When Enron’s financial statements didn’t turn out to be quite as rosy as they appeared, a new business era was ushered in – the Age of Corporate Regulation, marked by the enactment of SOX.
Interestingly, many of the factors that led to the Enron collapse had also prompted the 1929 Wall Street crash. The government, at that time, responded by passing the Securities Exchange Act in the hope that it would prevent the recurrence of similar corporate issues. But then came the Barings Bank scandal, followed by Enron, and almost a decade later, the global banking failure and financial crisis.
So, despite increasing regulation, we still see many of the same corporate failures continue to occur nearly a century later. How do we end this cycle?
It all boils down to governance. Good governance can keep in check human tendencies like greed, pride, and self-rationalization which, historically, have caused many of our worst corporate scandals.
Good governance, in turn, is achieved primarily through robust and consistent risk management. If you’re regularly assessing, managing, and documenting your business risks and controls, then you’re well-positioned to not only protect your business from scandal, but also simplify regulatory compliance, prepare in advance for new legislation, and build a reliable, profitable reputation.
So, how do you get to this stage?
Moving from Reactive to Proactive Risk Management
In 1990, Dwayne Jorgensen’s “Hierarchy of Internal Control Needs” was first published -- a pyramid that represents the different stages of maturity in risk management and controls.
At the bottom of the pyramid is the “Compliance” stage at which organizations manage risks and controls in order to comply with specific regulations, as well as organizational goals and objectives. At the next “Operational” stage, organizations have moved a step higher, and are now trying to proactively fix risk issues, so that they don’t recur. Organizations reach the “Consultative” stage when they strive to understand and learn more about their risks and how to effectively manage them.
The highest stage is that of “Control Self-Assessment” where an organization has reached such a level of risk awareness that they are constantly analyzing their risk universe, identifying new and emerging risks, determining which of those risks are important, and then managing and mitigating the risks in a timely manner. This stage of proactive risk management is when organizations achieve a truly high level of good governance, and start to benefit from it.
Many thought-leading organizations, at this point, also focus more on the “spirit of the law” rather than the “letter of the law” when it comes to regulatory compliance. They understand what governance is really about, and they educate their employees to effectively prioritize, mitigate, and document risks. As a result, these organizations have a much better control environment than most others.
In 2004, two new foundational layers were added to the Hierarchy of Internal Control Needs pyramid – “Objectivity” and “Independence.” These layers indicate that for governance to work effectively, there have to be independent and objective auditors who periodically evaluate the risk and control framework, and ensure that the organization hasn’t become complacent in risk management. These processes are performed both internally (by Internal Audit functions) and externally (by CPA firms): internally as a function independent of operating management, and externally for regulatory reporting and external public confidence.
That being said, auditors are not responsible for implementing the risk-control framework or ensuring good governance. Those are the responsibilities of the Company Owners or Board of Directors and the management team. They need to set the “tone at the top,” understand the organization’s risk appetite, and establish the appropriate controls.
Getting the Most Out of the COSO ERM Framework
When it comes down to risk management and governance, many industry experts believe that the best framework out there is COSO. Notably, COSO treats internal controls not as a one-time effort, but as an on-going process or journey.
Based on the COSO ERM framework, risk management is:
- Effected by people (not merely policies or surveys)
- Applied across the enterprise at every business level
- Designed to manage risk within the organization’s risk appetite
- Designed to provide reasonable assurance of risk control to the management and board
For companies setting up the COSO framework for the first time, the key is to:
- Conduct an initial risk assessment, using the COSO model to define and categorize risks (e.g. strategic risks, operational risks, compliance risks)
- Determine which key risks should be mitigated
- Document those processes
- Test the effectiveness of the processes through auditing, and then remediate issues proactively
- Finally, ensure periodic risk reporting, both internally and externally
Don’t try to execute this approach across all your organizational processes at one time. Pick a key business process as a pilot or trial, and run the above methodology through it. Work with external auditors to determine if the approach you have chosen is satisfactory. If it is, then implement it through all the processes in the organization.
