A Road Map to Risk Management

CPAs can help companies manage risk to create value.

SUCCESSFUL BUSINESSES TAKE CALCULATED RISKS to achieve objectives. Companies must measure these risks, try to minimize them and—if possible—use them to their advantage. The CPA—as internal or external adviser—is the professional best suited to help them manage risk.

CURRENT BEST PRACTICES follow these steps in the risk management process:

Establish the context.
Identify potential risks.
Analyze and assess.
Design strategies for managing risks.
Implement and integrate management processes.
Measure and monitor the business’ efficiency, profitability and vulnerability.
Report the data to the executives in charge.

CPAs AT FIRMS AND COMPANIES of all sizes are knowledgeable about clients’ or employers’ businesses and goals. Managing Risk in the New Economy, an AICPA booklet prepared by the risk advisory task force, provides a framework for understanding and implementing proper risk management steps. It can be found at www.aicpa.org/assurance/index.htm.

STEPHEN W. BODINE, CPA, a principal with Larson, Allen, Weishair & Co., LLP, Minneapolis, is also a member of the risk task force. His e-mail address is sbodine@larsonallen.com. ANTHONY PUGLIESE, CPA, is AICPA vice-president—member innovation. His e-mail address is apugliese@aicpa.org. Mr. Pugliese is an employee of the American Institute of CPAs and his views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation. PAUL L. WALKER, CPA, PhD, an associate professor at the University of Virginia, is a member of the AICPA/CICA risk task force. His e-mail address is pw4g@forbes2.comm.virginia.edu.

Successful businesses take calculated risks to achieve objectives. Globalization, deregulation, Web-based services, complicated financial instruments and contracts, emerging markets—all contain tremendous potential advantages for companies and carry the danger of huge mistakes or unexpected developments. Businesses must measure these risks, try to minimize them and—if possible—use them to their advantage. The CPA is the professional best suited to help them manage risk. CPAs—as internal or external advisers—have the skills and competencies required to help companies evaluate and address risk.

This article describes a generic framework or set of steps for risk management—based on current best practices—that is applicable to any size or type of organization. The AICPA risk advisory services task force created the framework as a resource for CPAs advising clients or employers in an increasingly complex business environment.


Although each business may have its own unique approach to risk management, current best practices suggest following these steps:

Establish the context; look carefully at an organization’s strategy, stakeholders and environment.
Identify situations that can affect the business objectives.
Analyze and assess the risks.
Design strategies for managing risks.
Implement and integrate management processes.
Measure and monitor the business’ efficiency, profitability and vulnerability.
Report the data to the executives who are in charge.

Taking a Well-Hedged Risk Boosts Sales for One Company

As an enticement, Bombardier, a Canadian aerospace and snowmobile company, offered a $1,000 rebate to buyers of its Ski-Doo machines in 16 U.S. cities if the local snowfall was less than half the average of that in the past three years. Ski-Doo sales in the 16 cities soared 38% over the year before. Bombardier hedged its bet with snowfall options it purchased from Enron. The company paid Enron between $45 and $400 for each snowmobile sold, and Enron agreed to reimburse Bombardier the full $1,000 for every rebate paid.

Source: Managing Risk in the New Economy, AICPA, quoting from Future Wealth, by Stan Davis and Christopher Meyer.


Risk management can succeed only when it works within the context of a company’s environment, goals, objectives and strategies. Organizations may differ greatly in their risk tolerance and management styles. Deposit-taking institutions necessarily place a high value on solvency and the preservation of capital. Their investors and customers expect a good return with little risk. Companies that prospect for minerals or develop high-tech products focus on big rewards in exchange for big risks. Their investors typically understand this trade-off and the significance of such an organization’s appetite and capacity for risk. CPAs will want to examine a company’s business environment and risk tolerance as a first step in risk advisory services.

How do these ideas work in practice? The Medicines Co. (TMC), a pharmaceutical developer in Cambridge, Massachusetts, has been able to minimize risk because it not only understands the market but also knows how to leverage its strengths. According to a report on TMC by Stan Davis and Christopher Meyer in Future Wealth, developing a drug can cost as much as $300 million, and the process entails several distinct stages—from creating the chemical or biological compound to winning approval from the Food and Drug Administration. Pharmaceutical companies take a risk that the huge investment will pay off in the hope of producing a billion-dollar seller such as Zantac or Viagra.

TMC understands that drug development involves a sequence of very different risks. A product can fail for several reasons at any stage, but the rigors of the approval process can kill it late in the game. The later the failure, the more expensive it is.

TMC recognized which risks it managed well—for example, the potential for failure during clinical trials. It also recognized that it was weak in the beginning stages—basic research—and at the end of the process—marketing drugs to physicians. Accordingly, the company buys the rights to proven chemical and biological compounds, develops them into drugs and then sells them to other pharmaceutical organizations to bring to market. Having successfully found its niche, TMC bears risk only in the areas where it is strongest.

