Less than 40 percent of senior executives have much faith in their companies’ ability to identify and manage significant risks to their business, according to a recent study by risk-management consultancy Protiviti.

Protiviti polled 76 C-level executives at Fortune 1000 companies who were “strategically responsible” for risk management. A slim 38 percent said their companies were “very effective” at enterprise risk management.

That percentage has barely budged in other studies that Protiviti has conducted during the past 12 years, according to Protiviti Managing Director James DeLoach. He says companies have failed to implement risk management processes that can keep pace with changes in legislation and regulations, such as the Sarbanes-Oxley Act and the Basel II accord, and with rising litigation exposure. Technological innovations and shifts in the needs and expectations of customers further exacerbate the problem, he adds.

“Something that continuously requires improvement is to ensure that the changing risk profiles of organizations are not outstripping their capabilities to identify and manage risk,” DeLoach says.

Accounting and management scandals at companies including Enron Corp., WorldCom and Tyco International heightened executives’ awareness of the need for ERM, certainly. Advances in technology in the past decade also helped to accelerate the rate at which changes occur, says Miles Everson, a partner at PricewaterhouseCoopers.

“Everything is more transparent and blows through communications so quickly,” Everson says. “You no longer have time to react and manage the message. Those two factors are why enterprise risk management is more important today than it was 10 years ago.”

Such events can have an economic impact on a business, Everson says. Publicly traded companies, for example, have to analyze risks in the context of how they are valued by shareholders, and the effects on their market capitalizations.

Companies aren’t the only organizations that need ERM. The University of Texas began as early as 1992 to try to institute controls to manage risk, according to David Crawford, audit manager emeritus for the university and a principal at JD Enterprises. Even so, he said, the school struggled with problems such as fraud. Several scandals, including one that involved improper Medicaid billing, forced the University of Texas to manage risk aggressively instead of responding after events occurred, he said.

“We were basically unsuccessful in getting people to listen to us until 1998, when we decided we would stop talking about controls and start talking about risk management,” says Crawford, who worked in the school’s internal audit department as a manager from 1996 to 2000. “The failures forced us to take action.”

The Protiviti survey’s findings don’t surprise Crawford, he says, because few executives take the time to think holistically about risk. What’s more, turf wars that often prevent managers from communicating across divisions also impede organizations, he says. “In the commercial world it takes money, and money comes off the bottom line.”

One weakness with ERM standards such as the COSO framework, Crawford says, is their auditor-centric focus, which may not immediately appear applicable to non-financial business processes. He touts the Open Compliance and Ethics Group (a group with which Crawford works), which plans later this spring to launch a set of standards derived from COSO but more appealing to broader audiences.

Many executives also often use ERM standards only to examine the downside of risk, and fail to consider the opportunities, said Michael Rasmussen of Forrester Research.

“They just see it as a process, something that’s cumbersome,” said Rick Funston, practice leader for governance and risk oversight at Deloitte & Touche. “You definitely have to avoid risks to existing assets. But you don’t get rewarded for doing that.”

Top executives need to accumulate “risk intelligence,” or information about the benefits and downsides of key decisions such as entering new markets or accelerating the manufacturing of products, Funston said.

Protiviti’s survey did indicate that companies are trying to improve their risk management systems. A majority of the companies surveyed, about 60 percent, said they were focused on integrating responses for managing risk with strategic business planning, DeLoach says. About 59 percent of firms said they were trying to clarify who is responsible and accountable for managing risk. More than half have assigned a manager, supported by a staff, to oversee the process.

“Clearly the sponsorship and the tone [of ERM] sits with the board and the CEO,” Everson says. “This is about changing the behaviors and cultures of an organization.”

In addition to appointing an executive to oversee risk management initiatives, DeLoach recommends that companies develop ways to quantify risk, set clear goals, and establish guidelines for communicating about it.

Setting up an enterprise risk management system “isn’t a substitute for management’s judgment,” Funston says. “It’s ultimately about a judgment. This has to be part of the fabric of doing business.”