Top 10 Must Dos for Risk Management in 2010

You would be hard pressed to find someone who does not believe that 2009 was a landmark year for risk management and compliance professionals.

As we began the year looking at a continuing economic crisis, it became increasingly clear that the lack of proper risk assessment and management played a leading role in the crisis. While this was especially true for Wall St. and financial services firms, no companies were immune.

With financial regulatory reform almost certainly headed to President Obama's desk for approval in the first quarter of 2010, I'd like to offer my list of top 10 must do's for effective risk management in 2010... and beyond.

Remember, each organization is different and has special considerations; however, these steps can be effective for just about any company.

1. Define and formulate your company's appetite and approach to risk: What are the company guidelines on risk tolerance? What is considered material? What are criteria to be used? Also, be sure to balance them with the company's goals. Get approval and buy-in from the top down.
2. Determine where your company stands on the enterprise risk management maturity continuum: Where do you stand? Understand the attributes and how they characterize your organization. Determine what your next steps are and how to get from one level to the next. Most importantly, assess how far you can go with the resources available.
3. Create a long term plan: Set and quantify your objectives. Involve others in your company. Form a cross-functional risk management committee representing all disciplines/departments with a strong senior leader.
4. Drive change, educate and communicate across the entire organization-regularly: Speak the same language, encourage collaboration, drive culture change. This is not a one-time event- it's an on-going business process. Risk is as much about opportunity as it is about negative impact. Communicate this message clearly and to those parts of the organization responsible for financial performance.
5. Perform a risk (and opportunity) audit/ assessment of the whole business: Go beyond traditional hazard risks. Measure risks against opportunities throughout your business to define and drive initiatives that will lower the total cost of risk and capitalize on opportunities.
6. Prioritize your exposures and measure the interdependencies of identified risks: One department's risk- or risk mitigation plan, for that matter - can have repercussions on other areas of the business. Be sure that the impact of the risk is understood and quantified for the best decision-making.
7. Use one or more techniques for treating identified risks: Avoidance, mitigation, transfer, financial instruments, etc.- do not be confined to insurance as your primary treatment of risk (see AIG). A combination of techniques is often the best approach. Be creative and encourage innovative plans and approaches.
8. Leverage technology from the start: Use technology to implement risk management measures quickly and demonstrate the benefits sooner rather than later. Simplify a perceived onerous process; automate repetitive manual processes; drive accountability with reminders, alerts, and escalation. Allow systems to track, aggregate, and integrate your processes. (I've talked in the past about how spreadsheets are not enough.) 
9. Make everyone a risk manager: At its most basic accountability and attention to detail in daily activities translates to good risk management. Sometimes it is one person's perceived "small" error that can cause a negative chain of events. If people properly understand the role they play and the impact they can have, they will embrace the process.
10. Demonstrate the value of risk management (and the risk manager): Whether creating an ROI model or using simple graphics to prove the effects of risk management, it is essential to be able to show the value clearly and concisely to senior management, stakeholders, and regulator alike. Speak in business terms and you will succeed.

Again, there are nuances for each company in their risk management, but I promise you, the 10 items above are a great way to start for a less risky 2010!

Escheatment laws remain a hot topic at state and Federal levels

We've been discussing a couple of recent news items related to escheat laws that really drive home the risk management issues associated with unclaimed, abandoned or escheated property.

The first story is from The Times Picayune in New Orleans, LA. Benny Spann, director of the Unclaimed Property Division of the state's  Treasury Department details Louisiana's escheatment audit and unclaimed property efforts.

I've talked in the past about escheat laws, audit risk, the increased scrutiny companies are facing, and the rising state interest in unclaimed property. The bottom line is that unclaimed and abandoned property contributes a lot to the states' top line revenue.

From the story:

"Collections are coming in at a record clip because of the state's stepped-up efforts to audit companies that might have been withholding payments and not turning them over as state law requires. Companies talk, even competitors talk...that the state is auditing more."

If you ever doubted that unclaimed property and reporting issues posed a risk to your company, ask any companies headquartered or doing business in Louisiana right now.

The other story is regarding the Fed's planned overhaul of the rules governing gift card escheatment. Essentially the Fed is proposing that, "consumers must have at least five years to use the gift cards before they expire," and that, "service or inactivity can be imposed only under certain conditions." A number of outlets covered the news, including the Wall Street Journal.

In our internal discussions our consultants all agreed that this was a step in the right direction! The patchwork of state restrictions on gift card/certificate fees and expirations, which appear in both consumer protection and unclaimed property laws, make compliance with the escheat laws very difficult for our clients and businesses in general.

We've talked about this before because the fact is some states have very strict rules on charges and expirations, while others have none. A standard set of rules across the states would be a welcome and logical change!

State escheat laws: Companies must report, but can also reap benefits

When we discuss state escheat laws in our quarterly newsletter, or when you see news regarding them in the media, it typically centers on companies' obligation to comply or the increasing rate of state unclaimed property audits.

However, the The State of Pennsylvania and State Treasurer Rob McCord issued a press release on October 8 on a completely different point. McCord informed PA companies that they may be able to collect unclaimed property that is owed to their business. Specifically, he suggested that "social service agencies, schools, and local governments across the Commonwealth that are strapped for cash can put their money back in their wallets through Pennsylvania's Unclaimed Property Program."

Treasurer McCord's outreach directly relates to Pennsylvania's protracted budget issues. If you're not living in Pennsylvania right now, you're probably happily unaware of the turmoil and debate that surrounded the state budget. While it appears that that the State's budget woes have finally been resolved, it continues to create major issues for companies and organizations dependent on state budget dollars. Large cuts mean that companies and organizations will likely pursue unclaimed assets in the hope of accessing much needed resources.

The Treasurer's unclaimed property cause is well intentioned. State escheat laws and unclaimed property are often seen consumer issues, but the fact is that there are a large amount of corporate and organizational assets that are reported to every state each year which sit unclaimed. It's not just a PA issue.

For those that have taken note of Mr. McCord's press release, I'd like to offer both encouragement and caution if they are looking to collect unclaimed property. There is definitely money to be claimed, but there are risks involved that you should understand before you make a claim.

First and foremost, it's the law to be in compliance with state unclaimed property law. So, for those looking to benefit from the assets held by the state, the right thing to do is to first ensure you are in compliance. It is important to note that not all states have a direct connect between compliance and recovery, but for those states that do, be aware of a potential audit if you are not in compliance.

If the state finds that the party looking to recover is not in compliance, instead of retrieving much needed assets and capital, a company may find itself facing hefty fines and audit costs. We see this nationwide in the Corporate Asset Recovery area of Keane.

Once you are in compliance it is certainly within reason to request your assets. As more and more businesses have adopted unclaimed property reporting and remittance requirements as part of their normal compliance activities, opportunities are being created for compliant firms to capitalize on cash being held in state unclaimed property offices. Just as your organization reports funds owed to outside corporate entities such as vendors, business partners and affiliates, other firms are reporting your property to the states as unclaimed.