Print this article | Return to Article | Return to CFO.com
Sarbanes-Oxley offers one more reason to tackle enterprise risk management.
Russ Banham, CFO Magazine
June 1, 2003
Rick Navarre wanted the audit committee at Peabody Energy to know exactly how he is managing risk at the company. As Peabody's CFO, Navarre developed a comprehensive methodology for analyzing and quantifying risk, in large part to educate the audit committee about all the risks confronting the $2.8 billion St. Louis-based producer and distributor of coal.
Although Navarre developed this methodology prior to the passage of the Sarbanes-Oxley Act of 2002, he notes that "under Sarbanes-Oxley, the audit committee is mandated to understand how we assess and handle the risks confronting the company. I wanted them to be comfortable that we had identified each and every risk we face and prescribed specific risk transfer and mitigation strategies for those risks we did not want to retain."
Navarre's approach to risk management illustrates the difference between traditional risk management and enterprise risk management (ERM). Traditionally, operational and strategic risk management have been static — an examination of risks as they were in January 2003, for example. "You know where you were three months ago, but now it's April and you don't have a clue about your risks until the next audit," explains Frank Terzuoli, senior vice president of business-risk consulting at New York based insurance broker Marsh Inc.
Traditional risk management works best on financial and hazard risks — the risks that are transferable. ERM, by contrast, stresses the management of operational and strategic risks. "A bank's operational risk would be its back office, in terms of how its payments are made and its credit-underwriting processes in terms of how it makes loans, monitors credit, and ensures repayment of loans," says Terzuoli. "A manufacturer's operational risk would involve the manufacturing process and the processes embedded in building ideas. While traditional risk management requires more accounting-type skills, ERM requires skill in strategic planning, process reengineering, and marketing."
What Peabody Energy and a few other pioneering companies have undertaken is a risk-management discipline that extends beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputational, regulatory, and information risks. Some companies, like Agricore United, a Canadian agricultural-services firm, have been using ERM for several years now. Other companies have found ERM useful in theory but tedious in practice, and have resisted the effort and expense.
That may change, following passage of Sarbanes-Oxley and its stricter corporate-governance and accountability provisions. Although the act doesn't say anything about better risk management, more robust risk-reporting would seem to provide more assurance to anxious audit committees, and to CEOs and CFOs who must now certify financial statements.
The devil is in the details — translating the implications raised by the act into actionable items. "[Sarbanes-Oxley] certainly talks a lot about risk transparency — the risks you know that are not shared with other stakeholders, particularly investors," says Terzuoli. "While hiding this information was never acceptable, [the act] affirms that it definitely is not acceptable. As for the risks you should have known about but didn't, [the act] obligates companies to uncover them through a process that is rigorous enough to ensure a reasonable chance of uncovering them. This is implied, not specific. Still, wise companies believe the effort is worth it. And ERM is a methodology to get there."
Terzuoli, it must be pointed out, works for a firm that offers ERM services, charging substantial fees to help companies identify risks, quantify them, and so on. Other insurance brokers also see ERM as a fruitful market, as do audit firms and consulting firms, many of which are competing to facilitate the risk scorecard/matrix process at the behest of their clients.
Given the tepid response accorded ERM before Sarbanes-Oxley, the service providers are remarketing their ERM practices to capture the marketing cachet offered by the new governance and accountability provisions. "The stick is Sarbanes-Oxley," says Terzuoli.
Ted Senko would agree. "Since the assessments a company performs are ultimately reflected in the corporate financial statement, organizations can benefit by viewing this compliance process as a risk-management exercise," the KPMG LLP partner says. "Companies that execute their internal-controls assessment within the framework of an enterprisewide risk-management program can help ensure the integrity of their financial statements and preserve investor confidence in the company's economic sustainability."
How Peabody Recast Risk
The system Navarre installed at Peabody offers a good example of a best practice in ERM. He polled more than a dozen executives, from the C-level suite down to departmental managers, to extract what each believed were the risks challenging their respective areas of oversight.
The varied risks cited fell into four categories — operational, financial, strategic, and IT. Once the risks were captured on a scorecard, Navarre and his fellow risk overseers in treasury, operations, and the various departments calculated the expected probability of each risk in terms of frequency and severity. "For instance, the likelihood of a business interruption is low, but the severity of that event, in terms of monetary risk, would be off the charts," says Navarre. Peabody arrived at this quantification via a mixture of experience, intuition, and research, he says.
Using risk-mapping software developed internally, the group then plotted the risks on a PowerPoint risk matrix — a template depicting low-level infrequent risks in the bottom left quadrant, and the risks presenting the greatest threat of frequency and severity in the top right quadrant.
Once a risk is plotted in the matrix, it is color-coded to indicate how it has been addressed: red indicates that a risk has had little or no transfer; blue indicates that a risk has been transferred; and a partial risk transfer, such as workers' compensation, is in green, showing that Peabody is partially self-insured in this regard. "You don't want to see something red in that upper right-hand quadrant," warns Navarre.Peabody's Risk Matrix
Drill down on a particular risk and a detailed analysis of that risk emerges, from its relative importance in the risk hierarchy to how or if it is transferred or mitigated to whose responsibility it is to manage the risk.
