Don’t expect a quick reaction from corporate America now that the Committee of Sponsoring Organizations of the Treadway Commission has released its framework for managing enterprise risk

U.S. businesses, particularly smaller and mid-sized ones, say they’re still far too preoccupied with the internal control provisions of Sarbanes-Oxley to pay much attention to COSO’s framework. Indeed, it may be mid- to late-2005 before they focus on COSO’s new recommendations.

Slowing the embrace of “COSO ERM” is the fact that no regulatory authority is requiring the implementation of COSO’s framework. Of course, that was also the case with COSO’s internal controls framework, released in 1992 and only recently deemed “suitable” by both the Securities and Exchange Commission and the Public Company Accounting Oversight Board. In addition to the current focus on Section 404 of SOX, many companies believe they already do a good job of managing enterprise risk.

But that doesn’t mean that smaller companies are ignoring the COSO framework. “The full framework—the book—is in the mail to us even as we speak,” says Bruce Hallums, director of internal audit at $2.4 billion CBRL Group.

Thomas Samartino, vice president of audit services at $19.4 billion AutoNation, is also paying attention. “I’m immersed in COSO I and II,” he says, referring to the internal control and ERM frameworks, respectively. “With ERM, you need to take a broader strategic view,” says Samartino, “not simply look at financial reporting as the whole picture.”

So while small companies may not have rigorous enterprise risk management programs in place, many executives believe that eventually ERM will become more institutionalized and ubiquitous. “I think awareness and understanding of ERM will grow over time,” says Samartino. “Sarbanes-Oxley’s passage has been a giant leap forward in the right direction. This whole thing just gets back to plain common sense.”

Hallums at CBRL Group agrees, noting that the COSO process has provided “specificity” regarding controls and risk management. “Now all companies are talking the same language, and that’s good.”

Reservations Abound

While most corporate executives are aware of the new COSO ERM framework, many say that coming to terms with it may take quite some time. “COSO itself has always been good conceptually, but it’s hard to connect in reality,” says Paula Buckman, manager of internal control, design and insurance at $816.4 million tire company Bandag.

In addition, the framework is so new that Buckman doesn’t know how it would be implemented at the company. “We’ve got a very robust strategic planning process,” she says. “For the COSO ERM framework to be employed in our company in a spirited way, it needs to link up with that strategic planning process to show that there would be some benefit, and I don’t have a feel for that.”

In addition, some believe that selling management and the board on the benefits of ERM could be a challenge. “Risk management is such a nebulous concept,” says Samartino at AutoNation, adding that most management teams believe they’re already doing an adequate job of assessing risks. “I can imagine they think they’ve made real strides,” he says, “until they have a failure or lawsuit.” According to Samartino, it’s only then that “someone at the board or senior management level stops and says: ‘We’re not doing good enough.’”

The AutoNation board is scheduled to hear a full presentation on ERM, but Samartino says the term ‘COSO’ won’t be on the agenda. “I’m very careful not to use the phrase ‘COSO’ because people’s eyes start to glaze over when you do,” he says. “What I want to say is: ‘Here’s a macro view of risk, here’s what we do about it.’” According to Samartino, the specifics of the framework are less important than the organization’s commitment to ERM. “The issue is whether you consciously have a process to monitor risk and react to it in a timely way.”

Step One: Education

Most executives believe that simply educating the company is a critical first step to enterprise risk management. “The first thing you have to do is educate the board about what ERM is,” says Don Harikian, director of internal audit at Portland, Ore.-based Esco Corp. Samartino at AutoNation agrees, noting that “boards are not schooled in the ERM concept.”

The challenge, of course, is that many boards are—like management—caught up in the minutiae of new compliance and disclosure mandates. Harikian acknowledges that his own board isn’t pushing hard to implement a robust ERM program at this moment. “If you’re talking about ERM as a total concept we’re probably not doing that,” says Harikian. “So far the executive group and audit committee have said they’d prefer to concentrate on Sarbanes-Oxley and how it pertains to risk,” Harikian says.

That seems to be a common theme for many companies as they wrap up the SOX 404 process and prepare for sustainability issues in 2005. As far as ERM goes, executives acknowledge that it’s critical, but it’s still on the horizon. “We probably won’t get to that before the end of next year,” says Harikian.

“I have not purchased the whole [ERM] book,” agrees Buckman at Bandag, “but we will.”