The Essentials Of Enterprise Risk Management

Monday, January 28, 2013 - 12:37

The Editor interviews James W. DeLoach, Managing Director of Protiviti’s Houston office.

Editor: Please tell us about your professional background.

DeLoach: I’m a managing director of Protiviti and am based in Houston. I am a member of the firm’s Solution Leadership and a member of the Executive Council to the CEO. I’ve been with the firm since its inception in 2002 and formerly was a partner of longstanding with Arthur Andersen.

Protiviti was formed from a practice of about 600 professionals from Arthur Andersen. We focus on solving client business problems in improving their business and technology performance. We help clients respond to situations like bankruptcy, restructurings, major transactions, mergers and acquisition, IPOs and fraud, as well as provide consulting services in governance, risk management and compliance.

Editor: Why should directors and officers assure themselves that their company has an effective corporate risk management program?

DeLoach: First and foremost from a director’s point of view, public companies are required in their proxy disclosures to disclose how their boards oversee risk. These disclosures are intended to improve investor understanding of the board’s role in risk oversight, including how the board interacts with management on matters relating to risk. This gives directors skin in the game of addressing risk management.

From an executive management perspective, one of the biggest lessons of the financial crisis was that reckless risk taking can destroy enterprise value that took decades to build. As a result of the crisis, stock prices of a number of the major banks went down to pennies on the dollar from their previous highs. This sends a clear message that it’s just as important to protect enterprise value as it is to focus on opportunities to create enterprise value.

The value proposition from an executive management perspective is to protect as well as to enhance enterprise value. Risk management can contribute to establishing a sustainable competitive advantage by contributing to long-term business performance as a result of managing the cost of surprises and performance variability. This value proposition gives executive management incentives to focus on risk management and involves the directors in providing effective oversight.

Editor: What are some of the higher-risk business sectors?

DeLoach: We have conducted a survey that involved over 200 C-suite executives and directors in which they were asked to identify what they thought would be the critical risks in the next 12 months. The study will be published probably in the first half of February.

What we found was that all sectors have risks. There were a couple of risks that were virtually universal across all sectors; one was the risk relating to profitability constraints due to overall economic conditions that executives thought might limit growth opportunities. In other words, how do we continue to sustain growth in the current environment?

A second risk that was top of mind across most sectors was the issue of regulatory risk. This includes the potential for regulatory changes and heightened regulatory scrutiny that might affect the products and services provided by that sector.

The sectors that reported the most concern about risks were first technology, media and communications, and secondly financial services.

Editor: Do global operations increase exposure?

DeLoach: There is no doubt that they do. Cross-border sourcing has created a boundary-less organization for most companies. In today’s interconnected world, an enterprise overview of the international value chain is vital to understanding and managing risk. This view requires consideration of the various tiers of suppliers, not to mention the logistics in linking the vital elements of the supply base together with a company’s operations. It’s hard to identify a major company whose value chain doesn’t extend beyond the borders of the United States.

When operating abroad, corruption is definitely an issue to be reckoned with. Given the bet-the-company penalties involved, companies must avoid the risk of violating the Foreign Corrupt Practices Act, the UK Bribery Act and similar legislation throughout the world. There is unprecedented cooperation of prosecutorial authorities across country borders to deal with corruption.

There is little public sympathy for companies involved in corruption because it’s becoming clear that corruption stifles economic growth and drives poverty across the world. The consequences of corruption violations we're finding can be extremely severe, with great damage to a company’s reputation.

Global operations also create market risk exposure relating to changes in foreign exchange rates, interest rates, commodity prices and other market factors, such as equity prices. They also create exposure to sovereign political risk, which can lead to nationalization or expropriation of assets and disruption of operations such as what we’ve seen with some global companies. The Arab Spring is a stark reminder of how quickly nations can spin out of control. Multinational corporations with operations in potentially unstable countries or regions need to plan in advance for the contingency that they may need to take immediate action to protect their employees, operations and assets.

Editor: Should companies plan for risks that might occur as a result of breakdowns in their supply chain or headquarters by reason of a natural catastrophe? How can these be mitigated?

