Risk management or the need for a business to have and implement risk management processes is obvious, or at least in my view it is. Of course, each business is different and risk management will vary from business to business. Thus, a recent article in the Journal of Accountancy (see link below) was disappointing – assuming the article is correct, in terms of recognizing the need for and implementing risk management processes we really haven’t gotten nearly as far as I would have hoped, or expected, or thought. Perhaps that is so because, although the need for risk management processes is obvious or intuitive, or in my view it should be obvious or intuitive, you have to actually schedule and spend time to perform risk management – you have to make a conscious decision to evaluate, design and implement appropriate risk management processes – and I find that in business (including governmental entities, nonprofits, public companies, and private businesses), except for actions or tasks that must specifically and directly be performed to design, produce, and market a product or service, people generally only perform a task or take an action, especially when they do not view that task or action as being directly tied to the making or marketing and offering of the product or service:
(1) If required to do so by law, regulation, rule or similar requirement, or
(2) If required or expected to do so by the consumers, or important or influential stakeholders or organizations, or the community or public, or
(3) Pursuant to the personal values, beliefs, morals or expectations of the business itself or of the person performing the task or action.
I follow articles and posts written by several very experienced and influential risk management and enterprise risk management professionals and organizations. Thus, information in the recent article in the Journal of Accountancy about the status of risk management took me by surprise as it indicates or at least suggests that the development and implementation of risk management processes is across the board less than I had assumed. At this point, knowledge and implementation of risk management or enterprise risk management processes should be well-recognized, accepted, and implemented, not only at public companies, but also at governmental entities, nonprofits, and private businesses. Here is the link to the Journal of Accountancy article: https://www.journalofaccountancy.com/issues/2018/sep/risk-oversight-can-inform-audits.html
Below in this blog post I have inserted six snapshots of information from the article. Although the article is less detailed than I would have wished, in terms of risk management, I would have expected not only much greater implementation of risk management processes, but also I would have expected that accountant auditors already would be taking the entity’s risk management processes, or lack thereof, into consideration. I have to say that the lack of progress in this regard seems ridiculous.
What actions are required to bring about or achieve increased or even universal acceptance of the need to evaluate, design and implement risk management processes? Only time will tell. One answer is more laws, regulations, or rules mandating more broad and specific risk management requirements. That might be one of the solutions, and I can certainly see the need for more specific mandated risk management requirements and processes in certain high-risk situations, or in certain situations where there is potential significant risk to an innocent third-party (such as a consumer or employee) and where that risk is controlled or can be controlled only by a third party such as a manufacturer or employer.
The typical approach is to enact more laws, regulations, or rules mandating more broad and specific risk management requirements. Let me suggest another answer or solution. For the most part a business only has responsibilities to its shareholders (and sometimes to prospective shareholders), and, in appropriate circumstances, such as product liability or environmental contamination as examples, there can also be legal responsibilities to not cause harm to other people.
However, other entities exist which have responsibilities and perhaps influence that are broader, such as, for example, governmental and nonprofit entities and organizations. Let me suggest that although enacting more broad and specific risk management requirements on public companies is one approach to bring about increased risk management processes and activities, and perhaps that approach is necessary, a more or equally constructive approach is to educate the public at large and other stakeholders, and to lead by example, particularly in the context of governmental entities which enact and impose specific risk management requirements upon others.
Thus, I suggest that governmental entities lead by example, and that they not only evaluate, design and implement their own risk management processes, but then also report to the public what the governmental entity is doing in the context of risk management evaluation, design and implementation, thereby creating a heightened awareness and expectation level for all, including for governmental entities, public companies, nonprofits, and private businesses.
I referenced above governmental entities and nonprofits as having responsibilities and perhaps influence that are broader and that can exceed those of businesses in general. That is, both governmental entities and nonprofits have responsibilities that are for the broader public benefit. And there are other institutions and industries or professions – for example, influential institutions or entities such as mid- and higher-level education, the media and the press, and medical or healthcare institutions and entities – each of which can and should be a leader, and can enhance or heighten the public’s awareness and expectations about risk management and risk management processes, in addition to evaluating, designing and implementing their own risk management processes. It seems to me that this is a clear win all around for everyone. We just need some influential people and organizations to run with it. Are there any that are willing and interested in doing so? The alternative might be increased mandatory requirements or lawsuits. Risk management processes also are worthwhile to reduce liability and legal damages exposure.
The following are six snapshots from the Journal of Accountancy article. Several times the words “some” and “may” are used – it is time to get past the “some” and “may” and use words that indicate and evidence definite and universal expectation and acceptance of the evaluation, design and implementation of risk management processes for public companies, governmental entities, nonprofits, and private businesses:
Best to you, David Tate, Esq. (and California CPA (inactive)), Royse Law Firm, Menlo Park, California office, with offices in northern and southern California. My blogs: trust, estate, elder abuse and conservatorship litigation http://californiaestatetrust.com, D&O, boards, audit committees, governance, etc. http://auditcommitteeupdate.com, workplace http://workplacelawreport.com
Disclaimer. This post is not a solicitation for legal or other services inside or outside of California, and also does not provide legal or other professional advice to you or to anyone else, or about a specific situation – remember that laws are always changing – and also remember and be aware that you need to consult with an appropriate lawyer or other professional about your situation. This post also is not intended to and does not apply to any particular situation or person, nor does it provide and is not intended to provide any opinion or any other comments that in any manner state, suggest or imply that anyone or any entity has done anything unlawful, wrong or wrongful – instead, each situation must be fully evaluated with all of the evidence, whereas this post only includes summary comments about information that may or may not be accurate and that most likely will change over time.