Implementing Enterprise Risk Management

Friday, August 10, 2012 - 17:03
Mitchell J. Auslander

The Editor interviews Mitchell J. Auslander, Partner, Willkie Farr & Gallagher LLP.

Editor: Please tell us about your professional background.

Auslander: I am co-head of Willkie Farr’s litigation department and a member of the firm’s Executive Committee. I do general commercial litigation and specialize in insurance matters of all types.  I have represented policyholders, insurance brokers and insurers in disputes worldwide.

Editor: Why should directors and officers assure themselves that their company has an effective enterprise risk management program, and what are its most important elements?

Auslander: In the current climate, where there is so much government and private sector scrutiny of public companies and their directors and officers, it would be imprudent for directors and officers not to make sure that they have effective enterprise risk management programs in place to protect their companies, their shareholders and themselves.

Historically, risk management consisted mostly of making sure that there were insurance programs set up to protect the company’s assets and its directors and officers. Insurance is certainly a major component of risk management, but there is much that a company can and should do to avoid or mitigate risk before it needs to call upon its insurance policies. The real issue is avoiding liability by implementing a good enterprise risk management program. Insurance should be viewed as an important backstop.

Editor: Should the enterprise risk management program be approved by the board of directors?

Auslander: Risk management has become so important to the success of an organization that it is incumbent upon the board of directors not only to approve their company’s enterprise risk management program but also to understand it well enough to assure themselves that the company is protected against foreseeable risks. This includes ensuring that appropriate insurance is procured, but, more importantly, the board should have regular reports concerning not only operations but also compliance and legal. In my view, this should include reports on risk management programs and processes themselves, not just problems that have occurred. Liability prevention is the key.

Editor: What types of businesses are most exposed to risk?

Auslander: As you can see from the daily headlines, the financial sector remains front and center. The lingering economic downturn will keep attention focused there for some time to come. There is also great risk for technology companies, which depend for their success on their intellectual property and its protection. Consumer-oriented businesses always have risk, but government scrutiny at the federal and state levels has increased those risks, and, of course, compliance failures of any kind can lead to monetary exposure and, as importantly, reputational damage. You cannot buy insurance for that.

Editor: Do global operations increase exposure?

Auslander: There’s no question that they do. Companies used to view their U.S. operations as the areas where the potential for exposure was the greatest, both on the regulatory side and on the civil litigation side. Most companies are now aware that the exposure is at least as great in the international arena. The FCPA, UK Bribery Act and similar legislation in countries throughout the world, together with money laundering and export controls, have focused companies’ attention more than ever on what they are doing around the world. That is something that is going to continue and become even more complicated.

As a law firm, we certainly have our eye on that ball. We find that our clients are increasingly looking for advice as to how they can control their risks related to buying, selling, providing or producing products and services abroad, even before a particular problem arises. Because we serve clients with global operations, we provide advice not only from here in the United States but also on the ground locally.

Editor: There are recent examples of losses that occur as a result of breakdowns in the supply chain by reason of a natural catastrophe. How can these be mitigated?

Auslander: That is an important question that is overlooked too often. Protection against these kinds of risks should be taken into consideration in preparing an enterprise risk management program. The program should assure that operations are protected to the fullest extent possible.

I always start from the proposition that the company must understand the risks it faces and work to mitigate them before the problem arises. However, this is an area where insurance is critical. Appropriately drafted business interruption insurance can protect against the financial loss occasioned by a supply chain breakdown. From a drafting standpoint, it is important to make sure that the insurance policy language covers such downstream risks. Companies often purchase large amounts of insurance to protect themselves. However, after the catastrophe hits, questions arise as to how the insurance actually works with respect to all of the company’s losses. For example, a hurricane strikes a power plant causing enormous property damage. It is relatively easy to calculate the loss and collect insurance for it. But how much business was lost when the plant was down or ramping back up? What about the company’s inability to supply to customers, some of which may be affiliated companies? The issues abound.

