EisnerAmper recently surveyed corporate directors to determine what risks are top of mind. The top risks identified by the respondents were reputational risk, compliance risk and technology risk. Of the three, reputational risk was by far the most mentioned. As a composite risk, reputational risk can be triggered by many individual risks or events. The myriad of recent scandals at large companies and not-for-profits can be attributed to the absence of a reliable enterprise risk management (ERM) program. More and more, directors are charging management to implement ERM and create a dialogue about risk management.
ERM is designed to identify, quantify, manage and mitigate risk based on a company’s risk tolerance. ERM programs are customized to fit each company; there is no one-size-fits-all solution or software package that will transform a company lacking an ERM program into one with an effective program in the short term. Initiating, developing, implementing and monitoring an ERM program as part of a company’s strategic plan varies in difficulty from entity to entity. A company must have three elements working together to successfully implement an ERM program: talented people, effective processes, and the willingness to share and transfer knowledge throughout the organization.
Numerous stories from the recent financial crisis illustrate that ERM programs, some effective and some not, have been in place for several years at banks, insurance companies and other financial institutions, with varying degrees of success. Now, with ratings agencies (S&P, Moody’s and AM Best) considering a company’s ERM program in determining its rating and stability, more and more nonfinancial services companies are considering ERM and how best to initiate an ERM program.
The tendency of human nature is to be enamored with trends and buzzwords without fully understanding their implications or effects. The same can be said of ERM; senior executives should be proactive in determining the need for ERM, but should not instantly react by insisting on the implementation of an ERM program without giving careful thought as to what risk assessment procedures are already in place.
Before even considering implementing an ERM program, the concept needs to be embraced and initiated by a company’s board and senior executives. While management is responsible for establishing an entity-level risk tolerance, the board and senior executives need to be aware of and concur with the entity’s risk appetite. They need to be apprised of the most significant risks, and whether management is making appropriate responses.
The board is responsible for establishing the values and governance structure of the company, along with ensuring that the company complies with laws and regulations imposed by government and industry. Companies that have an effective ERM program in place most certainly comply with other regulatory requirements, such as the Sarbanes-Oxley Act.
“Tone at the top” is critical, meaning that the board and senior executives set the tone for how a company will operate and what it determines to be its core values. All companies care about risk management; however, each entity expresses that care in different ways. In order for ERM to be considered, it needs to be made a priority by the people directing the culture and strategy of the organization. The saying “only as strong as the weakest link” most certainly applies here. When the topic of ERM is discussed, stakeholders will certainly take seriously a company with a strong reputation for corporate governance and directors with a strong governance track record.
In the future, it is highly likely that boards will become more involved in corporate risk management. Indeed, stakeholders will demand that management produce performance reports and metrics that substantiate the ability of the company to achieve its goals. A vibrant dialogue about risk is vital to the partnership of the board and management, and will ultimately be key to the success of the organization.
Jim Mack is a partner, Jerry Ravi a senior manager and Kevin Sullivan a director at EisnerAmper.