
Shop Talk: Integrating Compliance With ERM

Jaclyn Jaeger | January 10, 2012

Ever more companies like the idea of enterprise-wide risk management, amid fears of harsh enforcement penalties from regulators and a greater desire to push responsibility for risk management out to operating business units. The good news: Compliance executives are getting a seat at the table as companies plan their moves to ERM.


The following executives participated in the Dec. 7 roundtable on how to move a compliance program into enterprise risk management.

Mitch Avnet,
SVP and Chief Ethics & Compliance Officer,
Lincoln Financial Group

Bret Bissey,
SVP, Chief Ethics & Compliance Officer,
University of Medicine & Dentistry of New Jersey

Kathleen Dimmick,
VP Internal Audit,
Maidenform Inc.

Dan Dorsky,
Senior Compliance Counsel-FCPA,
Tyco International

Frank Fiorille,
Director of Enterprise Risk Management,
Paychex
Neil Frieser,
VP, Internal Audit,
Frontier Communications Corp.

Greg Hahn,
Crowe Horwath

Louay Khatib,
Chief Compliance Officer,
Aramark
Edward Kowalcyk,
Managing Director, Regional Head of Compliance, Americas,
Standard Chartered Bank

Donna Passal,
VP, Internal Audit,
Children's Place Retail Stores

John Rivera,
Senior Manager, Risk Assurance,
Pearson
Ari Roy,
Global Head of Enterprise Risk Management,
Nokia Mobile Financial Services

Bill Watts,
Partner and Leader of Internal Audit Services,
Crowe Horwath

The bad news: Those plans are still tricky to create and difficult to implement.

To hash out what has worked well for Corporate America so far, Compliance Week and Crowe Horwath recently hosted a dozen compliance, risk, and audit professionals in New York for an executive roundtable on the subject. “Companies are finding more opportunities to get ahead of risk and to become more strategic about managing it,” said Bill Watts, partner and leader of internal audit services at Crowe and co-host of the forum.

The idea of ERM is to let the company take the initiative in addressing risk. Rather than waiting for risks to arise and then reacting, companies are getting better at identifying and assessing risks, and then monitoring and managing them. “Companies that spend time understanding, managing, and navigating risk—from a business-unit level to an enterprise-wide view—benefit from critical insights into risk that influence sound strategic decision making,” Watts said.

Many participants agreed that, where compliance once was viewed as something that had to be done to satisfy a regulatory requirement, “now people are starting to pay attention to it more as good strategy,” said Neil Frieser, vice president of internal audit at Frontier Communications.

Mitch Avnet, chief ethics and compliance officer for Lincoln Financial Group, quipped that compliance departments traditionally have been perceived as sitting at the kids' table. “Now we are at the big people's table, and management is very engaged in what we have to say,” he said.

But sitting at the big table brings new challenges. One of the biggest is getting senior management and department heads to articulate business strategy, attendees said. Once the business articulates its strategy, compliance will be in a better position to understand the risks and provide alternatives to the company's desired objective. “We have to be in the position to influence outcomes,” Avnet said. “That's the job.”

Many companies want to “do ERM” but don't know why, Watts warned. Is it driven by a regulatory action or a business catastrophe, or are the board and CEO driving ERM as a nice-to-have? Understanding why the company wants ERM “tends to really build that foundation,” Watts said.

Two other issues roundtable participants identified were developing a common language about risks within the company and standardizing risk-management processes. Many business units have pockets of compliance and risk assessment going on simultaneously, “but they're not talking to each other,” said Watts. As a result, those groups are tending to risks, yes, but they're assessing, measuring, and monitoring risk in different ways.

Effectively achieving ERM means having a fundamental foundation. “You have to have the same focus, measurements, language, and approach for ERM,” Watts said.

Influencing Outcomes

Another particularly daunting task for compliance and risk executives is challenging the assumptions of senior executives. In many cases, the chief executive officer is removed from day-to-day operations and may not be open to changing the way risk is managed across the organization. On the other extreme—and more commonly the case—the CEO and the board have bought the idea of enterprise risk management and are even demanding it, and resistance to change comes from lower down. “The CEO says, ‘Make it happen,' but he doesn't really understand what that encompasses or the resources that are needed to get it done,” one participant said.

An effective approach is gauging the “mood in the middle,” Avnet said. Developing strong relationships and an ongoing dialogue with management is essential to the success of a compliance program.

Unless you have your finger on the pulse of the organization, it will be very difficult to pinpoint and understand where the discrete pockets of risk may exist. “It's about getting your ducks in a row before you even step into the room with your CEO,” added Avnet.

