Just when directors thought that no more could possibly be expected of them — especially after the enactment of Sarbanes-Oxley (SOX) — they are now confronted with a new acronym: ERM (enterprise risk management).
Directors are now expected to conduct oversight of their company’s enterprise risk, when just a few years ago very few people had even heard of ERM. Additionally, the audit committee of a company now seems to bear a disproportionate amount of the responsibility for ERM.
What Is Enterprise Risk?
Wikipedia has, in my opinion, an excellent definition of ERM: “Enterprise Risk Management are the methods and processes used to manage those risks, possible events or circumstances that can have influence on the enterprise in question.
“By identifying and proactively treating such potential effects, one protects the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external effects on society, markets or the environment.”
The key to ERM is to identify what risks could cause substantial damage to your company, to prioritize those risks, to set up a proactive monitoring process that will focus on mitigating risks — and to choose who will be responsible for your company’s ERM, including management, board of directors and/or outside consultants.
Listen to Ted di Stefano (6:27 minutes)
Your company should be thinking as broadly and globally as possible when it comes to defining and identifying what risks could do it harm. In other words, it should compile a complete inventory of the credible risks that could beset the organization.
Here’s how I define a broad swath of risks:
- Credit Risks: The risks of debtors of the company not being able to pay their debts as they come due. This risk applies mainly to financial companies like banks, mortgage companies and credit card companies.
- Underwriting Risks: The risks coming from wrong assumptions by company underwriters. This risk is most common with life and property insurance companies.
- Risks from Disasters: This could be any of a long list of events that could affect multiple industries. One present-day risk that comes to mind would be a terrorist attack.
- Regulatory Risks: This occurs when some sort of government regulation is violated. In today’s environment, the first thing that I think of is some SEC (Securities and Exchange Commission) or SOX violation.
- Operational Risks: This would include risks to your production capacity, labor unrest, supply chain disruption, etc.
- Strategic Risks: These would include various risks posed by your competition such as a patent violation, new product development, pricing strategies by your competitors, etc.
- Human Resources Risks: This would include in-house fraud, major morale problems, management change and a corporate culture that is misaligned with your company mission and corporate responsibilities.
Choosing Your Risk Management Team
The CEO of a company should be very clear as to who is responsible for the overall execution of a risk management strategy.
In this regard, we now have yet more acronyms to talk about and they are the DRM, or director of risk management, sometimes called the CRO, or chief risk officer. This title can be somewhat different from company to company, but whatever you call this position the person in charge should be clear that he/she is responsible for overseeing your company’s risk management strategies.
However, the responsibility for risk management doesn’t rest solely with management. Boards are increasingly being held responsible for risk management failures that they should have foreseen.
I’ve read studies wherein the entire board is cited as being responsible for ignoring looming risks. In addition, I’ve read studies that put an inordinate amount of responsibility on the audit committee — as though being responsible for SOX and its implications isn’t enough.
Establish a Risk Management Committee on Your Board
As it appears that a good amount of responsibility for risk management is laid on the board, I feel that in some cases a separate committee should be established that would focus solely on risk management.
Obviously, this puts a good amount of responsibility on the members of the risk management committee. However, this burden has the positive effect of highlighting risk management not only to the board, but to the corporate officers as well.
The company might very well have a director of risk management, yet it would still be appropriate to have a risk management committee of the board of directors. The DRM would answer to the CEO and could give periodic reports to the risk management committee of the board as well as to the entire board.
The risk management committee would create its own report for the full board of directors.
Is Risk Management Overblown?
Someone recently told me that we’re really overdoing it with so much present-day focus on risk management and best practices for risk. I responded by saying that I looked at this as sort of a coin toss: heads you establish a risk management committee; tails you are forced to establish a crisis management committee.
If you are a corporate officer or board member, would you choose heads or tails? I know where I would place my bet.
Theodore F. di Stefano is a founder and managing partner at Capital Source Partners, which provides a wide range of investment banking services to the small and medium-sized business. He is also a frequent speaker to business groups on financial and corporate governance matters. He can be contacted at [email protected].