On March 25, 2009, Compliance Week and Deloitte hosted an exclusive editorial roundtable, “Risk Intelligence in a Down Economy.” A top concern among the 17 executives who appeared at the forum, held at the New York Academy of Sciences in NYC, was how to ensure that tools and strategies already in place will be able to keep pace with the changes taking place in a failed economy. Moderated by CW Editor-in-Chief Matt Kelly, and featuring Henry Ristuccia, U.S. leader of Deloitte’s governance and risk management practice, and Mike Fuchs, principal at Deloitte, the roundtable encouraged panelists to discuss risk-management challenges and solutions. The following article provides readers with an in-depth look at their discussion.
Given the economic and political climate these days, it’s little wonder that corporations want to manage their risks more intelligently. But at a recent roundtable to discuss the challenge, one principal question emerged: Why can’t companies ever get a grip on this stuff?
“Why does history keep repeating itself?” asked one executive at the roundtable, which was sponsored by Compliance Week and Deloitte. He noted that a rogue employee flouting the rules caused the collapse of Barings Bank in 1995—and that another rogue trader almost caused Société Générale to collapse in 2007. “Are we as risk managers learning and applying the lessons from those events?”
They are trying, at least. Compliance Week and Deloitte gathered 17 compliance and risk executives to talk about the challenges of building a more risk-intelligent enterprise, especially in today’s difficult economic times. One of the most daunting tasks, many said, was simply keeping pace with the new risks that emerge all the time. They worried that the tools, strategies, and processes they have historically used to measure risk simply aren’t up to the task anymore.
Another common theme was the belief that companies must have a better understanding of the big picture on risk to avoid repeating past mistakes. One idea floated was a “post-mortem review” of past accounting and fraud scandals—Barings, Société, Enron, Ahold, Siemens; take your pick—to dissect the specific failures that let them occur.
One participant suggested that risk managers ask whether their own compliance programs would have prevented such scandals, or at least identified and responded to the red flags that arose along the way. “If your answer is anything short of yes,” he said, “you will be left with a pretty good roadmap of where you need to focus from a programmatic perspective.”
A major issue for many corporations is that risk assessment efforts are “still largely siloed” across various business functions, says Michael Marotta, manager of governance, risk management and compliance at Crane & Co. That means the knowledge does exist in the company as a whole, he says, but the problem is to get people “to work together, to address the immediate and long-term issues facing their organizations.”
One participant said her organization is focusing on how to enhance its existing risk assessment processes without adding a lot of infrastructure, since she doesn’t have the extra budget dollars to do so. To that end, her company is working to improve the sharing of information across departments, better documentation, and greater attention to the power of controls and systems.
Jamie Stern, deputy general counsel for regulatory and compliance at ING Insurance, said one of her biggest challenges is staying abreast of the shifting regulatory framework. “Enormous changes may be in the offing,” she says. ING is wondering how to prepare for those changes, she says, and how to develop best practices with an eye toward what 51 state and federal regulators may eventually enact.
Compliance and risk executives also want to keep “pushing out” responsibility for various risks to the business units and executives who actually work in the area where that risk exists. “Getting people to understand that although I’m focused on the company’s risks, I’m not necessarily the risk owner” has been a challenge, said Donald Floyd, chief audit executive at Polycom.
Likewise, Bill Stiehl, vice president of internal audit at Goodrich, said he must constantly work to obtain consistent participation in the enterprise risk management process by Goodrich’s strategic business units.
“We have some business units with highly developed ERM processes. Others, because of resource constraints, are just beginning the journey,” Stiehl said. Consequently, there are “varying degrees of support and follow-through to the process.”
Stiehl said his firm is attempting to “migrate ERM to more of a systematic, living process and less of an annual review.”
Setting Risk Priorities
Henry Ristuccia, U.S. leader of Deloitte’s governance and risk management practice, said senior management and the board must “boil down to the organization’s ‘master list’ of risks.”
Ristuccia also advocated that companies “connect your key risks to your strategy.” What does that mean? Examine the risk factors disclosed in the annual 10-K report, and figure out how all of the company’s programs relate to those risk disclosures. It is, he said, a “one size fits one” exercise.
Mike Fuchs, a principal in Deloitte’s human capital practice, said effective risk management also requires a strategic partnership between the formal corporate monitoring functions and the business leaders in the field dealing with these risks on a daily basis.
“It would seem that there’s a burning issue around risk right now—that everyone has seen the light and understands the importance of effectively evaluating risk when making key business decisions,” Fuchs said.
But, he quickly warned, “It may not take long before people take their eye off the ball and lower their standards on what it means to have an effective risk-management function and culture.”
Participants at the roundtable also shared some of the strategies their organizations have implemented to get a better handle on their risks.
At PepsiCo, for example, a chief risk officer oversees the process, but the risks are owned by individuals, according to General Auditor Robert Mac Kay. The chief executives of the divisions and corporate functions have been designated as the risk owners. They report to the chairman and CEO, and they’re accountable to the board for their risks.
James Wilson, left, associate counsel at Verizon, and Frank Fiorille, right, head of ERM at Paychex, listen to the discussion.
Alfred Rosa, manager of compliance programs at General Electric, speaks. At left is Susan Tritinger, head of internal audit at Lockheed.
At ING, Stern said, risk is overseen by a member of the executive board and is evaluated in quarterly reports by business-line managers. Those reports are consolidated into regional reports, which are then consolidated on an enterprise basis, where the most systemic risks are captured.
There’s also a financial component, “a points system” to evaluate the controls in place and how well they’re working, Stern said. Business capital requirements differ depending on how well the risk environment is controlled; as a result, she said, business units also have a financial incentive to manage risks carefully.
Regardless of how companies structure their risk-management efforts, panelists agreed that business owners must be involved. “Otherwise you’ll never get the buy-in you need to get traction,” Marotta said.
Several participants also stressed the need to focus on the really big picture. “Get rid of the noise, set the heat maps aside, and step back to look at things from 100,000 feet,” Marotta said.
Stern added that the IT department’s participation is crucial when you’re building your list of top risks. “If you ask the right questions, IT is an enormously important partner in identifying and controlling risk,” she said.