When the board of Pepco Holdings Inc. emerged from a planning retreat earlier this year, it had decided to revamp the Washington D.C.-based electric utility's management structure. The aim was to use enterprise risk management to put a sharp focus on strategic planning.

At the time, Andrew Williams was the company's CFO, a post he had held since the start of 2001. But when the Pepco board determined that it was time to get a grip on risk, it also decided it needed a chief risk officer (CRO)–a new position for Pepco that would manage risks that could derail the utility's long-term strategic initiatives–and Williams would be moved into the job. "We've identified all of the different risks associated with each of our strategic planning initiatives and created a strategic risk dashboard which is color-coded so the board can see where we're most likely to encounter an adverse event," Williams explains.


Even though, as CFO, Williams already supervised Pepco's more traditional risk management, the risk revolution at Pepco not only rerouted Williams' career, it pushed the role of CFO back into the more tactical domain of treasury operations, day-to-day cash management, equity and debt financing, shareholder services and financial reporting. While the finance organization may be more important to Pepco on a day-to-day basis, the board's actions clearly signalled that it would be the CRO and the risk organization that serve as the lens through which the company sees its future.

Should CFOs worry–or salivate at the possibilities?

Proponents of enterprise risk management have been predicting for years that the discipline would revolutionize the way that companies respond to threats and opportunities. Outside of the financial sector, the discipline has been slow to take root–but now amid a heightened awareness within the business community about the need for a holistic perspective on risk, ERM's more likely adoption is portending a shake-up of the corporate org chart that is often as radical as the changes ERM promotes in risk management practices. Until recently, there was no question that the province of risk resided in the CFO's office. But with an ERM view of business, there is a much broader role for the owner of the risk function–one that at some companies has prompted the creation of a CRO who reports directly to the CEO or board. "Finance executives have an important role in helping companies understand and manage risk, but they should not be viewed as the sole fiduciary of a company's risk," says Miles Everson, a partner at PricewaterhouseCoopers LLP and principal author of the framework document on ERM that was published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). "What is important is to step back and look at the various responsibilities that need to be carried out to both manage risk and ensure that the risk management process has proper oversight. Essentially everyone on the executive team has a role."

That's certainly the message of the COSO enterprise risk management framework, released in late September. A three-year project that incorporates and builds on the group's widely influential internal controls guidelines released more than a decade ago, the new framework includes eight general guidelines on areas such as objective setting, event identification and risk assessment to help a company establish an ERM strategy or improve on an existing one. "There was no commonly understood base of knowledge of what ERM was, not unlike internal controls prior to the release of that framework," says John Flaherty, COSO chairman and former vice president and general auditor of PepsiCo Inc. "The terms meant different things to different people."

The COSO report also emphasizes the role of financial executives in ERM activities, given that they control much of the flow of key financial data and technology necessary for accurate and timely risk management assessments, especially at larger companies. But the group failed to provide specific guidance on whether a CRO is necessary or whether the CFO should be the place where the buck stops on risk.

The issue has come to the forefront with recent revelations about accounting policies and financial reporting at Fannie Mae, the home mortgage financing group. Among the criticisms was the fact that Fannie Mae's CFO Timothy Howard also oversaw corporate risk management. "The concentration of these responsibilities in a single person does not provide the independence necessary for an effective chief risk officer function," said Armando Falcon, Jr., director of Fannie Mae's regulator, the Office of Federal Housing Enterprise Oversight, in recent congressional testimony. Among the recent reforms Fannie's board agreed to was the appointment of an independent chief risk officer.

Even so, Tom Dowling, the CRO at advertising giant Interpublic Group of Cos., says it's too early to conclude how enterprise-wide risk structures will evolve at companies or whether the COSO framework will become a de facto ERM standard. And even though Interpublic believes it is the only advertising company to have appointed a CRO, Dowling is convinced that his company is headed in the right direction. "We want to build a model that helps the company understand all of its risks," Dowling says. "ERM is about achieving a granular understanding of the risks and opportunities arising from your business."

Interpublic's search for an answer began in 2002, when it uncovered intercompany billing problems within its largest unit and launched an in-house review. (Subsequently, the SEC launched an investigation of financial controls and accounting practices at the company.) Interpublic's internal review produced two key recommendations: The company should tighten up its financial controls, and it should try to capture all of its potential risks and opportunities by centralizing risk management.

At the same time, passage of the Sarbanes-Oxley Act was pushing Interpublic and every other public company in the U.S. in a similar direction, resulting in what Dowling calls "an intense focus on internal controls and risk management." Interpublic created the CRO's post to give its drive an organizational leader–a point person on risk, so to speak–and Dowling, then senior vice president for financial administration, moved across the hall to take up the responsibility, just as Pepco's Williams did earlier this year.

