ERM 10/02

ENTERPRISE RISK MANAGEMENT

CORPORATE GOVERNANCE MOVES TO THE FRONT BURNER

ERM expected to play a key role as boards of directors oversee risk management

By Michael J. Moody, MBA, ARM

Board level management must seize the risk management agenda and make risk management a strategic priority.

ERM graphic2 While corporate governance has been a high priority in many countries for the past four or five years, until recently it has received little more than lip service from corporate America. However, the days of lip service are coming to a rapid end. When Enron ran into major financial troubles late last year, some observers were quick to look past their indiscretions, pointing to the fact that Enron worked at the edge of the envelope, and that some of Enron's creative risk financing approaches were untested at best. But failings at Enron were only the tip of the iceberg.

Since then, we have watched a parade of U.S. companies disclose serious financial problems and/or accounting irregularities. The fallout from these problems has produced a crisis in corporate confidence that has shaken the very foundation of our financial system. And, unfortunately, no one is quite sure how to restore trust.

Clearly, a change in how U.S. companies transact their business is going to be required to regain the confidence of the American public. As a result, corporate governance has moved to the front burner and will finally get the attention it deserves. And for many boards of directors, enterprise risk management (ERM) will play a vital role in the new economy.

What are boards doing?

The crisis in corporate confidence is requiring boards across the country to respond forcefully and decisively. Most realize that they cannot wait for government regulations; it is time for quick action. A recent study by the National Association of Corporate Directors and the Institute of Internal Auditors (IIA) has shed some light on how corporate America will resolve this matter. The study confirmed that one of the predominant actions being taken is a new focus on corporate ethics as well as ERM policies and procedures.

However, the survey also pointed out some serious shortcomings regarding ERM. For example, 45% of the respondents indicated that their organization did not have a formal ERM process or, for that matter, any other formal method of identifying risks. Further, an additional 19% of directors indicated that they were not sure whether their company had a formal method of identifying risks. These kinds of responses will no longer be acceptable to the public, and corporate directors will need to resolve these shortcomings quickly.

As a result of the survey, IIA advanced three recommendations. The second one deals with the board's responsibility to disclose an assessment of the effectiveness of its internal controls. The IIA indicated that ERM is a critical aspect of this issue. The recommendation was directed at the coordination of risk management strategies that encompass assessment, mitigation, financing and monitoring of corporate risks. They note that ERM is designed to focus on the impact of risk on the overall financial and strategic objectives. The report also points out that ERM recognizes the upside as well as the downside nature of risk.

More holistic approach

Additional support for this wider view is provided in the form of a new report from PricewaterhouseCoopers (PwC) and the Economist Intelligence Unit, which point to a more holistic approach to risk management. The report, "Taming Uncertainty: Risk Management for the Entire Enterprise," is specifically directed at financial services companies. However, its conclusions would appear to be universal. The report highlights the wide variety of risks that financial institutions face. According to Paul Horgan, partner, PwC, the study is part of "a series of studies to identify key strategic issues facing the global Financial Services Industry, with emphasis on drawing conclusions about best practices and future trends.... Other studies have focused on economic capital and issues facing providers of wealth management services." Shyam Venkat, partner, PwC, observes that "the study is timely because some leading firms have spent a lot of time and money on risk management and now seek to leverage this capability to make more informed and better decisions from both a control standpoint as well as a broader strategic business context."

Among other things, the PwC report notes that financial institutions are still seeing, from an organizational standpoint, that risks are split into separate silos--frequently the three areas of credit, market and operational risks. The report goes on to state that in order to develop a leading-edge risk management capability, a company must develop a comprehensive, integrated view of risk, as well as a dynamic process for handling the risks.

Framework for ERM

The report offers three factors that need to come together in order to create the right framework for a holistic view of risk. The first factor is an important one for the changing world of corporate governance. It states that board level management must seize the risk management agenda and make risk management a strategic priority. According to Horgan, "Boards and senior management are beginning to get a clearer understanding about the different components of risk management. They are starting to connect the dots, where risks cross over," he says.

The other two factors in developing the holistic framework are:

* Management processes need to be set up to ensure that an awareness of risk informs corporate governance, decision-making, external reporting and compensation.

* The right enablers (i.e., the people and systems that facilitate risk management decisions) must be put in place to deliver the information upon which managers can base their decisions.

While corporate America has been a little slow in implementing the holistic approach to risk management, the report indicates that, as time goes on, ignoring this issue will not be an option. Shyam Venkat says, "As the governance issues around this topic begin to take on increased prominence in the business community, boards of directors will start driving the discussions in this direction.... At that point," he says, "you will see companies either be proactive in implementation, or be forced to act on the whole risk management issue." Regardless of how they get there, he notes, "They will need to take the necessary steps to implement a risk management culture and make the necessary commitment."

Venkat believes that this will be sooner rather than later: "Once company executives begin having to take on greater responsibility for the financial, non-financial and risk disclosures of their firms, there will be a heightened degree of management attention focused on risk management issues."

World class risk management culture

Another aspect of the PwC report is the identification of the attributes of successful risk management cultures. The report highlights 10 such attributes:

1. An awareness of risk and the need to manage it pervades the enterprise.

2. Risks are identified, reported and quantified to the greatest possible extent.

3. Equal attention is paid to both quantifiable and unquantifiable risks.

4. Risk management is everyone's responsibility and is not fragmented into compartments and silos.

5. All persons involved in monitoring risk, even non-financial risk, have a power of veto over new projects they consider to be too risky.

6. The enterprise avoids products and businesses it does not understand.

7. Scenario planning embraces uncertainty and factors all possible developments into decision making.

8. Risk managers are monitored. Internal audit procedures ensure that systems are running properly and the right results are being reported.

9. Risk management is recognized as a key contributor to value creation.

10. The risk culture is defined and enshrined to give managers and employees the requisite freedom of maneuver to deliver long-term growth and value.

The report points out that by following a holistic approach, companies not only avoid losses but, more important, increase shareholder value. Having a good understanding of risks can allow senior management to select the right balance between risk and reward which is fundamental to value creation and profitable growth.

Conclusion

Recent events have created a lack of confidence in corporate America. This is not something that will be regained overnight. Many investors have seen their savings and retirement funds erode significantly over the past two years. Companies will need to implement a variety of strategic and operational initiatives to assure the public that the worst is over and it will not occur again. One of the most important confidence building strategies will be enterprise risk management. As PwC has noted, companies can either be proactive or be forced to adopt an enterprise approach to risk management. But one thing is certain, "ignoring it is no longer
an option." *

The author

Michael J. Moody, MBA, ARM, is managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.