In an era of unparalleled corporate oversight, senior executives and corporate boards know all too well that assessing risk is an integral part of their compliance obligations—but many companies still leave themselves exposed by failing to identify, address and disclose the myriad potholes that may pop up in a given business, experts say.

Larry Harrington, vice president of internal audit at Waltham, Mass.-based Raytheon Co., says the advent of disclosure committees in the wake of the Sarbanes-Oxley Act has helped to generate a “good cross-section of people … take considerable time talking about the risk factors and the disclosures in the 10-Ks and 10-Qs.”

But many companies still need help “thinking through risk to make sure not only that they are disclosing it but that they are clearly identifying what is the risk and what is their appetite for risk,” says Harrington, who chairs the professional issues committee of the Institute of Internal Auditors.

The IIA strongly advocates adoption of COSO’s enterprise risk management framework as an effective way to assess and manage risk. Harrington cites a 2005 survey by the IIA showing that one-third of organizations had no plans to implement the ERM framework—which was released in September 2004—or had considered implementing the framework but hadn’t yet made a decision to go forward.

“If you’re going to manage your business successfully, you have to manage risk appropriately,” Harrington says. “Not understanding risk with respect to how the world can change or how the market can change—that can impact your business. That’s why ERM is so important. It covers future strategy to daily operational kinds of things.”

While not all companies have embraced the COSO risk framework yet, Harrington says he’s encouraged that 48 percent of the companies responding to the IIA’s survey either had a complete ERM framework in place or had partially implemented one. The ERM framework addresses six specific risks: financing, investing, and financial reporting risks; legal and regulatory risks; information technology and systems risks; operational, supply chain and process risks; strategic, market and industry risks; and reputational and political risks.

‘Think About It Globally’

Frederick Lipman, a partner with the law firm Blank Rome in Philadelphia, says that while some boards of directors are more diligent about risk assessment than others and “all boards do some of it,” many companies have failed to realize the importance of “monitoring risk by starting to think about it globally.”

Boards “should have committees that identify the particular risk to their industry. They need to have management people, the general counsel and others report to them periodically on risk and to discuss and analyze how to minimize risk,” says Lipman, who is president of the Association of Audit Committee Members and has served on several boards, including those of Butler International and Kinetics Technology International.

Lipman says a “lack of education” still exists about what boards should do. “There’s a whole cottage industry of compliance officers, which is a reaction to Sarbanes-Oxley and the whole atmosphere of scandal,” he says. “But hiring a corporate compliance officer is just one aspect. You need to develop systems for making sure there is no gap in the risk analysis and the implementation of the methods of mitigating risk.”

Many corporate governance people are too focused on narrow issues, he says, such as implementing Section 404; meanwhile, they have had too little time “to really develop other areas or to recommend them to the board.”

Arthur Berner, of Haynes Boone in Houston, agrees that some companies “are looking at one particular issue or another and dealing with it on an issue-by-issue basis,” but he says that “a lot of companies are doing a very good job” with risk assessment. Indeed, he says, companies can even have too much risk management.

“If anything, there may be an overabundance of caution and a lessening of the creative entrepreneurial spirit,” he says. “Some companies are doing things these days that, in the past, ordinary rational business people wouldn’t be doing.”

But Mark Opausky, chief executive of governance software maker Business Propulsion Systems Inc., notes that there are potential economic benefits to having “an ongoing approach” to the assessment of risk.

“The vast majority of the market has made a slight shift toward viewing [risk management] as part of their overall governance burden, but only a handful of companies have started to think about risk in terms of market advantage—something to be used as an entrepreneurial tool,” Opausky says.

Companies “that have a lot of value tied up in brand identity tend to be pushed toward a proactive approach to risk,” Opausky says. “These companies start to promote the fact that a good approach to risk is a proxy for good management and good governance. Companies that are not in the public eye are apt to treat it on a cost-avoidance basis. They’re going to be late-adapters.”

Harrington agrees that “good risk assessment helps you manage your business better. And there’s a financial return on that investment. If you understand where major risks are, you can be sure you’re focusing time, energy and resources on those major risks. But if you don’t understand the total risks of the company, its goals and objectives may be impaired.”

‘Self-Assessment and Awareness’

Peter Blume, the head of the business practice group at the law firm Thorp Reed & Armstrong in Pittsburgh, says the heightened individual liability faced by chief executive and financial officers who sign SOX certifications has been a strong incentive for all companies to make sure their risks are in order.

Assessing risk is “a combination of self-assessment and being aware of what other companies in your industry are doing—problems that other companies have had, such as accounting problems and financial reporting problems,” says Blume, who counsels directors and audit committees.

Another vital way to assess risk, he says, is to “go back and look at every single compliance review, whether by OSHA, the FTC, the IRS, the SEC, or whatever. That’s a good starting point. And, if you ever get re-audited by a government agency, their starting point will be to look at whether you’ve corrected past deficiencies.”

One of the biggest problems “is when companies do not pay attention to compliance—they’re not doing a risk assessment—until they face an audit by a government agency or until they face a major lawsuit by a shareholder,” he says. “At that point it’s too late.”

Companies “need to be able to show that—before a problem arose—they had an effective compliance review and reporting program in place,” he says. “Regulators take a dim view of companies that only put programs in place after they’re audited or have been sued or after there’s been a failure of accurate financial reporting.”