This month, Compliance Week is pleased to introduce the debut column of Richard M. Steinberg, an advisor to boards and executives on corporate governance. The former corporate governance practice leader at PricewaterhouseCoopers, Steinberg is also well known as a co-author of the COSO “Internal Control—Integrated Framework.” A sought-after speaker and widely published author on topics of corporate governance and board effectiveness, Steinberg will contribute to Compliance Week on a monthly basis.

Surveys show, and experience confirms, that directors of public companies are very much concerned about how management is identifying and dealing with risks.

Regardless of the motivator—tougher listing standards, greater liability risks, or heightened shareholder scrutiny—directors want to know what key risks are present, and what management is doing to ensure the risks are effectively identified, assessed and managed.

They don’t want surprises; corporate directors want to go to sleep feeling at least reasonably comfortable that any potential icebergs are on management’s radar screens, and that their corporate ship is being navigated effectively. Of course, management feels the same way, and some—particularly those running large banks and other financial services firms—have already established relevant risk identification and management systems.

Help Arrives

On the surface, the board’s responsibilities for risk management are straightforward. Specifically, directors must ensure that management:

Is positioned to identify key risks;

Brings to the board’s attention those risks and the ways they are being addressed; and

Is accepting and managing risks in line with the company’s established risk appetite.

But there’s been no consensus on what “risk” is, or what’s required for effective risk management. Compounding directors’ concerns—especially those of audit committee members—are new listing standards requiring that they focus on “risk assessment and risk management,” but with virtually no direction on what is entailed to carry out these responsibilities.

In late September, help will finally arrive.

It comes from COSO—that is, the Committee of Sponsoring Organizations of the Treadway Commission—in the form of a report titled Enterprise Risk Management—Integrated Framework. Yes, COSO is the same consortium of organizations that brought us the internal control standard with which you are likely very familiar—perhaps more than you ever wanted. That report sets the standard against which public companies are measuring their internal control systems, and under which they will soon be reporting. Pointed to by both the Securities and Exchange Commission and the Public Company Accounting Oversight Board, it’s likely the basis for your ongoing Sarbanes-Oxley Section 404 work.

The new enterprise risk management report, which has been in development for three years, is expected by some to have impact similar to the COSO internal control framework. The ERM report sets a benchmark against which companies can measure their risk management processes. And if a system isn’t yet in place—which is still the case for the many companies that assess risk in an ad hoc fashion—the report provides guidance on what’s needed.

Strategic And Tactical

The ERM framework makes clear that enterprise risk management is very different from “risk assessment,” which takes a risk inventory at a specific point in time. Rather, enterprise risk management is a robust and ongoing process that’s baked right into management’s ongoing business processes. As a result, ERM can help companies—at both the strategic and tactical levels—enhance risk-response decisions, reduce operational surprises (and related losses), identify and seize opportunities, and enhance deployment of capital.

ERM can be used by companies to help decide, for example, whether to invest in new product development, exploit new markets, or open new sales channels. It can help executives make strategic decisions, like whether to expand brick-and-mortar retail outlets or enhance Internet capabilities, or whether to migrate to a new technology platform or enhance legacy systems. And ERM can help companies ascertain whether exposure to political, socio-economic or complex financial risks—like foreign currency, commodity price or interest rate movements—or risks at the process level, should be better managed to achieve operational goals.

And, of course, ERM can help companies determine whether financial reporting or compliance processes need strengthening.

Clearly, ERM’s definition of “risk” is much broader than the traditional view of risk; done well, it can help companies of any size or sector make informed, value-based decisions.

Importantly, enterprise risk management can help boards become less “risk-averse.” That aversion to risk, which can frustrate management and stifle innovation and growth, brings with it a high opportunity cost. Unfortunately, we’ve seen the boards of some companies indeed becoming more risk averse as the spotlight shines brighter and brighter on corporate governance.

But at companies that have implemented effective enterprise risk management processes, boards tend to avoid a risk-averse mindset. At those firms, corporate directors are comfortable that management is making informed decisions to take the “right” risks—avoiding them where the risk-return ratio tips out of favor—and that management is bringing relevant information to the boardroom.

The COSO ERM framework should become an authoritative source on risk management, defining not only the roles of management in effecting enterprise risk management, but the roles of directors in their oversight role.

No, it won’t provide a panacea, and directors will need to demonstrate ongoing diligence in their attention to risk. But the management teams that implement ERM correctly will see their companies better positioned to seize opportunities, avoid major pitfalls and grow share value.

And their directors will sleep better, too.

Editor's Note: The ERM framework is expected to be released September 29. We will provide details to subscribers as soon as available. In addition, the October print edition of Compliance Week will include a reprint of the ERM framework's executive summary. If you don't already receive our print edition, please email us or call 888-519-9200 for more information.