Corporations are increasingly turning to technology solutions that help them manage risks across the entire organization.
The world is changing dramatically, and transparency and management of risks across an organization is absolutely necessary. With more and more responsibility for this on the desks of CFOs and treasurers, the job is becoming increasingly difficult. In the wake of accounting standards changes, the introduction of Sarbanes-Oxley, Basel II and so on, managing enterprise-wide risk is ever more important.
This rapidly changing corporate landscape has given rise to a new concept: corporate enterprise risk management. Under the guidance of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private sector organization set up to improve business ethics, this concept was developed into a framework, COSO ERM, that is being used by companies to tackle risk across all levels of the organization. Sponsored by a number of financial and accounting professional organizations in the United States, COSO has released research and publications on internal control, compliance and risk management.
Miles Everson, a partner in PricewaterhouseCoopers Advisory, says that corporates are very much aware of the COSO ERM framework: "It is serving as a principles-based framework that companies are using to design, implement and operate enterprise risk management approaches tailored to best fit with their own organizations." Cintra Olson, US business manager at solutions provider CODA, adds: "What the COSO framework has done is take risk management to the next step and build a blueprint to manage risk within the overall organization."
According to a number of consultants and risk management specialists, looking holistically at risk is critical to providing the transparency and control now necessary for an organization of any size. Christy Kaufman, associate director of enterprise risk management at insurance giant Aon, says most companies are still in the early stages of doing so. "They may have done a risk assessment, and now their challenge is to operationalize the process on a real-time, ongoing basis," she explains.
The next step is to assign accountability for managing risks that have been identified during the assessment process. "This can be tricky because it can cause some political upheaval within the organization," says Kaufman. It is important, however, to allocate responsibility and set up a mechanism for ongoing assessment of progress.
Kaufman adds: "It is not necessarily appropriate for all companies, but technology can really help by automating the governance process, and there are a number of good systems on the market." When looking at systems, it is critical that companies ensure the system they choose fits their processes, rather than buying technology first and trying to fit it to internal processes after the fact. "A lot of the off-the-shelf solutions are not as customizable as they appear at first glance," she says.
Choosing the Right Tools
Ruud Nijs, head of financial logistics at Dutch bank Rabobank, believes that information linked into technology has a big impact on the speed of decision-making. "Having greater information available for decision-making in a shorter timeframe can be a great help," he says.
To address that, Rabobank developed the Enterprise Risk Management Scan to help simplify the process of analyzing and managing risk across an organization. "The first step that we go through with a client in looking at enterprise risk management is deciding on the real issues that the company wants to address. This is the problem-definition stage. After this, we conduct an internal and external analysis of all possible risks with the client," says Nijs. "Internally this means a client profiling exercise. Externally, we look at the company's industry, the lifecycle of the company, its position, external risks and so on."
From the information it collects, Rabobank creates a risk profile of the company, based on which it can advise on high-risk areas and the probable impact of those risks on the company. Rabobank uses an internally developed technology platform to help clients through the process of risk identification and mapping. In addition to pointing out what areas need better risk controls in place, such tools can also help corporates analyze where they have gone overboard in implementing control mechanisms, according to Kevin Roberts, vice president of business development at CODA. "Using these tools is as much about stopping over-controlling as it is about setting up needed controls," he says.
Managing controls and reporting are critical issues for corporates. Advertising distribution group MediaForce is in the process of implementing CODA's reporting tool, CODA-XL. MediaForce wanted a tool that could help with complex reporting requirements by managing internal information-gathering across the organization. Ian Springett, MediaForce finance director, says: "We have a complex organizational structure because the group is made up of lots of different companies. Therefore, we need a flexible chart of accounts that can handle the reporting of information from each."
Springett adds: "We anticipate that when the system is up and running and fully integrated with our booking systems, we will have a much clearer idea of how the business is performing and will see significant time savings by being able to access the information we want, when we want it."
The Whole Picture
One major indicator that corporates are increasingly looking holistically at risk management is who is now involved in discussions surrounding risk management strategy. Whereas in the past such a discussion would have involved the treasurer, CFO and someone from audit, it would now typically include external audit, legal, HR, internal audit, the treasurer and CFO, a risk manager, CIO and others from IT. Says Kaufman, "There is a definite cross-functional approach taking hold."
Not everyone is convinced that the enterprise-level approach, and technology related to that, is as effective as is touted. Riccardo Rebonato, global head of market risk and quantitative research at Royal Bank of Scotland, says: "In an ideal world we would be able to manage risk at the global enterprise level. In reality that is the Holy Grail. If I were to choose between having concrete, specific, well-researched, but narrow, advice in one particular area of risk, or pretty generic advice on an enterprise level, I would prefer the former."
There is a lot of pressure now on companies to quantify enterprise-level risk, according to Rebonato. "When looking at this, it is very important that management really make themselves happy that they have explored and carefully tested the sensitivity of the output to the quality of the input," he says. "When we see hard numbers, we tend to forget that sometimes the input was based on subjective information."
Rebonato says that there is a place for enterprise-level risk assessment, but that caution must be used in analyzing results of such an assessment. "By far the most intuitive and appealing approach to my mind is greater reliance on expert judgment aided by quantitative data."
Kaufman adds that it is important to continuously revisit what your core objectives were at the outset. She says: "You have to dedicate resources to this long term. In terms of solutions, you see a lot of low-hanging fruit where it is tempting to get sidetracked resolving a specific issue and lose sight of what you want to accomplish over the longer term. Companies expend a lot of energy on treating those risks that have been identified, but you need continuous oversight as well."