VW, FIFA, GM: Three organizations that have recently been in the news for violations of ethics and possibly criminal behavior. They are facing fines, possible lawsuits, and in the case of the corporates, share price deterioration, higher financing costs and substantial legal fees. All three present classic case studies in enterprise risk management (ERM), and they should be lessons for treasurers, who increasingly lead their organization’s ERM efforts, as AFP has found in the CTC Guide, “Leadership in Treasury: How Treasury Can Lead ERM”.
1. All risk translates into dollars and cents, and that’s why treasurers are best positioned to manage broader risks. One of the nagging issues in ERM has always been how to quantify the impact of risk on the bottom line. According to Gary Bierc, president of risk quantification consultancy rPM3 Solutions, “once we begin to quantify more risk, we can better prioritize and be able to make better resource allocation decisions and better manage risk going forward. There’s only one individual who can do all this, and that’s the treasurer.”
The VW and GM cases offer a glimpse into what the cost of not managing risk properly can be. First, there’s the effect on the stock price—VW’s dropped 30 percent in the first week after the fault was announced by the EPA. Second, there’s the cost of the actual recall and the development of the fix. Third, there are billions in estimated penalties from multiple jurisdictions, and lawsuits from angry customers and disillusioned shareholders. Finally, there are untold costs in damaged brand value and lower car sales. These immediate and future cash flow impacts will have to be managed by treasury, as “calls” on cash to pay for lawsuits and fees will affect liquidity management, including cash forecasting, borrowing and investment.
2. Embed ERM into the culture. The VW debacle also illustrates how important it is to embed ERM into the very fabric of the organization. The question on everyone’s mind is: Were the people making the decision to insert deceptive software into the cars aware of the potential cost of the risk they were taking on? Companies that have advanced ERM programs ensure that every employee is aware of the company’s major risks and what the costs of failing to manage and mitigate those risks may be. Risks are expressed in the form of risk tolerance thresholds.
The biggest risks are strategic risks
The VW case illustrates that reputational and strategic risks are the most dangerous, as AFP explored in the CTC Guide, “Enterprise Risk Management: Beyond Theory, Practitioner Perspectives on ERM”. “What’s changing in the more progressive companies is the senior view on what could affect reputation and brand,” said Henry Ristuccia, partner and global leader, governance, risk and compliance services at Deloitte & Touche LLP.
That’s a departure from the traditional COSO framework, originally devised in 1992 but recently updated, which breaks risk into four buckets: strategic, operational, financial and compliance. “Senior stakeholders cut the list in half,” Ristuccia said. The reason is that on both financial reporting and compliance, companies should have a zero tolerance level for risk. “The emerging view is that companies should focus on strategic and operational risk,” he continued. “How can they really engage risk management in the creation of assumptions that drive the business plan? The key questions executives should be asking are: ‘What haven’t we thought about? What can go awry?’ In the lightning-fast post-digital age, social, mobile and cloud world it boils down to reputational risk. That’s where we need to focus. What’s critical is the ability to execute strategy.”
How can ERM leaders prevent disasters?
In studying successful ERM programs, several common themes emerge. Following these themes can help ERM champions reduce the chances of reputational disasters:
- Get in front of risk. If a risk is identified, it’s best to get in front of it to mitigate it. In the case of VW, management was aware of the allegations a year before the EPA’s challenge. A voluntary recall and apology would have created a lot less pain than the accusations leveled against the company. This should have been clear to management from observing the case of GM’s recall.
- Run scenario analysis. Try to identify the biggest risk in terms of dollars and cents by running scenario analysis on potential real-life events, i.e., what to do if you wake up in the morning to a big WSJ headline. How would that headline affect the company’s performance and cash? For a car company, a large recall should clearly have been one of those scenarios.
- Embed risk into the fabric of the organization. It remains to be seen how far up the knowledge about the illegal software went. But a good way to ensure everyone, from senior management to line employees, follows risk management guidelines is using ERM language to educate everyone about the company’s risks and how management expects employees to approach them.
- Get buy-in from the top. To ensure the program has “teeth”, ERM champions need buy-in from the top – as far up as the board, which often plays a critical role in providing direction. “If executive management is not on board, the first thing would be for them to understand how this can add value to the business,” said one corporate treasurer at a Canadian mining company.
- Have a well-articulated process that makes logical sense to everyone. What was most striking about each case study in the CTC Guide was how fluent the ERM practitioners were in their processes. They were able to easily outline a sensible and well-articulated approach that was connected at the top and designed to reach out into the organization, linking the process to how the company makes decisions and talks about risk. That fluency reflects the fact that each of these companies has developed a very sensible organized approach. They didn’t have to memorize rhetoric or go through checklists.
- Keep it fresh. Finally, it’s important to review and update the program to reflect the business’s evolution and external events. “Don’t do it once and put it away,” advised one ERM team. “It needs to be a living, breathing process as your business develops.”