Printer Friendly

Risk management audits set directors' minds at ease.

Material threats facing business today abound. The Manville Corp.'s difficulties with the adverse health effects of asbestos is well known. Union Carbide knows the risks of hazardous-chemical releases in a populated area as a result of the Bhopal tragedy. In the non-profit arena, Goodwill of Chicago received an intensive environmental liability education after accepting, without prior inspection, a donation of contaminated property. Exxon's public image has also been tainted, with its problems tied to oil spills in Alaska's PrinceWilliam Sound and New Jersey.

Recognizing that the responsibility for responding to these material threats lies with the company's management, the board should avoid second-guessing every risk management decision and focus on the overall health of the risk management function and the company's success, or failure, in safeguarding its assets. The risk management audit is a primary method used to review the effectiveness of the company's risk management functions. If properly conducted, it will provide the board with the necessary due diligence.

As guardians and representatives of a corporation's shareholders, directors are obliged to protect the company and its shareholders from harm, including inept management, unfavorable takeover offers or inaccurate financial reporting. Since a company's ability to produce income for dividends or stock value appreciation is important to shareholders, it follows that the board of directors has an obligation to ensure that the business' ability to produce income is safely guarded. That means protecting the organization's primary income-producing base-its assets, which include its reputation, customers, suppliers, employees, land and equipment, technology and financial resources..

Depending on one's perspective, the obligation to produce income can be balanced against other corporate and societal goals, such as acting as a good corporate citizen and providing a safe work environment and products and services that do not damage the environment. Many companies have created corporate ethical standards or guiding principles-even environmental ethics"-to balance conflicting economic and non-economic goals. Even discounting these "higher order," non-economic responsibilities, directors have an implicit responsibility to ensure that income-producing assets are reasonably well protected, as it is in their best economic interest to do so.

What About Insurance?

In the past, the board's inquiries have typically been limited to asking, "Do we have enough insurance?" This question is also important to the directors on a personal level, as directors' and officers' claims have been levied for failure to effect and maintain adequate insurance. Underlying this common question is the board's desire to understand and measure the adequacy of the corporation's ability to respond to the risks of loss.

Insurance, however, responds only to a portion of the broad spectrum of corporate risks. Typically excluded are pollution losses and product-recall incidents. Insurance seldom pays for the total loss. Indeed, hidden or indirect costs, such as loss of reputation, lost productivity, product recall, retraining, diverted management resources and loss of market share, can be significantly higher than the insured or direct loss. Also, adequate insurance, a reactive loss financing mechanism, does not prevent the loss from happening in the first place. The broadest insurance policy available with the highest limits imaginable has never prevented an oil spill, put out a chemical fire or stopped a claimant from suing.

Given recent concern over the financial security of some insurers, even the promise to address the direct financial effect of a covered loss is questionable. Companies insured with Mission, Transit and other insurers have painfully discovered that the safety net of insurance may contain a few holes.

Today, prudent management no longer depends on insurance as its primary safety net. Rather, it works to ensure that all major risks are clearly identified and controlled through aggressive risk control measures. Insurance and risk financing mechanisms are only used as a final line of defense against a major loss.

The risk management function may be the responsibility of a specific department, or it may be spread throughout different areas of the company. However, regardless of the design of the risk management function, its objectives remain the same: identify, control and finance the company's loss exposures. Directors should be comfortable" with the adequacy and success of the risk management function, not with the limits of insurance purchased.

The company's failure in risk management may represent a material threat to its financial success and, more importantly, its reputation. Realistically, however, even the best risk management program cannot anticipate every potential loss. A basic rule of risk management-and business in general-is "What can go wrong, will go wrong." A strong risk management program can, however, mitigate the effect such risks can have on the company's financial success and reputation.

ln a measure directly applicable to board of directors activities, the Securities and Exchange Commission has called on companies to improve disclosure of possible Superfund liabilities. The SEC may eventually even strengthen disclosure compliance requirements related to other environmental laws such as the Clean Water Act. On the internal control front, the Treadway Commission's report suggested that board members improve their understanding of computer-related risks such as fraud.

As a result, in stockholder meetings across the country the same questions are continually being asked: Could the company be involved in an environmental disaster? What steps have been taken to prevent it? Can we survive a natural disaster such as Hurricane Hugo? Are our computers vulnerable to fraud, viruses or other intrusions? How has the company improved its worker safety programs?

