Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. We are coming to you a day early this week because of the Juneteenth holiday. We’re featuring a conversation with Mark Beasley, Professor of Enterprise Risk Management and the Director of the Enterprise Risk Management Initiative at NC State’s Poole College of Management.
Beasley is a thought leader in the area of Enterprise Risk Management (ERM) and its integration with strategy and corporate governance. The ERM framework grew out of previous approaches to risk assessment that viewed risks in silos. ERM, says Dr. Beasley, is trying to “close the gaps that exist between the silos.” Today, we talk about the basics of ERM, and how external auditors may benefit from better understanding their client's approach to risk management.
“A lot of times, the way the C-suite thinks about more external risk is what I would call ad hoc risk management in the sense of, oh, I thought about this when I was running this morning, or I saw that on the Wall Street Journal front page. It's very unstructured. ERM is going to take you through a process to force explicit conversation and discussions in a structured way about what kinds of risks could emerge that can affect our strategy.”
Interview References:
Mark Beasley’s Poole College of Management profile.
14:49 | Beasley, Mark S.; Hermanson, Dana R.; Carcello, Joseph V.; and Neal, Terry L. Fraudulent financial reporting: 1998-2007: an analysis of U.S. public companies. (2010). Association Sections, Divisions, Boards, Teams, 453. American Institute of Certified Public Accountants (AICPA).
Supplemental Materials:
Enterprise Risk Management Initiative. North Carolina State University.
TRANSCRIPT
I. RESPONSIBLE RISK MANAGEMENT, RE-ENVISIONED
Alizah Salario, Host: I want to start out by asking you a basic question, which is simply to distinguish between enterprise risk management and traditional risk management. What are the main differences?
Mark Beasley: The way most entities have traditionally managed risk is to look to different parts of the business and subject matter experts and say, “Please manage the risk in your area of responsibility.” They're going to look to the attorneys to manage legal risk; they're going to look to sales to manage customer risk; they're going to look to technology to manage technology risk, and on down the road, which makes good logical sense. I would want smart people that know that area to manage risk.
But the problem is in traditional risk management, we stop there. Enterprise risk management is meant to take that and add a different dimension to it. What ERM is trying to do is to close the gaps that exist between the silos. The CFO is dealing with finance and treasury risks, but there are gaps. There are risks that fall between the cracks. Some of them can be even bigger with a risk across multiple parts of the business. And I might see a piece of it if I'm the CFO, but I’m not seeing the full picture of that risk.
And so ERM is trying to say, how can we help facilitate conversation and communication between these silos to try to close that gap? The other challenge with a traditional risk approach is, I, as one of your silo leaders, may manage risk in my area. So if I'm the CFO, I'm going to manage finance-related risk, and I’m going to lower the risk that I see. What I might do, but not know I have done, is create a different risk, so I have now lobbed a risk over to the legal side. I don't know that I did that. I'm trying to do the right thing, and the legal team doesn't know I've done that.
The third piece is that many traditional approaches to risk management are looking at it from, here's the risk issue, I deal with that issue, and we're not mapping it to the strategy of the business. So ERM is really trying to reconnect risk and return by saying risk management and strategy go together, because I know when I'm trying to deploy a strategy, there are risks to it, and I want to bring those conversations together. But in a lot of organizations, strategies are managed at the top, risks are managed in pockets all across the entity, and sometimes those people don't know each other.
AS: That's a really great overview, and you bring up a couple of questions. Taking a step back, let's say an external auditor comes in, they're meeting with a CEO or the CFO, and instead of starting with these little pockets of risk, they want to start with that big picture strategy. What does that look like?
MB: Starting with that big picture strategy and then learning from the business how ERM is informing that strategy is incredibly helpful for an external auditor. I'd love to know what they think their big risks are to their strategy. Now, a lot of auditors will push back on that and they'll say, “Mark, I don't need to worry about a lot of strategic risk.” I'm like, “Really?” and they'll say, “Well, because it doesn't lead to a material misstatement.”
