Main directions of the development of the risk management system in corporations

Actuality and relevance of implementation of the risk management processes in the general system of management in organizations are justified in this article. Three major issues can be pointed out as referred to the implementation of the risk management system in modern organizations, such as 1) a high level of costs combined with relatively long payback period; 2) lack of the universal approach to the implementation of the risk management procedures; and 3) difficulties in identification of perspective directions of the systems under consideration. The basic directions of development of the risk management systems in the corporate structures are defined based on the results of comparative analysis of the experience of Russian and foreign companies. The activity in the field of risk management of such corporations as “Rusgidro”, “NMLK”, the Investment Company “RUSS-INVEST”, “Severstal”, “Gazpromneft”, “Metalloinvest”, “Philips”, “Nestlé”, and “Unilever” became the object of our research. Comparative analysis of practices of implementation of the risk management system has been performed based on the following criteria: organizational structure of management, register and prioritization of risks, structure and methods of risk management, and effectiveness of the risk management systems. The results of the study allowed identifying the following basic directions of development of the risk management systems in the corporations: amending register of prioritization of risks; increasing level of integration of the risk management procedures into the basic business processes of the corporations; expanding of use of the external assessments, credit rankings, etc. in the framework of implementation of the risk management procedures; increasing level of unification of methods of risk assessment and management that finally would be a prerequisite for improving effectiveness of the risk management systems in organizations.


Introduction
In today's economic situation, risk management systems become one of the obligatory functional peculiarities of the corporate management structures. Substantial volumes of financial and other types of resources, large scales of activity, a wide range of territorial and branch directions of development cause global and critical risks and, as a consequence, a possibility of substantial losses. Dynamic development of this sphere of management in corporations supports data of study of the company KPMG. According to the results of the study performed in November 2015, most of the companies considered systems of the risk management as, first of all, the tools of the strategic and operational management aimed at building of values and preservation of their assets. Than followed the task of correlations with the regulatory demands. In 65% of the questioned companies, a special structural unit responsible for coordination of the risk management processes was established, and it was twice as more as in 2010 [1]. Thus, introduction and implementation of the risk management systems is objectively needed for the corporate structures.

Problem Statement
In contemporary economic literature, principles of formation of the risk management system are considered with necessary details [11], [15] that includes interrelations between processes of economic security and risk management [11], [14], and major elements of the risk culture in organizations, such as identification, analysis, prioritization of risks and other issues of the organization risk management [12], [13], [14], [15]. However, a high level of dynamics of the risk management processes in the corporate structures requires justification of basic effective directions of their development. In addition to that, the relevance of identification of perspectives of the risk management system functioning in organizations is connected with identification of some problems of their implementation in current economic conditions, since they are characterized with: 1) a high level of costs together with relatively long payback period; 2) lack of the universal approach to the implementation of risk management procedures; 3) complicated identification of perspective directions of the systems under consideration.

Research Questions
1. What criteria can be used for conducting a comparative analysis of the risk management systems in companies? Based on which principles a selection of the objects for the comparative research can be arranged? 2. What are specific characteristics of the risk management system in Russian and foreign companies?
3. What are perspective directions of development of the risk management systems in contemporary organizations?

Purpose of the Study
To consider possibility of the effective development of the risk management systems in corporations based on the situational and factor analysis, and object-oriented modeling of the situation.

Research Methods
The following basic components of the risk culture have been selected as the criteria of the comparative analysis of the risk management system: organizational structure of management, register and prioritization of risks, structure and methods of risk management, and effectiveness of the risk management systems [11], [12], [13], [14], [15].
The selection of companies has been made based on the following principles: 1) the company organization activity can be related to the corporate entrepreneurship; 2) the system of management in the organization includes formalized and duly regulated business processes in the sphere of risk management; 3) a high level of development of the risk management systems in the organization in accordance with the international standards.
The basic methods of the research are the situational method, factor analysis and the object-oriented modeling of the situation. In general, the algorithm of the modeling of the situation includes the following stages: 1) availability of information about basic characteristics of the object; 2) study of the most important characteristics of the model, to which in the framework if this research can be referred the basic components of the risk culture in the organization; 3) concretization of the parameters of the model based on the results of the previous stage; 4) summarizing characteristics of the object and identification of possibilities of its transformation [16]. Implementation of these stages in the framework of this research will allow objectively justify basic perspective directions of development of such model as the system of the risk management in organizations.