Governance risks posed by Sarbanes-Oxley are managed by Peabody's active board of directors and by audits, a code of business conduct, and a comprehensive set of controls as mitigations, says Navarre. Although such regulatory risks as stricter environmental controls cannot be insured, he notes that even these risks are mitigated, in this case through lobbying efforts.
The entire process is dynamic: Peabody formed a cross-functional risk-management committee with Navarre as chairman that meets monthly to continually assess the company's risks. "If a new risk emerges — say we enter into a joint venture or acquisition — we meet to assess the inherent risks and feed them into the ERM process," explains Navarre.
Why is this a better mousetrap? "This is a broadly focused process that involves the entire senior-management teams across all functions to evaluate risk," the CFO replies. "Instead of looking at individual risks, ERM gives us the ability to assess all the risks of the company and understand them, separately and in relation to each other, potentially identifying risks we may not otherwise have identified, and then making a determination to either mitigate that risk or choose to accept it."
Evidently Peabody's audit committee is pleased. "We've learned through this process not only the scope and breadth of risks inherent in the business, but also the various methods that management is using to effectively manage and balance those risks," says William Rusnack, chairman of the audit committee.
Still a Costly Process
The value of ERM must be balanced against its cost. Several third-party firms approached Peabody to facilitate the ERM process, not one of which quoted less than a $200,000 fee. Instead, Navarre decided to facilitate the process internally.
But even without a consultant, the process and infrastructure costs associated with uncovering material risks are significant. "You have to be more invasive within the organization, meaning that you have to ensure that each of the business units is examining its risks in a rigorous, well-defined, systematic way, as opposed to ad hoc oversight," says Terzuoli. "That costs money, since you have to put in place policies and procedures and then ensure that these are being complied with. Then you have to automate this process with an IT component, building a conduit from back-end legacy systems to capture risk-based data to provide risk transparency in a dynamic environment — a flow of information that typically is daily or at the very least weekly."
Fortunately the software tools to construct a dynamic ERM technology infrastructure already exist in package form, sold by vendors Hyperion, Cognos, and Active Strategy, among others. The tools identify the dozens of data elements that require ongoing monitoring, extract them from legacy systems, and gather them in one place, typically a data warehouse. The tools then create a conduit from the data warehouse to a front-end dashboard that alerts users when risks emerge. "Once tied together, the data may reveal, for example, a cash-flow surprise relative to market expectations," says Terzuoli.
The cost of a good back-end to front-end system, with all the hoopla in between? Another $500,000.
Cost concerns didn't stop Seminole Electric Cooperative Inc., a not-for-profit Tampa-based electrical generation and transmission cooperative with $714 million in 2002 revenues, from pursuing ERM. Seminole's strategic plan mandated a broad corporate-risk profile. "We needed to create a broad list of risks facing the company, not just the risks that executive staff had cited, but risks perceived by executives across all corporate lines," says Seminole vice president of financial services John Geeraerts.
To create it, Geeraerts and Timothy Rogers, manager of tax risk and property accounting, put together a fully fledged ERM strategy with assistance from London-based global insurance broker Willis Group Holdings. Like Peabody, they assembled a multi-departmental committee that included risk overseers from internal audit, tax, finance, and power-plant operations — roughly 8 people altogether. The committee wrote up a detailed questionnaire that was E-mailed to 110 other people in the organization asking them to identify and list risks in their individual areas of oversight, what Rogers calls "brainstorming across all corporate lines."
The process generated more than 60 defined risks, which the committee then boiled down to the top 25. Two workshops were held without executives, who were questioned separately. The goal was to drill down into each of the risks to determine what actions, if any, were being taken to mitigate them, and who was accountable for ensuring and monitoring these actions. "We wanted to know the probability of each risk causing financial harm, from both a frequency and a severity standpoint. [We also wanted to know] who was watching the store," explains Geeraerts.
Ultimately, the company was able to force-rank the five top risks challenging Seminole. Number one was electrical-generation capacity — the loss of a generating plant due to an unplanned or forced outage. The company evaluated factors such as tornadoes and terrorist incidents that would disrupt power supply or cause a unit to go down. The second-highest risk was loss of market, a concern given Seminole's status as a cooperative. Filling out the top five risks were the need to have an optimum mix of power resources to serve customers, fuel price volatility, and regulatory risks, such as the impact of potentially stricter environmental standards.
A dollar number was ascribed to most risks, representing probability, frequency, and severity. All the risks were then assembled on a matrix. The final part of the process — a determination of risk-mitigation options and a process for monitoring risk-management compliance — is still under way. "For fuel price volatility, the option is a fuel hedging program; for the loss of power lines, the option is insurance; for the risk of terrorism, the option is elevating our security officer to senior staff level," notes Geeraerts.
