As an enterprise approach to managing risk takes hold, risk managers are transcending their traditional role of insurance buyers.
Business is arguably more fraught with risk than ever before. As a result, risk management not only holds a spot on most CFOs' agenda, but it is also a top priority. That means CFO expectations of the risk-management function and of risk-management executives themselves are changing. And the key to success for those risk-management leaders is finding ways to understand and meet current expectations while watching for those expectations to evolve along with the risks.
The nature and speed of these changes are likely to be as unique as each company. Risk management in many organizations is still an isolated undertaking, which means only a few individuals can see what is happening across the entire enterprise. But the growing trend toward enterprise risk management (ERM) is slowly changing the dynamic and expanding the job of risk-management executives well beyond traditional expectations.
"The risk-management role has traditionally focused on insurance programs and managing physical and business interruption exposures," says Randy Marshall, managing director, financial risk solutions, with Protiviti in New York City. "It clearly is evolving away from that to focus on driving risk-adjusted return on invested capital and shareholder returns." For CFOs to fully understand the relative level of risk they are taking on to achieve a specific return, they need more risk-related information and support. "CFOs are looking for more from risk-management executives in order to calibrate the risk in the organization," he says.
To provide the kind of input that CFOs need, according to Marshall, companies should build a risk-management infrastructure with six elements -- strategies and policies, processes, people and organizational structure, management reports, methodologies for using data, and systems. When this type of structure is in place, the risk-management executive can feed more robust risk data to the CFO and other members of the leadership team. "The key is to develop a better way to think about risk," says Marshall.
When a company embarks on a full ERM process, risk-management executives will stand front and center, breaking new ground and initiating risk-management efforts in many parts of the organization. CA, an IT management software company headquartered in Islandia, N.Y., has launched an ERM initiative with Marc Loupe, senior vice president and general auditor, at the helm. Dedicating an executive to the initiative will "help ERM get more attention from the business-unit general managers because we need to get them to focus on ERM," says Bob Davis, executive vice president and CFO at CA. The company also has a risk manager who handles traditional programs such as insurance.
Loupe will work closely with business-unit executives to help them understand why ERM is important to their operations, a crucial first step in the initiative. "ERM, if you do it right, becomes a partnership with the businesses, as they all work to make sure they can see what is in front of them and that their headlights are still operating," says Davis.
Getting involved in the work of operating groups isn't always easy. When risk-management executives start interacting with business units in their newly defined roles, debate can erupt about whether certain risk measurement and management activities should reside with line management or risk management. "Effective risk management requires the ability to walk in the shoes of operations," says David Kelsey, senior vice president and CFO at Sealed Air Corp., a global manufacturer of packaging products based in Saddle Brook, N.J. "Risk management can't be perceived as getting in the way of what business wants to do. Risk management needs to manage exposures, but not by creating more work or increasing costs."
Once risk-management leaders have gained the attention and trust of the operations managers, they need to assume the role of educator and help the managers identify their key risks. Only then can the risk-management executives measure the probability and materiality of risk events and the potential impact of those risks while also working with other managers and executives to develop an appropriate risk-mitigation and management plan. "Risk managers have to provide information to which operations managers can react," says David Axson, president of the Sonax Group, a consulting firm headquartered in Bath, Ohio. "They can use this intelligence to make better decisions."
Some companies have developed organizational structures that help to bring risk-management executives into greater contact with others in the organization. Richard Sarnie, director of risk management for Engelhard Corp., a basic materials company based in Iselin, N.J., knows exactly what the company's CFO, Michael Sperduto, expects from him because Sarnie is a member of the finance council Sperduto leads, along with all of the finance managers who report to Sperduto. The finance council meets every six weeks to discuss issues in the business and decide how the group can work together to manage those issues. It is through these council meetings that Sarnie hears about new product lines and other developments that might affect the company's risk exposure. For example, if the company is expanding into new markets that represent a new type of credit risk, "I can work closely with the credit department to provide them with solutions for managing those risks," says Sarnie. At the council meetings, "we talk about risk, how we can help each other, and how the finance organization can work better together in all areas, not just risk."
Including Sarnie on the finance council does more than expose him to areas of the company that need his expertise; it sends a clear message that Sarnie's role in the organization is far more than just buying insurance. "Managers and executives understand that my focus is on helping to manage business risk and improve the bottom line," says Sarnie. The business-unit controllers are also part of the finance council, so Sarnie has an automatic strong connection to the company's business units and an opening for helping those business units manage risk more effectively.
