The Upside of Risk:
Enterprise Risk Management and Public Real Estate Companies
James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp.
Introduction:
As lawyers, particularly real estate lawyers, we are trained to identify and address risks in the various transactions we handle for our clients. We do so in many ways – performing due diligence, obtaining surveys and title insurance, negotiating representations, warranties and indemnities, securing various forms of insurance to cover known and unknown liabilities, and negotiating for guarantees, cash holdbacks or other security, to name but a few. These risks, however, are transaction specific. Real estate lawyers spend much of their negotiating efforts finding ways to allocate risks away from their client. We spend a great deal of time trying to allocate risk to other contract parties or to third parties in exchange for premium consideration or other payments.

Many external forces create business risks that are generally not addressed in everyday transactional work. The impact of a financial meltdown, the absence of adequate financing, and the bankruptcy of tenants or other contract parties are things that we may give thought to, but rarely address in our day-to-day transactional lives. Unfortunately, the same cannot be said of companies that operate in a significant risk environment every day. To successfully navigate the maze of risks that they face, companies must be proactive about both identifying and addressing risks. The best companies essentially embrace the risks that they face and do so in a way that can be turned to their business advantage. This is a relatively new phenomenon and has its origins in a variety of different sources, but it has led to an approach adopted by most companies known as Enterprise Risk Management, or “ERM”. This paper, and the accompanying presentation and roundtable discussion, will provide background into the origins of the risk management movement, as well as enterprise risk management programs and their design, implementation, communication and maintenance throughout an organization in a way that creates value and aligns the interests of various business units with a company’s overall strategic vision.
I. What is Enterprise Risk Management?
The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) established a benchmark for both defining and implementing an effective ERM program. In its September 2004 paper (“Paper”), COSO defined enterprise risk management to mean the following:

“All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. Enterprise risk management enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within the entity’s risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated components, which are integral to the way management runs the enterprise. The components are linked and serve as criteria for determining whether enterprise risk management is effective.”
COSO, however, was not the first organization to recognize the advisability of identifying and implementing an effective ERM program. There are also judicial underpinnings of ERM:
a. In In re: Caremark International Inc. Derivative Litigation, 698 A. 2nd 959 (Del. Ch. 1996), the Delaware Chancery Court set standards for determining whether directors breached their duty of care, either because they ignored “red flags” suggesting that a company or its employees were violating company policy or applicable legal or regulatory standards, or because a company’s board failed in its oversight responsibilities by ignoring systematic failures in a company’s information and reporting systems. The decision was a wake-up call for boards, since directors are not exculpated, and cannot be indemnified, if they are found to have acted in bad faith.
The legislative landscape has changed the view of ERM as well:
a. The Sarbanes-Oxley Act of 2002 (“Sarbanes”) was adopted in response to a number of notable corporate meltdowns, including Enron and Worldcom. Its primary intent was to require that corporate disclosures be more accurate and reliable in order to protect investors. In doing so, Sarbanes mandated accountability for the boards of public companies, management and a company’s auditors, and imposed personal liability on chief executives and chief financial officers for financial misstatements. Sarbanes also requires public companies to adhere to a variety of different standards that have a direct connection to ERM.
i. Among other things, Sarbanes requires the boards of public companies to establish a formal framework for the operation of the board and its committees through the adoption of governance principles, committee charters and the like. More importantly, Sarbanes requires public companies to establish a system of internal controls that support a company’s financial reporting function. These internal controls are required to be evaluated periodically, and to the extent deficiencies are identified, they must be addressed and, if material, those deficiencies must be disclosed.
ii. A public company’s auditing firm is required to attest to a company’s assessment of its internal control environment.
iii. Failure to comply with the requirements of Sarbanes can impose penalties, including fines and imprisonment.
iv. Sarbanes provides protection, and incentives, for whistleblowers to report noncompliance.
v. For further information regarding Sarbanes, the reader should access the Act through http://uscode.house.gov/download/pls/15C98.txt. Particular attention should be paid to Sections 302 (CEO and CFO responsibilities), 404 (Internal Controls), 409 (Required Disclosures), 802 and 807 (Criminal Penalties), and 806 (Whistleblower Protection).
b. The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) was aimed primarily at the perceived abuses which led to the financial crisis in 2008 and 2009. Even so, Dodd-Frank does contain a number of corporate governance provisions, including:
i. The so-called “say-on-pay” mandate requiring advisory votes by stockholders on executive compensation.
ii. A requirement that compensation committees for public companies be comprised solely of independent directors.
iii. The need for additional compensation disclosures in public company proxy statements.
iv. The expansion of executive compensation claw-backs in the event of a financial restatement.
v. Proxy access rules regarding director nominations by company stockholders.
The Securities and Exchange Commission has been charged with responsibility for rulemaking under Dodd-Frank.
c. Rating agencies, stock exchanges and proxy advisory firms have also issued their own set of guidelines which can impact a company’s analysis and approach to addressing risk. See for example:
i. The New York Stock Exchange Listed Company Manual, Section 3 (Corporate Responsibility): http://nysemanual.nyse.com/lcm/.
ii. Standard & Poor’s Ratings Direct: http://www.standardandpoors.com/spf/upload/Ratings_US/Managment_Governance_Criteria.pdf
iii. Institutional Shareholder Services Proxy Voting Guidelines: http://www.issgovernance.com/files/2013ISSUSSummaryGuidelines1312013.pdf
II. How Does ERM Differ from Traditional Risk Management?
a. Historically, managing risk within an organization was a narrowly focused, “silo” based approach. Both the scope and mitigation efforts were tied to the identification and treatment of a very narrow category of risks and were discipline specific, not unlike the risk identification and treatment in a real estate transaction.
i. Interdependencies across an organization were not known, nor were the risks within each of the individual silos communicated throughout the organization.
ii. There was a disconnect between the strategic vision of the organization and the silo based approach to risk, as well as inconsistent risk reporting and assessment and reassessment.
iii. Finally, and perhaps equally important, the allocation of responsibility for addressing (or failing to address) identified risks was, at best, ambiguous. With no clear responsibility, risks frequently were not adequately addressed nor solutions communicated.
b. ERM, on the other hand, supports a more strategic approach to the identification, assessment and mitigation of risk.
i. It integrates the risk assessment into the overall strategy of an organization and provides concise, consolidated and consistent communication of reporting across an organization, rather than within each of its individual business units.
ii. It allows the entire organization to understand strategy, the risks faced by an organization, the interdependencies of those risks and ways in which risk can not only be mitigated, but used to a company’s advantage.
iii. It requires a continuous reassessment process and focus on new and modified risks, and provides complete coordination of risk mitigation strategies throughout an organization.
iv. Finally, there is clearly assigned accountability for each of the identified risks, and a control environment is established, ensuring that risks are not only identified, but the mitigation strategies are fully implemented.
III. How do you Create an ERM Program?
a. Once the decision is made to pursue an ERM program, both client and counsel must spend time reviewing the COSO framework. While the framework itself makes clear it is not intended to be an all-encompassing guide, nor considered as “best practices”, it does provide an outline of both the quantitative and qualitative processes and procedures which boards, management and counsel should examine in creating an ERM program. A core team of executives, and likely board members, should be identified and be representative of the key business units and functions within an organization to help design an ERM program.
b. In particular, the COSO framework identifies eight interrelated components for an effective ERM program, those being:
i. Internal Environment – The complexity, industry, culture, management style and other characteristics of an organization need to be examined in order to properly and thoroughly assess its internal environment. Will the board and senior management be an active proponent of an ERM program? The proper “tone at the top” will be important, and company executives must not only recognize but be able to effectively articulate the goals and benefits associated with ERM. Also important is to identify an organization’s philosophy regarding risk management and its appetite for risk, the framework for board oversight, the ethical values of the organization, and how authority, responsibility and people are organized and assigned throughout the organization.
ii. Objective Setting – Establishing strategic objectives for the organization involving operations, reporting and compliance programs. This must be in alignment with the entity’s risk appetite, which will establish the framework for risk levels within the entity.
iii. Event Identification – The core team must identify the possible events which present risk for the organization, and determine whether those events present opportunities or whether they could adversely affect the entity’s ability to implement its strategic objectives. Those with potential negative impacts require assessment and response, while those with a potential positive impact must be recognized quickly so that management can utilize those opportunities to assist the organization in reaching its stated objectives.
iv. Risk Assessment – Identify the extent to which the identified events could have an impact on the achievement of the entity’s objectives. The assessment must focus on two key elements – likelihood and impact.
v. Risk Response – After the relevant risks are assessed, the core team must determine how the entity will respond if and when the risks are realized. Responses might involve avoiding the risk or reducing its impact, or in the alternative, accepting the risk and determining how it may present strategic advantages for the entity. In developing risk responses, management must continue to be mindful of the entity’s key objectives and its appetite for risk in determining the optimal response.
vi. Control Activities – These activities constitute the policies and procedures to help ensure that the responses or mitigation strategies for identified risks are implemented. Control activities can occur throughout the organization at all levels and all functions. They can take a variety of forms, including reviews of operating performance, segregation of duties, diverse approval policies and the like.
vii. Information and Communication – Communication of identified risks and mitigation strategies must be made in a timely manner across an entire organization so that the risks can be recognized and applicable mitigation strategies can be properly implemented. In addition, each discipline within the organization must understand its role in both identifying and addressing important risks. Further, certain risks and the mitigation strategies employed to address them should be communicated externally in order to assure an organization’s constituents that the proper risks have been identified and there is a mechanism in place to address the same.
viii. Monitoring – ERM must be monitored on an ongoing basis in the ordinary course of an organization’s activities. The frequency of the monitoring will depend upon each organization’s particular needs, but to the extent deficiencies can be identified, a mechanism must be in place to ensure that deficiencies are reported to appropriate levels of management and corrected in a timely fashion.
c. As noted above, ERM is not a “one size fits all” process and will differ from one organization to another. Even so, most organizations address their individual ERM programs by trying to answer several basic questions:
i. What are the objectives for their particular ERM program? Is it simply a program to ensure compliance with applicable laws and regulations, is it a defensive mechanism used solely to avoid significant problems, is it intended to dismantle what previously was a silo-based approach to risk by integrating a program across multiple functions in a company, or is it a more aggressive program intended to exploit opportunities and, if properly utilized, create value for the organization as a whole? Regardless of how an organization responds to these questions, its objectives should be measurable and must articulate the expected results, so that performance can be continuously monitored and re-evaluated.
ii. What will be the scope of the ERM program? Is it simply intended to address financial risks, or is it to extend to operational risks as well? Is it intended to be a more strategic program designed to address potential legal liabilities, natural disasters and the like? An organization cannot adequately answer these questions without fully understanding which of the identified risks matter most to the achievement of its stated goals and objectives.
iii. What type of structure must support and monitor an effective ERM program? Will departments within a company such as internal audit or financial services perform this function, or will there be an ERM specific function within the organization (such as a compliance or risk manager)? It is also important to determine to whom the ERM function will report, realizing that the reporting must also include the board or one of its strategic committees, such as the audit committee.
iv. What specific tools will be needed for the program’s design and implementation? There are a number of guides available to help identify, evaluate and map the various risks an organization may face. In addition, a robust and continuous monitoring program must be implemented that includes regular reports to senior management and boards, as well as external stakeholders such as regulators and shareholders.
IV. Risk Identification
a. There are a variety of approaches to identifying risk within an organization. Although there is no “right” way, since every organization is different and unique in both its structure and allocation of responsibility for monitoring risk, the following are some of the more typical approaches.
i. “Top Down” – This approach focuses on risk as identified by senior management or departmental heads that are most familiar with the various “micro” and “macro” risks facing the organization.
ii. “Bottom Up” – This approach involves risk identification at lower levels of the organization such as managers or others “on the ground” within the various operating divisions of the organization. Risks identified are then categorized, quantified and evaluated by one or more internal reviews by personnel at higher levels within the organization.
iii. “Combined” Approach – This process usually involves some combination of both the Top Down and Bottom Up approaches, which are then “reconciled” within the organization to rank the various risks.
b. Categories of Risk – The categorization of risk depends greatly on an organization’s activities and business. However, many programs initially break down risk into two broad categories of internal and external risk. Beyond this initial dichotomy, many ERM programs use some permutation of the following general categories of risk as a way for an organization to think about risk and avoid having a risk overlooked.
i. Credit Risk (e.g. credit market disruptions, etc.)
ii. Business / Strategic Risk (e.g. economic market conditions, etc.)
iii. Operational Risk (e.g. property operations, information technology, systems, succession planning, etc.)
iv. Compliance / Regulatory / Legal Risk (e.g. SEC, NYSE, FCPA, OFAC, etc.)
v. Market Risk (e.g. stock price volatility, etc.)
vi. Valuation Risk (e.g. valuation of investments, etc.)
vii. Reputational Risk
V. Evaluate / Measure
a. A key component of any effective ERM program involves a process of measuring the risks faced by an organization. This enables an organization to properly allocate internal resources. Exhibit A is an excerpt of a company-wide risk evaluation form (utilized in a “bottom up” risk assessment). This excerpted form involves a survey of key business managers who can identify and assist in quantifying the risks they identify as part of a broad-based risk assessment. This form would be expanded to cover all operating departments and divisions for further evaluation upon completion of the survey.
b. One method of measuring risk is evaluating Probability and Severity. These aspects can be defined as follows: Probability (= likelihood x control) and Severity (= magnitude x frequency). The attached Risk Identification Score Card (“RISC”) Form (Exhibit B) provides an example of how these concepts can be considered when evaluating and ranking risks.
c. Exhibit B is a representative form of Risk Identification Score Card or “RISC Form” that can be used to compare a risk to other enterprise risks. This form is utilized as part of the risk evaluation process or ranking of risks.
i. A key aspect of ERM programs is accountability. This type of RISC incorporates a primary and secondary “risk owner” so that each primary risk is regularly reviewed and revised by the appropriate subject matter expert within the organization.
d. Another important aspect of an ERM program is to have “forward-looking” criteria whenever possible, as opposed to simply documenting an ongoing risk or mitigating a risk after it has occurred. (See citation under Resource (e) below.) Exhibit C represents two samples of a Key Risk Indicator Form, or forward-looking monitoring forms, to address the risk of key tenant bankruptcies and macroeconomic factors. These forms are regularly updated to reflect developing trends.
e. Exhibit D is an example of a simplified risk “Heat Map” which is often used to quantify the comparative degree of various risks.
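The Probability and Severity definitions above, carried into a small scoring, ranking and heat-map routine, as an added example that is not code from the paper or its exhibits. The 1-to-5 scale, the composite score as Probability x Severity, the heat-map band cut-offs, and the sample risks and owners are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed 1..5 scoring scale; the paper does not fix one


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # one of the paper's categories (credit, operational, ...)
    primary_owner: str     # RISC accountability: who reviews and revises the entry
    secondary_owner: str
    likelihood: int        # 1 remote .. 5 near certain
    control: int           # 1 strong controls .. 5 weak or absent controls
    magnitude: int         # 1 negligible .. 5 severe
    frequency: int         # 1 rare .. 5 continuous

    def __post_init__(self) -> None:
        # Reject out-of-range survey input before it can distort the ranking.
        for field in ("likelihood", "control", "magnitude", "frequency"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be in 1..5")

    def probability(self) -> int:
        """Probability = likelihood x control (the paper's definition)."""
        return self.likelihood * self.control

    def severity(self) -> int:
        """Severity = magnitude x frequency (the paper's definition)."""
        return self.magnitude * self.frequency

    def score(self) -> int:
        """Composite used to rank one risk against the others (assumed: product)."""
        return self.probability() * self.severity()


def band(value: int) -> str:
    """Bucket a 1..25 product into heat-map bands (assumed cut-offs)."""
    if value <= 5:
        return "Low"
    if value <= 15:
        return "Medium"
    return "High"


def heat_map_cell(risk: Risk) -> Tuple[str, str]:
    """(probability band, severity band): the cell a risk occupies on the heat map."""
    return band(risk.probability()), band(risk.severity())


def rank(risks: List[Risk]) -> List[str]:
    """Risk names ordered from highest to lowest composite score."""
    return [r.name for r in sorted(risks, key=lambda r: r.score(), reverse=True)]


def heat_map(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risks by heat-map cell so comparable risks can be read side by side."""
    grid: Dict[Tuple[str, str], List[str]] = {}
    for r in risks:
        grid.setdefault(heat_map_cell(r), []).append(r.name)
    return grid


# Constructed sample entries, not data from the paper's exhibits.
SAMPLE_RISKS = [
    Risk("Key tenant bankruptcy", "Credit", "VP Leasing", "Controller", 4, 4, 4, 2),
    Risk("Property systems outage", "Operational", "CIO", "VP Operations", 3, 4, 3, 3),
    Risk("Loan maturity refinancing", "Market", "CFO", "Treasurer", 3, 2, 5, 2),
    Risk("OFAC screening gap", "Compliance", "General Counsel", "Compliance Mgr", 1, 2, 5, 1),
]

if __name__ == "__main__":
    for name in rank(SAMPLE_RISKS):
        print(name)
    for cell, names in sorted(heat_map(SAMPLE_RISKS).items()):
        print(cell, names)
```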
VI. What Processes Must be Undertaken?
a. While there is no “one size fits all” process for ERM programs, there are key underlying principles that should be considered when developing an effective ERM program.
b. Best practices suggest that an organization establish governance over the ERM process to ensure that it is clear who ultimately is responsible for development, implementation and ongoing monitoring of the risk program.
i. Many organizations have robust discussions and debates about the role of the board and its committees in the ERM process. At a minimum, it is a best practice to have the board review and evaluate the results of the organization’s program at least annually.
ii. Regardless of whether an organization adopts a top down, bottom up or combination program, senior management involvement and an appropriate “tone at the top” is critical. Recently, The Conference Board issued a report emphasizing the need for leaders within a company to develop a corporate culture or “tone at the top” for a successful ERM program. (See citation under Resource (j) below.)
iii. There is extensive commentary about who should be responsible for ERM programs and how best to organize or “house” the ERM function both at the board (and board committee) and management levels. Much of the debate involves the pros and cons of placing responsibility within existing structures or creating new ones. For example, should the board’s Audit Committee have primary oversight responsibility or should other committees (e.g. the Compensation Committee) share oversight responsibility? For executive management, should internal audit, the legal department or another existing functional department or officer (e.g. CFO) have primary ERM responsibilities or should a new functional department or officer (e.g. chief risk officer) be established? (See citations under Resources (b) and (h) below.)
c. Because of the inter-disciplinary and overlapping aspects of ERM, many organizations elect to utilize a Risk, or ERM, committee to implement their program.
d. ERM Committee Membership. If an ERM Committee is utilized, the membership or makeup of the ERM Committee can vary widely from organization to organization. However, the following are some of the options considered by some organizations:
i. Generally, some combination of the CEO, President and CFO, and heads of major functional departments should be active members to effectuate “buy in” by senior management and establish the appropriate “tone at the top.”
ii. Often there is a department which will “staff” the committee and implement its recommendations. For some organizations, the Audit Services (or internal audit) or Law Department may staff the committee if there is no separate Risk Department.
iii. Some organizations find it advisable to have one or more board members or a committee of the board take a more active role in ERM. For example, the Audit Committee chair may have a standing invitation to attend all meetings of the ERM Committee.
e. Primary ERM Committee Responsibilities. Among the many potential roles of the ERM Committee, the following are some of the more common responsibilities:
i. The ERM Committee is responsible for identifying and classifying the top risks.
ii. The ERM Committee is responsible for the implementation and administration of the ERM Program.
iii. The ERM Committee is responsible for reviewing the annual risk assessment and presenting it to the board of directors or appropriate committee of the board of directors.
iv. The ERM Committee is responsible for making recommendations on actions to be considered to monitor and mitigate those risks which could adversely affect operations and short or long term strategy.
VII. Who and How do you Train?
a. A key component of any ERM Program is the training of the appropriate personnel of the organization. This training not only provides an opportunity to access those persons who may be most familiar with business risks, but such training also reinforces the culture of risk identification and mitigation throughout the organization. Consideration for training should include the following persons:
i. Board of Directors
ii. Executives and Senior Management
iii. Managers and Divisional/Operational Directors
iv. Field personnel
b. One aspect of training that many organizations consider is “Black Swan” scenario testing. This process involves simulating actual risk events to ensure that the organization’s risk identification, monitoring, and mitigation procedures are operating effectively.
VIII. Mitigation
a. Mitigation is, of course, an indispensable aspect of any ERM Program. Mitigation can help both to avoid the negative effects of risk and to minimize such effects.
b. Many organizations consider risk mitigation as part of their internal control environment, which is tested regularly.
c. Mitigation is tied to monitoring and measuring the risk, and therefore incentivizing compliance and the reporting of risks is critical.
d. Accountability is an important part of the mitigation process.
e. Even if a risk cannot be alleviated, mitigation techniques can reduce or “balance out” the risk profile (e.g. loan maturities and lease terms).
f. An obvious consideration in any mitigation analysis is the availability of insurance or other third party risk-reducing products or protections (e.g. interest rate and currency hedges, etc.).
g. An organization must also have a culture that fosters and supports risk mitigation as one component of its business strategy and analysis.
RESOURCES
a. “Enterprise Risk Management – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (September 2004)
b. “A Unified Approach to Risk Management” by AICPA (March 2008)
c. “Risk Governance: Balancing Risk and Reward” by NACD Blue Ribbon Commission Report (2009)
d. “Risk Intelligent Proxy Disclosures: Transparency into board-level risk oversight” by Deloitte (2010)
e. “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (December 2010)
f. “A Practical Guide to Risk Management – How principles-based risk assessment enables organizations to take the right risks” by PriceWaterhouseCoopers (December 2008)
g. “Enterprise Risk Management – an emerging model for building shareholder value” by KPMG (November 2001)
h. “Risk Intelligent Proxy Disclosures: Transparency into Board-Level Risk Oversight” by Deloitte (2010)
i. “Risk Management and the Board of Directors – an Update 2012” by Wachtell, Lipton, Rosen & Katz (December 31, 2011)
j. “Corporate Culture and ERM” by The Conference Board (July 2013)
k. “Advisory Council on Risk Oversight – Summary of Proceedings” issued by the National Association of Corporate Directors (2013)
l. “Turning Risk into Results” by Ernst & Young (February 2012)
m. “Enterprise Risk Management” – 2012 Real Estate Internal Audit Conference (August 2012)
EXHIBITS
Exhibit A – Management’s Risk Assessment
Exhibit B – Risk Identification Score Card (RISC Form)
Exhibit C – Key Risk Indicators – Global and Domestic Conditions
Exhibit D – Management Risk Assessment – Scoring Matrix