Risk Management for Nokia

I Contents

1. Introduction

2.1 Definitions and Concepts of Risk Management
2.2 The Risk Management Process (Tools and Techniques)

3. Different Types of Generic Risks
3.1 Product and Market Risk
3.2 Strategic Risk
3.3 Financial Risk
3.3.1 Equity Risk
3.3.2 Liquidity Risk
3.4 Political Risk
3.5 Environmental Risk
3.6 Reputation Risk

4. Types of Risks that Nokia Faces
4.1 Product and Market Risk
4.2 Strategic Risk
4.3 Financial Risk
4.3.1 Liquidity Risk
4.3.2 Equity Risk
4.4 Political Risk
4.5 Environmental Risk
4.6 Reputation Risk

5. Strategies for Nokia to Manage Risks
5.1 Diversification & Product Development
5.2 Alliances
5.3 Market Research and Marketing
5.4 Staff Development/ New Staff
5.5 Insurances
5.6 Sustainability
5.7 Control, Observation & Assessment

6. Conclusion

II Bibliography

III Table of Figures

IV Appendix

1. Introduction

Tremendous events like 9/11, the huge property/ banking/ debt/ euro crises, failing projects like Heathrow Terminal 5 or the instable political situation in many countries of the Middle East - just a few examples of events that have made people and organisations more aware of risks and uncertainty. Therefore, risk management has been gaining more and more in importance since the 1970s and is included in most organisations’ policy nowadays. (Merna & Al-Thani, 2008, p.40 [Online])

However, even if the connotation of the word “risk” in our everyday language is quite negative, risks do not just mean threats (also called “downside risks”) but they can also provide opportunities (“upside risks”) . (Woods, 2011, p.22)

Consequently, “avoiding a risk may mean avoiding a potentially huge opportunity” (Frame, 2003, [Online]), which makes risk management a complex matter that is essential to be considered thoroughly by every organisation that is interested in long- term profitability.

2.1 Definitions and Concepts of Risk Management

There are many different definitions for “risks”. The ISO Guide 73, for instance, describes risks as “the combination of the probability of an event and its consequences” (Woods, 2011, p.22) and Merna & Al-Thani put it in a nutshell by defining them as “the likelihood of something undesirable happening in a given time”. (2008, p.10 [Online])

In order to be prepared for those “undesirable” events, to tackle, mitigate or even prevent them from happening, organisations employ risk managers. It is their task “to identify risks specific to an organisation and to respond to them in an appropriate way.” (Merna & Al-Thani, 2008, p.2 [Online])

Merna & Al-Thani (2008, p.9 [Online]) state that nowadays most decisions are taken “purely on a financial consequences basis”, meaning that organisations consider financial loss as the most decisive negative outcome of a risk. It depends both on the industry and on the attitude of the leading people in the organisation if decisions are taken rather on a risk-averse or risk appetite basis. On the one hand there are situations in which “the returns on a project justify taking risks” , but in other cases “the extent of theses consequences (losses) if the risk materialises” are too high to be acceptable. (Merna & Al-Thani, 2008, p.9 [Online]) Therefore, an organisation has to realistically evaluate the situation in order “to determine how much uncertainty to accept as it strives to grow stakeholder value” . (COSO, 2004, p.1 [Online])

The most basic tasks of a risk manager are the assessment of the internal and external environment of an organisation and the identification of the likelihood (probability) and the impacts (consequences) of risks. (Edmead, 2007 [Online]) Under consideration of the company’s values, attitude and the general circumstances, an evaluation can be made before the action plan is implemented. This is also called the risk management process, which will be explained in greater detail in 2.2.

2.2 The Risk Management Process (Tools and Techniques)

As risk management is still developing, there are many different underlying concepts and strategies which result in different standards on international, national and even organisational levels. This becomes especially apparent when it comes to the risk management process. Many different graphics can be found; some containing more and others less steps that differ in terminology, order and emphasis.

