Business Software Corporation (BSC) is a global software company headquartered in the Silicon Valley of California, with annual revenues of over $1 billion. It is listed on major North American stock exchanges. The head of the Internal Audit function, Jason Garnelas, has been asked by the board to lead the establishment of an enterprise risk management (ERM) function. Top management, led by the chief executive officer (CEO), John Black, and the chief financial officer (CFO), Jim Toll, have indicated their support for this important initiative. The plan is for Jason to run the program for the first year, at which point management and the board will consider whether it is necessary and appropriate to hire a full-time risk officer.

Jason is grateful for the support of both the board and top management, because it is unusual for an entrepreneurial technology company to recognize the value of risk management and dedicate both time and resources to its implementation. In fact, at a meeting of the executive leadership, John Black explains that he holds his direct reports individually and collectively responsible for the management of risks to the business. He sees the role of the risk officer, currently Jason Garnelas on a part-time basis, as a facilitator to the leadership team. Jason will lead the development of a framework and process, and will facilitate the identification, assessment, and treatment of risk, but all decisions are a management responsibility.

Jason holds a series of one-on-one meetings with each of the CEO's and CFO's direct reports to understand, with them, the more significant risks to the organization. Most of them engage actively and with energy into the discussions, as they can see that the process will contribute to their and the company's success. Due to their travels, Jason is initially unable to meet with the executive vice president (EVP) of development (responsible for all the software developers) and the general counsel. But he is able to develop a preliminary list and assessment of the more significant areas.

The preliminary assessment is reviewed with the executive leadership team, and the CEO expresses his appreciation for the work that has been performed, but he is concerned that several of his direct reports identified the same areas of risk with significantly different evaluations of both potential impact and likelihood. He decides to assign each area of risk to individual executives who will own them and be responsible not only for monitoring the risk levels and assessing the potential impact and likelihood, but also for ensuring that actions are taken as and when necessary to bring the risk levels in line with acceptable limits established by the CEO and the board.

As everybody leaves the meeting, Jason chats briefly with the EVP of development and the general counsel, George French. The EVP quickly agrees to meet later in the week for an hour to review the risks in his assigned areas. But the general counsel asks Jason to step into his office.

The general counsel tells Jason that while he agrees that a risk management program is fine in theory, he has strong reservations. His concerns fall into two general areas.

First, the company, like every technology company, is routinely engaged in multiple lawsuits. Some lawsuits, particularly those concerned with the protection of intellectual property, involve potential settlements in the hundreds of millions of dollars—both in favor of and against BSC. These lawsuits have been identified as areas of risk that should be addressed by the new risk management program, but any formal assessment is discoverable by the opposition attorneys and could be used against BSC both in negotiations and at trial.

George understands that Jason needs his and his team's input to identify the potential impact of both favorable and adverse results to current and future lawsuits, and the likelihood of those results. But, because of the risk to the company that would be created by a formal risk assessment of the lawsuits, he has decided he cannot participate.

Second, BSC is listed on some U.S. exchanges and is subject to all U.S. Securities and Exchange Commission (SEC) filing requirements. The quarterly and annual filings have to include a discussion of the significant risks facing the organization.

The general counsel is concerned that BSC's competitors could gain an unnecessary advantage from a risk management program. His reading of the SEC rules is that the discussion in the filings has to be consistent with any formal discussion of risks by management and the board. So, if the internal discussion is too detailed and includes specific likelihood and potential effects for each risk area, that would lead to excessive and unnecessary disclosures to the company's disadvantage.

George believes that participation by the legal department will constitute formal risk discussions. Discussion of risk by the rest of the management team is a normal part of running the business, but when he and his team join the discussion it raises risk management from informal discussions to a formal process that should influence the risk disclosures in the company's SEC filings.

George tells Jason that he commends him for the initiative but cannot support it by contributing legal advice to the risk assessment and evaluation process. That should be the responsibility of the executive leadership team, with Jason's assistance. The involvement of the legal department represents, itself, too great a risk.

ABOUT THE CONTRIBUTOR

Norman D. Marks, CPA, CRMA has been the chief audit executive of major global corporations for more than 20 years, and is one of the most highly regarded thought leaders in the global professions of internal auditing and risk management. He has been profiled as an innovative and successful internal auditing leader, and is a Fellow of the Open Compliance and Ethics Group and an Honorary Fellow of the Institute of Risk Management. Norman has been a motivational keynote speaker at conferences around the world and across the United States. In addition, he is a prolific blogger about internal audit, risk management, governance, and compliance.