Findings
The experience of Russian companies in the framework of formation of the risk management organizational structure is relatively identical, as a rule, it is a special unit operating under the Board of Directors. It can be a department, service, Audit Committee, a group, etc. that is responsible for the problems connected with carrying out risk assessment and elaborating of measures for preventing negative impact of risks. For example, Audit Committee considers the issue of risk management in such corporations as "NMLK" [2], "Metalloinvest" [5], etc. The Department of Control and Risk Management is one of the controlling systems in the general system of management in "Rusgidro" [10].
Risk Management Service is responsible for coordination of activity in identification and assessment of risks, for introduction of the best practices in the sphere of risk management, preparation internal and external reporting, and also for the organization and coordination of the insurance program in the corporation "Severstal" [4]. As far as the experience of foreign companies is concerned, it is worth mentioning a low level of openness of their systems of risk management. However, their characteristic feature is the integrity of risk management procedures in each level of the business cycle. That, inter alia, is provided by the implementation of their own standards and regulations of risk management. In Nestlé, the Group Enterprise Risk Management -ERM) operates on the basis of the internal regulation of the company, which annually submits the results of risk analysis to the company boards, the Board of Directors and the Audit Committee.
Unilever functions with a wide range of processes and activities that embrace strategy, planning, execution and production. All procedures are formalized and documented, and as a rule, are centralized and automatized into the information technological system. Philips considers procedures of the risk management in the framework of the set up register of risks.
In can be noted that a high level of development of the risk management organization structure exists in the corporation "Gazpromneft" [6]. There is a single approach to the risk management that is fixed in the corporate standard ISUR (Integrated System of the Risk Management). Risk management is built on the principle of integration of the tools of risk analysis and risk management in major corporate processes. Responsibility for the risk management and reporting is defined in accordance with the system of linear and functional management.
The configuration of the risk management system also depends on the register that is accepted in the company, and on the prioritization of risks. Peculiarity of Russian companies is well-developed practice of classification of risks per branches of economy and spheres of activity. For example, practically in all of the analyzed companies, operational, financial, credit, political and legal risks have been identified. The highest level of risk structuring is typical for such corporations as "Rusgidro" [10], "NMLK" [2], and "Severstal" [4]. In "Rusgidro" three major groups of risks are included in the general register of risks, such as critical, significant and less priority risks. Critical risks are that of the implementation of the capital building; diminishing revenue from the sales of electricity and power against the provisions of the business plan; unfavorable change of laws; technogenic incidents; deficit of finance. The group of the significant risks includes risks of interaction with the interested partners; delays and mistakes in improvement of the management system; damage caused by natural disasters and man-made accidents, and so on. Risks of the less priority consists of the growth in accounts receivable; shortage of the key personnel; impossibility to receive access to the international markets.
The key difference between Russian and foreign companies in the prioritization of risks is that Western corporations mostly emphasize necessity to consider intangible risks in the general register of risks, such as risks connected with business reputation, organizations' brands, acquisition of the intellectual property rights, and strategic development of the companies. For example, Philips considers strategic risks as the most important ones. The second significant risks are the operational risks and compliance risks; then follow the financial risks. The risk of division of the organization is separately defined. In Unilever to the most significant risks belong the following: the risk of the clients' preference to the brand, portfolio risk (portfolio management), the risk of the level of professionalism of personnel (talents and the organization of labor), the risk of supply chain, the risk of safety and quality of the products; IТ risk, risk of the business transformation (successful transformations in the framework of some projects means a success); external economic and political risks, risks of natural disasters, treasury and pension risks, ethnical (reputation) risks of interactions with clients, and legal and normative risks. Nestlé consider the two most significant groups of risks: intangible risks (risks connected with business reputation, the brand image, and intellectual property; tangible risks (financial, operational, risks of physical damages, labor risks, etc.).
A high level of segmentation of risks is justified for improving objectiveness and widening the register of methods to be used for their assessment. It should be mentioned that in all the analyzed organizations special methods of the risks management exist formed on the basis of either their internal standards, or standards of COSO ERM, FERMA, etc. "Rusgidro" utilizes methods of identification, measurement and reaction on risks based on the principles of COSO ERM and risk management standards of ISO 31000 and ISO 31010. "NMLK" also considers obligatory procedures of risk identification and assessment.
The Investment Company "RUSS-INVEST" most often uses such methods of risk assessment as a statistical method of the cases of risks; point-weight method; scenario analysis (stress tests). Risk assessment is executed by the owners of risks and aggregated by the employee responsible for the system of risk management [3].
Dynamic development of the procedures of risk assessment is characteristic for "Metalloinvest". For the assessment of risks they use sensitivity analysis method and scenario modeling method, meaning that a group of people elaborates on the maximum negative results of the company, should one of the risks appear [5]. Special conditions are created for the effective cooperation of the risks owners for the exact assessment of the significance of risks, development of the reaction strategy and coordination of measures to be undertaken by different units in connection with specific risks. So, in 2015 the process of accumulation and administering of data of the permanently renewable risks database was automatized that provided a timely access to the relevant information for all units. Feedback mechanism is also used by units for the analysis of the incidents connected with risks, for internal audit reporting and for the assessment of the adequacy and integrity of the action plans on risk management. A training program was designed: since 2016 risk management training has become an obligatory training for all new employees of the company that has allowed, since 2017, to conduct risk assessment with the help of the expert method [5].
