Risky business? Not if you set thresholds, manage exposure: experts agree that companies are doing a poor job of assessing and managing risk--either they lack a mandate from executive management or they don't have the necessary discipline. As risk management becomes a still larger focus area, it's time for those that haven't identified and analyzed risk areas to do so.

• Author: Marchetti, Anne
• Position: Risk management

Despite the plethora of internal and/or external events that could expose an organization to serious risks, companies focus much more time and resources on measuring and monitoring financial performance than on proactively measuring, analyzing and responding to and mitigating risks--threats that could hurt financial performance.

[ILLUSTRATION OMITTED]

One would think that recent corporate scandals and fraud, as well as provisions set by the Sarbanes-Oxley Act, would have spurred companies to assess and improve the management and mitigation of enterprise-wide risks. This is apparently not the case.

A July 2004 PricewaterhouseCoopers "Sarbanes-Oxley Compliance Survey" found that 61 percent of 152 senior executives from U.S. multinational companies recognize that they must improve their risk identification and assessment process in future years because of new corporate-disclosure rules. And 55 percent anticipate adopting risk-mitigation processes, the survey found.

Risk-management experts agree that, for the most part, companies are doing a poor job of assessing and managing risk because either they lack the discipline for it or a mandate from executive management is absent. However, as risk management is rapidly becoming a major area of focus, if you haven't identified and analyzed risk areas within your organization, it's time to do so.

Companies that assess risk, set risk thresholds and actively monitor and manage their risk exposure within those thresholds can more accurately predict future performance. They are also likely to achieve higher performance and/or meet financial expectations because they are better able to avoid large fluctuations in business and evade the consequences of unmitigated risk events.

In "Add Risk Exposure Considerations to Planning Process, Says Fed Governor," an article in the March 2005 issue of America's Community Bankers, Federal Reserve Board Gov. Susan Schmidt Bies called on companies to adopt a "consistent, sound enterprise-wide risk-management culture." In adopting such a culture, risk management is viewed as a way to keep pace with changes in risks and achieve strategic advantage rather than a mere compliance exercise, she adds.

Bies also contends that risk management and internal control begins by "stretching the planning exercise" to consider alternative outcomes. Bies believes managers should be expected to evaluate the risks and controls within their authority at least annually and report the results...