Successful ERM Must Go Beyond Financial Risks

f you only consider “risks” to be those of the financial type, you are only confronting the most easily identifiable of threats—and you’re missing many more risks that should be addressed, according to a panel of risk-management experts at Compliance Week 2007.

RELATED RESOURCES Return To The Conference Updates Page At CW ’07 Schedule Of Sessions At Compliance Week 2007 List Of Keynotes, Speakers And Panelists Presentations Click Here To Download Conference Presentations

“Our risk management process would be lacking if it were just financial,” said Sal Mancuso, director of compliance and integrity at Philip Morris USA. Likewise, Lynn Fountain, vice president risk assessment and audit at Aquila, said her company first had 50 top risks that were mostly financial. “Then you realize there is just more there,” she said.

When Richard Cellini, of compliance software firm Integrity Interactive, listed his top items that should concern a company’s compliance or ERM department, financial integrity was certainly there. But corporate integrity was at the top, and privacy, the environment, employee interests, recordkeeping, and anti-trust issues also ranked high.

Indeed, some on the panel not only said that financial risk was a small part of their job, but also noted that ultimately financial risk is not that difficult to manage. “Financial risk is a subset. And it is the most easily controlled,” said David Frishkorn, director of business ethics and compliance office, Xerox.

Cellini, however, added that just because non-financial risks are not so number-centric, that doesn’t mean they are resistant to rational and consistent analysis. He argued that they too can be charted, graphed, and otherwise used to offer a clear picture of the company’s health.

“How do you manage reputational risk?” he asked. “You just do it. It can be measured.”

The panel included one company that had faced accounting scandals (Xerox), another that had questions raised about its accounting (Aquila, although an internal investigation found all concerns to be unsupported), and two companies that are in industries that face persistent public image issues (Philip Morris and Eli Lilly). These companies had learned the value of good risk management early on and had established robust ERM systems. Some argued that the troubles helped them to get their compliance programs in order.

“We had the benefit of having an accounting scandal before SOX and Enron,” Frishkorn said.

As to the exact style of ERM that works best, the panel was split. Some suggested that having a single “owner” should be avoided, and the responsibility for ERM must be shared. Others said that responsibility for the success of the program must be placed on the shoulders of one individual.

“The surest was to kill a dog is to have two people feeding it,” said Pamela Hrubey, director of global compliance and ethics programs, Eli Lilly.

But all seemed to agree that the use of the right technology was important. Heads nodded in agreement when the software maker Cymfony was mentioned. This platform monitors the press, blogs and, if required, internal e-mails, to measure a company’s reputation. Panel members said that this kind of system enables a company to see in real time how it is viewed by the public and by its staff. And it offers precise measurement of what was once primarily a matter of opinion.