Enterprise Risk Management: How to Engage Your Board of Directors
But how does a security leader engage the board on ERM - and keep it engaged?
Pete Fahrenthold of Continental Airlines and RIMS discusses:
Fahrenthold is the Managing Director of Risk Management and the ERM Team Leader for Continental Airlines. He has over 20 years of risk management experience. Prior to entering the risk management field, he worked in public accounting and in various corporate functions including financial reporting, treasury operations, and employee benefits management. He is currently the Vice Chair of the RIMS ERM Development Committee, and he is the Chair of the AFP Risk Newsletter Editorial Advisory Board.
TOM FIELD: Hi this is Tom Field, Editorial Director with Information Security Media Group. The topic today is Enterprise Risk Management. What do you do to get your Board of Directors involved in this topic? We are talking with Pete Fahrenthold with Continental Airlines. Pete. thanks so much for joining me.
PETE FAHRENTHOLD: Sure.
FIELD: Pete just to get it started, why don't you tell us a bit about your background and your current roles both with Continental Airlines as well as with RIMS.
FAHRENTHOLD: I am the Managing Director of Risk Management for Continental Airlines. I've been here 12 years. I also have responsibility for leading the ERM effort here at Continental. I started it about three years ago, and I'm also the Vice-Chair of ERM Development Committee for RIMS.
FIELD: So, Pete, as you look at this topic of enterprise risk management, or ERM, what do you see as the top issues currently in the industries?
FAHRENTHOLD: The financial crisis has really focused a lot of attention on risk management and whether a more effective risk management could have prevented or somehow mitigated the effects. This scrutiny is on financial institutions for their more direct role in it, but also on non-financial institutions. On the idea that the non-financial institutions could have asked more questions, could have been a little better prepared for the economic downtown. So, risk management a very hot topic at the moment.
The legislative environment is also changing as a result of the financial crisis, and it's pushing organizations more toward ERM. The Securities and Exchange Commission issued some proposed proxy rules back in July that would require disclosure of the extent to which a board of directors is involved in an risk-oversight process, and the qualifications for the board members that perform that function to manage that. The comment period on that is over with. It ended in September, and the SEC hasn't issued their final rules as of yet, but the expectations is whatever changes they have will be applicable to the 2010 proxies. In addition there are some legislative proposals; Senator Schumer from New York in particular, has a piece of legislation called the Shareholder Bill of Rights that would require a publically traded organization to establish a board-level risk committee with the oversight responsibility. Now RIMS has looked at both of these documents and provided some commentary, and in general RIMS supports the more direct involvement of the board in risk oversight.
So the issues have now become how to weather to implement an ERM system, and how do you go about doing that, and how do you make that system something that helps the organization, makes the system sustainable so that it's not just creating another paperwork burden. It is truly an additional value added.
FIELD: Well, Pete, you talked about board of directors, I know you have a lot of experience there. My experience with a board is you start talking about an acronym like ERM, and you start to see eyes rolling up in the heads.
FAHRENTHOLD: Well you are correct in that. Board members have a lot on their plate. A lot of what they do sometimes appears to be formalities that make it difficult for them to focus on what they are doing, so the last thing they want is another system that appears to be just a more elaborate way to do something they are already doing. In particular with respect to risk management, the board members that I have talked to, a lot of them believe that their existing system already addresses risk on an enterprise level, so they don't really need to go anywhere else with ERM. And that is one of the big obstacles to bringing ERM forward. You have to demonstrate that ERM is not just more paperwork. That ERM is truly a system that will enable you to make better decisions, understand your business more fully, and evaluate where you are trying to go more accurately. As far as demonstrating the value of an ERM system, it can provide better information, and that is really what the board is looking for. It can standardize the measurement of risk, because - for us, for example, we have a particular set of criteria, and unless a risk meets one of those criteria, it has a financial threshold, does it have an impact on credit ratings, and things like that. What we are trying to do is filter the risk so that board is not looking at small numbers or things that they would view as a responsibility of management to deal with on a day to day basis. So that's the first thing; you have to convince the board that this is something better.
The system also provides them better information because it establishes some risk thresholds. There may be an informal understanding between management and the board as to what level of risk should move to the board for some oversight. This system would require the board to say, 'We want earning volatility within this range, or cash flow within a certain range,' and it will cause them to establish some particular measurement devices so that now management and the board are clear on what critical numbers are, what material, what they should be looking for. So that is going to eliminate some misunderstanding. It's going to keep some things from falling through the crack. And the other thing that the ERM system can do is it will help them understand their organization better. They may find in the process that the structure of their organization would give them -- it gives them a competitive advantage in terms of risk, that they can take more risks than their competitor because they have more manufacturing capability or unused capability, or their financing is better, or some other aspects like that, but it can actually move to a competitive advantage, which every board would be looking for.
Once you've convinced the board to do this, the second obstacle is that many of the risks that are looked at on the board level are strategic risks. It's not a question of 'What is my VAR, what's my value at risk for my investments or the derivatives that I had in place What is my foreign currency exposure?' Those are not the things that the board looks at. They are trying to figure out 'Should we go into a merger that will commit us to equipment for 20 years? Do we do a new product line?' And those are not things that you can easily put a number on. However, you can ,by evaluating them more in more detail, put a more accurate range both at probability and financial outcome on those, and I think that is better information that the board can certainly use. They are probably getting something like that now, but by having a more structured process they can get better information, and from their viewpoint that is certainly going to be an advantage.
