Law & Governance
The risks that blew up in the faces of boards at companies such
as WorldCom, Enron, and Parmalat all come under the general
category of operational risk, broadly defined as the danger of loss
resulting from inadequate or failed internal processes, people, or
systems, or from external events. These can include:
- Unscrupulous managers.
- Business interruptions caused by terrorism, war, or natural
- Supply-chain breakdowns.
- Changing technology.
- Increased competition.
The second, more familiar category of risk is financial, including stock-market fluctuations, variations in foreign exchange rates, and interest-rate volatility. What both operational and financial risks have in common is that they can vaporize shareholder value, create legal and regulatory difficulties, and batter a company's reputation.
"It's become clear over the last several years that instead of looking at the silos within companies where risks are located, you need to have a company-wide view, where the goal is to measure and aggregate risk across the entire enterprise," says Federal Reserve Board governor Susan Schmidt Bies. "You need to be managing these risks consistently and to understand how the different risk exposures move in relation to each other." Before she joined the Fed in 2001, Bies had worked at First Tennessee National Corp. since 1979, most recently as executive vice president for risk management.
An undetected operational risk was behind last year's scandal at the giant insurance broker Marsh & McLennan, where a lawsuit exposed long-term practices of price-fixing and bid-rigging. In addition to looming fines and settlements that could reach $1 billion, Marsh & McLennan's stock price initially fell by about 50%, its debt rating was downgraded, its chief executive officer resigned, several other senior executives were asked to step down, and the board was overhauled. Ironically, the Marsh website trumpets the company as "the world's No. 1 risk specialist."
"It's no secret that the risks directors need to consider in serving on a board have ratcheted up considerably in the last five or 10 years," says Judith R. Haberkorn, chair of the risk management committee at MCI. "And there's no question that every board and audit committee in the world is trying to understand all the elements of risk that face their companies."
Adds Richard Steinberg, head of Steinberg Governance Advisors in Westport, Connecticut, and a former senior partner at PricewaterhouseCoopers: "Directors need to know, in their oversight capacity, that management is bringing the most critical risks to the attention of the board. The only way they can know that is if they are comfortable that management has in place processes to identify risks throughout the organization."
Regulatory agencies around the world have enacted reforms and governance regulations designed to improve risk identification and management. Many companies have appointed chief risk officers to oversee the management of risk. Increasingly, companies are moving toward formal "enterprise risk management" (ERM) systems capable of monitoring the menu of financial and operational risks across an entire enterprise. But evidence from recent surveys shows that many boards and top executives still aren't confident that their risk management systems are effective and comprehensive.
Regulations have increasingly spelled out the need for directors to formally oversee risk management. In 2003 the New York Stock Exchange amended its listing requirements, setting forth procedures that enable audit committees to take responsibility for overseeing risk exposures and risk management processes. Last fall the Committee of Sponsoring Organizations, an influential private-sector group devoted to improving financial reporting and governance, released Enterprise Risk Management-Integrated Framework, a report aimed at providing a benchmark by which companies can evaluate ERM processes.
MCI's board-level risk management committee, which is separate from the audit committee, grew out of the company's emergence from the wreckage of WorldCom and from one of the most exhaustive corporate governance overhauls in history. Former Securities and Exchange Commission chairman Richard C. Breeden, called in to perform a postmortem and make recommendations for action, produced a 150-page report entitled Restoring Trust. It contained 78 different recommendations for governance improvements. One of Breeden's criticisms of the WorldCom directors was that their involvement in risk assessment was "strikingly absent."
"There is no indication," he wrote, "that the board analyzed how the enormous debts being accumulated by the company in acquisitions would be carried and ultimately retired. . . . The board failed to understand WorldCom's risks . . . or to design adequate risk control policies." Following the suggestions in his report, the revamped board formed a risk management committee consisting of three independent directors, with a detailed charter setting forth its key responsibilities. The advantage of having a committee to evaluate risk that is separate from the audit committee, says Jennifer McGarey, MCI's corporate secretary, is that the risk committee can consider a broader range of hazards than the audit committee, which tends to focus on the financial side.
Governance experts think that forming a risk management committee is a good idea, especially for larger companies. "There's a logic to giving the audit committee responsibility for oversight of risk management," says Richard Steinberg of Steinberg Governance Advisors. "The audit committee is focused on internal controls, and there's typically a great deal of overlap. But my experience is that audit committees already have a lot on their plates. There's no doubt that boards are looking now more than ever at how managements are dealing with the broad range of risks, and establishing a separate risk management committee provides additional, targeted focus for doing that."
