Risky Business

Risk management isn't just financial anymore.

October 2008 | by Jamie Swedberg

C.M. Winn

For years, banks and insurance companies have implemented financial risk management programs for the most mundane of reasons: they are required to do so. Starting with the 1977 Foreign Corrupt Practices Act, federal laws have required publicly held companies to create internal controls to prevent fraud and loss. More and more of those laws are created every year; Sarbanes-Oxley is the most famous recent example. Accounting firms work hard to bring their clients in line with them.  

But recently, publicly held companies have begun taking a broader, more holistic approach to risk management. It’s not just banks and insurance companies that are analyzing their potential Achilles’ heels. Likewise, private firms have realized that paying attention to risk management may help them become more competitive and secure over the long term. This broader approach is known as enterprise risk management, or ERM, and it can encompass anything from financial and operational risks to potential changes in the market. 

Kreg Weigand, partner at the Minneapolis office of KPMG, LLP, an audit, tax, and advisory firm, thinks it’s a good thing that compliance is no longer the sole focus. Such a blindered approach can lead companies to miss important warning signs in their organizations. 

“When you identify your risks, it causes you to ask some important questions about your business,” Weigand says. “Some of my clients have tended in the past to look at a lot of just the compliance risks. I have one client in particular that had their own investment portfolio. They had an investment policy, but no one had really ever monitored how the funds were allocated and they had gotten too concentrated in one area. When we went through the process, they completely recalibrated their investment policy and balanced their portfolio, which I think led them to be in much better shape, given some of the downturns of the market we’ve seen recently.”  

Weigand finds that the United States lags behind many other developed countries in requiring companies to demonstrate that they are managing risk. “Australia, South Africa, Europe, and the United Kingdom all have mandatory requirements for risk management that their public companies have to follow,” he says. “That requirement, I think, has put those countries and those companies ahead of U.S. companies in terms of competitiveness” and their ability to anticipate industry changes.