By Jack Greenberg, CPA
Sarbanes-Oxley looms large over the accounting profession. So large, in fact, that Sarbanes-Oxley compliance and internal controls work may have overshadowed dozens of other risks facing your, or your client’s, enterprise.
CPAs are in an ideal position to identify and analyze different types of risk, and to act as change agents in developing an appropriate and effective management response. The CPA’s analytical tools help determine how to define risk and how much to tolerate. What’s more, sharing your experience with controls issues with a wider audience can ensure that the evaluation of risk becomes an ongoing, integral part of the management process.
Every Business is Risky Business
Risk comes in many forms, and from internal and external sources. People, property, information, reputation, investor confidence, creditworthiness, and countless other organizational elements represent vulnerabilities that must be acknowledged, addressed, and mitigated.
In the past, risk management was usually practiced solely in terms of insurance. This narrow view is no longer sufficient. Companies must develop what is known as a "portfolio view" of risk, including tangible risks - such as fires and property damage - and those that are intangible:
-- Losing market share to competitive activities and pressures
-- Effect of markets on growth strategies
-- Questions about the character or actions of executives
-- Natural disasters in other parts of the world, and how they affect the ability to do business
-- Effect of an IT security breach on customer service
-- How terrorist action, here or in another country, could affect domestic markets
-- Elections and government policies
Risks must be identified, inventoried, and prioritized based on each company’s unique risk appetite (the level of risk that management deems acceptable) and risk tolerance (an acceptable level of variation around objectives).
Internal and external CPAs can act as facilitators, providing direction to the management team as it explores risks. Sometimes, the risk can be addressed immediately; other times, it must wait. What is important, though, is that the risk is recognized and addressed in strategic planning.
Ultimately, some risks, like introducing a new product, are worth taking. But such risks are only acceptable within certain guidelines for return on investment. Some risks can be inherent in the type of business or industry segment, while others are the result of organizational structure, management decisions, markets, or clients you serve.
There is no right or wrong way to organize your, or your clients’, risk portfolio. Some organizations pursue strategies with higher risk, and some pursue lower-risk strategies. These levels are determined by a management team and communicated internally and externally.
After establishing and organizing the risk portfolio, processes and procedures can be developed to minimize or even eliminate risk. Some of these efforts can include the following:
-- Internal accounting and audit controls to help prevent fraud
-- Tax strategies to reduce tax burden
-- Documentation guidelines to meet government regulations
-- Strategies to protect sensitive electronic data and networks
-- Contingency plans and backup systems for technology failures
Risk Management Adds Value
Risk management adds value by helping management detail what could go wrong on the way to reaching their goals, and then consider potential compromises. The more effort put into reducing or eliminating the risks that stand in the way of rewards, the greater the value that is created. A proactive approach to managing risk can root out dangers that no one thought much about, and then focus resources on eliminating them. For example, an auto dealer whose sales are dominated by gas-hungry SUVs may not see an earthquake in Mexico as a direct risk to his or her business. In fact, damage to oil production and refining capacity in any oil-producing state can affect domestic gasoline prices, which, in turn, is likely to influence vehicle sales. In this example, risk exists not because you or your client failed to take action, but because something beyond either party’s control has occurred. Risk management is about enabling people and processes to move forward with the greatest opportunity for success in these circumstances.
Every company should evaluate risks on a regular basis to manage exposures. No one is better suited to lead the charge than a CPA who has a strong understanding of how to mitigate risk.
Jack Greenberg, CPA, leads Clifton Gunderson LLP’s Mid-Atlantic Business Risk Services practice. He can be reached at Jack.Greenberg@cliftoncpa.com.
Copyright 1998-2007 PICPA. All rights reserved. Contact journal@picpa.org for reprint permission