Overall, compliance and risk officers today are expected to react less and take the initiative more, many attendees agreed. “It's about understanding what's around the corner, what are we not thinking about, what else is out there, and how you get at that,” said Louay Khatib, chief compliance officer of Aramark.

Donna Passal, vice president of internal audit at Children's Place Retail Stores, shared her thoughts with the other roundtable panelists.

More than just being proactive, compliance and risk executives are increasingly pressed to also bring value to the organization. The big question, said Frank Fiorille, director of enterprise risk management at Paychex, is: “How do you go from playing defense to offense? How do you not just mitigate risk, but enhance shareholder value?”

“It comes down to having people embedded in risk management functions that have a deep understanding of the businesses they support,” Avnet said. “This in turn enables risk management and compliance professionals to provide measurable value by guiding the business to make good risk decisions.”

That can be a daunting transition for compliance and risk professionals who are used to working mostly in their own domain, and some struggle to make it. It requires not only a change in the way compliance and audit functions think, but a change in the resources they bring to bear. Still, it doesn't have to be a major leap, Avnet said. In plenty of cases, the compliance and internal audit functions “have skill-sets that are not being leveraged,” he said.

Measuring Risk

Roundtable participants also discussed the key indicators they use to measure risk. For example, at Pearson, a U.K.-based education and media company, each operating group has a risk “register” that explains key risk areas, probability data, mitigation tasks, and velocity, a term that describes how quickly risks can create loss events, said John Rivera, senior manager of risk assurance for Pearson. Additionally, the company has several assurance groups that can be matched to the risks on the ERM statements.

At Paychex, heat maps are used to communicate the company's top risk areas. “We look at inherent risk, residual risk, velocity, and external factors and plot those,” Fiorille said.

Avnet recommended that companies find five to ten key risks that are repeatable and measurable, “because the last thing you want to do is present a key risk indicator where you have no confidence in your ability to provide analysis on a quarterly basis or however often you do it.”

Some attendees shared the frustration of having conversations about the growing threat of risks, and then being unable to expand the conversation above and beyond that. It's time to start moving the conversation away from “these risks are red and are going to continue to be red,” Avnet said.

Setting Risk Appetite

Setting and communicating the company's risk appetite also came up for conversation. What level of risk is the company willing to tolerate to ensure it meets its business strategy? “That's the challenge companies are faced with—making sure it's a strategy-driven approach,” Watts said.

“Now people are starting to pay attention to [compliance] more as good strategy,” said Neil Frieser, vice president of internal audit at Frontier Communications. On his right is Louay Khatib, Aramark's chief compliance officer.

Lincoln Financial Group CECO Mitch Avnet equated the traditional role of compliance to having sat at the kids' table at Thanksgiving. “Now we are at the big people's table,” he said. “Now we are in those conversations.” On his left is Nokia Mobile Financial Services' Ari Roy.

When assessing risk appetite, don't forget to consider how external relations—customers, competitors, and clients—may affect the business both financially and operationally. “You have to weigh those different factors,” Watts said.

Part of the challenge: Senior management does not want to spend money on the necessary risk-management tools and technologies to quantify risks effectively, some attendees said. “In order to grow the business where there are revenue opportunities, organizations need to make strategic infrastructure investments that provide sustainable and scalable support capabilities,” Avnet said.

“Point solutions and manual workarounds don't cut it anymore; organizations should implement an enterprise framework that is expandable over time and can be leveraged across the organization in a consistent and cohesive manner,” Avnet added. “The trick is to start small and pick the appropriate fights. A big bang approach to implementing ERM/GRC solutions is not the way to go.”

Roundtable participants also talked about how they monitor and confirm the effectiveness of their ERM programs. Avnet said he conducts “pulse” surveys that assess values, ethics, and compliance to measure corporate culture.

While surveys can be helpful, they don't dig as deeply into issues as internal auditors do. “You need an independent focus, someone going in to look at what is actually going on below the top level,” Watts said. Internal audits add value by assessing how effectively management has responded to key risks.

Another lesson that emerged during the roundtable is that the transition to ERM is more of a journey than a one-time exercise, and many endeavors can fizzle out if they are not properly ushered along, whether because leadership is lacking or because the organization has lost sight of what it needs to be doing. Fundamentally, the job of internal audit is to provide the board and management with an objective assessment of the company's ERM efforts, including where the company can improve.

Overall, effective enterprise risk management is about better communication and corroboration between the operational units, the board, and senior management. “If we are truly going to bring risk under one roof,” Avnet said, “we have to start speaking the same language.”