CSA Sentinel - The Institute Of Internal Auditors  


Volume 8 · No. 3 · October 2004

Leadership Through Progressive Enterprise Risk Assessment

Sherry Whitley
Executive Vice President
Enterprise Risk Assessment Group
Countrywide Financial Corporation
Calabasas, Calif.

Countrywide's strategic-planning process includes a companywide focus on managing risks.

In the wake of headline-grabbing corporate financial scandals, management and boards of directors of public companies are under intense pressure to increase their involvement in the strategic and operational activities of the companies they oversee. Executives at Countrywide Financial Corporation, a diversified financial services provider, reviewed various ways to provide a more focused, comprehensive approach to help their leadership teams identify and better manage business risk across the organization. In mid-2002, approaching risk with the goal of increasing shareholder value, Countrywide incorporated comprehensive enterprise risk-management techniques into its leadership strategy, focusing board participation on a more global, disciplined decision-making process than had historically been used.

Traditionally, Countrywide's business leaders viewed enterprise risk assessment (ERA) as a program to assess risk and allocate resources within the individual business units. Moving forward in 2002, management elevated enterprise risk assessment to the point that it became a premier tool for strategic planning. This new view goes well beyond the traditional risk mitigation processes used in many companies. 


The coordinated companywide risk-management process — commonly referred to as enterprise risk-assessment within Countrywide — reinforces the highest standards of corporate governance in the interest of shareholders, customers, and employees. To enhance the organization's planning process, key operational and corporate executives now use ERA to reach their goal of managing the organization's most critical risks to create greater value for the company. 

Traditionally, many companies have used a segmented governance structure. For example, the audit committee monitored the effectiveness of internal controls, the credit committee guided credit policies and limits, and the compensation committee set salary, bonus, and other compensation targets for key executives. Often these committees worked independently of one another. To initiate a more integrated governance structure, Countrywide's leadership team used guidelines of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued the initial standards for a corporate risk framework in 1992, defining enterprise risk management as a business discipline. In conjunction with COSO's recently released Enterprise Risk Management — Integrated Framework, the standards provide a uniform framework of integrated principles and a benchmark for enterprise risk-management processes. The new standard includes specific activities such as aligning risk appetite and strategy; linking growth, risk, and return; enhancing risk-response decisions; minimizing operational surprises and loss; identifying and managing all company risks; providing detailed responses to multiple risks; and rationalizing the allocation of capital.

The ERA leadership team chose this framework as the company's control model, setting a high-level direction to guide Countrywide's strategic plans. Through the realignment of risk-related activities, the use of proprietary state-of-the-art technology, and coordination with the company's strategic planning staff, ERA is being embedded throughout Countrywide.  


When initiating the ERA process, the leadership team assigned designated risk professionals throughout the company to develop a comprehensive risk framework using standard terminology and conditions across functional and corporate lines. Five key business units were designated as ERA champions, including the enterprise risk-assessment group, internal auditing, fraud prevention and investigation, corporate insurance, and regulatory and external relations. The managing director of ERA reports directly to the board's audit and ethics committee, in addition to administratively reporting to the company's president.

At the highest level, ERA leadership is primarily responsible for identifying risk, determining risk tolerance, and assessing efforts to manage risk companywide in a comprehensive, disciplined, and coordinated manner. These responsibilities include:

  • Supporting the business units in performing risk assessments.
  • Recording the risk-assessment measurements.
  • Coordinating the business-unit risk assessments with corporate strategic plans to ensure proper alignment.
  • Reviewing the various values-at-risk to identify areas that require additional focus.
  • Offering recommendations for improvement.

In addition, the ERA team meets regularly with the rating agencies and state and federal regulators to discuss the company's risk-management strategies and activities. The team also provides regular reporting on the progress and achievements of ERA risk management to Countrywide's board.

