Enterprise Risk Management
Treasury can bring a lot to efforts to implement enterprise risk management
By Ann Lubart
By conventional measures, there were no extra resources in Symantec Corp.'s treasury—or anywhere else at Symantec, for that matter—to accommodate an entire new initiative, let alone an initiative like enterprise risk management (ERM), which requires a company to reevaluate not only the way it approaches risk mitigation but also how it defines risk itself. Still, Symantec's assistant treasurer and director of finance, Rossini Zumwalt, didn't hesitate for a second when she was tapped to become a core member of the company's global risk council. In Zumwalt's opinion, the key to tackling ERM is not canvassing the board of directors for lots of extra money to hire consultants or buy heavy-duty analytics; the key is making the risk management experts you have in the company—often managers in treasury, operations or information technology—redefine their mission. "ERM is a big word, but you don't need to be extreme," Zumwalt says. "We're starting where it's more appropriate and more cost effective—engaging people to think beyond what they know as risks."
Zumwalt is one of a cadre of treasury people at large and midsize companies being called upon these days to help map out their organization's ERM strategy. While treasury is unlikely to be the final home for ERM at most companies—including Symantec—Zumwalt and other strategically minded treasury executives recognize that treasuries need to be knee-deep in the effort, whether or not they think they have the resources. Why? Because enterprise risk management is en route to becoming a defining strategy for larger concerns. If treasurers want to hold a pivotal role in their company's future course, they have to be players. "The influence of ERM on how companies manage risk in the future will be so large that I suspect in 10 years we won't even be using the term enterprise risk management," says Stephen Baird, a Chicago-based project manager for Treasury Strategies Inc. "It will have become so ingrained that it will become simply part of the fundamentals of good management. I think we are in a comparable situation to quality management in the 1980s."
DEPARTMENT WITH A VIEW
Baird notes that treasurers need to play a leadership role in ensuring that ERM does not become simply a burdensome exercise in risk compliance. While risk compliance is a process of identifying, tracking and mitigating risk, says Baird, strategic risk management is a process of applying a high-level analytical framework to understand the composition of a company's risk. The former is a tactical approach that misses the connections between risks, addresses risks individually and overlooks some risks entirely. The end result of a successful execution of the latter can be determining the most value-added strategies for accepting, transferring or mitigating risks for an entire enterprise. "Treasurers are better equipped than anyone in the organization to develop and apply these frameworks," contends Baird.
But not all of Zumwalt's colleagues are seizing the opportunity. "Chasms are opening up between treasurers fulfilling their duty on internal controls," says Craig Jeffery, managing director of Atlanta-based treasury consulting firm Strategic Treasurer. "A lot are abdicating more than they should."
That is certainly not the case with Jennifer Ceran, treasurer of eBay Inc., who recognized the growing importance of risk assessment even before ERM suddenly became something companies knew they needed to be talking about. To effectively deal with the conventional risk areas under treasury's domain, including insurance, Ceran argues that treasury needs to understand the broader risks and their interdependencies. She contends that playing a principal role in the company's ERM initiative will help treasury better manage its traditional role of risk mitigation and make treasury more strategic. "We didn't hire a risk manager to buy insurance," she says. "We wanted someone to understand our risks and determine the best solutions to manage that risk. [The] single metric for performance is to reduce the long-term total cost of risk for our company."
PROACTIVE, NOT REACTIVE
Ceran found that risk manager in George Redenbaugh, director of corporate risk management at eBay since mid-2003. "Organizations measure themselves on their ability to perform crisis management," Redenbaugh says, but he contends that it's better to avoid crises than to have a process to react to them. He observes that in some companies, "as audit and Sarbanes-Oxley teams drive the ERM initiative, the risk manager is being left out. The sole job [of the risk manager] is to manage residual risk, and the function gets marginalized." But for treasury, the risk of irrelevance has an immeasurable cost, he says.
Given the regulatory pressure and importance placed on controls, Tarek Anwar, senior vice president for global treasury management at Bank of America Corp., agrees that treasury's involvement in ERM is essential and that treasury is already well positioned, having cultivated internal business partners: "An ERM [framework] should tie directly to the stability of financial performance and send a strong signal [of assurance] to investors and other stakeholders. I see ERM as a natural extension of treasury's responsibility for protecting corporate assets and the treasurer's role as one of change agent and catalyst."
Anwar views ERM as a way to institutionalize best practices across the organization. "Rather than relying on a hero culture, good leadership should enhance the structure," he says. "Treasury is an excellent starting point for an ERM initiative."