44 Part I: Governance, Risk, and Compliance Demystified
Who cares about risk?
In addition to business owners, a variety of other stakeholders are concerned about risk and how risks are managed. Here are some of them:
Boards of Directors. Boards of directors worry about risks. You tell the board the plan, and they ask you: what are the risks? What do we know about them?
Investors. Investing is all about risk. Is investing in this company a good bet, or is it too risky? If investors are confident that the company is assessing its risk accurately, they will be more willing to invest in and support the growth of the company.
Companies that provide data for investors. For example, Standard & Poor's issues credit ratings for companies. These ratings determine how much a bank will charge a company to borrow money. Standard & Poor's now includes the company's approach to risk in its evaluation, so whether a company conducts risk management affects whether it will be able to borrow money and at what rate.
Managers. Good managers also care about risks: they are often compensated based on their group's performance, and risk management will maximize that performance.
Regulators. Although the R in GRC has traditionally been separate from the C (compliance), risk-related regulations are on the rise:
Switzerland has passed a law that requires boards of directors of publicly held companies to describe their procedures for conducting risk assessments in the notes to their financial statements. Companies may instead list the significant risks that they face.
In Germany, the Act on Control and Transparency in Enterprises (KonTraG) specifies that companies must perform risk management, and they must do so in a way that allows them to address the risks before they turn into incidents. Furthermore, they have to address the risks in a way that aligns with their corporate objectives.
In the United States, the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) have published Auditing Standard No. 5, which recommends a top-down, risk-based approach to organizations' SOX compliance requirements (assessment of internal control over financial reporting). As a result, companies are implementing a risk-based methodology to implement and maintain their policy and control environment.
Even where risk management is not directly named by regulators, it turns out that you need effective risk management as part of the underlying business environment. The U.S. Amended Sentencing Guidelines state that organizations must take reasonable steps to ensure that their compliance and ethics programs are followed (including monitoring and auditing to detect criminal conduct) and must periodically evaluate the effectiveness of their compliance and ethics program. Although risk management is not explicitly stated, analysis of the guidelines shows that what is required to meet them amounts, in fact, to a systematic approach to managing and monitoring risks.