
Enterprise Risk Management

Pressure from the board

Risk management has become core area of business management

By Michael J. Moody, MBA, ARM


Risk management has been front and center in recent years as corporations struggle to reduce their overall business risks. And a recent survey from The Economist Intelligence Unit provides additional evidence that further pressure will be the order of the day for the foreseeable future.

The survey of international risk managers indicates that corporate stakeholders are demanding improvements in risk management. The survey also notes that the board is seen as the most important internal driver for strengthening risk management. Further, the primary external drivers are the demands of regulators and investors.

One of the most important findings of the study is that the risk management function has evolved over the past few years to become a core area of business management. And while it is driven by the board, it has now become embedded at every level of the organization. Today, according to the survey results, firms of all sizes, in all parts of the world are planning to increase their investment in risk management over the coming years. These findings suggest that the holistic approach to risk management known as enterprise risk management (ERM), although evolving rapidly, will continue to expand and deepen its reach within most organizations.

Board concerns

Today, corporate boards of directors can be expected to ask their management a variety of risk-related questions. Among their key concerns, according to Rick Julien, executive specializing in risk management with Crowe Chizek and Company (Crowe), is, “How is the enterprise thinking about what risks are important?” Further, he says, they want specifics on, “How are they managing the process of dealing with risks, as well as what strategies they have just put into place to handle risks?” As a result of questions like these, corporations are turning to consulting firms like Crowe, a member of the international accountancy firm Horwath International Association, to assist them in the journey towards ERM.

Julien notes that board members are getting bombarded with enterprise risk management. He says: “They are reading about it in their business publications, hearing about it at their seminars and conferences, as well as in their corporate board training sessions.” As a result, Julien points out, “They all want to know what their corporations are doing about ERM.” He says that while historically risk management has been an insurance function, “today it has become a much broader application.” Insurance is certainly one component of ERM, but now it must take a much broader view.

Building on the past

While the ERM concept has been around for more than 10 years, Julien says, it is just beginning to get serious attention. He points out that “10 years ago, ERM represented such a big change that most corporations were not ready to deal with it.” However, since that time, a number of highly visible financial accounting mishaps have occurred and as a result, a number of new legislative and regulatory efforts have been passed. Most notable was the Sarbanes-Oxley Act of 2002 (SOX). Julien says that it was SOX that greatly increased the interest level in ERM. This is primarily due to the fact that “SOX requires public companies to understand and document their internal controls with regard to finance and accounting recordkeeping.”

However, Julien also points out, “SOX only deals with a very small subset of the entire business risk universe.” He goes on to say that, “Obviously, this is where all the attention and heat have been, but it is still a pretty small area.” Most public companies soon found that there were a number of structural and organizational issues that needed to be put in place before they could effectively meet their SOX requirements.

But what they found, Julien notes, was that they could use much of this same structure and organization and apply it to risk management. He points out that this was one way for organizations to leverage their investment in SOX compliance. They realized that they could simply broaden the focus of their effort and it would have an incremental effect to encompass ERM.

And while SOX was certainly the catalyst that got organizations thinking about ERM, Julien says it was new regulations at the New York Stock Exchange (NYSE) that really got boards’ attention. The new regulations stated that the audit committees, which are typically made up of board members, needed to know how their companies managed risks. He says that for many firms, this drove a lot of interest in ERM. Board members now know that their personal reputations and their financial health are tied to the financial health of the organizations they oversee. Obviously they are justifiably concerned.

A change in thinking

Julien notes that while both SOX and the NYSE regulations required corporations to look more closely at their risk management programs, the resulting changes at corporations went deeper than simply following what was mandated. He says that in order to comply with the new regulations, “it would require change management.” To a large extent, “people were forced to accept SOX.” But it showed the willingness of people to accept change. And, he states, while initially this was confined to financial statement issues, many organizations began to take the momentum that they had gained and began to expand it to all business risks.

As a result of the basic compliance requirements imposed by SOX and the NYSE, organizations are coming to grips with ERM. Corporations have found that ERM is not as easy to implement as SOX. Julien points out that ERM is really more of a journey than SOX, typically a multi-year journey. There is no real roadmap to follow. As a result, ERM is evolving at corporations in a number of different ways.

But ERM is moving forward. Julien says that for most companies, “the journey is progressing.” He indicates that more and more organizations are “seeking to understand ERM and are moving forward with risk assessments.” They are also raising awareness within their companies and developing action steps for implementation. But, he says, “It should be noted that some companies are doing this without calling it ERM.”

Looking for help

Some organizations still lack the focus to make the leap to ERM. But many of those companies are trying to find help. Julien says that Crowe is frequently asked by clients to assist them in their efforts to come to grips with ERM. Most realize that, at this point, there is a competitive advantage to be gained by implementing an ERM process in their business.

For most organizations it is not like starting from a standing stop. But rather, Julien says, “Organizations should take advantage of the many good things that they are already doing in various areas of their company to promote good risk management.” Many times, he says, “If those efforts could be organized in a manner that complements and increases their efficiency, it should reduce the overall cost of risk.” In addition, “it would give the organization a strategic advantage by understanding and managing its risks better than its competitors.”

He points out that ERM is really a big shift in an organization’s view of risk management. “It is not about saying ‘no.’” The common view, which ties risk to insurance, needs to be modified, he says. With regard to the more holistic view of risk management and ERM, “Nothing we ever talk about says ‘no’ or about stopping people from doing their jobs.” He goes on to say, “ERM is just putting some structure and formalization around good management.”

At the end of the day, “it puts accountability and discipline into the management process.” And this is important, Julien says, since many times in organizations that had to comply with SOX, the chief financial officer believed that they had the process in place only to discover that “when they actually looked, they did not have the controls they thought they had, or they were not being executed as they believed.”

Conclusion

Crowe’s Rick Julien notes, “The interest in ERM by the board of directors continues to grow each day, and directors are making inquiries of their company’s management as to what actions have been taken with regard to ERM.” And, while ERM has become a core area of business management, it has now become embedded at every level of the organization. Julien also notes, “Risk management has become embedded in other management activities, most notably strategic management and project management.”

While the company boards have shown an increasing interest in ERM, management, according to Julien, does not want to create a new “flavor of the month” approach or add new layers of bureaucracy. Accordingly, companies will attempt to implement ERM in the most cost-effective manner, by taking advantage of what they have learned from their prior SOX compliance efforts.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

 
 

“They [board members] all want to know what their corporations are doing about ERM.”

— Rick Julien, executive specializing in risk management with Crowe Chizek and Company

 

 
 
 
 
 
 
 
 

 
