Auditing Business Risks


In this Commentary, we examine two corporate catastrophes that occurred within the last year, focusing on the damage done and on the ensuing personal risk to the directors and officers (D&Os). In both cases, the D&Os failed to identify and manage the key risks and to act on protecting stakeholders against them. We conclude with a call to action on what corporate leaders can do to prevent similar occurrences: audit business risks regularly and follow the five basic steps of risk management.

How could these situations have been prevented?

Setting aside the tragic loss of life and the lives ruined, the press reports that the economic losses from the Lac Megantic disaster may exceed $400MM, yet the corporation reportedly carried only $25MM in insurance. The Quebec authorities are currently seeking recourse against all potential “persons responsible”, which will ultimately and likely include the individual D&Os of MMA Railway Inc. In a second case, the D&Os of the now insolvent Northstar Aerospace, Inc. were held personally liable by the Ontario Ministry of Environment (MOE) for $4.75MM to cover the clean-up of contamination at the company’s manufacturing and processing facility in Cambridge, Ontario.

In the Lac Megantic case, MMA Railway Inc. failed to protect its key stakeholder, namely the public: the people who live and work near the trains that transported the dangerous goods. Not only was the public exposed to deficient safety practices, but the company also failed to carry adequate insurance to satisfy the third-party liability suits arising from an accident. In the Northstar case, the company had not properly funded remediation efforts before bankruptcy and had failed to prioritize mitigation of its environmental risks.

(Diagram: risk management)

Officers and Directors Responsibilities

D&Os of both public and private companies face serious consequences for failing to manage and oversee the mitigation of risk issues. Not only are D&Os often held responsible for high-profile corporate catastrophes such as those mentioned above, but they are also held liable for a myriad of lower-profile occurrences, such as unpaid wages and taxes arising from bankruptcy. Many other risks face those who administer and oversee organizations.

Auditing Business Risk: Five Steps in Risk Management

In short, for D&Os to prevent such occurrences, business risks should be regularly audited and managed through a formalized process, facilitated either internally or through an external firm. Once the key risks are identified, they should be assessed for severity and then managed with regular monitoring and reporting to the executives (and to the board, if a formal board exists). The “risk management process” generally involves the five steps illustrated in the diagram: 1) risk identification; 2) risk assessment and measurement; 3) risk response and action; 4) monitoring; 5) reporting to the executive and the board.

To audit the risks and assess their severity (steps 1 and 2), organizations practicing formalized risk management (using a standard such as ISO 31000) will often align the key risks they identify with their strategic objectives, so as to prioritize the risks that may impede the achievement of key goals. Each key risk can be assessed by determining its likelihood, its impact and the effectiveness of the controls in place to mitigate it. Experts should be engaged where necessary to carry out the five steps.

Insurance and Key Stakeholders

One common mistake is a failure to oversee the adequacy of the corporate insurance program and to ensure that all stakeholders are properly protected. In the MMA case, the affected key stakeholders were the public, but they also included owners, employees, governments and other users of the tracks. In the Northstar case, leaders failed to protect the environment, and the directors were penalized.

D&O insurance is often not purchased by private companies, which mistakenly consider it to be needed only for protection against shareholder suits in public companies. Yet suits come from numerous stakeholders, such as regulators, customers, suppliers, lenders and shareholders. Employment practices actions brought by employees are a leading source of litigation in Canada, including for sexual, racial or workplace harassment; workplace violence; and wrongful termination. D&Os of partnerships face different liability risks, for example for oppression and unfairly prejudicial conduct towards partners; and all directors face liability for unpaid wages or taxes, breach of contract, failure to carry insurance and punitive damages.

Why Audit Commercial Insurance?

The adequacy of insurance protecting stakeholders can be determined by a formal or informal audit, but the audit should be conducted on a regular basis, for several reasons:

1) Emerging Risks: operational, strategic and other risks for a corporation can change within a short period of time, with new risks emerging regularly. Hence, insurance must be reviewed to ensure it remains adequate for changes in circumstances such as the economy, and others including:

  • Deteriorating infrastructure in Canada: a lack of capital re-investment by governments in infrastructure, for example deteriorating bridges, power supplies and sewage systems, and the resulting impact on corporations
  • Weather risks: storms, heat, warming. Floods and storms in the last 10 years have exceeded those in the last 100 years
  • Cybersecurity liability and privacy, and increasingly punitive legislation in Canada
  • Changing directors’ liabilities: many pension funds in Canada are now underwater, a new phenomenon. The financial crisis of ‘08/’09 has intensified the spotlight on the directors’ risk-oversight role, i.e. board charters now universally include language holding directors responsible for risk oversight
  • Terrorism and violence: not only found abroad, where Canadian businesses are locating, exporting to and importing from, but now finding their way to North America. Resource developers are increasingly aware of the risks presented by affected stakeholder groups with differing claims, which require increased risk management.

2) Changing Insurance Marketplace: coverages change regularly. Risks insured yesterday are often no longer insurable today, and conversely, corporate insurance programs that have not been recently reviewed may not be up to date with newly offered, state-of-the-art insurances.

The obligation of corporate leaders to carry adequate insurance protecting stakeholders is now universally recognized, as is the board’s obligation to oversee risk management. Accordingly, some D&O liability insurance carriers now specifically exclude “Failure to Carry Adequate Insurance” from coverage. This underlines the onus on D&Os to exercise proper due diligence in auditing their insurance and risk programs.

In summary, D&Os have an obligation to administer and oversee the adequacy of risk management within their organizations, including the adequacy of insurance. Failure to audit the key risks of the organization may have devastating consequences for the organization and its stakeholders, and may result in severe personal liability for its D&Os. To properly manage risks, D&Os should ensure the organization has in place a process to identify, assess, manage, monitor and report on its principal business risks.

Call to action: audit key organizational risks using in-house or external professionals; identify and assess all principal business risks regularly, and formally study, review and compare the key risks with the insurance coverages in place, especially for newly emerging risks; align the key insured and non-insured risks with the overall corporate objectives to ensure that the corporation is dedicating the appropriate loss-prevention techniques, insurance or other means to treat such risks. Ask insurance providers to continually review relevant new insurance offerings.
