The Risk Manager
April 1, 2012
Elliot A. Fuhr
Senior Managing Director
Christine Wu McDonagh
Chief financial officers may have the ideal combination of perspective and abilities to link capital.
Perhaps more than ever, large businesses must navigate a world of financial crises, volatile markets, natural disasters, growing regulatory scrutiny and the risky waters of global expansion. As a result, risk management has moved from the background to center stage in the boardroom. Because of the increasing uncertainty of business outcomes, shareholders, with the support of regulatory agencies, are becoming more intolerant of “surprises” that damage investment value and are demanding that companies have thorough, dynamic risk management processes in place. It all starts with creating a risk-aware culture. The CFO can play a significant role.
Many organizations have not yet developed robust risk management programs or embraced a culture of risk management.
The Demand for Better Risk Management
There are seemingly many regulatory requirements that address shareholder concerns. Companies undergo costly, lengthy audits to adhere to Generally Accepted Accounting Principles (GAAP) and receive objective opinions on their financial statements from accounting firms. Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) assesses a company’s internal controls and requires a top-down risk assessment. The Public Company Accounting Oversight Board (PCAOB), concerned about the quality of independent audits, has recently embarked on audit reform to ensure that accounting firms render an objective opinion. In 2010, the U.S. Securities and Exchange Commission established rules that require boards to disclose risk oversight measures. The Dodd-Frank Act requires U.S. public companies to adopt clawback policies requiring the return of incentive compensation paid to executives based on erroneous financial statements. In addition, companies can no longer exclude proposals from proxies where shareholders are seeking more disclosure on risks related to major policy issues.
Yet these measures can be inadequate. While regulatory requirements address internal controls and attempt to measure risk, companies are ultimately responsible for managing it. Compliance with GAAP, for example, does not speak to how management decides to apply it. A company can be in compliance with regulations and still fail to effectively manage and mitigate risks. One multibillion-dollar company cleared its SOX 404 testing with significant liquidity issues and filed for Chapter 11 bankruptcy a few weeks later.