On July 22, 2009, Compliance Week and PricewaterhouseCoopers presented an editorial roundtable about managing emerging risks—the unexpected or uncontrollable threats (think swine flu, global warming, political insecurity) that can leave companies at a loss for mitigation strategies. The discussion, moderated by Compliance Week Editor Matt Kelly and taking place at the Four Seasons Hotel in Chicago, involved more than a dozen compliance and legal professionals, who provided their insights and ideas on how to address the problem.

THE PANELISTS

The following executives participated in the July 22 roundtable on managing emerging risk.

Joseph Atkinson, U.S. Leader, Governance, Risk & Compliance, PricewaterhouseCoopers

Paul Mokdessi, Principal, PricewaterhouseCoopers

William Caton, EVP & Chief Risk Officer, Navistar International

Jeanine Jiganti, Chief Compliance Officer, Takeda Pharmaceuticals

Steve Koslow, SVP, Chief Ethics & Compliance Officer, CUNA Mutual Group

Michele Mayes, General Counsel, The Allstate Corporation

Jeffrey Muretta, Senior Manager, Corporate Audit, Boeing

Haydee Olinger, VP and Chief Compliance Officer, McDonald’s Corp.

Ron Provenzano, Chief Compliance Counsel, R.R. Donnelley & Sons

Patricia Puccinelli, VP, Global Finance Operations, Manpower, Inc.

Scott Putnam, VP, Internal Audit, JohnsonDiversey, Inc.

Nancy Ross-Dronzek, VP, Internal Audit, Anixter International

Colette Simo, Director of Corp. Compliance and ERM, OfficeMax

Thomas Van Cleave, Finance Director, Internal Audit Services, Motorola

Chief compliance officers are already busy enough managing all the risks they know. But the risks they don’t know are what really worry them.

That was the consensus among compliance executives participating in a recent editorial roundtable hosted by Compliance Week and PricewaterhouseCoopers, exploring the topic of “emerging risks”—large-scale, global changes that often have unpredictable outcomes and are usually beyond any single company’s ability to control: climate change, swine flu, political instability, or the like.

“When I think about emerging risks, I might see them, but I can’t tell how they’re going to turn out,” Michele Mayes, general counsel of Allstate Corp., said at the July 22 event in Chicago.

Still, companies must try to manage those risks anyway, even in today’s era of tight budgets and myriad other immediate concerns crowding in on a compliance executive’s time. “The real challenge here is how you start to get the right discussion, dialogue, and response around managing your risks,” said Joseph Atkinson, head of the risk management practice at PwC.

Many at the roundtable said they worry most about fast-moving risks that emerge from nowhere; several cited the eruption of swine flu this year as the perfect example. The Mexican government shut down large swaths of its society during one of the nation’s biggest holidays (Cinco de Mayo), the Chinese have imposed a draconian quarantine policy for travelers who show signs of illness, and countless businesses have changed travel policies or had to re-draw business continuity plans—all in a matter of months.

“Who would have thought of something like swine flu?” said William Caton, executive vice president and chief risk officer of Navistar International.

Other emerging risks attendees cited repeatedly:

The financial crisis, and especially its economic consequences, which could endanger customers or suppliers;

New directions in regulation or accounting rules, and particularly the possibility that the United States will adopt International Financial Reporting Standards;

Climate-change regulation both at home and overseas; and

Scarcity of skilled labor—yes, even today, since over the long term legions of Baby Boomer employees will still retire and global competitors will only grow stronger.

Supply-chain risks were a repeated theme: suppliers who might engage in fraud or suppliers who might be unreliable. Most worrisome was the risk that broad economic instability in another part of the world could hurt vital overseas suppliers, and leave a U.S. company’s supply chain vulnerable. “When the country is not stable, we feel it,” said Colette Simo, director of corporate compliance and risk management at OfficeMax.

And sometimes those risks blur together, posing yet another threat of “risk overload.” McDonald’s Corp., for example, depends on a steady supply of beef to stock its restaurants around the world, so the company needs to assure that its suppliers are reliable and that it maintains high-quality meat all along the way. “We want to make sure that our suppliers and our suppliers’ products are continuously being inspected,” said Haydee Olinger, global compliance officer at McDonald’s. “We look at it as, ‘What can bring down the house? What is the potential for a serious risk to occur?’”

