"What do you worry about?" That's the question Mark Gerstle will be posing to almost 100 directors, top-level executives, and business unit leaders at $8.4 billion auto parts maker Cummins over the next few months, as he steps into his new role as the company's first chief risk officer.

It's not that Gerstle wants to encourage paranoia. Rather, his new title entails identifying and analyzing all of the perceived threats that the $8.4 billion engine-maker faces across the enterprise so that the company can focus its worrying—and risk management strategies—on the ones that would most likely occur or most severely affect profits.

Gerstle's new charge is largely an outgrowth of Sarbanes-Oxley compliance efforts, he says. Having created a global picture of Cummins' finance-related risks, that exercise "solidified our thinking that we should take a look at all risks across the enterprise" that would affect sales or growth, says Gerstle. He added the CRO title to his role as vice president of corporate quality in early May.

Cummins is in good company. While the chief risk officer title has become nearly standard in the financial services industry, thanks to the Basel II Accord that governs capital adequacy standards, and is popular among energy companies, it is becoming increasingly common in other sectors as well. Companies like BearingPoint and EDS have appointed their first CROs within the last year, and experts see many more to come.

“Probably 25 to 30 percent of the companies we’re dealing with outside of financial services and energy either have a CRO or are planning to have a CRO,” says Rick Funston, national practice leader for governance, risk oversight and enterprise risk management services for Deloitte. Meanwhile, Forrester Research predicts that by 2007, 75 percent of large companies in critical industries like finance, energy, healthcare and transportation will have CROs.

Consistent Approach, Cohesive View

The upswing in CRO appointments and the corresponding move toward enterprise-wide risk management is not a coincidence.

The detailed documentation and testing of internal controls as mandated by Section 404 of Sarbanes-Oxley, for example, has made executives "more risk-aware" about the broader spectrum of threats, says Funston. In addition, a new Enterprise Risk Management framework published by the Committee of Sponsoring Organizations of the Treadway Commission has provided guidelines for identifying and analyzing risks on an enterprise level.

In addition, regulators are pushing companies to do a better job assessing and disclosing risks. Both the Securities and Exchange Commission and the Public Company Accounting Oversight Board released SOX 404 guidance in May that urged companies and auditors to take a top-down, risk-based approach to internal controls.

In fact, the SEC has been pushing for companies to do a better job disclosing risks in the Management's Discussion and Analysis section of periodic reports. In an often-quoted speech in September 2003, SEC Commissioner Cynthia Glassman urged public companies to provide more forward-looking information to their investors. "The purpose of MD&A is to provide a sense of the quality of a company's earnings and cash flow," Glassman told Compliance Week in an interview last December. "To do that, companies must understand risks to performance going forward and an ERM process is a way to do that. ERM can help companies to articulate their major risks and identify the nature of those risks, then develop a process for measuring, monitoring, and controlling those risks."

Other agencies and regulators have similarly emphasized risk management and disclosure; in January, Federal Reserve Board governor Susan Schmidt Bies gave a speech in which she emphasized "recognizing the importance of qualitative factors in an effective risk management process."

Even the exchanges are pushing the issue; the New York Stock Exchange requires that audit committees discuss with management "risk management processes around anything that could constitute a major financial exposure" adds Funston.

Directors want "some central point where all the risks can be aggregated so they can say, 'Here’s what’s new on the radar screen, here’s where we’re vulnerable, and here’s what we’re doing about it,'" says Funston.

Assessing Exposure

The task of most CROs, then, is to provide that central point of reference, rather than managing all the risks themselves.

"My role is not to manage all the risk but to make sure all the risk is being managed," says Bill Bojan, who has been vice president of business risk services—essentially a CRO position—at $37.2 billion UnitedHealth Group for the past three years. His job, he says, is "really about bringing a consistent approach to risk management, and bringing it up into a cohesive view."

BearingPoint CRO Ron Salluzzo, for example, says he is in the process of standardizing the risk-scoring process for all the firm's projects. Doing so will enable him to assess the firm's overall exposure at any given point through a total risk score. Those scores will enable BearingPoint to be more proactive on a global basis, "looking at the design of how we are going to manage risk, as in, what are we going to do and who is going to go do it?" rather than coming up with solutions to each risk, Salluzzo says.

The CRO is also typically responsible for translating the risks to a common financial metric, such as profits or share price. "In my mind, a risk officer’s function includes how we improve margins as a result of systemic business processes," says Salluzzo. That means taking on some risky projects when the cost of mitigation is lower than the potential gains, and nixing others before they take off.

Beyond some basic similarities, though, the same title looks very different from company to company. For one, each company will have a unique set of threats to face and appetite for risk. In addition, the structure of the role often depends on a company's existing resources. Salluzzo has internal audit (which includes Sarbanes-Oxley work), federal regulatory compliance, and risk and quality management reporting to him; he reports directly to the chair of the audit committee. Others, such as Gerstle at Cummins, have no direct oversight of internal audit, and report to the CEO.

However, CROs warn that implementing a meaningful risk framework across a company is no easy task. Bojan says that it has taken UnitedHealth about five years to truly integrate the framework into the business units to yield an enterprise view. And while 80 percent of the companies in the financial services sector had a CRO by 2004 (up from 65 percent in 2002) according to a recent survey by Deloitte, less than one-quarter of those surveyed said they were able to integrate risk across any of the major dimensions of risk type, business unit, or geography.

In addition, purveyors of bad news don't typically enjoy very long careers. "If you’re going to be an outspoken CRO, you’d better have a good separation agreement, because you could be at odds with your management group," says Funston.

He expects that over time, as with internal auditors, "we’re going to have to have protections for the CRO, so that there is good independence and they can raise issues. Right now, it depends so often on personality."