CFO Magazine, June 2003 Issue
Fear Factor
(continued)
Given the tepid response accorded ERM before Sarbanes-Oxley, the service providers are remarketing their ERM practices to capture the marketing cachet offered by the new governance and accountability provisions. "The stick is Sarbanes-Oxley," says Terzuoli.
Ted Senko would agree. "Since the assessments a company performs are ultimately reflected in the corporate financial statement, organizations can benefit by viewing this compliance process as a risk-management exercise," the KPMG LLP partner says. "Companies that execute their internal-controls assessment within the framework of an enterprisewide risk-management program can help ensure the integrity of their financial statements and preserve investor confidence in the company's economic sustainability."
How Peabody Recast Risk
The system Navarre installed at Peabody offers a good example of a best practice in ERM. He polled more than a dozen executives, from the C-level suite down to departmental managers, to extract what each believed were the risks challenging their respective areas of oversight.
The varied risks cited fell into four categories — operational, financial, strategic, and IT. Once the risks were captured on a scorecard, Navarre and his fellow risk overseers in treasury, operations, and the various departments calculated the expected probability of each risk in terms of frequency and severity. "For instance, the likelihood of a business interruption is low, but the severity of that event, in terms of monetary risk, would be off the charts," says Navarre. Peabody arrived at this quantification via a mixture of experience, intuition, and research, he says.
Using risk-mapping software developed internally, the group then plotted the risks on a PowerPoint risk matrix — a template depicting low-level infrequent risks in the bottom left quadrant, and the risks presenting the greatest threat of frequency and severity in the top right quadrant.
Once a risk is plotted in the matrix, it is color-coded to indicate how it has been addressed: red indicates that a risk has had little or no transfer; blue indicates that a risk has been transferred; and a partial risk transfer, such as workers' compensation, is in green, showing that Peabody is partially self-insured in this regard. "You don't want to see something red in that upper right-hand quadrant," warns Navarre.
[Figure: Peabody's Risk Matrix]
Drill down on a particular risk and a detailed analysis of that risk emerges: its relative importance in the risk hierarchy, how or if it is transferred or mitigated, and whose responsibility it is to manage the risk.
Governance risks posed by Sarbanes-Oxley are managed by Peabody's active board of directors and by audits, a code of business conduct, and a comprehensive set of controls as mitigations, says Navarre. Although such regulatory risks as stricter environmental controls cannot be insured, he notes that even these risks are mitigated, in this case through lobbying efforts.
The entire process is dynamic: Peabody formed a cross-functional risk-management committee with Navarre as chairman that meets monthly to continually assess the company's risks. "If a new risk emerges — say we enter into a joint venture or acquisition — we meet to assess the inherent risks and feed them into the ERM process," explains Navarre.
Why is this a better mousetrap? "This is a broadly focused process that involves the entire senior-management teams across all functions to evaluate risk," the CFO replies. "Instead of looking at individual risks, ERM gives us the ability to assess all the risks of the company and understand them, separately and in relation to each other, potentially identifying risks we may not otherwise have identified, and then making a determination to either mitigate that risk or choose to accept it."