WHITE PAPER. Inside Information: What Business Leaders are Saying About the Complexities of Enterprise Risk Management (ERM)

Transcription

1 Inside Information: What Business Leaders are Saying About the Complexities of Enterprise Risk Management (ERM)

2 As the third quarter of 2012 marches to a close and the end of the year approaches, economic uncertainties abound as investors continue to seek stable markets. Daily there are new instances of fraud and white collar crime permeating the news, leaving those in leadership positions with the task of answering tough questions and striving to build businesses able to withstand the economic storm currently playing out on both a micro and macro level. Uncertainties about changes to the regulatory environment and overall economic condition of the United States remain a central focus of politicians and business people equally, particularly during a presidential election year. As a thriving market covers all sins, the inverse has also proven to be true in the current economic environment as fraud is still pervasive and presents itself on a regular basis. This realization has left business leaders and law makers asking the question What measures should be undertaken to prevent this cycle from perpetuating itself? Since the onset of the financial crisis in 2008 and the resulting market corrections, politicians, scholars and the like have studied the causes, effects and outcomes in search of ways to prevent similar events from happening again. A quest for the contributing factors has led to new regulations as well as the implementation or redesign of corporate risk management programs. The industry response to these undertakings appears to be mixed. According to a survey 1 of over 400 C-level executives across the United States conducted by Mesirow Financial Consulting ( MFC ), nearly 40 percent of respondents felt that regulation has a very negative impact on their industry because it impedes the ability of business to grow. An overwhelming majority (78.5 percent) felt that their company had appropriate protocols in place to identify potential business risk, while 60.9 percent of the same respondents indicated they do not have an Enterprise Risk Management ( ERM ) program in place. Startlingly, 82.9 percent of those respondents without an ERM program in place also indicated that they are not looking to implement an enterprise-wide risk mitigation program. If that is the case, how do corporate executives evaluate risk mitigation programs while ensuring they are properly considering all potential risk factors facing their organizations? The History of Enterprise Risk Management (ERM) The advent of ERM can be traced back to compliance measures enacted in response to the Foreign Corrupt Practices Act in the late 1970s as well as the billion dollar failures in the financial sector in the mid-1990s. With the subsequent high-profile collapses of Tyco, Enron, WorldCom and others, greater and more stringent focus was placed on evaluating internal controls, risk management and corporate governance. In 2004, the Committee of Sponsoring Organizations of the Treadway Commission ( COSO ) 2 published a document to provide guidelines and best practices in the design and development of an enterprise-wide risk monitoring and management system. This initiative was led by a group of accounting and finance organizations and, as a result, was primarily formed on the basis of an accounting and audit methodology. According to a 2009 article by Michael Power, the Director of the Centre for the Analysis of Risk and Regulation at the London School of Economics, there is a necessary balance between a risk management program consisting of audit-type operational controls and the development of a holistic, dynamic and multi-faceted ERM program. He states the risk management of nothing and the impact of a model created on preserving the logic of the audit trail, rather than a boundary-challenging practice which confronts and addresses the complex realities of interconnectedness 3 results in the creation of a risk mitigation process focused 1 Mesirow Financial Consulting contracted IBOPE Zogby International to conduct an online survey of more than 400 C-level executives across the United States. The margin of error is +/- 5.0 percentage points 2 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the American Accounting Association, American Institute of CPA s, Financial Executives International, The Association of Accountants and Finance Professionals in Business and The Institute of Internal Auditors. It is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. 3 Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society,

