For many companies, enterprise risk management is an almost academic sounding idea. But for us, it's much more real. We call it the "You catch and I clean" approach. The internal audit department catches a problem, and the risk management department cleans it up.
If we were to describe the role of the internal auditor within the framework of enterprise risk management, we would describe it as such: internal auditors are the monitors who offer objective assurance to a company's board that key business risks are being managed properly and that the system of internal control operates well--with all its ducks in a row.
Working alongside the internal auditor, perhaps unbeknownst to many in the company, is the enterprise risk manager. Together the two promote an aggressive strategy of risk management.
Enterprise risk managers provide support and implementation, taking a 360-degree view of the cumulative impact of a company's risks. The idea is to offer the company maximum protection.
Working together, a company's risk manager and internal auditor present a cohesive barrier to the organization's risks, hopefully allowing board members and shareholders to sleep a little better at night.
Take my case, for example. At Caesars Entertainment, Karen Brown, vice president of internal audit, and I work hand-in-glove. Along with our legal and accounting departments, we cogently address the diversity of exposures facing Caesars--and there are many.
In addition to casinos, Caesars Entertainment owns hotels, restaurants, retail stores, an ice house, gas stations, a wastewater treatment plant, three aircraft, three gaming cruise ships and various international interests.
Many of these components of the business have their own idiosyncratic risks. Issues such as natural disasters, criminal and political risks must all be considered every day. Then there are the mundane risks that all retail operations face. These risks include slips and falls.
Beyond that, our employees have some special risks unique to their sort. Many work long hours. Others are on their feet much of the time and must work to provide world-class customer service to an ever-demanding public.
And don't forget the pressures we face from state and federal regulators. Remember that legal beast known as the Sarbanes-Oxley Act which mandates that corporate governance undergo close monitoring of all potential directors' and officers' liability exposures? Well it applies to us. And we'd better follow it, or else!
Internal audit has the responsibility of monitoring various financial and operational areas within the company. Therefore, when something doesn't look right, whether safety-related or crime-related, it's brought to risk management's attention.
Using a fishing analogy, when internal audit says, "This doesn't smell right," then risk management follows up, assessing if the issue is important enough to keep on the line, and what to do with it if it's in the net.
If an angry customer threatens a lawsuit, for example, internal audit would ascertain whether proper procedures were followed and whether the casino complied with all state and local regulations. Internal audit would also make sure the legal department had all the needed documentation to assess the situation or defend the company.
"Internal auditors can monitor, facilitate, coach, participate and report on a process," says Karen Brown, vice president of internal audit for Caesars. But she adds, "It is not our responsibility to force something to be done. We just present." Whether or not to accept the risk is up to the risk executives.
At many companies, the internal auditor and the risk manager function independently. That can be dangerous, if not expensive. Sometimes this lack of communication leads to duplication, and gaps result from second-guessing whether someone else is taking care of it. It's not surprising that the ball can get dropped completely. Using the enterprise risk management approach, sharing information is crucial to the protection of the company.
There are no turf wars when ERM is implemented effectively.
The Institute of Internal Auditors, in conjunction with the Committee of Sponsoring Organizations of the Treadway Commission, recently issued a position paper on "The Role of Internal Audit in Enterprise-wide Risk Management."
It spells out these roles and suggests ways for internal auditors to maintain objectivity and independence. The paper states that "internal auditing's core role with regard to enterprise risk management is to provide objective assurance to the board on the effectiveness of an organization's enterprise risk management activities to help ensure key business risks are being managed appropriately and the system of internal control is operating effectively."
Both risk management and internal audit have roles as gatekeepers, especially as it applies in the gaming industry. Internal audit's task is to make sure laws and regulations are followed. "This includes investigations, regulatory compliance audits, operational audits, management requests and assisting corporate security ... as in the case of bartenders stealing, for instance," says Brown.
"If necessary, we work with corporate security investigators, who usually have law enforcement backgrounds, by providing them with the paper trail to support the alleged misconduct," Brown says. "Documentation or summarizing the evidence is something concrete that we can provide. Cases of litigation involving injury to guests or employees, and any D&O claims, become Lance's domain."
By establishing "central risk teams" we develop a strategy for accountability at the management level. These teams, headed by a chief risk professional, enable internal auditors to coordinate and work cohesively with the legal and accounting departments. This is a bit like dividing up household chores; the team meets on an as-needed basis and we go through our challenges together.
HOW TEAMS WORK
It works like this: The risk management department says, "Let's do this ..." and legal may add, "But the downside is this ..." Depending on the specifics of each case, we bring the issues to everyone's attention, then discuss solutions. This way the left hand knows what the right hand is doing.
Ultimately, management has the overall responsibility for ensuring that risks are properly managed. Both risk management and internal audit are on a disclosure committee to review reports prior to releasing them to the public. We share resources, yet there needs to be a champion in certain areas. In the case of aviation risk, for instance, risk management would take the lead.
"Together we look at risk assessment and ask, 'Where are the risks for our company?'" says Brown. "We all rank the risks as high, medium or low. Then we see whose area they fall into. Does this involve internal audit? Risk management? Legal?"
Brown says this is a good way to control the activities of a company and to check whether the firm is following the dictates of the Sarbanes-Oxley Act.
"An important part of enterprise risk management is setting the risk appetite," she says. "Management makes their decisions based on the information and exposures that internal audit and risk management uncover."
The successful enterprise risk management model is about breaking down silos. That means integrating, yet not combining disciplines because we each bring certain strengths to the table.
Enterprise risk management is a slow process that won't be embraced by every company. However, enterprisewide risk management brings benefits because of its structured, consistent and coordinated approach.
Whether or not to employ enterprise risk management depends on the structure and size of a firm, and the nature of the industry in which it operates. For publicly traded companies like Caesars, pooling our resources and working closely is effective and efficient for the organization. Caesars is moving toward the cutting edge.
A number of other large companies are embracing enterprise risk management as well. They include General Motors Corp., Hallmark Cards Inc. and First Energy Corp. The decision as to whether to embrace enterprise risk management comes down to risk appetite and management style.
Whether it is in a company's best interest to develop central risk teams--and to include finance, accounting, internal auditing, and risk management in the discussion--depends on what the organization is fishing for.
LANCE J. EWING, past president of the Risk and Insurance Management Society Inc., is vice president of risk management for Caesars Entertainment Inc.
April 15, 2005
Copyright © 2005 LRP Publications