Be careful there, because it could create pressure. It could create incentives that could lead to a material misstatement. I think ERM, if an entity has done it well, and it's connected to strategy, would be hugely relevant to external auditors to first go in and say, “Management, what do you think your big risk issues are?”
—
II. PRIORITIZING RISKS AND RE-BALANCING AMID CRISES
AS: We've had a number of recent crises, including Covid, crypto, bank failures, inflation, and a lot of these boil down to taking on too much risk. Tell us how an enterprise risk management approach might have prevented, or even just mitigated, some of these crises that we've seen play out.
MB: Another limitation of traditional risk management is it tends to have an internal lens. What are the risks to our operations? What are the risks to our compliance? What's the risk to financial reporting? ERM wants to pay attention to those, and it wants to really push people to think about what could emerge from outside the entity. Things like the economy, things like a pandemic, things like innovation that suddenly disrupt how we do business. ERM, if it's done well, forces me to think outside the entity. What's happening with geopolitical issues? What's happening with the economy? What's happening with competitors?
A lot of times, the way the C-suite thinks about more external risk is what I would call ad hoc risk management in the sense of, oh, I thought about this when I was running this morning; I was taking a shower. Oh, I saw that on the Wall Street Journal front page. It's very unstructured. ERM is going to take you through a process to force explicit conversation and discussions in a structured way about what kinds of risks could emerge that can affect our strategy.
Interestingly, we've had a number of entities tell us, “We sort of looked at a pandemic, but thought, nah, I'm not going to spend time on that.” From a traditional approach, they're looking at the probability of an event and saying it's low, it's not going to happen. But they're forgetting the other dimension that I have to think about together with likelihood, and that is impact. A lot of entities only focus on probability, and once they see it's really low, they move on.
But back up. It's not zero probability. It's low. Well, what if it does happen? Is it catastrophic? ERM should get our eyes on that fast. It's disciplined, and it's going to force people to think about likelihood and impact, as well as other dimensions, like velocity. Obviously, it's a real fast mover. I better pay attention to it more than something that's going to trickle over five years. So I think ERM gives us an ability to be a little more prepared, which puts us in a proactive versus reactive stance.
AS: In some of your research, you've described ERM as both an art and a science, and when you were just answering my last question, I really thought about that. Can you unpack that for us?
MB: ERM is, by definition, a process, which means it's ongoing, it's continual. But the word ‘process’ is also meant to say it has to be repeatable; it has to be defined. I have to be able to replicate this across multiple people. That is where you begin to lean towards the science side of, we need a structured process, we have a cadence of how we want to go about getting insights about risk and how we assess that. Then, when you start assessing risk, go back to the likelihood and impact conversation. I need to have some way to measure and distinguish a low likelihood event from a high likelihood event, or a low impact from a high impact.
A lot of entities are trying to develop scales that are typically a four to five point scale. So, I can apply and say on this risk, I think likelihood is a two. On this other risk, I think likelihood is a four. Now I've got a number tied to a risk for likelihood, and I'll do the same for impact. Now I can start doing some math. I can say, “Let's get insights about these risks from 20 different people. Let's maybe take an average of the likelihood score, and I can then use that to create a risk score to rank order the biggest risk to the least significant.” There's a science to it.
A lot of times, entities or people that are doing ERM love that math because they can put a number on it and they can rank it, and it takes the subjectivity out of the picture a little bit. But many of our risks that we're going to be needing to think about are going to be difficult to measure. That's where the art comes in; that's where there are certain risks that I just know are going to be challenging.
Think geopolitical, or think resistance to change. That's a big risk for a lot of people. That's a more qualitative assessment, so I've got to balance qualitative and quantitative, and where it really comes into play is if I've got the math to rank order my risk, and so I say, “This risk was the highest scoring numerically, that's the science.”
But when I see the list as an executive team, we may go, “I don't get it. I don't know why risk seven is that low. It needs to be number one.” And that's where that judgment comes in. We're saying, “Then put it number one, it's okay,” because you're just trying to rank order priority. Don't let the math lock you in. And so, that judgment piece is the art piece of it.
AS: Can you give me an example of a time when the art and the science came together in a unique way because of the company or organizational culture?
