RIMS - Magazines
Vol. 55 - Issue: September 01, 2008

Connecting the Dots

by Lisa Hauser

Enron marked the start of a new era for American corporations, a time in which regulators, managers, directors and the public more heavily scrutinize business. As a result, companies continue to appear in newspaper headlines for all the wrong reasons. Mattel lost public confidence when its children's toys were found to contain lead. The mortgage industry is reeling from the collapse of the subprime market. Food producers suffer the burdens of recalls, E. coli and salmonella.

Companies now talk about "risk" ad nauseam, so why are we still seeing all these problems? Businesses currently look at risk in a variety of ways: Sarbanes-Oxley (SOX) mandates financial controls, enterprise risk management (ERM) gauges companywide risks, internal audit oversees financial and operational controls, and the emerging field of governance, risk and compliance (GRC) tries to converge all those elements. Unfortunately, in many instances, the right hand may not know what the left hand is doing.

Do companies really understand their risks holistically or are they simply checking boxes for compliance? Are their boards ever actually thinking about the risk management efforts happening elsewhere in the organization?

It is easy to see that SOX, ERM and GRC, while all steps in the right direction, are not individually sufficient to protect companies and their shareholders. Unfortunately, many companies spend a lot of money on compliance implementation without ever looking at their overall risk from a broad perspective that incorporates the cause and effect of operational risk.

This failure to connect the dots in the company's risk management plans can be both costly and disastrous. If a modern business wants to truly succeed in this ever-changing market, it must be able to pull the pieces together into one complete plan.


The Enron and WorldCom scandals alerted businesses to the fact that they were not taking corporate fraud seriously enough. Thus, SOX regulations and most internal audit departments are now focused on spotting financial risks and evaluating the balance sheet. Obviously, that is an important factor in risk management, especially in today's economy. But one cannot help but wonder whether organizations are looking at the right things because, despite a lot of time, effort and strict regulatory enforcement, financial statement fraud remains a significant issue.

While the fraud in the Enron case was huge, fraud itself does not pose the only, or even the largest, bottom-line risk to most companies. What about those risks that do not have a quantifiably large number in a SOX assessment but seriously jeopardize shareholder value nonetheless?

While it is true that external auditors require companies to prove compliance with SOX, companies could do so much more with the framework of comprehensive risk management. 

Instead of just over-engineering their fraud prevention plans, companies that take risk management seriously and draw from the benefits of SOX while also looking at broader enterprise and operational risks will fare better during uncertain times than those who are only looking to check the boxes.

Standard & Poor's (S&P) recent announcement proposing to introduce ERM analysis into corporate credit ratings also shows that a disjointed approach to risk management will no longer go unnoticed. For several years now, ERM has been a component in many rating agencies' evaluations of financial institutions, but soon, we will see similar scrutiny of other industries as well.

Unless corporations are careful to think about ongoing risk mitigation efforts in a collaborative fashion, the mandated ERM requirement could become yet another part of a puzzle that does not quite fit together. In the past, people have thought of ERM in isolation from SOX and internal audit, and resources have been wasted by undertaking these initiatives in a noncollaborative fashion. Will this become yet another compliance exercise and not a way for executives to really understand their key exposures? 

Many companies are already operating past capacity. Audit committees and boards are always calling for companies to be better prepared. Now with S&P considering adding yet another requirement, you may think "Another initiative? We don't know how much more we can take." 

Any company could become overwhelmed when first faced with the idea of coordinating risk mitigation efforts, and the instinct may be to hire yet another consultant to put together another report that attempts to tie together existing plans. Simply adding one more layer on top of existing plans really defeats the purpose of a cross-organizational approach, however. 

While it may seem like a new idea, creating a holistic risk management plan does not have to be overwhelming. There are elements already existing within most companies that you can leverage into a workable plan. Consider that you probably already have 80% of the components you need. Stop, take a breather, and figure out what you already have in place by taking inventory of the different initiatives already happening. Sometimes in bigger companies, there are more initiatives underway than people even realize. 

Next, since almost all risk initiatives started with some form of a risk assessment, why not share results across the organization to ensure everyone within the organization is using a common framework? If the common controls are clearly understood, it will avoid duplication and unnecessary extra work. Finally, work together to define clear outcomes and actions, taking into account the enterprise as a whole.

Most companies are already considering some risk factors and taking steps to mitigate them. So why is that not good enough? If the SOX team addresses financial risk, the ERM team reviews operational risk and insurance protects against disasters, it would seem that all bases are covered. This line of thinking can leave a good company vulnerable to extra costs, lost productivity and unforeseen multi-faceted risk. Risk mitigation teams in each company must work collaboratively to achieve the best possible risk protection at the lowest cost. 

Instead of thinking about holistic risk management as just another requirement to be checked off the corporate to-do list, stop to consider whether these different initiatives are really being implemented for the maximum benefit of the company. Since the boxes have to be checked anyway, try raising the standard by which you judge your company's risk management plan to get some real use from it. Since companies must make the costly effort to comply with SOX and perhaps S&P's ERM requirements anyway, it makes sense to tie those efforts together into one cohesive plan. By gathering people who are already thinking about risk management in all the different ways it affects your company, you will save money, time and effort. Most importantly, if everyone is on the same page about risk, the company will be better prepared.

