Enterprise Risk Management as a Core Management Process



RISKY BUSINESS II: Enterprise Risk Management as a Core Management Process
BEST PRACTICES REPORT

Risky Business II: Enterprise Risk Management as a Core Management Process
A best practices report from APQC, in collaboration with IBM (Research Champion*)

Study team: Gerry Swift, project manager; Angelica Wurth, special adviser; APQC
Subject matter experts: Bob Paladino, founder, Bob Paladino & Associates; William Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus, University of Virginia
Contributing authors: Stephanie Carlin, Bob Paladino, William Shenkir, Gerry Swift, Angelica Wurth
Editor: Lauren Trees
Designers: David Andrews, Connie Choate

Membership information
For information about how to become a member of APQC, and to receive publications and other benefits, call 800-776-9676 or +1-713-681-4020, or visit our Web site at www.apqc.org.

Copyright
©2008 APQC, 123 North Post Oak Lane, Third Floor, Houston, Texas 77024-7797 USA. This report cannot be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, faxing, recording, or information storage and retrieval. Additional copies of this report may be purchased from the APQC Order Department at 800-776-9676 (U.S.) or +1-713-685-7281. Quantity discounts are available.
ISBN-10: 1-60197-148-6
ISBN-13: 978-1-60197-148-7

Statement of Purpose
The purpose of publishing this report is to provide a reference point for and insight into the processes and practices associated with certain issues. It should be used as an educational learning tool and is not a “recipe” or step-by-step procedure to be copied or duplicated in any way. This report may not represent current organizational processes, policies, or practices because changes may have occurred since the completion of the study.

* The IBM logo is a registered trademark of IBM in the United States and other countries and is used under license. IBM responsibility is limited to IBM products and services and is governed solely by the agreements under which such products and services are provided.
Risky Business II: Enterprise Risk Management as a Core Management Process 1
TABLE OF CONTENTS

4  Sponsor and Partner Organizations
   A listing of the sponsor organizations in this study, as well as the best-practice (“partner”) organizations that were benchmarked for their efforts in enterprise risk management.
5  Executive Summary
   A bird’s-eye view of the study presenting the study focus, the methodology used throughout the course of the study, key findings, and a profile of participants. The findings are explored in detail in the following sections.
11 Study Findings
   An in-depth look at the findings of this study. The findings are supported by quantitative data and qualitative examples of practices employed by the partner organizations.
53 Partner Organization Case Studies
   Background information on the partner organizations and their innovative practices in enterprise risk management.

SPONSOR AND PARTNER ORGANIZATIONS

Sponsor Organizations
• CHRISTUS Health
• El Paso Corporation
• Lloyd’s Register Group
• Marathon Oil Corporation
• Public Service Enterprise Group (PSEG)
• U.S. Army, ARDEC
• U.S. Coast Guard
• U.S. Department of the Navy
• Visa Inc.

Partner Organizations
• American Electric Power (AEP)
• Fonterra Cooperative Group Limited
• The Hartford Financial Services Group Inc.*
• Microsoft Corporation
• New York Independent System Operator (NYISO)
• Textron Inc.

* This organization participated as a data-only partner.
EXECUTIVE SUMMARY

In today’s global business environment, leaders of organizations must deal with a myriad of complex risks, many of which carry potentially substantial consequences. Stakeholders demand that these leaders employ methodologies to uncover the risks embedded in any given opportunity as well as the risks inherent in ongoing business operations. Many businesses are implementing enterprise risk management (ERM) as a program to improve the identification, assessment, and management of risks across internal silos.

Although ERM is a relatively young management discipline, this consortium benchmarking study has identified five organizations with advanced ERM programs. The report you are about to read describes how the leaders of these organizations implemented ERM across business units and embedded ERM in core management processes to improve decision making. Throughout the report, APQC offers valuable insights on developing strategic risk management processes and fostering a risk-conscientious culture. These two components are essential for establishing an effective ERM program and are emphasized in other leading evaluations, such as Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings (2008).
— William G. Shenkir, a special adviser on this consortium benchmarking study

Research indicates that strategy execution continues to challenge many companies where executives are faced with new and more potent risks. While working on APQC’s two ERM studies in 2006 and 2008, I have observed that the ERM body of knowledge and the application of strategic risk management frameworks are still maturing. There are, however, best-practice partner organizations illuminating the path for the rest of us, and I am extremely grateful to them. Our hope is that this study will help your organization improve its ability to identify, mitigate, manage, and report on ERM in a valued manner.
— Bob E. Paladino, a special adviser on this consortium benchmarking study
STUDY SCOPE
The organizations selected for deep, detailed study through structured data collection and site visits (referred to throughout the report as “best-practice organizations” or “study partners”) demonstrate innovative performance in one or more of the following study focus areas:
1. optimizing the ERM organizational structure;
2. identifying, implementing, and maintaining supporting ERM methodologies;
3. using ERM for effective decision making; and
4. using ERM for performance improvement.

The goal of this study was to examine organizations that excel in one or more aspects of the study scope and to aggregate the best practices from all the organizations studied. To achieve this goal, the APQC study team identified potential best-practice partners that demonstrated excellence and a history of success in the four scope areas. Project sponsors then selected the final list of partners from among the candidates.

OVERVIEW OF FINDINGS
The study team discovered 10 principal findings from studying the best-practice organizations. These findings have been organized into the following chapters, which map closely to the study scope. Each chapter explores key findings and supports them with brief examples from the study partners; additional details on the best-practice organizations can be found in their respective case studies at the end of this report.

Chapter 1: Optimizing the ERM Organizational Structure
1. Best-practice organizations establish clear structures for ERM involving executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of critical risks.

Chapter 2: ERM Support Tools and Methodologies
4. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.
5. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

Chapter 3: Using ERM for Effective Decision Making
6. A focus on risk management creates a culture of informed risk takers.
7. Risk information must be effectively communicated across the enterprise in order to influence decision making.

Chapter 4: Using ERM for Performance Improvement
8. Effective risk management is evaluated as an organizational key performance indicator.
9. Best-practice organizations use risk management as an individual performance indicator.
10. Evaluation of ERM effectiveness is in the early stages of maturity.

Chapter 5: The “Essentials” of ERM
This chapter details lessons learned and critical success factors for effectively managing enterprise-wide risks.

STUDY METHODOLOGY
Developed in 1993, APQC’s consortium benchmarking study methodology (Figure 1) serves as one of the world’s premier methods for successful benchmarking. It was recognized by the European Center for Total Quality Management in 1995 as first among 10 leading benchmarking organizations’ models. It is an extremely powerful tool for identifying best and innovative practices and for facilitating the actual transfer of these practices.

Figure 1: APQC’s Benchmarking Model: The Four-Phased Methodology

Phase 1: Plan
The planning phase of the study began in fall 2007. During this phase, APQC conducted secondary research to help identify innovative organizations that might participate as study partners. In addition to this research, APQC staff members and the subject matter experts identified potential participants based on their own firsthand experiences, research, and sponsor recommendations. Each recognized organization was invited to participate in a screening process. Based on the results of the screening process, as well as each organization’s capacity or willingness to participate in the study, a final list of nine potential partner candidates was developed.

A study kickoff meeting was held in April 2008, during which the sponsors refined the study scope, gave input on the data collection tools, and selected the study partners at which they would most like site visits to be conducted. Finalizing the data collection tools and piloting them within the sponsor group concluded the planning phase.

Phase 2: Collect
Three tools were used to collect information for this study:
1. screening questionnaire—qualitative and quantitative questions designed to identify best practices within the partner organizations;
2. detailed questionnaire—quantitative questions designed to collect objective, quantitative data across all participating organizations; and
3. site visit guide—qualitative questions that parallel the areas of inquiry in the detailed questionnaire, which serves as the structured discussion framework for all site visits.

Along with the nine sponsor organizations, five best-practice partners completed the detailed questionnaire: American Electric Power, Fonterra Cooperative Group Limited, The Hartford Financial Services Group Inc. (a data-only study partner), Microsoft Corporation, and Textron Inc. Four of these five organizations also hosted site visits, and study partner New York Independent System Operator hosted a fifth site visit. The APQC study team prepared a written report (case study) of each site visit and submitted it to the partner organization for approval or clarification. The case studies are included at the end of this report.

Phase 3: Analyze
The subject matter experts and APQC analyzed the quantitative and qualitative information obtained through the data collection tools. Analysis concentrated on examining the challenges that organizations face in the four study focus areas. The analysis of the data, as well as case examples based on the site visits, is contained in this report.

Phase 4: Adapt
Adaptation and improvement, stemming from identified best practices, occur after readers apply key findings to their own operations. APQC staff members are available to help create action plans appropriate for readers’ organizations.

PARTICIPANT BACKGROUND
Figure 2 describes the industry distribution of the best-practice partners that responded to the detailed questionnaire.

Figure 2: Industry Representation of Partner Organizations (percentage of partners)
   Telecommunications/Utilities: 20%
   Aerospace/Defense: 20%
   Insurance: 20%
   Food and Beverage: 20%
   Information Technology/Computer: 20%
SUBJECT MATTER EXPERTISE

Bob Paladino, CPA, Founder, Bob Paladino & Associates, LLC
Bob Paladino is the founder of Bob Paladino & Associates and a former executive and long-time implementation practitioner in the corporate performance management (CPM) field. His firm advises boards of directors and executives and offers CPM services. Formerly a leading consultant for PricewaterhouseCoopers and Towers Perrin, Paladino has been published in leading journals and is among the highest-rated speakers at corporate and industry events such as FEI, ASMI, and CFO Rising.

William G. Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus, University of Virginia
Bill Shenkir served on the faculty of the University of Virginia’s McIntire School of Commerce for almost 40 years and as dean from 1977 to 1992. He continues to consult and do research on ERM. Shenkir has published more than 50 articles and edited/co-authored eight books, three of which focus on ERM. He served on the staff of the FASB, as president of the AACSB, on numerous professional committees, and on three corporate boards. He has received the IMA’s Virginia Outstanding Educator Award and was recognized by students as one of the 10 University Distinguished Professors in the 1997 Corks and Curls.

ABOUT APQC
A recognized leader in benchmarking, knowledge management, measurement, and quality programs, APQC helps organizations adapt to rapidly changing environments, build new and better ways to work, and succeed in a competitive marketplace. For more than 30 years, APQC has identified best practices, discovered effective methods of improvement, broadly disseminated findings, and connected individuals with one another and with the knowledge, training, and tools they need to succeed. APQC is a member-based nonprofit serving more than 500 organizations around the world in all sectors of business, education, and government. Learn more about APQC by visiting www.apqc.org or calling 800-776-9676 or +1-713-681-4020.

ABOUT IBM GLOBAL BUSINESS SERVICES
With consultants and professional staff in more than 160 countries, IBM Global Business Services is the world’s largest consulting services organization. IBM Global Business Services provides clients with business transformation and industry expertise, as well as the ability to translate that expertise into integrated, responsive, innovative business solutions and services that deliver bottom-line business value. IBM Global Business Services offers industry-leading transformation consulting skills and delivery capabilities across a range of areas, including human capital management, financial management, customer relationship management, R&D management, supply chain management, and strategy and change. For more information, visit www.ibm.com.

IBM Global Business Services’ Financial Management practice focuses on enabling enterprise innovation and performance through improved finance organization efficiency and effectiveness. With more than 4,000 practitioners, Financial Management has a full suite of end-to-end capabilities to address a client’s challenges. Its capabilities include finance transformation, finance operations improvement, business performance management, business risk management, and finance enterprise applications.

STUDY FINDINGS

13 Chapter 1: Optimizing the ERM Organizational Structure
23 Chapter 2: ERM Support Tools and Methodologies
31 Chapter 3: Using ERM for Effective Decision Making
41 Chapter 4: Using ERM for Performance Improvement
49 Chapter 5: The “Essentials” of ERM
Chapter 1
Optimizing the ERM Organizational Structure

Chapter 1 Key Findings
1. Best-practice organizations establish clear structures for ERM involving executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of critical risks.

Risk management has evolved significantly since APQC published its initial report on the subject, Risky Business: Employing Risk Management to Sustain Growth, Mitigate Threats, and Maximize Shareholder Value. When research was being conducted for that report in 2006, many organizations had long histories of deploying risk management for specific risks such as insurance and audits, but true enterprise risk management was a fairly new endeavor. Few participants in the 2006 study had well-established ERM approaches—in fact, half of the ERM programs examined were only three to five years old. However, organizations were beginning to recognize the importance of an enterprise-wide approach to risk due to factors such as:
• the increased volatility of markets driven by competition, globalization, and technology;
• an enhanced focus on the tradeoffs among achieving financial, customer-, process-, and people-oriented results; and
• changes in regulatory oversight, from deregulation in the utility and telecom industries to recent legislation such as the Sarbanes-Oxley Act (SOX).

The best-practice partners examined in our most recent study reflect this ongoing evolution from more limited, silo-based risk strategies toward enterprise risk management. Four of the five best-practice ERM programs have existed in their current states for less than three years, and the remaining program for less than five years.

According to APQC’s past and current research, organizations at the level of ERM maturity demonstrated by the best-practice partners have integrated enterprise risk management into their strategic planning processes and analyze the likelihood and impact of risks across the enterprise, as opposed to relying on an isolated approach where they merely react to events. This report explores how best-practice organizations achieve this level of maturity and plan for continuing development. To that end, the report details how the best-practice partners ensure that ERM is treated as a core management process. It also examines optimal ERM organizational infrastructures, effective support methodologies, how ERM can influence key decisions, and how an enterprise view of risk can improve overall performance.

“ERM is a strategic and dynamic process that all our employees have a stake and ownership in to implement. In its ideal state, ERM should identify business process improvement and risk mitigation opportunities, be they physical, financial, or cultural.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

THE BUILDING BLOCKS OF ERM: ORGANIZATIONAL STRUCTURES
Best-practice organizations establish clear structures for ERM involving executive-level support.

The best-practice organizations in this study have established clear roles and responsibilities for deploying and overseeing their ERM initiatives. They also have executive sponsors in place to support the continued maturation of ERM efforts.

Figure 3 and Figure 4 provide an overview of ERM process ownership at the best-practice partner organizations. Most of the study partners have assigned core functions to oversee ERM activities as well as C-level executives to act as ERM executive sponsors. According to representatives from these organizations, clear ownership and reporting structures are crucial to communicating the importance of risk management to the work force.

Figure 3: Who Provides Executive Sponsorship for ERM? (n=5; partners were asked to select all options that apply; frequency of response)
   Core ERM group: 20%
   Chief risk officer (CRO): 20%
   CEO team: 40%
   CEO direct report: 40%
   CEO: 0%
   Board of directors, subcommittee: 40%
   Board of directors: 20%
   Other: 40% (chief operating officer (COO); chief financial officer (CFO))

Figure 4: Who Is Responsible for Deploying and Overseeing ERM? (n=5; partners were asked to select all options that apply; frequency of response)
   Core ERM group: 60%
   CRO: 20%
   CEO team: 0%
   CEO direct report: 20%
   CEO: 0%
   Board of directors, subcommittee: 0%
   Board of directors: 0%
   Other: 40% (vice president of internal audit; COO)
As you can see from Figures 3 and 4, the partner organizations employ diverse reporting structures for ERM. The study did not reveal a one-size-fits-all approach. However, all the partners effectively support the executive-level positioning of ERM through senior committees and other change agents.

Figure 5 depicts the ERM reporting structure at Fonterra, a best-practice partner in both the 2006 study and the current study. In 2006, Fonterra split its global assurance function into audit and risk, with two different reporting lines to the office of the chief financial officer (CFO). The organization integrated its ERM process into business strategy and planning; the ERM function now interacts with insurance brokers and leverages employees within the business units who are engaged in risk assessments.

Figure 5: Fonterra’s Risk Reporting Structure (organization chart headed by the Enterprise Risk Manager, with insurance, business risk, injury management, risk assessment, business continuity, and claims administration roles, and external brokers for claims, insurance, captive, risk management, and risk engineering)
ERM responsibility:
• ERM program
• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives and the board (including the top 20 risks)
• Business interruption evaluation
• Business continuity planning and crisis response planning
• Insurance program (strategy, policies, placement, and reporting)
• Claims management and administration
• Financial aspects of accident compensation
• Other risk management activities including contract risk, security, etc.

Fonterra’s ERM function is responsible for managing the ERM program, monitoring and reporting key risk information, evaluating business interruptions, and carrying out business continuity planning. The ERM function also manages insurance programs, claims management, financial aspects of accident compensation, and various other risk management activities such as contract risk and security.

To influence behaviors and reinforce the importance of ERM in its culture, Fonterra gave its business units a defined role in ERM. The organization expects business units to manage risks and promote certain behaviors by:
• identifying downside risks and upside opportunities for the business,
• serving as expert witnesses with deep knowledge of operations to assess risk magnitude,
• mitigating risks and monitoring emerging risks,
• collecting and reporting risk data to the ERM function for aggregation,
• enforcing compliance with risk mitigation procedures among business-unit personnel, and
• making sure that processes are in place and that costs arising from implementation strategies are planned for and budgeted.

At Textron, the ERM function reports to the vice president of audit, who reports directly to the organization’s board of directors. The business continuity management function also reports to the vice president of audit; in addition, both functions report to an operating committee comprising key managers and leaders from all Textron business units. The ERM function reports to the operating committee instead of a traditional risk committee so that it can communicate directly with the business-unit owners. This structure has enabled risk reporting to have a greater impact across the organization.

At American Electric Power (AEP), ERM is centrally managed, but key reporting responsibilities are held at the business-unit level. The name of AEP’s enterprise risk organization—enterprise risk oversight (ERO)—is intended to emphasize the group’s role: Whereas ERO oversees risks across the organization, the individual business functions are responsible for risk management process execution. In accordance with this structure, funding for risk management is incorporated into business-unit budgets. Figure 6 depicts the risk management structure at AEP. As shown, risk management involves all levels of the organization.

Figure 6: AEP’s Risk Reporting Structure
   AEP’s ERM policy sets governance structure, roles, and responsibilities.
   Audit Committee: summary report provided to the board audit committee
   Risk Executive Committee (REC): strategic focus for monthly REC meetings
   Enterprise Risk Oversight Function: independent oversight function
   Functional Unit Management: management of risks
Microsoft’s risk reporting structure centers on four risk “pillars”: strategy, finance, operations, and legal/compliance (Figure 7). Each pillar is supported by a committee and an executive sponsor responsible for coordinating the overall program approach developed by the Office of ERM. This structure is complemented by the efforts of individuals and groups in specific business units and functions where risk management specializations already existed prior to the implementation of an enterprise-wide approach.

Figure 7: Microsoft’s Risk Reporting Structure: Enterprise Risk Office (ERO), Virtual Organizations
The Office of Enterprise Risk Management is sponsored by the vice president of internal audit and supported by the director of ERM leading and executing the overall program approach. The ERM effort is being coordinated virtually across the organization, including four risk committees (pillars), each with their respective executive sponsors.
   Board of Directors: Audit and Finance Committee(s)
   Enterprise Risk Office: executive sponsor, VP of Internal Audit; program office, Director of ERM
   Strategic pillar: Chief Executive Officer and VP of Corporate Strategy; Director of Corporate Strategy
   Legal/Compliance pillar: Chief Legal Officer and VP of General Counsel; Director of Compliance; Compliance Attorney
   Financial/Reporting pillar: Chief Financial and Chief Accounting Officers; Sr. Director Compliance; Sr. Manager Compliance
   Operations pillar: Chief Operating and Chief Information Officers; General Manager; Compliance Manager

FOLLOW THE LEADER: THE ROLE OF EXECUTIVES
Senior leaders understand the significant impact of risk information.

Executive-level support for ERM is a critical success factor for the best-practice partners. Given their bird’s-eye views of the entire enterprise, senior leaders and high-level committees are uniquely positioned to understand and oversee an organization’s overall risk picture. What is the role of these leaders regarding ERM, and how and why did this role develop? What is the value of their involvement in ERM? The following examples detail senior leadership’s unusually high level of direct involvement in ERM at the partner organizations.

At the New York Independent System Operator (NYISO), responsibility for ERM resides within the organization’s risk, compliance, and quality management function. The head of this function reports directly to the CEO and board of directors, who were the organization’s original ERM champions. As ERM’s executive sponsor, the CEO also acts informally as the chief risk officer. Additional risk management responsibilities are spread throughout the organization. For example, the general counsel is the chief compliance officer. Cyber and physical security risks fall within the domain of the enterprise security function’s business continuity planning department. A senior risk specialist is responsible for insurance program contracts, structure, loss control, and reporting, as well as the administration of the ERM process and national trends analysis related to the overall power generation and distribution industry. This trend information is provided to the board and CEO.

Textron’s board of directors plays a significant role in ERM. Specifically, the board:
• sets ERM expectations,
• communicates that ERM is an integral part of the overall management and governance structure,
• provides input and oversight for all aspects of ERM, and
• funnels concerns about specific risks into the ERM process.

At Fonterra, enterprise-wide risk strategy is based on board-level recognition that the organization must effectively manage risk in order to grow and be successful. Risk management is integrated across the organization and supported by senior leaders, including the CFO and the chair of the board’s audit, finance, and risk committee. In addition, ERM roles and responsibilities are cascaded down to the specific business units.

A HOLISTIC VIEW
A holistic approach to risk management enables improved understanding of critical risks.

Organizations that incorporate identified risks into strategic planning make better decisions and are more likely to achieve their strategic objectives. But how do organizations ensure that they understand their own risk universes and then effectively leverage resources to mitigate risks? How do they confirm that all relevant risks are included in their risk assessment processes? How do certain risks offset one another? Because these questions are central to the idea of ERM best practices, a key objective of this study was to examine how organizations develop an understanding of their own critical risks. The following examples illustrate some of the methods used by the partner organizations.

The NYISO focuses on risks that fall into three broad categories: reliability (resources and fuel costs/availability), markets (legislative/political, finance and credit, and billing), and reputation (legal/regulatory issues and compliance). These three categories are further broken down into 17 areas of risk that are leveraged throughout the organization:
• infrastructure,
• resources,
• financial,
• compliance,
• execution,
• seams,
• credit exposure,
• press/media,
• security,
• billing,
• market design,
• regulator relations,
• market participants,
• fraud,
• retention,
• political climate, and
• market administration.

Risks aligning to these categories are tracked according to a hybrid framework that combines those of the Risk and Insurance Management Society (RIMS) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The NYISO uses matrix scales and heat maps that list each of the organization’s 17 risk categories according to probability and impact. The list of risks changes periodically, with new risks added and others replaced or subsumed under other categories. Figure 8 illustrates how the NYISO defines its risks to facilitate strategic decision making.

Figure 8: The NYISO’s Risk Rating Definitions

Impact ratings, by risk category:
Low/No Impact
   Reliability: affects local reliability, non-mission-critical systems
   Markets: 0 to $100,000
   Reputation: small process/procedural errors that impact limited stakeholder segments
Some Impact
   Reliability: affects zones outside JK, non-mission-critical systems not operational
   Markets: $100,000 to $1 million
   Reputation: continuous mistakes in processes that affect stakeholders and indicate NYISO inability to correct
Serious Impact
   Reliability: affects zones JK, mission-critical systems affected
   Markets: $1 million to $5 million
   Reputation: NYISO fails to meet regulatory compliance issues/NYISO execution causes marked disruptions
Most Severe Impact
   Reliability: affects all of the state’s control area mission-critical systems
   Markets: in excess of $5 million
   Reputation: regulators, market participants, and media severely impugn NYISO reputation, with NYISO unable to influence outcome

Likelihood ratings:
   Improbable—unlikely to affect NYISO within one year
   Possible—may affect NYISO within one year
   Imminent—likely to affect NYISO within one quarter
   Immediate—the risk presently affects NYISO
At Fonterra, the organization has defined the purpose of ERM in order to articulate the why and how of enterprise risk. For example, Fonterra identifies “assist” as a key ERM activity: This refers to assisting the financial success of the business by providing a forum and methodology for evaluating and prioritizing potential risk improvement opportunities and understanding their financial and other impacts. Additionally, Fonterra is establishing risk champions within each key business. Risk champions will spend several days in risk assessment workshops designed to help individuals identify and manage key business risks. Risk champions will also become business liaisons to the risk function.

Fonterra assesses risks using a database that, in turn, populates the organization’s risk profiling report. The database and report, which are discussed further in Chapter 2, illustrate the types of data fields that reporting employees must complete in order for the ERM function to accurately assess high and significant risks.

According to Textron, every risk is quantifiable. The organization’s ERM function works closely with the business units to determine costs for specific risks. In some cases, the organization estimates a range to illustrate best- and worst-case scenarios, and each risk cost is factored into an overall cost average. A coordinator for each business unit works directly with the ERM function to ensure that Textron has a clear view of critical risks. In addition to spending 10 to 14 hours each quarter coordinating risk information, these individuals help subject matter experts in their business units and councils compile and assess risk data.
The primary benefit of this structure is that it brings together experts who understand the risks with risk coordinators who understand the process; rather than training a large number of employees on ERM, Textron aims to keep risk management intelligence flowing between ERM coordinators and the ERM function.

Textron uses an ERM input tool to capture key risk data. For each risk, ERM coordinators help subject matter experts collect data in five key categories:

1. basic risk information—such as title, description, failure mode, and cause;
2. gross risk information—the cost of the risk event and the probability of occurrence (in annual terms) if no mitigations were in place;
3. current risk information—the cost of the risk event and the probability of occurrence (in annual terms) with all current mitigations in place;
4. decision—whether or not further action is required; and
5. expected risk—details on impact and likelihood.

Data from this input tool is entered into an Excel spreadsheet that can be tracked and used for reporting purposes. The spreadsheet is color-coded so that, if the “decision” category indicates that further action is required, then the risk is automatically highlighted in red.
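The following is an added illustration, not Textron’s input tool, the NYISO’s matrix, or any code from the report. It shows, in working Python, how the five data categories above can be held as one register row, how gross and current (post-mitigation) cost and annual probability combine into an annualized expected loss, how the “decision” field drives the red highlight, and how a current cost can be bucketed into the dollar impact bands of the NYISO’s Figure 8. Every class and function name (RiskEntry, register_report, impact_band, and so on) and all sample rows are this example’s own constructed assumptions; assigning an impact band by current cost is likewise the example’s convention rather than something the report states either organization does.

```python
from dataclasses import dataclass

# Impact bands taken from the dollar thresholds in the "Markets" column of
# Figure 8: (upper bound in dollars, label). Assigning a band by the risk's
# current cost is this example's own convention, not the NYISO's.
IMPACT_BANDS = (
    (100_000, "Low/No Impact"),
    (1_000_000, "Some Impact"),
    (5_000_000, "Serious Impact"),
    (float("inf"), "Most Severe Impact"),
)


def impact_band(cost: float) -> str:
    """Map a non-negative dollar cost to its Figure 8 impact label."""
    if cost < 0:
        raise ValueError("cost must be non-negative")
    for upper, label in IMPACT_BANDS:
        if cost <= upper:
            return label
    raise AssertionError("unreachable: last band has no upper limit")


@dataclass(frozen=True)
class RiskEntry:
    """One register row, with fields grouped as in the five categories above."""
    # 1. basic risk information
    title: str
    description: str
    failure_mode: str
    cause: str
    # 2. gross risk information: cost and annual probability with no mitigations
    gross_cost: float
    gross_probability: float
    # 3. current risk information: cost and annual probability with current mitigations
    current_cost: float
    current_probability: float
    # 4. decision: does the risk still need further action?
    action_required: bool

    def __post_init__(self) -> None:
        for p in (self.gross_probability, self.current_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError("annual probability must lie in [0, 1]")
        for c in (self.gross_cost, self.current_cost):
            if c < 0:
                raise ValueError("cost must be non-negative")

    # 5. expected risk: annualized expected loss = cost x annual probability
    def gross_expected_loss(self) -> float:
        return self.gross_cost * self.gross_probability

    def current_expected_loss(self) -> float:
        return self.current_cost * self.current_probability

    def mitigation_effect(self) -> float:
        """Fraction of the gross expected loss removed by current mitigations."""
        gross = self.gross_expected_loss()
        return 0.0 if gross == 0 else 1.0 - self.current_expected_loss() / gross

    def highlight(self) -> str:
        """Mimic the spreadsheet colour code: red when further action is required."""
        return "red" if self.action_required else "none"


def register_report(entries: list[RiskEntry]) -> list[dict]:
    """Summarize the register, largest current expected loss first."""
    ordered = sorted(entries, key=lambda e: e.current_expected_loss(), reverse=True)
    return [
        {
            "title": e.title,
            "gross_el": round(e.gross_expected_loss(), 2),
            "current_el": round(e.current_expected_loss(), 2),
            "reduction": round(e.mitigation_effect(), 3),
            "impact_band": impact_band(e.current_cost),
            "highlight": e.highlight(),
        }
        for e in ordered
    ]


def risks_needing_action(entries: list[RiskEntry]) -> list[str]:
    """Titles the spreadsheet would show in red."""
    return [e.title for e in entries if e.action_required]


# Constructed sample rows; they are not real Textron or NYISO risks.
SAMPLE_RISKS = [
    RiskEntry("Billing system outage", "Settlement runs cannot complete",
              "Batch job fails", "Unpatched database server",
              gross_cost=2_000_000, gross_probability=0.30,
              current_cost=1_200_000, current_probability=0.10,
              action_required=True),
    RiskEntry("Counterparty credit default", "Market participant fails to pay",
              "Receivable written off", "Insufficient collateral",
              gross_cost=500_000, gross_probability=0.20,
              current_cost=400_000, current_probability=0.05,
              action_required=False),
    RiskEntry("Lost laptop with market data", "Unencrypted device leaves premises",
              "Data disclosure", "No disk encryption policy",
              gross_cost=80_000, gross_probability=0.50,
              current_cost=20_000, current_probability=0.50,
              action_required=False),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

Keeping gross and current figures side by side is what makes the register useful for review: the reduction column shows what the existing mitigations actually buy, while the decision flag, not the arithmetic, decides whether a risk stays highlighted, which matches the spreadsheet behaviour described above.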
AEP divides risks into two categories: monitored risks and high-impact risks. Monitored risks are generally easier to quantify and have governing policies focused on limits and controls. These risks are monitored for status changes and to ensure that the controls in place are working. By contrast, potential high-impact risks are more difficult to quantify. High-impact risks are often operational or physical risks and are typically addressed by programs, rather than limits. In general, these risks would have an impact on one or more monitored risks. AEP’s risk executive committee, which is made up of senior executives who manage a significant amount of risk for the organization, focuses its discussions on high-impact risks.

As previously mentioned, AEP’s functional units are responsible for analyzing, assessing, managing, and mitigating their own risks. Functional units provide monthly risk reports that include risk information such as metrics (where possible), current status, trends, strategy and mitigation, and emerging risk areas. These reports are reviewed by the enterprise risk oversight function, which then prepares a high-level summary for the risk executive committee. Reports from functional units are compiled in a binder that is provided to all risk executive committee members prior to each meeting. This enables committee members who want more detail to read about specific risks prior to the meeting and come prepared with questions. The high-level summaries are also reviewed by the board audit committee, which sits at the top of AEP’s organizational structure for ERM.

Risks reported to the risk executive committee cover a very broad range of issues; some are quantifiable, but others are not. Also, because risks change over time, AEP continuously revises the list of reported risks. Some risks are reported on a long-term basis, whereas others are reported for several months and then removed from reporting.

CONCLUSION

The best-practice partners featured in this report have created ERM organizational structures that facilitate fluid collaboration around risk management. Involvement and support from senior leaders convey the value of managing risk to the rest of the organization. By combining an infrastructure that places high visibility on risk management with senior leaders that understand the importance of effectively identifying and assessing risks, the best-practice organizations ensure that strategic objectives will be met. Partners emphasize that ERM must be viewed holistically in order for organizations to properly identify, aggregate, and assess all types of risk and then incorporate the results of their analyses into strategic decision making.
Research Champion Perspective from IBM Global Business Services

Optimizing the ERM Organizational Structure

This study clearly shows that there is no “best” way to structure and manage an ERM program. But as we reflect on the different organization structure approaches taken by the best-practice partners, a couple of observations come to mind, particularly in light of recent IBM research in this area. The first is the role of the “risk manager,” a title used in many organizations and throughout the literature on ERM. The second is the linkage of risks to business processes and the associated management responsibilities and performance measurements, a topic we will discuss further in our Research Champion Perspective for Chapter 4 of this report. Importantly, we see these two points as intrinsically linked through the convergence of risk and performance management.

In organizations and structures where the ERM function is stand-alone and tasked with risk management (as opposed to policy and process formulation), the risk manager typically owns the risks and mitigation solutions. For example, a supply chain risk manager may be expected to “gain a clear understanding of the supply chain process, its key exposures and values, and to develop a plan to minimize the adverse effects of the identified exposures on the organization.”1 In such a structure, the risk manager must identify, assess, and manage the risks that might impact that process. But where does this approach leave the supply chain manager, the individual who owns the underlying process and is responsible for the supply chain team? How does he or she manage the process and resolve issues, pro- or re-actively? If there is a failure (i.e., a risk event) in the supply chain, who is responsible for (1) its resolution, (2) its mitigation, and (3) its performance implications? Put very bluntly, where does the buck stop, and which performance metric will be affected?

Our view is that business process owners should own the responsibility for risk management as a core part of their day-to-day management responsibilities. In this way, they can assess risks and alternatives with full understanding of the short- and long-term impacts of those options and make the most appropriate trade-offs for success of the process. On the other hand, a stand-alone risk manager might accept/avoid/mitigate risks which need not be so handled given the alternatives available to the process owner.

But do not construe this perspective as a rejection of the role of the risk manager: He or she has a key role as an adviser to the process owner, acting in much the same manner as a financial, human resources, or information systems expert would. The risk manager should establish the risk management process, ensure its appropriate execution—including a reporting line to executive management if the process is not followed—and advise the process owner of alternative strategies. This is a key role required by every enterprise, but one that still leaves decision-making responsibility in the hands of process and business owners, thereby supporting a more effective performance measurement assessment structure.

1 Ron Stokes. “Understanding Supply Chain Risk.” Risk Management, August 2008 (www.rmmag.com).
Chapter 2
ERM Support Tools and Methodologies

Chapter 2 Key Findings
1. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.
2. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

Two of the most pressing concerns for organizations implementing ERM initiatives are: “What is the process for identifying and assessing risks?” and “How do you roll out risk management across an enterprise?” To answer these questions, this report explores the steps that best-practice organizations have taken to integrate risk management into the way they work.

Whereas Chapter 1 focused on the best-practice partners’ organizational infrastructures, this chapter details the methodologies and tools that partners use to identify, assess, monitor, and report enterprise-wide risks.

A METHOD TO THE MADNESS

Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.

The study participants leverage many different techniques to assess risks and collect and report risk information; for the most part, this diversity reflects the organizations’ unique work approaches. However, one commonality among the best-practice partners is that they all make distinctions between ownership of a specific risk and facilitation of the ERM process. Most partners rely on a combination of risk maps, scenario analysis, Microsoft Office applications, and home-grown software to aggregate and identify key risk categories (Figure 9, page 24). When organizations can catalog and pinpoint significant risks, they are better able to ensure that those risks are thoroughly understood, closely tracked, and periodically reviewed.

Figure 9: Technologies, Applications, Techniques, and Methodologies Used for ERM
Partners were asked to select all options that apply to their organizations (n=5). Frequency of response:
  Risk maps: 60%
  Bowtie diagrams: 0%
  Failure mode effects analysis (FMEA): 40%
  Influence diagrams: 0%
  Risk registers: 40%
  Scenario analysis: 60%
  Fault tree/event tree: 20%
  Off-the-shelf application: 40%
  Home-grown application: 60%
  ERP: 0%
  MS Office: 80%
  Other: 0%

To capture key risk data, Textron uses an ERM input tool based on failure mode effects analysis (FMEA).2 Data from this input tool is entered into an Excel spreadsheet for reporting purposes and color-coded to indicate whether or not a risk requires further action.

The spreadsheet data populates risk radars (Figure 10, page 25), which highlight Textron’s significant risks and associate those risks with dollar amounts related to net operating profits. Risk radars track gross risk and are color-coded to indicate whether further action is required; risks are graphed so that the likelihood of a risk occurring in the next year is represented on the X-axis and annual net operating profit is represented on the Y-axis. For example, Risk A in Figure 10 was initially estimated at approximately $2 billion, but through mitigation and control efforts, that exposure was reduced by about half. However, since the level of exposure is still considered unacceptable, Risk A is depicted as a box, indicating that further action is required. Throughout Textron’s risk radars, embedded links guide users to more detailed information from the risk database.

2 APQC defines FMEA as “a well documented, proven technique commonly used to evaluate the risk for failures in product and process designs” (2007).

Figure 10: Textron’s Significant Risks Radar (sample risk data)
Chart: the X-axis shows likelihood of occurrence in the next year (0%, 25%, 50%, 75%, 100%); the Y-axis shows gross risk measured in annualized NOP ($0, $35M, $70M, $105M, $140M, $500M, $1B, $2B). Each risk is plotted twice, at its gross position and at its current position. Legend: circle = risk reduced to an acceptable level; box = further action required; gross risk.
Accompanying table (the Risk Name column holds sample data only):
  Risk  Owner             Initial  Complete
  A     Crisis Management 1Q06     TBD
  B     Finance Council   1Q06     1Q06
  C     IMC               1Q06     1Q06
  D     TFC               1Q06     1Q06
  E     Bell              1Q06     1Q06
  F     Legal Council     1Q06     1Q06
  G     Bell              1Q06     1Q06
  H     Finance Council   1Q06     1Q06
  I     Finance Council   1Q06     1Q06
  J     Bell              1Q06     1Q06
  K     Kautex            1Q06     TBD

Fonterra uses a risk database to support risk assessment and evaluation across the enterprise. Figure 11 (page 26) provides an example of how Fonterra presents data captured during the risk assessment process. Although the figure contains only sample data, it illustrates the types of data fields that must be completed in order to accurately assess high and significant risks. For example, the reporting employee must clearly define the context and objective of a given activity/process and then identify the risks that could prevent the accomplishment of that objective. Each risk is assigned an owner and a category, which allows the organization to aggregate risks into groups. The forms include a representation of “inherent” risk in terms of impact and likelihood displayed on a heat map, a review of controls to mitigate risks, and a scoring of residual risks in terms of impact and likelihood displayed on a heat map.

Figure 12 (page 27) depicts an example of Fonterra’s risk assessment report, which provides an overview of risk by category. This data flows to the business units so that decision makers can better understand key risks.

At the New York Independent System Operator (NYISO), risk identification and reporting are the responsibility of the business units. Risk owners—those owning the business processes—are expected to report known risks, their status, and mitigation efforts on a monthly basis.

As part of establishing its ERM program, the NYISO mapped out every function and process in the organization and then created an executive summary and supporting report detailing each risk along with its triggers and status. The risk, compliance, and quality management function updates this ERM report every month based on business-unit-level reporting and mitigation efforts. Thus, the quality of the overall ERM report depends on the accurate monitoring and reporting of risks by the business units.
Figure 11: Fonterra’s Formal Risk Assessment Process
Risk Management Framework - Risk Profiling Report (sample data)

  Context/Objective: Guaranteed ability to process milk from shareholders
  Risk: Reduced ability to supply milk to site for a period longer than 24 hours
  Volatility: Increasing over time
  Risk Owner: GM Milk Supply
  Risk Category: Milk Collection and Transport
  Coding / Process Coding (optional entries): Operational

  INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls
  Causal Factors:
    • Road closure from flood
    • Road closure from landslip
    • Loss of power to the site for milk transfer for 24 hours
  Expected Consequences/Impact:
    • Unable to receive all milk supplies
    • Worst reasonable case estimate 50% loss of milk for 6 days following landslip
  Potential Cost: NZ$1M - NZ$10M
  Inherent Likelihood (1-10): 9
  Inherent Consequence/Impact (1-10): 6
  Inherent Risk Rating: HIGH (plotted on a likelihood/impact heat map with axes scaled 1, 3, 5, 7, 9)
  Inherent risk = potential business impact WITHOUT the benefit of controls

The NYISO’s risk, compliance, and quality management function also summarizes the larger ERM report in a four-page monthly risk report that is distributed to the board of directors. These summaries detail immediate and pending risks for the coming year along with mitigation efforts currently in place. Each summary includes a risk matrix detailing probability and impact for specific risks as well as relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry. Each month, the ERM staff selects and inserts an article describing issues that affect the security of electricity markets in the United States, North America, and around the globe.

At Microsoft, enterprise risk reporting occurs quarterly. The quarterly reports include updates on ERM program status and progress made toward mitigating the most critical risks facing the organization. Board presentations to a special session of the combined audit and finance committees take place semiannually. The following program principles help Microsoft execute on this reporting cycle.

• ERM is an enterprise-wide framework and program adaptable to existing risk functions, division structures, and global geographies.
• ERM increases transparency of risk to the board, senior leadership, and external stakeholders.
• ERM is integrated and embedded into corporate-wide processes so that risk information can be leveraged for decision making.
• ERM enables bidirectional input and information sharing with key governance, risk, and compliance (GRC) functions, such as Internal Audit, Windows Live Security, Corporate Privacy Group, and Information Technology Risk.
Figure 12: Fonterra’s Risk Assessment Report
Risk categories, sub-risk categories, and risk areas:

Strategic
  Strategic Direction: Operationalization of Strategy; Stabilized Organization Structure; Strategic Resource Allocation
  Ethics & Culture: The Way We Work; Knowledge Sharing; Empowerment
  Reputation: NZ & International Image; Supplier Land Management; Farming Practices
  Strategic Partnerships: BFL; China; DairiConcepts/DFA; Soprole/DPA; BFL/BSC; DPA/Nestle
  Strategic Evaluation of New Business: Post Investment Reviews; Outsourcing
  Investor Relations: Payout Forecast Management; Communications; Shareholder Council; Capital Availability; Redemption
  RDI: Innovations; Product; Market; Process; GE
  Risk Management: Implementation of Risk Management Framework
  Change Initiatives/Transformation: Project Interface; Jedi

Market
  Economic/Geopolitical: Economic Downturn; Political Instability/Sovereign Credit Risk
  Political/Regulatory: Trade Access; Quotas; Acquisition Approval; Duties
  Competitors: Industry Structure; Product Specification; Emerging Competitors; Product Substitution; Competitor Strategy/Spend
  Financial: Financial Markets/Cost of Debt; Commodity Prices; Capital Fund Raising
  Distributors: Retail Channel Structure
  Consumers: Consumer Trends; Social Trends; Demand Uncertainty; Customer Satisfaction

Operational
  S&OP Management: Demand Forecasting; Supply Forecasting; Production Planning; Logistical Planning
  Marketing Innovation: IP Protection; Product Innovation; R&D Funding; Business Case Evaluation of A&P Spend
  Brand Management: Brand Strategy/Rationalization; Brand Protection; Development; Counterfeiting
  Sales: Order Management; Sales Promotion; RDI; Pricing; Contract Management
  Production: Asset Security & Protection; Production Efficiency; Production Capacity; Product Quality/Food Safety; R&D Implementation; Asset Maintenance; Specification
  Logistics: Warehousing; Milk Collection; Product Shipment; Distribution Channel; Inventory Planning; Inventory Protection
  Project Management: Capex Approval; Post Project Evaluation; Structure; Security; Time, Cost & Quality Control
  People: Personal Health & Safety; Attract & Retain Talent; GROW; PERFORM; Capabilities; Motivation; Focus; Succession; Industrial Action; Internal Communication; Remuneration
  Transaction Processing: Order Processing; Invoicing; Cash Collection; Credit Management; Expenses; Purchases Cycle; Payroll; Trade Spend & Promotion Cycle; Milk Payout
  Information: Data Accuracy, Completeness & Timeliness; System Development; System Integration; System Failure; System Transformation (COE, Jedi, IS); Data Security; Kea
  Crisis Management: Bio-Security; Terrorism; DRP/BCP; Product Recall; Natural Disaster
  Non-Core Business: Synergy

Financial
  Financial Reporting: COA; FRS; Hyperion; SAP; Functional Currency; Core Controls
  Financial Planning: CMP/SP; Payout Forecasts; Foreign Exchange; Commodity Price Volatility; Cost of Production; Inventory Mix Valuation; Sales Mix Valuation; Volatility
  Fair Value Share Valuation: Peak Note Management; Lifecycle Planning; Working Capital; Redemption Management
  Treasury Management: Hedging; Functional Currency; Debt Raising Management
  Tax Planning: Domestic Tax Regimes; Foreign Tax Regimes
  Performance Planning & Measurement: RCM; Performance Measurement; VBM
  Fraud: Geopolitical/Cultural; Control Design & Implementation

Compliance
  Policy & Procedures: Procurement; Production Standards; HR; Treasury; Insurance; Environmental; Jedi Business Rules
  Supplier Land Management Compliance: Farming Practices
  Legal & Regulatory: Sovereign Legislation; Customs & Duties; Health & Safety/ACC; Environmental; Hazardous Substances Regulation; DIRA; Intellectual Property; Shareholder Reporting; Future Regulation

Governance
  Ethics & Culture: The Way We Work; Geographic Diversity; Empowerment; Corporate Citizenship
  Board Activities: Shareholder Reporting; Sub-Committee Delegations; Qualifications
ERM AND TECHNOLOGY: WHAT’S THE SOLUTION?

Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

As with any evolving business process, organizations attempting to embed ERM in their structures and operations are constantly searching for ways to facilitate their efforts. Each best-practice organization in this study is implementing and executing ERM in some way that fits its current business agenda and business model. Although the partners are open to a technology solution that would facilitate effective ERM implementation, the current preference to keep things simple has led these organizations to employ Microsoft Office as their primary enabling technology.

Although the study partners do automate some data collection, analysis, and reporting processes, the majority rely primarily on manual support for ERM activities. While a comprehensive and effective process automation solution remains elusive in the ERM arena, the following examples illustrate how the best-practice organizations create support processes adapted to their own cultures and strategic needs.

Fonterra uses Microsoft Office Excel for most of its ERM technology support. Within Fonterra, the perception is that implementing a formal software package would impede the organization’s ability to quickly adapt to any process or business change. Accordingly, the organization has decided not to purchase a software package explicitly for risk management. Currently, one full-time employee manages the formal risk assessment process and the supporting database.

American Electric Power (AEP)’s decision not to implement supporting technologies is similarly strategic. At this point, the organization feels that a new technology solution might hinder its ERM process. Although AEP has explored a number of software packages, it has chosen to refine its process first and let that process drive future technology decisions. By concentrating on process and open communication, the organization hopes to ensure that information is effectively shared among its functional units.

The NYISO’s core risk reporting and mitigation processes are heavily manual and supported by Microsoft Office programs such as Word and Excel. The organization is currently examining a number of ERM technology support tools, but has not fully automated its processes.

Microsoft is also exploring solutions to manage its risk and compliance activities. Since ERM is a relatively new concept, the program is investigating multiple options for building and implementing an ERM platform that can be leveraged globally. At present, the organization employs an enterprise solution based on SharePoint and SQL technology; moving forward, it plans to continue building a platform that integrates the best of Microsoft’s enterprise technologies with Microsoft Office solutions.