However, the basic principle of all the different models is the same, as there need to be 5 main steps: Identification of the risks, assessment, treatment/response, reporting and finally controlling/monitoring. (Woods, 2008, p.31) Those can, for example, be found in the ISO 31000 model (2009), or in the COSO Cube which is shown in the figure below. COSO is an abbreviation for “Committee of Sponsoring Organizations of the Treadway Commission“, which is a voluntary private organisation from the US. It has developed a sophisticated model, that does not just show risks as a one-dimensional flow-chart, but in a three-dimensional way that includes all the different levels that are affected by risks and have to be considered in its management.

illustration not visible in this excerpt

Figure 1 COSO Cube

First of all, the risks that an organisation faces have to be identified, for which both the internal and the external environment have to be assessed (Merna & Al-Thani, 2008, p.3 [Online]). This means a risk manager needs to have knowledge about the company, its objectives, culture, attitude towards risks, the market itself, competitors, etc. Under consideration of all these aspects, he will be able to identify risks and opportunities that “might affect the achievement of objectives”. (Woods, 2011, p.30) A few examples of techniques that can be used in order to identify the risks are brainstormings, questionnaires, checklists, interviews, workshops, flow charts, inspection and audits as well as SWOT and PESTLE analyses. (Woods, 2011, p.34)

After the risks have been identified, they have to be quantified and prioritised. (Merna & Al-Thani, 2008, p.9) To be able to determine the likelihood of a risk to happen, the source and the motivation of the threat have to be analysed, as well as the capability of the source. (Edmead, 2007 [Online]) The combination of the likelihood and the impact of risks can then be identified in a likelihood chart or table, which enables the ranking of them by calculating a score for every single risk (see figure 2). Thus the risk manager will be able to assess the significance of the risks and can decide where to focus.

illustration not visible in this excerpt

Figure 2

Likelihood Table

Responding to risks means “implementing appropriate control measures to modify the risk”. (Woods, 2011, p. 36) Depending on the status of the risk that has been determined in the previous step, it can be decided between the following 4 options of treatment: (according to Merna & Al-Thani, 2008, pp.52-54)

1. “Retention”, which means accepting risks and doing nothing against them. This measure should only be used for risks that “the organisation ’ s core value-adding activities are associated” with. (Merna & Al-Thani, 2008, p.54)
2. “Reduction” signifies the mitigation of “either the likelihood [ … ] or impact of the risk occurring”. (Woods, 2011, p.36) An example would be to wear security clothing in dangerous places.
3. “Transfer” means to contract risks out. The most obvious way to transfer risks is by insuring, either with insurance companies or by self-insuring (captive insurance). Both are ways of “risk financing” . (Woods, 2011, p.36)
4. “Avoidance” implies the elimination of “activities that create a given risk” (Woods, 2011, p.36). Merna & Al-Thani describe it as removing the “source of the risk” , for example by not taking part in risky projects.

Those four measures for risk treatment are also referred to as the “4 Ts” (tolerate, treat, transfer, terminate). (Hopkin, 2010 [Online]) To be able to decide between those options, a risk matrix chart - as shown in figure 3 - can be applied. (Merna & Al-Thani, 2008, p.75 [Online])

illustration not visible in this excerpt

Figure 3

Risk Matrix

To be able to control the effectiveness of the risk responses, a risk register is very helpful as it provides a comprehensive overview of all the risks and their significance (like in the risk matrix chart) plus the applied strategy, the action plan and it names the person responsible. An example of such a register can be found in the Appendix (5.).

The next step “Information and Communication” is sometimes also called reporting and crucial to “enable people to carry out their responsibilities” . (COSO, 2004, p.4 [Online]) It is also internally important for control purposes and externally with regards to the organisation’s accountability towards stakeholders etc.

