Ng, Artie
Artie Ng traces the steady g legalisation of enterprise risk management and considers its main implications for companies in East Asia.
The private sector is becoming increasingly aware of the need to implement enterprise risk management (ERM). A recent global survey by the International Federation of Accountants (IFAC) among its member bodies revealed that about half of the respondents believed that adopting good practice in internal control and risk management would be very important in the coming year1. Another survey of senior managers suggested that ERM development in more than half of companies was led by the board2. This reinforces the message that ERM implementation is attracting significant attention around the world and that more resources are likely to be allocated to it in the near future.
But, while efforts to converge international accounting standards to eliminate differences among the international capital markets have gained momentum, efforts to implement ERM remain at an early stage. We continue to suffer from incidents triggered by unanticipated risks at large companies from the collapses of Enron and WorldCom to the more recent failure of a number of banks to manage the risks concerning subprime loans in the US.
The sub-prime crisis is likely to make stakeholders increasingly stringent about measures of internal control and the effective use of ERM. It has also raised concerns about the efficacy of credit ratings agencies. Stakeholders are troubled by the failure of the credit rating mechanism to provide timely signals about the underlying risks of companies' financial assets.
In a recent development, credit ratings agencies have integrated ERM as an element of their overall analysis of corporate creditworthiness. At the end of last year Standard & Poor's (S&P) issued its timely publication Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies (http://snipurl.com/ 24h1 h). This suggested that the company intended to incorporate ERM capability as a key criterion in its approach to reviewing the crediting ratings of companies, which would also be revealed in their reports.
Other credit ratings agencies are also showing more interest in ERM. Fitch Ratings has disclosed that it considered various aspects of ERM when rating insurers and financial institutions in 2006. Both Moody's Investors Service and S&P say that they examine the risk management processes of financial institutions and insurers. But these agencies have only recently formalised the evaluation of such processes in a more structured context - the Coso framework which has become more widely accepted among accounting and finance communities and regulators.
Noting that it expects this increased emphasis on ERM to continue, Moody's has stated that it is now including risk management capabilities in all of its credit ratings. Meanwhile, S&P has incorporated a review of ERM for public utility companies. This suggests that companies in financial and non-financial sectors - private and public organisations alike - are likely to become subject to this kind of review. It also implies that a company's debt ratings could be adversely affected if these assessments find significant issues and/or deficiencies in its risk management capabilities.
East Asia catches up
If the concept and application of ERM is still young in the US, it's in its infancy in most other parts of the world. The increasing convergence of accounting standards ought to be complemented with improved internal controls to ensure that the newly reported financial statements are reliable. The globalisation of capital markets would create an even stronger need to improve companies' risk management capabilities.
The globalisation movement has already led to more requirements for internal control among regulators around the world. Japan, for example, has launched "J-Sox" - its own version of the US Sarbanes-Oxley Act 2002. This embraces Coso while increasing awareness of the importance of ERM. Formally named the Financial Instruments and Exchange Law, J-Sox takes effect this year for companies listed in Japan. China is also considering the Coso framework and the need for further regulation. Hong Kong, the international financial centre of East Asia, has even explored the requirement for an internal control review based on the Coso framework for pre-IPO due diligence, following the release of guidelines on internal control by the Hong Kong Institute of Certified Public Accountants that ensure synchronisation with the other international capital markets.
Challenges ahead
This interest in strengthening the capabilities of risk management presents companies operating in the global marketplace with different challenges. One of the key issues is whether they can cope with the new demands for more effective ERM. I believe that the globalisation of ERM could be even more challenging than the globalisation of accounting standards. For instance, a country's tradition and culture could influence its attitude towards risk management. Two of the main challenges for companies implementing ERM in East Asia lie in the following areas:
* Experience of risk management. Given the short history of developing ERM, few professionals are experienced in dealing with the design and implementation of it in East Asia. Organisations continue, therefore, to rely on external consultants, typically from large international firms, to help them make initial risk assessments. But the consultants' reports will not help to embed ERM in the operations of these organisations. While the rest of the world has focused on the development of a risk registry, more advanced organisations in East Asia have begun to hire people in risk management positions. This gradual accumulation of experts should enable these organisations to start developing their own risk registries and to build ERM from within. This will require clear accountability and continuous risk assessments.
* Complementarity of corporate governance and culture. Large East Asian companies - for example, in China - are dominated by state-owned enterprises and family-owned conglomerates. These organisations need to adapt their traditionally rather centralised decisionmaking culture that manages risk using a top-down, diagnostic approach. They tend to deal with incidents internally and provide ad-hoc solutions instead of using a more structured method. They may need to change their culture of risk management radically in order to develop an effective ERM system. In particular, effective risk management requires a board that understands the dynamics of the increasingly complicated external operating environment and its links with internal controls. The role of the audit committee has to be strengthened with more clearly defined responsibilities in relation to the development of a dynamic internal control system. Simply being risk-averse is no longer enough to deal with the dynamics of risk.
The carrot and stick
Another survey of senior finance and risk management executives noted that 90 per cent of companies implementing ERM were very confident of their ability to manage risk, compared with 45 per cent of those that weren't using the approach3. Most believed that ERM could help to improve their companies' P/E ratios and costs of capital. Such benefits have further encouraged listed companies to adODt ERM.
Stakeholders, particularly institutional investors, may start to put more emphasis on a company's ERM capability during their investment decision-making processes. After all, this is by and large about the increasing concerns of stakeholders and the recognition that ERM goes beyond mere regulatory compliance. Organisations that fail to adopt effective ERM would not only fail to comply with regulators' expectations, but should also come under increased scrutiny from the credit ratings agencies.
In Japan, big companies with stakeholders in the capital markets have formed the Japanese Association of ValueCreating ERM to explore how ERM can contribute to business. The globalisation process should mean that increasing numbers of East Asian enterprises will soon start to show their risk management capabilities. It's also likely that they will become more aware of potential emerging risks related to the use of technology, infectious diseases and climate change. I predict that organisations that can develop a dynamic, intelligent ERM system, together with an ability to respond to emerging risks, will stand out from the crowd and reinforce their suitability for growth.
1 Global Leadership Survey, International Federation of Accountants, 2007.
2 Protiviti Consulting, "Credit rating analysis of enterprise risk management at nonfinancial companies: are you ready?", The Bulletin, VoI 3, No 2, February 2008.
3 R Banham, "Enterprising views of risk management", Journal of Accountancy, June 2004.
Artie Ng ACMA is senior lecturer at the School of Professional Education and Executive Development at the Hong Kong Polytechnic University.
Copyright Chartered Institute of Management Accountants May 2008
Provided by ProQuest Information and Learning Company. All rights Reserved
No comments:
Post a Comment