When new leadership took the reins at engineering and construction giant Foster Wheeler in 2001, getting a better grasp on the company’s wide-ranging risks was a top priority.

With 9,500 employees across 25 nations dealing with countless suppliers and customers, Foster Wheeler faced plenty of challenges. Its core business was building complex projects, such as power and chemical plants, located around the world in various regulatory environments and financed with multiple currencies. The industry is also highly cyclical, and hence vulnerable to payment risks.

Foster Wheeler’s CEO promptly appointed a “project risk management czar,” David Wardlaw. Wardlaw then turned to Peter Rose, Foster Wheeler’s head of internal auditing and chief compliance officer, to gain a better understanding of the risk profiles of the company’s projects and develop a risk-management plan.

Setting The Parameters Of ERM

The company’s efforts, Rose says, came from the realization that its major risks reside in its contracts with equipment suppliers, subcontractors, and project owners. It has several techniques for identifying and managing risks that any company could use: project reviews, U.S. executives sitting on the boards of foreign subsidiaries, review committees for financial statements, and the company disclosure committee.

Foster Wheeler also evaluates its risk profile quarterly for each balance sheet and profit-statement account, determines the portion of each addressed by its assessed and tested control structure, and monitors changes. These reviews, Rose says, “identify which processes we assess and test, which cover the cradle-to-grave lifecycle of major contracts and other significant non-contract activities.” As a result, the company’s risk-assessment process provides comprehensive coverage for its revenues and net assets, as well as significant individual accounts.

Given that context, two risk-management and compliance challenges emerged for Foster Wheeler. First, it had to stay connected to its geographically dispersed locations to be able to anticipate changes. Second, it had to ensure no control lapses crept into its oversight system.

Rose describes “staying connected” as monitoring the fast growth of Foster Wheeler’s operations in China and the migration of high-quality engineering functions to low-cost nations like India. “You have to understand the changing market conditions which dictate changing terms and conditions in contracts, which can alter the risk profiles,” he says.

The challenge of avoiding control lapses springs from accomplishing the first goal of staying connected. “You must have real-time, effective communications worldwide with local compliance officers and senior managers,” Rose says. To be able to react quickly and effectively when issues arise, “you really need to maintain multiple and robust communication channels to keep ahead of the change curve.”

Enter The IT Solution

The need for real-time monitoring and effective communications topped Foster Wheeler’s list of considerations for an IT solution to manage its compliance efforts. A “tension” always exists between a U.S. filer beholden to Sarbanes-Oxley compliance requirements and overseas employees or suppliers who don’t understand the logic behind the law, Rose says. “[Y]ou must constantly measure operating units to assess whether they are in control of their business—and that naturally causes tension.”

ERM OVERSIGHT

The following is an excerpt from The Conference Board’s executive summary discussing a report issued earlier this year entitled The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management:

The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top down understanding of risk. The Conference Board study finds:

Although 89.5% of directors say they fully understand the risk implications of the current strategy,

Only 77.4% of directors say they fully understand the risk/return tradeoffs underlying the current strategy.

Only 73.4% of directors say their companies fully manage risk.

Only 59.3% of directors fully understand how business segments interact in the company's overall risk portfolio.

Only 54.0% have clearly defined risk tolerance levels.

Only 47.6% of boards rank key risks.

Only 42% have formal practices and policies in place to address reputational risk.

Directors are, however, sensitive to the need for additional information:

While 71.8% of directors believe they have the right risk metrics and methodologies in making strategic decisions, 47.6% of directors would like to see more data analysis related to the company's risk profile.

Source

Corporate Directors May Not Be Providing Sufficiently Robust Enterprise Risk Oversight (The Conference Board; June 6, 2006)

In the fall of 2005, Foster Wheeler turned to Alinion, a compliance-software company. Its flagship product, Sentinel, is a Web-based database of compliance processes and a reporting tool to connect a company’s global operations. Rose was sold on Sentinel mainly because it enabled Foster Wheeler to “grasp the worldwide picture of its SOX activities quickly and effectively.”

Implementation took only 12 weeks, since Foster Wheeler and Alinion went directly to offices worldwide to do product-review work. Sentinel was up and running at 20 locations in 16 countries by the start of this year, enabling Foster Wheeler to complete its first-quarter self-assessments in March 2006 and begin SOX testing.

So far the tool has proven effective. Immediately after its launch, Sentinel detected that one location undergoing a controls assessment was experiencing an above-average number of incidents in one process. Central management, Rose explains, “was able to rapidly notify [the] operating unit management so they could direct appropriate resources and get the issues resolved.”

The Results

Rose expects Foster Wheeler to experience an increasingly smooth learning curve as it digests the practical chores of SOX compliance. In the first year, he admits, “like everyone else, we probably ended up doing too much.” In the second year, the company cut almost 40 percent of its controls—from around 5,900 to 3,600 worldwide—when “they didn’t move the needle.”

For 2006, Rose says, he will take his cues from the Public Company Accounting Oversight Board’s new guidance on auditing standards. “We continue to tailor testing more on a risk-based platform and less on a check-the-box approach and have cut over 17 percent of testing steps,” he says.

Is the program cost-effective? Here Rose points to Foster Wheeler’s structure of making operating units responsible for executing testing programs. This approach “creates a healthy tension between SOX program management and the operating units, as they continually question the need for testing in areas they feel are less important, and that often results in adjustments that reduce cost and complexity,” he says. Owning the cost of compliance motivates operating units to strive to deliver high-quality assessments and testing as efficiently as possible.

Another factor behind its steady performance improvement, Rose says, is the investment Foster Wheeler made in 2004 and 2005 to identify and train personnel in the operating units who would be responsible for self-governance and testing of controls. The company “doesn’t have to employ scores of high priced internal auditors or hire outsiders just to do SOX testing, and we are convinced we get a better result using people familiar with our business,” Rose says.

Another indication that Foster Wheeler’s efforts are paying off came last May when Standard & Poor’s raised the company’s corporate credit rating from a B- to a B+, citing improved risk-management policies, among other items. Now that it has the right coverage and cost-effective implementation in place, Rose believes Foster Wheeler’s third year of SOX compliance “will be the first true baseline year to correctly measure ongoing costs on a sustainable basis.”

Where does Foster Wheeler go from here? According to Rose, the next changes likely will be a shift from manual to automated controls, which should be faster and less expensive to test. “One thing we can bank on,” Rose quips, “is there will be more rules and more regulations, so the complexity factor will continue to put pressure on SOX program cost containment.”