The risk management department is no longer taking the lead in managing risk. Because of the highly publicized scandals of the past several years, internal audit increasingly enjoys the reputation of being the corporate risk manager. And because internal audit usually reports to the board of directors while risk management usually reports to the vice-president level, internal audit enjoys a reputation at the board of directors level.
Stating that any one group is in charge of risk is problematic. The risks of operational and revenue disruption are by their very nature complex and require a concerted and coordinated effort among many groups. Internal audit does indeed handle a large portion of a company's risks. But so do legal, human resources, operations, IT and research and development.
For example, staffing issues can cause operational disruptions, which in turn cause a failure to meet contractual terms, lost revenue and possibly D&O suits. Business units do not operate in a vacuum.
It is ironic that Enterprise Risk Management, which purports to create just such a holistic view, has created a battle for ownership among the very groups that should be coordinating efforts. This became evident when the Institute of Internal Auditors published a paper titled "The Role of Internal Auditing in Enterprisewide Risk Management" which called for internal audit to take the lead in the creation and oversight of ERM.
Such turf wars do a disservice to the company. In order for all of the truly material risks to be captured, multiple groups have to coordinate their efforts. According to a study conducted by the Corporate Executive Board that tracked market capitalization declines for the Fortune 200 over a 14-year period, only 15 percent of market capitalization declines were driven by financial issues. A full 65 percent of market capitalization declines were caused by strategic drivers such as shifting market forces and product miscues. Focusing risk management efforts on auditable areas like financial risk leaves out 85 percent of a company's material risks. Even though audit procedures and SOX testing have gained popularity, they are missing a large piece of the risk puzzle.
Neither risk management nor any other group can address the entire risk management puzzle alone.
Chris Duncan, managing director of Marsh and previously the CFO of Delta Airlines, offers an excellent perspective. In his role as chief risk officer, he oversaw both risk management and internal audit. He provides a balanced view. "Audit brings eyes and ears to the ERM table that deliver key insights into the organization, its culture and management capabilities, as well as internal and external threats," he says. But he also says that internal audit's process capabilities can only take you so far.
In order for risk management efforts to support decision-making and behavior change, they must incorporate a spectrum of the resources within the enterprise. Duncan provides a good example of how this worked at Delta. "The internal audit function at Delta was its own function, as was risk management. However, ERM was seen as a function that cut across all the risk functions, which included internal audit, risk and insurance, finance, safety, security, legal, information security/privacy. The ERM effort gave us a platform to allow the risk groups to work more effectively together."
A coordinated holistic approach that leverages multiple organizations is the only way to effectively manage a company's material risks. Audit simply does not have the breadth of focus to manage risk alone.
BEAUMONT VANCE, a risk manager for Sun Microsystems Inc., is a columnist for Risk & Insurance®.
May 1, 2006
Copyright 2006© LRP Publications