How to avoid enterprise-risk surprises

About a year ago, a regional snack-foods bakery in the US found itself in a predicament.

Persistent political unrest that followed a 2009 political coup in Madagascar had interrupted vanilla supplies from the island nation off the southeastern African coast. Madagascar, which accounts for about two-thirds of the world’s vanilla exports, was the bakery’s main source of vanilla.

Caught unprepared for this strategic risk event—and lacking an alternative supply—the bakery was quickly sold to a large competitor.

Up-to-date management plans need to be in place to deal with risks that can threaten a company’s ability to continue operations, said Chuck Mitman of Prism eSolutions, a Philadelphia data-management firm. Mitman spoke about risk management at the AICPA’s CFO Conference in New Orleans last month.

Indeed, businesses still find it difficult to understand enterprise risk management, Mark Beasley, Bruce Branson and Bonnie Hancock, three ERM researchers at the North Carolina State University Poole College of Management, wrote in a CGMA report.

“We have observed that some organisations believe that the ad hoc risk management practices they currently employ are sufficient,” Beasley, Branson and Hancock wrote. “Unfortunately, they often do not fully appreciate the value proposition of ERM until a major risk event occurs, which, by then is too late.”

A recently published study by Connecticut consulting firm ValueBridge Advisors found that almost half of the negative earnings surprises reported in the first three months of the year by 68 companies trading on the Standard & Poor’s 500 index were based on risks inherent to the companies’ business models.

The study looked at reported earnings that were more than 5% below analysts’ expectations based on company guidance. Brian Barnier of ValueBridge Advisors previewed the study results at the CFO Conference.

So how can companies better prepare for and manage enterprise risks? The three NCSU researchers and Barnier have some suggestions for senior managers. They include:

  • Know your strengths and weaknesses. What do your customers and partners value in your business? What are the skills gaps in your workforce? Where are the weak links in the supply chain? Where could competitors do damage?
  • Identify risks and describe them as events that would affect the achievement of goals. Update them annually and communicate them to members of management and the board of directors. Are you using plain language?
  • Assess the likelihood of a risk event occurring and its potential impact, including any cascading effect.
  • Base your risk-management plan on a written description of senior management’s and the board’s willingness to take on risks.
  • Test your planned risk responses in “what if?” scenarios. Is the risk response working as intended? Are the right people tasked with monitoring, evaluating and responding to risks?
  • Develop risk indicators that are warning signs and that measure the effects of risk events occurring. Have senior management identify thresholds or trigger points that would prompt additional focus on an emerging risk.
  • Integrate the business’s risk profile in the formal strategic plan and update it annually.
  • Check whether you are using the appropriate methods to assess and monitor your risks. How well are your risk measurements aligned to your performance objectives? Are the risk measurements aligned with the root causes of a risk event?
  • Periodically obtain an objective assessment of whether the ERM processes are effective.

Sabine Vollmer is a CGMA Magazine senior editor.