At Sealed Air, risk management's role has been evolving for some time. With this function in the lead, the company has undertaken initiatives to strengthen business continuity and crisis management, says Kelsey. Sealed Air needed to develop ways to manage risks with a coordinated response across the company because half of the company's business is outside the United States.
To that end, risk management has been working with both senior management and local plant management to develop an appropriate risk-management response to certain types of events, such as a major disruption at a particular plant. This includes developing plans for shifting production to other facilities and securing financial data and customer records so that the transition is seamless and invisible to customers. Risk management is reaching out to individuals throughout the company because "we need to have a knowledgeable group of people to develop this type of game plan for our plants around the world," says Kelsey.
Corporate governance is an important area where risk managers can provide value. At CA, which is recovering from an accounting scandal, another of Loupe's jobs is to see that the organization is above reproach in its compliance with the Sarbanes-Oxley Act, particularly the internal controls documentation and testing required by Section 404. He is also tasked to figure out how ERM can benefit from these efforts. "Rather than looking at Sarbanes-Oxley from a pure compliance standpoint as something we have to do, we want to look for ways to reap some benefits from that work," says Davis. "We think it can be a major force for process improvement."
The potential for risk management to provide proactive services to CFOs is high. "By the time risks have an impact on the company and its finances, it is too late to do anything about it," says Axson. As a result, companies are increasingly looking for emerging risks and identifying mitigation efforts that will buy time to react appropriately. For example, if a company picks up signs that its largest customer may stop doing business with it and a plan for such a contingency is in place, the organization can begin the mitigation efforts contained in the plan to buy time to retool its business and minimize the financial impact if the risk does become a reality.
Davis expects ERM to play an important proactive role in CA's acquisition activity. "ERM plays a key part in the due-diligence process," says Davis. "This way, we can identify risks early on and remediate as soon as possible." In the past, if risk management were involved in an acquisition, it would occur once the deal was done. "We are building ERM into the DNA of the company by focusing on how we manage risk rather than handling the results of a problem," he says.
To be able to fulfill the evolving risk-management role, risk managers will have to expand their knowledge sets by improving their understanding of the business and its strategic orientation, Protiviti's Marshall points out. "The CFO expects risk management to deliver a certain amount of value to the organization." He adds that CFOs also want a read on the effectiveness of the resources deployed and insight into how to allocate capital internally. Risk management can develop methodologies and allocation models to help CFOs make those decisions.
Davis has a similar point of view. Risk managers need to build their financial acumen and develop the ability to view the total business spectrum for risks, then devise solutions for managing those risks, he emphasizes. "Historically, risk management has been a classic finance function," says Davis. "But risk managers need some operations savvy." For example, risk managers have to look ahead for new trends and developments that could change the company's risk profile and priorities. After all, he says, "the risks companies face today are different from those they faced in the past."
Davis believes that interest in ERM is growing, particularly now that some companies are completing their second year of Sarbanes-Oxley compliance and are looking for ways to leverage that work to improve operations. "ERM is in the spotlight now, but at some point the spotlight will move unless there are enough improvements and interest to keep it there," says Davis. "It is up to risk managers to step up their game over time. If they do, they can become a huge asset to the company."
New Jobs Opening Up in Risk Management
The rise of risk management has led to new career opportunities in the field. A growing number of companies are creating a chief risk officer (CRO) position, a role once limited exclusively to financial services and insurance companies. In some cases, the CRO is a peer to the CFO rather than a direct report, according to Paula Park, senior client partner, financial officers practice, at Korn/Ferry International in San Francisco. "CFOs are not over the CRO." In some cases, companies tap chief audit executives to step into the CRO role, with internal audit reporting to the CRO, she says.
In general, companies are looking for CROs with strong leadership and execution skills, as well as broad experience in finance and operations. "They don't just want people with experience on the technical level but also with experience at the business-unit level," says Park. "CROs need to offer help throughout the organization, so they need a broader experience base." Some companies are opting to rotate the CRO role among executives from legal, finance and operations. However, the exact structure and responsibilities of the position are likely to vary considerably from company to company based on their industry, markets, customers, products and many other factors.
Individuals in job ranks below CRO who possess risk-management experience also see new opportunities in risk management and in other functions. These employees are valuable because "a risk-management position provides a very broad perspective of what goes on in a company," says David Kelsey, senior vice president and CFO of Sealed Air Corp. in Saddle Brook, N.J. In his view, the position also requires communication and analytical skills as well as the ability to make sense of often ill-defined risks and quantitative costs and benefits and the initiative to remediate those risks. "These characteristics lend themselves to moving up in the organization," he says.