More and more companies want to build their enterprise risk management programs, particularly as emerging risks like cyber-security force their way onto board agendas—the trick is in getting from your compliance routines of today to a more coherent ERM program tomorrow.
To debate the finer points of shifting from a compliance program to ERM, Compliance Week and Workiva recently hosted 10 compliance, risk, and audit professionals in Orlando for an executive roundtable on the subject. “Risk management is not a sequence after compliance,” said Mike Rost, vice president of vertical solution strategy with Workiva. “It is its own thing, and every organization is going to come at it differently.”
The following panelists participated in the Sept. 15 CW & Workiva roundtable on compliance collaboration to drive ERM.
Marie Blake, EVP, Chief Compliance Officer, BankUnited
Lindsay Koren, Senior Associate Counsel, Ethics & Compliance, Darden Restaurants
George Lewis, Senior Manager, Risk & Compliance, CHEP North America
Deborah Penza, SVP & Chief Compliance Officer, Impax Laboratories
Bryan Rhode, VP, Internal Audit & Compliance, CSX Corp.
Craig Roshak, Senior Manager, Head of ICFR/SOX and ERM, Fiat Chrysler Automobile
Michelle Scott, Director, Corporate Compliance, SeaWorld
Aaron Sundquist, AVP, Compliance Data Analytics Manager, BankUnited
The good news: Most participants said that they are implementing ERM to some degree, even if many are still in the early stages. Some of that effort traces its origins back to compliance with the Sarbanes-Oxley Act, plus good internal auditing principles that require an annual enterprise risk assessment. Little surprise, then, that numerous participants said their internal audit departments still drive their organization’s ERM efforts.
For compliance officers, however, housing ERM in internal audit provides only a fraction of the picture, as the risk landscape has rapidly evolved beyond internal control over financial reporting, spilling into other risk areas—such as anti-corruption, anti-money laundering, and cyber-security.
And over the last few decades, companies have moved from possessing mostly tangible assets (factories, land, inventory) to intangible goods (customer lists, marketing data, intellectual property), Rost noted. That means new risks such as reputation management must be fit into ERM programs that never originally anticipated them.
“That’s the essence of ERM: How do I know what I don’t know? How do I find out what I don’t know?” said one executive. Those are the “black swan” risks—low likelihood, but high impact—that companies have to worry about, the executive said.
Such uncertainty has some audit, compliance, and risk executives doing an intricate dance through the usual Three Lines of Defense model. As one executive put it: “We’re figuring out how not to step on each other’s toes, but rather how to inform each other in a better way.”
Executives with a professional auditing background are in a great position to be involved in the discussion of ERM, another executive said, but “I don’t know that they should drive it.”
In that respect, companies may want to take a page from Brambles Ltd. The $5.4 billion global supply-chain logistics company has a vice president who oversees global internal audit and risk management areas together, “so it’s housed pretty close together from a global perspective,” said George Lewis, senior manager of risk and compliance for CHEP North America, Brambles’ subsidiary here.
Several roundtable participants said the pace of merger activity at their companies often makes it difficult to gather data and understand risks at the enterprise level, since the size of the enterprise keeps changing. “When these mergers and acquisitions happen, it doesn’t mean all the technologies come together,” said Marie Blake, chief compliance officer at BankUnited.
Following M&A activity, data often is housed on several different systems. That makes like-to-like comparison of key risk metrics difficult. “It’s still a challenge,” Blake said, and underlines the need for a data warehouse—one central repository where all information about the company and its risks can be stored and then analyzed by audit, compliance, or risk leaders.
In the pharmaceutical industry, for example, regulatory initiatives involving the reporting of payments to healthcare professionals drove the need for data warehouses to capture all data that needs to be reported to the state and federal government. “This data sits on multiple systems and in various formats,” said Deborah Penza, chief compliance officer of Impax Laboratories. “None of these systems ever spoke to one another, so we had to create data warehouses to gather all this data from the various systems and then implement additional systems to aggregate the data and format it to meet the reporting requirements.”
The shortcoming with data warehouses, however, is that they depend on people to feed data into them. “The only way to get that data is to beg for it,” one executive quipped.
