The Compliance Week 2010 conference provided a series of “conversations” on risk assessment that revealed how far along leading companies have come in implementing that process, and gave some valuable insight into how executives can improve the information that boards of directors need to exercise their risk-management role.

To evaluate the overall state of risk assessment, one must start with how companies have implemented a risk-assessment process. Most focus on the legal and regulatory requirements applicable to their particular industry and on the requirements of the Sarbanes-Oxley Act. I heard some people in the CW2010 discussion groups refer to the basic process as a “check-the-box” approach once rules and regulations are identified.

The evolution of risk assessment has advanced to the point where a significant number of those with the responsibility have the title of chief compliance officer. Most are lawyers and report to the general counsel or chief audit executive, with a dotted line to the board’s audit committee. At the board level, the audit committee chairman receives reports from the company’s compliance officer; the entire board may discuss these, particularly if some areas need additional emphasis.

At the next level, more sophisticated companies have combined their assessments of legal and regulatory risks with enterprise risk management. This is a more holistic approach, since identifying risk is a comprehensive assessment of the enterprise itself. Jack Holleran, the senior compliance officer at Marsh & McLennan Cos., identified five categories of risk: compliance and regulatory, strategic, operational, financial, and human capital. Holleran said that the ERM results should align with strategic planning, budget setting, auditing, and other core processes. He also said it takes at least three years for most organizations to achieve full alignment.

Marsh Mac instituted a risk-assessment model in 2009 for an enhanced compliance and risk-management framework. At the heart is the company’s culture. Around the culture is the detection of risks, the response to those risks, and means to prevent risks from materializing. At this level, a coordinated risk assessment is conducted using a common risk framework. Professional standards and business-process reviews are incorporated followed by an analysis of the effectiveness of control measurements—all of which lead to process and control improvements.

So who actually does all that assessment of risk? Holleran says in many organizations, “both compliance and risk-management professionals struggle to define … their respective roles, boundaries, and avenues of coordination.”

At Marsh Mac, he said, they recently integrated the two functions under a chief risk and compliance officer. He advised companies not to “over-engineer” their first effort. In the first year, he said, simply raising awareness of risk through risk-identification efforts may be enough. Of utmost importance for long-term success is executive management support. Beyond that, according to several who had already implemented an ERM program, is a need for a “tone from the top” approach where the board of directors and senior management are fully engaged and supportive.

Jim Traut, director of “ER2M” (enterprise risk and reputation management) at H.J. Heinz Co., raised the bar one more notch by incorporating reputation management into the company’s risk assessment. Heinz is one of relatively few companies that appear to be examining risk in terms of the company’s reputation and brand image, product quality and safety, and other more intangible dimensions such as trademarks as well as consumer and customer relations.

That makes sense; Heinz’s risk profile is exceptionally high. It is a globally recognized food company with annual sales topping $10 billion, more than 33,000 employees worldwide, 75 factories located around the world, and 60 percent of sales coming from products manufactured internationally. Yet what mitigates its overall level of risk is the exceptionally detailed process it uses for risk identification and management. The mission is, in the words of Chairman Bill Johnson, “to be the most trusted company in the industry.”

According to Traut, in former days, Heinz informally addressed risk assessment without a standard process. Risks evolved from a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) in addition to one-time negative events that caught management by surprise. Today, executives have a detailed process where they assess risk in operational areas such as product safety and quality, employee safety, environmental management, asset conservation, human resources, and facility and product security. In the non-operational areas they evaluate risks related to marketing, corporate governance and ethics, and financial and legal perspectives. Moreover, they examine the effect on their business using broader variables such as volatility in commodity prices and credit markets, the impact of the current economy along with food safety issues, and Heinz’s comprehensive sustainability program.

Traut made a key point that board- and executive-level support is essential for the success of a risk-management program. This is evident in the company’s top-down process of risk assessment, which involves the board’s participation. Such support was sorely lacking in financial firms such as Bear Stearns and Lehman Brothers, where the boards were relatively clueless about the inherent risks in the firms’ complex derivatives, particularly those rooted in sub-prime mortgages. The inability of the boards and senior management, along with the rating agencies, to untangle the complex derivative products and understand their underlying value and inherent risks was largely to blame for the respective firms’ collapse, which led to the 2008 financial markets crisis. The subsequent blame was laid at the feet of the board of directors. Clearly, their inability to perform adequate oversight in risk assessment was a major failure. Subsequently, the marketplace and investment community placed a heightened emphasis on the role and responsibility of the board in its oversight capacity and as a component of good governance.

While the determination of risks and the internal communication of that information to the board is largely a bottom-up process, oversight is top-down. Moreover, directors from other business sectors may see potential risks based on their experience. Investors are demanding greater board participation in risk assessment and management, and boards will hopefully recognize their liability for failing to do so.

Yet, with compliance information going to the audit committee chairman that is largely based on legal and regulatory compliance, one has to wonder whether the entire board is at the point of asking hard questions about how well the company is prepared to deal with reputational risks that can have a monumental effect on a company’s shareholder value, its employees, the environment, the public, and its ability to sustain itself.

One need only look at recent examples where operational failures resulted in major reputational damage—British Petroleum and Massey Energy, to name a couple. Would proper attention to risk assessment and management have made a difference? In all probability, yes. A careful examination of the corporate culture in the two companies would also reveal reticence toward regulatory compliance.

It is clear from the Compliance Week 2010 conversations about risk assessment and compliance that as companies create staffs and identify chief compliance officers to implement and execute basic risk-assessment and compliance processes, they need to move up the chain to incorporate enterprise risk management. Once that’s accomplished, they should move on to the vitally important component of reputation management. Even companies with a relatively low public profile and brand identity would do well to incorporate “the whole enchilada,” because they too have reputations to protect among customers, suppliers, employees, and their shareholders.