At this point, you may be thinking, "This is all old news. Of course we face many risks. And of course we have plans in place and, most importantly, we buy insurance. We're fine." Unfortunately, insurance policies lull many companies into a false sense of security. If the unthinkable happens and catastrophic risk strikes, the company will receive a check in the mail. All will be well; problem solved. Or is it?

Imagine if your house burned down. Sure, your homeowner's insurance would send you a settlement to cover the cost of rebuilding and refurnishing. In the meantime, however, you would have lost all of your photos, your perfectly organized kitchen, the well-worn sweatshirt from your alma mater and your child's favorite stuffed rhinoceros. Your family might even have a hard time sleeping for, say, the next two years. Suddenly the insurance check seems vastly inadequate for such tremendous, intangible losses.

Similarly, if a plant goes down, a company will lose much more than the inventory that goes unproduced. Employees may leave, customers may find solutions elsewhere, and an insurance payout will not erase the loss of goodwill that is sure to follow. A far better solution would be to prioritize prevention so that the insurance event never occurs in the first place, or at least so that its impact is minimized.

Traditionally, operational risks are documented and tested by the internal audit department, which focuses on the controls designed and implemented at the detail level to ensure transactions are processed completely and accurately.

Most organizations also have a regulatory compliance group to manage compliance risks (e.g., anti-money laundering, privacy). In both internal audit and compliance, companies traditionally have separate functions in each country.

In many worldwide companies, internal audit departments operate autonomously from their global head offices, with local reporting lines in each country. Each country creates its annual internal audit plan based on the specific risks identified at its locations.

In addition to integrating all operational risk management groups, there is a shift toward creating annual audit plans based on a process rather than a location. The process plan recognizes that many companies have now spread key elements of their processes across departments and country borders. To best identify risks and controls, an integrated end-to-end process review is more efficient and effective. Many risks arise at the handoffs between departments and may be missed when those departments are audited as discrete units.

For processes that are located in multiple locations (e.g., procure-to-pay), a coordinated review of all locations will help identify areas where enhanced consistency may improve operational effectiveness.

To improve efficiency and effectiveness, operational risk management activities should be strategically integrated across international locations, as mitigation of operational and financial risk becomes more process-oriented than location-oriented. A single operational audit plan also allows for rapid adjustments, which are often needed to address rapidly changing risks.

The existing operational risk program has resulted in significant inefficiencies and missed opportunities to improve audit and organizational effectiveness.


Holistic integration starts with creating one organizational entity and developing a consolidated operational risk audit plan. By consolidating into a single group, the focus shifts to helping the organization meet its overall business objectives, not just those within a single location or discipline (e.g., compliance at the UK subsidiary). Multinational companies are moving toward a single operational risk management plan covering both domestic and international locations. This eliminates the duplication of effort that often occurs when internal audit, compliance and Sarbanes-Oxley teams each review the same process as part of their separate efforts to assess and manage their particular risks.

With one organizational entity, management is also able to resolve issues in a more timely manner. Currently, management may receive three or four separate reports from the different operational risk groups related to the same department. For example, in one organization, the payroll process was audited three times in one year: once for SOX purposes, once by internal audit and once by the regulatory compliance group. While the reviews had different overall objectives, many similar controls were tested three times. Creating one consolidated report will also ensure that changes to controls to mitigate a risk in one area do not cause a weakness in another.

The new head of operational risk should report to the audit committee with a dotted-line report to a senior executive, preferably the CEO. Similar to the existing internal audit and regulatory compliance groups, the new entity must maintain its objectivity and independence from the operations of the company.

Companies that take the time to put together a more complete risk management plan may find unanticipated benefits. For example, will insurers be more willing to offer lower premiums on directors and officers insurance if a company can prove it is managing risk effectively? Less risk for the insurance company should equal more dollars saved in insurance premiums. 

Further, risk managers have a lot of knowledge about the company, but unfortunately they are not always involved in examining the bigger risk management picture. While some industries tend to employ a chief risk officer, there is still a long way to go before the risk manager function is universally elevated to a position beyond buying insurance. When was the last time your risk manager really understood what was going on in the internal audit department or with the SOX initiative? The risk management function should be the glue that sticks everything together, and companies that have a complete risk management plan should find that their risk manager takes on a more central role.

As simple as it is to create another taskforce or committee to address risk, a well thought-out, collaborative risk plan will be easier to create and far superior to use if the effort is coordinated. No one within the company is immune from thinking about risks in a holistic manner. Managers, employees, directors, consultants, accountants, board members and every other person preparing for future risks can question whether the company is operating most efficiently and effectively. 

When you can sit back and honestly say, "We've done the best that we can," your company will be better prepared to face the risks in today's business world and less likely to be the headline in tomorrow's newspaper because the dots are truly connected.


Lisa Hauser is a partner in the Minneapolis office of Virchow, Krause & Company, LLP, where she is the partner-in-charge of the risk services practice group. She specializes in business and IT risk management solutions and services.
Risk and Insurance Management Society (RIMS) · 1065 Avenue of the Americas · 13th Floor · New York, NY 10018 · Phone:(212)286-9292

© Copyright 2010 Risk and Insurance Management Society, Inc.