Management Accounting Guideline: Identifying, Measuring, and Managing Organizational Risks for Improved Performance. By Marc J. Epstein and Adriana Rejc.


MANAGEMENT
STRATEGY
MEASUREMENT

Identifying, Measuring, and Managing Organizational Risks for Improved Performance

By Marc J. Epstein and Adriana Rejc

Published by: MANAGEMENT ACCOUNTING GUIDELINE

NOTICE TO READERS

The material contained in the Management Accounting Guideline Identifying, Measuring, and Managing Organizational Risks for Improved Performance is designed to provide illustrative information with respect to the subject matter covered. It does not establish standards or preferred practices. This material has not been considered or acted upon by any senior technical committees or the board of directors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinion or position of either the AICPA or the Society of Management Accountants of Canada.

Identifying, Measuring, and Managing Organizational Risks for Improved Performance

By
Marc J. Epstein, Rice University and Harvard Business School
and
Adriana Rejc, Faculty of Economics, University of Ljubljana

MANAGEMENT ACCOUNTING GUIDELINE

Published by The Society of Management Accountants of Canada and The American Institute of Certified Public Accountants

Copyright © 2005 by the Society of Management Accountants of Canada (CMA-Canada). All rights reserved. Reproduced by arrangement with CMA-Canada.

For information about the procedure for requesting permission to make copies of any part of this work, please visit www.aicpa.org. A Permissions Request Form for e-mailing requests and information on fees are available there by clicking on the copyright notice at the foot of the AICPA homepage.

ISBN 0-87051-619-1

IDENTIFYING, MEASURING, AND MANAGING ORGANIZATIONAL RISKS FOR IMPROVED PERFORMANCE

CONTENTS

INTRODUCTION 5
DRIVERS OF INCREASED RISK AWARENESS 6
INCREASED RESPONSIBILITIES IN RISK MANAGEMENT 8
APPROACHES TO RISK MANAGEMENT 8
THE PROCESS OF RISK MANAGEMENT 9
RISK MANAGEMENT FOR SPECIFIC BUSINESS FUNCTIONS 31
INFORMATION RISK 33
RISK ASSESSMENT IN DUE DILIGENCE 34
COMPREHENSIVE RISK MANAGEMENT 34
THE ROLE OF SENIOR FINANCIAL MANAGERS 35
CONCLUSION 36
BIBLIOGRAPHY 37
APPENDIX: REGULATORY REQUIREMENTS ON ENHANCED INTERNAL CONTROL 39

EXECUTIVE SUMMARY

Risk is an inescapable element of competing in a market economy. Organizations must be able to evaluate many types of risk — political, social, environmental, technological, economic, competitive, and financial — and incorporate the results into decisions regarding investments and operations, as well as into the systems used to monitor and evaluate the effectiveness of the actions taken.

This guideline provides a Risk Management Payoff Model that includes a selection of performance measures to properly identify, measure, manage, and report risks. The model demonstrates that improved risk measurement and management not only helps the organization prevent loss, achieve performance and profitability targets, and increase shareholder value, but also produces organization-wide benefits, such as allocation of resources to the risks that really matter, enhanced working conditions, and sustained or improved corporate reputation.

INTRODUCTION

The world has changed significantly in the last five years. New and greater pressures and risks have dominated both the international and business news, dramatically altering the issues that corporate managers must address. The attacks of September 11, 2001 made business executives aware that they must take action to prevent acts of terrorism as well as to prepare for their occurrence at the corporate site and in the wider community. The collapse of notable companies such as Enron and WorldCom highlighted the risk of financial fraud, raised new concerns about corporate governance and internal control, and resulted in the Sarbanes-Oxley Act of 2002 (also referred to as SOX). For multinational organizations, because of globalization and the rapid development of international communications through the Internet, corporate activities related to environmental degradation, child labor, or other social issues in a developing country have been able to impact profits significantly and quickly in the home country. In addition, the risks associated with Information Technology (IT) installations, mergers, human resource policies, and other daily organizational activities have escalated.

Today, organizations must learn to manage these increased risks. In the publication entitled Enterprise Risk Management — Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) described the underlying principles of risk management and its components. However, boards of directors and their audit committees, senior corporate managers, senior financial managers, auditors, and external stakeholders often need more detailed guidance with respect to the measurement and management of organizational risk.

In addition to the COSO framework and the newly effected regulatory requirements for internal control (see Appendix), this guideline provides a Risk Management Payoff Model that includes a selection of performance measures to properly identify, measure, manage, and report risks. The model demonstrates that improved risk measurement and management produces organization-wide benefits, such as enhanced working conditions, allocation of resources to the risks that really matter, and sustained or improved corporate reputation. These consequences help the organization prevent loss, achieve performance and profitability targets, and increase shareholder value. Measuring a broader set of risks more effectively is necessary not only to meet the new regulatory requirements but also, primarily, to improve managerial performance and stakeholder confidence. Risk management involves the identification, evaluation, and mitigation of business risks in order to maximize opportunities and turn risks into sources of competitive advantage.

The objectives of this guideline are as follows:

● To provide a comprehensive overview of risk management and highlight the role of risk identification and measurement within the risk management process;

● To create a broader framework for risk identification;

● To describe key elements of a measurement model (the Risk Management Payoff Model) for success in dealing with risks strategically and operationally. The model includes the critical inputs and processes that lead to risk-related outputs and ultimately to overall organizational success (outcomes). As such, the model helps managers identify and evaluate risks, determine the potential profits of risk management initiatives, and compare different risk responses;

● To outline specific drivers related to these inputs, processes, outputs, and outcomes. By identifying the causal relationships among the drivers, managers can better understand the way in which risk strategies, structures, and systems affect organizational performance;

● To provide specific performance metrics, so that managers can better prepare for, measure, and manage risks; and

● To demonstrate the calculation of return on investment (ROI) for risk management initiatives.

The target audience of this guideline includes boards of directors, members of audit committees, chief executive officers (CEOs) and chief financial officers (CFOs) with increased responsibilities, senior management teams, and accounting, internal audit, and finance professionals that face the challenges of risk assessment, analysis, and control. The guideline is also aimed at external auditors who must attest to, and report on, internal control over financial reporting.

DRIVERS OF INCREASED RISK AWARENESS

Regulatory Compliance

In recent years, facing more difficult business conditions and the growing expectations of shareholders, some corporate executives — fueled partly by excessive corporate and personal greed — deliberately bent the rules or blatantly reported false financial results for their organizations, causing a series of accounting scandals and corporate failures. These high-profile collapses demonstrated the potential consequences of failing to adopt even the basic principles of risk management as a key component of good corporate governance. In response, the pressure for improved risk assessment has increased throughout the world, taking the form of guidance documents (e.g., the Ontario Securities Commission’s proposed policy on effective corporate governance in Canada) and compulsory regulations (e.g., SOX).

Containing some of the most major and radical alterations in securities regulations in the United States since the 1930s, SOX has caused important changes in public accounting, corporate governance, and internal audit. For many decades, the protection of the investing public focused primarily on financial reporting. It was believed that investors provided with transparent financial results, and the information necessary to understand them, could make fully informed decisions. In 2002, SOX stated that the reporting of financial results was insufficient and required organizations to do more — to analyze and evaluate the quality of the processes and controls used to report these results. In order to harmonize the Canadian regulatory reporting and certification rules with SOX, Canadian Securities Administrators issued a set of proposals entitled Reporting on Internal Control over Financial Reporting.

Beyond the Sarbanes-Oxley Act

SOX specifically addresses the evaluation of risks related to financial reporting. However, organizations should look beyond the recent legislation, rather than merely comply with it, and learn to evaluate and monitor other types of risks and their underlying causes. Herein lies the opportunity to develop a business discipline: create formal systems of internal control, detail how these systems will identify, evaluate (measure), and respond to significant risks to the business, monitor these risks, and communicate the results to the appropriate parties. The mismanagement of risk and uncertainty may carry an enormous price. Beyond the traditional financial risk factors, internal and external stakeholders today expect reports on a wider range of issues that can affect future performance, reputation, and financial health.

In general terms, a risk can be described as any event or action that will affect adversely the ability of an organization to achieve its business objectives and execute its strategies successfully. More specifically, risk is the probability that exposure to a hazard will lead to a negative consequence. As such, risks do not arise from internal environments alone. External factors such as technological progress, customer demands, and global forces continuously change business models and increase competitive pressures. Government regulations, deregulation of key industries, and freer trade and investment worldwide create additional uncertainty. Risk is an inescapable element of competition and is integral to the economics of trading, investing, and competing in a market economy.

Thus, organizations need better ways to integrate the consideration of many types of risk — political, social, environmental, technological, economic, competitive, and financial — with the making of management decisions. For example, political instability in a host country, potential product liability, process emissions that are environmentally undesirable, and human resource policies that have social consequences can be important factors in managerial decisions. Organizations must be able to evaluate such risks and incorporate the results into decisions regarding investments and operations, as well as into the systems used to monitor the issues and the effectiveness of the actions taken. This guideline seeks to address these concerns.

Risk Management Pays Off

Many organizations view the effort to comply with SOX as a high-cost, largely administrative exercise. Indeed, significant resources are needed both to comply with regulatory requirements and to manage other risks. Estimates of the costs to comply with the new accounting and auditing regulations range from $400,000 to $750,000 for smaller companies alone. Moreover, these estimates do not include the time executives and other employees must spend dealing with compliance issues. A recent survey conducted by Financial Executives International reveals that a company with more than $5 billion in revenue could expect Section 404 costs of about 0.06 percent of sales, whereas a company garnering less than $100 million could see costs of about 2.55 percent of sales (Katz, 2005). As a result, the number of companies announcing plans to go private has risen steadily since the passage of the Act.

Though there are legitimate concerns about the costs of implementing SOX, organizations should not see the activity as merely an enormous tactical undertaking, producing little more than a list of tasks and corresponding costs. On the contrary, the potential benefits of the new, rigorous examination of risks and controls should be acknowledged. For visionary organizations, the requirements of SOX present a unique opportunity to pursue and implement the best risk management practices. Through the careful and thorough examination process, organizations can become aware of risks that are larger, more varied, and more global than anticipated, assess these risks, prepare appropriate responses, and measure the efficiency and effectiveness of the risk management initiative. This can result in improved internal control processes, better decision making, increased reliability of information for external users, and enhanced investor confidence.

INCREASED RESPONSIBILITIES IN RISK MANAGEMENT

Because of the new and greater risks in the business environment and the strengthened regulatory requirements for internal controls, the responsibilities of corporate boards, audit committees, and the internal audit function have increased with respect to risk management.

The board of directors has a central role in governance, its primary duty being to promote the long-term interests of the organization and of its shareholders. Epstein and Roy (2002) highlight three critical roles of boards of directors: overseeing strategic direction and risk management, ensuring accountability, and evaluating performance and senior-level staffing. Related to the first is the board’s responsibility to review carefully the organizational processes of risk identification, monitoring, and management. Specific reviews of financial objectives, plans, major expenditures, and other significant material transactions should also be included in the board’s responsibilities with respect to risk. Although the ultimate risk manager of any organization is the CEO, the board of directors must provide advice and ensure that relevant direction is being given on matters related to risk and internal control.

The audit committee is responsible for examining the performance of the internal control function and the exposure of the organization to a variety of risks. This role has become much more critical. Although there is no regulatory mandate for the implementation of enterprise risk management, the New York Stock Exchange’s Corporate Governance Rules require that a listed company’s audit committee have a written charter of duties and responsibilities, and that these include discussing policies with respect to risk assessment and risk management. The Rules’ commentary notes that, although other mechanisms to assess and manage risk need not be replaced by the audit committee, the audit committee must discuss the company’s major financial risk exposures and the management processes in place to monitor and control such exposures. Thus, in order to help focus energies in this area, many organizations are developing and implementing Risk Management Charters that establish the authority, roles, and responsibilities of their audit committees as well as define the scope of the activities of their internal auditors.

Internal auditors now have greater responsibility vis-à-vis the audit committee, the external auditors, and corporate governance in general. Although the responsibility for SOX compliance rests with management, the internal audit function typically has responsibility for the Section 404 review of internal controls over financial reporting and presents documented results to the audit committee and to the external auditors. The external auditors then attest to the adequacy of that review, giving their opinion regarding management’s assessment of internal control over financial reporting, and providing their own assessment of internal control over financial reporting. In addition, internal auditors provide independent assurance regarding the risk management process by forming an opinion about the extent to which sound controls have been implemented and maintained to mitigate the significant risks that management has agreed to embrace. Also, internal audit often has primary responsibility for monitoring the ethics and whistle-blower functions to ensure that these comply with company and regulatory requirements.

APPROACHES TO RISK MANAGEMENT

Traditional Approach

Historically, a silo approach has been favored, with different types of risk (e.g., insurance, technology, financial, and environmental risk) being managed independently in separate departments. Usually, there has been little or no coordination of risk management and, often, organizations have been slow to identify new and emerging business risks. Nevertheless, well-managed organizations have always managed risk successfully.

Risk can be viewed as uncertainty, hazard, or opportunity. Traditional risk management has concentrated on the two former views, attempting to reduce the variance between anticipated outcomes and actual results. In contrast, the goal of an organization-wide risk management system is to create, protect, and enhance shareholder value by managing the uncertainties that could affect the achievement of the organization’s objectives either positively (opportunity) or negatively (hazard).

Current Frameworks

Each of the major publications that address the growing importance of comprehensive and integrated risk management suggests ways to assess and manage risks within a generalized framework (e.g., DeLoach, 2000; Shaw, 2003; and McCarthy and Flynn, 2004). The required tasks, which vary in number, generally include establishing a context, identifying risks, analyzing and assessing risks, designing strategies for managing risks, implementing and integrating risk management, measuring, monitoring, and reporting (e.g., AICPA and Canadian Institute of Chartered Accountants, 2000). Typically, these publications do not provide clear guidance as to either the actions that managers should take to identify risks or the specific performance measures that should be implemented for effective risk management.

Among the most prominent works are those published by COSO. In 1992, Internal Control — Integrated Framework departed from the traditional internal accounting control model by presenting a broad framework of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. In 2004, Enterprise Risk Management — Integrated Framework provided a risk management framework that included key principles and concepts, used a common language, and consisted of eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Expanding on the internal control framework, this document presented a more extensive treatment of the broader subject of enterprise risk management, including aligning risk appetite and strategy, enhancing risk response decisions, reducing operational surprises and losses, identifying and managing multiple and cross-enterprise risks, seizing opportunities, and improving deployment of capital (COSO, 2004a). Both COSO documents offered clear direction and relevant guidance with respect to the identification and management of risks.

Nevertheless, empirical evidence reveals that companies have difficulties designing and implementing new internal control systems to comply with the regulatory requirements. A recent survey of the US Fortune 500 indicated that less than 30 percent of those organizations had implemented any form of enterprise system to support risk management (Teixeira, 2003). There is an apparent knowledge gap with respect to risk management and in particular, a lack of performance metrics for risk management initiatives. Given the increasing demand for significantly improved risk management, specific risk measurement tools are necessary.

THE PROCESS OF RISK MANAGEMENT

With the speed of change increasing for all organizations, senior managers must deal constantly with a myriad of complex risks that have substantial consequences for their organizations. The goal of risk management is not to eliminate risks, which would also eliminate potential rewards, but to find the right responses to them. Risk management seeks to maximize business opportunities and turn risks into competitive advantage. Effective risk management (see Exhibit 1) involves identifying risks, evaluating potential effects, identifying and analyzing possible solutions, adopting the most appropriate solutions, measuring the results (payoffs) of managing risks, communicating results, and monitoring risk evolution.

Step 1: Event Identification

In today’s rapidly changing, complex, and globally oriented businesses, risk is not always apparent. Although, ultimately, the CEO is the organization’s chief risk management officer, decision makers at all levels should consider risk identification a critical part of their jobs. Moreover, both managers and employees must learn to spot the warning signs of risks. For example, in the area of human resources, signs of risk could include a change in the demeanor of an employee, a decline in productivity, or a sudden increase in absenteeism. A list of potential risks to the organization could increase the attention paid by managers and employees to the events that might indicate risk occurrence.

There are several ways to classify risks. Building on the COSO framework, Exhibit 2 provides a risk classification scheme that comprises four broad categories of risk — strategic, operational, reporting, and compliance. Strategic risks relate to an organization’s choice of strategies to achieve its objectives. Such risks endanger the organization’s achievement of high-level goals that support its mission, and call into question management’s view of the environment. Operational risks relate to the possible loss of organizational assets and include threats from ineffective or inefficient business processes for acquiring, financing, transforming, and marketing goods and services as well as threats to the reputation of the organization. Reporting risks relate to the reliability and accuracy of information systems and to the reliability, timeliness, and completeness of information for internal and external decision making. Finally, compliance risks relate to the communication of laws, regulations, internal codes of behavior, and contract requirements and include the adequacy of information about the failure of management, employees, or trading partners to comply with applicable laws, regulations, contracts, and expected behaviors (Kinney, 2000).

Although controlling compliance risk is recognized as important, regrettably little attention has been focused on improving methods to reduce strategic, operational, and reporting risks. It is true that compliance failures have accounted for the most spectacular organizational losses in the last decade, generating legal costs, tarnishing corporate image, potentially affecting future profitability, and sometimes leading to corporate failure. However, all four categories are major sources of organizational risk and deserve an equally high level of managerial attention and relevant response.

Exhibit 1: Risk Management Process (flowchart; adapted from Kinney, 2000 and COSO, 2004)

1. Event Identification
2. Risk Assessment: Quantify Magnitude (Assess Probability, Quantify Impact); Cost/Benefit Analysis; Priority/Rank
   Is Risk/Reward Acceptable? Yes: Accept Risk. No: Can Risk Be Mitigated? No: Avoid Risk. Yes: Risk Response
3. Risk Response: Reduce Risk, Transfer Risk, Share Risk
4. Control Activities
5. Information & Communication
6. Monitoring

The risk classification scheme attempts to define a risk universe and provide a sample listing of organizational risks. To this end, the selected risks included in Exhibit 2, and explained in Exhibits 3, 4, 5, and 6, are representative of the most critical risks faced by organizations today. However, each organization should establish a working list of the risks that are most relevant to its own businesses and business environments.

In each organization, a combination of techniques and supporting tools may be used to identify risks. Approaches include: internal analysis; process flow analysis; creation of event inventories; identification of escalation or threshold triggers; discovery of leading event indicators; loss event data methodologies; facilitated, interactive group workshops and interviews; scenario analysis; and brainstorming sessions.

At Microsoft, the world’s leader in the development of software for personal computers, the risk management group spends a great deal of time face-to-face with the business units (Barton et al., 2002). At Telus, one of Canada’s leading providers of data, Internet Protocol (IP), voice, and wireless communications services, risk identification involves conducting surveys of various stakeholder groups and asking them to identify possible risks — low, medium, and high — in their areas of responsibility (Telus, 2004).

In the brainstorming approach, participants should be highly visible, represent a broad range of business operations, and have a global perspective of the organization. Some organizations have established a brainstorming team that comprises most of the executive group, including the CEO and the CFO, as well as employees selected for their understanding of different operational areas.

Event identification should ensure that all relevant risks are identified and their sources determined. In this regard, it is important to look beyond silos of risk. For example, when considering the risks of an earthquake, Microsoft managers thought about potential damage to equipment and buildings and, therefore, looked at property insurance. However, management must also take a broader view and consider the elements that are most important to the organization. In the case of an earthquake, the real risk is not that buildings can be damaged but that this can cause an interruption in the production/business cycle so that the organization cannot do business. The risk identification effort should produce a portfolio of risks, classified as strategic, operational, reporting, and compliance, for the organization as a whole and for every business unit.

Exhibit 2: Risk Classification Scheme

Strategic Risks: Economic risks; Industry risks; Strategic transaction risks; Social risks; Technological risks; Political risks; Organizational risks

Operational Risks: Environmental risks; Financial risks; Business continuity risks; Innovation risks; Commercial risks; Project risks; Human resource risks; Health and safety risks; Property risks; Reputational risks

Reporting Risks: Information risks; Reporting risks

Compliance Risks: Legal and regulatory risks; Control risks; Professional risks

Exhibit 3: Strategic Risks

Economic Risks
  Definition: Risks related to macroeconomic policies and economic cycles.
  Example: Government’s monetary and fiscal policy.

Industry Risks
  Definition: Risks related to competitive positioning, industry profit margins, market structure, and competition laws.
  Example: Changes in supply and demand, industry concentration, or competitive structure; introduction of new products and services.

Strategic Transaction Risks
  Definition: Risks related to activities undertaken to initiate significant change in strategic direction.
  Example: Asset reallocation via mergers and acquisitions, spin-offs, alliances, and joint ventures.

Social Risks
  Definition: Risks related to changing demographics and social mores.
  Example: Child labor; changes in family structures and work/life priorities (human resource issues that could alter demand for products/services or change buying venues).

Technological Risks
  Definition: Risks related to technological progress and technology-driven disruptive forces.
  Example: Engineering success/failure; technological obsolescence of product or product assembly (issues that could give a competitor an advantage).

Political Risks
  Definition: Risks related to changes in government, public policy, and federal oversight, and global risks related to political instability.
  Example: Management of government relations; terrorist activities.

Organizational Risks
  Definition: Risks related to control systems, business policies, and business culture.
  Example: Alignment between performance measurement and reward systems.

Step 2: Risk Assessment

All risks identified as potentially important should be assessed as to their magnitude — the monetary loss or severity of the negative effect if the event should occur. In this regard, it is important to concentrate on the impact of an incident and, especially, on its duration. In addition, the probability of the occurrence of an adverse event of a given magnitude should be determined. The organization can gain a much better understanding of the potential effects of a given risk by calculating both the probability of its occurrence and the expected losses.

Traditional, quantitative techniques for risk measurement and evaluation include: benchmarking; probabilistic models such as value at risk (VAR), cash flow at risk, earnings at risk, development of credit, and operational loss distributions; and non-probabilistic models such as sensitivity models, stress tests, and scenario analyses. In order to quantify the real costs of a risk, its correlation with other risks must be considered as well. Using scenarios may be helpful, particularly in studying the experiences of other organizations.
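As an added worked example (not from the guideline), the assessment step above and the Cost/Benefit Analysis, Priority/Rank and accept/mitigate/avoid boxes of Exhibit 1, in Python: each risk in a register carries an estimated probability and magnitude, each candidate response (reduce, transfer or share) carries its cost and the residual risk it leaves, and the payoff of a response is the reduction in expected loss minus its cost. The register, the risk appetite threshold and every figure below are constructed for illustration; the guideline supplies no such numbers.

```python
"""Risk assessment worked example: expected loss, cost/benefit of candidate
responses, priority ranking and the accept / mitigate / avoid decision.
All figures in SAMPLE_REGISTER are CONSTRUCTED, not taken from the guideline."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Response:
    """A candidate response (reduce, transfer or share) and the residual risk it leaves."""
    kind: str                    # "reduce", "transfer" or "share"
    annual_cost: float           # cost of running the response for a year
    residual_probability: float  # probability of the event once the response is in place
    residual_magnitude: float    # loss if the event still occurs


@dataclass
class Risk:
    name: str
    category: str                # strategic, operational, reporting or compliance
    probability: float           # annual probability of the adverse event (0..1)
    magnitude: float             # monetary loss if the event occurs
    responses: List[Response] = field(default_factory=list)

    def expected_loss(self) -> float:
        # Quantify Magnitude: probability of occurrence times loss given occurrence
        return self.probability * self.magnitude


def payoff(risk: Risk, response: Response) -> float:
    """Cost/Benefit Analysis: the benefit of a response is the expected loss it
    removes; its payoff is that benefit minus the cost of the response."""
    residual = response.residual_probability * response.residual_magnitude
    return (risk.expected_loss() - residual) - response.annual_cost


def decide(risk: Risk, appetite: float) -> Tuple[str, float]:
    """Walk the decision boxes of Exhibit 1 for one risk.

    Is Risk/Reward Acceptable?  expected loss within the appetite -> accept.
    Can Risk Be Mitigated?      a response with positive payoff exists -> take the
                                best one (reduce / transfer / share); otherwise avoid.
    Returns (decision, payoff of the chosen response)."""
    if risk.expected_loss() <= appetite:
        return ("accept", 0.0)
    scored = [(payoff(risk, r), r.kind) for r in risk.responses]
    positive = [s for s in scored if s[0] > 0]
    if not positive:
        return ("avoid", 0.0)
    best_payoff, kind = max(positive)
    return (kind, best_payoff)


def rank(register: List[Risk]) -> List[str]:
    """Priority/Rank: order the portfolio by expected loss, largest first."""
    ordered = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [r.name for r in ordered]


def assess(register: List[Risk], appetite: float) -> List[dict]:
    """Assessment table for the whole portfolio, in priority order."""
    by_name = {r.name: r for r in register}
    rows = []
    for name in rank(register):
        risk = by_name[name]
        decision, gain = decide(risk, appetite)
        rows.append({"risk": name, "category": risk.category,
                     "expected_loss": risk.expected_loss(),
                     "decision": decision, "payoff": gain})
    return rows


# Constructed sample register; the names echo Exhibit 4 categories, the numbers are invented.
RISK_APPETITE = 50_000.0  # expected loss per year the organization is willing to carry
SAMPLE_REGISTER = [
    Risk("Earthquake interrupts production", "operational", 0.02, 50_000_000.0, [
        Response("reduce", 300_000.0, 0.02, 5_000_000.0),     # failover production site
        Response("transfer", 450_000.0, 0.02, 10_000_000.0),  # business interruption insurance
    ]),
    Risk("Adverse foreign exchange movement", "operational", 0.5, 800_000.0, [
        Response("share", 50_000.0, 0.5, 100_000.0),          # hedging programme
    ]),
    Risk("Key supplier fails", "operational", 0.1, 2_000_000.0, [
        Response("reduce", 250_000.0, 0.1, 500_000.0),        # qualify a second source
    ]),
    Risk("Minor payroll reporting error", "reporting", 0.3, 20_000.0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{row['risk']:<36} EL={row['expected_loss']:>12,.0f}  "
              f"{row['decision']:<8} payoff={row['payoff']:>10,.0f}")
```

Run as a script, the table lists the earthquake risk first (largest expected loss) with the failover site chosen over insurance because its payoff is higher, the exchange-rate risk shared through hedging, the supplier risk marked "avoid" because its only response costs more than the expected loss it removes, and the small reporting error accepted within appetite. The correlation between risks that the paragraph above mentions is deliberately not modelled; a real register would need it before the expected losses could be summed.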

In addition to the costs that may be incurred if a risk materializes, the benefits that may be provided by an appropriate response to the risk should be assessed. The quantification of both costs and benefits then makes it possible to determine the payoff of a risk management initiative. Traditional risk assessment techniques often focus on those elements that can be


Exhibit 4: Operational Risks

Environmental Risks
  Definition: Risks related to the natural environment that could result in damage to buildings, restricted access to raw materials, or loss of human capital
  Example: Weather conditions, such as earthquake, fire, or flood; environmental pollution

Financial Risks
  Definition: Risks related to credit, interest rates, the stock market, currency, and collateral
  Example: Foreign exchange rates; strategic equity; asset liquidity; employee stock option program; commodity risks

Business Continuity Risks
  Definition: Risks related to conditions that could result in work stoppage or adversely affect production, delivery, marketing, supplier and customer management, outsourcing, or compliance with industry and other standards and codes
  Example: Reliability within the supply chain; supplier integrity; quality of goods; price of external supply

Innovation Risks
  Definition: Risks related to the transformation of some aspect of the business in an effort to improve operating performance
  Example: Underperformance in new product development and in Research & Development (R&D) investment

Commercial Risks
  Definition: Risks related to the expected performance of products or services
  Example: Quality of engineering, marketing, communication, and sales; product liability in the event of failure

Project Risks
  Definition: Risks related to the completion of a project
  Example: Technical difficulties; commercial obstacles

Human Resource Risks
  Definition: Risks related to the adequacy and execution of human resource standards, policies, and practices
  Example: Ethical/unethical conduct by management and employees; availability of assistance to employees for career planning and personal development; issues that could result in work stoppage, loss of personnel, or monetary or reputational damage

Health and Safety Risks
  Definition: Risks related to employee health and safety in the workplace
  Example: Unsafe equipment or environment; workplace stress; potential for injury from repetitive strain or falls from heights

Property Risks
  Definition: Risks related to the security of both tangible and intangible assets
  Example: Inventory protection against spoilage or theft; intellectual property rights; potential for enforcement action

Reputational Risks
  Definition: Risks related to the perception of the organization by its stakeholders, the media, and the general public that could impact liquidity, capital, or credit rating
  Example: Publicity regarding production methods, business practices, or internal controls


quantified easily and fail to address all critical drivers of successful risk management. What is needed is a framework of key factors (antecedents and consequences) that can enable decision makers to assess the impacts of risks in terms not only of the costs but also, and more importantly, of the benefits that successful risk management initiatives may provide. Following is the description of a specific framework that can be used as a tool for risk assessment and risk management. Because of the fundamental nature of risk and its consequences, the Risk Management Payoff Model is equally applicable to for-profit and not-for-profit organizations.

The Risk Management Payoff Model

Business measurement systems are designed to measure and display key success factors for achieving specific objectives. The Risk Management Payoff Model (Exhibit 7) describes the key factors for corporate success in risk management. These include the critical inputs and processes that are needed for success in risk management outputs (e.g., increased regulatory compliance), which then reduce the cost of risk and increase revenues. Finally, the payoff of risk management is determined by its contribution to overall organizational success (outcomes) in terms of shareholder value — the ultimate measure of success. This approach helps

Exhibit 5: Reporting Risks

Information Risks
  Definition: Risks related to the quality and accessibility of information
  Example: Data accuracy, relevance, reliability, and completeness; security of information; integration of information systems

Reporting Risks
  Definition: Risks related to the process of capturing, analyzing, and submitting data in a meaningful format to managers and external stakeholders for decision-making purposes
  Example: Reliability and completeness of financial information; efficiency of the process for internal decision making and for external reporting

Exhibit 6: Compliance Risks

Legal and Regulatory Risks
  Definition: Risks related to meeting legal and regulatory requirements with respect to corporate governance, labor relations, industry standards, the environment, etc.
  Example: Employee compliance with the organization’s code of conduct and Non-Governmental Organization standards; human rights violations (e.g., child labor)

Control Risks
  Definition: Risks related to the internal control systems and security policies that could result in system downtime, backlogs, fraud, and the inability to continue business operations
  Example: Data integrity; data and system availability; potential for malpractice by employees or outsiders (e.g., theft, deception, forgery, false accounting); potential for operational errors (e.g., clerical, record-keeping, and those resulting from faulty IT systems)

Professional Risks
  Definition: Risks related to organizational liability and the personal liability of directors and managers
  Example: Misrepresentation; defamation; corporate insolvency


managers understand the critical drivers of reduced long-term risk and related costs as well as increased long-term shareholder value. It also helps managers determine the value of the risk management efforts and improved internal control.

Inputs are the external environment in which the organization operates and the risks it faces. The organization’s ability to develop an appropriate internal environment — risk appetite and culture — to respond to external forces, to anticipate risks and allocate resources in its corporate strategy, and to develop specific risk management strategies to deal with these risks effectively is critical and is reflected in the strategic fit. The better the alignment between the organization’s internal strengths and its external opportunities and threats, the more effective is the risk management process. Existing organizational and governance structure and systems, such as incentive pressures, may either support the risk management strategy or inhibit the risk management efforts. Thus, if an organization wants to secure the necessary conditions for effective risk management processes, it must continuously examine its external environment and establish a risk culture and appropriate strategies, structures, and systems in relation to the defined environment. Inputs and processes are the most critical success factors.

Processes involve risk management leadership, risk management structure, and risk management systems. Committed leadership at the corporate level and focused efforts of the risk management leaders will affect the dedication of employees involved in the event identification, risk assessment, response, and control activities. Together with a carefully designed risk management structure, measurement and reward systems, and IT support systems, this will ensure the achievement of various risk management outputs. These include intermediate outputs, such as improved regulatory compliance, business process continuity, or enhanced internal and external reporting, and final outputs, such as reduced overall costs and increased revenues. Ultimately, effective risk management should lead to improved overall success and increased shareholder value (outcomes).

In Exhibit 8, inputs, processes, outputs (intermediate and final), and outcomes of risk management activities are further articulated as risk management objectives. This is consistent with the COSO framework. The list of risk

Exhibit 7: Risk Management Payoff Model — Antecedents and Consequences of Successful Risk Management

(Diagram: Inputs, Processes, Outputs (Intermediate and Final), and Outcomes, with a feedback loop from Organizational Success and Shareholder Value. The box labels recovered from the figure are listed below.)

INPUTS: Strategic, Operational, Reporting, and Compliance Risks; External Environment; Internal Environment; Strategy, Structure, Systems, and Resources; Risk Management Strategy

PROCESSES: Risk Management Leadership; Risk Management Structure; Risk Management Systems: Measurement & Rewards; Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring

OUTPUTS (Intermediate): Compliance with Regulations; Business Process Continuity; Enhanced Working Environment; Improved Resource Allocation; Enhanced Internal Reporting; Improved External Reporting; Improved Organizational Reputation; Reduced Earnings Volatility

OUTPUTS (Final): Reduced Costs: Reduction of Short-term Costs of Risk, Reduction of Long-term Costs of Risk, and Reduction of Other Costs; Increased Revenues; Increased Program Effectiveness

OUTCOMES: Organizational Success and Shareholder Value (Feedback Loop)


management objectives is not comprehensive; rather, it is an example of the type of objectives that might be selected. Ideally, all objectives should be quantified so that, later, the extent to which the objectives have or have not been achieved can be determined numerically.

After specific risk management objectives have been articulated, the drivers of risk management success (see Exhibit 9) must be determined. In order to identify the specific causes of risks, determine the best way to control them, and analyze the way in which specific risk responses affect overall organizational costs to produce financial benefits, managers need a clear understanding of the most influential drivers of risk management success and their causal relationships.

For example, consider that an organization’s risk objective is to prevent unauthorized transactions by employees. On one hand, the organization may invest resources in belief systems (communicating the core values of the company and expected employee behavior) and boundary systems (specifying actions and behaviors that are unacceptable) to prevent the risk from occurring (see Simons, 1999, for more on belief and boundary systems). On the other hand, the organization may increase risk awareness through training and encourage whistle-blowing through appropriate compensation and disciplinary systems, which may result in adequate risk identification, assessment, and response. In both cases, there should be a positive impact on business process continuity, resulting in sustained or increased revenues and decreased costs of risks, or both. Alternatively, if corporate and risk management strategies are aligned, the organization may allocate more resources to risk management initiatives and thereby further the implementation of appropriate boundary and diagnostic control systems, which may lead to the prevention of risks. Higher risk management spending may also increase employee awareness of risk and dedication to event identification, which may lead to timely risk responses. Both the prevention of risks and timely risk responses should enable the organization to sustain business process continuity and thus lead to higher customer satisfaction, sales, and revenues.

Exhibit 9 provides a comprehensive example of risk management drivers and the causal relationships among them. Since the causalities are based on assumptions regarding leading and lagging elements, these hypothesized relationships need to be tested and revised continuously. In practice, there are many more drivers of risk management success than those presented in Exhibit 9. Nevertheless, when examining causal relationships, organizations are likely to articulate fewer drivers so that the illustration is less complex and more easily understandable, thereby allowing managers to focus on the drivers and relationships that are the most critical.

Inputs

The Risk Management Payoff Model is an effective risk assessment framework. In order to use the model to manage risks properly, improve internal control, and create added value, senior managers must first evaluate the inputs — the external elements that will affect the design of the risk management process — with respect to the objectives and drivers of success.

All businesses are exposed to potential hazards. For each organization, the extent of exposure will vary according to the firm’s unique characteristics. Managers need to construct a comprehensive list of risks faced by the organization in order to ensure that all threats to achieving corporate objectives are assessed adequately, contained to a reasonable degree, and managed economically. Strategic, operational, reporting, and compliance risks, as presented in the risk classification scheme, are thus critical inputs in the Risk Management Payoff Model.

The external environment is defined by the industry in which the organization operates; the country-specific political, economic, legal, and social forces; and the location of production and other facilities. These elements affect the risks that the organization faces and should be considered in the design of a risk management system. A Booz Allen Hamilton analysis of 1,200 firms found that the poorest performers destroyed almost seven times more value through strategic missteps related to the business environment (e.g., ineffective reaction to competitive pressures, poor forecasting of customer demand, etc.) than through compliance failures. These findings suggest that, to manage growth, organizations must design robust and integrated strategic planning processes built on a broad understanding of all risks to the business (Kocourek et al., 2004).


Exhibit 8: Risk Management Payoff Model — Setting Risk Management Objectives

Outcomes
  Increased Long-term Organizational Success and Shareholder Value
  Increased Short-term Organizational Success and Shareholder Value

Outputs: Final
  Reduced Costs: Reduction in short-term costs of risk by $1 million
  Increased Revenues: Increase in new-customer sales by $2 million
  Increased Program Effectiveness: 10 percent increase in customer satisfaction

Outputs: Intermediate
  Regulatory Compliance: Full compliance with strategically relevant regulations
  Business Process Continuity: Zero unplanned process interruptions
  Enhanced Working Environment: 10 percent increase in labor productivity
  Improved Resource Allocation: Focus on compliance risks
  Enhanced Internal Reporting: Reliable, accurate, and on-time information
  Improved External Reporting: Reliable financial and other reports for external use
  Organizational Reputation: Sustained or enhanced corporate reputation
  Reduced Earnings Volatility: Reduction in earnings distribution
  Reduced Cost of Capital: Reduction in cost of capital by 0.2 percentage points

Processes
  Risk Management Leadership: Full commitment and focus
  Risk Management Structure: Full integration into business unit structure
  Risk Management Systems:
    1. Measurement & Rewards: Optimal balance between belief systems, boundary systems, diagnostic control systems, interactive control systems, and traditional control systems
    2. Risk Management Process:
       Event Identification: Enhanced risk identification techniques
       Risk Assessment: Increased quantification of risks
       Risk Response: Adequate risk response strategies
       Control Activities: Ongoing control of risk responses
       Information & Communication: High risk awareness throughout the organization
       Monitoring: Ongoing monitoring activities

Inputs
  Risks: Development of a list of potential risks
  External Environment: Ongoing monitoring of external environment
  Internal Environment: Appropriate risk management philosophy, integrity, and ethical values
  Corporate Strategy: Strategic fit between the internal potential and external opportunities
  Organizational Structure: Appropriate organizational architecture and governance structure
  Organizational Systems: Suitable training and incentive systems, IT support systems
  Organizational Resources: Adequate capital and people
  Risk Management Strategy: Risk objectives coherent and aligned with the corporate strategy


The internal environment is the tone of the organization as revealed in its risk management philosophy, integrity, and ethical values. It is essential that all employees know how their actions affect one another and contribute to achievement of the organization’s risk objectives. In addition, developing and maintaining the right corporate culture is extremely important, since employees tend to copy the behavior of their superiors. For example, if employees see dishonesty and corruption at high levels, they often believe that this is acceptable. Some companies with demonstrable risk management processes collapsed (e.g., Enron) partly because they failed to take issues of culture and integrity into account, and procedural controls masked the existence of fraud. The way the business and its controls interact with people and, in particular, the way the organization communicates its attitude toward transgressions are elements of the internal environment that should not be ignored.

Corporate strategy includes both the organization’s goals (corporate strategic objectives) in terms of its markets, products, and technologies and the plan for achieving these objectives. An organization expanding its operations to new markets, developing new products, targeting new market segments, or adopting new production technology may face new, more numerous, and more complex risks, which will affect the design of the risk management process.

Another important determinant of the design of the risk management process is the organizational structure. This includes the number and geographical location of business units and

Exhibit 9: Risk Management Payoff Model — Drivers of Risk Management Success and Causal Relationships

(Causal diagram arranged by level: Inputs, Processes, Outputs: Final and Intermediate, and Outcomes. Only the driver labels survive extraction; the arrows between them are not recoverable here. Labels shown: Risk management philosophy and ethical values; Appropriate compensation and disciplinary systems; Aligned corporate and risk management strategies; Risk management spending; Needed risk management knowledge and skills; Risk training and literacy; Risk awareness; Event identification and assessment; Adequate risk response strategies; Prevention of risks; Diagnostic control systems; Boundary systems; Ongoing monitoring of risk drivers; Compliance with laws & regulation; Business process continuity; Enhanced internal and financial reporting; Enhanced working environment; Increased productivity; Improved reputation; Improved resource allocation; Reduced earnings volatility; Reduction of short-term cost of risk; Decreased cost of capital; Greater sales; Increased Revenues and Program Effectiveness; Decreased Overall Costs; Increased Organizational Success and Shareholder Value.)


departments, lines of authority and responsibility, and lines of reporting. An organization with a large number of strategic business units having a high degree of autonomy and spread across a wide geographical area will have a different risk management process than an organization with a simple, centralized organizational structure. It should be noted that organizational structures differ greatly in the handling of risk information and in the associated control mechanisms.

Organizational systems also shape the risk management process and include such elements as control systems, IT support systems, and compensation and disciplinary systems. Belief systems — communicated through mission statements, credos, and statements of values — may create a culture that rewards integrity and clarifies the types of choices that should be made in the face of temptation (Simons, 1999). IT support systems such as software tools may either limit the risk management process or enable the organization to quantify its risks more accurately and prepare alternative scenario analyses. Incentive systems may be aligned with the risk management philosophy, organizational view of integrity, and corporate ethical values or lead to dysfunctional employee behavior. An example of the latter is the case of Bankers Trust Company, a traditional commercial bank whose incentive system rewarded bankers and traders for creating and pushing new products as fast as they could. As a consequence of this incentive pressure, Bankers Trust was sued in 1995 by several clients for misrepresenting the risks associated with new financial products. This resulted in millions of dollars of fines, customer reimbursement costs, and the dismissal of top executives (Simons, 1999).

Organizational resources that are of vital importance to effective risk management include both the financial and the human resources needed for risk prevention, event identification, assessment, response, control, communication, and monitoring. In light of the challenges of complying with Section 404, many public companies are now facing the problem of unqualified or inadequate finance staffs. For example, AXA, an international insurance giant, was found to have insufficient personnel in the corporate accounting department and Advanced Materials Group Inc. was found to be operating with no full-time CFO and a lack of staff expertise (Nyberg, 2004).

Risk management strategy — what the organization aspires to achieve in terms of its risk exposure and risk management — must be consistent with corporate strategy, structure, and systems. Objective setting is an integral part of this input and involves articulating specific operational, reporting, and compliance risk objectives. Risk management strategy must specify the organization’s risk appetite (risk tolerance), which may vary with different categories of risk. For example, an organization may have a low risk appetite relative to all compliance objectives but a high risk tolerance for operational objectives that include innovation and commercial risks. Organization-level risk objectives must be integrated with more specific risk objectives for strategic business units and business functions (e.g., IT, human resources, health and safety, production and engineering, etc.).

Processes

After senior managers have evaluated the inputs that affect successful risk management activities, they must plan, develop, and execute risk management processes. Careful attention to both inputs and processes with respect to objectives and success drivers will determine the risk management consequences: outputs and outcomes.

The new regulatory demands on risk management processes and internal controls require a significant shift in thinking and leadership. Organizational leadership at all levels — that of the board, senior management, and the risk management group — must be committed to risk management and provide a role model for employees in terms of ethical values and behavior. In addition to regulatory compliance, the leadership focus should be on seizing the opportunities emanating from internal or external sources and gaining competitive advantage. The example of Citigroup, the world’s largest bank and a pioneer in international finance, provides a warning. Japanese regulators required the bank to close its private banking unit in Japan for, among other things, failing to guard against money laundering. Senior executives knew that their actions were violating the rules and a number of employees were fired, including three prominent senior executives (O’Brien and Thomas, 2004).

Risk management structure provides the framework to plan, execute, control, and monitor risk management activities. Transparency in the assignment of roles and responsibilities to the risk management function enables improved accountability and awareness and, ultimately, improved management and control. A risk management committee may include the CEO, the CFO, a corporate risk manager, the treasurer, the manager of corporate audit, a compliance manager, and divisional managers. In addition to recommending policy and process, this committee would be responsible for formal reporting to the audit committee of the board of directors on risk management performance. The internal audit function must be structured in such a manner that organizational objectivity is achieved and access to top management and the audit committee is unrestricted.

Many organizations recognize that improved decision making generally results from a well-structured framework for risk and assurance. At United Grain Growers, a Canadian grain handler and distributor of crop inputs, the risk management committee is responsible for assembling comprehensive information on performance in relation to the full range of risk exposures; the previous practice had been limited to reports of adverse experiences with insured risks, treasury, and derivatives trading (Barton et al., 2002). Without an appropriate risk management structure, organizations can easily miss new or changed risks and be unable to exploit opportunities.

Risk management systems encompass specific controls aimed at preventing the occurrence of risks. These include belief systems to expound the core values of the business, boundary systems to identify specific actions and behaviors that are unacceptable, diagnostic control systems to monitor critical performance variables, interactive control systems to stimulate learning, and traditional internal control systems (Simons, 1999). Risk management systems may also include compensation and disciplinary systems, specific policies relating to risk training, and human resource standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior (COSO, 2004a). Finally, risk management systems incorporate six components of the COSO framework: event identification, risk assessment, risk response, control activities, information & communication, and monitoring. Organizations must develop appropriate activities for each of these six components.

There must be consistency in the risk management system throughout the organization. For example, every business unit should use the same definition of risk and control, adopt the same criteria for evaluation, follow a standard process for defining what is material or significant, and test to the same extent.

Outputs

Managing risk effectively can result in several beneficial outputs, including compliance with laws and regulations, secured business process continuity, enhanced working environments, better allocation of resources, improved internal reporting and external disclosure, an increase in organizational reputation, reduced cost of capital, and a reduction in earnings volatility. These benefits are all considered to be intermediate outputs because they lead, in turn, to the final outputs of reduced overall costs and increased revenues.

Compliance with laws and regulations includes the adequate design and operation of internal control as well as adherence to other legal guidelines, such as health and safety regulations, anti-competitive practices, commercial and professional indemnity rules, intellectual property regulations, employment practices regulations, and the like. By identifying, assessing, and properly responding to the risks related to laws and regulations, organizations can prevent the tremendous loss of organizational resources and avoid the unnecessary costs of prosecution and penalties.

Business process continuity is reflected in on-time deliveries of products and services, zero unplanned interruptions in the functioning of information systems, zero unplanned production downtime, and generally smooth execution of the business process. This continuity is best achieved through a carefully elaborated risk management framework supported by a disaster recovery plan that covers critical risks, users, systems, and procedures, and is tested and updated to reflect changing conditions at least annually. Maintaining business process continuity is essential to profitability.

Evidence of an enhanced working environment can be seen in reduced absenteeism and turnover and in increased productivity and creativity among employees. According to the Health and Safety Executive, 40.2 million working days were lost in the United Kingdom in 2001-2002 due to work-related illness and injury, representing billions of pounds in lost revenues. Thus, the ability to identify and manage workplace risks alone can result directly in an increase in productivity and profitability (Cottell, 2003).

Channeling appropriate resources to the most significant risks is more cost-effective and efficient overall. This improved allocation of resources is an important result of effective risk identification and measurement and contributes directly to the bottom line.

Based on effective risk management processes, enhanced internal reporting of risk and control information can lead to improved decision making with respect to taking on risks knowingly, a more effective balance between risk and reward, and better responsiveness to internal and external activities and change. Improved internal communication and knowledge sharing can increase understanding of the main risks to the business and the effective strategies put in place to address these issues. Reliability, relevance, and timeliness of information will also improve internal reporting of other information, such as financial or operating information, so that heads of business units and senior managers can make better business decisions.

Organizations are required to provide quality information to external stakeholders, and to ensure honest, balanced, and complete external reporting. With a proper risk management framework, an organization can produce reliable external reporting that will affect the organization’s reputation and shareholder value in a positive way.

Improved organizational reputation is one of the most important outputs of successful risk management activities and the loss of reputation is one of the most significant risks that organizations face today. A recent survey of over 100 CEOs of major European corporations ranked reputational risk as the second biggest threat to business, after business interruption. The same survey also ranked the effective management of reputational risk as the most important opportunity for increasing shareholder value (Blunden and Allen, 2003). A change in reputation impacts not only the immediate earnings of the organization but also several years of future earnings. Damage to an organization’s reputation can be accompanied by direct, short-term losses, such as regulatory fines, that affect the profit and loss statement almost immediately. However, most organizations consider the indirect, future loss from public disclosure to be far more significant, as well as more costly.

Organizations can be proactive by building up reputational capital. For example, JP Morgan Chase, a New York-based leader in investment banking and asset management, released a free publication of its value-at-risk methodology that led to the broad adoption of this model in the financial markets and enabled the organization to establish a reputation for cutting-edge risk management (Blunden and Allen, 2003).

Reduction of earnings volatility can be an output of integrated risk management. By bundling the management of various risks into one framework, organizations can not only eliminate the costs of operating multiple programs but also offset a negative experience relative to one risk with a favorable experience relative to another. This can reduce the volatility of earnings, which, in turn, can not only reduce share price volatility but also increase the average share price over time.

Reduced cost of capital is a benefit that for-profit organizations can expect from an integrated risk-financing program. With integrated risk management, an organization can increase its leverage capacity by transferring part of a previously retained risk to a third party. The higher debt levels, carrying a lower cost than equity and forming a greater proportion of total financing costs, reduce the overall cost of capital to the organization. With respect to not-for-profit organizations, the corresponding benefit is the reduced cost of funds acquisition.

The intermediate outputs described above result in improvements in two final outputs: notably reduced costs and increased revenues at the organizational level.

Reduced costs include reductions in the short- and long-term costs of risk and in overall costs. The short-term costs of risk include the costs of prosecution and penalties. Typically, the reduction of costs in this area is a direct consequence of increased compliance with legislation. For example, implementation of health and safety standards in the workplace prevents work-related injury, illness, and death. The long-term costs of risk are reduced as a result of the portfolio effect, which should be of particular interest to all organizations. For example, discounts on the cost of insurance can be given for a wide range of risk management measures, including enhanced security, improved safety equipment, and new safety policies for staff. By bundling risks into a portfolio rather than managing them separately, United Grain Growers was able to use the very low loss ratios on some lines of insurance to offset less favorable loss ratios on other lines, and integrate insured business risks with non-insurable risks (e.g., grain-handling volume). As a result, the long-term cost of risk was reduced significantly (Barton et al., 2002). Overall cost reductions occur when unforeseen events are reduced in number, the associated costs being avoided, and when foreseen risks are planned and well-controlled, the associated costs being reduced.

Increased revenues, in the case of for-profit organizations, and increased program effectiveness, in the case of not-for-profit organizations, result from several intermediate outputs. Compliance with regulations has a positive effect on business process continuity, which can increase customer satisfaction and loyalty and lead to higher revenues. An enhanced working environment increases employee satisfaction, motivation, and productivity and can lead to increased sales. Enhanced internal reporting supports better decision making and, together with improved external reporting, can increase organizational reputation, impact stakeholder perceptions and customer satisfaction, and lead to increased revenues.

Outcomes

For the risk management initiatives to be of value, the outputs must pay off eventually in the outcomes of increased organizational success and improved shareholder value. In other words, organizations can increase corporate success and shareholder value by using integrated risk management to reduce costs, increase revenues, and enhance program effectiveness.

Metrics

In order for senior managers to monitor the drivers and causal relationships in the Risk Management Payoff Model, appropriate measures must be developed that are consistent with, and supportive of, the objectives and drivers of success. The same metrics are not appropriate for every organization. Exhibits 10, 11, 12, 13, and 14 present a selection of possibilities rather than a comprehensive set of measures for effective risk management and internal control. Managers must select or adapt a few metrics that most closely fit the corporate and risk management strategy of their respective organizations.

It is important to focus on the key indicators, rather than introduce indicators for everything that can be measured, and to choose a manageable number of performance measures. In this way, decision makers will be able to focus on the critical elements of organizational success rather than try to cope with every aspect of the risk management process. However, with respect to the metrics for risks (Exhibit 10), organizations should have measures in place for all subcategories of strategic, operational, reporting, and compliance risks that the organization faces.

Managers can encounter various difficulties when applying risk management performance measures. For some metrics, particularly with regard to intermediate and final outputs, existing data may be insufficient. For drivers such as enhanced working environment or increased organizational reputation, managers must establish baseline indicators with initial measurements in order to demonstrate improvement. In order to compile a satisfactory profile of some risks, it may be desirable to gather data going back as far as 15 years. Finally, business risks that are not easily measurable are difficult to quantify at all. When sufficient credible data for a quantitative assessment are not practically available or when the risk does not lend itself to quantification, qualitative techniques must be used for risk evaluation. For example, with respect to technology and regulatory risks, the only measurement that can be made is a subjective ranking based on dollar effects or severity of impact; in such cases, it is common to use a scale from 1 (highly critical) to 3 (least important), with 2 indicating moderate importance.

The results of risk assessment can be projected on a risk map. Individual risks are prioritized on the map according to level of importance (significance), probability (frequency), and potential costs and benefits. In constructing a risk map, managers should consider a plan of three years or longer.

The selection of appropriate performance measures should enable managers to monitor on an ongoing basis the risks to which the organization is exposed, the level of organizational preparedness for coping with risks, and the quality of the organization’s risk management process in terms of outputs and financial consequences.

Calculating the Payoff

The implementation of SOX requirements, particularly those related to Section 404, presents organizations with many challenges, complexities, and new costs. However, with an approach to risk assessment and management that goes beyond the evaluation of internal control over financial reporting, organizations can realize benefits far wider than enhanced investor confidence in financial reporting.

Exhibit 10: Risk Management Payoff Model: Examples of Metrics for Inputs

Inputs / Performance Measures

Risks
o Increase in number of customer complaints about service
o Percentage of jobs filled with newcomers
o Rate of expansion of operations relative to increase in organizational capacity to invest in more people and technology
o Percentage of business based on new products and services generated by creative, risk-taking employees
o Increase in frequency of failed deals, new products, or new services

External Environment
o Potential changes in laws and regulations
o Political and cultural climate
o Availability and cost of labor, materials, and capital
o Changing customer tastes and preferences
o Changes in competitive position of the organization

Internal Environment
o Percentage of employees familiar with the organization’s risk management philosophy and risk appetite
o Percentage of employees familiar with the organization’s risk management strategic objectives
o Percentage of employees familiar with the corporate ethical values

Corporate Strategy
o Number of risk management projects approved in the strategic plan
o Type of risk management projects (strategic, operational, reporting, and compliance) approved in the strategic plan
o Percentage of aggressive stretch goals that are set from the top down with little or no input by subordinates

Organizational Structure
o Level of risk management empowerment experienced by business units and functional managers
o Clarity in delegation of risk roles and responsibilities

Organizational Systems
o Likelihood that employees are misconstruing the intentions of senior managers
o Likelihood that employees are taking on unacceptable levels of risk for personal gain
o Percentage of total compensation represented by performance-variable pay
o Percentage of employees ranked for purposes of comparison
o Dollars invested in risk-related IT support systems
o Percentage of hardware, databases, communications systems, and applications systems that are standardized
o Number of IT applications that are not fully integrated with the overall IT system
o Percentage of systems developed/maintained outside the organization

Organizational Resources
o Rate of growth in risk management spending relative to rate of growth in direct total spending
o Dollars available for risk management infrastructure investment
o Size of systems security budget relative to total risk management budget
o Dollars available for employee risk management training and development
o Level of employee risk management literacy
o Percentage of finance and accounting staff with adequate qualifications

Risk Management Strategy
o Number and scope of risks covered by risk management strategy
o Level of integration planned in managing strategic, operational, reporting, and compliance risks
o Anticipated increase in corporate reputation due to risk management
o Anticipated level of business process continuity due to risk management
o Planned reduction in annual total cost of risk
o Planned costs, benefits, and profitability of risk management projects

The Risk Management Payoff Model presented in this guideline provides organizations with a framework for the identification and assessment of various risks. Using the metrics selected in the model, managers can also determine the economic payoff of risk management activities. Exhibit 15 illustrates the calculation of ROI for a risk management initiative.

Step 3: Risk Response

In responding to risk, it is important for the organization to consider both the type and scale of risk that it should embrace and the extent to which stakeholders can be expected to accept the commercial consequences, if the risk materializes. Using the quantification process outlined in the Risk Management Payoff Model, the organization can determine the most appropriate response to a given risk and assess the effectiveness of the risk management processes and controls already in place. If these are found to be insufficient or excessive, and thus not cost-effective, the organization can use the knowledge it gains from the Risk Management Payoff Model to reallocate capital or resources.

In general, risk responses include:

● Acceptance (no action taken to affect risk likelihood or impact). Usually, organizations accept risks because they can withstand the impact, they have transferred the risk, or they have reduced the risk to a tolerable level. It is the CEO’s responsibility to clarify with the board of directors both the categories of risk and the extent of exposure that are considered acceptable for the organization;

● Sharing (risk likelihood or impact reduced by transferring or otherwise sharing a portion of the risk);

● Transfer (risk passed to an independent, financially capable third party at a reasonable economic cost under a legally enforceable arrangement). For many years, buying insurance was seen as the only risk management tool that organizations could employ. Today, although insurance can help to provide financial security against unforeseeable events, other forms of risk management are essential to help guard against foreseeable risks that essentially remain within the control of the organization. Ways to transfer risk include buying insurance, hedging risk in the capital markets, sharing risk through joint venture investments or strategic alliances, arranging outsourcing that is accompanied by a contractual risk transfer, and indemnifying risk through contractual agreements (DeLoach, 2000);

● Reduction or mitigation (action taken to reduce risk likelihood or impact, or both). Building controls in response to risk is a form of mitigation. The CEO should evaluate the organization’s ability to reduce the incidence of risks and the impact on the business; and

● Avoidance (exiting the activities that give rise to risk).

Exhibits 16, 17, 18, and 19 illustrate selected approaches and techniques for the prevention, reduction (mitigation), transfer, and sharing of strategic, operational, reporting and compliance risks. When choosing an approach, an organization will be influenced by its risk appetite, or that of its stakeholders. In addition, the organization should consider the costs of operating particular controls relative to the benefit obtained in managing the risks.

In addition, risk response involves planning and preparing to take action in the event that a disaster occurs. This may include practicing specific responses to hazardous situations or worst-case scenarios.

Exhibit 11: Risk Management Payoff Model: Examples of Metrics for Processes

Processes / Performance Measures

Leadership
o Percentage of senior executives’ time dedicated to risk management
o Percentage of annual budget allocated to risk management initiatives
o Percentage of CEO’s and CFO’s bonuses linked to decrease in overall cost of risk
o Percentage of senior managers literate in risk management

Structure
o Clearly defined and transparent risk management roles and responsibilities
o Degree of board’s independence from management
o Level of experience and expertise of board members
o Ratio of risk management support staff to total number of employees
o Number of risk management professionals per employee

Systems: Measurement & Rewards
o Percentage of employees compensated according to risk management effectiveness
o Percentage of employees’ variable pay linked to reduced long-term cost of risk
o Percentage of risk management support staff receiving pay-for-performance compensation
o Percentage of employees aware of the critical performance variables
o Frequency of updates to risk policy and procedures
o Frequency of government regulations compliance checks

Event Identification
o Percentage of employees involved in the risk identification processes
o Number of different risk identification techniques applied
o Number of risk identification initiatives using both future- and past-oriented techniques
o Number of tests of risk occurrence applied
o Percentage of uncertainties identified as risks
o Percentage of risks identified that require regulatory compliance
o Percentage of risks identified that require competitive repositioning

Risk Assessment
o Percentage of risks assessed with quantitative techniques
o Percentage of risk rankings validated by specialists’ opinions
o Percentage of risks assessed with respect to cost/benefit
o Percentage of risk costs sufficiently defined and broken down

Risk Response
o Percentage of risks avoided with no costs
o Percentage of risks reduced, transferred, shared, or accepted
o Percentage of risks managed integrally

Control Activities
o Percentage of risk responses controlled by top-level reviews
o Percentage of risk responses controlled by direct functional or activity managers
o Number of executed periodic threat analyses of extremist groups with respect to current operations
o Percentage of key areas (units) under camera surveillance to identify potential fraud or illegal activity

Information & Communication
o Percentage of senior managers and employees that understand the objectives of risk management initiatives
o Dollars invested in employee risk awareness
o Dollars invested in improving risk management skills and knowledge
o Percentage of corporate-level performance measures and rewards linked to risk management effectiveness

Monitoring
o Percentage of risk project evaluations based on Return On Investment (ROI) metrics
o Percentage of risk management initiatives monitored on an ongoing basis

Exhibit 12: Risk Management Payoff Model: Examples of Metrics for Intermediate Outputs

Intermediate Outputs / Performance Measures

Compliance with Regulations
o Evaluation of effects of proposed or pending legislation on current operations
o Percentage of relevant legal and regulatory risks that have been avoided by complete compliance with laws and regulations
o Percentage of relevant legal and regulatory risks that have been reduced by partial compliance with laws and regulations

Business Process Continuity
o Percentage of information system downtime that was unplanned
o Amount of time saved, previously earmarked for disaster recovery/business continuity efforts
o Percentage reduction in operating cycle time
o Percentage reduction in ordering, invoicing, tracking, and payment
o Average time required to fill and process a customer order
o Percentage increase in number of customer orders processed
o Timeliness in order deliveries
o Percentage reduction in customer grievances
o Dollars saved based on time saved
o Percentage increase in capacity utilization
o Change in fixed costs per unit of capacity
o Percentage of processes improved

Enhanced Working Environment
o Dollars saved due to improved health and safety conditions
o Dollars saved due to decrease in absenteeism
o Dollars saved due to lower rate of employee turnover
o Dollars saved due to reduction in costs of employee grievances
o Dollars saved due to reduction in costs of labor union grievances
o Percentage increase in production output per employee
o Dollar increase in sales due to productivity improvements
o Percentage turnover in risk management support staff

Improved Resource Allocation
o Percentage of risks for which risk management responses were developed as part of an integrated risk-financing program
o Financial effects of the integrated risk-financing program

Enhanced Internal Reporting
o Dollars saved due to increased IT security (i.e., reduced IT system downtime, reduced incidence of fraud, etc.)
o Dollars saved due to improved information quality (i.e., improved timeliness, accuracy, relevance, etc.)
o Time saved due to improved quality of information and internal reports
o Change in auditor’s evaluation of the quality of internal reports

Improved External Reporting
o Increase in shareholder satisfaction with financial reporting and risk disclosure
o Increase in satisfaction of other stakeholders with financial reporting and risk disclosure
o Change in auditor’s evaluation of the quality of financial reports

Improved Organizational Reputation
o Improved corporate reputation ranking
o Frequency of positive media coverage
o Improvements in the ratings of corporate brands

Reduced Earnings Volatility
o Percentage reduction in earnings volatility

Reduced Cost of Capital/Funds Acquisition
o Percentage reduction in cost of capital
o Percentage reduction in cost of funds acquisition

Exhibit 13: Risk Management Payoff Model: Examples of Metrics for Final Outputs

Final Outputs / Performance Measures

Reduced Costs
o Percentage reduction in costs of prosecution and penalties
o Percentage reduction in overall short-term costs of risk
o Percentage reduction in overall long-term costs of risk
o Percentage reduction in overall operating costs

Increased Revenues
o Increase in sales due to business process continuity
o Increase in sales due to improved organizational reputation
o Percentage of sales from new customers
o Increase in sales from existing customers
o Number of new customer partnerships created due to improved regulatory compliance

Increased Program Effectiveness
o Percentage of strategic non-financial goals achieved
o Increase in customer satisfaction
o Increase in customer loyalty

Exhibit 14: Risk Management Payoff Model: Examples of Metrics for Outcomes

Outcomes / Performance Measures

Long-term Organizational Success/Shareholder Value
o Percentage change in stock price attributable to risk management initiatives
o Percentage of strategic financial goals achieved
o Economic Value Added (EVA)
o Growth in earnings
o Return on Assets (ROA)
o Return on Equity (ROE)

Short-term Organizational Success/Shareholder Value
o Growth in cash flow
o Value added per employee
o Profitability of risk management projects
o Market value of financial instruments relative to contract value

Exhibit 15: Risk Management Payoff Model: Calculating ROI for a Risk Management Initiative

CALCULATE THE MONETARY VALUE OF THE BENEFITS OF THE RISK MANAGEMENT INITIATIVE

Outputs | Benefits | Monetary Value
Compliance with Regulations | Reduced costs of prosecution and penalties | $...................
Business Process Continuity | Labor hours saved, machine hours saved, reduced cost of grievances, etc. due to increased on-time deliveries | $...................
Enhanced Working Environment | Increase in output (units produced, services offered) | $...................
Improved Resource Allocation | Savings in costs due to efficient capital allocations | $...................
Enhanced Internal and External Reporting | Reduced direct administrative and operating costs, reduced incidence and costs of fraud, etc. | $...................
Corporate Reputation | Increased sales from existing and new customers | $...................
Reduced Earnings Volatility | Increase in shareholder value | $...................
Reduced Cost of Capital | Savings in costs of equity financing | $...................
Total Benefits | | $...................

CALCULATE THE TOTAL COSTS OF THE RISK MANAGEMENT INITIATIVE

Costs | Description | Value
Front-end Direct Costs of Risk Initiative | Costs of event identification, assessment, and response (e.g., hardware, software, installation and configuration, training, etc.) | $...................
Disruption Costs Related to Human Factors | Hours lost because of risk training, decline in labor productivity, decline in product and service quality, lost revenues | $...................
Disruption Costs Related to Organizational Factors | Costs of organizational restructuring, technical disruptions, breakdowns in service | $...................
Total Capital Costs | | $...................
Operating Costs of Risk Management Initiative | Costs of control activities, information & communication, and monitoring | $...................
Total Operating Costs | | $...................

CALCULATE THE ROI OF THE RISK MANAGEMENT INITIATIVE

ROI = (Total Benefits – Operating Costs) / Capital Costs (Investment) × 100

Step 4: Control

Control policies and procedures are needed to help ensure that the chosen risk responses are carried out properly and in a timely manner. Such activities typically include top-level reviews, direct functional or activity management, and the segregation of duties as well as the use of physical controls, information processing, and performance indicators. Control procedures can be implemented manually or make use of computers or other devices. Because risks change over time, ongoing evaluation is needed of both the risks and the policies and procedures designed to manage and control them.

The Risk Management Payoff Model adds an extra dimension of control. Using the framework outlined above, organizations can determine whether or not the anticipated intermediate and final outputs have been realized and calculate the monetary effects (payoffs) of risk management initiatives. Thus, the model represents a control device for evaluating the efficiency of the risk management process.

Step 5: Information and Communication

Within the organization, effective risk communication is essential. Employees at all levels must understand the definition of risk, the corporate attitude to risk, the organization’s exposure to different risks, the consequences of those risks, and the organization’s response to them. This information can be disseminated by means of employee manuals, bulletins, and the corporate intranet. In addition, management must provide employees with specific and directed communication that addresses behavioral expectations for individuals and the risk-related responsibilities of personnel. This should include a clear statement of the organization’s risk management approach and a clear delegation of authority.

Generally, risk communication should convey the commitment of senior management to the effective management of risk. More specifically, it should convey:

● the importance and relevance of an effective risk management framework;

● the organization’s risk-related strategic objectives;

● the organization’s risk appetite (risk tolerance); and

● the role and responsibilities of personnel in effecting and supporting the risk management efforts (COSO, 2004a).

Some companies communicate the importance of effective risk management by establishing a link with employee incentives. For example, shareholder value-added (SVA) is applied at JP Morgan Chase (Barton et al., 2002). This metric calculates profit by subtracting a charge for invested capital from cash operating earnings. The more risk taken by a decision maker on the organization’s behalf, the higher the capital charge. By introducing SVA, an organization could ensure that all business decisions involve an explicit consideration of risk.

At the board level, risk information must communicate the principal business threats and opportunities, the type of controls that are being implemented, and the relationship between the achievement of strategic and operational objectives and risk performance measures. A top-level risk management report should be provided to both the CEO and the auditor and should ensure that both individuals achieve a clear understanding of the level of risk exposure and the effectiveness of the controls in place.

External stakeholders are interested in the risk-taking policy of the organization, the specific risks to which the organization is exposed, and the way in which those risks are managed. Communication of relevant risk-related information to shareholders, regulators, financial analysts, and other external parties leads to a better understanding of the circumstances and risks the organization faces. In addition, public expectations are growing with respect to reliability and security in financial reporting and in the disclosure of risks. Accordingly, risk-related communication should be meaningful, pertinent, timely, and in conformance with legal and regulatory requirements.

Exhibit 16: Responding to Strategic Risks

Strategic Risks / Approaches and Techniques

Economic Risks: Derivatives (futures, options, and swaps)

Industry Risks: Ensuring compliance with laws and regulations; training employees in compliance culture with respect to their dealings with customers, suppliers, and competitors

Strategic Transaction Risks: Derivatives (futures, options and swaps)

Social Risks: Marketing research; environmental scanning

Technological Risks: Industry analysis; environmental scanning

Political Risks: Lobbying

Organizational Risks: Adopting contemporary management control systems

Step 6: Monitoring

Businesses and circumstances change constantly, and risk management must evolve with them. Therefore, all aspects of the risk management process — risk identification, measurement, response, and control — need to be monitored. Risk-related strategic objectives, success drivers, and performance measures should be updated and elements of risk management modified as necessary. Generally, monitoring can be done in one of two ways: through ongoing activities or by means of stand-alone evaluations. The greater the depth and effectiveness of ongoing monitoring, the less need there is for separate evaluation projects. For example, Johnson & Johnson uses a highly interactive, long-range profit-planning system to assess opportunities and threats on a continuous basis. Under this system, managers constantly revise projections in response to three questions: What has changed? Why? What are we going to do about it? (Simons, 1999).

Given the ongoing changes in corporate governance, organizations also need systems to monitor developments in this area and to identify those aspects of the existing compliance, audit, and risk management programs in which revision is needed. The board of directors should ensure that such a system is implemented. For example, at Telus, the audit committee is responsible for reviewing and monitoring the risk management systems currently in place in order to mitigate the company’s exposure. The committee reviews the risk management goals, proposed changes, annual risk assessment flow, benefits, and the risk management matrix and timeline (Telus, 2004).

Another area of risk management that needs to be monitored is the organization’s contingency plan for business continuity. If the unexpected were to happen, critical business operations would have to be redeployed quickly, in order to reduce downtime and minimize the impact on productivity and profitability. In 2002, only 28 percent of organizations had a business continuity strategy in place, and this figure was lower in 2001 (McNeill, 2003). Managers need to identify the processes, equipment, and people that are essential for the organization to provide its customers with the products or services they need and, on that basis, construct a contingency plan for maintaining business operations. For the plan to be effective, it must be reviewed and rehearsed on a regular basis. It is advisable that the drills be as real as possible, with computers shut down, for example, or telephones switched off. Unless the plan is tested to this degree, participants, including senior management, may pay little attention to the rehearsal and flaws in the plan may go undetected. In many cases, a proven business continuity plan is essential for insurance coverage and may influence the insurer to retain more of the risk. The process described above can enable an organization to establish a viable plan for business continuity and significantly improve its management of risk.

RISK MANAGEMENT FOR SPECIFIC BUSINESS FUNCTIONS

Although the framework described above proposes measures for managing risks at the organizational level, and for complying with the new regulation on internal control, organizations face similar challenges in measuring and managing risks at the functional level. For example, operations and production

Operational Risks / Approaches and Techniques

Environmental Risks: Insurance; catastrophe plans and strategies; catastrophe protection products; compliance with environmental laws; certification on ISO 14001 (environmental controls within an organization)

Financial Risks: Regular credit checks on customers; setting terms of trade early in the process, checking invoices, and adopting a follow-up system; factoring and invoice discounting; derivatives (futures, options and swaps)

Business Continuity Risks: Avoiding overreliance on a key supplier; improving supplier management; adequate forecasting of demand; anticipating arrival of new competitors; anticipating a competitor’s promotion; coping with variability in production, bottlenecks, and IT systems; determining strategic inventory; establishing efficient internal control systems, rules, and policies; monitoring external risks; certification on ISO 9000:2002 (quality of products and services); outsourcing

Innovation Risks: Derivatives (futures, options and swaps); patent watches; outsourcing

Commercial Risks: Derivatives (futures, options and swaps); ongoing identification of potentially registrable rights; patent watches; securing licenses and permissions; outsourcing

Project Risks: Well-defined project strategy; effective and well-defined project management with identified timelines and milestone markers; clearly defined roles and responsibilities; good understanding of project-specific requirements; effective tax and Value Added Tax (VAT) planning; precise definition and breakdown of costs; good matching of time, cost, and quality; complete and sufficiently detailed timetable; coping with decisions on design; effective monitoring of time and cost; complete operating and maintenance information; outsourcing of specific project activities

Human Resource (HR) Risks: Adequate systems of promotion; regular reviews of staff competencies; effective antidiscrimination policies; transparent and fair compensation schemes; pre-employment health checks to identify existing problems; high-quality supervision and leadership; compliance with employment laws; outsourcing of specific HR activities

Health and Certification on OHSAS 18001 (health and safety within an Safety Risks organization); compliance with health and safety regulations;

development of guidelines for adherence to corporate safety and environmental standards; ongoing health and safety training; regular plant,machinery, and equipment inspections; occupational health programs; ensuring proper fit and suitability of employees’ personal protective equipment; employee rotation; routine drills of organizational response to fire and other hazards

Property Risks Insurance; ongoing identification of potentially registrable rights;adequate inventory and record keeping; securing licenses and permissions; staff training; clearly defined policies and guidelines

Reputational Risks Investment in branding; investment in socially responsible projects;advertising; political lobbying; communications strategy;maintaining relationships with the media;media training for relevant staff; commu-nication of company policies on ethical conduct and human rights to public security providers; product and service excellence programs

Exhibit 17: Responding to Operational Risks

S T R A T E G Y

M E A S U R E M E N T

M A N A G E M E N T

Page 33: MANAGEMENT ACCOUNTING GUIDELINE Identifying, …

functions must manage supply chain risks;human resources managers and legal staff needto address personnel risks and health and safetyrisks; environmental quality managers have todeal with environmental regulation complianceand related risks; and R&D managers must findways to manage innovation and commercial risks.In addition,many of these business functions havegrown in importance recently and experiencedincreased pressure for accountability withrespect to resources used. As a result, specificbusiness functions will find it useful to apply theRisk Management Payoff Model in order toidentify,measure, respond to, control, andmonitor risks more carefully, as well as calculatethe payoffs of risk management initiatives.

INFORMATION RISK

Information is at the heart of risk management, yet is itself a source of risk. Although information technology plays a critical role in many companies today and is expected to extend its influence to virtually all organizations in the near future, most companies do not have a formal process in place to identify potential risks associated with IT, or to trace their sources. Information risk can be managed successfully only if IT risk strategies are integrated with the firm's overall business risk strategies. Failure to do so makes it difficult to identify the links between business processes and the business risks that result from the use of IT.

Some of the most worrisome IT risks relate not to the technology itself but to the integrity and security (in particular, the confidentiality) of the information. For example, the information on which management relies for decision making and reporting must be relevant, current, accurate, and representative. In addition, certain information must not fall into the hands of the organization's competitors and thereby become a threat to the business.

Reporting Risks: Approaches and Techniques

Information Risks: Certification on BS 7799 or ISO 17799 (information security standards within an organization); password security and encryption; careful disposal of information; system design and training; random inspections

Reporting Risks: Certification on BS 7799 or ISO 17799 (information security standards within an organization); password security and encryption; careful disposal of information

Exhibit 18: Responding to Reporting Risks

Compliance Risks: Approaches and Techniques

Legal and Regulatory Risks: Certification on ISO 14001 (environmental controls within an organization); certification on BS 7799 or ISO 17799 (information security standards within an organization); password security and encryption; careful disposal of information; system design and training; random inspections; detective controls such as audits

Control Risks: Regular audits and inspections; risk policy, structures, and processes for responding to risk incidents; fraud awareness training; use of passwords and encryption; vetting all new and potential employees and following up on their references; establishing a system that ensures no single employee is in control of a financial transaction from beginning to end; safeguarding company check books and credit cards; maintaining a tight bookkeeping system

Professional Risks: Commercial and professional indemnity; employers' liability coverage; directors' and officers' liability insurance

Exhibit 19: Responding to Compliance Risks

The COSO framework specifically addresses the need for controls over IT and information systems. General controls ensure the continued, proper operation of all application systems and include controls over security management, IT infrastructure and management, and software acquisition, development, and maintenance. Application controls focus directly on the completeness, accuracy, authorization, and validity of data capture and processing. These controls help ensure that data are captured or generated when needed, supporting applications are available, and interface errors are detected quickly (COSO, 2004a). Application controls include balancing activities, check digits, predefined data listings, data reasonability tests, and logic tests.
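The application controls listed above are easiest to see in code. The following is an added example, not code from the guideline or from COSO: a constructed batch of journal-entry records is run through a balancing control, a check-digit test, a predefined data listing, a reasonability test, and two logic tests, and every failure is recorded as an exception for follow-up rather than dropped silently. The Luhn mod-10 algorithm stands in for the guideline's "digit checks"; the cost-centre list, the amount limit, the period-end date, and the record layout are assumptions made for the example.

```python
"""Application controls over a batch of journal entries (added example).

Constructed batch and assumed limits; not code from the guideline or COSO.
Each control type the text names is one check, and every failure becomes an
exception record for follow-up rather than a silent rejection.
"""
from dataclasses import dataclass
from datetime import date

# Assumed predefined data listing: the only cost centres the ledger accepts.
VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}
# Assumed reasonability bound for a single line item.
MAX_REASONABLE_AMOUNT = 250_000.00
# Assumed end of the period being closed; postings after it are a logic error.
PERIOD_END = date(2005, 3, 31)


@dataclass
class Record:
    """One journal line; amount is positive for debits, negative for credits."""
    ref: str            # document reference whose last digit is a check digit
    cost_centre: str
    amount: float
    posting_date: date


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check-digit test: catches any single mis-keyed digit and
    most adjacent transpositions in a reference number."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_append(payload: str) -> str:
    """Return payload with its Luhn check digit appended (how valid refs are issued)."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return payload + d
    raise ValueError("payload must be all digits")


def check_batch(records, control_total, control_count, as_of=PERIOD_END):
    """Run the application controls over one batch and return the exceptions."""
    exceptions = []

    # Balancing control: record count and amount total must agree with the
    # control totals keyed independently when the batch was prepared.
    if len(records) != control_count:
        exceptions.append(f"BALANCE: {len(records)} records, control count {control_count}")
    batch_total = round(sum(r.amount for r in records), 2)
    if batch_total != round(control_total, 2):
        exceptions.append(f"BALANCE: total {batch_total:.2f}, control total {control_total:.2f}")

    seen = set()
    for r in records:
        # Digit check: reject mis-keyed or transposed reference numbers.
        if not luhn_valid(r.ref):
            exceptions.append(f"{r.ref}: DIGIT CHECK failed")
        # Logic test: the same reference may not be posted twice in one batch.
        if r.ref in seen:
            exceptions.append(f"{r.ref}: LOGIC duplicate reference")
        seen.add(r.ref)
        # Predefined data listing: the field must hold an approved value.
        if r.cost_centre not in VALID_COST_CENTRES:
            exceptions.append(f"{r.ref}: LISTING unknown cost centre {r.cost_centre}")
        # Reasonability test: size of the amount within the expected range.
        if r.amount == 0 or abs(r.amount) > MAX_REASONABLE_AMOUNT:
            exceptions.append(f"{r.ref}: REASONABILITY amount {r.amount:.2f} out of range")
        # Logic test: nothing may be dated after the period being closed.
        if r.posting_date > as_of:
            exceptions.append(f"{r.ref}: LOGIC posted {r.posting_date} after {as_of}")
    return exceptions


def sample_batch():
    """Constructed batch: two clean entries and one that trips every control."""
    return [
        Record(luhn_append("1000123"), "CC100", 1200.00, date(2005, 3, 31)),
        Record(luhn_append("1000124"), "CC200", -1200.00, date(2005, 3, 30)),
        # Bad entry: the check digit should be 3, the cost centre is not listed,
        # the amount exceeds the limit, and the date falls after period end.
        Record("10001259", "CC999", 300_000.00, date(2005, 4, 2)),
    ]


def run_sample():
    """Exceptions for the sample batch, with control totals that do balance."""
    return check_batch(sample_batch(), control_total=300_000.00, control_count=3)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Note that the balancing control passes for the sample batch even though one entry is bad: a correct control total only proves that what was keyed matches what was prepared, which is why the row-level checks are run regardless, and why an exception list (rather than a pass/fail flag) is what the review step and the assurance report need.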

It is the responsibility of senior management to clarify what data should be protected, how sensitive this information is, how much protection is needed for different types of data, and how much risk the organization is willing to accept. Armed with this understanding, the IT department can then decide on the best way to provide the necessary security. It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.

Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures. It is also important to monitor the system. For example, an overall assurance report can be generated, detailing regular security checks, the exceptions that were found, the effectiveness of escalation procedures in containing incidents, and other relevant information.

RISK ASSESSMENT IN DUE DILIGENCE

Assessing risk is also an important part of the due diligence required with respect to both mergers and acquisitions. Surveys and reports by the media and financial analysts reveal that most mergers fail, and that due diligence is one of the determining factors. Although an acquisition typically involves the much simpler process of fitting a smaller organization into the existing structure of a larger, acquiring organization, the perils of bad risk assessment in due diligence are much the same as those encountered in a merger of equals.

Among the risks associated with mergers and acquisitions are those related to the conversion of existing systems and the initiation of new ones. The integration strategy should be well articulated and indicate the selected systems, processes, and practices that are most relevant to the functioning of the new entity. Targets and milestones must be created, especially for the measurement of synergies. Performance measurement systems must be aligned with the new strategy. Centralization of the IT function may be necessary to ensure compatibility and cohesiveness of data and to avoid adding unnecessary layers of technological complexity to the decision-making process. Specifically, it is critical to prevent deterioration of the key controls that were in place in the two organizations before they merged and to standardize the management of errors. Human resource issues must be handled with speed and clarity; employees of both organizations must be well informed of the severance policies and of the criteria for staff retention and promotion in order to prevent losing employees whose skills are vital to the new firm. Also, the issue of differing compensation programs must be resolved quickly (Epstein, 2004).

Additional risk is associated with the need for integration and conversions to be completed within a short period of time so that the new organization can conduct business seamlessly after the merger/acquisition is formally completed. At the same time, it is vital that legal and regulatory issues be considered carefully. The Risk Management Payoff Model represents a useful tool that can be applied in the context of due diligence to risks encountered both in the merger/acquisition process and in the continuing operations of the new organization.

COMPREHENSIVE RISK MANAGEMENT

Today, the risk management perspective is shifting from a fragmented (departments or business functions managing risks independently), ad hoc (according to need, as perceived by managers), and narrow approach (focused primarily on insurable and financial risks), to one that is integrated, continuous, and broadly focused. Everyone in the organization should view risk management as part of his/her job, and risk management efforts should be coordinated through senior-level oversight. The risk management process should be ongoing and all business risks and opportunities considered.


Although the management of many operational risks (e.g., financial) can be assigned to specific departments (e.g., treasury, insurance, audit, health and safety, procurement), strategic risk management cannot be delegated and remains firmly on the board agenda. It is the responsibility of the CEO to provide the leadership necessary for the active management of strategic risk, and he/she must be held accountable for it in his/her annual performance review and evaluation by the board. Strategic risk management should form a significant part of the CEO's job description and be a top priority for both the CEO and the senior management team.

Risk management should become an integral part of strategic and operational decision making throughout the organization. The Risk Management Payoff Model should be applied to all operational and capital investment decisions so that managerial assessment of risk exposure can be part of the decision-making process. Ex ante calculation of the costs and beneficial consequences of alternative scenarios can help managers make the right decisions. For example, if a company plans to expand its operations and build new production facilities in a foreign country, managers must first determine the risks to which the company would be exposed. After carefully evaluating these risks, they must develop alternative risk responses and calculate the costs and benefits associated with each. Similarly, in an organization planning to set up a new incentive system for salespeople, the unintended risks of incentive pressures must be foreseen in various circumstances. In one such scenario, employees feel intense pressure to succeed at all costs, even if their actions overstep ethical bounds, out of fear that failure to meet performance expectations will jeopardize their status and compensation.

Organizations can make risk consideration a part of the decision-making process by:

● articulating the organization's risk management attitude in the mission statement and strategic objectives;

● communicating the risk management philosophy, specifically the link between risk management and strategy; for example, Dupont emphasizes that risk must be managed not in isolation but with a full understanding of what the organization wants to achieve (Barton et al., 2002);

● consistently incorporating risk awareness in the budgets;

● instilling risk awareness in the corporate culture (which may have been focused on other objectives) and enabling employees to become aware of all risks that are faced, both positive and transferable (insurable);

● conducting risk education and training to ensure that employees understand how risks can be identified and managed;

● articulating risk policies and tolerances through the use of analytical tools and risk assessments;

● introducing mechanisms to connect performance evaluation and incentives to risk management initiatives; and

● making risk assessment a required annual exercise within the business units; when participation in these assessments is broad, and the discussion and prioritization of risks thorough, the mindset of managers and employees can be altered so that risk management is viewed no longer as a verification of compliance with rules and regulations but rather as an important part of everyday decision making.

THE ROLE OF SENIOR FINANCIAL MANAGERS

Responding to the pressures of the business environment and stakeholder expectations, organizations are looking beyond regulatory demands to seek significant performance improvements from their risk management activities. This type of risk management, based on a proper risk assessment framework, is much more evolved than the provision of assurance that an organization has complied with corporate and regulatory standards.

The adoption of such organization-wide risk management is a major cultural change for an organization and needs full support from the highest levels of management in order to succeed. Senior financial managers cannot merely delegate the task of implementing risk management initiatives; they must be the champions of the effort. In particular, the personal commitment of the CFO is of vital importance to the rapid, successful introduction of organization-wide risk management. In some organizations, the CFO is a member of the risk management committee. In all cases, risk management must be viewed as an integral component of good, overall business management, rather than a mere adjunct to it.

The Risk Management Payoff Model can help senior financial managers improve internal control over various risks and better manage operational and capital decisions. As a result, reasonable assurance can be given that both management and the board of directors, in its oversight role, are being made aware in a timely manner of the extent to which the organization is moving toward the achievement of strategic and operational risk objectives.

CONCLUSION

The broad identification and measurement of risk is not easy, and most organizations presently lack comprehensive risk evaluation systems. However, over the last few years, increasingly enormous costs have been associated with the failure to identify risks properly, integrate that information into operational and capital investment decisions, and provide adequate control systems and structures to plan for or reduce the risks. Whether these unanticipated costs have been related to financial frauds or ignored external risks, they have impacted corporate profits significantly and sometimes resulted in corporate demise.

The recently increased regulatory and reporting requirements are one response to the critical need for both internal and external decision makers to have better information regarding the risks inherent in business decisions and to focus more explicitly on managing those risks. Some risks are foreseeable and can be planned for or reduced with various tools and techniques. More general business risks must be controlled through systems and structures.

This guideline has provided a Risk Management Payoff Model that carefully articulates the inputs, processes, outputs, and outcomes of organizational activities related to risk management. The model demonstrates that corporate risks can be measured and the results integrated in all management decisions. The extensive set of metrics can be used to evaluate the payoffs of specific risk management initiatives as well as to assess the potential risks involved in decisions related to operations, processes, and capital projects (e.g., changes in performance measurement and reward systems, IT systems, or production facilities) and the costs of those risks to organizational profitability. More rigorous identification and measurement of broad corporate risks can enable senior managers to consider those risks more effectively in their decision making and manage them more successfully for improved corporate performance.


BIBLIOGRAPHY

American Institute of Certified Public Accountants. 2004. The AICPA Audit Committee Toolkit. New York: AICPA, Inc.

American Institute of Certified Public Accountants, Special Committee on Assurance Services. 1997. Report of the Special Committee on Assurance Services. New York: AICPA, Inc.

American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants. 2000. Managing Risk in the New Economy. New York: AICPA, Inc.

Barton, Thomas L., William G. Shenkir, and Paul L. Walker. 2002. Making Enterprise Risk Management Pay Off. Upper Saddle River: Financial Times/Prentice Hall PTR.

Blunden, Tony, and Ed Allen. 2003. Reputational Risk. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Braiotta, Louis, Jr. 2004. The Audit Committee Handbook. Fourth Edition. Hoboken: John Wiley & Sons, Inc.

Butters, John. 2003. Information at Risk. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Committee of Sponsoring Organizations of the Treadway Commission. 1992. Internal Control — Integrated Framework. New York: AICPA, Inc.

Committee of Sponsoring Organizations of the Treadway Commission. 2004a. Enterprise Risk Management — Integrated Framework: Executive Summary. New York: AICPA, Inc.

Committee of Sponsoring Organizations of the Treadway Commission. 2004b. Enterprise Risk Management — Integrated Framework: Application Techniques. New York: AICPA, Inc.

Cottell, Roger. 2003. Creating a Safe Working Environment. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

DeLoach, J. W. 2000. Organization-wide Risk Management: Strategies for Linking Risk and Opportunity. London: Financial Times.

Deloitte & Touche LLP. 1997. Perspectives on Risk for Boards of Directors, Audit Committees, and Management. Wilton: Deloitte & Touche Tohmatsu International.

Economist Intelligence Unit and Arthur Andersen & Co. 1995. Managing Business Risks — An Integrated Approach. New York: The Economist Intelligence Unit.

Epstein, Marc J. 2004. The Drivers of Success in Post-Merger Integration. Organizational Dynamics, Vol. 33, No. 2: 174-189.

Epstein, Marc J., and Marie-Josée Roy. 2002. Measuring and Improving the Performance of Corporate Boards. Management Accounting Guideline. Hamilton: The Society of Management Accountants of Canada.

Epstein, Marc J., and Robert A. Westbrook. 2001. Linking Actions to Profits in Strategic Decision Making. MIT Sloan Management Review (Spring): 39-49.

Green, Scott. 2004. Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud. Hoboken: John Wiley & Sons, Inc.

Joint Technical Committee OB/7 — Risk Management. 1999. Joint Australia/New Zealand Standard: Risk Management (revised draft). Strathfield NSW: Standards Association of Australia.

Katz, David M. 2005. Smaller Than a Sarbox? www.CFO.com. March 24.

Kinney, William R. 2000. Information Quality Assurance and Internal Control for Management Decision Making. Boston: Irwin McGraw-Hill.

Kocourek, Paul, Jim Newfrock, and Reggie Van Lee. 2004. It's Time to Take Your SOX Off. Strategy + Business, Resilience Report, December.

Lander, Guy P. 2004. What is Sarbanes-Oxley? New York: McGraw-Hill.

Levene, Lord. 2003. Premium on Managing Business Risk. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Ligos, Melinda. 2004. When Going Public May Not Be Worth It. The New York Times, June 3.

McCarthy, Mary P., and Timothy P. Flynn. 2004. Risk from the CEO and Board Perspective. New York: McGraw-Hill.

McNeill, Ian. 2003. Business Continuity. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Moeller, Robert R. 2004. Sarbanes-Oxley and the New Internal Auditing Rules. Hoboken: John Wiley & Sons.

Mun, Johnathan. 2004. Applied Risk Analysis: Moving Beyond Uncertainty in Business. Hoboken: John Wiley & Sons, Inc.

Nyberg, Alix. 2004. Raising Red Flags. CFO, September.

O'Brien, Timothy, and Landon Thomas. 2004. It's Cleanup Time at Citi. The New York Times, November 7.

PriceWaterhouseCoopers. 2004. Sarbanes-Oxley Act: Section 404. Practical Guidance for Management.

Ramos, Michael. 2004. How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control. Hoboken: John Wiley & Sons, Inc.

Ropeik, David, and George Gray. 2002. Risk: A Practical Guide for Deciding What's Really Safe and What's Really Dangerous in the World Around You. Boston: Houghton Mifflin Company.

Shaw, John C. 2003. Corporate Governance & Risk: A Systems Approach. Hoboken: John Wiley & Sons, Inc.

Sheridan, Fiona. 2003. Implementing Sarbanes-Oxley Section 404. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Simons, Robert. 1999. How Risky Is Your Company? Harvard Business Review (May-June): 85-94.

Teixeira, Tom. 2003. Enterprise Risk Management. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Telus. 2004. Leading the Way. Notice of Annual General Meeting, Information Circular.

Tivey, Andrew, and Ellynne Dec. 2003. Quantifying Uncertainty. In Jolly, Adam, ed. Managing Business Risk. London: Kogan Page.

Turnbull Report. 1999. Internal Control, Guidance for Directors on the Combined Code. London: ICAEW. See www.icaew.co.uk.

APPENDIX: REGULATORY REQUIREMENTS ON ENHANCED INTERNAL CONTROL

The Sarbanes-Oxley Act of 2002 — Section 302 and 404 Requirements

The Sarbanes-Oxley Act of 2002 creates new requirements for managers and accounting professionals related to corporate governance, including the responsibilities of directors and officers, the regulation of accounting firms that audit public organizations, corporate reporting, and enforcement. Sections 302 and 404 in particular have created significant new requirements related to internal control and the assessment of risk.

Under Section 302, the chief executive and financial officers of each publicly reporting company are required to certify each periodic (i.e., quarterly and annual) report filed or submitted to the SEC. The chief executive officer and chief financial officer must sign the certification themselves; another executive under a power of attorney cannot sign the certification. Section 302 requires the certification to cover the review of the report, its material accuracy, and fair presentation of financial information, disclosure controls, and internal accounting controls.

The internal control requirements in Section 404 are among the more important aspects of the act for a corporation and its external auditors. Management has always been responsible for preparing periodic financial reports; external auditors reviewed those financial numbers and certified that they were fairly stated as part of their audit. Under the Sarbanes-Oxley Act, management is now also responsible for documenting and testing its internal financial controls in order to prepare a report on their effectiveness. More specifically, management's process for evaluating the effectiveness of the company's internal controls must include:

● Determination of which controls are significant, which should include controls over transactions (routine, non-routine, estimation and judgment), fraud, controls on which other significant controls depend, the financial statement close process, and the locations or reporting entities to be included in the evaluation;

● The documentation of controls related to management's assertion, including each of the five COSO components of internal control, controls designed to detect or prevent fraud or errors in significant accounts, transactions or disclosures, the financial statement close process, and controls over safeguarding of assets;

● Evaluation of design and the most effective combination of manual and IT controls;

● Evaluation of operating effectiveness by the testing of controls by internal audit or third parties under the direction of management, or a self-assessment process that includes procedures to verify that controls are working effectively. Inquiry alone is not adequate; and

● Determination of which control deficiencies constitute significant deficiencies or material weaknesses (Sheridan, 2003).

A self-assessment alone is not enough without the documentation and testing to back it up. The external auditors also review the supporting materials leading up to the internal financial controls report to assert that the report is an accurate description of that internal control environment. The report should cover key information such as risk control description, specification of those performing the control, types of controls, frequency, evidence, and results of testing from an efficiency point of view.

Federal Sentencing Guidelines

The United States Sentencing Commission announced that on November 1, 2004, stricter Federal Sentencing Guidelines for organizations would be effective. These guidelines define the essential elements of a corporate compliance program. All U.S. companies, regardless of whether they are public or private, are required to have compliance plans if they wish to receive the benefit of prosecutorial discretion from a federal prosecutor, or sentencing mitigation from a federal judge. The primary purpose of a compliance program is to avoid these situations altogether by preventing violations of the law from occurring.

The Federal Sentencing Guidelines set forth seven basic criteria, as follows:

1. Establish standards and procedures reasonably capable of reducing the chances of criminal conduct;

2. Appoint compliance officer(s) to oversee plans;

3. Take due care not to delegate substantial discretionary authority to individuals who the organization knows, or should know, are likely to engage in illegal conduct;

4. Establish steps to effectively communicate the organization's compliance standards and procedures to all employees;

5. Take reasonable steps to ensure compliance through monitoring and auditing;

6. Employ consistent disciplinary mechanisms; and

7. When an offense is detected, take all reasonable steps to prevent future similar offenses, including modifying the compliance plan, when appropriate.

Canadian Regulation

In Canada, on February 4, 2005, the Canadian Securities Administrators released proposed requirements maintaining the harmonization of Canadian regulatory reporting and certification rules with Sarbanes-Oxley. The proposed Multilateral Instrument 52-111, Reporting on Internal Control over Financial Reporting, requires reporting issuers on the Toronto Stock Exchange to adhere to the following:

● Management will be required to issue a report on the effectiveness of internal control over financial reporting; and

● The external auditor will be required to issue an audit report on management's assessment along with its own report.

The earliest that the proposed instrument will be effective is for fiscal years ending on or after June 30, 2007.


This Management Accounting Guideline was prepared with the advice and counsel of:

Kent Allingham, MBA, CPA, Senior Manager, Corporate IT Controls, MCI

Barry Baptie, MBA, CMA, FCMA, Board of Directors, VCom Inc.

Dennis C. Daly, CMA, Professor of Accounting, Metropolitan State University

William Langdon, CMA, FCMA, Vice President, Knowledge Management, CMA Canada

Melanie Woodward McGee, MS, CPA, CFE, Manager of Accounting/Joint Venture Controller, American Airlines/Texas Aero Engine Services, LLC

John F. Morrow, CPA, Vice President, The New Finance, American Institute of Certified Public Accountants

Kevin Simpson, MBA, CM&A, CPA, Managing Director, Focus Business Services, LLC

William H. Steeves, B.Sc., CMA, FCMA, Board Director and Business Consultant

Derrick Sturge, MBA, CMA, FCMA, FCA, Firm Director, CFO and Governance Services, Deloitte & Touche, LLP

Al Wallace, Chief Operational Officer (COO), WorkCare Inc.

Kenneth W. Witt, CPA, Technical Manager, The New Finance, American Institute of Certified Public Accountants

For additional copies or for more information on other products available, contact:

In the U.S.A.: American Institute of Certified Public Accountants, 1211 Avenue of the Americas, New York, NY 10036-8775 USA. Tel (888) 777-7077, FAX (800) 362-5066. www.aicpa.org. Visit the AICPA store at www.cpa2biz.com

In Canada and elsewhere: The Society of Management Accountants of Canada, Mississauga Executive Centre, One Robert Speck Parkway, Suite 1400, Mississauga, ON L4Z 3M3 Canada. Tel (905) 949-4200, FAX (905) 949-0888. www.cma-canada.org