Once a company understands the risks of an undertaking, the owners or management can develop a strategy for containing them. This may involve formally structured policies and procedures or an informal process, depending on the business. Companies may bring in risk management consultants, such as CPAs, to help the business get to this stage. As part of the risk management process, company leaders might ask:

What are our objectives?
What are our values?
Who is accountable?
Who has the authority?

Questions like these can help establish the context for an organization’s risk management efforts.


Managers need a systematic approach for uncovering and addressing risks that might affect a company’s success. If a CPA is called on to consult on this aspect of risk management, he or she must develop a risk identification system that’s rigorous, flexible and pertinent to the company under the microscope.

What kinds of risks might a business typically discover? The Guinness Co., for example, defined seven types within its large but relatively straightforward businesses, United Distillers and Guinness Brewing Worldwide, according to Managing Business Risks: An Integrated Approach, from the economic intelligence unit at Arthur Andersen. The treasurer is responsible for managing them. They are

Brand equity risk, which could affect the company’s brand name or reputation.
Customer satisfaction risk, which would reflect poor consumer reception to products.
Product quality risk, which would reflect quality control problems.
Catastrophic risk, which would generally cover political, natural or other disasters.
Regulatory risk, which results from political changes affecting the industry.
Cultural risk, which could damage brand image or acceptance based on changes in the attitudes of consumers.
Trade war risk, which would result from price cutting or other competitive practices.

A Cartography of Risk
A simple but powerful way to display the relationship between the likelihood and consequences of an event is to use a risk grid. This exercise can “map” by critical success factor, overall organization objective or each of the categories used in identifying risk.

Imagine a company relies heavily on a supplier that has a long track record in its field and a solid financial history. If the supplier were to go out of business or temporarily cease operations, the consequences to the company would be high, but the likelihood of such an event is low. This risk thus would be plotted on the map as noted by the X below. Once a company has plotted its risks on this map, it would concentrate first on those in the upper right box—high consequences and high likelihood of occurrence—then work its way down and left to deal with less likely or consequential threats. The map offers a quick graphic illustration of risks facing the company and where they are clustered in terms of severity and chances of occurring.

Risk mapping can be used for both aspects of risk: opportunities and threats. Organizations may also find it useful to prepare risk maps for different time horizons.


Once a company knows its risks, it needs to rank them to establish priorities in order to make decisions. The sidebar, “A Cartography of Risk,” shows how to map the impact of risk.

Quantitative data play an important role in the process. Canadian Pacific is a diversified operating company involved in transportation, energy and hotels. Its bottom line is affected by external factors, such as fluctuations in the prices of crude oil, natural gas and coal, as well as movements in interest and foreign exchange rates. (See “Canadian Pacific Data, Hedged and Unhedged,” below.) Based on its analyses, Canadian Pacific can use derivative financial instruments, such as foreign exchange contracts, interest rate swaps and futures contracts, to mitigate its risks. This is the kind of quantitative analysis that CPAs can use to help clients or employers assess threats and opportunities.


Once companies know their risks, there are four basic responses that CPAs can help them consider:

Avoid. If the threat associated with an opportunity is too high relative to the potential reward, it may be appropriate to drop the idea. However, some executives—and entire company cultures—may unwittingly encourage risk aversion, which can result in missed opportunities. CPAs can provide data to illuminate whether an option spells trouble or promises new benefits.

Transfer. Strategies that CPAs can recommend to shift risk to third parties include buying insurance; using financial instruments, such as derivatives; outsourcing some parts of the process; or creating partnerships or strategic alliances. Transferring risk can be a smart strategy—but part of the due diligence is ensuring that the organization accepting the risk can fulfill its obligations.

Mitigate. To increase the chances of achieving objectives, CPAs can help employers or clients establish and monitor critical success factors and key performance indicators, which signal whether a strategy is working or failing. Two models provide guidance on the design and assessment of control in achieving objectives: that of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and that of the Criteria of Control project of the Canadian Institute of Chartered Accountants.

Accept. Companies may be able to live with some risks. For example, a gold mining company facing fluctuating mineral prices may conclude the profit opportunities outweigh the risks.

ACT International, a U.K.-based financial software maker, made specific operational choices to detect and mitigate risk, according to Managing Business Risks: An Integrated Approach. It had grown very quickly until business and profits plummeted in the early 1990s. A survey clearly showed the company had failed to recognize profound customer unhappiness with its products and support. The company solved the problem, in part, with a program to elicit ongoing customer feedback.

Canadian Pacific Data, Hedged and Unhedged
This illustrates the estimated effect of changes, under certain conditions, in the foreign exchange value of the Canadian dollar, interest rates and the prices of crude oil, natural gas and coal on consolidated 2000 earnings, based on the company’s 1999 annual report:

Customer surveys can make sense for many types of businesses. ACT asks its customers to rate the following on a scale of 1 (very unsatisfied) to 5 (very satisfied) in a poll that takes between 15 and 30 minutes to complete:

Product satisfaction.
Account management and sales personnel.
Customer service center response quality.
Technical support timeliness.
Customization of installations.
Administration and communication.

