Risky business? Not if you set thresholds, manage exposure: experts agree that companies are doing a poor job of assessing and managing risk--either they lack a mandate from executive management or they don't have the necessary discipline. As risk management becomes a still larger focus area, it's time for those that haven't identified and analyzed risk areas to do so.

Despite the plethora of internal and/or external events that could expose an organization to serious risks, companies focus much more time and resources on measuring and monitoring financial performance than on proactively measuring, analyzing and responding to and mitigating risks--threats that could hurt financial performance.

One would think that recent corporate scandals and fraud, as well as provisions set by the Sarbanes-Oxley Act, would have spurred companies to assess and improve the management and mitigation of enterprise-wide risks. This is apparently not the case. A July 2004 PricewaterhouseCoopers "Sarbanes-Oxley Compliance Survey" found that 61 percent of 152 senior executives from U.S. multinational companies recognize that they must improve their risk identification and assessment process in future years because of new corporate-disclosure rules. And 55 percent anticipate adopting risk-mitigation processes, the survey found.

Risk-management experts agree that, for the most part, companies are doing a poor job of assessing and managing risk because either they lack the discipline for it or a mandate from executive management is absent.
However, as risk management is rapidly becoming a major area of focus, if you haven't identified and analyzed risk areas within your organization, it's time to do so. Companies that assess risk, set risk thresholds and actively monitor and manage their risk exposure within those thresholds can more accurately predict future performance. They are also likely to achieve higher performance and/or meet financial expectations because they are better able to avoid large fluctuations in business and evade the consequences of unmitigated risk events.

In "Add Risk Exposure Considerations to Planning Process, Says Fed Governor," an article in the March 2005 issue of America's Community Bankers, Federal Reserve Board Gov. Susan Schmidt Bies called on companies to adopt a "consistent, sound enterprise-wide risk-management culture." In adopting such a culture, risk management is viewed as a way to keep pace with changes in risks and achieve strategic advantage rather than a mere compliance exercise, she adds. Bies also contends that risk management and internal control begins by "stretching the planning exercise" to consider alternative outcomes.
Bies believes managers should be expected to evaluate the risks and controls within their authority at least annually and report the results to both the executive who oversees risk management initiatives and the board audit committee. Internal audit or another independent source should perform a separate evaluation to confirm management's assessments, she adds.

Implementing a Risk Management Framework

Those who don't have a formal risk-assessment and management program are certainly not alone. Although the percentage is declining, it is surprising how few organizations have formal programs. Even if companies have a risk-management program, often it is more informal in nature. That is shocking, given the amount of money that has been lost in the financial markets due to poor risk management and fraud. Research organization Gartner Inc. estimates this loss figure at $12 billion between 1992 and 2003.

Corporate governance--specifically the compliance requirements of Sarbanes-Oxley--is driving development of a formal enterprise-risk framework at publicly traded companies. Increasingly, non-profit organizations and privately held companies are considering developing such formal frameworks as well. Most believe that it is just a matter of time before compliance requirements will impact their operations.

In order to establish a formal enterprise risk management framework, a team consisting of representatives from key areas of the enterprise should be established. This team, or a portion of it, may continue as part of a risk-management organization after the initial critical work is completed. Management representation from throughout the organization should be included on this risk management team.

Executive management buy-in and support is essential to the success of this initiative. Therefore, the chief executive officer and/or CFO should actively participate. If a compliance officer has been appointed, he/she should also be included. Depending on the organization, participation may also include representatives from the financial, accounting, legal, internal audit, information technology, human resources, actuarial and operations areas.

Once a project team has been established, the team should identify and assess internal and external risks to the organization in order to develop a formal enterprise risk-management plan.
The risk analysis should produce a risk ranking and ultimately a risk profile for the organization, as well as a strategy for continuously monitoring and assessing the various risks.

The risk identification process can be daunting, since both internal and external risks must be measured. It may be easier to gauge internal risk factors, like fraud, and determine how to minimize them. But external risk factors such as economic, political, legal, market, industry and regulatory issues must also be analyzed, and mitigation plans should be developed.

The importance of accurately predicting various risks and judging the levels of severity should not be underestimated. Credit rating agencies and shareholders base their assessment of an organization and its future performance potential partially on the perception of the organization's ability to deal with and minimize risks.

Poor Results Are Noticed

For example, if a company consistently misses its profit targets, financial analysts, rating agencies and shareholders will take note. There will likely be repercussions such as a downgrade in the company's credit rating or the sale of shareholders' holdings in its stock.

Most organizations rank risk levels as high, medium or low and may use "heat-mapping" (red, yellow and green) to clearly delineate ranking. The likelihood of a risk occurring within the context of the existing control environment should also be considered.
The risk-management plan should include the establishment of a formal risk-escalation process. Many organizations evaluate risk once a year, but with a formal plan, everyone is more aware of the potential hazards as well as a risk-escalation process and can act accordingly.

Besides identifying the universe of possible risks and establishing a rank for each, a risk-management team usually participates in defining an organization's risk appetite and response.

* Risk Appetite -- the amount of risk exposure or potential adverse impact from an event the organization is willing to accept or retain. This framework consists of three principal elements: the probable impact of a risk or event on the organization; the likelihood the risk or event actually will occur; and the risk-response scorecard that directs mitigating action based on the overall risk level for each risk or event.

* Risk Response -- consideration of the appropriate response or management processes for each identified risk, as well as viewing each risk individually and as part of the organization's overall risk portfolio. Risk response can range from avoidance to acceptance. Avoidance may be considered an acceptable option if the ability to alleviate risk is unacceptably low. Most often, risk response assumes the form of mitigating risk and risk-reduction planning.

Through risk mitigation, an organization puts itself in a better position to more accurately predict future performance. In doing so, the organization has also become proactive, instead of reactive, when a risk materializes or threatens. If a formal risk-management process is in place, the team probably would have identified and monitored the threat and had a mitigation plan in place that it could proactively execute.

Effectively managing risk is a vital exercise for today's organizations. It helps them make better-informed decisions, gain comfort that solid steps are being taken to achieve company goals and, most importantly, it gives the organization its best chance for maximizing success.

Anne Marchetti is a Practice Director at Parson Consulting (www.parsoncon.sulting.com), a leading financial management consultancy based in Chicago. She can be reached at amarchetti@parson.consulting.com.