
Fear Factor

Sarbanes-Oxley offers one more reason to tackle enterprise risk management.

June 1, 2003

Rick Navarre wanted the audit committee at Peabody Energy to know exactly how he is managing risk at the company. As Peabody's CFO, Navarre developed a comprehensive methodology for analyzing and quantifying risk, in large part to educate the audit committee about all the risks confronting the $2.8 billion St. Louis-based producer and distributor of coal.

Although Navarre developed this methodology prior to the passage of the Sarbanes-Oxley Act of 2002, he notes that "under Sarbanes-Oxley, the audit committee is mandated to understand how we assess and handle the risks confronting the company. I wanted them to be comfortable that we had identified each and every risk we face and prescribed specific risk transfer and mitigation strategies for those risks we did not want to retain."

Navarre's approach to risk management illustrates the difference between traditional risk management and enterprise risk management (ERM). Traditionally, operational and strategic risk management have been static — an examination of risks as they were in January 2003, for example. "You know where you were three months ago, but now it's April and you don't have a clue about your risks until the next audit," explains Frank Terzuoli, senior vice president of business-risk consulting at New York-based insurance broker Marsh Inc.

Traditional risk management works best on financial and hazard risks — the risks that are transferable. ERM, by contrast, stresses the management of operational and strategic risks. "A bank's operational risk would be its back office, in terms of how its payments are made and its credit-underwriting processes in terms of how it makes loans, monitors credit, and ensures repayment of loans," says Terzuoli. "A manufacturer's operational risk would involve the manufacturing process and the processes embedded in building ideas. While traditional risk management requires more accounting-type skills, ERM requires skill in strategic planning, process reengineering, and marketing."

What Peabody Energy and a few other pioneering companies have undertaken is a risk-management discipline that extends beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputational, regulatory, and information risks. Some companies, like Agricore United, a Canadian agricultural-services firm, have been using ERM for several years now. Other companies have found ERM useful in theory but tedious in practice, and have resisted the effort and expense.

That may change, following passage of Sarbanes-Oxley and its stricter corporate-governance and accountability provisions. Although the act doesn't say anything about better risk management, more robust risk-reporting would seem to provide more assurance to anxious audit committees, and to CEOs and CFOs who must now certify financial statements.

The devil is in the details — translating the implications raised by the act into actionable items. "[Sarbanes-Oxley] certainly talks a lot about risk transparency — the risks you know that are not shared with other stakeholders, particularly investors," says Terzuoli. "While hiding this information was never acceptable, [the act] affirms that it definitely is not acceptable. As for the risks you should have known about but didn't, [the act] obligates companies to uncover them through a process that is rigorous enough to ensure a reasonable chance of uncovering them. This is implied, not specific. Still, wise companies believe the effort is worth it. And ERM is a methodology to get there."

Terzuoli, it must be pointed out, works for a firm that offers ERM services, charging substantial fees to help companies identify risks, quantify them, and so on. Other insurance brokers also see ERM as a fruitful market, as do audit firms and consulting firms, many of which are competing to facilitate the risk scorecard/matrix process at the behest of their clients.

Given the tepid response accorded ERM before Sarbanes-Oxley, the service providers are remarketing their ERM practices to capture the marketing cachet offered by the new governance and accountability provisions. "The stick is Sarbanes-Oxley," says Terzuoli.

Ted Senko would agree. "Since the assessments a company performs are ultimately reflected in the corporate financial statement, organizations can benefit by viewing this compliance process as a risk-management exercise," the KPMG LLP partner says. "Companies that execute their internal-controls assessment within the framework of an enterprisewide risk-management program can help ensure the integrity of their financial statements and preserve investor confidence in the company's economic sustainability."

How Peabody Recast Risk
The system Navarre installed at Peabody offers a good example of a best practice in ERM. He polled more than a dozen executives, from the C-level suite down to departmental managers, to extract what each believed were the risks challenging their respective areas of oversight.

The varied risks cited fell into four categories — operational, financial, strategic, and IT. Once the risks were captured on a scorecard, Navarre and his fellow risk overseers in treasury, operations, and the various departments calculated the expected probability of each risk in terms of frequency and severity. "For instance, the likelihood of a business interruption is low, but the severity of that event, in terms of monetary risk, would be off the charts," says Navarre. Peabody arrived at this quantification via a mixture of experience, intuition, and research, he says.
