A recent survey of over 200 corporate directors conducted jointly by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Protiviti uncovered some unsettling news. Fifty-three percent of respondents consider their risk oversight processes “effective” or “highly effective,” yet over 70 percent of those surveyed say their boards are not formally executing strong enough risk management processes.
If that weren’t enough to make boards and financial experts cringe, COSO conducted another survey along with the ERM Initiative at North Carolina State University, asking corporate management about their current risk management processes. Over 60 percent say their current risk oversight is ad hoc or informal, and 42 percent indicate their organizations have “very immature” or “somewhat mature” ERM processes. That leaves a lot of room for risk to filter into the company at the uppermost level.
According to Dave Landsittel, COSO chairman, both studies indicate, at least anecdotally, that implementation of a formal risk management process was uneven from company to company. “In aggregate, there are a lot of organizations where implementation is at the early stages at best,” he said.
Overtaxed audit committees
With all the existing and new financial risks and regulations—from Dodd-Frank to Basel III—audit committees have plenty of work to do. But companies are adding risk, from data security to safety and workplace risks. Audit committees, trained to address financial and accounting risks, find themselves in charge of risks they may not be positioned to understand or address. Is risk management an audit issue?
Brett Frevert, former CFO and current managing director at CFO Systems, a financial and business advisory firm in Omaha, says no. Risk, in his estimation, is a business management issue. “It’s not the internal audit’s or external audit’s responsibility,” he said. “The board and the executives—not on the audit committee—somehow need to get the message that risk is right here, whether it’s your sales manager buying drinks for his team after work or it’s the business unit over in Egypt that not long ago we thought was a safe place to do business.”
Yet expanding risk oversight beyond the audit committee is often difficult in companies used to handling risk in a siloed manner. Part of the problem is that companies and boards are overconfident. Landsittel sees that as a roadblock to progress. “In a lot of organizations, there’s that feeling that they do deal with risk because they pay to do so,” he said.
Landsittel said COSO’s recent fraud study uncovered the same type of overconfidence in how companies handle Sarbanes-Oxley risks. “One of the messages of the study—not too surprising—was that management override of internal controls was an issue,” he said. “In essence, top management would override controls that were in effect.”
That overriding of what he calls the most powerful common denominator among the attributes of financial fraud is exactly where risk finds a toehold. “A lot of organizations and boards acknowledge and recognize it’s a problem, but then say it’s not a problem in their organization,” he said.
The CFO’s role
Bill Brunner, CFO for JD Byrider in Indianapolis, believes the influence of risk management needs to be at a governance level and not migrate to the management level. As a former CFO in a financial institution, Brunner understands that boards need to tread carefully into managing risk. “There are individual risk management elements—certain internal controls and financial policies, certain quality controls, customer controls—that are tactical in nature,” he said. “If you get a board heading into micromanaging at that tactical level, they pierce their role of governing and in staying at a higher order.”
In his current role in a privately held company with approximately 600 employees, Brunner said risk is handled between the head of franchising, who is also a former CFO, and Brunner. He said the size of the organization does dictate the necessary structure of the risk controls.
Brunner feels that, no matter the size of the organization, the best approach in his experience is for boards to take an active role in establishing the culture and the broad procedure for how a control framework should be built. He also believes the CFO can play a limited role in risk management. “The CFO has a concept of what risk means. At minimum, CFOs bring the tools of measuring and identifying risk. At best, I think the CFO can be a cheerleader for thinking strategically and help bring the others along,” he said.
All experts agree that the CFO, having umbrella oversight and responsibility for all things financial, can enhance the risk management function. “While risk management goes well beyond the financial piece, it eventually ripples up into financial,” said Frevert. “It has to be explained in the financials eventually. CFOs can be involved and have some responsibility and accountability upfront.”
Best risk structure
There is no one-size-fits-all in terms of how companies should structure risk management. Maureen Errity, Director at Deloitte LLP in New York, sees companies in a transition period. “Companies must think about what infrastructure at the management level is going to work best for them,” she said.
Deloitte’s Global Risk Management Survey examined the risk management habits of 400 S&P 500-listed companies. Of those, 12 percent had a chief risk officer. About 19 percent of the 400 companies had a management-level committee for risk; within financial services, the figure was about 26 percent.
Errity works with companies to develop risk management structures that make sense for the company involved. She sees more companies adopting a risk management committee, which she said brings business unit leaders together to review and monitor risks. In many cases, the CFO is helping to lead the way.
In Frevert’s estimation, in order to know what role the CFO should take, companies need to look at the entity to see what the primary risks are and how the company is already structured to handle those risks. He believes one committee handling all risks is “nonsensical.” Instead, risk should be a cultural, complete, structured process approach given the same level of attention as the financial aspects. “Instead of spending eight-to-10 weeks each year working on budget preparation, step up a level and ask where the business is going next year,” he said. “What are the speed bumps, hurdles or brick walls?”
Risk management for profitability
More importantly, risk management is not just a necessary task. It can be, according to many experts, a valuable business tool that can help companies gain competitive edge.
Frevert uses the example of a client whose business was global. The company was spending the bulk of their time focusing on Sarbanes-Oxley compliance. “They focused so much on authorizing transactions and journal entries, they completely walked by the fact that 60 percent of their business is done globally,” he said. “They had a massive FX exposure.”
Wrapping their arms around the risks and addressing them has helped Frevert’s client company remove the risks and increase their competitive edge. The ability of proper risk management, assisted by the CFO and financial unit, to lessen serious risk can free companies to focus on the more important goals of gaining and keeping customers.
Errity agrees. She has already seen a move toward risk as a profit center, and she says it can be a real value creation for the organization. Risk, in her view, should not be thought of as a negative. “It should become cultural,” she said. “We always hear ‘We’re already managing risk—it’s part of what we do.’ It’s formalizing that, and then setting the tone from the top that this is priority. There’s a trend here that good risk management will ultimately create reward and value.”
Lori Widmer is a writer and editor specializing in risk management and insurance.