It turns out that it is not always clear how business interruption insurance works and even less clear how one calculates damages for business interruption loss. Companies must first understand the kinds of losses to which they are susceptible in the event of a disaster and make sure, in advance of any incident, that those losses are covered.

Editor: Who within the corporation should be responsible for updating the enterprise risk management program and assuring that adequate insurance protection exists?

Auslander: What we have seen over time is that the risk management departments of companies have grown larger and more sophisticated and that their responsibilities have expanded. This is a good thing.

In a major company with worldwide operations, the responsibility for enterprise risk management should be shared between the risk management group and the legal department. Legal sometimes gets involved only at the point at which the catastrophe has happened: the insurance that had been in place is called upon to pay for the claim, and for whatever reason the insurance isn’t paying or isn’t paying in full. That is too late. Legal is in the best position to understand the company’s potential liabilities. It should work closely with risk management to mitigate risk and ensure that the company’s liabilities are covered by insurance.  

Editor: What external services should be considered? 

Auslander: Insurance brokers are obviously very important to the process. Brokers, particularly the larger ones, have a broad-based view because they have clients who are in the same business and are exposed to similar risks.  Given the potential for great exposure of large companies with international operations, brokers play a critical role in testing the world’s insurance markets to secure the right amount and quality of insurance.

Public accounting firms are very good at helping policyholders quantify their losses. Losses from business interruption, for example, are notoriously difficult to quantify.

I would be remiss if I didn’t mention the lawyer’s role.  Outside counsel who are experienced in the insurance area have a very good handle on the kinds of insurance that are available. These outside counsel, having seen insurance coverage disputes, understand all that can go wrong with a policy. They can play a vital role in advance of a catastrophe in assuring that a company’s insurance is the right insurance – with the appropriate bells and whistles – for its coverage needs. In my practice I have seen many instances when companies were very comfortable that they had the proper insurance in place, only to discover gaps in their coverage that would have been detected in advance by lawyers who have handled coverage disputes. 

Editor: How important is having an internal compliance system that provides procedures for reporting of present or potential compliance failures? What are the key components of such a system?

Auslander: It is obviously very important to have not just a compliance program but one that will actually detect potential problems. There should be a system in place by which complaints or issues are brought to the surface as early as possible even if it turns out that there are some false alarms. Anybody who has been involved in a government investigation or threatened civil litigation knows that many types of problems can be managed and resolved if they are identified and addressed early. For this reason, complaint hotlines are important, and it is essential that complaints receive proper attention. Then, there should be effective lines of communication between relatively senior compliance people and the audit committee of a company. In short, companies should have active compliance programs in place with early detection systems and clear lines of communication up the chain.

Editor: How important is insurance to managing risk under the various scenarios we have discussed?

Auslander: Very, but I really can’t emphasize enough that, in my view, successful risk management programs do not rely only on insurance. Insurance should be viewed as a backstop. Risk management has to begin with managing risk at the operations level through an effective compliance program.  

Editor: Do directors and officers face risks that cannot be covered by insurance and that can be mitigated only by an effective corporate risk management program?

Auslander: The most obvious area where directors and officers cannot be covered by insurance is where their conduct is dishonest or fraudulent or where there is some desire on the part of regulators or perhaps even civil plaintiffs to exact a pound of flesh from the directors and officers personally. An example of that would be clawback liability, in which a settlement is reached that would require a director or officer to pay back out of his or her personal assets some or all of the compensation that he or she had received. That said, I believe the insurance industry is hard at work trying to create insurance that would cover even that risk.

With limited exceptions, a good insurance program should cover directors and officers for their potential liabilities up to the limits of liability that the company purchases. Directors and officers also have indemnifications from their companies they can fall back on, but the company may be unable or unwilling to comply with its indemnification obligations. It is incumbent on directors and officers who are concerned about their potential exposure, as they all ought to be, to take a harder look at the D&O insurance and the indemnification provided by their company. Directors should do this as a matter of diligence before they agree to sit on any board.

Please email the interviewee at with questions about this interview.