Risk Management: Not a Done Deal
Enterprise Risk Management is constantly in the forefront of discussions concerning corporate management. Given this prominence, and given the press coverage of risk management failures in the economy at large, one would think that corporate management is far down the road in dealing with “ERM.” Seemingly, such is not the case.
At a seminar held October 19th by Boston-based Risk Discovery Services, JV, four principals outlined appropriate ERM to be undertaken by management. Their experience indicated that management often was not “up to speed.” (Risk Discovery Services is a joint venture of corporate consulting firm Entrepreneurial Resources Group and information technology firm Granite Bridge Advisors.)
Risk management properly is perceived as extending far beyond the traditional inquiries: do you have controls to make sure that no one is stealing from you, do you have controls to make sure you are in compliance with law, and do you have adequate insurance? As was noted in the presentation, risk lurks in every aspect of corporate operations. A punch list of risks discussed includes: customer relations; product development; information technology; employee relations; physical security and safety; financial controls; regulatory compliance; business planning; relationships with shareholders.
Here are some specific areas that the presenters found are quite often deficient:
- Absence of adequate cash flow planning.
- Failure to appreciate drivers of change in one’s industry, such as competition, merger and acquisition activity, etc.
- Inadequate funding for, and non-alignment with business operations of, information technology.
- Failure to address over-concentration, whether it is a limited number of suppliers or over-reliance on a single customer.
- Information technology systems not integrated to provide accuracy and ability to manage.
- No ratchet on tax compliance, particularly when involved with several states and localities.
- Not reflecting actual risks in strategic planning and budgeting.
- Inadequately protecting intellectual property (which is difficult, given expense).
Although one might think that a board of directors would have an interest in making sure that management is addressing ERM, RDS’s preferred approach is through management in the first instance, to avoid management’s feeling that they are being spied upon. The goal is to reduce risk, which in turn should be reflected in higher value: value in terms of profit, or value (in the event of impending sale) in terms of transaction pricing.
RDS performs many services that are also marketed by accounting firms, but the staffing approach may be promising for many companies, as RDS principals are business-oriented rather than accounting-oriented. One can only hope for a holistic approach to ERM, which to my mind is needed in the marketplace.
Areas that I find, in my practice, are often missed in ERM analyses, include: reputational risk, particularly through social media; existential risk, arising from economic or political developments (most people shy away from these on the theory that they are too global to deal with; I don’t agree); and, a particular focus these days of the Federal government, compliance with the Foreign Corrupt Practices Act, which applies not just to public companies or large companies, but also to any company doing business overseas.
It does seem that ERM remains a work in process for many businesses. That is a shame; seems to me ERM is just another way of conducting one’s business profitably.