In this era of SOX and heightened scrutiny on public companies, there is growing pressure from shareholders, credit rating agencies, and other stakeholders for companies to develop enterprise risk management programs, and use the resulting data to improve overall compliance and disclosure efforts.


One of those stepping up the pressure is SEC Commissioner Cynthia Glassman. In an often-quoted speech in September 2003, Glassman urged public companies to provide more forward-looking information to their investors. Now Glassman, in a recent discussion with Compliance Week, is expanding on that call for more thorough MD&A by suggesting that companies use information gleaned from ERM systems to enhance disclosure.


“The purpose of MD&A is to provide a sense of the quality of a company’s earnings and cash flow,” says Glassman. “To do that, companies must understand risks to performance going forward and an ERM process is a way to do that. ERM can help companies to articulate their major risks and identify the nature of those risks, then develop a process for measuring, monitoring, and controlling those risks.”

Glassman emphasizes that this is not about eliminating risks, but about developing a process and a level of accountability for managing those risks. “Companies need to take risks to make money,” she says. “This is about companies managing risks appropriately, eliminating some risks if they can, and managing those risks if they can’t.”

Then, Glassman says, companies can pass along that information to investors. “I don’t think that a company has to use ERM to meet MD&A requirements, but to understand the business, companies need a strong risk management process. If companies have ERM, then that information can be attributed to MD&A.” (For more of Glassman’s comments, see box above, right.)

How Much ERM In MD&A?


It is almost inevitable that ERM will affect a company’s disclosure at some point and at some level. “Companies have to become more anticipatory in operations, making the need for disclosure of ERM more relevant today than ever,” says Miles Everson, a partner with PricewaterhouseCoopers in New York. “Companies need to show how they manage events and emerging trends and issues, as well as how they are controlling their dispersed business activities.”

ERM does more than provide a list of the risks a company faces; it helps companies develop a perspective on the implications of those risks and on what processes are necessary to manage risk throughout the enterprise. However, a key question is how much ERM-related information should make it into MD&A. “Companies need to proceed cautiously before disclosing too much information because outside users tend to have a short-term focus,” says Everson.


Some companies have already begun enhancing MD&A with ERM-related insight. “MD&A reflects the way we think about the business and includes more disclosure of risks in the business compared to five or 10 years ago,” says Morten Friis, chief risk officer for the $11.5 billion Royal Bank of Canada, which trades on the New York Stock Exchange. “It provides a more relevant and clearer picture to the investing public.”

Indeed, Friis notes that one of the main benefits of ERM is in helping the company to develop and communicate a clear message about its overall risk appetite and how the company manages risk. “It is difficult to find a common measure of risk, but a company can tell investors the direction it is trying to go from a risk perspective.”

Friis notes, however, that not all ERM information will make it into MD&A. “ERM is a collection of risks that ensures that management has broad coverage of all of the company’s risks,” he says. “However, MD&A itself will still focus on the risks that are most significant to the organization.” For example, MD&A for a financial services company might focus on credit and market risks by including information on how the company is managing its corporate loan portfolio or any other area that represents the largest concentration of risk. In other words, ERM can help to shape the commentary in MD&A, but not all ERM-related information will be relevant and important enough to warrant mention in MD&A.

“If the ERM process is strong, it can be another good tool to rely on to make sure MD&A is correct and that the company is speaking with confidence,” says Dean Marotta, senior vice president and director of internal audit for $1.4 billion Zions Bancorporation, based in Salt Lake City. However, “I am not sure it makes sense to disclose details about the ERM process in MD&A.” Instead, Marotta suggests that companies would be doing enough by making general comments about the presence of a robust and independent ERM process.

Evolving Role Of ERM

Many companies are hearing the call for ERM from several directions. “Shareholders don’t like surprises and regulatory and credit rating agencies see ERM as part of strong corporate governance and take it seriously,” says Marotta.

Indeed, Prodyot Samanta, director of enterprise risk management for Standard & Poor's in New York, says that while S&P does not require companies to have ERM, ERM practices are part of a company’s overall rating. “This is one part of the overall credit rating process, not a standalone issue, and companies understand that,” says Samanta. “Many companies have a more formalized and concrete ERM structure than they did a few years ago. But the key is for companies to use these programs and the information gathered strategically and proactively.”

