Fear Factor

Sarbanes-Oxley offers one more reason to tackle enterprise risk management.

Rick Navarre wanted the audit committee at Peabody Energy to know exactly how he is managing risk at the company. As Peabody’s CFO, Navarre developed a comprehensive methodology for analyzing and quantifying risk, in large part to educate the audit committee about all the risks confronting the $2.8 billion St. Louis-based producer and distributor of coal.

Although Navarre developed this methodology prior to the passage of the Sarbanes-Oxley Act of 2002, he notes that “under Sarbanes-Oxley, the audit committee is mandated to understand how we assess and handle the risks confronting the company. I wanted them to be comfortable that we had identified each and every risk we face and prescribed specific risk transfer and mitigation strategies for those risks we did not want to retain.”

Navarre’s approach to risk management illustrates the difference between traditional risk management and enterprise risk management (ERM). Traditionally, operational and strategic risk management have been static — an examination of risks as they were in January 2003, for example. “You know where you were three months ago, but now it’s April and you don’t have a clue about your risks until the next audit,” explains Frank Terzuoli, senior vice president of business-risk consulting at New York-based insurance broker Marsh Inc.

Traditional risk management works best on financial and hazard risks — the risks that are transferable. ERM, by contrast, stresses the management of operational and strategic risks. “A bank’s operational risk would be its back office, in terms of how its payments are made and its credit-underwriting processes in terms of how it makes loans, monitors credit, and ensures repayment of loans,” says Terzuoli. “A manufacturer’s operational risk would involve the manufacturing process and the processes embedded in building ideas. While traditional risk management requires more accounting-type skills, ERM requires skill in strategic planning, process reengineering, and marketing.”

What Peabody Energy and a few other pioneering companies have undertaken is a risk-management discipline that extends beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputational, regulatory, and information risks. Some companies, like Agricore United, a Canadian agricultural-services firm, have been using ERM for several years now. Other companies have found ERM useful in theory but tedious in practice, and have resisted the effort and expense.

That may change, following passage of Sarbanes-Oxley and its stricter corporate-governance and accountability provisions. Although the act doesn’t say anything about better risk management, more robust risk-reporting would seem to provide more assurance to anxious audit committees, and to CEOs and CFOs who must now certify financial statements.

The devil is in the details — translating the implications raised by the act into actionable items. “[Sarbanes-Oxley] certainly talks a lot about risk transparency — the risks you know that are not shared with other stakeholders, particularly investors,” says Terzuoli. “While hiding this information was never acceptable, [the act] affirms that it definitely is not acceptable. As for the risks you should have known about but didn’t, [the act] obligates companies to uncover them through a process that is rigorous enough to ensure a reasonable chance of uncovering them. This is implied, not specific. Still, wise companies believe the effort is worth it. And ERM is a methodology to get there.”