Companies in Europe and Canada seem to be further along in instituting integrated approaches to risk management than their U.S. counterparts. PricewaterhouseCoopers devoted its 2004 Global CEO Survey to risk management. The report, Managing Risk: An Assessment of CEO Preparedness, surveyed nearly 1,400 chief executives in North America and Europe and found that comprehensive risk management is still uncommon among corporations in general and U.S. companies in particular. (Financial companies, which began following bank regulatory risk guidelines in the 1990s, are exceptions.) Just under 40% of all CEOs said that risk management was a priority for them and their boards; only 30% qualified as "advanced practitioners" of enterprise risk management. A mere 20% of U.S. CEOs said they had the information they needed to manage enterprise-wide risk, and only 12% affirmed that a common terminology and set of standards existed within their companies. Just 7% of U.S. CEOs strongly agreed that ERM was fully integrated across all units of their organizations, compared with 22% for European companies.
"On a scale of 1 to 10, with 10 being perfect understanding and management of risks, American corporations on average are currently at about 3," says Larry E. Rittenberg, a professor of accounting and information systems at the University of Wisconsin's Madison School of Business. "We should be aiming for a 7 or 8. I'd say '10,' but you need to be realistic. What has been accomplished is that there is awareness that corporations face huge risks in all parts of their business and need to manage them holistically. What is not there yet is that at many companies, risk has not yet become part of the strategic planning process or the corporate culture in the way that managements and boards approach most issues." Rittenberg was a member of the oversight group for the Committee of Sponsoring Organizations' report and is a director himself, serving on the audit and governance committees of the board of Woodward Governor Co. in Rockford, Illinois, a maker of fuel-control systems for turbine and diesel engines.
Canadian companies moved earlier to formalize their approach to risk management. A 2003 study of Canadian risk management practices found that 31% of the country's businesses had adopted ERM and 28% were considering doing so. In Europe, meanwhile, a 2004 survey of 269 companies found that 78% had a clear policy on risk management and 75% had a formal risk management process; 57% of the companies described their risk management policy as covering the widest scope of risks, and 45% said their board of directors or audit committee dealt with risk management at least once a year.
To assess operational risks, says Larry Rittenberg, "board members should ask to what extent management is monitoring changes in competitors, changes in the business environments, and changes in the supply chain: what are the key, critical items for the organization that might present a risk." Operational risks include dramatic, unforeseen events like 9/11 but may also be found in much more prosaic areas, such as supply-chain disruptions, which can be caused by anything from a supplier's bankruptcy to a breakdown of internal processes for planning and production. In 2001 Cisco Systems announced the largest inventory write-down in business history, $2.2 billion, because of flaws in its system for forecasting and ordering components.
A 2003 study by Vinod R. Singhal, a professor of operations management at Georgia Institute of Technology, investigated 838 instances of supply-chain failure reported by the media between 1989 and 2001. On average, the initial news report of a supply-chain glitch was associated with a decrease in the stock price of nearly 11%. Furthermore, the study found that this steep drop in stock price often derailed or slowed the long-term growth of the company and adversely affected its credibility with investors.
"These are humongous effects," says Paul R. Kleindorfer, co-director of the Risk Management and Decision Processes Center at the Wharton School of Business. "There's a growing realization that operational risk can bring a company to its knees, and that's been reinforced by many recent events. We're seeing a real sea change, in which boards are no longer saying, 'If it's only going to happen once every five or 10 years, we're not going to worry about it.'"
Directors view the move toward more formalized, ERM-style approaches to risk management as inevitable. "What you're going to see is more structure around risk management, more committees being formed, and more documentation of risk reports," says Louise C. Forlenza, a CPA serving on the board of Innodata Isogen, a Hackensack, New Jersey, company that helps businesses manage and distribute information on the Web. "Directors need to have a solid and detailed overview. In the old days, everything was in a report. Today we're more involved in discussing risks and including risk in our discussions of strategy."
The potential benefits of implementing enterprise risk management are apparent in the results of PricewaterhouseCoopers' 2004 CEO study. Of the CEOs who said that ERM was a priority, 60% stated that they had confidence in their business operations and 50% said risk management had led to clarity in organization-wide decision-making and the chain of command. Among those not committed to ERM, only 35% said that they had confidence in their business operations and 19% that risk management had helped decision-making. Risk management processes may turn out to be an area in which more scrutiny, and more regulation, also create the conditions for better and more profitable business practices.
Acknowledgment: Reprinted with permission.
This article first appeared in the May / June 2005 issue of Corporate Board Member Magazine.