New Era of Risk Management
Steven Minsky, a risk expert, highlights the differences between traditional Risk Management and true Enterprise Risk Management, which most importantly is about helping something happen - not preventing something from happening. Steven's blog helps you think about risk in a new way and how to benefit practically from this rapidly evolving new field.

  • Global Warming: What does it mean to your bottom line?

    Al Gore received his Nobel Peace Prize on Monday and urged the United States and China to make the boldest moves on climate change or “stand accountable before history for their failure to act.” The cause and effect of global warming on a macro scale are well documented. However, most companies would be hard pressed to understand how global warming will affect their company's operations and bottom line in measurable terms. Failure to act may be attributed in part to lack of motivation considering the high expense of corrective action.

    This is an opportunity to illustrate how Enterprise Risk Management can be applied to turn the hype into a hard dollar business case for concrete actions. Consider the task each corporation faces individually: to translate the consequences into how they will specifically hit its bottom line and its stakeholders, and to weigh the costs and benefits of action or inaction. Using Enterprise Risk Management, a company would review risk factors within each of five root cause categories (External, People, Process, Relationships and Systems) to determine how global warming may affect it. For example, a manufacturing company in Michigan going through this exercise may determine that global warming falls under vendor relationships for their shipping distribution. Global warming has been blamed for the lowering of the water level of the Great Lakes by more than 3 feet. The falling water level is already affecting Lake Superior's shipping industry. Freighters carry less cargo now for fear of running aground. Further, that same manufacturer may find liability in the increased effect of the effluent that drains into the Great Lakes. As the water drops, previously safe emissions may now result in compliance issues and liabilities for civil actions.

    The movie Civil Action is based on a true story about a class action lawsuit filed against polluters decades after the pollution took place. The settlement was for $70 Million. Could today's industrial titans have a liability accumulating regardless of their geographic location? In the case of global warming, it appears history may be about to repeat itself.

    Organizations need to build their own business case for action based on detailed information relevant to their company, culture and industry. The general ledger in a company keeps track of all risks that have been realized, which is not very helpful for forward-looking risk. An Enterprise Risk Management system identifies and tracks risks that have not yet happened. With an Enterprise Risk Management system, future expenses and liabilities can be predicted, acted upon and mitigated before they hit the financial statements. The bonus is that you can get Sarbanes-Oxley compliance done at the same time.

    To help you find out how to translate risk into action, the Risk and Insurance Management Society offers a free self-assessment on Enterprise Risk Management readiness using a maturity model. You spend 20 minutes of your time and get a personalized report for your organization detailing where you are and what needs to be done to improve your bottom line with enterprise risk management. Taking a page from Al Gore, no more excuses on how to take your ERM program to the next level. Remember, your career and your company will stand accountable for your failure to act.

  • The Institute of Internal Auditors: A champion of ERM

    At the recent Institute of Internal Auditors (IIA) event “2007 Risk and Control Conference Featuring Governance, Risk, and Compliance”, one of four tracks was dedicated to Enterprise Risk Management (ERM). The role of internal audit has gained in stature as a result of the financial reporting scandals in the past five years. However, internal audit has seen its time become overly focused on the risks of misstatement of financial reporting. The message at the conference, “Back to Operational Audits”, resounded loud and clear. ERM provides the path to return to operational audits while maintaining the financial reporting compliance achievements without adding resources or work. The Internal Audit function is increasingly championing ERM as one of its priorities.


    Conference attendees could be frequently heard discussing the new Sarbanes-Oxley guidance pertaining to section 404, called Auditing Standard 5 (AS5). AS5 prescribes ERM, a top-down and risk-based approach, as the way recommended by the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) to increase efficiency and effectiveness of financial reporting compliance. External Auditor fees have risen dramatically since 2002, and conference attendees are recognizing that much work needs to be done to apply this new guidance and ERM to reduce the burden to their businesses. In the session “SOX Controls Rationalization – Better Coverage, Less Effort”, Beth Kaplan at Deloitte & Touche remarked that companies up until now have not done risk assessments well and that in the past controls and risk were not linked as they should be. Her client, James Brigham, Vice President of Internal Audit and Asset Protection at PETCO Animal Supplies, commented in that same session that the risk owners, who are in the operational areas, are critical to get involved. Jim lamented that SOX software today “is weak on assessment capabilities that are both graphical and intuitive to make it easy to engage and involve front line management. Assessment quality is all about asking the right questions and focusing on the process directly with the process owners.” When asked how PETCO became committed to ERM while so many other companies have not yet made progress, Jim mentioned that PETCO recently pulled product off the shelf from 900 stores for contaminated pet food. This was a wake-up call for ERM and he was hired to initiate ERM at PETCO. Jim further remarked that “it is sad that companies have to get burned before they appreciate the significance of what ERM has to offer. This can also be seen with the recent embargo of Chinese products with pollutants. Retailers are in tough shape sourcing a lot of the products and not dealing with the problem until it already happens. ERM is about getting ahead of the problem and preventing it from happening.”


    It seems sometimes that compliance gets people’s attention because it is perceived as doing what is required. However, this view has been getting corporate America into trouble. According to keynote speaker Rushworth Kidder, President of the Institute for Global Ethics, 15% of the population is dedicated to compliance, which is destroying our economy. Rushworth made the case that better corporate governance is a key to reducing the compliance burden. Rushworth presented his research on how lapses in ethics may be the canary in the coal mine and a key indicator of more insidious and material weaknesses throughout the enterprise. Rushworth's message was that a strong governance-based approach is a more effective and efficient way to achieve results than a compliance approach that focuses primarily on controls.


    If you are an Internal Auditor focused on business value, the risk manager is your new best friend, as ERM solves the following Internal Audit headaches:

  • Independence: Many Internal Audit teams are burdened with doing risk assessments in order to gather the information they need to perform their duties. ERM facilitates accountability and helps identify the owner of risks and prescribes an infrastructure and process for them to do their own risk assessment.
  • Audit Plan Coverage: Internal Audit teams are resource constrained, and their discretionary internal audit time typically covers only 5 to 10% of the enterprise in any given year. Management input often consists of hallway conversations or emails, leaving the Internal Auditor with insufficient information to prioritize resources. ERM provides common enterprise-wide evaluation criteria, an information gathering process and standardized scoring criteria so that any and all risks from any business area can be compared objectively and resources can be matched accordingly.
  • Communications: ERM eliminates the redundancy due to ove