Enterprise Risk Management Gets Elevated -- Again
May 10, 2011

The latest wave of corporate governance reform is now washing across C-suites and board rooms around the world -- and it means more work for CFOs and board members at organizations that issue publicly traded securities.
The first wave was triggered by the Sarbanes-Oxley legislation of 2002 and, soon thereafter, the New York Stock Exchange rules that required board-level audit committees to describe their policies for risk management. A second wave arrived in 2009 when the ratings agencies, led by Standard & Poor's Inc., began to look at whether (nonfinancial) issuers were providing hard evidence that their Enterprise Risk Management (ERM) programs were working as intended.
The third wave, which is proving just as significant, came in early 2010 in the form of SEC Rule 33-9089, which "mandates disclosure of risk oversight and risk reporting lines, risk assessment by business unit, and assessment of the risk associated with compensation plans," explains Paul Walker, Associate Professor of Commerce at the University of Virginia and a leading academic in the field.
"Furthermore, the recent Dodd-Frank Wall Street Reform and Consumer Protection Act has raised the risk bar by mandating risk committees and risk experts on those committees. Add to this the fiduciary duty pressure on boards and the potential risk-related lawsuits, and you end up with risk getting attention at every level of the organization," adds Walker.
Now consider this twist. According to an article by Deloitte Financial Advisory Services LLP's Toby Bishop, "The Dodd-Frank Act has created a large financial incentive for whistle-blowing in companies across all industries." An area of particular concern relates to violations of the Foreign Corrupt Practices Act, and that could mean higher potential liabilities for companies moving aggressively into emerging markets where local officials expect to trade access for cash.
"As regulatory enforcement against fraud is increasing both domestically and internationally, the whistleblower provisions of Dodd-Frank have the potential to expand prosecutions of fraud dramatically, and boost the number of fraud accusations a company confronts," writes Mr. Bishop. "Whether or not investigations reveal actual violations, the costs and disruption of responding to such allegations can be substantial, particularly for larger multinational companies, not to mention the costly reputational damage that can arise from unexpected reports of wrongdoing," he adds. The local devil in the details will now have to be identified and monitored more closely than ever.
Mobilizing for Response
On the bright side, public companies with reputations, customers, suppliers, and investors to protect are getting all these messages. "Even though the new SEC rule does not mandate a specific course of action, it indirectly promotes the adoption of best practices in risk management," says Kristina Narvaez, President of ERM Strategies, LLC, a consulting and research firm focused on ERM.
Ms. Narvaez has recently studied proxy statements filed by Fortune 500 corporations in the wake of the new SEC rule. Adding urgency to the situation, she notes, are several bills pending in Congress that would impose even stricter risk management requirements on boards of directors, including one provision that requires all publicly traded companies to form a board-level risk committee.
"Regardless of whether these bills are passed, it is clear that greater shareholder action pertaining to risk management can be expected," says Ms. Narvaez. "This is huge, and corporations have to deal with it."
It's Not about Hazard Insurance
Let's be clear: this latest focus on risk management is not about the threat of floods, sexual harassment, or even run-of-the-mill embezzlement. Corporate executives and board members are now embracing the idea that an effective ERM program not only protects the organization from catastrophe as it pursues its over-arching strategy; it also allows the organization to stretch its capabilities.
A sports analogy is useful: the experienced deep-sea diver would never dream of descending too far without a back-up oxygen supply, water pressure gauges, and other risk assessment equipment. Similarly, an effective ERM program allows an organization to successfully cope with the risks inherent in an ambitious pursuit.
Today, risk is not viewed only as a potential cost or a negative event to be avoided pure and simple. Rather, risk is perceived as uncertainty that can be understood, measured, monitored, mitigated, and ultimately leveraged. The best-practice ERM program allows decision-makers to make well-informed decisions about the inherent trade-offs between risk and reward. Also noteworthy: a mature ERM program recognizes that risks and risk-mitigation plans change over time as any number of internal and external variables change.
Impact on CFOs
According to recent research by APQC, the CFO is most frequently cited as the senior executive with direct oversight of the core ERM team. (See chart below.) Note that more than 70 percent of the organizations surveyed by APQC had revenues in excess of $1 billion.

This does not come as a surprise. After all, one tends to find that the CFO at large, complex organizations has responsibility for, among other things, enterprise-wide performance modeling and forecasting, regulatory compliance and disclosure, and management reporting.
The Office of the CFO usually has enterprise reporting frameworks, processes, and protocols in place that look across organizational silos. That environment is a good fit for the ERM team that must also work across organizational silos and roll up its findings and analyses to the executive team and the board.
Note, too, that the APQC research, which will be released publicly in full this summer, shows that best-practice organizations have a Chief Risk Officer (CRO) who interfaces proactively with the strategic planning and internal audit functions, but does not fall under the auspices of internal audit. The CRO's assessments of business unit risk typically inform the annual audit plan -- and in some cases the internal audit executives sit in on high-level reviews of risk assessment and mitigation.
In all, the buck lands on the desk of the CFO, and that ropes in the attention of the CEO with a firm yank. And that's what the regulators and stakeholders who are riding the third wave of governance reform want to see.
Mary Driscoll serves as senior research fellow at APQC, a non-profit benchmarking and best-practice research organization. She leads its new financial management research initiative and is a regular contributor to Business Finance.
Risk management is always a top priority
Risk management will always be at the top of the list of priorities for a company undergoing rapid expansion. This is especially true in today's unpredictable and volatile climate. A good management team is able to react to various problems and find solutions fast.
Best Regards
Harri Jussila - Personal Time Management
The job of the CFO is not an easy one
The job of the CFO is not an easy task. They have to juggle a lot of things. It is not a walk in the park. However, at the end of the day, it is not only the CFO that is the core of the team; a lot of people are involved. It is still a team effort to drive the company in the direction they want to go. - Dean Spasser