Case study: Risk management

Risk management is a crucial part of any organisation’s strategy. Dan Martin, HR Zone business editor, reports on the experiences of eye care firm Vision Service Plan (VSR), which improved its methods for risk identification and management.


In the modern world, businesses are exposed to a range of risks, both internally and externally. Patricia Cochran, chief financial officer of California-based eye care firm Vision Service Plan (VSR), described how her company has implemented a new framework, developed by the Committee of Sponsoring Organisations of the Treadway Commission, which helps organisations improve risk identification and analysis.

“Scandals like those involving WorldCom and Enron focused the good guys to relook at how we can do things in a different way,” Cochran said. “We realised that we needed to rethink the issue to come up with some very specific frameworks with which we could address the risks affecting our enterprise.”

Key to starting the procedure, Cochran said, was management’s responsibility to look at risk from a strategic standpoint across the whole company, while recognising there is inherent risk in business every day, as well as risk which produces opportunities. “We need to be realistic about how much risk we are willing to take on. What is our appetite for risk? How can we provide reasonable assurance that our business will be successful and we will be able to continue into the future knowing we haven’t overstepped the bounds of reasonable risk?”

Risk appetite varies among organisations, Cochran explained, and it is up to individual firms to decide how much risk they are willing to take on; something that can vary according to who is in charge. “For the last 14 years under the leadership of our chief executive who has just retired, we had a moderate appetite for risk in that we did take business risk but we took them in small steps,” she said. “We have just changed leadership and we have had another conversation about risk. As a result, we’ve gone from moderate to a little more aggressive risk.”

Outlining VSR’s enterprise risk management (ERM) framework, Cochran said its objectives are viewed in the context of four categories – strategic, operations, reporting and compliance – and that it considers activities across all levels of the business. Built on three blocks, the procedure deals with event identification, risk assessment and risk response, and encompasses more than just financial reporting.

Cochran warned that internal control is crucial to effective risk management. “You can have effective internal control without effective enterprise risk management but you cannot have effective enterprise risk management without effective internal control,” she said.

Other elements of the framework include effective communication with employees, including mandatory signing of the firm’s ethical values and code of conduct policy by each member of staff. “We operate an open door policy where if an employee believes there’s something going on which management needs to know about there’s an open door to the top.”

The firm’s ERM is also applied in objective-setting, in which management considers risk strategy when setting objectives, while the risk identification process includes analysis of the current status of evolving electronic commerce and its impact on the business, market intelligence activities and reporting, competitor actions and political threats or opportunities. In addition, quarterly meetings take place between senior management and board leadership to review the progress of plans.

“Distinct roles and responsibilities are necessary to ensure effective ERM, including management, the board of directors, risk officers, internal auditors and all employees across the organisation,” Cochran concluded.


This is a report on a lecture given at the Chartered Institute of Management Accountants (CIMA) annual conference in November 2006.
