Are We Focusing on the Risks That Matter?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
What are the risks that could cause the demise, or at least a significant drop in the share value of an enterprise?
Are those risks given significant attention by the board, executive leadership, risk management, and audit professionals?
Here are a few such risks, taken either from recent news or personal observation/experience:
- A dysfunctional board: for example, a board that doesn’t challenge the executive team. Reasons could include: a lack of information; timid directors; insufficient independence of the board; directors who don’t allocate sufficient time to the company’s affairs or even skip meeting; or, directors that don’t have an adequate understanding of the company, its strategies, and the risks to those strategies. See this earlier post on board effectiveness.
- A bully of a CEO (as described by Lord Smith of Kelvin in his speech to the IIA International Conference last year). It is interesting that the report of the Group of Thirty observed that “a very good CEO is preferable to a ‘star’ CEO”. I worked at one multi-billion dollar company where the CEO encouraged competition among his direct reports rather than teamwork. So, instead of sharing information and working together, they hid information and schemed against each other.
- Ineffective risk management. If risk management is immature or, even worse, the organization complacently accepts as sufficient a program that only considers risk on a quarterly basis, they are flying blind and it’s only a matter of time before they fail. A study by COSO reported that “the state of ERM appears to be relatively immature. Only 28 percent of respondents describe their current stage of ERM implementation as 'systematic, robust and repeatable' with regular reporting to the board. Almost 60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos."
- Insufficient information to make decisions. For example, if executives cannot access the information they need when they need, and in a form that is not only reliable but useful, how are they going to make quality decisions?
- A dysfunctional executive team: for example, where the executives are working to feather their own nests rather than the long term future of the organization, or where one or more executives are ineffective. I worked at one company that, in the middle of a revenue contraction and layoffs, spent more than a million dollars refurbishing the top executive offices. They later gave each other millions of stock options — during a period where the company slipped from #1 in the market to #3. You can only imagine what this did for employee morale and trust.
- Another example or version of the dysfunctional executive team is where the CEO is unable to lead. I worked under one CEO who was ignored by his COO, to the point that the COO called him "stupid" in front of the other executives. The CEO proved that the COO was right by refusing to fire the COO when requested to do so by the board! (They were both fired, but the company failed within a few years anyway.)
- A CEO who does not have the trust of the board. Experience shows that the CEO can start behaving irrationally to prove his or her worth.
- A poor strategic planning process. In a report from last year, McKinsey reported that “only 21 percent of directors surveyed claim a complete understanding of their companies’ current strategy.” If the directors are unable to work with management to define effective strategies, what hope is there for success?
- Aging products, with a poor record and capability for delivering cost-effective and exciting products or services on time. Just consider the plight of RIM. Tie to this the related risk of disruptive competition that renders the company’s products obsolete. Consider Nokia’s experience: They had a 40 percent mobile phone market share — until the iPhone.
- A poor corporate culture. There are many varieties of this, such as one that is either too cautious and risk adverse or takes on a reckless amount of risk. Other varieties include: the organization does not pay sufficient attention to employee safety, disregards regulatory compliance obligations, does not pay attention to ethics, or fails to oversee its extended enterprise (and suffers significant reputation loss when incidents hit the news — such as with Apple and Levi’s).
Each of us could probably add to this list from our own experience of reading of the news.
But, the question remains. Are the risks that could sink the ship given sufficient attention? Are the risks levels understood and have sufficient actions been taken to address them?
Posted on Apr 29, 2012 by Norman Marks
Share This Article: