Editor: Please describe your position at Eisner and your professional background.
Fodera: I am an audit partner in the Internal Audit and Risk Management group of Eisner LLP. We help companies assess the effectiveness and efficiency of related organizational practices and core business operations. The internal audit function bridges the gap between management and the board, and serves as an organization's safety net for compliance with rules and regulations and in developing overall best business practices. Currently I am a member of the New York State Society of Certified Public Accountants SEC Practice Committee, the Long Island Capital Alliance, and the Institute of Internal Auditors.
Editor: What strategic processes within a company should be factored into a risk-management scenario?
Fodera: The strategy-setting process is designed to identify potential events that may affect the entity, manage risks, and provide reasonable assurance regarding the achievement of the company's objectives. The enterprise risk management process utilizes inputs from the board members, management and other personnel across the entity to take a portfolio view of risk. The entity objectives are categorized by strategic, operations, reporting and compliance. The roles and responsibilities are key factors in the success of the enterprise risk management process. The event identification differentiates risks and opportunities which management channels back to the strategy setting.
Editor: Should companies organize interdisciplinary risk-management teams to oversee a company's risk assessment?
Fodera: It must be interdisciplinary to be successful. Each part of the company needs to be looked at and you need to engage the process owners from each of those different company units. You need to identify and have all parts of the company give their input for an overall risk management profile for the company. The other key aspect of that is that you need to set the guidelines so that everyone is on the same page. Everyone needs to understand the commonly defined terminology in terms of risk appetite or risk tolerance. Once you identify and define the terms in a risk management program, each of the process owners of the disciplinary units can actually understand and rank it accordingly so you come up with one approach for the company.
Editor: How frequently should major risks be evaluated? How should risks be classified?
Fodera: Many boards are requiring a more frequent risk management process. In order to stay current, annual formalized risk assessments are being updated on a more periodic basis. We recommend a quarterly or monthly risk assessment review, although management should perform the cost-benefit analysis and decide what is best for the organization. The risk assessment process employs a combination of both qualitative and quantitative criteria. The risk rating should include the likelihood and impact as part of the risk classification. Management should clearly define the risk appetite and risk tolerance terms across the entity in order to have a more effective risk management process.
Editor: What role should the board of directors have in defining risk management processes?
Fodera: Ownership of the risk management function rests with management. The board has oversight responsibility over the risk management process and sets the tone at the top. The audit committee can be a catalyst in identifying critical gaps in the company's risk management process. This involves participation with the senior executives and through independent evaluations coming up through internal audit reports. From that standpoint, the board is the eyes and ears of the stakeholders.
Editor: What impact will the Sarbanes-Oxley regulations have on non-accelerated filers? Won't meeting the same reporting standards as the larger companies place a strain on many of those smaller companies?
Fodera: All non-accelerated filers with year ends after December 15, 2009 will be required to comply with Section 404(b) and have an audit of the effectiveness of internal controls over financial reporting. This will effectively put all public companies, small and large, in the same boat.
The first go-around will probably be more costly for smaller companies; however, the benefits definitely outweigh the costs. The rules have been with us since 2002. Since that time, restatements have been declining due to the increased expertise in the financial reporting groups, and that is a step in the right direction. Smaller companies need to be mindful of the resources necessary to handle the complex accounting rules and tax regulations. In order to enhance transparency and financial disclosure, getting the right competencies should be a top priority for all companies.