Shareholders in a 75-year-old investment bank become nervous and begin to flee, causing the bank’s stock price to plummet from $100 to $2 in one month. A surgeon at a hospital in Minneapolis removes a patient’s healthy kidney rather than the cancerous one. A 20-story crane collapses at a New York construction site and kills seven people.
Sometimes it looks as though the world of business is an accident waiting to happen. To help monitor and manage such risk, companies are becoming more creative about setting up management-level risk and compliance committees.
The structure, composition, and methods of these committees vary widely by industry and by company, says Mark Beasley, professor of enterprise risk management at North Carolina State University. But several questions always loom large: How does information flow across the committees and up to senior management? Who is the risk monitoring “champion” at the senior management level? Is someone accountable for the entire process to ensure a consistent approach to risk?
“If management has a risk committee, what they’re really trying to do is to provide a process to manage risk at a high level, an enterprise level, where the major risk exposure should be bubbling up,” Beasley says. “Are they really looking at the big stuff?”
To get a complete look at their risks and compliance issues, Stanford Hospital & Clinics in California not only has a compliance committee that meets every other month, but also a separate set of committees called risk-management alliances, which monitor the world of uncertainty from a whole different perspective.
“The alliances are a new breed of committee,” says Jeff Driver, chief risk officer and director of risk management at Stanford Hospital & Clinics. “The compliance committee is asking, ‘What keeps us up at night—what could happen?’ The alliances ask, ‘What has happened here, and how do we make sure it doesn’t happen again?’”
“I’m a strong believer in the fact that the most effective risk management occurs when there is integrated decision making.”
— Mary Tuuk,
The two types of risk-monitoring groups are comprised of different but overlapping sets of managers. They operate under different charters, and they draw information from different sources.
The compliance committee, which includes the COO, CIO, compliance officer, chief risk officer, vice president of facilities, director of nursing, and a representative from the general counsel’s office, reports to the audit committee of the board of directors. It works from an annual enterprise-wide risk assessment, tapping into all corners of the operation to learn about the concerns of management and staff. Of 100 or so issues that bubble up, the committee votes on about 10 of the most important and then assigns responsibility for tracking them to managers.
The alliances include the hospital COO, CFO, chief of staff, department chiefs, director of nursing, physicians, faculty members, and some members of the captive insurance company’s board. Their charter flows from the board of directors of the medical center’s captive insurance company (essentially, the hospital’s own insurance subsidiary), and the work is based on documented financial losses. The alliances meet quarterly to examine patterns and trends, drawing their information from the claims database, and they focus on risk financing, claims management, litigation, and loss control.
“The alliances are hardcore data-driven. It’s very strategy-oriented,” Driver says.
Driver characterizes the two committee structures as silos with bridges connecting them—he being one of the bridges. The two groups sometimes address similar issues, but they approach them differently. For example, issues related to health information management have cropped up in both the data used by the risk alliances and the annual risk assessment used by the compliance committee. The compliance committee looks at it from a regulatory standpoint, while the alliance looks at it from the perspective of financial loss.
Bridging the work of risk and compliance committees within a large organization is critical, because risk in one area can affect risk in another area, Beasley says. “The problem with a lot of entities is they manage risk in silos and never connect dots,” he explains. “Risks are connected, particularly in today’s global world.”
Speed of Response
Also important to effective risk management is a committee’s ability to work in an agile fashion and respond quickly to evolving needs. Beasley adds: “In a lot of businesses, risk can change minute by minute. Depending on what line of business I’m in, my risk can change in seconds.”
Financial services firm Fifth Third Bancorp, based in Cincinnati, boasts a highly nimble and transparent risk and compliance committee operation. That is particularly important because seven different management committees report to the board’s own risk and compliance committee, according to Mary Tuuk, executive vice president and chief risk officer at the firm.
Each committee has a formal charter describing who the voting members are, how often they meet, and their primary purpose and function. The most notable of the committees is the corporate credit committee, which meets twice a month and is co-chaired by Tuuk and the company’s CFO. Two of the other most significant committees are the executive asset and liability committee and the operational risk committee.
“We try to make sure that each committee has a very specific purpose, but there will always be some overlap among the committees,” she says, noting that the financial services business is facing lots of challenges stemming from the sub-prime lending crisis. “A lot of the topics are very volatile topics in the industry, so you will find a little bit of overlap of subject matter.”
Fifth Third strives to ensure that transparency in decision making and information flow are of primary importance in risk management, Tuuk says. She and the CFO sit in on multiple committees, ensuring that decisions are not made in isolation.
“Often times if there are gaps in risk management, it’s because the left arm of the organization didn’t know what the right arm was doing,” she says. “I’m a strong believer in the fact that the most effective risk management occurs when there is integrated decision making.”
Depending on the nature of the business and the particular risks it faces, a company brings together individuals with different expertise in their risk and compliance committees. One expertise that companies should include more often is someone from the IT department, since IT now permeates practically every aspect of modern business, says Michael McMillan, president and CEO of CynergisTek, which provides compliance, IT audit, and security management services.
“Most risk-management committees don’t have anybody on them from an IT perspective, which I find interesting,” McMillan says. He contends that companies often spend large sums on technology, but relatively little on protecting it. “The problem with risk in most organizations is that if nothing bad has happened in a while, the feeling is that there’s nothing bad out there.”
Ethics is another area of risk that can benefit from a management-level committee, says Marjorie Doyle, a former chief ethics and compliance officer at Vetco International and DuPont, and now a practice leader at LRN, an ethics software business. Such a committee can be effective not only in providing advice and approval for codes of conduct and policies, but also in helping embed the ethics program in the business, she says.
Global companies, in particular, can benefit from such high-level committees because regional customs, such as gift-giving traditions, may not always agree with policies at the main office. The management committee can demonstrate the importance of the risk management program by calling in business units to report on their own progress, Doyle says.
Doyle cautions, however, that while committees are beneficial in helping monitor risks and compliance issues, individuals are ultimately responsible for getting things done.
“You can’t run a program by committee,” she says. “It’s like anything in management. They’re there to make sure they know what’s going on and to help out if there are any barriers.”