DeLoach: Clear messages that supply chains and company operations can be disrupted by events were sent by Hurricane Sandy, the Japanese tsunami, the disastrous flooding in northern Thailand, Hurricane Katrina and, of course, 9/11. Hurricane Sandy caused as much as $50 billion in damage, closed roads across the northeast, shut down ports and triggered shortages of gasoline and groceries in New York and New Jersey. It snagged the supply chain for all kinds of goods just as retailers were gearing up for the make-or-break holiday selling season.

While not as dramatic as the Japanese tsunami, Sandy is again a reminder that the resulting slowdowns and cessation of operations of companies due to extreme events are always possible. One of the fascinating things is that companies historically have created a tight coupling of their operations to squeeze cost out by decreasing inventory, having a single strategic supplier and adopting just-in-time manufacturing and delivery techniques. No longer do they maintain higher inventory levels and multiple suppliers to buffer breakdowns in the supply chain.

Over the last 20 years, quality, time and cost considerations have won out over business continuity considerations. With the disasters in Japan and Thailand, directors are starting to ask whether their companies have gone too far. These supply chain disruptions are a reminder that the tradeoffs to squeeze cost out of our processes and build tight coupling with upstream suppliers are not without risk.

The current focus on lean manufacturing leads to minimal buffers that increase disruption risk. Business continuity considerations should be considered in determining the appropriate organization of the supply chain considering all scenarios stemming from the impact of losing strategic sources of supply for an extended period of time as the result of natural disasters.

Companies need to look at the scenarios of supply outages and the related financial impact to assess the immediate impact to the supply chain in terms of specific suppliers, products and markets and to determine the expected recovery time following disruption. This is not easy to do, but it’s a drill on which companies have not spent as much time as they should because of the emphasis on squeezing cost out of their operations over the last 20 years.

When a Sandy strikes, a company that is reliant on a single-source supplier may find that identifying alternative suppliers is very difficult. It may require changing product specifications or working closely with other key suppliers to develop alternatives, and that’s not an easy thing to do. Moving to an alternative supplier carries risk of quality issues and gets even more challenging in heavily regulated industries where suppliers must be appropriately qualified. The bottom line to all this is that supplier relationships honed over a period of years just simply cannot be replaced overnight with an expectation of comparable performance levels.

Editor: What are the most important elements of an effective corporate risk management program that will mitigate exposure of directors and officers to risks of compliance failures and litigation exposures?

DeLoach: There is no one-size-fits-all answer. There are four fundamental elements that frame what executive management and directors need to consider when assessing how they can ensure an effective corporate risk management program. The first is the process. This  typically includes identifying, sourcing, measuring, evaluating, mitigating and monitoring risk and making sure that the elements of this process that are in place (which can vary from company to company) accomplish the objectives of the company. These can be to reduce risk to an acceptable level, reduce variability of performance to an acceptable level, prevent unwanted surprises, and facilitate taking more risk in the pursuit of value-creation opportunities.

Whatever the objectives of the process, they first have to be defined so that everyone understands why they identify, source, measure, evaluate, mitigate and monitor risk.

The second element is integration. Integration is key; if the risk management process is a standalone it’s just not as effective - it doesn’t really matter to the C-suite. The effectiveness of the risk management process increases as it is integrated with the core management processes, including setting strategy, annual business planning, performance management budgeting, capital expenditure funding, M&A targeting and so forth.

A third key element is culture. Even the most well-intentioned risk management process can be compromised if there are dysfunctional organizational behaviors. These include having a CEO who doesn’t care what the risk management warning signs are or having a compensation structure that encourages short-term, reckless risk taking to the detriment of the long term. Under such circumstances, it really doesn’t matter what you’ve got in place because that culture will compromise even the best-intentioned risk management process.

The final element is that a company needs to have an appropriate infrastructure that facilitates implementation of the process, its integration into core management processes and the company’s culture. That's your policies, your organization structure and your reporting. These are the common elements across companies that are very flexible in application but are very essential because risk profiles vary across industries.