It’s well known that lack of strategic oversight played a part in the disastrous collapse of many sectors of the economy. While corporate America is certainly more aware of the need for tighter controls, the possibility of major crises continues to loom.
To uncover the general attitudes, efforts and concerns of corporate executives surrounding their own financial and operational oversight, Crowe Horwath commissioned a research study to determine CFOs’ perspectives on enterprise risk management (ERM).
The study revealed some surprises: namely, a lack of understanding and support within many corporations for effective ERM as well as ambiguous roles and responsibilities of different individuals and groups in developing and maintaining controls.
Smart Business spoke to Rick Julien, a partner at Crowe Horwath LLP, to learn more about the survey results and what businesses can do to overcome their own barriers to effective risk management. A new development includes an innovative approach to establishing ERM process roles and responsibilities.
What were the biggest challenges identified in the survey?
The most frequently cited concerns surrounded the fundamental questions of just what ERM involves and who is responsible for ensuring that the process is effective. Most businesses lacked in: ‘managing risk across the entire company,’ ‘improving financial reporting’ and ‘improving internal controls.’ These challenges become particularly daunting when you consider that more than a third of these executives said their companies showed a ‘lack of shared understanding and approach to risk management across business units.’
Considering that ERM is still an evolving process at many organizations, this lack of understanding is not surprising. The complexity of ERM also adds to the governance challenge. The integrated ERM model introduced in 2004 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission organizes risk into four general categories: strategic, operational, reporting and compliance. Each is then defined along a scale that addresses eight stages of ERM maturity; this system is often far too complex for most organizations’ needs.
In most companies, a variety of risks are already being managed in diverse ways. Non-integrated risk management activities may be effective in their limited scope, but there is often no link to broader business strategies.
What do businesses need to do to improve?
A truly effective risk management program will require support from the top. Corporations’ finance executives need to work with C-suite colleagues and boards of directors. Executives also need buy in from business unit managers, audit committees and internal audit teams when developing and executing risk management policies.
Key executives must reinforce and support the role of the chief risk officer or ERM leader and, above all, link the ERM process to other management activities, especially strategic planning and budgeting. ERM activities must be a part of overall good governance processes of the board and organization as a whole.
How should businesses set up leadership roles and responsibilities for ERM?
Organizations must define governance roles with greater precision and differentiate clearly between company activities and board responsibilities. While every organization is different in its needs and structure, a successful ERM governance model will often involve a risk management council and an ERM leadership team.
The risk management council provides executive leadership and reports to the CEO. The council should include senior level executives, who would oversee ERM strategy and infrastructure as well as define the organization’s appetite and tolerance for risk. The council would also monitor and report significant risks, ensure corporate strategy is risk-responsive and provide direction and oversight to the chief risk officer and ERM leadership team.
The ERM leadership team should be led by the chief risk officer or ERM leader and should include some members of the risk management council as well as compliance risk officers and representatives from individual business units. It will oversee the actual execution of ERM-related activities and implement the appropriate ERM infrastructure, which should include a common risk model and definitions, a consistent method of risk assessment, and risk documentation procedures and standards.
Rick Julien is a partner at Crowe Horwath LLP. Reach him at (214) 574-1000 or firstname.lastname@example.org, or visit the company’s website at www.crowehorwath.com.