being able to prepare to ensure the continuity of critical operations and business activities in almost any circumstance. Later on, AOL started to enter the adaptive mode, with a focus of the risk management function on revenue preservation.

Now well into the adaptive stage, AOL is able to use ERM for anticipating risks before they impact employees or assets, protecting revenue generation, gaining competitive advantage, and creating value by adapting to the complex and changing media business environments one finds while investing in foreign countries and cultures. This ability plays an important part in the screening of potential investments by AOL and contributes to AOL's profitable growth strategy through international expansion.

AOL's investment strategy is to focus on businesses in the media and entertainment sector including platforms, distribution of content, and businesses closely related to AMH's core businesses, including media such as TV, radio, content creation and aggregation, Internet Protocol television (IPTV),¹³ and advertising. A major challenge for AOL is implementing ERM across its investment portfolio where it does not have a majority position. Other key challenges in terms of risk management include:

  • Implementing ERM consistently across all investments.

  • Managing differences in terms of cultures and obtaining buy-in from management.

  • Managing the expectations of board members.

ROLE OF ERM IN THE ACQUISITION PROCESS

Astro is growing through acquisitions and therefore has developed a method to systematically and efficiently screen investment opportunities. Exhibit 35.4 shows how AOL makes investment decisions through a layered investment risk funnel.

Exhibit 35.4 Making Key Investment Decisions

A first risk review of the opportunity pipeline is performed by the senior leadership team of AOL.

If that first hurdle is cleared, a second risk review is conducted. This review is led by the Business Development (BD) Team in conjunction with the ERM Team. As anyone who has ever been involved in mergers and acquisitions knows, a full risk assessment prior to an acquisition is almost impossible to carry out during the due diligence process, owing to the speed at which negotiations evolve and to their highly confidential nature. When in the process of making an investment, it is not the right time to be running risk workshops. This being said, AOL's ERM Team has established a number of key activities to be carried out during the preacquisition portion of the process, as we see in more detail in Exhibit 35.5. The result of this second risk review is either an approved investment proposal or a rejection of it.

Exhibit 35.5 Overview of ERM's Role in AOL's Acquisition Process

A third risk review is performed by the BD Team during the negotiation period. After the negotiation, if the acquisition offer is accepted and the contract is signed, AOL's ERM Team enters the most important portion of the process, the focus on implementing its ERM Framework: the operationalization phase, or the Monitor and Review panel of Exhibit 35.5.

During the Preacquisition portion of the process in Exhibit 35.5, the ERM Team uses a set of guidelines to determine a preliminary risk profile of each of the potential target companies. The word preliminary is important here. The initial evaluation will include issues related to political and regulatory risks, partner management, skills, expertise and human resources, operational influence, the company's business model, its strategy, growth plans, operations, and cultural fit. From the initial assessment come the preliminary key risks and existing risk treatments or mitigation plans required for the potential target. Once this preliminary risk profile has been obtained, the BD Team will then identify the potential acquisition's funding structure, management fees, and return on investment, as well as exit strategy options. These analyses and scenarios are then put to the test or confirmed further. Finally, the preacquisition activities conclude with a “go/no-go” recommendation to the board of directors. If the board of directors approves the investment proposal, the approval will normally have recommendations and stipulated conditions that need to be met for the acquisition to proceed.

During the monitor and review phase, the ERM Team will further develop the preliminary risk profile using the strategic objectives approved by the board of the investee company as a starting point. Based on these objectives, the ERM Team will also use specific financial and nonfinancial targets set by management to undertake their assessments. The risk profile provides further evidence as to whether the current targets can be met under existing business conditions. It is then reasonable to assume that the strategic objectives, as well as the financial and nonfinancial targets, may be adjusted once the board of the investee company is fully apprised of the risks associated with the business. Designated directors from AOL who are on the board of the investee company will work with management to make the necessary adjustments. The adjustments made are normally to ensure that objectives are reasonable and adequately robust to meet set performance targets.

AOL's ERM function adopts a consistent methodology and has an established risk dashboard and reporting templates for all companies within its portfolio. It also has developed appropriate and effective mechanisms for its implementation and use. The initial risk-based strategy review is followed by regular annual reviews over the life of the investment. Finally, AOL's ERM function has oversight and regularly monitors the risk management process of the investee company.

The postacquisition stage is concerned with the execution of an appropriate exit/divestment strategy. In the preacquisition phase, potential exit strategies are identified. In the monitor and review step, these strategies are constantly reviewed and relevant triggers determined and tracked. These are indicators or metrics with thresholds set so as to trigger the consideration of exit strategy options and eventual execution of one of them—terminating the investment. The divestment process starts when the monitoring of triggers has resulted in the decision to execute an exit strategy. The ERM Team contributes to the escalation of the recommendation to divest, through management and to the board of directors of AOL, with a focus on the risk/return aspect of the recommendation. Once the decision has been obtained from the board, where required, the ERM function helps the divestiture team to set the negotiation guidelines, assess the risk profile of potential buyers, and manage sensitive confidential information until the divestiture is closed.

THE MONITOR AND REVIEW STEP—FOCUS OF AOL'S ERM

As mentioned, the monitor and review step is focused on the effective implementation of AOL's ERM Framework. Once the investment has been made, AOL seeks to work with management to adopt and integrate AOL's ERM Framework quickly. To that effect, AOL has instituted a number of key measures to ensure not only that ERM is implemented quickly and effectively, but in addition, it seeks to have the ERM framework adopted by the business for the long term. The key measures put in place to ensure those results are achieved include:

  • A risk key performance indicator (KPI) (with an estimated weight of 10 percent tied to the compensation package) is assigned to the business heads of each investment to ensure that they are vigilant in managing their risks and implementing the necessary mitigation strategies.

  • Risk management performance is monitored on a quarterly basis, after which a report card is developed outlining the areas of compliance and areas where gaps have been identified (i.e., the proportion of their risk management actions that are on target).

  • Results are consolidated on an annual basis for review by the Remuneration Committee of the board of directors.

  • To further inculcate the ERM culture, an “Introduction to ERM” course has been included as part of the core syllabus for induction training.

AOL is sufficiently experienced at implementing ERM that it rolls out its Framework using typically 60 person-days of its own ERM Team over a three- to four-month period. However, as mentioned earlier, the plan can only materialize if there is full support from the board and audit committee of the investee company, and there is management commitment in ensuring the program meets its objectives.

Shortly after AOL has completed the investment, AOL's ERM Team identifies two or three persons from the investee company who will be trained into AOL's ERM approach and brought on board as soon as the implementation project starts. We will collectively refer to them as the Joint ERM Team (JET). The overall ERM implementation process is illustrated in Exhibit 35.6. It will culminate in the investee company having an up-to-date risk profile consisting of a risk map, a risk register, and details for each risk identified (causes, treatments, controls, action plans, and steps required to complete each action plan).

Exhibit 35.6 Typical ERM Implementation Process for Operating Entities

This process is performed in three steps: Planning, Rollout, and Sustainability.

At the Planning step, the JET starts the stakeholder management activity, first engaging with the investee company's senior management team (SMT) to explain the process, reach mutual understanding, and obtain buy-in. A risk champion is determined among the SMT members. This senior executive will be the sponsor of the ERM implementation process. A Risk Committee, which also constitutes the ERM steering committee during the implementation stage, is also formed. It will include the CFO, other senior executives, and their direct reports.

Then, the implementation project plan is devised, including its scope, time line, the project team membership, and delegation structure (number “1” in Exhibit 35.6).

As mentioned earlier, the Rollout step is performed in three phases over the aforementioned three- to four-month period, using most of the 60 person-days of AOL's ERM Team.

Phase I uses approximately 30 person-days of AOL's ERM Team and starts with awareness training sessions. The JET enters into the information gathering activity (number “2” in Exhibit 35.6), organizing the first risk workshop with the SMT. This part of Phase I uses a top-down approach. The JET members discuss the industry and business challenges of the company with the SMT. The workshop will produce a laundry list of risks, and they ask the SMT, as an initial assessment, to rank them simply, using their best judgment, as low, medium, or high.

This is then followed by the interviews stage. They may interview up to one-third of the organization (for example, 100 out of a total of 300 employees) from the bottom up. Based on the company's objectives, they ask participants what their objectives and targets are, what may impede them from meeting their objectives (these become their risks), their causes, and the risk treatments and/or controls that are already in place. The JET also uses the high-level risk list from the SMT workshop to prompt and facilitate discussions if necessary. The AOL ERM Team calls this the Level 1, or ground level, risk identification. At this level, risks are neither screened nor validated (they are not yet what they call “sanitized”).

Then, the JET interviews Level 2 managers, who are the direct supervisors of Level 1 interviewees. As with the previous stage, they perform first a zero-based risk identification discussion with Level 2 managers. This is followed by discussions on the list of risks and causes as identified during the Level 1 analysis/results. The JET looks for agreements and disagreements and tries to balance them out.

Based on Level 1 and Level 2 results, the JET “sanitizes” the risks and causes, which means that they regroup some risks and eliminate others that seem out of place based on the JET's business judgment and experience in risk management. They then bring the “sanitized” and prioritized risk list to the company's SMT. At this point, the risk register is constituted of only a one-dimensional rating (low, medium, or high), together with the causes of risks and treatments and controls in place.

This is the end of Phase I, and the AOL ERM Team gives the investee company a period to consider, analyze, and think about both the top-down risk list and the bottom-up one, before starting Phase II.

Phase II uses approximately 20 person-days of AOL's ERM Team. Combining the top-down and bottom-up results, the JET typically finds that 75 percent of the risks are common and 25 percent may be different. The JET and SMT reconcile them through what AOL calls a “dispute/validation” workshop. The investee company's risk register is then agreed to. Next, the JET asks the SMT to assign, among themselves, a risk owner for each of the identified risks.

Depending on the nature and size of the business, there may be between 10 and 20 risks for each investee company. Those risks are managed by the investee company, and AOL has oversight of the process. The JET and SMT use the overall rating of low, medium, and high to determine the company's top 10 risks.

The JET then commences the risk profile development activity (number “3” in Exhibit 35.6). The team members discuss each risk with its owner individually. During the meeting, they address the risk's causes, its probability of occurrence, and the impact (or “consequence” in ISO 31000 terminology) if it materializes, taking into consideration the existing risk treatments and controls already in place as the case may be. To identify the root causes of the risk, the team drills down to a reasonable depth. This process requires judgment and experience. As an indication, they may go as far back as three years in terms of data history, but not much more, as they find that drilling further down tends to bring diminishing returns compared to the expense and effort involved. The JET and risk owner also look at the strength of each of the controls in place, asking themselves: “Is it sufficient or not?” In other words, they use a binary decision method. If the JET and risk owner find that control is lacking, the JET works with the risk owner to determine what should be done and to establish action plans to treat the risk accordingly. This is the end of Phase II.

The JET populates the risk profile, including the risk map, and sends them back to risk owners with their action plans. Following the end of this phase, the JET and risk owners enter a two-week period of follow-up and challenges. The JET encourages risk owners to think outside the box while also considering the costs of their existing treatments, controls, and key action plans.

Phase III uses approximately 10 person-days of AOL's ERM Team. This phase starts with a third SMT risk workshop. The company's risk profile, including the risk map and the key risk action plans, is reviewed collectively and challenged. Again, this is a validation workshop. The validation process allows the SMT, for instance, to ensure that one action plan does not duplicate or contradict another action plan or existing treatment and/or control. Once the key risk action plans have been validated by the SMT, the JET meets again with risk owners individually to revise those action plans and reassess their cost/benefit analyses as required. The JET returns to the SMT with the risk map and action plans, including their cost/benefit analyses. The SMT provides final validation of the risk profile, including risk map, action plans, costs or budgets needed, and the time line to implement the action plans.

Finally, the Sustainability step is performed on a continuous basis (number “4” in Exhibit 35.6). It consists of monitoring the risk profile of the investee company and reporting it to the board (see Exhibit 35.7).

Exhibit 35.7 Reporting and Monitoring Structure

The risk owners selected by the investee company will then implement key action plans by project-managing the deliverables. The action plans are broken down into key action steps and target dates for completion. The ERM Framework (see Exhibit 35.8) is handed over to the local ERM Team, which consists of the local members of the JET and must include at least two persons who have been trained by AOL's ERM Team.

Exhibit 35.8 AOL's Risk Management Process

The Vice President of Enterprise Risk Management (VPERM) of AOL's ERM Team serves as a liaison between the operating company's ERM Team and the SMT to ensure that everyone is on the same page in understanding what is expected in terms of risk management. AOL's VPERM undertakes reviews with the investee company (and all other companies in the portfolio) every six months by meeting and discussing with the CEO, the SMT, and the local ERM team, to monitor the risk management process at a high level.

In between those reviews, there are monthly meetings and a comprehensive formal quarterly review by a representative of AOL's ERM Team, the local ERM team, and the risk owners to monitor the execution of the action plans, revisions required for the risk profile, and reporting on risks.

Once action plans for a risk have been completed, they become treatments or controls. The ERM team monitors the effectiveness of these controls and if they are working effectively, it contributes to the establishment of the risk's trend in ranking—stable, up, or down—as part of the regular reporting process.

Emerging risks are also considered regularly. Once a key emerging risk has been identified and considered significant, an assessment process similar to the rollout described earlier, including phases I, II, and III, is performed for that risk.

RISK PROFILE: RISK MAP AND ACTION PLANS

As explained earlier, the investee company's risk profile includes its risk map and set of assessments and action plans for each key risk. As shown in Exhibit 35.8, AOL's risk map is represented using a 4 × 4 matrix of impact versus likelihood/probability, with scales ranging from 1 to 4, “4” representing the highest probability or impact. When two risks are symmetrically placed in the matrix vis-à-vis its diagonal, for instance, one with ratings of probability “2” and impact “3” and the other with ratings of probability “3” and impact “2,” a higher priority is given to the risk with the higher impact.

Exhibit 35.9 illustrates how AOL tracks its summary risk profile on risk maps, identifying the inherent or gross risk rating (the level of risk that would prevail in the absence of treatments), the residual or net risk rating (the actual level of risk given the existing treatments in place), and the target risk rating (the appetite for that risk, which will be achieved through the execution of the key action plans).

Exhibit 35.9 Risk Map Displaying Inherent/Gross, Residual/Net, and Target Risk Ratings

To give these concepts more concrete meaning, consider a hypothetical investee company of AOL, Trex Radio, operating in the Socialist Republic of Vietnam. To simplify matters, let's assume it focuses on six key risks, as displayed on the summary risk map of Exhibit 35.10, where risks are displayed on a net basis (residual risks).

As can be seen from Exhibit 35.10, AOL uses a numbering system whereby the first number represents the likelihood (or probability), and the second one the potential impact if the risk materializes. This map shows simply the existing risks, but as the legend at the bottom of the chart indicates, AOL can also highlight existing risks that have been redefined and/or reranked, as well as new/emerging risks.

Exhibit 35.10 Risk Map of Trex Radio, Vietnam, a Hypothetical AOL Investee Company

For illustration purposes only, Exhibit 35.11 shows what this means concretely for one hypothetical yet realistic key risk, that of R2, the ability to develop creative and compelling content.

Exhibit 35.11 Detail of Risk Profile—R2

This example considers a typical key risk that any media company faces, which is the ability to develop creative and compelling content that attracts and retains a target audience. In this illustration, we consider the radio programming of the hypothetical Vietnam subsidiary, Trex Radio. To better understand the following considerations, the reader should note that the key radio period for listenership in Vietnam is the morning breakfast time period.

As can be seen from the Risk Explanation section, Trex Radio needs to acquire/develop and protect unique quality content that will differentiate itself from the competition and sustain or increase listenership and advertising revenues. One of the potential causes that may put this ability at risk has been identified as “Changing listeners' trends and preferences” that would not be matched by the company. Without any risk treatment, Trex Radio has determined that the gross risk rating is “4,3,” which means probability 4, impact 3, which lies in the “red zone” (upper right area in chart).

The existing treatments/controls are also explained: Trex Radio commissions traditional market research and online surveys, and it nurtures its own talent to differentiate itself. With these treatments in place, the current net risk rating is “4,2,” which means that the existing treatments do not reduce the probability that the risk will occur, but will reduce its impact if it does occur—yet not sufficiently to move it from the “red zone.”

The appetite for that risk, the target risk rating, is “2,2” (which would bring the risk in the “green zone,” lower left area in chart). Some key action plans have been identified and selected to bring the probability down two notches, and they are listed in the exhibit. One of them is: “Key shift producers to be migrated into employment contracts and away from vendor relationship.” How would this action reduce the probability of the risk that changing listeners' preferences creates a mismatch between their needs and the company's programming? The answer is that by enticing key shift producers to become employees as opposed to freelancers (for instance, by revising their pay and reward upward—see next key action in the list of the exhibit), the company will be in a better position than its competitors to quickly anticipate the programming changes necessary to keep in line with potential shifts in its audience's needs. Also, another action plan geared toward increasing emotional attachment of the producers to the station is: “Introduce a KPI for producers to track the increase in audience listenership by 100 percent from current standing through direct engagement over radio, social media, mobile apps, and phone listenership.” This action plan is geared toward building loyalty, and producers are rewarded accordingly for meeting the set targets.

Of course, all of these treatments and action plans have a cost. As explained previously, a cost/benefit analysis of these actions must be performed and a budget justified and approved.

Exhibit 35.12 illustrates a hypothetical yet realistic action plan for another typical risk for a radio company, Trex Radio's R5 risk: the ability to expand and improve broadcast coverage.

Exhibit 35.12 Detailed Action Plan—R5

As explained previously, action plans are broken down into key action steps featuring “Action by,” “Target date,” “Status,” and “Remarks” columns. In this case, key action number 1 to reduce the risk R5 (ability to expand and improve broadcast coverage) is to contract the telecom company Vietnam Telecom to upgrade and improve Trex Radio's transmission in key markets for 10 years. It has been broken down into six action steps, from a) Liaise with General Counsel to f) Commissioning and handover. The Status column has four possible states: (1) a check mark when the action step has been completed, (2) a green circle when it is on target, (3) a yellow circle when it is at risk of delay, and (4) a red circle when it is overdue. This is to ensure that the agreed action plan is project-managed and delivered on a timely basis. Note: Since the exhibit is printed in grayscale, green appears as the lightest shade in the exhibit, yellow as the middle shade, and red as the darkest shade.

THE INVESTMENT PERFORMANCE DASHBOARD

As is appropriate for a book on ERM cases, we have focused much of the chapter on AOL's ERM Framework. But since our goal is to show how it is used in practice to make risk-based investment decisions on a portfolio of foreign investee companies, we now turn our attention to the investment side of the equation. Exhibit 35.13 illustrates AOL's formula to build its investment performance dashboard.

Exhibit 35.13 Investment Performance Dashboard Formula

The investment performance dashboard is a matrix that allows comparing the operating entities in the portfolio to one another using their current investment value on one axis and their total investment performance score (TIPS) on the other (see Exhibit 35.13). The former is obtained through recognized valuation methodologies such as the discounted cash flow (DCF) method, while the latter is the sum of two risk scores: the qualitative investment risk score and the quantitative financial risk score.

The qualitative investment risk score is obtained by using the risk map of the top 10 risks of the investee company. AOL's approach to obtain this score is to multiply the probability by the impact for each of the top 10 risks and to add them up. A lower score means a safer investment with a lower risk profile (safer from an investment standpoint). The maximum score possible is 10 × 4 × 4 = 160.

The quantitative financial risk score is obtained by looking at the deviations from the plan of four financial metrics: gross revenue; profit after tax and minority interests (PATMI); earnings before interest, taxes, depreciation, and amortization (EBITDA); and free cash flow. For each metric, a score is derived from the variance between its budgeted amount and the actual number realized. The score can range from 0 (when there is a positive variance or no variance) to 10 (when the variance is –50 percent). A lower score is indicative of a more robust financial management and means a safer investment from a financial point of view.
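The scoring arithmetic of the two paragraphs above, combined with the impact-first tie-break from the risk map section, as an added example that is not AOL's own tooling. Ranking by probability × impact, the linear scale between 0 and –50 percent, the cap at 10, the summing of the four metric scores, and every sample figure except R2's net rating of 4,2 are assumptions.

```python
from dataclasses import dataclass

MAX_RATING = 4                 # the chapter's risk map is a 4 x 4 matrix
FULL_SCORE_VARIANCE = -0.50    # a -50 percent variance scores the full 10

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int           # 1..4, first number of a rating such as "4,2"
    impact: int                # 1..4, second number

    def __post_init__(self):
        for rating in (self.probability, self.impact):
            if not 1 <= rating <= MAX_RATING:
                raise ValueError(f"{self.name}: rating {rating} is off the map")

    @property
    def exposure(self) -> int:
        return self.probability * self.impact

def prioritise(risks):
    # ASSUMPTION: rank by probability x impact. The tie-break is the chapter's:
    # of two mirrored risks (2,3 vs 3,2) the higher impact comes first.
    return sorted(risks, key=lambda r: (r.exposure, r.impact), reverse=True)

def qualitative_score(risks, top_n=10):
    # Sum of probability x impact over the top risks; maximum 10 * 4 * 4 = 160.
    return sum(r.exposure for r in prioritise(risks)[:top_n])

def metric_score(budget, actual):
    # 0 for a positive or zero variance, 10 at -50 percent (both from the text).
    # ASSUMPTION: linear in between, capped at 10 for anything worse.
    if budget <= 0:
        raise ValueError("variance is undefined for a non-positive budget")
    variance = (actual - budget) / budget
    if variance >= 0:
        return 0.0
    return min(10.0, 10.0 * variance / FULL_SCORE_VARIANCE)

def financial_score(metrics):
    # ASSUMPTION: the four per-metric scores are added together.
    return sum(metric_score(b, a) for b, a in metrics.values())

def tips(risks, metrics):
    # Total investment performance score = qualitative + quantitative score.
    return qualitative_score(risks) + financial_score(metrics)

# Constructed sample; only R2's net rating of 4,2 comes from the chapter.
SAMPLE_RISKS = [Risk("R1", 2, 3), Risk("R2", 4, 2), Risk("R3", 3, 2),
                Risk("R4", 1, 4), Risk("R5", 2, 2), Risk("R6", 1, 1)]
SAMPLE_METRICS = {             # metric: (budget, actual), constructed figures
    "gross_revenue": (100.0, 90.0), "patmi": (20.0, 15.0),
    "ebitda": (40.0, 44.0), "free_cash_flow": (10.0, 4.0),
}
```

Calling `tips(SAMPLE_RISKS, SAMPLE_METRICS)` on the constructed data adds a qualitative score of 29 to a financial score of 17, and `prioritise` places R1 (2,3) ahead of R3 (3,2) because of its higher impact.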

As stated earlier, the investment performance dashboard (Exhibit 35.14) allows AOL to compare its portfolio of operating companies based on their value on the vertical axis and their total investment performance score on the horizontal axis. In the matrix, the higher the value of the investment, the more sensitive AOL is to its risk score. Investments of low value (bottom row) are in the green zone as long as they don't reach the 240 TIPS point. Conversely, investments of USD 50 million or more are never in the green zone and require a regular monitoring of their risk score—from both an ERM and a financial variance point of view. Note: Since the exhibit is printed in grayscale, yellow appears as the lightest shade in the exhibit, green as the middle shade, and red as the darkest shade.

Exhibit 35.14 Investment Performance Dashboard

Exhibit 35.14 places the hypothetical AOL investee company, Trex Radio (investee company B1 in the chart), alongside eight others on the investment performance dashboard for comparison purposes. We can see that Trex Radio is in the green zone and that AOL would probably track more closely other subsidiaries such as B9 (TV Manila), B4 (Channel 2 HK), and B5 (IPTV Dubai).

As the legend states, the color-coding of the dashboard is based on:

  • The value of AOL's investment

  • The financial performance and risk management of the investee company

  • The effectiveness and timeliness of key risk action plans

The green zone (the lightest shade of gray) represents investee companies where the potential impact on AOL is low due to the size of the investment and/or there are adequate controls in terms of risk management and financial performance. The yellow zone (the middle shade) indicates a medium potential impact due to the investment's size and/or deficiencies in management (e.g., not meeting targets or delays in completion of plans). The red zone (darkest shade) indicates a need for urgent attention because of a high potential impact due to the size of the investment and/or performance is far below expectations—the company cannot produce results and suffers major delays in the completion of action plans.

Of course, these are simplified guidelines that need to be filtered through sound business acumen. A large investment that performs impeccably might not require urgent attention but consistent monitoring and review, while a smaller one that performs poorly may fall in the red zone instead of the yellow one. These guidelines have proved useful over time in assisting with the management of AOL's portfolio of investee companies.

AOL tracks its portfolio's investment performance dashboard on a quarterly basis (see Exhibit 35.15). Exhibit 35.16 displays a hypothetical variation from one quarter to the next. AOL's ERM Team is able to explain the variations in terms of either the valuation of the investment, the financial risk variance, or the investment risk score. It should be noted that a reduction in value of the investment is considered positive insofar as it is voluntary, for instance, when AOL sells a portion of its participation. If the reduction in value happens without a change in AOL's stake in the company, further investigation is required to determine the risk associated with such a negative change and to make adequate investment recommendations to the board of directors, as will be shown in the next exhibit.

Exhibit 35.15 Investment Performance Dashboard Comparison

Exhibit 35.16 Investment Performance Dashboard—Quarterly Movements

HELPING THE BOARD MAKE INVESTMENT DECISIONS

Exhibit 35.17 shows how AOL's ERM Framework ultimately assists its board of directors in making key investment decisions about its portfolio of foreign investee companies.

Exhibit 35.17 Assisting the Board in Making Key Decisions

Horizontal movements in the investment performance dashboard represent a change in the performance score. On that front, an increase in the performance score requires more attention. But a decrease in the performance score (financial or risk scores) may also call for further analysis, because, as we know from the risk/return relationship, a reduction in the risk profile may also mean a corresponding decrease in profitability that, if sustained, would mean a relative stagnation in AOL's investment value in the future. Possible strategic decisions for that axis of the dashboard range from reviewing the business model, the strategies, the financial processes, or the capital required to sustain or grow the business, to simply divesting it.

Vertical movements in the investment performance dashboard represent a change in investment value. As explained earlier, a reduction in value indicates a lower risk in the matrix as long as it is a result of selling a portion of the business. Otherwise, a decrease in valuation is obviously a negative sign. The possible actions are similar to those above: review with a view to maintain or to divest.

CONCLUSION

This case study illustrates how a structured and diligent approach to ERM implementation, monitoring, and reporting can add value not only to the investee company adopting it, but also to the parent company having to make investment decisions for its portfolio of direct foreign investments. For this case study, we showed how the investment performance dashboard could allow a company to compare investment value to total investment risk score and compare profitability to overall risk. Without being fully quantitative, this approach brings the management of a portfolio of direct investments closer to the risk/return management of a portfolio of financial investments.

QUESTIONS

  1. Identify some reasons why risk management practices might not take off and/or be embedded effectively in an investee company.

  2. Who should participate in the ERM process to ensure successful implementation of this on-going program?

  3. What should the CEO's role be for the successful implementation and on-going performance of an ERM process?

  4. How will senior management benefit from supporting ERM implementation?

  5. Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?

  6. What do you think is the best approach in ensuring a successful implementation of ERM? Please provide a few different elements.

NOTES

  1. BBC News Asia-Pacific, May 23, 2013. www.bbc.co.uk/news/world-asia-pacific-15367879.

  2. Tourism Malaysia, November 17, 2013. www.tourism.gov.my/en/my/Web-Page/About-Malaysia.

  3. National Geographic, November 18, 2013. www.travel.nationalgeographic.com/travel/countries/malaysia-facts.

  4. Financial Times, November 18, 2013. www.ft.com/intl/markets/currencies.

  5. Astro Malaysia Holdings Berhad's Annual Report 2013.

  6. Ibid.; Corporate Governance on Asia, Asian Roundtable on Corporate Governance, OECD, 2011.

  7. Malaysian Code on Corporate Governance 2012, Securities Commission Malaysia, March 2012.

  8. “ASEAN Corporate Governance Scorecard, Country Reports and Assessments 2012–2013,” Joint Initiative of the ASEAN Capital Markets Forum and the Asian Development Bank, Asian Development Bank, 2013.

  9. Astro Malaysia Holdings Berhad's, “Go Beyond: Annual Report 2013,” 48.

  10. Ibid., 55.

  11. Ibid., 55.

  12. Ibid., 56.

  13. Internet Protocol television is a system through which television services are delivered using the Internet Protocol suite over a packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite signal, and cable television formats.

REFERENCES

  1. Asian Development Bank. 2013. “ASEAN Corporate Governance Scorecard, Country Reports and Assessments 2012–2013,” Joint Initiative of the ASEAN Capital Markets Forum and the Asian Development Bank.

  2. Astro Malaysia Holdings Berhad. 2013. “Go Beyond: Annual Report 2013.”

  3. Securities Commission Malaysia. 2012. Malaysian Code on Corporate Governance.

ABOUT THE CONTRIBUTORS

Patrick Adam Kanagaratnam Abdullah is the Vice President of Enterprise Risk Management (ERM) for Astro Overseas Limited (AOL). He specializes in the implementation of ERM practices across AOL's investments, which are located primarily in Asia Pacific. He has over 21 years of experience in safety and crisis management and 17 years in risk management that includes ERM and Business Continuity planning. He is also responsible for statutory compliance monitoring and reporting for the AOL group of companies. He has a BSC (Hons) in Environmental Management from the Science University of Malaysia (USM). He also has an Accredited Safety Auditor Certification from Edith Cowan University, Western Australia. He represents Malaysia as a Board member of the Pan-Asia Risk and Insurance Management Association (PARIMA), which has been set up to promote professionalism and a high and efficient standard of competence for risk management practices in Asia. When required, he also presents ERM and Business Continuity planning papers at conferences, and facilitates work group discussions on risk management practices.

Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc., a consulting firm advising boards of directors and management teams on risk governance and ERM. He has 25 years of experience in management, risk, international business, and consulting, including at Transcontinental, Willis, Hydro-Québec International, the Mathematical Research Center, and Export Development Canada. He headed an international business program and taught at the HEC Montreal Business School. He is a graduate of the London Financial Times Non-Executive Director Diploma, has an MBA from McGill University, and an M.Sc. in Applied Mathematics and a B.Sc. in Physics from the University of Montreal. He is a member of the Strategic Risk Council of the Conference Board of Canada, of the London-based Institute of Risk Management (including its Global Education Advisory Board and Panel of Judges for its Global Risk Awards), and of the Institute of Risk Management of South Africa. He writes on risk and participates in international risk conferences as chair and speaker.