Does everyone remember the landmark speech Stephen Cutler, former
director of enforcement at the U.S. Securities and Exchange Commission,
delivered at UCLA School of Law in September 2004? It was titled,
"The Themes of Sarbanes-Oxley as Reflected in the Commission's
Enforcement Program." This speech has since become known as the
infamous "Gatekeepers Speech." In this speech, Cutler
emphasized the importance of the gatekeepers, those people who are
responsible for the monitoring and oversight of others in the financial
markets. Cutler indicated that these people are the ones in positions
of authority whom the investing public, the government and others expect
to model honesty, integrity and veracity. Emphasis was
rightly placed in this speech on the fact that these individuals must be
beyond reproach and accountable for their actions.
If you recall the speech, you may recall the rather interesting
quote with which Cutler commenced his speech, relating to the impact of
fraud and corruption on corporations. It was, "The public
corporation is currently under severe attack because of the many
revelations of improper corporate activity. It is not simple to assess
the cause of this misconduct. Since it has taken so many forms, the
one-dimensional explanation that ... such conduct is a way of life, is
simply not acceptable."
Most people who heard that speech probably were thinking that this
was a reference to the recent corporate scandals. However, Cutler
quickly indicated that the quoted words were actually first spoken in
1974 by then SEC enforcement director, Stanley Sporkin, who was
referring to the many disclosures of bribes that had been paid to
foreign government officials that led to the enactment of the Foreign
Corrupt Practices Act. The truth of the old adage "history repeats
itself" was once again painfully obvious, and Cutler issued his
warning that the cycle would continue unabated unless a culture change
occurred in the securities markets.
Cutler stressed throughout his speech that holding the gatekeepers
responsible for their actions was the key to preventing continued
corporate fraud and abuse. Included in his definition of gatekeepers
were corporate executives; in-house and outside counsel; members of the
board of directors, including independent directors, research analysts,
external auditors and financial services firms; and other institutions
and individuals who acted as the "sentries of the
marketplace."
In this increasingly volatile and complex marketplace, what should
the gatekeepers do for companies with overseas operations, which require
an integrated worldwide risk management strategy encompassing both audit
and compliance programs for multiple locations? Operational risk
management has been a challenge for companies for years and is becoming
increasingly more complex with the addition of multiple overseas
operations. If Cutler were to give a speech today on the
gatekeepers' role against the international landscape, what
"grade" would he assign to the gatekeepers today? What
practical suggestions can we provide, in particular, to the corporate
executives and directors who are responsible for effectuating the
behavioral changes within their corporations that will lead to the major
cultural shift Cutler alluded to in his speech?
Let us re-examine and highlight some foundational issues relating
to the construction of a solid, worldwide operational risk management
program. Let's go back to basics and start with the definition of
risk and consider the result a robust assessment of a company's
strategic, operational and financial reporting, technology, and
compliance risks across international borders may have on the ultimate
success of the gatekeepers.
Conforming to Reality
Risk is the possibility that an event will occur and adversely
affect the achievement of a company's objectives. The event is an
incident or occurrence that could affect the implementation of strategy
or achievement of business objectives. Such events are what distinguish
risk from opportunity: events that may have a negative impact represent
risks, while events that may have a positive impact represent natural
offsets or opportunities. Management channels both back into strategy
setting and classifies them into four categories: strategic, operational,
compliance and financial. Sound simple? Pretty much, except when you
consider that humans generally resist change, behavioral and otherwise,
and accordingly balk even at many positive
opportunities presented to them. Also, most companies lack appropriate
staffing and education for their current employees to enable them to
adequately assess the difference between risk and opportunity. Finally,
most companies face monetary and other budget constraints which hamper
their ability to effectively implement any type of risk management
program, let alone one which encompasses their international units.
Key Factors to Developing an Integrated Risk Management Program
So what should the gatekeepers do? What words of wisdom can we
impart to those entrusted with guiding the international corporation
toward an integrated worldwide risk management strategy that can assist
the company in preventing fraud from ever occurring in the first place?
* Implement a Top-Down Risk Approach: The focus of the top-down
risk approach is to prioritize the top risks facing the organization as
a whole by considering the significance and likelihood of each risk.
Once the top-down risks have been identified, controls should be
established and monitored to mitigate these risks to the satisfaction of
management and the board of directors of the company. Such risk
identification could occur through risk management workshops conducted
by senior management.
* Integrate All Operational Risk Groups: Creation of one
organizational entity (or steering committee) within the corporation for
the purpose of risk assessment is highly recommended. By consolidating
this function centrally within the organization, the focus is on helping
the organization meet its overall business objectives, not just those
within a single location or discipline (e.g., compliance). This is
particularly important in decentralized corporations such as those that
are employee-owned. In this manner, duplication of efforts is eliminated
- duplication which often occurs as internal audit, compliance,
Sarbanes-Oxley and ISO teams may each have reviewed the same process or
functional area to assess their particular risks. Management is also
able to resolve issues in a more timely manner, since management will not
be required to read three or four separate reports from the different
operational risk groups related to the same department. One consolidated
report will also ensure that changes to controls to mitigate a risk in
one area do not cause a weakness in another.
* Implement Risk Management Workshops: The purpose of risk
management workshops is to expand the understanding of known risks and
perhaps, surface risks that have not been emphasized previously within
the organization. Dialogue among participants from all disciplines and
levels at the company is critical to achieving this objective. Each
participant has different exposure levels to various risks given their
job responsibilities. Participants with more knowledge of a particular
risk are strongly encouraged to share their perspective with the group
to improve overall understanding of the factors to be considered in
evaluating the risk. Discussion on the key activities in place to
mitigate each of the highest priority risks and determination of
management positions relating to the management of the highest priority
risks is of paramount importance.
* Establish a Robust Monitoring and Reporting System: A formal
monitoring and reporting system needs to be established for managing the
dynamic nature of any organization. This formal monitoring and reporting
must include a process to monitor changes in the risk profile of the
company; controls to mitigate the risks identified by management; and a
reporting mechanism for the risk identified, as well as a reporting
mechanism to measure or identify mitigation of the risk.
* Utilize Technology: Many software options can aid a company in
implementing, and more importantly monitoring, the company's
operational risk management plan. These software packages are primarily
web-based, allowing accessibility from all company locations, and are
available in numerous languages. The software also allows the auditor to
link multiple risks to multiple functional audits and locations.
Reporting of audit results is also facilitated by using a software
package, since the program can be used as a consolidated repository for
the audit findings.
A fully integrated risk management program will likely take several
years to achieve and is best implemented incrementally, but the key to
executing a successful program is to continue to focus on the objective
of mitigating your organization's highest risks in the most
effective and efficient way possible. Moreover, honest evaluation,
remediation, oversight and systematic monitoring will go a long way
toward achieving not only a fully integrated risk management program
across the globe, but will also lay a solid foundation for effecting the
type of cultural change that Sporkin and Cutler spoke about in 1974 and
2004, respectively: cultural change that any gatekeeper would be proud
to have had an influence upon.
COPYRIGHT 2008 CBJ, L.P. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.