
Enterprise Risk Management

The heat is on

Audit committees lean on boards of directors to better control risk

By Michael J. Moody, MBA, ARM


While the summer may be over for most of us, for those involved with enterprise risk management (ERM), the heat is still on. In the past 12 to 18 months, there has been intense pressure for organizations to adopt aggressive ERM agendas. For the most part, this pressure has been applied by external sources such as rating agencies, stock analysts, and regulatory agencies. Today, however, the major push for ERM is coming from within the corporation, principally from the audit committee.

ERM fundamentals

Without question, today’s corporations face significantly more complex and difficult risks than they did just 10 years ago. From increasing risk associated with changes in technology to the establishment of a more global economy, the nature and pace of today’s business risks have increased. With these increases comes a number of important issues for corporate boards of directors. One of the major board issues is the expectation that they are effectively managing the organization’s risk.

After the massive failures of corporate boards such as those of Enron and WorldCom, the public has placed responsibility for the overall performance of the company squarely at the door of an organization’s board of directors. Through a variety of federal legislation and private recommendations, corporate boards have, in no uncertain terms, been called to task for failing to meet stakeholders’ expectations. As a result of increased attention from federal regulations such as the Public Company Accounting Reform and Investor Protection Act of 2002 (commonly known as the Sarbanes-Oxley Act of 2002) and a new approach from the New York Stock Exchange titled “Final Corporate Governance Rules,” corporate board members now realize that managing the increased expectations of stakeholders is, for the most part, job number one.

While each corporation has handled this increasing emphasis in different ways, the majority has looked to a new approach for risk management to help establish a proper system. The new approach, ERM, takes a much more holistic view of risk management. For decades, risk management was often an “ad hoc” approach where risks were managed by various corporate functions. The risks associated with each functional area—finance, research, sales, etc.—were pretty much managed in isolation. The risks from the functional areas were rarely acknowledged to interact with each other.

The newer view of risk management allows corporations to take a broader enterprise view of risk management in order to see the total effect of risk on the organization. This also allows upper management to set the agenda for risk management. One of the most basic and subtle changes that has accompanied the movement to ERM concerns the whole risk/reward issue. Many of the more experienced corporate risk managers have had difficulty with this point: the goal of ERM is not risk reduction. Rather, ERM is established to increase the likelihood that risks are effectively managed, so that key organizational objectives such as value creation and value preservation are more likely to be achieved.

An inside job

As ERM programs have begun to emerge, first in the financial service sector, and now general business sectors, the critical role of the board of directors has been highlighted. It has become readily apparent that the “tone at the top” is one of the most important determiners of success in ERM implementation. Without the proper board oversight and support from senior management, ERM’s promise may never come to pass. A critical ally in this has been the audit committee. A recent report provided by KPMG, titled Spring 2008 Audit Committee Roundtable Report, shows just how important risk oversight has become to the audit committee.

Earlier in the year, KPMG’s Audit Committee Institute gave a glimpse as to where risk oversight was on the audit committee’s agenda. They noted that on the top 10 To-Do list for 2008, number one was to be “a catalyst for improving risk management and oversight.” They indicated that risk management continued to be a “front burner” issue for both the board of directors and the audit committee. It was also noted that the committee should work to identify important gaps in the risk management process and help assure coordination throughout the organization.

It should be noted that the roundtable report was the result of a series of roundtable meetings, held throughout the country, that were attended by more than 1,200 participants. Further, the report highlights key challenges and emerging practices regarding risk oversight. While a number of findings came out of the roundtable discussions, there were essentially three major areas, which included:

1) “While the scope and nature of recession-related risk can vary widely by company and industry, audit committees are particularly focused on understanding how management is addressing risk in several areas.” A key concern is for the company’s liquidity risk as well as the potential impact of such risk on the company’s supply chain and distribution channels. As a result, audit committees are particularly focused on understanding who is responsible for managing these risks. The impact of the credit crunch on the company’s assets and liabilities is another key concern. While some corporations believe that they have limited impact from the credit crunch, the report points out that corporations need to be aware of exposures to the current market conditions through their investment portfolio and their pension funds, as well as dependency on refinancing in the short term, among other things.

Again, audit committees need to understand how vulnerable the company’s investments are to changes in values. And finally, the increased risk of earnings management in the current business environment was a concern for audit committees, and they need to be particularly sensitive to pressures on management to meet expectations and incentive targets as well as satisfying lenders’ debt covenants.

2) “Risk management, particularly the quality of companies’ risk intelligence continues to be a priority and a concern for audit committees today.” KPMG defines risk intelligence as a full complement of information that the company has on risk facing the business. Further, it begins with risk identification or inventory of key business areas facing the company. It also includes enterprise-level risk to complement an organizational strategy and business models, as well as its very existence. KPMG notes that an understanding of the interrelationship of these risks is central. Given the concern about the quality of risk intelligence, many audit committees are asking management to reassess the status of a company’s risk management processes as well as identify potential gaps. A number of survey respondents (27%) expressed concern that their company does not have an effective process to identify and assess the potentially significant business risk on the horizon.

3) “Audit committees are taking a harder look at capital ‘R’ risks, the tone at the top, culture, and incentives.” KPMG states that these capital “R” risks, if left unattended, may pose the greatest risk to the company, particularly in an economic downturn when management is under intense pressure to meet expectations. As a result, audit committees are taking a closer look at the culture within corporations, including management styles, information flow and performance incentives. The survey noted that 22% of attendees said that they are only somewhat confident that the audit committee really understands the culture of the organization. A major concern expressed by the participants is the risk-taking behavior that the company’s incentive plans may be driving.

All in all, the report provides valuable insight into how the audit committee is working to provide the proper oversight to a company’s risks.

Conclusion

It would appear that ERM is being pushed from a number of quarters in today’s difficult business climate. Without question, ERM requires a significant change in the culture of most organizations. While the pressure from various stakeholders has been profound, some organizations have yet to complete the ERM process. This is certain to have long-term implications for those organizations that lag in implementation.

ERM programs can provide better risk insights that can help companies to identify situations that not only decrease risk threats, but also create risk opportunities. This will provide a very compelling advantage for early adopters.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

 
 
 