At Zions Bancorporation, an ERM program has been in development over the last three years, including a lengthy recess as the demands of SOX Section 404 compliance overtook the need for ERM. The company has at least another year of work before its ERM efforts are complete. Then, Zions Bancorporation’s executive management will have ready access to a system that tracks the company’s top 10 risks to the business, including financial reporting, credit, market, and compliance risks.

Newcomers To The ERM Game

Many companies that are taking an enterprise-wide approach to risk management for the first time are still working out the role ERM can play in compliance and disclosure. Plano, Texas-based Electronic Data Systems is developing an ERM approach to replace a process that left business units to act independently on risk management issues based on client requirements. The $21 billion company is now formalizing and developing global standards for ERM, partly because of external pressure from clients, regulators, and shareholders, according to Roy Condon, the company’s chief risk officer.

Although EDS’ program is still evolving, Condon believes that enhanced disclosure will be a key part of the ERM program once it is up and running within the next 12 to 15 months. “Once the ERM program is generating information, we can use that to provide feedback to stakeholders and create a clear picture of where the company stands and what risks it faces,” he says. “I think this will yield more concise and articulate disclosure.”

“We recognize what shareholders are asking of us in terms of disclosure,” Condon continues. “The intent of the ERM program is to provide the board and senior management team with a broad spectrum of powerful information with which to make decisions, including insight into how to improve processes and operations.” This, in turn, will provide investors, analysts, and rating agencies with a better picture and more insight into what EDS is trying to accomplish. The nature of the disclosure from the ERM program would be based on what the program is measuring, which is likely to evolve over time as the business changes and the ERM program begins focusing on new and different aspects of the business.

ERM & Compliance

While many companies leave ERM in the hands of a chief risk officer, others are tying ERM more closely to compliance by placing it within the purview of the compliance function.


The Boeing Company has been using ERM to enhance its overall compliance efforts, according to Bonnie Soodik, the $52 billion company’s senior vice president and head of the office of internal governance, which is an independent area that combines ethics, compliance, and audit and reports directly to the CEO. As part of its ERM program, Boeing has identified 28 compliance risk areas in which it identifies and monitors risks on an ongoing basis, an effort that is overseen by the office of internal governance. Moreover, these risk areas change as the business changes. For example, in the wake of the scandal involving the hiring of former military personnel, Boeing established a risk area on hiring employees from the U.S. and foreign governments.

Overall, these risk areas are organized around Boeing’s various functional areas and cut across businesses. For example, the supplier management function oversees compliance with rules on accepting gratuities; engineering weighs the risks of various product substitutions; and the export area focuses on export compliance, including licensing, regulations, and controls. The export compliance risk area involves everyone in the export function as well as the individuals in the business units who touch the export process, such as traffic officials who need to know export rules and regulations for transporting goods.

“Each risk area is audited at least annually by the internal audit department to ensure that it is living up to best practices,” says Soodik. At that time, the auditor identifies any major risk areas that might require more attention and a higher level of monitoring. In those cases, those risks are addressed by an executive council made up of senior level executives.


At $13.68 billion Eli Lilly & Company, ERM efforts are being headed by Lori Queisser, the Indianapolis-based company’s vice president and chief compliance officer. “The goal is to make the risk/return evaluation process more strategic,” says Queisser. “We want to link strategy to risk management so that the company can balance resource allocation and place ‘bets’ that are linked to the overall business strategy.” The company also expects that having an integrated risk management framework will increase internal and external confidence that management is making the right decisions.

Overall, Queisser sees several opportunities for ERM to enhance compliance and disclosure. Eli Lilly manages risk on three levels: the enterprise level; the process level, in order to ensure more reliable processes; and the individual level, to ensure that people understand risk and have accountability for risk management. Because disclosure is a process, Queisser expects to use the company’s ERM approach to make sure the disclosure process itself is reliable and stable.

“We need to know that what we disclose will hold up,” Queisser says. “ERM can increase our confidence in what we know we know and what we are confident we know.” This is becoming ever more important as the company seeks to maintain the integrity of its disclosure as the external marketplace continues to demand faster reporting and greater transparency.

Queisser also expects ERM to minimize surprises for the company and its shareholders. “If we manage risk well in a comprehensive way, there should be fewer crises in general,” she says. “Moreover, the company will be better able to plan and prepare for problems.”

But perhaps the most profound change ERM can bring is by providing the company with more information with which to better evaluate, and then relate to the public, what is going on inside and outside of the company. “ERM can make us more confident that we can deliver on what we are disclosing,” says Queisser.