If you already have a control framework, you might do well to assess which stage of maturity it falls into:
- Initial stage: Control structure is not defined. Controls occur incidentally.
- Repeatable: Control structure is not defined but control processes may occur based on past successes and management oversight.
- Defined: Control structure is documented, standardized, and integrated into control processes.
- Managed: Control processes are regularly assessed and tested. Detailed measures of the control process are collected and reported.
- Optimized: Continuous process improvement is enabled by quantitative feedback from the control process.
As you proceed through these five stages, the predictability, effectiveness, and efficiency of your internal controls programs will improve greatly.
Delving Further into the Risk-Based Approach
In addition to the Risk Pyramid referenced earlier, Mr. Jorgensen has pioneered an effective program for identifying and mitigating key risks, which has been used by many companies since 1990, both small and large, public and private. Here are some additional practices from Dwayne’s program to keep in mind while managing your risks and controls.
First, determine executive management’s strategies, goals, concerns, and objectives, so that you can better understand the associated risks. Then, define your risk universe, classify your internal and external risks, and map them to key controls, as well as management objectives.
The next step is to assess your risks both qualitatively and quantitatively, and measure their severity and likelihood. If applicable, obtain an external auditor’s assessment of your risks and controls. Also, talk to business unit level managers to discover any new or emerging risks that you might have missed.
Define a model of risk factors that are relevant to your organization. Weigh risks based on these factors, and review the scores with management and process owners.
Finally, direct audit resources to the areas of highest risk, and constantly remediate any issues that arise.
How Technology Can Help
Technology plays an invaluable role in building an effective risk management and governance program. Many organizations leverage software solutions to minimize risk inconsistencies and silos, and to establish a single risk taxonomy and culture across the organization. Others use sophisticated reporting tools and analytics to transform risk data into valuable business intelligence.
Apart from these capabilities, technology can also help streamline and automate risk management workflows. In fact, at every stage of risk management, it acts as a significant enabler:
Risk Identification: Some software solutions provide the ability to define and maintain a central risk register where you can capture and categorize risk, assign risk owners, and determine risk severity, impact, consequences, and rating. You can also create a centralized data model of organizational risks that are tightly mapped to the corresponding controls, regulations, policies, business processes, units, control evaluations, issues, and action plans, as well as business objectives. The result is better risk visibility, and greater ease in managing changes to regulations, risks, or business processes.
Risk Assessment and Analysis: Most organizations use technology to automate risk assessments, score inherent and residual risk, and conduct what-if scenario analyses. Through powerful dashboards, stakeholders can correlate, analyze, and visualize risks to determine areas of concern and opportunity. Many software solutions also help define risk thresholds, and monitor KPIs and KRIs. Automated alerts indicate when thresholds are breached.
Risk Monitoring and Reporting: Technology offers a highly structured and standardized method of reporting risk results. Risk reports, heat maps, dashboards, and charts can all provide real-time risk information, enabling you to stay one step ahead of new and emerging risk areas. Drill-down capabilities allow you to study the risk data at finer levels of detail. You can also slice and dice the data to proactively analyze risk trends and statistics, and make informed decisions. Some solutions go a step further and offer advanced risk modeling capabilities and analytics to help you effectively anticipate and mitigate emerging risks.
Loss Event Management and Issue Remediation: In many organizations, technology simplifies the process of capturing loss events, issues, and risk exposures across multiple lines of business. It also helps streamline loss investigations and corrective action.
If we want to prevent another Enron-like scandal or a repeat of the recent global financial crisis, it is imperative that we take the steps now to build stronger, more risk-aware corporate cultures. Risk management is no longer just about complying with regulations. Instead, it’s about consistently identifying, managing, mitigating, and documenting risks – using frameworks such as COSO – so that we are able to build better governed and more resilient organizations. Let’s leave the corporate failures, scandals, and recessions where they belong – in the past!