Your guide to getting started with financial risk management

The vast majority of companies have neither the size nor complexity that necessitates a dedicated Treasury function. However, managing the company's financial risks is always required, and in this article you can read about how to structure risk management in your organisation.

In an era of increased global uncertainty, geopolitical tensions and rapid market changes – factors which all affect financial risks – effective risk management has become a necessary discipline in any Finance organisation. This is both because requirements for risk management are written into the Danish companies' act, amongst other regulations, and because it can become a costly affair which, in the worst case, may threaten the company's existence if risks are not adequately managed.

Companies with complex supply and distribution chains, and therefore typically also substantial international activities, will often have a Treasury department staffed with specialists who, in certain cases, use sophisticated financial instruments.

The situation is typically different in less complex companies, where financial risk management is performed by the CFO and persons whose primary responsibilities involve financial controlling and financial reporting.

In this article, we focus on how you can organise your risk management without a dedicated Treasury department. You can read about how risks are first identified and then quantified, before they are hedged and monitored.

The financial risks that companies are exposed to depend largely on the company's activities and where these are carried out. Factors such as value chain, products, geography, customer types and financing arrangements play a significant role. Therefore, both the scope and complexity of the specific risks, and particularly their materiality, vary depending on the individual company.

A smaller company that only sells goods or provides services in Denmark will often only be exposed to credit risk. This risk concerns losses on trade receivables if customers either do not pay or do not pay on time.

If the company trades with foreign customers, the resulting currency risk will depend on the perspective – because if the transactions are made through a foreign subsidiary with the same functional currency as the sales currency, the subsidiary will not be exposed to currency risk towards customers. Which group company in the distribution chain bears the risk on the internal transaction depends on which company's currency is used for settlement. Additionally, the parent company has a currency risk when it comes to received dividends and currency translation in the consolidated financial statements.

If the company has variable-rate loans, there is an interest rate risk. And with fixed-rate bond loans, there may be a price risk if the debt is repaid early.

For manufacturing companies, commodity price risks are often an important factor. This is particularly true if large portions of the cost price consist of raw materials with highly fluctuating prices, or if the margins on the company's products are low, making the company's earnings sensitive to even small price fluctuations.

The significance of commodity price risk depends, among other things, on how price-sensitive the customers are. If the company can pass on changed raw material prices to its sales prices, the risk is reduced or perhaps completely eliminated if, for example, customer agreements contain price adjustment mechanisms linked to commodity indices. Therefore, it is important to assess the risks both net and gross, both through the value chain and aggregated for the activities of the company and, where applicable, of the group.

When risks are managed effectively, they can actually be transformed into a competitive advantage. A company that understands and manages its risks effectively can create additional trust and confidence among customers – and thereby strengthen its position in the market.

A prerequisite for effectively hedging risks, and particularly not increasing risks through unintended speculative measures, is that the magnitude of the risks is quantified – that is, a mapping of what potential financial impact the company is exposed to.

The quantification is determined by identifying the respective risk sources at entity (gross) and group level (net) and then calculating the impact on the key performance indicators (the established targets) when risk factors change.

Your company has an outstanding receivable of USD 100 million. A 10 per cent change in the USDDKK exchange rate will affect the result by USD 10 million.

For credit risk, the quantification can consist of a calculation of the debtor portfolio distributed across different overdue intervals, which could be, for example, >1 month, >3 months, etc. Based on historical losses, depending on the age of the debt, you can estimate the expected age-weighted loss.

For most companies, liquidity risk is relevant to address. This can be driven by the company's 'life cycle', for example in a start-up phase where commercial momentum has not yet been achieved, in a growth phase where there is an increased need for investment, or where an otherwise mature company with solid liquidity reserves is exposed to fundamental business changes due to, for example, geopolitical conditions or other crises. A significant liquidity risk can also arise driven by profitability challenges, where covenants in financing agreements are breached, which may, for example, cause a bank to demand repayment of the facility.

To quantify the risk, you can prepare a liquidity forecast, which estimates the cash flows and thus the cash position at established future points in time. The sensitivity of cash flows can be estimated through various assumption scenarios. These could, for example, be based on changed credit periods for customers, delays in projects or fluctuations in exchange rates. In this way, both you and management gain insight into how sensitive the company's liquidity is to changes in assumptions.

With a clear overview of the risk profile and the materiality of risks, you can both prioritise your activities and design mitigating actions that precisely address the risk exposure.

Before you get that far, it is necessary to clarify management's risk appetite and secure a mandate from senior management. This is formulated in risk and hedging policies, which may include, among other things:

• Description of the risk profile (credit, liquidity and market risks)
• Risk measurement, quantification and tolerance
• Risk hedging strategies (e.g. hedging and insurance)
• Governance, roles & responsibilities and escalation processes
• Monitoring and reporting (frequency and content, reassessment of risks)
• Contingency plans including crisis management
• Training and communication.

Based on the agreed risk management policy, which, depending on the company's circumstances, can range from very comprehensive and formalised to informal and decided on an ad hoc basis, the risk-mitigating actions can be designed and implemented. These will include:

Tasks, such as adjustment of contractual arrangements with suppliers and customers, e.g. regarding changed settlement currencies and price adjustment mechanisms. It can also involve procedures for credit assessment in order to quantify the risk of a customer relationship and thereby determine whether the exposure should be reduced to a more acceptable level.

Controls, such as credit limits, which ensure that sales do not exceed the company's established risk tolerance.

Financial instruments, such as interest rate swaps or currency options, which are used to hedge specific interest rate and currency risks, by locking in the factors (possibly partially).

For risk management to create maximum value and protect both the company's assets and its creditors, it is important to also focus on future risks within your company's operational time horizon.

This may, for example, involve estimating cash flows for the next 12 months, distributed by currency, purchases of raw materials, interest payments, etc. It is necessary to estimate the cash flows in order to determine the liquidity risk. The time horizon depends on many factors such as:

• How robust is the company's financial situation?
• What is your customer type (private individuals, businesses, public sector), and what is their risk profile?
• How sensitive is the setting of the price point relative to the production cost?
• Are long-term sales and purchasing contracts entered into, and can price risks on the input side be passed on to customers?
• Is there a natural hedge in that incoming and outgoing cash flows occur in the same currency – either at entity level, or because it balances at group level?

The time horizon for the respective risks is set independently of each other and at company level. Thereafter, you should conduct a similar assessment at group level, as certain risks such as currency may be offset at group level and, through central management, can be naturally hedged as the effects balance each other out.

As with all risk management, the assessment should be updated at appropriate intervals – the frequency depends on the company's activities and the risk landscape in which you operate.

A practical challenge with risk hedging is whether future cash flows can be estimated reliably. A solid data foundation for exposure to, for example, currency and commodity risks is crucial, as errors in the estimates can increase the risk rather than reduce it.

The reliability of the decision-making basis depends both on the uncertainty that naturally comes with making predictions, and on the accuracy of the historical data foundation, where it is a challenge to ensure precise data through, for example, procedure descriptions and internal controls.

One way to handle this is to graduate the hedging according to time horizon, ro example 90 per cent hedging for the next 6 months and 60 per cent for 6-12 months.

Monitoring the risk profile and its changes is an ongoing task that ensures risk hedging follows the risk policy. If the risk profile changes, the policy should also be continuously assessed and adjusted.

Risk reporting should be provided both to the executive management, so that risks can be integrated into the strategy and coordinated across the company, and to the board of directors, which must ensure that the executive management effectively establishes and monitors risk management policies and practices.