MB: One pops to mind. An organization does an interview-based approach with the board and C-suite, and then direct reports to the C-suite, and then they do surveys of what I call more middle management. And I'm talking like three or four hundred people engaged in that piece.
There's a cadence when they do it. They've got these topics they're wanting to have discussions about within the interview. They want to know how they organize the risk information in their surveys with middle management. The art piece is, they've tried to keep it very simple and all tied to getting people to focus on strategy, and when they present the results to the C-suite and board, they're able to show that middle management thinks these are our big issues.
The C-suite sees these as our big issue, but the board sees it very differently. So they've got a number that shows this risk is high, but they've got color commentary that's in the form of quotes, and it's that color that then fosters great conversation for what we understand between the C-suite and the board particularly, but also the C-suite and middle management.
I know in one case, this particular entity actually learned from the middle management input about a risk issue that the corporate office just wasn't seeing. And it ultimately led to a redesign of a strategic tactic. From what they've told us, it was a 180 degree turn on that. I would say that was the art piece.
AS: With ERM, it sounds like there's more discussion, which is a good thing. However, there's often a difference in the way that auditors and CEOs talk about risk and risk management. How can they come to a common language?
MB: If ERM is done well, one of the outputs of that is it fosters very robust, rich conversation. And that, to me, is where the value is for a management team and a board. Now, when you then move into the audit side, they're mostly focused on a misstatement that is material to their GAAP-based financials.
I can't have a material misstatement in accounts receivable. That's a problem. So, is it material or not? Is it hitting a threshold from a dollar perspective? As an auditor, the conversation I would want is with the board and C-suite about the issues that their team is constantly battling. I need to hear that.
And then it's my job as the auditor to then think through and crosswalk that to the financial statements. I think it's a fair question for an auditor to say to the CFO, “Okay, given these risks, how do you see it affecting the income statement, the balance sheet and disclosure, particularly the footnotes?” Having those conversations between an auditor and their client would be, to me, incredibly informative. It's going to give me a much richer context as well about my client.
AS: We would be remiss in talking about risk without talking about fraud. You wrote in a study that “a large percent of fraudulent acts uncovered by the SEC involved overstatements of revenue, either prematurely or fictitiously.” Walk us through how ERM might help detect those fraudulent statements.
MB: Having these conversations with management and potentially others about what they see their big risk issues are, that's going to help me understand what could be some triggers that might motivate one to move into a fraudulent act. So if we're just having a tough time with our supply chain and we can't get products in, that means they're struggling to sell, that means that we’ve got revenue pressure. Could that pressure be excessive enough to motivate someone to engage in some kind of fraudulent act?
That's where ERM would be insightful because I would understand that incentive. I would also say there's some insight if I walked into a client and I talked to them about how they approach risk management. Keep in mind the internal control framework perspective: auditors are very focused on internal controls because they're having to assess them. I think a lot of times auditors are sort of skipping over the risk assessment, if they're honest. I don't know if they skip over it, but they're lightly dusting it.
We spend a lot of time as auditors with a control environment. “Tell me about your board. Do you have a code of conduct? What are your hiring practices? Do you hire competent people? Do you screen them a lot?” Control environment. I'm very focused on control activities.
I'm not convinced auditors dig into that as much as maybe we could. But then the second piece is, well, what about the control structure? How much is management engaged in really assessing where their risks are so they can design controls to deal with that? Which is where you could get into a misappropriation piece where someone embezzles money, for example, because we have terrible controls in place. Do they have a robust risk assessment process so that management first recognizes we have a vulnerability here with cash handling or investments?
AS: All of the different controls almost act like checks and balances in the ERM framework.
MB: ERM is trying to figure out, what are my big risks? And prioritize those, so that I can go to the next piece of the ERM process—and that is, what are we doing to respond to these risks? Once I know what my big risk issues are, then I need to know, what am I doing to manage those? I'd like my client to have great preventative responses to just keep the risk from ever occurring, but a lot of the risks that are going to affect me are coming from outside my walls.