The response rate is greater than 80%. Staff members talk to clients who have given ratings below 3 in any area to learn what they can do to remedy the problem. The focus on customer satisfaction has helped the company return to profitability by mitigating possible future dissatisfaction.


What should clients or employers do to make sure the right risk strategies are in place?

Establish specific risk management objectives and performance measures.
Create a culture in which employees are accountable for managing risk.
Develop an infrastructure for risk management.
Communicate information about and training in risk management.

TD Bank strives to be the best risk manager among major Canadian banks. Meeting this objective requires a well-established infrastructure, so the bank created a separate division staffed by qualified risk management professionals. Acting independently from the bank’s business units, the group established a policy framework and defined TD’s risk limits. Senior TD executives approve the group’s protocol for managing major financial risks and review it at least annually. In addition, the board of directors’ audit and risk management committee approves all such policies.

Risk management has become sufficiently important to boards and audit committees that an October 1999 report of the National Association of Corporate Directors offered guidelines. It concluded that the chairperson of the audit committee should develop an agenda that includes “a periodic review of risk by each significant business unit.” In many organizations, communication and training include raising awareness about risk management, explaining the organization’s approach, implementing a common risk language and developing oversight skills.


The enormous scope of risk makes it impossible to have a one-size-fits-all approach to measuring and monitoring it. To understand how well it is managing risk, a firm or company must ask questions about its specific business that are tailored to discern:

Are we achieving the results we planned?
Are we monitoring and learning from control breakdowns and losses?
What are we doing about the major risks that we have identified?
Do we have the necessary guidelines or policies and procedures?
Do they work—or will they?

Chase Manhattan Bank, now part of J.P. Morgan Chase, evaluated ongoing effectiveness in achieving its strategic goals in three areas: being the service provider of choice, the employer of choice and the investment of choice, according to Managing Business Risks: An Integrated Approach. The evaluation assesses the company’s progress or failure to meet its risk goals using the following format. The measurements are subjective, but it would be possible to assess each item on, say, a 1 to 10 scale.

Objective: To be the services provider of choice, measure:

Quality of product.
Functionality of product.
Speed of execution.
Cost of delivery.
Customer satisfaction.

Objective: To be the employer of choice, measure:

Turnover ratios.
Salary and benefit levels.
Opportunities for development.
Employee satisfaction.

Objective: To be the investment of choice, measure:

Share price.
Return on assets.
Return on equity.

Good performance management is an essential tool in risk management.

The bank translates these measurements into an ongoing reporting system for management, selectively tracking and attending to the most critical ones.

Risk Management Resources

Managing Risk in the New Economy

This booklet, published by the AICPA risk advisory services task force, is available free of charge by contacting the AICPA’s member innovation team at iroger@aicpa.org. It can also be obtained on the Web under Assurance Services at www.aicpa.org/assurance/index.htm. This link also contains information about these services:

CPA Performance View
This is a valuable resource for CPAs who want to assess an organization’s ability to monitor risk. It contains a variety of products for delivering consistent business performance measurement consulting services to clients.

SysTrust Principles and Criteria, Version 2.0, describes what is necessary to help manage some system risks and to ensure system availability, security, integrity and maintainability.

WebTrust Principles and Criteria, Version 3.0, details principles to ensure the reliability of a Web site in terms of privacy; transaction integrity; security; availability; nonrepudiation; and confidentiality. CPAs can rely on the principles and criteria underlying these risk advisory services in creating strategies for their own businesses, their employers or their clients.

Other sources

American Management Association: www.amanet.org.

Financial Executives Institute: www.fei.org.

Institute of Internal Auditors: www.theiia.org.

Institute of Management Accountants: www.imanet.org.

National Association of Corporate Directors: www.nacdonline.org.

The Risk Management Association (formerly Robert Morris Associates): www.rmahq.org.


Many accounting firms offer risk advisory services. “CPAs who serve middle-market and small companies are typically very close to the owner/manager and knowledgeable about many aspects of their clients’ businesses and their goals,” says Susan Menelaides, CPA, of Altschuler, Melvoin and Glasser, LLP, in Chicago. “We already have a good understanding of client companies’ business strategies, goals and motivations, which qualifies us to assist them. We can help them keep their focus on setting and achieving goals, identifying what can go wrong and—more positively—maximizing opportunities to succeed. We offer objectivity and knowledge of how similar businesses operate.”

Similarly, CPAs working in industry have firsthand insight into the challenges facing companies and the options available to them to mitigate or avoid risk.

The steps outlined in this article provide CPAs a framework for understanding and addressing elements of risk. They are from Managing Risk in the New Economy, an AICPA booklet prepared by the risk advisory task force. CPAs—whether in public practice, corporate finance or internal auditing—are qualified to manage risk for employers or clients. Accepting and managing risk are critical to the success of any organization.

