Risk Management Reports

In peanut butter, as in life, we encounter lumps and smooth parts. The lumps are invariably the most interesting. So it was at the annual General Audit Management Conference of the Institute of Internal Auditors, held in Orlando, Florida, on March 21-23. The lumps that commanded the attention of the almost 600 paid registrants were those produced by the Sarbanes-Oxley Act, the new law and regulations that affect all public companies in the United States plus many foreign companies traded here. Of the 47 sessions, including pre- and post-conference workshops, fourteen sessions explicitly mentioned this new law and many of the others addressed it parenthetically. It dominated the discussion in Florida, just as the new Basel II Accords dominated the GARP (Global Association of Risk Professionals) annual conference in early February. Regulators, auditors and consultants all tried to dissect the importance of the regulations, their effects and costs, and how best to respond. Given this new Washington ogre, internal auditors are scrambling to assure compliance and to create the needed controls. It even submerged enterprise risk management, a favorite topic in prior years, as "governance" and "compliance" become the prevailing buzzwords. Despite this, I saw strong evidence that risk management thinking has successfully infiltrated the general processes of the internal audit profession. This is the most promising development.

This year´s GAM started inauspiciously with a presentation labeled "Ethics-Based Leadership." What I heard was a motivational comic monologue filled with one-line jokes- a paean to the self-importance of the speaker-that shed little light on a critically important topic. Anyone who sports five sets of initials after his name (none of which I recognized!) creates an immediate aura of suspicion. It sounded like a sales pitch for his consulting services more than a contribution to our understanding of the importance of ethical behavior these days. Warning to conference organizers: these kinds of "motivational" speakers may handle themselves well on stage, but they inevitable demean the intellectual content of a conference.

Following that poor start, GAM immediately improved. Charles Niemeier, of the new Public Company Accounting Oversight Board, in Washington, reminded the audience of the initial Federal government securities acts in 1933 and 1934, responding to the first major market crisis. He warned that the old system embodied a checklist approach, creating an illusion of a safety net that did not exist. He sees Sarbanes-Oxley as a return to basic issues and concerns, a new "willingness to challenge accepted norms," something essential to improving the system. His organization, an offshoot of Sarbanes-Oxley, is focusing on five key issues for the accounting profession: creating a new "tone at the top," revising partner compensation, assuring accounting firm independence, requiring client acceptance of reforms, and, most important, continuing interaction with non-US affiliates making a global firm operate under the same standards. He acknowledged that, in the past, accounting standards in the United States have been "rule-based," in contrast to the "principle-based" global standards.

Yet the approach of Niemeier and the PCAOB seems overly negative-trying to avoid major accounting pitfalls and disasters-with little recognition of some of possible favorable opportunities. This gloomy-Gus focus was echoed later by Joseph Atkinson, of PricewaterhouseCoopers, who summarized the ideas of COSO´s new ERM framework (see RMR December 2004). COSO limits itself by aiming only at "shareholder value" instead of the broader and more applicable "stakeholder value." It sees risk as a negative outcome, and it fails to stress the importance of stakeholder communication. The Atkinson presentation was fluid and intelligent but it failed to recognize COSO´s internal contradictions. Robert A Howell, a professor at the Tuck School of Business at Dartmouth College, issued a similar warning in CFO Magazine in March this year. He suggested that the Sarbanes-Oxley over-focus on compliance might inhibit the risk-taking necessary for continued growth. He concluded: "Once people have confidence that their systems are all that they need to be, then you´ll be able to take greater (my italics) risk and know that you can assess the impact of the risk that you´re taking."

Three other sessions gave me new insights into current issues. Daniel Langer, a consultant with Jefferson Wells, shed light on some of the risk issues connected with executive compensation, something that most risk officers approach with utmost caution! Too much time is spent on approving the pay numbers, contracts and agreements and too little on the effect of excessive executive compensation on stakeholders and reputation. Public perception is the most important driver. But are those responsible for risk management ready to attack the compensation issue? Thomas Marshall, manager of Enterprise Risk Management at First Energy Corporation, described his firm´s approach to ERM, already a four-year effort. He helped create a new risk infrastructure, a culture of risk awareness, a common methodology for risk measurement and, finally, an ERM function that serves as First Energy´s "risk advocate." He also described one way to produce a tangible benefit: showing a cumulative distribution of risk (both plus and minus), before an after responses, showing a reduction in the likelihood of outlier (extreme) events. He described in detail one example, using weather hedges for tornado damage. While Marshall´s presentation was excellent in describing ERM in practice, I had the nagging feeling that, somehow, First Energy might overlook some systemic risks in its emphasis on the more conventional operational and financial risks. Finally, Byron Hollis, the National Fraud Director of Blue Cross/Blue Shield, offered a frightening description of the magnitude of fraud loss within our national healthcare system. About 70% of all fraud cases involve medical practitioners, and only 18% involve patients (subscribers). The annual cost of fraud in the United States ranges from 3% to 10% of the total cost of healthcare ($1.9 trillion in 2004), or as much as $180 billion. Two problems are that most anti-fraud activities are reactive, not proactive, and that the system must deal with multiple participants who have radically different interests: the medical practitioners, the insurers, the employers who finance many of these programs and the subscribers/patients. Fraud is a monumental problem.

As usual I try and review some of the technical management factors for conferences. GAM 2005 reported over 750 participants, who whom 587 were paid registrants and 56 were speakers. The IIA also reported 29 exhibitors and nine sponsors. Of the speakers, 25 were auditors, 22 were vendors and 9 represented government, academia and regulators. The IIA produced a first-rate booklet that included brief bios on all speakers, plus a CD with copies of almost all the presentations. It was also one of the best-organized sessions I´ve attended.

From studying the registration list, I uncovered an unusual fact: over 10% of the paid registrants (61 of 587), came from one vendor, the consulting firm of Protiviti. I´ve never seen this dominance of one vendor at any risk management conference.