For the company "Gaspromneft" is also typical to have a constant development of the methodological basis of the assessment of risks [6]. In 2015, a pilot project on the quantitative analysis of the project risks in the Block of Logistics, Refining and Marketing was implemented and considered by the Committee on Audit. A number of methodological documents on the analysis of some production and environmental risks have been elaborated, and interactive training course for all the employees of the company has been designed [6]. In 2016 the work was continued of the development of the normative methodical documents on the analysis of specific significant risks and on integration of the risk analysis into the process of decision making. Training program for the managers and employees of the company on the tools and methods of the risk management has also been widened.
The analyzed foreign companies implement indicators and methods of risks assessment in the framework of integration of management in the daily activity by ensuring compliance with legislation and integrity of the financial reporting. The wider use of the practice of external assessment, credit rankings, etc. is the specifics of the implementation of the risk assessment procedures in foreign companies, as compared with Russian ones.
The range of risk management methods in Russian companies is either of a generic nature, or absolutely structured by each type of risks.
For example, the aggregated variant of the system of risk management is used in the Investment Company "RUSS-INVEST", which elaborates measures on the risk management on the basis of one of the following methods: risk avoidance; risk reduction; risk redistribution; risk acceptance. The most appropriate means of the risk management are risk avoidance or risk reduction [3]. If risk reduction is not possible or not appropriate, the employees of the structural units should develop alternative measures on risk redistribution or risk acceptance. Risk acceptance is the less effective instrument of the risk management.
The highest level of diversification of the system of risk management is characteristic for the company "Gazpromneft" [6]. The register of methods of the risk management has also been significantly broadened in "Metalloinvest" [5]. In some cases, organizations do not introduce a clear division between the procedures of risk assessment and risk management, that means that methods of analysis and definition of the extent of the risk impact are considered as the activities aimed at risk management. For example, in "Metalloinvest" the following methods are listed as the methods of risk management: 1. for the production risks, the complex assessment of the impact of different risk factors on the production processes and the volumes of output of the products; 2. for the regulatory risks, the monitoring of risks. In addition to that, this company considers possibilities of managing the political risk based on its monitoring and development of plans of the uninterrupted activity, carrying out a reasonable policy in terms of the attraction of investments and their use with the orientation on the internal development of the company. More objective and effective methods of management are specified for some special types of risks. For example, to minimize the negative impact of the risk of lower product prices, the following methods can be used: clients-oriented technical renovation in the long-term perspective, diversification of the sales market, promotion to the new markets, monitoring of residual risk from diversification effect with currency risk, and cost reduction in procurement.
It is worth mentioning that methods of the risk management in the analyzed foreign companies are more unified and concretized. For example, Nestlé considers two basic groups of the risk management: "top-down" methods (meaning that the accent is made on the risks for the company as a whole), and "bottom-up" methods (the accent is made on the risks for specific components of the company, the projects, units, functions, etc.) [7]. Unilever identifies hedging and use of derivatives among the major methods of risk management [8]. Quality control is the basis for the risk management system in Philips. Internal auditors control the quality of business processes by conducting rapid checkouts based on the risk assessment, financial control of the reporting and auditing. The company approach to the risk management is a part of the corporate management Philips Business Control Framework и Philips General Business Principles [9].
Such parameters as profit, revenue, EBITDA, EVA, different types of losses, including VaR, profitability, the dynamics of costs, savings on costs, as well as different branch indicators, etc. are typically referred as the basic indicators of the effectiveness of the risk management both in Russian and foreign companies. For example, "Gazpromneft" refers to the percentage of growth of extraction of hydrocarbons, the index of new capacities commissioning, increase in the number of geological exploration works, etc. as the indicators of the effectiveness of implementation of the risk management procedures. Qualitative indicators, such as deviations and deficiencies noted in the design of controls over financial reporting, which have not been fully rehabilitated (Philips), etc. can also be considered for the assessment of the risk management effectiveness.

Conclusion
The results of our research allow us to make a conclusion about a high level of the dynamics of transformation, openness and a certain degree of transparency in the systems of risk management in large corporations. Based on the results of this study, the following perspective directions of development of the corporate risk management can be identified: 1. Increasing level of integration of the risk management procedures into basic business processes of the companies.
2. Development of practices of ensuring integrity of the document turn-over in the sphere of risk management and official financial reporting of the organizations.
3. Amendments to the risk register. Indication in the register only risks of a generic nature, which determine just a sphere of activity, diminishes the level of objectiveness of further risk assessment. Formulations of risks, which characterize the results of their impact, allow concretizing the indicators of the assessment.
4. Transformation of structure and prioritization of risks. More accents can be made on the enclosure of intangible risks, including risks connected with the implementation of intellectual property rights, business reputation, constant increase of the level of informatization of the economy, use of the IT-technologies, etc. in the general register of risks.
5. Expanding use of methods of the external assessment, credit rankings, etc. in the framework of implementation of risk assessment procedures.
6. Possibility of the increasing level of unification of methods of the risk assessment and risk management, as well as their concretization that would finally become a prerequisite for improving effectiveness of the system of risk management in organizations can also be taken into consideration.