“Beyond Traditional Audit Techniques” (JofA, Jul. 02, page 28) did an excellent job describing a company’s nontraditional approach to internal audit and risk management. My recommendation is that all CPAs, especially those who are CFOs, CEOs and on boards, read the article several times, file it, read it again and then put in place a similar process within their own organizations. Everyone will sleep better.
An effective integrated enterprise risk management system could have prevented or detected many of the activities that caused the recent events at WorldCom, Enron, Tyco and other companies.
Currently, most organizations take a silo approach to risk management at best. Silos do not provide executive management with a forum to know all the major risks and how they are being mitigated collectively to a level of assurance consistent with a company’s risk tolerance. For example, successfully managing environmental risks a company faces requires the input of legal, insurance, business, human resources and internal audit.
Executive management/board members should ask themselves why silos arise and what can be done to get rid of them. Here are some reasons they exist and some actions that will help reduce or eliminate them.
Various functions compete for ownership of risks, and it’s not clear who ultimately owns them or whether the functions should work together. The solution is facilitated by using workshops with employees from different areas to identify business risks. Another forward-thinking solution is for executive management to align appropriate resources into the risk management function or to have dotted line relationships with key groups, such as legal or human resources.
Executives are cost conscious and view the bottom line as a high priority. Building an enterprisewide risk management system requires investment. Just as companies need to invest in people with the expectation of payback down the road, companies need to invest in infrastructure. Of course, as with other investments, one needs to weigh expected cost against anticipated benefits. Unfortunately, an out-of-sight, out-of-mind mentality often prevails. For example, even after September 11, how many companies have concrete business continuity plans in place?
Boards may not have the right talent to ask probing risk management questions. Companies need to assess the competence of individual board members and replace those who cannot ask the difficult questions.
From the perspective of an in-house legal function, an enterprisewide risk management program breaks apart the attorney/client privilege because it documents in writing all of the major business risks, including legal matters. Legal counsel generally directs a company to maintain silo approaches to risk management because they believe documenting such matters could attract unfavorable attention in the event of a third-party investigation. But a well-drafted risk management program with a commitment to action would prevent risks from becoming legal issues or benefit a company’s defense in court proceedings. Boards have a responsibility to know what is going on with all major business risks (constructive knowledge doctrine). Failure to document and communicate this in a robust fashion is one of the first steps in failing to adequately recognize and mitigate the risks.
Arnold Schanfield, CPA, CIA, CA, CFE
Vice-President, Risk Management and Internal Audit
New York City