Accounting Today - November 2011

(remember, you encouraged them to start a business and borrow to start it).

Until you have sat in the conference room going over the final year-end numbers with a business owner, you have no concept of the disappointment they feel to learn that what appeared to be a success of $300,000 in profit is really only $180,000 (which they used to repay debt, so their cash balance did not change). And if they are diligent and have no bumps in the market, they will be out of debt in five years.

Those are big “ifs.” We found that we have to monitor this quarterly with clients because they spend their profits and leave no cash for taxes. When they have no cash for taxes, this starts the death spiral of their business, because the IRS is now a creditor of last resort.

Entrepreneurs
FROM PAGE 14

management need to set a risk appetite, the level of risk the organization is willing to accept in pursuit of its objectives. Risk appetite may be set in relation to the organization as a whole, a business unit, a line of business, a business process, a geographic area, or a combination of these.

5. Assess and measure. Management must develop a process to assess and measure previously identified risks in terms of severity and likelihood. There are both qualitative and quantitative approaches used for this process, and some consider risk assessment to be more of an art than a science.

Many organizations start by obtaining a top-down view of the most important risk exposures from board members and executive management across the organization. Quantitative assessment methods include benchmarking against others in the industry or using probabilistic models. Risk severity is typically measured as high, medium or low, and likelihood of occurrence is estimated as unlikely, possible or probable. In light of some of the catastrophic events of the past few years — such as 9/11, Hurricane Katrina, and the tsunami-induced nuclear disaster in Japan — some organizations now expand severity and likelihood of occurrence to include an assessment of vulnerability to risks and the level of preparedness.

Whatever method is selected, the assessment should be concise, use consistent terminology, have a rating system, and have clarity in message. While it is management’s responsibility to conduct a risk assessment, internal audit can expedite this effort by expanding its annual risk assessment to develop an ERM

Risk
FROM PAGE 18

THE CASE FOR SIMPLIFICATION

Taxes may never be simple, but we can do better than this. Also, I would be a happy practitioner if I never had to help someone file another tax return. We do not need tax preparation to be a jobs program; all of those folks can easily be used to do other useful and more productive things.

Here are my ideas from the real world:

1. Go back to two simple brackets, 15 percent and 25 percent. You need to keep the top bracket at 25 percent since we need room for inevitable increases in Social Security and Medicare tax rates or limits. All income would be treated the same (i.e., no capital gains).

2. Simplify taxation of C corps by allowing a tax deduction for dividends paid. This will encourage public companies to pay out excess capital back into the marketplace, plus you can withhold taxes on the payment and increase tax cash flows to the Treasury. This assessment process that includes strategic risks embedded in the organization’s strategies and risks related to governance.

RISK RESPONSE

Once the risk identification and assessment processes are complete, management must decide on risk responses that align with the organization’s risk appetite and develop plans to address any gaps in the responses. Typical risk-response options include the following: Accepting the risk and monitoring it on a regular basis;

Avoiding the risk by divesting, eliminating the process, or stopping the action causing the risk;

Reducing the risk by changing processes
or controls; or,
Transferring the risk by insurance, hedg-
ing or outsourcing.

CONTROLS

Management will need to consider what control systems are in place to ensure that risk responses and other directives are carried out, and what controls will be needed, if they are not already in place. The controls selected will depend on the organization’s risk appetite and an analysis of the amount of risk mitigated and the cost to achieve that level of mitigation.

MONITOR, ASSURE AND EVALUATE

An important element of a well-functioning ERM program is the monitoring of the risk management process to maintain confidence in its ability to provide relevant risk information. Individual ERM components should be monitored on an ongoing basis, by a separate evaluation, or a combination of both.

Ongoing ERM monitoring should occur
would also help small, privately held C corps
eliminate double taxation and put them on a
level playing field with S corps and LLCs.

COMMUNICATE RESULTS

Boards and management require relevant and timely information concerning key risks. Thus, effective reporting and transparent communication of results is a necessity. An effective reporting system should provide feedback that summarizes each risk that was identified, the controls in place to mitigate the risk, a performance measure or language that indicates how the target is being met, if and when corrective action is needed, any corrective action that was taken, and identification of issues for management action.

Internal audit can customize its reporting to meet an organization’s needs. For example, internal audit might issue more consultative types of reports for organizations just beginning an ERM program, or it might perform audits and issue assurance reports for organizations with more mature ERM processes.

CONCLUSION

An ERM process is critical for an organization to successfully assess, address and monitor risk. The steps presented above can help an organization implement a broad ERM program while, at the same time, leveraging its investment in, and the knowledge contained within, its internal audit function. AT