We are at just the beginning of challenging times ahead. Risk management is becoming of increasing importance.
For example, according to
a Towers Perrin survey of finance executives at major U.S. corporations, CFOs consider "improved risk management" as the top priority right now given the current financial crisis -- even more important than access to capital.
Towers Perrin commissioned the survey by
CFO Research Services, an affiliate of
The Economist and
CFO, to gain insights on how companies view the seriousness of the financial crisis for their businesses. According to the summary of the report:
- Approximately 72% of respondents expressed concern about their own companies' risk management practices and ability to meet strategic plans. (Towers Perrin notes this suggests that finance executives, regardless of industry, perceive a need to invest in more effective risk identification, measurement and management procedures.)
- More than half (55%) of the CFOs agree that they plan to put their risk management practices under a microscope and that this investigation will in many instances reach all levels of the organization, from the board down and from the shop floor up.
There is a risk that management will focus on specific risk associated with the financial crisis. We believe that risk management encompasses an entire company and the potential impact of external events on the company.
At CA we are developing a risk management library that addresses risk throughout a company. At the highest level this structure includes the following risk elements:
- Governance
- Operational
- Technological
- Compliance
- Financial
- Financial Reporting
- Economic
- Environment Regulation
- Stakeholders
- International
- Market
- Social Trends
In the coming weeks on this blog, we will look at risk management holistically and discuss risk management considerations that businesses should be addressing over the next twelve months.
We begin with the following elements of Governance risk:
Governance Structure: The risk of loss through legislative action or loss of reputation because an organization cannot demonstrate that it has an effective corporate governance structure
Organizational Structure: The risk of loss through legislative action or loss of reputation because an organization does not have an appropriate culture, including ethical culture, to support the corporate governance objectives
The ability to demonstrate that risk is being effectively managed at the board and senior management level is beginning to be raised as an issue in the media.
On November 10, 2008, Tobin Harshaw of the New York Times compiled some interesting insights regarding the A.I.G. bailout in an
"Opinionator" blog post:
"Executives there are handsomely paid, yet senior management cast a blind eye as one unit earned outsized profits while taking risks that would have driven A.I.G. into bankruptcy were it not for the Fed's rescue.
"¦the biggest single job of senior management in a financial institution ought to be to assure the health and survival of the entity, which means risk management and control is top of the list. "¦ Anytime a unit starts reporting very large profits, managers should be all over it like a cheap suit to make sure the earnings are not the product of massive risk taking."
(From the Naked Capitalism blog
.)
In the NY Daily News on November 9, 2008,
Carl Icahn focused on Lehman in an opinion column. He wrote:
"But behind the success or failure of every corporation is a board of directors which is supposed to monitor the CEO, set salaries and, importantly, weigh risks and business strategies.
So we must ask: Where were the directors of these companies? Were they qualified to assess the risks their companies were taking? Or were they off playing golf at Augusta or jetting to the Super Bowl aboard company aircraft?
Consider the Lehman board. Of the ten non-management directors, only three "¦ has financial industry background"¦. Moreover, its five member finance and risk committee included a theater producer, a retired naval officer, a retired computer executive and a retired television CEO. Only the chairman had a finance background. He was eighty years old.
Even if these people were qualified to evaluate the bank's risks, the committee met just twice a year in 2006 and 2007, according to the Corporate Library, a research group. Its editor, Nell Minow, told a House committee last month: "˜A company that had $7 billion in losses after becoming embroiled in the global credit crisis had a risk management committee that did not understand or manage its risk.'"
What should the board and senior management do to address these risks proactively?The first step could be to specifically have someone monitor developments in the governance and risk management area and to raise issues proactively and suggest potential management actions. This would be especially important for potential Government regulations, but of equal importance would be the monitoring of potential law suits. This could be performed by a risk manager in conjunction with general counsel and the regulatory compliance group.
The second step could be to assess the current state of governance, risk and compliance. Future blogs in this series will address factors to be considered in this review; however the first steps could be taken quickly. As part of this review, consideration could be given to the timeliness of risk management reporting "" including escalation of important issues. I suggest that the automation of GRC could address the timeliness issue and the review should include the reporting of significant issues to board members between board meetings.
Watch our blog in coming weeks to learn more about our thoughts on managing risk across the enterprise.