When it comes to taking responsibility to ensure a corporation is adequately addressing risk, it can be a political football. So who, indeed, inside a corporation, has the ball?
Since the financial meltdown caused by inadequate underwriting standards and the Deepwater Horizon Gulf oil spill, an overall emphasis has been on analyzing corporate risk. Congress required banks to hold more capital with the Dodd-Frank legislation; the SEC started requiring companies to reveal in proxy statements how they were dealing with risk; and a new industry of risk analysis has cropped up.
Various surveys show that risk governance is all over the board.
"Companies spend more than 7% of their revenue on these activities, and they don't work together with any degree of holistic behavior," says Jim Blair, who operates Integrated Risk Management Solutions. "Risk gets pushed down in the organization to functional folks, typically insurance and claims."
Some companies are trying to shield their C-suite managers from risk responsibility, such as by making the chief risk officer responsible for all corporate risks, Blair says. Pushing down responsibility for enterprise risk management ultimately won't work, says David Young, senior vice president at Willis, which markets insurance to large corporations, including directors' and officers' liability.
"Ignorance has never been a defense of the law. You should have known," Young says.
The Deepwater Horizon well spill and ensuing fallout was startling to Young's industry, he says.
"There was a lot of head shaking going on that one valve on one platform could theoretically take down one of the top five companies in the world," Young says. "That was one wake-up call."
Corporations target the wrong risks
There's another problem at work here. In Hein & Associates enterprise risk management engagements, the accounting and advisory firm has found that high-risk issues generally fall into the strategic or operational categories at least 90% of the time. Meanwhile, financial issues account for 10% or less of the high-risk issues.
This finding is especially interesting when looking at where risk responsibility is assigned in companies today. In many instances, risk governance responsibility is given to the audit committee, a team that tends to be financially oriented. However, if 90% of the high-risk issues tend to be strategic or operational in nature, it appears the primary responsibility for risk governance needs to be re-examined.
In public companies, it is common to find that risk management functions are located within the CFO's circle, whether with internal audit departments, risk managers with responsibility for insurance coverage, treasury personnel or even the CFO himself. However, risk responsibility may also lie with the audit committee or at the full board level.
Establishing a risk management system
So who is responsible for risk? The board of directors? The CEO and management team? Appoint a chief risk officer or outside consultant? The corporate attorney? The answer is all of the above.
There must be an unmistakable linkage between strategies, operations and the underlying risks inherent in achieving them. Then, assessing who is responsible for thinking about the potential impacts, timeliness and likelihood of related risks should be a priority in assigning the risk responsibilities.
Overall, a holistic and disciplined risk governance and risk management system is the best approach in today's global environment. In contrast to the nature of financial audits, it should be forward-looking and anticipatory in nature rather than backward-looking and historical.
At the management level, the CEO and his C-level team should assign "risk champions" for each major functional area of the business, including sales, marketing, operations, HR, IT, legal/regulatory and the financial departments. These champions can be charged with assessing risk both in their individual functional areas and as a cross-functional team, debating the top-10 critical risks across the entire organization.
This initial assessment of the top 10 should include recommended action plans to mitigate the risks, bringing each within the risk appetite that the board of directors has established as acceptable. The risk champions should present their top 10 critical risks to the CEO and his C-level team, and then the same presentation should be made to the full board of directors as well as the audit committee.
On a quarterly basis, the cross-functional risk champions should repeat the process and review the progress of the action plans, taking into account any changes in the risk profile for their respective area and for the overall top-10 critical risks. This process should be read out to the CEO and the C-level team, and then to the board.
Implementing some form of a risk champions process in a disciplined and rigorous manner can lessen the impact of surprises in the company's daily operations. Pursuit of its strategies can be smoothed over time, resulting in a more proactive and less reactive operating environment. Ultimately, the long-term value and sustainability of the organization will be greatly improved with a well-thought-out and implemented risk management plan. Many managers regard this as hated bureaucracy, but as the former risk manager Blair puts it, "Risk equals cash. If companies don't manage risk well, they spend cash."
About the author
Ernie Sampias is a business advisory service director with Hein & Associates, a full-service public accounting and advisory firm with offices in Denver, Houston, Dallas and Orange County, Calif. He has more than 25 years of financial management experience and over seven years as an audit committee chairman and designated financial expert for a board of directors. Sampias specializes in assessing risk and developing action plans on both strategic and operational levels to improve growth. He can be reached at [email protected] or 303-298-9600.