Companies and boards of directors have been managing risk in various forms for a long, long time. It’s managing risk in a unified form that’s vexing them these days.

Shaping a holistic approach to enterprise risk management is something boards know they want to do. While companies have always practiced risk management per se, ERM “brings discipline to the process,” says John Farrell, a partner with KPMG and leader of the firm’s enterprise risk management practice. He describes ERM as “a scorecard” that outlines all the risks a management team faces, how serious those risks are, and what the company is doing to mitigate them.


“It’s a deeper, performance-based program,” that unifies different departments within a company, he says, even if the risk management among those departments differs greatly.

In 2007, particularly, several factors have brought ERM to the forefront. Regulatory requirements, such as those established under Sarbanes-Oxley and the New York Stock Exchange’s listing standards, as well as growing concerns about fraud and about responsibility to shareholders and the public, have all contributed to heightened awareness of risk prevention techniques.

Globalization has also proven to be a significant driver, Farrell says. “My experience has shown that once you operate internationally, almost every risk category is enhanced.”

For example, he says, working under numerous regulatory regimes raises the risk that some part of the company will be out of compliance with some regulator, somewhere. Operations can be threatened by political instability in a foreign country, and technology risk can escalate as well, “because you’re now relying upon the infrastructure of that country, which can be very different.”

To complicate the matter further, it’s not entirely clear that the United States is blazing the trail for ERM. John Varvaris, senior managing director with SMART Business Advisory and Consulting, contends that many European countries are actually further along in ERM concepts and methodologies than the United States is.

“It’s more part of their culture to be thinking longer term in financial management, as well as business management,” Varvaris says. European businesses think more about what could go wrong 18 months down the road; their American counterparts, he says, still focus on short-term risks.

On the other hand, ERM in less developed markets is “almost a diagnostic” that entails a complete examination of the culture and how to align an ERM program with that market and the people in that organization, Farrell says. “One of the challenges of a successful ERM program as you implement and continue deploying and moving out globally is just that: an ERM program with the flexibility to be adapted to the local market, without losing the important aspects of its purpose,” he says.

RISK PROFILE

Below are the top-10 enterprise risks as compiled this year by Protiviti, compared to 2006’s results.

Rank   Risk                              Rank vs. 2006
1.     Competitor                        Up
2.     Customer satisfaction             Unchanged
3.     Regulatory climate                Up
4.     IT systems & security             Down
5.     Market conditions                 Up
6.     Financial conditions (tie)        Up
6.     Brand & reputation (tie)          Up
7.     Legal climate                     Up
8.     Technology innovation             Down
9.     Legal issues                      Down
10.    Human resources                   Up

2007 U.S. Risk Barometer: Survey of C-Level Executives with the Nation’s Largest Companies (Protiviti)

Where to begin? There are myriad tactics, and Compliance Week has covered many in recent years; however, experts say that any ERM program must consider these five simple steps:

1. Start at the top. An ERM program cannot succeed without the support of senior-level executives, period. “They set the tone for the whole firm,” says Wayne Fisher, executive director of ERM Institute International and a former chief risk financial officer for Zurich Financial Services. “That cascades down to the enterprise.”

Nevertheless, managers often put up a good deal of resistance. Senior executives frequently will argue they already have an effective risk management program in place, Varvaris says. His advice: “Unless you spend focused time thinking about risk management and mirroring your activities around that focus, you’re not really going to be addressing risk issues.”

In fact, in a recent survey of 150 senior-level executives at Fortune 2000 companies, 47 percent rated their organizations less than “very effective” at identifying and managing significant risks, leaving them vulnerable to unanticipated losses, reduced productivity, and business disruptions, according to the 2007 U.S. Risk Barometer Study released by risk consulting firm Protiviti.


“This should be a wake-up call to senior management, the board, and investors,” Everett Gibbs, managing director and chairman of Protiviti’s operating committee, said in a prepared statement.

To gain increased support from executives, veer away from the perception that ERM is a regulatory or compliance-based project, which tends not to catch the interest of senior executives, Farrell says. Instead, it might be best to link ERM to a purpose, such as improving customer satisfaction.

2. Build a team. Once you have that support from the top, focus on building a dedicated risk management committee that “permeates all aspects of the organization,” Varvaris says. This involves appointing a midlevel or senior-level person from each division who is expected to participate in risk management discussions.


Don’t stop at the board level; Varvaris stresses that organizational ownership at all levels is vital. “It becomes everybody’s job to become aware of risks in their day-to-day activities,” he says. For example, if a lower-level employee is suspected of committing fraud, his peers should make that known, he says.

3. Identify risks. Next, identify all the possible risks your organization may face. “In a typical firm, you would start with your largest exposures,” says Fisher. For example, a property-casualty insurer would start by assessing its exposure to natural disasters.

But risks vary greatly, depending upon the company and the industry. In the Protiviti survey, executives ranked competitor risk as the greatest threat their companies face. The next four top risks were customer satisfaction, the regulatory climate, IT systems and IT security, and market conditions.

4. Manage risks. After all risks have been identified, you’ll want to assess how to manage those risks, says Farrell.

In his days at Zurich, Fisher says, executives would go through a “total risk profiling,” which involved a “disciplined methodology with a senior and very diverse group of executives” to assess what risks the firm faces. Then, in subsequent meetings with people who had more specific knowledge, they would “drill down what the real exposures would be,” says Fisher.


5. Monitor risks. An ERM program is not something the board can implement in a quarter or fiscal year and then leave to hum along at its own pace. It is, Varvaris says, “a dynamic process” that boards must internalize, regularly revisiting their ERM assumptions and the program’s performance.

Typically, a chief risk officer reports back every quarter to the risk management team and to the senior executives to follow up on risks that are “above the acceptability line,” Fisher says, and to discuss what’s being done to mitigate them. That CRO—whether a single person, or the leader of a committee that implements ERM efforts—should appear before senior executives and the board regularly. “You want to get them to think about it every quarter, because risks could change. New risks could emerge,” says Fisher.

Having such a monitoring system in place also “tends to keep people diligent on mitigation action and realistic about risk assessment,” he adds.

The Benefits of Preparedness

The Protiviti study found that companies rating themselves “very effective” often had a chief risk officer to coordinate risk management policy, execution, and reporting. The findings suggest a growing recognition among companies that risk management is a critical process best addressed and managed by dedicated executives and resources, according to the survey.

Companies with a more sophisticated risk management infrastructure are also less likely to be caught unprepared by new developments, and “this ultimately gives them a competitive edge,” says James Pajakowski, a managing director at Protiviti.

The last thing anybody wants is for the board to identify a risk that was either ignored or forgotten about, Fisher says. “You want to show that you’ve done your homework, that you really thought through the risks of the enterprise, and you’re doing something about them.”