Monitoring is the last step of the risk management process that is of great importance in order “to ensure the ongoing effectiveness of a risk management system” . (Woods, 2011, p.37) Organisations have to control the success of their risk strategies and review processes to be able to learn from their experiences.

Risk management has to take place on all levels of the organisation - “from strategy level through to day-to-day operational activities and special projects”. (Woods, 2011, p.34) According to the COSO Cube, it can be on the entity level, the division, the business unit and the subsidiary. Furthermore, in its vertical columns the COSO Cube sets four categories that are required to achieve objectives: setting strategic goals, operations (meaning the effective use of resources), reporting and compliance with laws and regulations. (COSO, 2004, p.3 [Online])

Using this comprehensive approach to risk management enables organisations to understand risks, take reasonable decisions and do contingency planning, which eventually improves outcomes. Thanks to the monitoring process, companies will draw valuable lessons that “allow better modelling for future projects and investments” . (Merna & Al-Thani, 2008, p.57)

3. Different Types of Generic Risks

Organisations experience a lot of different and complex risks, which is why it does make sense to categorise them into groups. In the following some of the risk categories will be explained.

3.1 Product and Market Risk

Definition Example

Product and market risks are especially relevant when introducing new products and they go hand in hand. If the organisation has just a limited understanding of the market, there is the danger of misreading signals or concentrating on wrong aspects and finally developing a product that “may not be feasible or lacks unique qualities “, (Lucintel, [n.d.] [Online]) a product that is overcomplicated and confuses its potential customers or simply does not work properly. (Schneider & Hall, 2011 [Online]) As a result, the product does not find a ready market, competitors are very strong and the organisation’s customers are dissatisfied with the product.

Windows Vista that was introduced in 2007 with high expectations had massive software and compatibility problems. As a consequence, customers soon turned away from the product and looked for other systems, letting Microsoft lose many customers to Apple. (Schneider & Hall, 2011 [Online])

3.2 Strategic Risk

Definition Example

Strategic risk is defined as a “risk concerned with where the organisation wants to go, how it plans to get there, and how it can ensure survival.” (Office of Government Commerce, 2007, p.158)

In 2011, Tesco had to pull out of the Japanese market completely and sell all their shops, as they had not become a lucrative part of the business despite all efforts. Entering the Japanese supermarket industry therefore was a strategic mistake, that endangered the profitability of the whole business. (Jones & Nakamato, 2011 [Online])

3.3 Financial Risk

Financial risk is one of the most multifaceted risks with several subtopics. However, due to the limitation of words in this assignment, just the liquidity and equity risk will be explained in greater detail. An overview of all financial risks, however, can be found in a table in the Appendix (1.).

3.3.1 Equity Risk

Definition Example

Equity risk arises from the depreciation of investments “due to stock market dynamics” (Investordictionary [n.d.] [Online]), and the rise and fall of share prices. If the share price falls, it becomes difficult for the organisation to raise finance, which can have major impacts and lead to liquidity risks. (Merna & Al- Thani, 2008 pp.127, 128)

General Motors is an example for an organisation suffering equity risk. According to the Forbes magazine from August 2012, the company was facing various problems and was again “headed for bankruptcy” after share prices had been plummeting and even the US government was thinking about a bailout. (Woodhill, 2012 [Online])

3.3.2 Liquidity Risk

Definition Example

Liquidity risk means the hazard of an organisation not being able “to generate sufficient resources to meet its liabilities”. It is also described as a “cash flow problem” and extremely dangerous for an organisation, as it can quickly lead to bankruptcy especially due to “cross-default clauses” . (Merna & Al- Thani, 2008, p.128)

The British Bank Northern Rock experienced the consequences of liquidity risk after the financial crisis in 2008. The bank began to struggle when it could not raise funds anymore in 2007, which caused the shares to plummet, a run on the bank, and after an unsuccessful attempt to sell Northern Rock, finally the British government had to step in and save it. (BBC News, 2008 [Online])

[...]