A Board's Due Diligence

The board of directors is obligated to determine if the company has taken reasonable and responsible measures to identify, control and finance corporate risks. The Treadway Commission recommended that audit committees be informed, vigilant and effective overseers for the financial reporting process and internal controls. An audit committee's periodic review of the company's risk assessment process and management's responses to significant financial and non-financial risks is a critical step toward fulfilling this obligation.

In light of the increasing risk consciousness of investors, one can expect increased interest from shareholders concerning significant corporate risks and the company's ability to respond. For example, the growth of institutional investors' activism and vocal concern over corporate environmental matters signifies a material change in the landscape of investor concerns. Given the many natural and man-made disasters that have occurred in recent years, including industrial fires, environmental spills and earthquakes, and their significant costs in terms of dollars and publicity, investors' interest in nonfinancial matters is hardly surprising.

The risk management audit should address such board-level concerns as: What are the company's major risks? What control measures are in place to control them? Are they working? Has the company prudently financed risks that may slip through? Are management systems for performing the risk management function effective?

The audit can be conducted internally by management or externally by an independent third party. The internal review is usually conducted by a cross section of managers from such operations as legal, treasury, product development and security. If a third party is used, it is important to choose a risk management auditor who, similar to the company's outside financial auditor, is independent, unbiased and knowledgeable. To maintain this independence, the risk management auditor should report to the board or the audit committee in addition to the company's management.

The risk manager and upper management derive several benefits from an audit, including an objective opinion of risk management performance, as well as recommendations on how to improve the effectiveness of the risk management function. Given the scarcity of valid quantitative measures for risk management success, an audit is often the most effective performance measurement tool available to management.

What Happens in the Audit?

The risk management audit is typically a four-part process. First, the major material risks facing the organization are identified and analyzed. To accomplish this, the auditor must develop an understanding of the company's resources, identify exposures that harm resources and assess risk in terms of probable loss frequency and severity.

Then the auditor examines the company's efforts to control these risks through contingency plans, security measures, worker safety programs, property protection programs and hazardous materials programs, as well as its methods to finance the risk. In the third step, the auditor compares the risks and company responses to determine adequacies, including an opinion on the potential negative effect on the corporation from exposures that have gone unaddressed. Last, the auditor recommends improvements in company activities in the identification, control and financing of critical risks.

The audit process usually includes management interviews, selected facility inspections and reviews of risk management and insurance procedures and documentation, safety and loss control programs and industry practices. It also involves performing analyses using fault-trees and hazard scenario charts.

The auditor usually works closely with the company's risk manager and others with related responsibilities in examining all risk management areas. The final product is an oral and written presentation to the audit committee and management. Unless there are major changes in the company's risk profile, including acquisitions or diversification into new product areas, another audit will not be needed for at least three years.

The risk management audit, however, has one major shortcoming: There are no generally accepted risk management principles or comparable standards to an accountant's Generally Accepted Accounting Principles. Efforts have been made to define common risk management principles for use in measuring performance across industries. However, the general nature of these guidelines provide only an analytical framework; they do not provide specific performance measurements.

In addition, state-of-the-art risk management tools and techniques differ for industries and individual situations. A construction company's loss control programs may not work well for a retailer. Liability insurance limits for a nonprofit charity may be insufficient for a manufacturer of hazardous chemicals. The risk management auditor must understand the differences between industries and apply the proper risk management techniques to each company's unique situation. Indeed, the quality of the audit is only as good as the experience, expertise and methodology of the individual performing it.

Simply reviewing insurance limits no longer constitutes adequate due diligence to determine if a company's assets are adequately protected. Insurance only addresses the direct financial impact of a limited set of risks. A comprehensive risk management audit provides an independent, well-documented evaluation of the risk management function. It also provides directors with the information and comfort level they require to determine if corporate assets are adequately protected and that shareholder's future earnings are reasonably sheltered from material harm. Christopher A. Duncan, CPCU, ARM, is a director of risk management for KFC Corp. in Louisville, KY.
COPYRIGHT 1991 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Duncan, Christopher A.
Publication:Risk Management
Date:Aug 1, 1991
Previous Article:A practical guide to prosecuting pollution claims.
Next Article:State and federal regulators in 'footrace' to finish state guaranty fund system 'overly burdensome.'

Related Articles
Smells like team spirit: by establishing "central risk teams," Caesars Entertainment has developed a strategy for accountability at the management...
Rising expectations: audit committee oversight of enterprise risk management.
Audit committees focus on operational risk: FBI targets corporate corruption banking group proposes self-regulation for risks management transparency...
The auditor's role in mergers and acquisitions: companies often underestimate the importance of risk management during the M&A process.
Using COSO's ERM framework.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters