That scrutiny takes many forms. The Dodd-Frank Wall Street Reform and Consumer Protection Act establishes new requirements for board risk oversight and reporting. Rating agencies, led by Standard & Poor’s, now factor ERM criteria for financial and nonfinancial entities into the ratings process. The Committee of Sponsoring Organizations (COSO) rolled out COSO II (referred to by many as “COSO ERM”) in 2004 to establish requirements for risk identification, management, and reporting. And the Securities and Exchange Commission has sharpened its stance on risk management, creating a division in 2009 to, in part, create what Ristuccia describes as “new requirements for enhanced proxy disclosure on how a board is executing its fiduciary responsibility for risk oversight.”
All this activity should not escape the attention of CFOs, because, as Ristuccia notes, “while more companies are now appointing chief risk officers, many don’t have that position, and therefore responsibility for risk management ends up with the board and the CFO.”
Alliant Credit Union CFO Mona Leung can relate: her company is in the fourth year of an ERM implementation, and she has oversight responsibility for the effort. “My job is to ensure we have financial stability and minimum earnings volatility, meaning a fairly stable balance sheet and operating procedures,” says Leung. “To do that, we need structure. We need to manage risks at the enterprise level, which requires an integrated, high-level program. Otherwise, you end up with distributed risk management — different functional areas managing risk with no idea of overall risk tolerance or resource prioritization.”
At Country Financial, a group of U.S. insurance and financial-services companies, a properly structured approach to risk management hinges, in part, on having a director of ERM who reports both to executive vice president and CFO David Magers and to the audit committee of the board. The director oversees a 15-member ERM committee drawn from across the company. Their job is to identify, analyze, and model the top risks to the organization; work with Magers on mitigation tactics; and then monitor the effectiveness of those tactics.
“We have defined 10 categories of risk, such as reputational risk, strategic risk, market risk, competitive risk, and so on,” says Magers. “We do some pretty deep dives, especially when it comes to the black swans.”
The company turned the recent financial crisis into an opportunity. “As a big investor, we had significant market risk across a number of sectors,” he explains. “So [in 2008], we started doing some sensitivity analyses — ‘what-if’ scenarios involving downsides to our investment portfolio, such as stock prices falling to a certain level, or new regulations that might arise. We then determined how to mitigate those shocks. By doing that, we were better prepared for 2009, when things got really bad.” (Magers declined to elaborate on the particulars of Country’s tactics.)
At Alliant Credit, risk management is decentralized in some respects, but centralized in others. “Ownership of risks is functionally defined,” Leung says. “The investment group, for instance, has its own risk operations program, but all of these groups report up to finance, which then reports on the overall status to the supervisory committee of the board. Our next step will be to form a separate risk-management committee composed of leaders from other committees like governance, asset liability, supervisory, talent and compensation, credit, and the executive committee. We see this as the highest maturity for risk oversight and management.”