So ERM then moves us into the response piece, which is where I'm really saying, “Here are the big risks. What are you doing to prevent it? What are you doing if it's not preventable, but you would detect it and put a stop to it quickly?” That's where you get into the control side, which is obviously very relevant in an audit setting.
I probably should just highlight that when you get into a lot of the risks that are going to be revealed by the ERM process, you can't solve all the risks with a control. I can't stop a competitor from creating a risk for me. They may have this awesome technology, and they're going to innovate and launch it. I can't stop it. But what I might do is say, “You know what, we need to put more money in our own R&D. We should start doing more innovation.”
AS: How can ERM help us anticipate risks, or alternately anticipate needs down the line?
MB: ERM is really trying to force me to look out into the future. Given your five year strategic plan, let's think about what are the risks of that plan, what risks could emerge over the next five years? I'm looking well into the future and trying to see where things could emerge, which just allows me to be more proactive, versus ignoring the future and then being blindsided when it happens.
The other piece is looking at two sides of the risk coin. One side are risks that are not good to make—threats. But we also want to remember, risks are opportunity. So ERM is also trying to say, what are the risks that are emerging out there? How could that create strategic opportunity? Where are we too risk averse right now? And why are we risk averse? What risk are we not taking that we really should?
That, to me, is where the real opportunity starts coming out of ERM: when I can get people to see that, oh yeah, risks are not all bad. If I want a higher return, I’ve got to take more risk. The concept is not enterprise risk mitigation. It's using intelligence to manage and turn the dial up on some risk and down on some others.
—
III. GOVERNANCE AND A FORWARD-THINKING APPROACH
AS: I want to switch gears now and talk a little bit about your background. Tell me what prompted your interest in risk management and why do you like teaching about it?
MB: That's a fun question to answer. I'm an external auditor by background. I worked in auditing standards at AICPA for a while, pre-PCAOB days. But then my graduate work, and then my first eight or nine years of research was mostly in the auditing space, and particularly Fraudulent Financial Reporting.
But a lot of my research was looking at board governance, audit committee, and financial reporting issues. I was at a governance level. I did some research for COSO back in the 90s on Fraudulent Financial Reporting, and then COSO decided to launch its project to develop a principles-based framework on the topic of enterprise risk management. It was emerging here in the United States in the early 2000s. It was not a concept I knew, but they convinced me to go on the journey with them.
I was a member of the advisory group task force that helped develop COSO’s 2004 Enterprise Risk Management Framework. The board has an oversight role to make sure management is not taking more risk than they should. It just fit naturally into my research background because ERM is a governance issue. Board oversight, critical response to risk, is one of their biggest responsibilities.
I said, if this is how businesses are managing risk into the future, we need to be thinking about this for our curriculum. Because we want to train the next generation of executives, and if they're going to be expected to do this, we should start teaching some of this stuff. So we started interacting a lot with the corporate sector. NC State has a motto of “Think and Do”. The thinking part would be research and academia. The Do is, roll your sleeves up and talk to people doing it in the real world.
The fun part, to answer the question, is I love teaching ERM to executives as well as grad students because it's really strategy. And strategy, to me, is interesting because it's all about the strategy of the business. I tell my grad students all the time, if you're stumbling on a question on an exam, just write, “ERM, it's all about strategy.” I'll give you a few points.
When you think about why we are managing risk, it’s to be more strategically successful. It's to stay in business, and grow value. To me, it's looking at where things are going versus where things have been, and I like that.
AS: You're obviously a mentor and an advisor and people look to you for advice, but who do you turn to when you need career advice or direction?
MB: We have an advisory board here with our ERM initiative, and these are chief risk officers or equivalents who are working with companies and some work with advisory firms. I would say many of them I use as a sounding board, largely to keep up with what's happening out there, but then just to see where they're spending time, and what their points of focus are and where the opportunities are.
And then I have friends that are not accountants and they're not ERM people, but they can be great sounding boards to just bounce off ideas, just to see, does this seem wacky to do? But I would say the bulk of it is right here in this building with a lot of the colleagues I have who work with me on this journey.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on September 28, 2023.
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.