The answer to that question will vary, depending on each company’s biggest organizational risks. Paul Mokdessi, a principal at PwC, advised companies to ask themselves: “What’s really worth getting your hands around, and what’s really just business-as-usual?”

Most roundtable participants said understanding company-wide risks requires the input of all employees, although exactly how you collect that input can vary widely from one company to another, or even among different levels or functions within one company.

“We have an informal culture where we can walk into anyone’s office at any time and talk about business, including risks,” said Nancy Ross-Dronzek, vice president of internal audit at Anixter International. “We see risk as something we mitigate as part of daily business. We don’t treat risk as a separate issue.”

“Addressing lower-level risk is the responsibility of all employees,” Ross-Dronzek continued. “What may qualify as low-level risk in one area may be perceived as high-risk in another. Our goal is for people to understand, own, and manage risk within their areas of responsibility on a daily basis.”

Identifying and understanding the risks employees raise can then create a better sense of which ones require priority attention at the corporate level. “It’s more of the frequency of how often you hear about that particular risk,” Simo said. “If you hear about that risk more than once, it naturally trickles up” to senior management.

Search extensively for good risk analysis, too. For example, during a discussion around the risk of a pandemic, consider talking to knowledgeable doctors to assess the size and scope of the potential situation, advised Steve Koslow, chief ethics and compliance officer at CUNA Mutual Group. “How do you build assumptions without having knowledge?” he asked. His answer: turn to those who have more facts at hand than you do.

Jeffrey Muretta of Boeing offers his thoughts on the current state of risk. At left is Thomas Van Cleave of Motorola.

Allstate’s Michele Mayes expresses the joy of managing emerging risks.

Nancy Ross-Dronzek of Anixter International makes a point; Ron Provenzano of R.R. Donnelley looks on.

PwC’s Joseph Atkinson offered some advice and best practices.

Some good news: Often, a company also discovers that emerging risks—even the most unpredictable ones—can be used as opportunities to improve weaknesses within a corporation. Caton gave the example of swine flu. Once the pandemic started wrecking travel plans across Corporate America, Navistar’s risk committee reviewed the situation and decided to adopt a policy that all employees book business travel through a single corporate travel website.

Previously, Caton said, employees could book travel plans through alternative methods—but then the company might not know where they were if a pandemic struck. “By requiring all travel booking through the Website … [we] can locate each employee in the affected areas to allow us to provide support and guidance to help safeguard them,” he said.

Boardroom Support

Compliance executives also stressed the need for boardroom support, and the importance of having the right thinkers and decision makers at the table when it comes to addressing risks.

Allstate Corp., for example, has a group of people from top executives to the corporate communications team who get together regularly to discuss risks, Mayes said.

Most attendees said their boards do grasp the importance of risk management, and say they want strong, effective risk-management functions. But boards also still have a hard time translating that conceptual support into practical support or clearly stated risk tolerances.

“We still hear from board members that they’re not getting adequate information about risk,” Atkinson said—but when he pushes board members to describe what they mean, he said, they often can’t identify specifics. To bridge that gap, compliance executives must build a communication mechanism that has a real, meaningful effect on decision-making that resonates with senior executives, he said. If you want to know what’s going to drive decision-making, look at what your incentives are, advised Atkinson.

Koslow advised that if a company cannot easily predict what its potential risks are, or can’t quite identify which risks could take down the company, then ask: “What kinds of minds do we want around the table thinking about risk when it does come up? That’s one of the things the economy has forced us to sharpen our vision around,” he said.

One common worry was that the mechanism a company uses to foresee risk (whatever that specific mechanism may be) isn’t operating at the level it should be “and you end up with something that feels like another audit control,” Atkinson said.

Conversely, converting a risk into an opportunity to improve risk mitigation, or even profitability, will get management’s enthusiasm, Ross-Dronzek said. She cited an example where finance and related departments from Anixter’s U.S. and overseas units convened to discuss processes and improvements for their accounts receivables. The practices are now being embedded into accounting operations worldwide.

Mayes summed up the issue simply: “That’s all this is really about at the end of the day: How much do you believe something is going to affect your business?”