aicpa.orgEnterprising Views of Risk ManagementHome · Online Publications · Journal of Accountancy · Online Issues · June 2004 · Enterprising Views of Risk Management RISK MANAGEMENT/BUSINESS AND INDUSTRY Businesses can use ERM to manage a wide variety of risks.Enterprising Views ofRisk ManagementBY RUSS BANHAMEXECUTIVE SUMMARY ENTERPRISE RISK MANAGEMENT (ERM) IS A STRATEGY organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront. ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers. ERM HAS GIVEN RISE TO A QUESTION: Who should head the risk management process—internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with. USING ERM ENABLES AN ENTITY TO ASSESS risk across the enterprise instead of looking at it on a per-project basis. It also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately. TO EXTRACT RISK DATA, MANY ORGANIZATIONS use business intelligencesoftware. Many packages feature “traffic-light” systems that show a red light if risk exceeds acceptable levels. The chief risk officer then can “drill down” to see the reasons and make more informed decisions. OVERALL RESPONSIBILITY FOR ENTERPRISE RISK is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization’s risk management and control systems. RUSS BANHAM is a business journalist and frequent contributor to the Journal of Accountancy. His most recent book is The Ford Century (Artisan, 2002), a 100-year history of the Ford Motor Co. His e-mail address is [email protected]. ndustry insiders tout enterprise risk management (ERM) as the most effective strategy an organization can use to manage a plethora of risks, running the gamut from strategic, market, credit, operational and financial exposure to the daunting array of man-made and natural disasters. New ERM committees led by chief risk officers identify, quantify and monitor these risks via a holistic, portfolio-based management system. However, new internal audit standards from the Institute of Internal Auditors (IIA) (www.theiia.org) may change the paradigm; they require internal auditors to assume responsibility for monitoring enterprise risk, creating tension in some organizations over who is in charge. CPAs with internal audit or risk management responsibilities can use this article to determine whether ERM is a strategy that will benefit their organizations and who should be responsible for overseeing risk management.ERM BASICSThe difference between ERM and more traditional ways of managing risk (see the exhibit on page 68 for more details) is that ERM calls for high-level oversight of a company’s entire risk portfolio rather than for many different overseers managing specific risks—the so-called silo or stovepipe approach. ERM, in effect, centralizes management under a chief risk officer or ERM committee who manages the individual overseers to help identify overall how much risk the entity can tolerate, assess mitigation tactics and otherwise take advantage of risk opportunities.The idea of viewing risk as an opportunity may surprise some CPAs. ERM adherents explain that absorbing, hedging or transferring risk requires capital—dollars a business might otherwise directto other, more productive and profitable endeavors. “Since entities must hold capital to absorb the risk of loss, there is less to invest in other profit-producing activities,” explains Peter Nakada, executive vice-president of ERisk, a New York-based ERM consulting firm and software provider. “ERM helps determine the right amount of capital companies should direct toward risk.”How does ERM help a company arrive at this figure? It’s done by gathering or otherwise polling risk overseers to determine the threats to the organization, the financial impact and the effectiveness of risk mitigation options. “The goal of the process is to determine the appropriate amount of capital you need. You can’t get that number unless you identify and measure all the risks threatening the organization,” Nakada says. “Once you know you can determine where to direct capital.” Embracing ERMIn a survey of 200 senior finance and risk management executives, 41% said their companies were implementing some form of enterprise risk management (ERM). 90% whose companies were pursuing ERM were very confident in their ability to manage risk, compared with just 45% of those not using ERM. 84% believed ERM could help improve their companies’ price/earnings ratios and cost of capital. Source: Enterprise Risk Management: Implementing New Solutions, The Economist Intelligence Unit and MMC Enterprise Risk, www.mmcer.com. Why should CPAs care about ERM? “Because it will directly affect how and why they do their job,” says William Spinard, senior vice-president in the Washington, D.C., office of Marsh Inc., a large multinational insurance broker that works with clients to develop ERM strategies and systems. “With ERM an entity establishes risk definitions and tolerance levels, as well as policies. It defines procedures to measure risk and creates monitoring activities. ERM will basically be the standard bearer for risk management in a company, a role traditionally handled by internal audit.” The question now emerging, Spinard says, is “Who should head ERM: the internal audit department—given the new Institute of Internal Auditors standards—or chief risk officers and other traditional risk overseers from finance?”While Spinard advocates that internal audit take a back seat to more traditional risk managers—“to effectively preserve the checks-and-balances element of the audit function”—some organizations are designating internal audit as the über risk manager. “Having set the standards for internal controls, the auditors are now setting the benchmarks for ERM,” Spinard adds. But should internal audit manage the entity’s ERM strategy?