But while Sarbanes-Oxley may have been a force behind the creation of the CRO position at Interpublic, the act, which anointed the CEO and CFO as the two executives responsible for certifying the accuracy of a company's internal controls, has also been the key driver behind the expanding power base of the CFO. "It's really only the CEO and CFO who are risking jail time, and that binds them together in a major way," says Laurence Stybel, vice president of Boston-based Board Options Inc., a career services firm for board-level executives. For this reason, many predict that CFOs will be wary, if not downright ornery, about handing over the reins on risk, and the CEO is unlikely to force the one person in the organization who shares his or her regulatory role to do so.

AT HEART, IT'S FINANCIAL

CFOs also still own the most significant risk faced by a business enterprise–financial risks, which many would argue compose the heart of every risk for a profit-making organization. "Part of the risk management process is making sure there is a strong balance sheet and understanding the inherent volatility in reported earnings. Nobody would know that better than the CFO," says Frank Sabatini, a partner in the insurance and actuarial advisory services department at Ernst & Young LLP. According to Sabatini, it's often "CFOs [who] are driving the evolution of ERM within their respective companies."

At trucking company Yellow Roadway Corp., the CFO was the prime mover in changes that saw internal audit folded into an expanded risk management mandate, notes Dan Churay, the company's CRO and general counsel. "He wanted to ensure that there was some distance–that internal audit would have the independence to act as a real check and balance on internal controls–so it became part of the risk function."

Now, while internal financial controls are owned by the finance department, and the CFO is responsible for sign-off under Sarbanes-Oxley, it is a risk management responsibility to test the controls and, more generally, to get the company geared up for the new regulations, says Churay.

The other responsibilities that fall under Churay's umbrella are "all those functions which were 60% or more to do with risk management," he says. In practice, that means the legal department, liability claims (a fairly active department because of the company's vast fleet of vehicles), workers' comp, general insurance and corporate audit.

Over and above that, Yellow Roadway's risk management group has a responsibility at the corporate level to monitor how the company's different pools of risk influence each other and also to look out for risks that wouldn't traditionally be captured by any of the pre-existing departments.

It's this kind of underlying philosophy that should determine how companies reform their organizational hierarchy, says Robert Vettoretti, a director in advisory services with PwC in New York. "You have to align your corporate structure with your risk management aims. If risk management is seen as a purely defensive function, that might argue for the formation of a new committee. But if you want risk to play a broader role, that really requires the creation of a dedicated group–which could be located within treasury or strategic planning–to facilitate risk measurement."

SURROGATE CRO

The broader role that Vettoretti has in mind is one in which ERM is seen as a way of aggregating a company's traditionally dispersed buckets of risk information and harnessing it to get a firmer grip on strategic planning or performance measurement.

AMEC plc, the UK's largest construction company, has adopted this facilitative approach to risk management as well. Here again, risk used to be the responsibility of the company's CFO, but the risk management reporting lines now terminate at the commercial director, says Kate Boothroyd, AMEC's head of risk management and internal audit. Now, it's Boothroyd and the commercial director who present a profile of AMEC's risks to the board twice a year.

Boothroyd insists that she isn't a CRO: "We discussed that kind of role here and decided that it wasn't needed." But she is the managerial focal point for the reporting of risk at the executive level and bears the responsibility of reporting to the board. "I think 'risk manager' is a misnomer," she says. "I don't manage the risks–it's up to the businesses to manage the risks. What we're here to do is to provide assurance that risks are being monitored and managed."

If that sounds like a limited mandate in some ways, in others it is incredibly ambitious: The array of risks that Boothroyd is responsible for monitoring includes "worrying about having the right staff and making sure they're safe, risks to do with the treasury function and tax, especially when we work in all sorts of regions around the world–risks related to mergers and acquisitions, strategy, internal and external communication, financing risks, investor relations and ethics."

Moreover, unlike most nonfinancial companies, AMEC makes an attempt to introduce some comparability into its risk management assessments, and ties that in to its decision-making process. All new projects are scored in terms of the probability and impact of the risk involved. As the level of risk escalates, so does the decision-making responsibility, culminating in a board-level risk review committee.

PwC's Vettoretti says that defining the scope and structure of the risk function is "a challenge" for nonfinancial companies. "If you opt for a CRO, how do you define the role and how does it relate to the existing organizational structure? You need to decide how it differs from the office of environment, health and safety, how it differs from the general counsel's office. Different companies will have different answers."

That may be true, but the new approaches to risk are dramatically distinct from what went on before, and they have certain things in common. At the root of all these risk overhauls is the fundamental belief that companies stand to benefit by aggregating the management and oversight of risk at the corporate level. Responsibilities that used to reside elsewhere now reside with an evolving risk function. It may be taking longer than some had predicted, but ERM is changing the way that companies work and may transform CFOs into CROs–if not in name, then certainly in how they operate.

–John Labate contributed to this article

© 2025 ALM Global, LLC, All Rights Reserved.