FIELD: So, Pete, you talked about some of the challenges getting the board engaged in something like ERM. In your experience with boards, what really works in getting them engaged?
FAHRENTHOLD: The key thing is to demonstrate that it is additional value to them. Many ERM programs start with a lot of enthusiasm and work and end up documenting a lot of level risk. The board is assuming that certain things are taken care of by management, and they don't need to know that. The ERM system should provide assurance that the materials, sort of ongoing risk that the organization is facing, are being handled so they have this baseline comfort that nothing huge is going to jump up and bite them. And then that the ERM system can help them with these more difficult long term major decisions. That is what's going to work with them, as if they see this as something different than the information they are getting now, or one of the other advantages to the ERM system that can be demonstrated is that it looks at a risk on a portfolio basis. A risk in one area of the organization can be better or worse by it's inter-relatedness to a risk somewhere else. What your purchasing people do to save money on raw material, for example, can cause a problem with storage of the raw material at your manufacturing location. This is a simple example, but the point is that ERM will provide this sort of inter-related portfolio approach, which again the board will value because they see it as better information.
FIELD: So, Pete, flip side of this question. You talked about what works; what doesn't work when you are trying to engage a board in a topic like this?
FAHRENTHOLD: What doesn't work is if it appears to address risk at too low of a level and is not addressing their specific problems. Again, the board is making decisions over the long term, a number of years on acquisitions or equipment, competitive moves, or new products. If you come to them with your ERM system and say, 'As a result of all this work, we can assure you that our foreign currency exposure is not going to be a problem.' Well, they are assuming it's not a problem anyway. So it has to be, as I said, valued added information. If you go at them with a list of 300 things that they think 299 of them weren't a problem for them to begin with, they are just going to dismiss this as more paperwork and not any more value.
FIELD: That is a great way to illustrate this. It strikes me, Pete, that enterprise risk management is just one of the topics that management is going to want to engage a board in. You've got lots of experience with a board. How do you measure the ongoing engagement of your board of directors with your information security practices and policies, and the things that really increasingly need to be kept abreast of and involved with?
FAHRENTHOLD: It's like anything else that they deal with. It's going to be how often they ask and the type of questions they ask. Some organizations look at risk on an annual basis, and I think that's an evolutionary process. As its management provides better information, the board will ask for that information more often. For example with us: fuel prices. If our budget was based on fuel prices at a certain level and now they've gone back up. they'll come back to us, 'Well, what does that mean for us? Does that mean we change hedging? Does that mean we take some other steps?' So it's going to be their level of interest in the subject, and secondly you'll know if you're addressing the strategic issues that they are interested in. Their questions will be ongoing because strategic issues are never black and white sort of decisions. They are based on a large group of assumptions about the future, about what competitors will do, what raw materials will cost, and those issues are always evolving. They will continue to ask these questions up to the point the decision is made, or after the decision is made. So again, if they are asking about for more information, more detail, more analyses, and they are asking about updates to the information they have received for changes in the business environment, then you know that they are interested in risk as an ongoing topic. If you don't get any response, then you are not giving them enough information. You are giving them too little or too low of a level.
FIELD: Pete, one last question for you. In financial services especially, we've got a lot of organizations now that are trying to create this vital link with their boards of directors. If you could offer a piece of advice for how to create or strengthen this link, what would that advice be?
FAHRENTHOLD: Well, the advice would be to focus on their issues. Look at risk from their prospective. Risk has historically been managed in silos, and even ERM system is not removed from those silos -- the responsibility to manage the risk that is there. What ERM is going to do is its going to look at how it's being managed and how the pieces fit with the other exposures that are being managed. If you provide information that the board is interested in, then you have to look at from their view, what do they care about. They don't care about insurance, necessarily. They don't care about foreign currency hedges particularly, but they do care if they are about to invest in something that will run up 20 years or require additional debt financing. So if you are going to get them interested, you have to address it from their level which a lot of times will take a change in the prospective in the individual running the process. You have to think larger. You have to think higher up the chain than your own position. So that would be the primary advice.
Then the other thing I would say is this, between the SEC and Congress, I think that there is going to be an opportunity for ERM if an organization is thinking about implementing ERM. I think between those organizations they are going to open the window for you in the next few months. S&P has been going through the process of revising their specific procedures that they are looking for, and then Congress and the SEC will come out with something. So the other advice I would have is prepare now. Start working on your system so that when that opportunity opens with the board and they ask about ERM, should we have an ERM system or why don't we have an ERM system. Management is ready, they have done the legwork. They have the system ready to present and they are able to demonstrate it, otherwise ... you may be in a scramble to try to get something in place. So if it's in the 2010 proxy statements, for example, that's going to be, there could be a fairly short fuse on that early in the year. So that would be my other advice; start working on it now so that you are ready when that question comes from the auditing committee or from the board in general.
FIELD: Good sound advice. Pete, I want to thank you for your time and your insight today.
FAHRENTHOLD: Certainly, glad to do it.
FIELD: We've been talking with Pete Fahrenthold with Continental Airlines. The topic has been Enterprise Risk Management. For Information Security Media Group, I'm Tom Field. Thank you very much.