So, contrary to popular belief, the risk manager's job is not just to point out all the things that might go wrong within an enterprise or with a particular piece of business. It entails avoiding the pitfalls on the path to success. The IRM, part of whose mission is to educate risk managers, says the role includes:
- Setting policy and strategy for risk management across the enterprise
- Being the primary champion of risk management at strategic and operational levels
- Building a risk-aware culture in the organisation, including appropriate education and training
- Developing risk-response processes, including contingency and business continuity programmes
- Preparing reports for the board and stakeholders
"Risk management," the IRM concludes, "requires a detailed knowledge and understanding of the organisation and the processes involved in the business. As well as internal specialists, there are a huge number of different advisers and consultants providing support to an organisation's risk management programme. Because of this, risk management is a truly multidisciplinary profession."
The goal of risk management is that stakeholders - shareholders, customers, employees and suppliers - can have confidence that a business is being effectively managed and not simply complying with corporate governance requirements.
CLIMATE CHANGE RISK
"The findings, which governments have agreed upon, leave no doubt as to the dangers mankind is facing and must be acted upon without delay. Any notion that we do not know enough to move decisively against climate change has been clearly dispelled."
These disturbing words were spoken by Yvo de Boer, executive secretary of the UN's Framework Convention on Climate Change, at a conference in Paris in February. The blunt message that managers can take from this announcement is that they have to take action to identify, assess, control and avoid risks to their business posed by climate change.
The most obvious risk is that to property itself. The New Orleans catastrophe and flood damage to real estate in many parts of Europe, Asia and Latin America present chilling evidence of the effects of climate change. This poses an obvious threat to businesses with operations close to watercourses or in coastal regions. The immediate impact will be on the cost of property insurance.
"Companies need to think about not just the issue of the cost of insurance but also of reliability," says Andrew Dlugolecki, a research fellow at the Tyndall Climate Research Unit at the University of East Anglia and consultant adviser to the UN's Environment Programme. "Will the insurers, and their reinsurers, meet the claims?"
There are risks to energy supplies, as shown by the fact that oil rigs in the Gulf of Mexico were destroyed by hurricanes arising from climate change. In other regions, drought and water shortages may wreak havoc. The risk to business is always manifold, but climate change embraces quite a number of them. Second, there is the inherent reputational risk; that management failed to recognise the threats and did not impose adequate controls to deal with them.
SARBANES-OXLEY MARK II?
The Sarbanes-Oxley Act, alias the Public Company Accounting Reform and Investor Protection Act of 2002, has advanced the cause of risk management - but perhaps not entirely as intended. It may be about to get a second wind.
Putting public company CEOs and CFOs firmly in the firing line for failures in their companies' disclosures was one of the Act's achievements; stiffening the internal controls of publicly quoted companies was another. But after several years of living with it, the cost and general burden of compliance are now questioned. Many take the view that the legislation has driven companies away from listing on the US capital markets.
Now the discussion is about a better way to regulate public companies that achieves the same or even better goals without drowning the business baby in the regulatory bathwater. Many are looking at the approach of the UK's Financial Services Authority as a role model and the key is 'principles'.
US Treasury Secretary Henry Paulson has said publicly that a more principles-based approach to accounting would be preferable to a rules-based one. Others, such as the Public Company Accounting Oversight Board, are now inclined towards the same view. In addition, the Act is concerned overwhelmingly with financial controls; in comparison, the UK's Combined Code, which governs the disclosure practices of publicly listed companies, is concerned with the total risk management process.
So are we about to see the birth of son-of-Sarbanes-Oxley - a more holistic, principles-based regime? Many US regulated businesses will say this is not before time, though their advisors, lawyers and consultants may rue the loss of so many billable hours of work that the Act has brought them.