Risk Management

Safety First

How finance executives are keeping their companies safe and secure from accounting scandals and other material missteps.
David Katz | December 8, 2003

“Only you can prevent forest fires” was the cautionary message of a long-running risk management campaign. An accounting scandal may seem much less dramatic than a wildfire — but to your company, it could be just as devastating.

Roger Friedberger has certainly been keeping a lookout. Since 1996, when he became finance chief of ILOG — a software provider headquartered in Gentilly, France, and Mountain View, California — Friedberger has been keenly aware of the possibility of a revenue-recognition misstep. The temptation for salespeople to boost their compensation by booking revenues improperly, before they’re fully earned, is famously strong in Silicon Valley.

The effects of overly aggressive accounting have a way of scaling the corporate ladder, leading to restatements and shareholder lawsuits — not to mention executive dismissals. “More software CFOs have bitten the dust because of rev-rec problems” than due to any other accounting issue, maintains Friedberger.

By putting preventive measures in place, however, Friedberger has helped ILOG steer clear of a restatement, or even so much as an adjustment by its auditors, since the company went public in 1997. That “safety first” approach has also found favor with many other finance chiefs, corporate risk managers, and internal auditors who guard against fraud, gamesmanship, and inattention, and keep accounting woes from their doors.

Spreading a responsible corporate culture, and using your powers of persuasion to keep employees and lower-level managers in line, has always been an essential practice. Today, finance executives are also launching enterprise-risk-management programs to take a comprehensive picture of corporate risk, and installing new software to get a clearer view of potential hot spots in even the most remote outposts of their organizations.

Sarbanes-Oxley compliance requirements have spurred these efforts, of course. But a look at how fast a company’s fortunes can plummet in the first blush of bad accounting news might be motivation enough. Indeed, a tarnished reputation can deliver a lingering jolt to a company’s finances, suggests a May 2003 study by Deloitte & Touche of a score of companies touched by corporate accounting scandal.

The companies — whose ranks included the usual suspects — suffered an average 50 percent drop in share price within 20 days after news of the scandal first broke, according to Rick Funston, national practice leader for governance and risk oversight at Deloitte & Touche.

At five of the companies, the share price fell by more than 90 percent. “Shareholder value is tried and [hanged] in the court of public opinion long before it gets to a court of law,” says Funston — hence the need to prevent financial scandals entirely, and not to “go to trial” at all. But can you guard against corporate scandal just as you would guard against wildfires?

The View from On High

Start by taking a comprehensive view of potential problems across your entire organization, say advocates of enterprise risk management, and set your priorities.

Some companies have begun to link their internal-audit functions with broader corporatewide plans of managing risk. “Risk management and [internal audit] were never coupled in the past as they are today,” says John Calkins, director of risk management at Masco Corp., a manufacturer of home-improvement and building products based in Troy, Michigan.

Risk management, the theory goes, can help widen the focus of internal auditors. At Zions Bancorporation in Salt Lake City, Utah, for instance, the auditors use risk-assessment software to “receive alerts about new risks and changing risk levels,” David Stone, the company’s senior vice president of risk management, recently wrote in FSA Times, a publication of the Institute of Internal Auditors.

Up until recently, though, ERM was rarely mentioned in the context of accounting perils. In its formative years, enterprise risk management was largely a dream in the minds of property-casualty underwriters, who saw comprehensive views of risk as a way to sell big-ticket insurance policies.

ERM may be ready for a growth spurt, however. In July, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector group aimed at improving the quality of financial reporting, issued its proposal for a standardized ERM “framework.” COSO members hope to set up a common ERM terminology for what has been largely a rag-bag of ideas — everything from the establishment of the title of “chief risk officer” to the use of derivatives. Slated for release in its final form early in 2004, the framework is already influencing risk management thinking and software design.

ERM proponents do acknowledge that even a systemic approach will have a tough time stopping outright fraud. Intentional deception, rather than a mere tweaking of the numbers to create an overly rosy impression, is difficult to prevent, says H. David Sherman, a professor of business administration at Northeastern University. To take a bite out of these crimes, Sherman suggests that internal auditors should make their spot checks less predictable and more detailed — an improvement that’s been frequently suggested for external audits, too.

The Proof Is in the Portfolio

One way enterprise-risk managers think they can uncover hidden sources of potential scandal is by adopting a “portfolio” view of corporate hazards. To put such a view into practice, each manager in charge of a business unit might provide an assessment of the unit’s risks to senior management, according to COSO’s proposed framework.

Senior executives could then pore over discrete pictures of their companies’ risks, enabling them to assess exposures that seem scant in numeric terms but that might pose other woes. Indeed, managers who worry only about those risks that represent material financial threats could be making a big mistake, says Frank Terzuoli, a senior vice president in business risk management for insurance broker Marsh Inc. in San Francisco.

Out of tiny units, big problems can grow. Take, for instance, a fictional corporation comprising 10 subsidiaries, says Terzuoli. Nine are in perfect health, but the remaining unit — left to its own devices because it produces just 1 percent of the company’s revenues — has spawned an outsized problem. The managers of that unit’s pension plan have committed “an egregious mistake that creates a front-page article,” hypothesizes Terzuoli. “The reputational risk is huge” despite the size of the unit.

To be able to assess and manage such risks, senior executives need a clear view into the recesses of company operations. At Zions Bancorporation, a holding company with $26 billion in assets, that involves “escalating” information on operational and financial reporting risks from managers at its six banks operating in eight western states. Zions chose to install RiskResolve software, developed by Providus Solutions.

Based on COSO principles, the risk-assessment tool enables small but potentially costly accounting miscues to surface quickly, according to Stone, Zions’ risk manager. It could alert executives, for instance, to the danger of an incorrect interest rate being entered for the bank’s home loans. While such an error wouldn’t be so bad on an individual basis, “if it happens in a multitude of loans, then we have a problem,” says Stone.

By using RiskResolve, managers can assign scores to risks, then rate the controls applied to them as effective, partly effective, or ineffective. The scores are calculations of “residual risk” — roughly the inherent risk of an activity minus the strength of its controls, according to Stone. The system can also funnel a list of the corporation’s top ten accounting hazards to senior management.

Sometimes, a risk can be rated more objectively by someone outside a given department. For instance, a corporate risk manager might expose likely trouble spots by asking people in non-finance areas, like human resources or marketing, to rate the seriousness of certain accounting or financial-reporting hazards, according to Masco’s Calkins. ERM “shines a brighter light on everybody,” he adds. “It takes systems that were closeted before and makes them more transparent.”

New Ventures, New Risks

The view might not be so clear, however, if the risks in question involve the uncertainties of a merger or a changed business model. Nevertheless, ERM techniques can be especially useful in avoiding a restatement, say its proponents, if executives end up misgauging or inflating the future benefits of an acquisition or an entry into a new venture.

Up until a merger deal is signed, says Marsh’s Terzuoli, executives typically do a rigorous job of due diligence, but managers at the merged company routinely fail to monitor how well the prospects of the deal have panned out. Often, he says, there’s “a gap between what you thought you were buying and what you bought.”

The gap can widen to a financial-reporting abyss, as Terzuoli explains through a hypothetical merger of two technology companies. Because they overlap in a particular product line, the acquirer bets it can cut payroll cost by up to 40 percent if it eliminates the sales and marketing staffs of the acquired company. “That particular risk — whether you achieved that reduction — has to be monitored very rigorously,” says Terzuoli; such results tend to become “fuzzy after six months.” Years later, learning that the cost reductions haven’t been achieved, senior executives might find themselves having to report that the company’s share price has been artificially inflated.

M&A is also rife with the potential for accounting gamesmanship. Even when not illegal, overly aggressive goodwill reporting can bloom into a crisis if a company is caught in the act of financial self-aggrandizement. One area of likely skullduggery is the valuation of unfinished research and development projects acquired in mergers, thinks Prof. Sherman, a co-author of the recently published Profits You Can Trust: Spotting & Surviving Accounting Landmines (Prentice-Hall). The value of an “in-process R&D” project can be fair game for manipulation because it’s “a highly judgmental number,” he says.

An example of how flexible a judgment it can be occurred in September 1998. Responding to a change in Securities and Exchange Commission policy, WorldCom slashed its estimate of the worth of the in-process R&D it picked up by acquiring MCI. Apparently, WorldCom had built a fair amount of fat into its initial estimate of $6 million to $7 million — the company was able to pare it down to $3 million.

Being forced to lower valuations so dramatically could yield dire financial consequences. For instance, according to Sherman, a company might find itself in violation of bond covenants if they hinge on debt-to-equity ratios, and news of the violation could hurt the company’s share price. To prevent such risks, says the professor, senior management, the board, and the independent auditor should cross-check each other’s valuations, rather than have “one person pick the most extreme number.”

Big Brother or Culture Club?

Ongoing relationships with clients can also be fraught with accounting perils. At software provider ILOG, Friedberger and his associates closely vet how sales are booked in all large deals. The reason: In bigger transactions, customers tend to seek abounding service and product concessions from the seller as the deal evolves. “Those sorts of things can be impediments to immediate revenue recognition,” explains the finance chief.

Better, though, to book transactions correctly in the first place. At ILOG’s yearly sales conference, Friedberger briefs salespeople on the hot issues in revenue recognition, and finance executives and corporate lawyers spell out those deal structures that fall beyond the pale of company policy.

Sometimes the mere presence of a risk management program can help prevent accounting disasters, according to Mark Kontos, the CFO, treasurer, and senior vice president of Battelle Memorial Institute in Columbus, Ohio.

Recently Battelle, a non-profit trust that provides outsourced R&D services to the federal government, began entering a series of potentially risky new businesses, including the development of vaccines and human clinical trials. To assess some of its new risks — Does a project require regulatory approval? Are foreign-exchange considerations involved? — Battelle executives revamped and computerized a questionnaire that employees must complete before they bid on projects.

Such questions might avert accounting problems not by capturing miscues themselves, but by conveying a message that management “is increasingly attuned to risk,” says the finance chief.

Unfortunately, questionnaires don’t have built-in lie detectors. “If people are filling them out in an inappropriate way, there’s no way to guard against that except by [setting the appropriate] tone at the top,” he said. True risk prevention, adds Kontos, “really comes back to the culture of the organization.”