“It is a lot of relationship management,” said Aaron Sundquist, compliance data analytics manager for BankUnited. “It’s learning to speak other people’s language. I often ask the folks in IT, ‘How can we communicate better?’ It’s making sure I get not only what I ask for, but also what I need, and sometimes those are different things.”
And getting the data is just the first hurdle; getting value from that data is the second. “One of the challenges is getting people to understand that centralizing compliance information is not centralizing compliance,” said Lindsay Koren, senior associate counsel for ethics and compliance at Darden Restaurants. Rather, it’s about helping businesses use data effectively to get to a more predictive state, she said.
Boards are paying more attention to ERM these days. Several roundtable participants said their audit committees or other directors and officers direct them to assess the state of enterprise risk management, particularly those who come from other companies where ERM is a hot topic.
Boards are also getting savvier in the type of information they ask about. “The conversations are around the effectiveness of the controls,” Koren said. Putting yourself on the same side of the table as your business partners and catching internal control weaknesses together, as opposed to enforcement authorities coming in and finding those weaknesses, “has been valuable on the relationship-building side, and has given me a lot more insight in terms of whether we’ve tested the controls,” she said.
Where many companies falter in their ERM efforts is that they have several “fire extinguishers” (that is, controls), but “they don’t have any clue where their ignition sources (that is, risks) might be,” Rost said. Those ignition sources could be with your brand, your third parties, cyber-security—the list is long. Companies should spend less time testing all their controls that have little material impact, and instead focus on their highest risk areas, he said.
OVERHEARD AT THE ROUNDTABLE
“Risk management is not a sequence after compliance. It is its own thing, and every organization is going to come at it differently.”—Mike Rost, Workiva
“It’s learning to speak other people’s language. I often ask the folks in IT, ‘How can we communicate better?’ It’s making sure I get not only what I ask for, but also what I need, and sometimes those are different things.”—Aaron Sundquist, BankUnited
“One of the challenges is getting people to understand that centralizing compliance information is not centralizing compliance.”—Lindsay Koren, Darden Restaurants
“Banking regulators really are pushing for more board engagement, but that’s a tough corner to turn.”—Marie Blake, BankUnited
“None of these systems ever spoke to one another, so we had to create data warehouses to gather all this data [that needs to be reported to the state and federal government] from the various systems and then implement additional systems to aggregate the data and format it to meet the reporting requirements.”—Deborah Penza, Impax Laboratories
“We’re figuring out how not to step on each other’s toes, but rather how to inform each other in a better way.”—Anonymous
Participants also spoke a great deal about which committee of the board should take the lead on ERM issues. Word of advice: Don’t assume the audit committee is your best choice.
“By nature, your audit committee is backward-looking,” Rost said. So while it focuses on “blocking and tackling,” he said, the company should separately have a board-level risk committee to think creatively about risks. The lack of a formal risk committee makes it difficult to assess all the risks that the company should be thinking about, Rost added.
Audit committees “often are concerned with fire drills, rather than emerging risks,” Blake said. Their focus typically is on what happened and what is being fixed. “Banking regulators really are pushing for more board engagement, but that’s a tough corner to turn,” she said.
Some boards are more sophisticated than others, depending on who sits on that audit committee. “In some cases, the audit committee is becoming the all-risk committee,” one executive said. They’re being forced by oversight bodies like the Securities and Exchange Commission to become a forward-looking organization, he said.
Companies still have room to improve, however, in articulating their risk tolerance to the board. “It’s an emerging practice for a lot of organizations,” Rost said. “Most organizations are in that evolutionary stage of getting there.”
For companies that have already identified their risks and laid out mitigation plans, the next hurdle to overcome is how to ensure that the lines of business are actually employing those mitigation measures, attendees said.
“I think we’ve done it pretty well creating strong cheerleaders along the lines of business to champion the cause when we need them to,” Sundquist said. That was achieved by “bringing them direct value through actionable information they can take to monitor their risk.”
“ERM is one of those journeys that will never end,” Rost said. “Even if you’re not a global company, you’re still impacted by global factors.” That fact alone will continue to elevate ERM at the board level years down the road.