Highlights of ERA activity within the five departments include:

Risk Assessment. Under the guidance of dedicated risk professionals and using proprietary technology, the executive management of each business unit or subsidiary is responsible for identifying and managing risks that are specific to their area of operation. To create immediate buy-in, the process starts with each business unit performing a business risk self-assessment. This bifurcated arrangement allows a systematic approach to the business units and corporate functions so that they proactively assess and manage specific risks.

Countrywide uses proprietary ERA technology — Countrywide Organizational Risk Assessment Database (CORAD) — that provides a well-documented, centralized reporting mechanism to keep senior management fully informed of ongoing risks and the controls necessary to mitigate them. It provides senior management with the tools and information necessary to rationalize capital allocations, seize opportunities, and profitably manage growth, risk, and return. Once the CORAD review is completed for a business unit, the internal auditors conduct an audit of each business unit.

Internal Audit. The experience, objectivity, and training of Countrywide's internal audit team help support the company's ERA process. Under the program, Countrywide's internal auditors, while maintaining their independence, participate in strategic planning, new product development, and risk-response protocols.

They also maintain their traditional role of conducting risk-related audits for each business unit during which they evaluate the answers to questions, such as:  

  • Have all risks been identified for this unit?
  • Are these risks properly rated?
  • Are the controls sufficient to mitigate and control the risk?
  • Are the controls operating properly?
  • Is there an understanding of the interrelationship among the risks?
  • Have non-traditional risks been evaluated?
  • Do incentive and rewards programs affect risk management?

The internal audit team reports its findings and recommendations to the business unit, the risk-assessment team, and ultimately to the board, focusing on minimizing operational risk surprises and loss. 

Fraud Prevention and Investigation. In recognition of the increasing risk that a company faces from identity theft, data leaks, money laundering, wire transfer fraud, and the new phishing phenomenon, the fraud prevention and investigation team focuses on preventive and detective programs. Its mandate is to minimize operational risk loss and to participate in risk-response decisions.

Key initiatives currently under way for this team include creating a comprehensive fraud-training program for senior management — with special emphasis on new product leaders — risk professionals, and internal auditing. This team manages fraud investigations, ensuring appropriate coordination with law enforcement and legal counsel. Other duties in process for this area include managing a fraud hotline and developing consumer education programs that would serve as an early warning system for fraudulent activity targeting unsuspecting companies and consumers.

Corporate Insurance. Recently integrated into the ERA leadership team, the insurance group is responsible for negotiating and purchasing corporate insurance to minimize the adverse effects of accidental losses. Its aim is to protect company assets — including employees, property, and revenues — and to achieve a predictable and stable impact from insurable losses on corporate net earnings. Insurance risk management is critical to ERA, as it uses the risk data maintained on CORAD, as well as control weaknesses reported in internal audit reports and fraud-prevention and investigation reports to provide the business units with risk avoidance, risk transfer, and risk financing techniques to help them prevent and reduce losses.  

Regulatory and External Relations. Third parties, such as Moody's Investors Service and banking regulators, follow rigorous risk-assessment standards when assessing and rating a company. By meeting with the rating agencies and regulators to discuss Countrywide's corporate risk-management strategies, activities, and ERA program, the ERA leadership team not only champions the process, but it helps business units focus on comments and recommendations submitted by the third-party evaluators.  

In an increasingly complex business environment, incorporating ERA into Countrywide's strategic processes makes good business sense. Through a more innovative, holistic view of the enterprise, it provides a more cohesive, efficient use of talent to identify, assess, and manage risk that enhances strategic planning and provides more control to the company's business portfolio. Frequent communication of overlapping ERA elements companywide has enhanced the board's role and created a more focused opportunity for directors to lead the strategic-planning process with a clear view of the company's risk-reward formula. In the end, the expressed goal of achieving greater profitability and shareholder value is attained.

Sherry Whitley, executive vice president at Countrywide Financial Corporation, has practiced financial institution law for more than two decades. During her career, Whitley has served as legal counsel to the U.S. Office of the Comptroller of the Currency and has held positions in a nationally recognized law firm and a Big Four accounting firm.
