The risk of fraud or noncompliance with rules and regulations is ever present in the current business and legal environment. Managing this risk is therefore critical for any company. The author details the key qualities of an effective risk management process and a well-developed ERM program that is relevant and specific to a company’s needs and supported by top management. He stresses the importance of having the right people implementing the right processes in the right way.
* * *
Since the enactment of the Sarbanes-Oxley Act of 2002 (SOX), public companies have taken steps to strengthen their internal controls over financial reporting and enhance their ability to comply with rules and regulations. For the past two decades, in response to accounting and corporate scandals as well as increased enforcement of the Foreign Corrupt Practices Act of 1977 (FCPA) by the SEC and the Department of Justice (DOJ), corporate boards have become more aware of, and management more focused on, governance and risk management. Specifically, beyond basic internal controls, companies are taking preventive measures to manage their potential risks of fraud and noncompliance by implementing antifraud policies and procedures, staying on top of relevant compliance requirements, and leveraging periodic fraud awareness training to keep employees informed of their roles and responsibilities.
Such an increase in awareness and focus on risk mitigation is not limited to publicly traded companies, as more privately held organizations and not-for-profit entities are beginning to formalize their enterprise risk management (ERM) programs and deploy dedicated resources, from periodic controls testing by internal auditors to the creation of compliance offices, to monitor risks and compliance.
Based on best practices companies have adopted to manage their relevant risks in recent years, this article intends to demystify the risk management process by outlining how it works and how the process of building a manageable yet effective ERM program can be scaled to fit a company’s needs as it grows.
The Risk Management Process
While it is debatable whether the risk management process is born of necessity because of the regulatory environment, no one would disagree that an effective risk management process has benefits. A well-managed ERM program enhances management's ability to prevent and detect, in a timely manner, not only fraud or irregularities but also control failures that could result in regulatory noncompliance or violation of rules and regulations.
To build an ERM program, companies need support from the top, proper risk monitoring and oversight, qualified employees, and control activities that are relevant and balanced. In general, the effectiveness of a company’s risk management process and ERM program is dependent on the qualities of these factors:
- Risk governance
- Risk assessment
- Risk mitigation
- Risk reporting.
As depicted in Exhibit 1, at the heart of the risk management process is the company’s formal ERM program, the effectiveness of which is directly affected by the company’s antifraud and compliance culture; that is, its risk tolerance and attitude towards doing things right the first time and doing the right thing. This is evidenced by the actions of its board—defined herein as “risk governance”—and the integrity of the processes overseen by management.
The objective of risk assessment is to identify the most critical or relevant risks (including but not limited to financial, operational, and compliance risks); rank them based on their likelihood of occurrence and potential financial, operational, and reputational impact to the company; and identify those areas where the company is most vulnerable to failure in detecting or preventing these risks in a timely manner (i.e., control gaps). Risk mitigation focuses on the timely remediation of control gaps and testing of those specific control activities for their effectiveness in preventing or detecting the identified risks. Risk monitoring and reporting focuses on the tracking of control weaknesses and deficiencies identified, the implementation of remedial actions, and the periodic reporting of challenges encountered and progress attained.
Given the extent of the guidance available for reference, building a comprehensive ERM program with the right concepts should not be difficult for most entities. That said, in order to develop an effective ERM program that is sustainable in nature, companies are encouraged to incorporate the following attributes into their risk management process:
- Appropriate risk governance, characterized by active board participation
- Existence of a formal ERM program that is well defined and well managed
- Periodic risk assessment that is complete and focused on what really matters
- Timely identification and remediation of control gaps and deficiencies
- Existence of proper checks and balances, in that updated control policies and procedures are balanced, reasonable, and well understood
- Proper mitigation of people risks; that is, employees are well trained and there is ongoing antifraud awareness training
- Periodic testing of key control activities for their design and operating effectiveness
- Appropriate risk monitoring evidenced by proper management oversight
- Timely reporting of problems encountered and objectives attained.
Enterprise Risk Assessment
Risk management should not be an academic exercise, and until a company is ready to invest in a user-friendly ERM software package, the annual enterprise risk assessment can be summarized by key function and key area using Excel worksheets. As a rule of thumb, companies are encouraged to conduct the risk assessment at least once annually or whenever there is a significant change in the internal control environment, such as a business acquisition or reorganization that changes process flows, the related internal control activities, or the personnel responsible for performing those control activities.
A typical enterprise risk assessment consists of the following steps:
- First, identify (or update) the company’s risk universe. In mapping the company’s risk universe, start with what is known by referring to relevant industry risks and risks that are specific to the company and its business operations. Then identify emerging risks, such as those recently flagged by regulators or issues encountered by peers (such as FCPA violations, control failures, and accounting scandals). Determine what could go wrong in light of the current internal control environment; while not every challenge or issue encountered by peers is relevant to a particular company, the risk universe should highlight those areas (by process, function, or department) in which the company is most vulnerable to noncompliance. Avoid using another company’s risk universe as a template; it should be unique to the needs of the company in light of its vulnerabilities, available resources, and pressing priorities.
- Then, rank the potential exposures so that resources can be properly allocated to address them. Risks should be ranked based on their likelihood of occurrence, their potential impact (financial, operational, and reputational), and any existing compensating controls designed to mitigate the related impact; the residual exposure after compensating controls is what determines where remediation effort goes first.
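The two steps above, carried through on a small constructed risk register, as an added example that is not part of the original article. It scores each risk on an assumed 1-5 likelihood and 1-5 impact scale, discounts the inherent score by the rated strength of existing compensating controls, ranks the residual exposure, flags control gaps against an assumed tolerance threshold, and writes the result as the kind of worksheet the text describes. The scales, weights, the tolerance value, and the five sample risks are all assumptions chosen for illustration.

```python
"""Enterprise risk register scoring (added example, not the article's own model).

Scales are assumed: likelihood and each impact dimension are rated 1 (remote /
negligible) to 5 (almost certain / severe); control_strength is 0.0 (no
compensating control) to 1.0 (fully mitigates). TOLERANCE is an assumed
residual-score threshold above which a control gap is recorded.
"""
import csv
import io
from dataclasses import dataclass

TOLERANCE = 6
IMPACT_DIMENSIONS = ("financial", "operational", "reputational")


@dataclass
class Risk:
    risk_id: str
    function: str            # process, function or department that owns the risk
    description: str
    likelihood: int          # 1-5
    impact: dict             # {"financial": n, "operational": n, "reputational": n}
    control_strength: float  # 0.0 .. 1.0, rated strength of compensating controls

    def __post_init__(self):
        # Reject malformed ratings early so a bad worksheet row cannot hide a risk.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.risk_id}: likelihood must be 1-5")
        if set(self.impact) != set(IMPACT_DIMENSIONS):
            raise ValueError(f"{self.risk_id}: impact needs {IMPACT_DIMENSIONS}")
        if any(not 1 <= v <= 5 for v in self.impact.values()):
            raise ValueError(f"{self.risk_id}: impact ratings must be 1-5")
        if not 0.0 <= self.control_strength <= 1.0:
            raise ValueError(f"{self.risk_id}: control_strength must be 0.0-1.0")

    def inherent_score(self) -> int:
        """Likelihood times the worst impact dimension (worst-case view)."""
        return self.likelihood * max(self.impact.values())

    def residual_score(self) -> float:
        """Inherent score discounted by the compensating controls in place."""
        return round(self.inherent_score() * (1 - self.control_strength), 1)


# Constructed sample register; the entries are illustrative, not real findings.
SAMPLE_REGISTER = [
    Risk("R1", "Procurement", "Unauthorized vendor payments (bribery / FCPA exposure)",
         3, {"financial": 4, "operational": 2, "reputational": 5}, 0.7),
    Risk("R2", "Finance", "Manual journal entries misstate the quarter close",
         4, {"financial": 5, "operational": 3, "reputational": 4}, 0.5),
    Risk("R3", "IT", "Privileged ERP access not periodically reviewed",
         4, {"financial": 3, "operational": 4, "reputational": 3}, 0.2),
    Risk("R4", "HR", "Ghost employees on payroll",
         2, {"financial": 3, "operational": 1, "reputational": 2}, 0.5),
    Risk("R5", "Sales", "Side agreements alter revenue recognition",
         3, {"financial": 5, "operational": 2, "reputational": 4}, 0.0),
]


def rank_register(risks):
    """Highest residual exposure first; inherent score, then id, break ties."""
    return sorted(risks, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))


def control_gaps(risks, tolerance=TOLERANCE):
    """Risk ids whose residual exposure still exceeds the company's tolerance."""
    return [r.risk_id for r in rank_register(risks) if r.residual_score() > tolerance]


def summarize_by_function(risks):
    """Per-function roll-up: how many risks and the worst residual score."""
    summary = {}
    for r in risks:
        entry = summary.setdefault(r.function, {"count": 0, "max_residual": 0.0})
        entry["count"] += 1
        entry["max_residual"] = max(entry["max_residual"], r.residual_score())
    return summary


def to_worksheet(risks, tolerance=TOLERANCE) -> str:
    """CSV text in ranked order, ready to paste into a worksheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rank", "id", "function", "description", "likelihood",
                     "max_impact", "inherent", "control_strength", "residual", "gap"])
    for rank, r in enumerate(rank_register(risks), start=1):
        writer.writerow([rank, r.risk_id, r.function, r.description, r.likelihood,
                         max(r.impact.values()), r.inherent_score(), r.control_strength,
                         r.residual_score(), "GAP" if r.residual_score() > tolerance else ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_worksheet(SAMPLE_REGISTER))
    print("control gaps:", control_gaps(SAMPLE_REGISTER))
```

Note the order the ranking produces: the sales risk with no compensating control outranks the finance risk with the highest inherent score, which is the point of scoring residual rather than inherent exposure. The validation in `__post_init__` matters in practice because an unrated or mis-keyed row in a worksheet otherwise silently scores zero and drops out of the gap list.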
Effective Risk Mitigation
Companies that are most effective in managing and mitigating their operating, financial, and compliance risks (that is, preventing and detecting control failures and instances of noncompliance) are those that have the right tone at the top and the right people managing and monitoring the right processes. The right people are employees who are technically qualified and possess an appropriate awareness of their roles and responsibilities in relation to risk detection and prevention; the right processes are a set of reasonable, not excessive, internal control activities.
When the right tone is set at the top and acceptable workplace behaviors are guided and reinforced by a code of conduct, business ethics, and periodic fraud awareness training, employees are more likely to do the right thing, and companies will be able to build a sustainable compliance and risk management culture. As depicted in Exhibit 2, the integrity of a company’s internal control environment (and thus its ability to mitigate and manage the relevant risks) is directly related to the following questions:
- Does management set the right tone, so that employees are asked to do the right things and do things right the first time?
- Does the company have a formal code of ethics and business conduct?
- Has management implemented a formal ERM program?
- Have the company’s policies and procedures been properly updated, and have they been appropriately disseminated to the employees?
- Does the company have a formal talent recruitment and retention process?
- Are employees required to attend periodic awareness training?
- Are employees required to confirm their understanding of their roles and responsibilities with respect to risk prevention and detection?
- Does the company have a whistleblower hotline?
- Are control activities periodically tested to confirm their effectiveness?
- Are control deficiencies timely reported?
- Are remedial actions timely implemented to mitigate the control deficiencies identified?
Effective risk mitigation is all about having qualified and trained employees applying the right internal control procedures on a consistent basis. Companies could have perfectly designed control policies and procedures, but if they are not properly executed, the effectiveness of the risk mitigation process will be significantly reduced; this is known as people risk. To help mitigate people risk, companies have updated their hiring practices to include background and reference checks; incorporated risk management responsibilities into employees’ performance goals, compensation, and incentives; linked incentives to employee performance and other short- and long-term metrics, such as the company’s operating results; and tied payouts to attainment of specific risk mitigation objectives.
Representative Risk Management Initiatives
Companies have learned to prioritize their risk management initiatives in order to build a scalable ERM program that will grow with the company and is responsive to its operating and compliance challenges. Companies have strengthened their internal control environments through the following actions:
- Developing formal guidelines on unacceptable business practices
- Implementing zero-tolerance policies and formal disciplinary procedures
- Conducting ethics, antifraud awareness, and compliance training
- Using an annual certification program to demonstrate compliance
- Instituting a whistleblowing hotline.
In addition, people risk can be minimized by formalizing policies on talent recruitment and retention. Duties should be segregated and incompatible functions separated. Independent review and supervision of employees can help, as can implementing performance-based incentives and annual performance evaluations.
An ERM program can be formalized by appointing a dedicated chief risk officer and risk committee, as well as expanding the use of detailed analytics and transaction testing. It is also important to conduct a timely investigation and reporting of any instances of noncompliance.
Compliance and internal controls can be integrated into process flows by implementing the following measures:
- Preapproval procedures and authorization limits to prevent unauthorized purchases or payments
- Specific controls over business gifts, travel and entertainment, and donations and contributions
- Policies on detailed review and approval of nonroutine transactions
- Policies on timely investigation of significant variances against budget or plan.
Finally, the internal audit team should periodically conduct a compliance review and operational audit. Internal audit should also perform quarterly testing of key controls to confirm their operating effectiveness, along with penetration testing and testing of access controls, to mitigate the risk of unauthorized access or changes to the company’s data and applications.
Setting the Right Tone
Companies do not need a big budget or an extensive project management team to establish an effective ERM program. In the author’s experience, an effective ERM program is one that gets commitment from the top and is well supported by management. While the success of any ERM program is dependent on many factors, the following tips highlight those within a company’s control:
- Focus on what really matters. Map the risk universe based on an evaluation of what could go wrong and scale up risk management initiatives and the testing plan in line with the growth of the company.
- Only implement controls that are balanced and relevant. Sometimes, less is more.
- Create and nourish a culture of risk prevention and compliance. This will drive positive changes in behavior.
- Prevention is always better than remediation. It is always cheaper to prevent an issue from happening than to remediate a problem and the attendant damage to the company’s reputation.
- Learn from the mistakes of others. Any company could be just as vulnerable as its peers.
- Do not reinvent the wheel. When it comes to developing the right controls to address the relevant risks, look to those companies that have successfully remediated their related challenges.
- Be responsive to warning signs and red flags. Each control deficiency should be thoroughly evaluated; if not dealt with early enough, it may come back to harm the organization.
- Speak up if something doesn’t look right. Create a communication protocol where employees are comfortable reporting problems, and enhance employee awareness via periodic training.
- Build regulatory compliance and internal controls into the ERM program.
- Leverage the internal audit team wisely.
- Strengthen a company’s compliance risk management culture with timely risk reporting.
Risk monitoring is an ongoing process and a critical aspect of the company’s ERM program. For additional information on enterprise risk management, readers are encouraged to review COSO’s Enterprise Risk Management–Integrated Framework, originally published in 2004, and its 2017 update, Enterprise Risk Management–Integrating with Strategy and Performance.