For those working in enterprise risk management (ERM), wading into uncharted territory, such as assessing threats in the era of cloud-based businesses, can be nerve-racking. But for Roopa Baboota, a CPA (Canada) and a chartered accountant, creating solutions to new and uncertain challenges is part of the thrill.
Baboota is a financial internal audit manager for tech giant Google, an environment oozing with talent and ingenuity. It's a huge challenge — and an exciting one, she said — to create an ERM programme that can keep pace with innovation at a company that is changing the way people live.
"We are looking at self-driving cars, looking at methods of enhancing our overall wellbeing," Baboota said. "All of those business models are happening, and there are no conventional ways or frameworks to actually build the concept of risk or audit around them because we have never seen them before," she said during a presentation at the 2017 AICPA Financial Planning & Analysis Conference in Las Vegas.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a lengthy definition for ERM, but Baboota sums up her view of ERM in three words: protecting the company.
"A lot of companies these days are adopting risk management techniques where they are only looking at the tangible and physical losses within the company, but not extending it to actually the intangible side of things," she said. "Becoming more and more important are things like customer satisfaction or reputational risk, brand image, and corporate culture. I like to think about enterprise risk management encompassing both tangible and intangible risks."
Developing an ERM programme is time-consuming and challenging but ultimately can bring businesses closer to achieving their goals, she said. "It's really about driving investor, stakeholder, and shareholder value, and ultimately that is the number one concern for companies these days — to make sure that they are living up to their strategies and providing value," Baboota said.
She offered the following five tips for avoiding common pitfalls.
Understand the value of ERM
"Companies need to be in tune with how their company is changing to stay ahead of the curve and remain profitable and remain competitive, especially with different dynamic and changing business environments," Baboota said. Many companies traditionally may be more concerned with compliance and regulations, and some may not see the value of intangible assets. But "soft" ideas, such as corporate culture and customer experience, can also create material tangible losses.
She offered an example of a company making an acquisition and focusing on factors related to cost and profitability. "If you truly have a risk mindset, you need to think of other attributes," she said. "Do that company's values actually align with the parent company? What's the reputation of that company, and is that going to help our brand image?"
Corporate culture is another area where it's hard to gather hard data, but one that can have a major impact, she said. For instance, employee turnover can mean employees with critical knowledge of emerging risks are walking out the door and taking those insights with them. The time it takes to recruit and hire another employee and bring them up to speed could leave the company exposed.
Create management buy-in
Businesses need intelligence from all areas and levels of the company to truly build a sound plan. But not everyone will see the value in shifting the way they monitor risk. Businesses should work to determine the root cause of that reluctance, whether it's an unwillingness to address the risk or a perceived lack of resources.
"You could have tenured employees who don't want to change and have the perspective that everything is fine the way it is," Baboota said. "This is why you need buy-in at the top." A strong tone at the top ensures that once risks are identified, roadblocks to resolving them can be eliminated.
If you're facing resistance from management, internal audit may be your best friend. Auditors are charged with ensuring the business is staying on top of risk; you couldn't ask for a better ally, she said.
"Depending on your role in your organisation, if you are not able to influence management buy-in to happen, it's just about starting small with some of those layers of processes that you are working with every day, and developing a risk mindset to really anticipate those best-case and worst-case scenarios," Baboota said.
Update your assessment frequently
Creating a comprehensive risk assessment takes patience and perseverance. A common pitfall of this process, which can be lengthy, is that plans are not evolving quickly enough to keep pace with business changes.
"If you have done a good job as a company in identifying your complete portfolio of risk, that's fantastic, but how you have rated them and how you've prioritised them is completely different month to month," Baboota said. She recommended updating the assessment quarterly, with annual updates to oversight committees.
Assessments may have to be recalibrated as business models and market conditions fluctuate, and especially in multinational companies where international markets are also a factor.
Ensure roles are clearly defined
ERM is a factor on many levels, whether it is embedded into financial planning and analysis or managed through the internal audit function. For some companies, internal audit is a natural fit.
"Internal audit inherently has talent on their teams that are able to link risk and governance really well together," Baboota said. But audit's role must be clearly defined. Internal audit may serve in a consulting capacity, helping management assess risk and develop a process and audit plan. Or internal audit may be engaging from an assurance perspective. But whether it's in a consulting capacity or an assurance capacity, the line needs to be clear, she said. Internal audit should not be managing risk on behalf of management. Management remains responsible for risk, and this should be documented in the internal audit charter.
"That's where it's important for the internal audit function to push back and clarify roles. I'm not able to be responsible and make the decision for you," Baboota said. This is a common issue, and it's easy for the lines to get crossed, but in a company that truly has a sound ERM programme, "management should be coming to you with a proposal, not asking, 'What do I do?'" she said.
Research to stay ahead of the game
Risk managers are frequently asking how to anticipate the future.
"All you can rely on is staying up-to-date on current events and leveraging all of the industry research that's happening with different resources to stay ahead of the curve and market trends that are happening," Baboota said. "As you're innovating, go back to those basic principles."
Read more, she said, keep apprised of what's going on in the world, and be aware of how it can affect your organisation. The answers will come, influenced by your experience. "If you have a risk mindset, you'll naturally be able to anticipate things."
Samiha Khanna is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Sabine Vollmer, an FM magazine senior editor, at Sabine.Vollmer@aicpa-cima.com.