3 only on quantifiable risks. The exclusion of the non-quantifiable risks is problematic as it oversimplifies the operating environment of many businesses and the creation of a check-the-box compliance exercise described as ERM by the numbers. 4 In a survey conducted in 2010, COSO found that in the six years since the implementation of the 2004 guidelines, 60 percent of the respondents indicated that their risk management tracking was informal and not enterprise wide. 5 These findings corroborate the results reported in the MFC survey conducted almost two years later and suggest that even with the passage of The Dodd-Frank Act ( Dodd-Frank ) in 2010, corporations are still struggling with the concept of an enterprise-wide risk management system and continue to focus on defined, quantifiable elements of risk. The MFC survey also highlighted the fact that nearly 75 percent 6 of respondents feel they have done enough to prevent fraud and 68.3 percent feel they have done enough to protect whistleblowers. Moreover, nearly 80 percent reported that they had strong internal controls and an appropriate system in place to identify potential business risks. With the juxtaposition of the number of survey respondents who indicate they have appropriate controls in place relative to those respondents that state they do not currently have, nor do they plan to implement an ERM program, we are left to ponder what it all means in a period of increased public scrutiny, governance and regulation? Finding the Right Mix While the amount, type and administration methods of financial regulation can be controversial, it is a tool used by governments and businesses to increase transparency, maintain confidence and prevent wrongdoing internally and externally. Despite the survey strongly indicating that business leaders feel regulation has a very negative impact on their industries, the results also indicated that the largest percentage of those surveyed feel there are too few regulations in the areas of anti-fraud, anti-corruption and insider trading. Financial regulation empowers and requires organizations to monitor activities and to manage risk to the business as well as the marketplace. From a macro perspective, this is carried out through various government agencies and federal and state lawmakers. Financial regulation aims to identify risks that arise out of the interconnectedness of U.S. business and financial institutions and provide a tool and window into businesses to be sure that laws are being obeyed and ultimately investors and interested parties are being protected. Conversely, from a micro angle, financial regulation manifests itself through internal corporate governance and ERM programs. Regulatory requirements are a part of the overall framework companies can use to develop a robust risk management program. If done correctly, a robust risk management program complements a firm s unique relationship with government and regulators in the context of their business and industry. When developing an ERM system, it is essential to identify and assess quantifiable and qualifiable risks to ensure their proper handling comprehensively across an organization. This assessment includes the necessary step of considering how these risks are measured, evaluated and tied to individual performance and rewards. A 2010 study found that there are three unique types of ERM programs that companies attempt to integrate into their organization: compliance, corporate governance and pervasive performance. 7 The compliance model of ERM is predominately focused on the internal management of risk and tends to be based on the audit methodology of internal controls. 4 Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society, COSO s 2010 Report on ERM 6 Approximately 73.3 percent 7 Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society,

4 This focus does not provide employees a mechanism to identify unknown risks as they are only attentive to the sources of risks they already know. The corporate governance model of ERM is focused on identifying mostly known internal risks, but simultaneously providing the external market (and customers and shareholders) a feeling of assurance regarding the ERM program in place. This type of ERM program is still not holistically embedded in the organization and does not provide the basis for employee autonomy in the identification of new risks or threats. Pervasive performance, however, attempts to marry the organization s and the employee s responsibility to identify, manage and communicate risk issues. By creating a sense of shared ownership in risk management, the pervasive performance model of ERM creates a culture of action whereby managers and line employees assess each of their actions and the potential impact in the framework of a holistic risk management program. Recommendations When considering improvement to businesses, the implementation of a strong ERM / Internal Controls program is essential. Key steps to consider include: n Provide employees examples of risks that they play a hand in controlling and ask for them to critically assess and communicate other risks that they may not be currently focused on. n Include elements of risk management in employee presentations and communications, in addition to providing tangible reminders of the ERM program in the form of placards or desk tombstones. This is important as creating an enterprise-wide culture of risk management requires constant communication and branding of the effort. n Use historical examples to highlight pertinent instances where unexpected failures occurred. n Move the conversation away from ERM as a concept of things to be measured or reports to be generated and move towards a more strategic discussion of the various risks and issues that impact the business, identifying specifically what employees can help assess and control. n Ensure that performance management and reward plans give appropriate consideration for an employee s success or failure in helping to manage and mitigate the various risk components they can control. 3

5 About the Authors Kristin Trahan Winford is chief operating officer of MFC and has extensive experience with strategic operations and performance improvement services, corporate governance, enterprise risk management and the development and refinement of internal controls. With a strong background in global technology and professional services firms, Winford has a proven track record of partnering with executives to realize strategic business objectives, design highly effective organizational structures and ensure profitable growth. Currently, Winford leads all aspects of MFC s business operations and is chief operating officer of its global joint venture, BTG Mesirow Financial Consulting. Hannah Zeffiro is a senior associate and a member of MFC s Litigation, Investigative and Intelligence Services team. She has experience advising clients in fraud-related investigations, forensic accounting and other complex critical issues facing companies. 4