With risk management, long paid lip service but given no real clout, singled out as one of the culprits in the financial crisis, many companies in 2009 aim to make risk management a daily function of good governance. And since a new Congress and president both promise increased regulation, companies should expect to deal with risk management on Washington's terms. "We're going to see a world where accountability for risk management is spread throughout the organization, within all the functional areas of the company," says Pamella Easley, enterprise risk management (ERM) practice leader for accounting, tax and business consultancy RSM McGladrey. Risk management goes beyond "working with regulators on things like Sarbanes-Oxley and handing in forms on time," she says.
The chief risk officer's (CRO) job will evolve from what was mainly a focus on regulatory compliance to include across-the-board oversight of everything from Sarbanes-Oxley to credit risk to business continuity. CROs are responsible for "making sure that everyone has an equal stake in risk management and is held accountable," Easley says.
Once buried in the organizational structure, the CRO "is being elevated to a more senior executive role," to work with other C-level executives to identify, manage and implement appropriate risk responses throughout the organization.
CROs will also become the "focal point between management and the board," says Easley. "They'll make sure that the board is educated about risk management procedures and work with the board to set the risk management agenda." Too many boards were overly focused on financial disclosure compliance and kept in the dark about their companies' risk exposures, she adds.
Meanwhile, as companies burn through federal bailout money, standards will be put in place for effective risk management, beginning with financial risk, including credit and liquidity risk, says John McLaughlin, senior managing director at SMART Business Advisory and Consulting LLC. He expects the Securities and Exchange Commission will enforce these standards, just as rigorously as it does Sarbanes-Oxley.
The international Basel II Accord, which requires banks and financial institutions to set aside capital to cover financial and operational risk and which global U.S. banks are already following, provides a good basic framework, says Richard Spillenkothen, head of Deloitte & Touche's banking and finance regulatory practice and a former director at the Federal Reserve. SMART's McLaughlin notes, however, that Basel II wasn't very effective in averting the financial disaster.
It still comes down to individual companies, says Erik Petersen, vice president of information at security services provider SecureWorks. "Risk analysis isn't done very well because most organizations don't have the technical skills in house to quantify threats and probabilities very well."