This month, Compliance Week and the Open Compliance and Ethics Group's regular interactive series, “GRC Illustrated,” which features visual representations of key governance, risk, and compliance initiatives, explains the internal and external factors that play a role in the increased expectations placed on business executives and board members in the oversight, management, and disclosure of key risks.

In the current environment, risk has a higher profile and increased responsibility for those who manage it. Business executives and board members face higher expectations for the oversight, management, and disclosure of key risks.

Part III of the GRC Illustrated series is sponsored by Ernst & Young.

Many external factors have driven this heightened focus on risk, including recent regulations and standards concerning corporate governance, compliance, and risk management. In addition, large institutional investors and regulators are urging companies to do a better job of disclosing both risks to reliable financial reporting and non-financial risks. In response to these pressures, companies are spending, and will continue to lay out, millions of dollars.

In this new environment, executives and board members are anxious for a comprehensive understanding of how risk is being managed in their companies and, in particular, how to manage risk to create the greatest reward for their shareholders.

Benefits of Effective Risk Management

The benefits of effective risk management go beyond satisfying legal and regulatory requirements. Internally, an effective risk-management program promotes better business performance, increases efficiency, and aids effective governance. These benefits can be characterized as follows:

Fewer Surprises—Proactive identification and management of key risks reduces earnings fluctuations and increases stakeholder confidence.

Reduced Loss And Increased Reward—Risk management helps to reduce the likelihood of, and loss from, negative events. It also helps executives to take advantage of opportunities that may otherwise go unseen.

More Effective Decision-Making—Better decisions are made when a structured consideration of risk is built into existing activities. In this scenario, risk management is an inherent part of key decision-making processes.

Improved Corporate Governance—Solid risk management, with defined reporting and communication protocols, can help an organization fulfill expectations of key stakeholders and comply with regulatory requirements. A risk-assessment program that is well thought out helps a company understand and stay within the acceptable boundaries of corporate conduct—both the mandated laws, rules, and regulations; and voluntary values, agreements, and other social obligations.

External Scrutiny and Benefits

Externally, the capital markets are paying closer attention to how companies manage risk. As noted, more effective risk management can lead to less uncertainty around the achievement of business objectives, which, in turn, can increase benefits for the organization's stakeholders.

Investors are willing to pay a premium for effective risk management—According to a 2006 survey of 138 of the world's largest institutional investors, 82 percent of those surveyed reported that they were consistently willing to pay a premium on per-share prices for companies following effective risk-management practices.

Ratings agencies are increasing their focus on risk management—Agencies such as Standard & Poor's and Moody's have expanded their analysis within some regulated industries to include factors zeroing in on risk management. Many informed observers view this analysis as a precedent that will be applied across all industries. A $5-billion retail organization recently highlighted its risk-management capability in discussions with creditors and ratings agencies. These discussions helped the organization improve its bond rating. The key here is the ability to communicate your risk-management approach.

Model Risk-Management Process

How do you put together a risk-management process? There are a number of frameworks you can use. All have strengths and weaknesses. Regardless of your choice, your process should include the following steps:

1. Define objectives and context.

2. Identify boundaries, risks, and opportunities.

3. Assess risks and define actions.

4. Prioritize risks and allocate resources.

5. Address risks.

6. Monitor and report on risks.

7. Respond to risks.

Note: Steps 1 through 4 are typically considered “risk assessment.”

Obviously, the entire process should be subject to continuous scrutiny and, when indicated, improvement, so that the risk-management capability can deliver business benefits.

