Ten years after the Sarbanes-Oxley Act highlighted the need for better corporate risk management, many experts say that companies’ misguided efforts to do so actually pose a new kind of risk.
The main problem, they argue, is that companies are not defining risk in the right way. They pay too much attention to a common subset of risk management activities, such as insurance coverage, fraud detection, and regulatory compliance, while ignoring more-important risks. Risk management “typically focuses on operational risks and compliance risks, but those are a small piece of the puzzle,” says Christopher Dann, a vice president at consulting firm Booz & Co. Even financial risks like bad debt or fraud, “in terms of shareholder-value loss, are very, very minor.”
Instead, a Booz & Co. study of 1,200 large companies over a five-year period suggests that “more than 60% of [shareholder] value lost over the last decade has been attributable to strategic risks, like being in the wrong market with the wrong product,” Dann says. Very few risk management programs would regard the “What product in what market?” question as falling in the risk domain.
Another flaw in many programs is that they’re too complex, putting form over content. Board members and management “need to be mindful of a risk management program that is so extensive it paralyzes the company,” says Michael Peregrine, a partner at law firm McDermott Will & Emery specializing in corporate governance.
Some CFOs would argue that they dodge these pitfalls by approaching risk management not as a formal process but as a concern that is woven through all strategic decision-making. “Senior management doesn’t think about managing risks; we think about managing the business, where there are risks around every corner,” says Dennis Hernreich, CFO and chief operating officer of the nearly $400 million Casual Male Retail Group. “[Risk management] is just part and parcel of everything we do.”
Whatever the starting point, the good news is that CFOs can and should be leading the risk management charge, in whatever form it may take. And a major key to handling that successfully, many CFOs believe, is to inculcate risk management savvy into every corner of the organization.
“I see every risk translating into a number in some way or another, whether it’s the loss of sales or the loss of opportunities,” says John Varvaris, CFO and COO of Best Doctors, who recently initiated a companywide risk management program. Here, we look at some of the key components of how to sharpen a risk management program and get it right.
Human Capital: How to Build a Risk Team
Varvaris joined fast-growing global medical-specialist network Best Doctors as CFO three years ago, after 30 years working in the insurance industry and two as a risk management consultant. So it’s not surprising that one of the first holes he noticed at the $120 million firm was the lack of a formal risk management function.
“I knew right away we had to put something into place,” says Varvaris. The first step: get the rest of the senior leadership team on board. “If you put something in place but the executive management team doesn’t buy into it, it dies on the vine.” The task at Best Doctors was relatively easy, Varvaris says, as the company’s senior leaders quickly agreed that it was time to formalize efforts.
Step two was to assemble the right people to assess the firm’s risks, in this case by creating a risk management committee. The committee began with 12 people: the heads of business units and geographies, as well as key departments like finance (which was represented by the vice president of finance, because Varvaris himself was chairing the committee) and IT, and the company’s chief actuary. That group meets quarterly for about two and a half hours each time.
Once the committee was formed, Varvaris focused on its education. To make sure everyone had a common understanding of risk management, he ran a brief survey with open-ended questions asking committee members what they thought risk was, and how they might measure it. “People had different answers,” he recalls, “so we went through a little tutorial of how you identify and measure risk as a corporation.”
Once everyone was up to speed on the working definitions, the group then collectively set a risk-appetite level for the organization based on the impact the risk would have on several key metrics, including revenue growth, earnings, and shareholder equity. For any given decision to move forward, its potential estimated negative impact can be no more than half the total risk appetite, since there could be more than one incident in a year.
Committee members self-assess their parts of the business before each meeting and report on the top 5 to 10 risks they face and what they’re doing about them. From there, each risk is plotted on a grid according to its potential severity and likelihood, with the results helping the committee winnow many dozens of items down to a list of the top 10 risks for the corporation as a whole. “The goal is to anticipate things before they come up; if you have a good team that’s challenging each other, you get some of that,” says Varvaris. “But trust among the team is critical, so they can share their areas of exposure, rather than trying to prove they don’t have any.”
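The two mechanics described above, the risk-appetite rule (a single decision may consume no more than half the appetite) and the severity-by-likelihood grid used to winnow the business units' self-assessments down to a corporate top 10, are concrete enough to put in code. The following is an added illustration written for this article; it is not Best Doctors' own tool, and the 1-to-5 rating scales, the tie-breaking rule and the sample risks are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    unit: str         # business unit or geography that self-assessed it
    name: str
    severity: int     # 1 (negligible) .. 5 (catastrophic); assumed scale
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale


def risk_score(risk: Risk) -> int:
    """Collapse the grid cell to one number: severity x likelihood (1..25)."""
    for value in (risk.severity, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: ratings must be 1..5, got {value}")
    return risk.severity * risk.likelihood


def grid(risks):
    """Group risk names by (severity, likelihood) cell, i.e. the committee's plot."""
    cells = {}
    for r in risks:
        cells.setdefault((r.severity, r.likelihood), []).append(r.name)
    return cells


def top_risks(risks, n=10):
    """Winnow every unit's list to the n highest-scoring risks for the corporation.
    Ties on score are broken by severity (an assumption): a high-impact, low-likelihood
    item outranks a low-impact, high-likelihood one with the same product."""
    return sorted(risks, key=lambda r: (risk_score(r), r.severity), reverse=True)[:n]


def within_appetite(est_negative_impact: float, total_risk_appetite: float) -> bool:
    """A single decision may consume at most half the appetite, so that a second
    incident in the same year does not exhaust it."""
    if total_risk_appetite <= 0:
        raise ValueError("risk appetite must be positive")
    return est_negative_impact <= total_risk_appetite / 2


# Constructed sample self-assessments; not real data from any company.
SAMPLE_RISKS = [
    Risk("Finance", "Capital shortfall before next funding round", 5, 4),
    Risk("IT", "Outage of member-facing portal", 4, 3),
    Risk("IT", "Breach of member health records", 5, 2),
    Risk("Europe", "Loss of largest insurer client", 4, 2),
    Risk("Asia-Pacific", "New entrant undercuts pricing", 3, 4),
    Risk("Actuarial", "Claims frequency above model", 3, 3),
    Risk("HR", "Key physician-network manager leaves", 2, 4),
    Risk("Finance", "FX exposure on euro revenue", 2, 3),
    Risk("Legal", "Regulatory change in data residency", 3, 2),
    Risk("Operations", "Call-center vendor misses SLA", 2, 2),
    Risk("Marketing", "Campaign overspend", 1, 3),
    Risk("Facilities", "Office lease renewal at higher rate", 1, 2),
]

if __name__ == "__main__":
    for rank, r in enumerate(top_risks(SAMPLE_RISKS), start=1):
        print(f"{rank:2d}. [{risk_score(r):2d}] {r.unit}: {r.name}")
    # Appetite expressed in the same units as the impact estimate (assumed: $ millions).
    print("Decision with $4M downside, $10M appetite:", within_appetite(4.0, 10.0))
    print("Decision with $6M downside, $10M appetite:", within_appetite(6.0, 10.0))
```

The score is deliberately only a sorting aid: the committee still looks at the grid cells, and the `within_appetite` check is applied per decision, not to the aggregate list.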
Over the past three years, Varvaris says he has seen an evolution in how his colleagues approach risk. “People understand it; the [self-assessments] are getting a bit more realistic each quarter,” even as new people join, he says. The committee now has 14 members, with some of the original members rotated out and representatives from several new business areas joining. Enthusiasm for learning is no doubt boosted by the fact that Varvaris gives the committee credit for several successes. One example: in 2010, the group pinpointed that the company would soon run out of capital for growth. That spurred a $20 million equity-capital raise from strategic investor Nippon Life last April.
While he is constantly reassessing the work and composition of the group, Varvaris says the very act of carving out time for people to think deeply about what can go wrong in their businesses is vital. “Unless people come with a risk management hat on, you’re not really going to get the focus and attention you need. In our meetings, we’re not talking about the staff, or goals for the quarter, or anything like that; it’s just risk management, and you get a lot of value out of that.” And the price is right: not counting any risk mitigation strategies the company might take, there’s “no cost, just the leadership team’s time.”
Such companywide risk committees are “one of the best practices I’ve seen,” says Hank Prybylski, a risk management expert at Ernst & Young specializing in the financial-services industry. While the finance department often takes the lead, “including the businesses as well as the key support groups on a level playing field to identify risks and make decisions helps create more ‘risk-spotters’ across the organization,” he says.
Supply Chain: How to Find Out What Risks Lie Beyond Your Walls
If there is one part of the organization that has proven more vulnerable in the past year, it’s the supply chain. “The supply chain is usually cited as the biggest driver of uncertainty, because it has become much more globalized and in some cases much more vulnerable to disruption,” says Dann of Booz & Co. Natural disasters and man-made ethics violations have combined to create major headaches even for companies that have diversified their supplier base. (For a related look, see “To Be Continued?” in the March issue.) Dell CFO Brian Gladden recently explained to analysts that the company was forced to give up some margin gains in 2011 due to the strain Thailand’s floods put on its hard-disk-drive makers. The news of the runaway success of Apple’s iPhones was mingled with headlines about the harsh conditions at its contract manufacturing facilities in China.
How can CFOs get more intelligence on those critical elements outside their direct control? While routine supplier audits are standard procedure at many firms, what happens in between audits can still be damaging. That’s why Jin Leong, chief procurement officer for the International Monetary Fund, recently implemented a “supplier observation database” designed to capture the procurement staff’s current concerns about the institution’s most critical vendors. Since the IMF operates as a financial-services organization, Leong, based in Washington, D.C., is most concerned about firms like the fund’s offshore IT providers, back-office function outsourcers, and key economic data providers.
Leong launched the database in mid-2011, and has since sent out e-mails encouraging staff to log what they notice about the suppliers that they work with most closely. Examples of useful observations: supplier performance metrics that are trending downward, staffing changes, decreasing responsiveness from a vendor, and management gaffes, like a CFO who has trouble explaining what happened in a quarter. Any one negative observation isn’t likely to change much, Leong explains, but taken together, a series of observations could prompt some action. “The database is fairly easy to set up; making sure it’s used appropriately is the harder part,” he says. One challenge: getting people “away from the idea that it has to be 100% accurate,” says Leong.
Indeed, such databases are becoming more common, but they inherently require a designated owner “to control the quality of the entries,” says Gene Tyndall, executive vice president of global supply chain services for consultancy Tompkins International. “We would not want one minor issue that may have occurred in an isolated situation to be reported as a major recurring crisis.”
While natural disasters may never lend themselves to advance warnings, experts say it can also be helpful to populate such databases with external information. “It is important for risk managers to consider more than just those factors that can affect their suppliers directly; equally important are the risks to the environment in which the supplier is operating — including geopolitical and economic factors, labor and health trends, and natural hazards,” says Gary Lynch, global risk intelligence strategies practice leader at Marsh.
About six months into the project, Leong says he is still eyeballing the data, given its relatively low volume. Long-term, he hopes to amass enough data to identify patterns. Pinpointing certain sequences of events that lead to, say, bankruptcy, or a supplier being acquired, could give the IMF more time to prepare for those risks. “You could set up very complicated rules or very simple ones, such as sending up a red flag on anyone who has more than five negative observations, or on three particular types of things that occur within a three-month period,” he adds.
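The two rules Leong sketches, a red flag on any supplier with more than five negative observations and a flag when three particular kinds of observation occur within a three-month period, translate directly into detection logic over the observation log. The code below is an added example written for this article, not the IMF's database or any real tool; the observation categories, the 90-day window and the supplier names are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Observation:
    supplier: str
    observed: date
    category: str   # assumed set: performance, staffing, responsiveness, management
    negative: bool
    note: str


def flag_negative_count(observations, threshold=5):
    """Simple rule: flag any supplier with more than `threshold` negative observations."""
    counts = Counter(o.supplier for o in observations if o.negative)
    return sorted(s for s, c in counts.items() if c > threshold)


def flag_category_cluster(observations, categories, window_days=90):
    """Pattern rule: flag a supplier when every category in `categories` shows up as a
    negative observation inside some rolling window of `window_days`."""
    wanted = set(categories)
    by_supplier = defaultdict(list)
    for o in observations:
        if o.negative and o.category in wanted:
            by_supplier[o.supplier].append(o)
    flagged = []
    for supplier, obs in by_supplier.items():
        obs.sort(key=lambda o: o.observed)
        for i, start in enumerate(obs):
            end = start.observed + timedelta(days=window_days)
            seen = {o.category for o in obs[i:] if o.observed <= end}
            if wanted <= seen:
                flagged.append(supplier)
                break
    return sorted(flagged)


def review_queue(observations, threshold=5, categories=(), window_days=90):
    """Map each flagged supplier to the names of the rules that fired, for a human owner
    to review; the rules only prioritise attention, they do not judge the supplier."""
    hits = defaultdict(list)
    for s in flag_negative_count(observations, threshold):
        hits[s].append("negative_count")
    if categories:
        for s in flag_category_cluster(observations, categories, window_days):
            hits[s].append("category_cluster")
    return dict(hits)


# Constructed sample entries; supplier names and events are fictional.
SAMPLE_OBSERVATIONS = [
    Observation("OffshoreIT-A", date(2011, 7, 5), "performance", True, "SLA missed twice"),
    Observation("OffshoreIT-A", date(2011, 8, 1), "responsiveness", True, "tickets aging"),
    Observation("OffshoreIT-A", date(2011, 8, 20), "management", False, "new CTO, credible plan"),
    Observation("OffshoreIT-A", date(2011, 9, 10), "performance", True, "batch jobs late"),
    Observation("OffshoreIT-A", date(2011, 10, 15), "responsiveness", True, "no reply for a week"),
    Observation("OffshoreIT-A", date(2011, 11, 20), "performance", True, "uptime below target"),
    Observation("OffshoreIT-A", date(2011, 12, 12), "responsiveness", True, "escalation ignored"),
    Observation("DataVendor-B", date(2011, 9, 1), "performance", True, "feed gaps"),
    Observation("DataVendor-B", date(2011, 10, 5), "staffing", True, "account team turnover"),
    Observation("DataVendor-B", date(2011, 11, 10), "responsiveness", True, "slower support"),
    Observation("Outsourcer-C", date(2011, 6, 1), "performance", True, "one late close"),
    Observation("Outsourcer-C", date(2011, 9, 15), "staffing", True, "lead analyst left"),
    Observation("Outsourcer-C", date(2011, 12, 20), "responsiveness", True, "holiday delays"),
]

if __name__ == "__main__":
    queue = review_queue(SAMPLE_OBSERVATIONS,
                         categories=("performance", "staffing", "responsiveness"))
    for supplier, rules in queue.items():
        print(f"{supplier}: {', '.join(rules)}")
```

In the sample, OffshoreIT-A trips only the count rule, DataVendor-B only the cluster rule, and Outsourcer-C has the same three categories but spread over six months, so neither fires. That last case is the point of the window: the rules tolerate the imprecise, occasional entries Leong wants staff to keep logging, and a designated owner still reviews what they surface.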
Advance warning of problems is key, especially when product turnaround times are long. “It’s very difficult to manage supply chain disruptions; you can’t call up a new factory in a crisis and say, ‘I need 20,000 pocket tees,’ because you won’t get them for five or six months,” says Casual Male’s Hernreich. “That’s why all of our mitigation efforts are put up front, in terms of making good judgments about who we do business with.”
Technology: Assessing the Impact of ERM Automation
Intuit, maker of popular business and financial management software including QuickBooks, Quicken, and TurboTax, began its enterprise risk management (ERM) program along classic lines. Janet Nasburg, the $3.9 billion technology firm’s first chief risk officer, began building both risk-assessment processes and risk-assessment awareness across the company in 2009. The goal was to have “every leader across the business operating as a risk manager every day” in making decisions both large and small, she says.
The processes included asking each business leader to perform an annual risk assessment focused on identifying their top four to six exposures, deputizing an “ERM leader” within each business unit, and creating a quarterly reporting procedure in which the business leaders reported to senior leadership on the status of significant risks. Those risks then feed into a variety of other decisions and activities. The annual assessment process kicks off just before the annual planning process, says Nasburg, so risks can be incorporated into strategy and budget. The risks also help drive the focus of the internal audit plan, so that reviews can pinpoint areas that are the most vulnerable.
Before long, Nasburg had plenty of data and insights streaming into her office. The only trouble: she was drowning in it. “We had over 100 business leaders inputting data through Excel workbooks, then sending those spreadsheets back to the risk department,” where it could take weeks to manually aggregate.
Recognizing that it was more important to analyze the data than to collect it, she turned to Intuit’s product development team for help. The result was a homegrown web-based program that allows business heads to input data in real time and see what others are thinking and entering.
Even when such technology is in place, it can’t do all the work. “You have to put yourself out there,” says Carolyn Snow, director of risk management at health-care insurance provider Humana. While $36.8 billion Humana has a formal internal risk-management process, Snow says she does a lot of casual marketing for her function through training programs and simply by initiating conversations. “Our best sources of information come through referrals, such as someone who is working with a vendor, or one of our personal nurses who works with our most fragile members,” she says.
Risk Governance: How to Equip Your Board
Ironically, getting the best from frontline employees may start with sorting things out with the board. Experts say that requires careful guidance from the CFO. “The board has the duty to exercise oversight, so they should be part of the conversation on how detailed and extensive risk management is,” says Peregrine, “but it’s the executives who know what the fine line is between too heavy and too light.”
While there is still debate over whether the full board or the audit committee should be responsible for risk, finance executives can often help engage more members in risk, say experts, even by subtly working risk into broader educational efforts. Best Doctors’s Varvaris, for example, says that every board meeting involves a SWOT (strengths/weaknesses/opportunities/threats) analysis of a rotating series of business units and geographies. “Once an organization is clear about the level of risk it wants to take in executing its business strategy, it is much easier for board members to have a conversation about where in that spectrum the company sits, and where it might want to go,” says Ernst & Young’s Prybylski.
All of that structure can lay the foundation for higher-level analyses and discussions with the board, rather than simply inventorying a long list of risks. “The board looks at how robust our program is, but that is less of a focus than assessing what we are doing around these risks, whether we are looking at the right risks, and what is happening in the business that changes our risks,” says Intuit’s Nasburg. “It’s not just a report, it’s a discussion.”
Alix Stuart is a contributing editor at CFO.