Terzuoli, it must be pointed out, works for a firm that offers ERM services, charging substantial fees to help companies identify risks, quantify them, and so on. Other insurance brokers also see ERM as a fruitful market, as do audit firms and consulting firms, many of which are competing to facilitate the risk scorecard/matrix process at the behest of their clients.
Given the tepid response accorded ERM before Sarbanes-Oxley, the service providers are remarketing their ERM practices to capture the marketing cachet offered by the new governance and accountability provisions. “The stick is Sarbanes-Oxley,” says Terzuoli.
Ted Senko would agree. “Since the assessments a company performs are ultimately reflected in the corporate financial statement, organizations can benefit by viewing this compliance process as a risk-management exercise,” the KPMG LLP partner says. “Companies that execute their internal-controls assessment within the framework of an enterprisewide risk-management program can help ensure the integrity of their financial statements and preserve investor confidence in the company’s economic sustainability.”
How Peabody Recast Risk
The system Navarre installed at Peabody offers a good example of a best practice in ERM. He polled more than a dozen executives, from the C-level suite down to departmental managers, to extract what each believed were the risks challenging their respective areas of oversight.
The varied risks cited fell into four categories — operational, financial, strategic, and IT. Once the risks were captured on a scorecard, Navarre and his fellow risk overseers in treasury, operations, and the various departments calculated the expected probability of each risk in terms of frequency and severity. “For instance, the likelihood of a business interruption is low, but the severity of that event, in terms of monetary risk, would be off the charts,” says Navarre. Peabody arrived at this quantification via a mixture of experience, intuition, and research, he says.
Using risk-mapping software developed internally, the group then plotted the risks on a PowerPoint risk matrix — a template depicting low-level infrequent risks in the bottom left quadrant, and the risks presenting the greatest threat of frequency and severity in the top right quadrant.
Once a risk is plotted in the matrix, it is color-coded to indicate how it has been addressed: red indicates that a risk has had little or no transfer; blue indicates that a risk has been transferred; and a partial risk transfer, such as workers’ compensation, is in green, showing that Peabody is partially self-insured in this regard. “You don’t want to see something red in that upper right-hand quadrant,” warns Navarre.
Drill down on a particular risk and a detailed analysis of that risk emerges: its relative importance in the risk hierarchy, how (or whether) it is transferred or mitigated, and whose responsibility it is to manage the risk.
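The scorecard, matrix and color-coding described above reduce to a small amount of logic, and it is worth seeing it written out so the "red in the upper right-hand quadrant" check is unambiguous. The following is an added illustration, not Peabody's internally developed software or anything from the article: the 1-to-5 scoring scale, the threshold of 3 that defines the "high" half of each axis, the product-of-scores ranking, the field names, and the four sample risks are all assumptions constructed for the example.

```python
from dataclasses import dataclass, asdict

# Assumed scoring convention (not from the article): frequency and severity are
# each scored 1 (low) to 5 (high); a score of HIGH or above counts as the "high"
# half of that axis, so a risk high on both lands in the top-right quadrant.
HIGH = 3

# Color coding as the article describes it: red = little or no transfer,
# blue = transferred, green = partial transfer (e.g. partially self-insured).
TRANSFER_COLOR = {"none": "red", "partial": "green", "full": "blue"}


@dataclass
class Risk:
    name: str
    category: str      # operational, financial, strategic or IT
    frequency: int     # 1..5, how often the event is expected to occur
    severity: int      # 1..5, monetary impact if it occurs
    transfer: str      # "none", "partial" or "full"
    owner: str         # who is responsible for managing the risk


def quadrant(risk: Risk) -> str:
    """Place the risk on the matrix: frequency on the x-axis, severity on the y-axis."""
    horizontal = "right" if risk.frequency >= HIGH else "left"
    vertical = "top" if risk.severity >= HIGH else "bottom"
    return f"{vertical}-{horizontal}"


def color(risk: Risk) -> str:
    """Color the plotted risk by how much of it has been transferred."""
    return TRANSFER_COLOR[risk.transfer]


def score(risk: Risk) -> int:
    """Assumed importance measure: frequency times severity (higher is worse)."""
    return risk.frequency * risk.severity


def rank(risks: list[Risk]) -> list[str]:
    """The risk hierarchy: names ordered from most to least important."""
    return [r.name for r in sorted(risks, key=lambda r: (-score(r), r.name))]


def red_in_top_right(risks: list[Risk]) -> list[str]:
    """The condition Navarre warns about: untransferred risks that are both
    frequent and severe.  Returns the offending risk names."""
    return [r.name for r in risks
            if quadrant(r) == "top-right" and color(r) == "red"]


def drill_down(risk: Risk, risks: list[Risk]) -> dict:
    """The detailed view behind one cell of the matrix."""
    detail = asdict(risk)
    detail["quadrant"] = quadrant(risk)
    detail["color"] = color(risk)
    detail["rank"] = rank(risks).index(risk.name) + 1
    return detail


# Constructed sample register; scores and transfer status are illustrative only.
REGISTER = [
    Risk("business interruption", "operational", 1, 5, "full", "treasury"),
    Risk("workers' compensation", "financial", 4, 2, "partial", "HR"),
    Risk("stricter environmental controls", "strategic", 3, 4, "none", "legal"),
    Risk("data centre outage", "IT", 2, 2, "none", "IT operations"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:34} {quadrant(r):12} {color(r)}")
    print("hierarchy:", rank(REGISTER))
    print("red in top-right:", red_in_top_right(REGISTER))
    print(drill_down(REGISTER[2], REGISTER))
```

Run as a script it prints each risk's quadrant and color, the ranked hierarchy, the list of risks that fail the "no red in the top right" check, and the drill-down for one risk. The business-interruption entry mirrors Navarre's own example: low likelihood, severity "off the charts", so it sits in the top-left and is blue because it is insured; the uninsurable environmental risk is the one that trips the check.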
Governance risks posed by Sarbanes-Oxley are managed by Peabody’s active board of directors and by audits, a code of business conduct, and a comprehensive set of controls as mitigations, says Navarre. Although such regulatory risks as stricter environmental controls cannot be insured, he notes that even these risks are mitigated, in this case through lobbying efforts.