A Comprehensive Risk Assessment: The First Step In An Effective Program

DRIVERS

There are a number of U.S. and international laws, rules, regulations, and key voluntary codes that call for the board and senior management to conduct risk assessments. Here is a dizzying list of just a few of these mandated drivers for risk assessment:

United States

Federal Sentencing Guidelines

DOJ prosecutorial guidance (McNulty Memo)

SEC prosecutorial guidance

PCAOB AS2 / COSO Internal Control

NYSE and NASDAQ listing requirements

HHS, OCC, OFHEO, DOL regulatory guidance

BRT Principles; NACD Report; Conference Board Recommendations

TIAA-CREF Policy Statement; CalPERS Principles; AFL-CIO Voting Guidelines; CII Policies

International

OECD Principles, EASD Principles; ICGN Statement/Global Voting Principles; Institute of International Finance Code (general international codes)

Swiss Code & Directive (Switzerland)

Tabaksblat Code (Netherlands)

King II Report (South Africa)

Nørby Report (Denmark)

Vienot I & II Report / Bouton Report (France)

Dey Report; Saucier Report (Canada)

German Panel Rules; German Code

Swedish Shareholders Association Policy

The Combined Code/Turnbull Report; Cadbury Report; Hermes Statement (UK)

Olivencia Report (Spain)

KCP (Securities Commission) Code (Czech Republic)

Ministry of Trade & Industry Guidelines (Finland)

Code on Corporate Governance (Belgium)

Confecamaras Code (Colombia)

CCE/CNBV Code (Mexico)

Corporate Governance Principles; Governance Forum Principles (Japan)

ASX Principles (Australia)

Kumar Mangalam Birla Report; Stock Exchange Board (SEBI) Report (India)

SEC Code (Pakistan)

Code on Corporate Governance (Malaysia)

Code of Best Practice (Korea)

Singapore Institute of Directors Code

APEC-PECC Guidelines (East Asia)

SET code of Best Practice (Thailand)

SEC Code of Corporate Governance (Republic of the Philippines)

Federal Securities Commission Code (Russian Federation)

The first element of an effective risk-management effort is a comprehensive risk assessment, which provides a clear picture of an organization's most significant risks. This exercise is an efficient process that provides insight into those risks and links them to the organization's objectives, initiatives, and business processes.

The enterprise risk assessment identifies key risks to the achievement of business objectives. This is a critical first step—a clear understanding of an organization's most important risks to the achievement of business objectives within both mandated and voluntary boundaries. This assessment—the risk profile—identifies significant risks and allows management to prioritize risks for monitoring, testing, and improvement. The enterprise risk assessment also serves as a foundational element to align risk-management activities across traditional boundaries within the business.

An effective risk assessment captures valuable knowledge of the organization's current and emerging risks with a focus on:

understanding and assessing key business risks;

compiling risk-assessment results and developing a risk profile;

validating the risk profile with process owners and management;

validating a final risk profile with executive management and/or the audit committee;

identifying significant risks with associated drivers;

evaluating the potential impact and likelihood of the key risks;

capturing existing risk management and control activities;

evaluating the level of management and control activities;

analyzing significant gaps and opportunities for improvement; and

reviewing existing monitoring procedures.

Risk Assessment Gone Wrong

After taking the helm a few years ago, the chief executive officer of an insurance company asked his executive team to conduct a risk assessment to identify key obstacles the company faced. His team held a two-day workshop to identify these top-level issues. After the meeting, each executive was charged with analyzing in detail one or more of the issues. A month later, the team put together a report for the CEO to consider.

The report failed the CEO's inexact but important test. “Not a single item on the list was something that kept me up at night,” he noted. “Not only that, but the executive team didn't seem to have a plan to address the risks.” While many of the items on the list certainly mattered, they were not the items that, in the new CEO's opinion, mattered most. He felt that management:

was insulated from the real issues on the ground;

failed to drive consensus on what needed to be done; and

was not focused on the right issues.

Several months after he received this inadequate report, his organization was fined by its primary regulator and, in addition, had to issue a financial restatement because several risks had been missed. To say the least, this was an embarrassing start to a new job.

Critical Success Factors for Effective Risk Assessment

CONSIDERATIONS

There are a number of standards and frameworks to help design your capability.

Australian / New Zealand Standard: AS/NZS 4360:2004 (2004)

ISO Framework (due in 2007, based on AS/NZS 4360)

COSO ERM (2004) / COSO Internal Control (1992)

COCO (Canada)

Turnbull (UK)

IRM / AIRMIC Risk Management Standard (2002)

RIMS Risk Management Maturity Model (New)

The OCEG “Red Book” also provides a unified model for conducting risk assessment based on the standards above.