Agricor's Granular Approach
Agricore United could tell both Peabody and Seminole a thing or two about ERM. The Winnipeg, Canada-based company initially went through the risk-identification phase in 1997, only to learn its risk-management focus was misplaced on more-transferable risks like a fire to a facility, rather than on the one major operational risk that could doom it, a reduction in grain volume.
Agricore's first step was to form a steering committee to identify and evaluate the major threats to earnings. More than 30 employees from all levels gathered in 1997 in one room at headquarters to identify the risks facing the company. This meeting was repeated earlier this year. "The world is a dynamic place and risks are constantly changing," says Peter Cox, CFO of Agricore, with $422 million (Canadian) in 2002 revenues. "It's much of the same thing with markets to transfer or mitigate risks. Nothing is static."
At the last outing, more than 30 areas of exposure were tabulated. In both years, the number-one risk was grain volume. "When a drought causes less grain to grow, we handle less grain volume, which depresses revenues accordingly," explains Cox. "Last year our revenues plunged almost 50 percent due to drought."
But Agricore went further than Peabody and Seminole to find a risk-mitigation solution to its primary risk problem. At first, the steering committee examined a weather-based financial instrument to hedge the grain-volume risk. But wide geographic regions in which grain is grown in Canada, and divergent weather patterns affecting each region, made such an instrument impossible to structure.
With help from its broker, Willis Group Solutions, Agricore assembled a unique risk-transfer program, combining nearly all its risks, including the grain-volume exposure, in a portfolio for transfer as a single block of risk to insurer The Citadel, which was reinsured by Swiss Reinsurance Co. of Canada. The losses from different risks would aggregate into an annual loss total that, if exceeding a prearranged dollar threshold, would result in an insurance payout.
A trigger for the grain-volume risk was built into the multiline insurance program, based on volumes reported by the Canadian Grain Commission, an independent body. The innovation was the fact that Agricore was able to transfer an operational risk to the insurance market that had never been transferred to insurers before.
When the novel three-year program expired at the end of 2002, Agricore sought to reinstate it. But back-to-back droughts and tightening terms, conditions, and premiums in the insurance market dissuaded Swiss Re, not to mention other reinsurers, from a similar deal. Yet Agricore again scored a unique contract, an insurance policy covering grain volume solely. The policy, bought from European International, a Swiss Re company based in Barbados, runs through July 2006, offering up to $25 million in coverage each year — minus an undisclosed deductible — and three-year coverage limits of $52.8 million. The payout is based on a simple formula that takes into account a five-year rolling average of industry grain volumes, Agricore's market share, and average profit margin per ton of grain handled.
Adding It Up
ERM has many proponents, but companies aren't exactly racing to install it. A survey of clients with at least $500 million in revenues conducted by KPMG found that only 28 percent had formal ERM programs, even though most of the same companies rated risk identification as their most important risk-management issue. Almost half the respondents (47 percent) without an ERM strategy stated they did not see the value proposition in ERM.
The resistance can be chalked up to two factors: cost and apathy. "Companies tend not to do something unless they have to," says Terzuoli. "While Sarbanes-Oxley raises the bar, companies just don't see the benefit from risk-scorecarding or matrixes or even ERM, in terms of added revenue or stock value. It's the old story — 'Here is what the law says and here is what I can get away with.' I'm just hoping that with a new [Securities and Exchange Commission] chief [Wall Street veteran William Donaldson], his diligence about interpreting the law and actions taken will compel companies to really do something about their risk."
Perhaps another reason for resistance is the complex nature of ascribing dollar values to risks like customer loyalty or corporate reputation. "Not all risks are strictly mathematically calculable," explains Senko. "ERM has created this sense of exactitude that just doesn't exist. There is still some art and judgment involved in quantifying risk."
Still, observers argue there is tremendous value in the process. "Smart CFOs know that their jobs call upon them to do two things — protect what they have and create more of what they have," adds Terzuoli. "Risk scorecards, matrixes, and ERM offer a proactive way to manage risk as a source of competitive advantage. And they reduce risk as a way of preserving assets. While the stick may be Sarbanes-Oxley, the carrot is good common sense."
Not only do companies forge a methodology for reporting potential surprises, this structure forces communication across functional lines. And arguably more important, accountability for risk is explicitly stated and monitored.
"When a risk event occurs," says Senko, "you want someone to step up, take responsibility for it, and take immediate action to manage or mitigate that risk. Wading through layers of corporate approvals would be disastrous."
Best of all, ERM is shareholder-friendly. "Perhaps the most important benefit from the whole process is a reduced gap between the knowledge an investor has about the company and the true risks embedded in that company," says Terzuoli. "That gap will be smaller than ever before."
|RM Versus ERM|
...the essential differences
|Traditional Risk Management||Enterprise Risk Management|
|Risk as individual hazards||Risk in the context of business strategy|
|Risk identification and assessment||Risk "portfolio" development|
|Focus on all risks||Focus on critical risks|
|Risk mitigation||Risk optimization|
|Risk limits||Risk strategy|
|Risks with no owners||Defined risk responsibilities|
|Haphazard risk quantification||Monitoring and measurement|
|Risk is not my responsibility||Risk is everyone's responsibility|