(remember, you encouraged them to start a
business and borrow to start it).
Until you have sat in the conference room
going over the final year-end numbers with
a business owner, you have no concept of
the disappointment they feel to learn that
what appeared to be a success of $300,000
in profit is really only $180,000 (which they
used to repay debt, so their cash balance did
not change). And if they are diligent and have
no bumps in the market, they will be out of
debt in five years.
Those are big “ifs.” We found that we have
to monitor this quarterly with clients because
they spend their profits and leave no cash for
taxes. When they have no cash for taxes, this
starts the death spiral of their business, because the IRS is now a creditor of last resort.
management need to set a risk appetite, the
level of risk the organization is willing to accept in pursuit of its objectives. Risk appetite
may be set in relation to the organization as
a whole, a business unit, a line of business,
a business process, a geographic area, or a
combination of these.
5. Assess and measure. Management must
develop a process to assess and measure previously identified risks in terms of severity
and likelihood. There are both qualitative and
quantitative approaches used for this process, and some consider risk assessment to
be more of an art than a science.
Many organizations start by obtaining a
top-down view of the most important risk
exposures from board members and executive management across the organization.
Quantitative assessment methods include
benchmarking against others in the industry
or using probabilistic models. Risk severity is
typically measured as high, medium or low,
and likelihood of occurrence is estimated
as unlikely, possible or probable. In light of
some of the catastrophic events of the past
few years — such as 9/11, Hurricane Katrina,
and the tsunami-induced nuclear disaster in
Japan — some organizations now expand severity and likelihood of occurrence to include
an assessment of vulnerability to risks and the
level of preparedness.
Whatever method is selected, the assessment should be concise, use consistent terminology, have a rating system, and have clarity
in message. While it is management’s responsibility to conduct a risk assessment, internal
audit can expedite this effort by expanding its
annual risk assessment to develop an ERM
THE CASE FOR SIMPLIFICATION
Taxes may never be simple, but we can do
better than this. Also, I would be a happy
practitioner if I never had to help someone
file another tax return. We do not need tax
preparation to be a jobs program; all of those
folks can easily be used to do other useful and
more productive things.
Here are my ideas from the real world:
1. Go back to two simple brackets, 15 percent and 25 percent. You need to keep the
top bracket at 25 percent since we need room
for inevitable increases in Social Security and
Medicare tax rates or limits. All income would
be treated the same (i.e., no capital gains).
2. Simplify taxation of C corps by allowing a tax deduction for dividends paid. This
will encourage public companies to pay out
excess capital back into the marketplace, plus
you can withhold taxes on the payment and
increase tax cash flows to the Treasury. This
assessment process that includes strategic
risks embedded in the organization’s strategies and risks related to governance.
Once the risk identification and assessment
processes are complete, management must
decide on risk responses that align with the
organization’s risk appetite and develop plans
to address any gaps in the responses. Typical
risk-response options include the following:
Accepting the risk and monitoring it on
a regular basis;
Avoiding the risk by divesting, eliminating
the process, or stopping the action causing
Reducing the risk by changing processes
or controls; or,
Transferring the risk by insurance, hedg-
ing or outsourcing.
Management will need to consider what
control systems are in place to ensure that
risk responses and other directives are carried out, and what controls will be needed,
if they are not already in place. The controls
selected will depend on the organization’s
risk appetite and an analysis of the amount
of risk mitigated and the cost to achieve that
level of mitigation.
MONITOR, ASSURE AND EVALUATE
An important element of a well-functioning
ERM program is the monitoring of the risk
management process to maintain confidence
in its ability to provide relevant risk information. Individual ERM components should be
monitored on an ongoing basis, by a separate
evaluation, or a combination of both.
Ongoing ERM monitoring should occur
would also help small, privately held C corps
eliminate double taxation and put them on a
level playing field with S corps and LLCs.
Boards and management require relevant
and timely information concerning key
risks. Thus, effective reporting and transparent communication of results is a necessity.
An effective reporting system should provide
feedback that summarizes each risk that was
identified, the controls in place to mitigate
the risk, a performance measure or language
that indicates how the target is being met, if
and when corrective action is needed, any
corrective action that was taken, and identification of issues for management action.
Internal audit can customize its reporting
to meet an organization’s needs. For example,
internal audit might issue more consultative
types of reports for organizations just beginning an ERM program, or it might perform
audits and issue assurance reports for organizations with more mature ERM processes.
An ERM process is critical for an organization
to successfully assess, address and monitor
risk. The steps presented above can help an
organization implement a broad ERM program while, at the same time, leveraging its
investment in, and the knowledge contained
within, its internal audit function. AT
freight forwarding co.
Freight Options, Inc.,
446 Clover Leaf Dr.,