Source: Open Compliance And Ethics Group

Start With Enterprise (Or Entity-Level) Objectives—All risk-assessment activities should start with the desired end result in mind. Risk is only meaningful in the context of objectives. If management does not understand the objectives that the organization must achieve, it is impossible to assess the risks and uncertainty inherent in pursuing those objectives.

Common Approach—While it may or may not make sense to centralize the risk-assessment process itself, it is always a good idea to ensure that a common process and vocabulary are used. This will allow the organization to analyze risks relative to one another and to share tools across the enterprise. It allows for a meaningful aggregation of risk across the business and the ability to consistently analyze risks that are most important. In addition, a common approach helps the organization better communicate to external stakeholders (creditors, rating agencies, etc.) about the risk-management process.

Break Down Silos—Management must look at risks across lines of business, functions, and processes, and up and down the organization. Risks should be considered in relation to one another. For example, how do bribery risks compare to information-privacy risks? Which one requires more or less focus over the next year?

Top-Down Scoping And Identification—Do not try to boil the ocean. Use top-down analysis to identify areas where more thorough risk assessment should be applied. Senior management typically has the best understanding of enterprise objectives, key value drivers, and an initial, high-level understanding of key risks that have the greatest potential impact on the business.

Bottom-Up Assessment And Evaluation—The board doesn't know what is happening in every department in the organization—but it may need this information to provide appropriate oversight in significant risk areas. Use bottom-up analysis to gain a more detailed and varied understanding of risks in all relevant business processes and control activities. Leading organizations use technology to gather candid perspectives from multiple personnel levels as to risks in their departments.

External Sources And Objectivity—Look to external sources of information and consider events affecting industry peers as well as organizations outside your industry that have similar: 1) scale of employees, 2) scale and/or growth of revenues, 3) geographic scope of operations, and 4) core processes.

Business Ownership—Have business owners take responsibility for risks related to the processes they execute. For example, the VP of sales, rather than the general counsel, should be an owner of bribery and anti-competitive practices risk.

Action Oriented—Define an action plan to manage risks. Define projects and milestones to ensure that plans are actually put in place.

Embedded, Ongoing And Progressive Process—Embed risk assessment within existing processes such as strategic, customer, product development, and sales planning. This helps to leverage existing meetings and processes so that risk assessment is part of the planning rather than a separate burden. In addition, linking into an existing process helps to institutionalize risk assessment and ensure that the process is sustainable. Further, risk assessment should not be a single, annual exercise. It should be an ongoing and progressive process that is part of day-to-day activities and considerations.

Link To Performance Measures—Develop risk-adjusted performance measures at the entity, department, and individual level so that everyone understands key risks and the role they play to manage these risks. For example, in a top medical-device firm, salespeople are evaluated not only on their quarterly sales results, but also on their ability to accurately estimate future sales. In another example, a major professional services firm linked contract risk metrics to performance evaluation for business development personnel. All non-standard contracts signed in emerging markets were flagged for review by local counsel. Periodically, management was evaluated based on the total number of non-standard contracts that were signed and the percentage of these contracts that were reviewed by local counsel. Both numbers were meaningful. Large numbers of non-standard contracts without review were found to be a leading indicator of future contract disputes and volatile revenue. All business-development personnel were compensated based on not only sales, but also on contract compliance.

Risk Assessment Done Well

Leading organizations are realizing competitive advantages from investing in risk management. Directors and executive management need to ask if the organization is focused on the right risks and making the right risk-management investments. To determine if the organization is appropriately focused on the right risks, the following questions should be asked:

Is our current risk-assessment process comprehensive and effective?

Are we focused on the risks that matter?

Do we fully understand the significant risks?

Are there gaps or overlaps in our risk coverage?

Are resources aligned to our risk profile?

Who is monitoring the significant risks?

Do we make consistent decisions about risk?

How can we achieve a better return on our risk investments?

Do we have the proper oversight on risk?

How a company approaches risk management can, and should, create a competitive advantage. Boards and senior executives should not view risk management as a compliance exercise, but as an opportunity to invest in activities to achieve strategic goals and objectives.