The global economic scene has provided a sobering reminder that risks potent enough to take down the whole enterprise are very real. And while identifying and managing those risks is a challenge, the steps to do so are essential to survival.

Tips and strategies on taking those steps were a main topic of discussion at Compliance Week 2009 earlier this month. Hundreds of compliance executives and experts shared their ideas—some learned the hard way in the last 12 months of economic turmoil.

The sudden change in fortune for many companies wasn’t lost on Mike Rost, vice president of marketing for Paisley.


“It has struck me how much the dialogue at this conference has changed,” said Rost. “Just a few years ago, we were talking about Sarbanes-Oxley and too much regulation. Now we’re talking about more regulation. Regardless of the theme of the year, the week, the quarter—the disciplines around audit, risk, and compliance are consistent.”

Some companies have seen the economic crisis as their cue to develop more formal risk-assessment approaches. Patrick Sheller, chief compliance officer and corporate secretary at Eastman Kodak, offered some tips on getting a program started from the beginning.

First (as always) is to win support from senior management and the board of directors, Sheller said. If necessary, remind top management and the board of the numerous regulatory requirements to assess risks, and the threat of litigation over ill-conceived risk-management strategies. Then, form a council or committee that represents expertise from throughout the enterprise, and start taking inventory of all the risks your company faces.

Kodak, for example, followed an audit firm’s template to help drive the conversation about what risks the company might have but not fully understand, Sheller said. The company then ranked various risks according to potential severity and the likelihood that they might occur; that helped to prioritize risks requiring greatest attention and resources. “We discovered that the more we could simplify this process, the more positive reaction we would get,” he said.

After presenting results to the board and management, Kodak developed plans and strategies to mitigate the most important risks. “The end game is to build in or embed into the business risk management,” Sheller said. Kodak has developed a system for tracking progress on mitigating key risks and is building risk management into strategic planning. It’s also working toward building risk management into regular business performance reviews, Sheller said.

Robert Brewer, chief compliance officer at Office Depot, talks ERM at Compliance Week 2009.

Robert Brewer, compliance officer at Office Depot, said his company’s challenge was to expand its enterprise risk management program into a business practice embedded across all functions of the company. Office Depot is now in the final stages of getting its portfolio of risk strategies approved and accepted by the board of directors. “The audit committee is comfortable owning the ERM process, but they aren’t comfortable owning the risks,” he said. “They want the full board to own the risk.”

Adapting ERM to the Times

John Farrell, a partner and global enterprise risk management leader at KPMG, said establishing a proper tone around compliance and risk at all levels of the organization is important. And when times are tough (that would be now) companies must adapt their views on risk to assure they’re focused on the right risks and controls. For example, consider whether the company has taken into account regulatory changes, system failures, supply chain or quality problems, technology breakthroughs, or other game-changing events.

Susan Panzer, head of ERM and internal audit at Computershare, said the company recently implemented a governance-risk-compliance system that helps put discipline and consistency to the company’s approach. The Australia-based company operates units in 19 countries, driving the need for a more systematized process, she said.

One important goal was to align various rules and regulations with the company’s internal business processes. “So when the regulations change, we know exactly what needs to be changed and what the impact is to our organization,” she said.

And while Computershare did want to break down silos, it didn’t necessarily want a centralized process either, Panzer said. “Some companies have compliance officers and some have compliance functions dispersed across the functions,” she said. “This tool gives us the ability to do that. It is a central repository.”

Once a program is in place, then comes the task of evaluating how effective it is, said Carol Stern Switzer, president of the Open Compliance and Ethics Group. “Setting it up and then just letting it run is a recipe for potential failure,” she said.

Companies can choose to evaluate whether the program is designed to achieve its objectives, or to use more empirical measures. For example, Sheller said, companies might choose to measure the number of people who have been trained or the number of calls to a compliance hotline. Beyond that, companies might choose to measure the effectiveness of certain risk controls more carefully than others, depending on the nature of the risk and the control, Switzer added.

Switzer also dismissed the argument that since companies are mandated to have some form of ERM anyway, measuring effectiveness is pointless. That view, she said, misses the point that assessing effectiveness helps determine how well your ERM budget is being spent. “The government doesn’t care if your program is inefficient or how much money you have to spend,” she said. “You want it to be effective, but also efficient.”

Still, measuring effectiveness can’t be fully empirical, said Grace Fisher Renbarger, a vice president at Dell. “It’s very hard to prove you prevented something from happening,” she said. “You can use indicators, look at prevention and detection, or do a root cause analysis. But nothing gives you the full picture.”

Rost at Paisley said he often hears questions about measuring programs or establishing a return on investment. “It’s similar to measuring the cost of quality,” he said. “You’re trying to prove the value of a negative or trying to avoid bad things. If it hasn’t happened yet, you’re not sure of the cost.”