Enterprise Risk Management as a Core Management Process
 

Document Transcript

RISKY BUSINESS II: Enterprise Risk Management as a Core Management Process
BEST PRACTICES REPORT
Risky Business II: Enterprise Risk Management as a Core Management Process
A best practices report from APQC, in collaboration with IBM as Research Champion.*

Study Team, APQC
Gerry Swift, project manager
Angelica Wurth, special adviser
Editor: Lauren Trees
Designers: David Andrews, Connie Choate

Subject Matter Experts
Bob Paladino, founder, Bob Paladino & Associates
William Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus, University of Virginia

Contributing Authors
Stephanie Carlin, Bob Paladino, William Shenkir, Gerry Swift, Angelica Wurth

Membership Information
For information about how to become a member of APQC, and to receive publications and other benefits, call 800-776-9676 or +1-713-681-4020, or visit our Web site at www.apqc.org.

Copyright
© 2008 APQC, 123 North Post Oak Lane, Third Floor, Houston, Texas 77024-7797 USA. This report cannot be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, faxing, recording, or information storage and retrieval. Additional copies of this report may be purchased from the APQC Order Department at 800-776-9676 (U.S.) or +1-713-685-7281. Quantity discounts are available.
ISBN-10: 1-60197-148-6
ISBN-13: 978-1-60197-148-7

Statement of Purpose
The purpose of publishing this report is to provide a reference point for and insight into the processes and practices associated with certain issues. It should be used as an educational learning tool and is not a “recipe” or step-by-step procedure to be copied or duplicated in any way. This report may not represent current organizational processes, policies, or practices because changes may have occurred since the completion of the study.

* The IBM Logo is a registered trademark of IBM in the United States and other countries and is used under license. IBM responsibility is limited to IBM products and services and is governed solely by the agreements under which such products and services are provided.
TABLE OF CONTENTS

Sponsor and Partner Organizations: A listing of the sponsor organizations in this study, as well as the best-practice (“partner”) organizations that were benchmarked for their efforts in enterprise risk management.

Executive Summary: A bird’s-eye view of the study presenting the study focus, the methodology used throughout the course of the study, key findings, and a profile of participants. The findings are explored in detail in the following sections.

Study Findings: An in-depth look at the findings of this study. The findings are supported by quantitative data and qualitative examples of practices employed by the partner organizations.

Partner Organization Case Studies: Background information on the partner organizations and their innovative practices in enterprise risk management.
SPONSOR AND PARTNER ORGANIZATIONS

Sponsor Organizations
• CHRISTUS Health
• El Paso Corporation
• Lloyd’s Register Group
• Marathon Oil Corporation
• Public Service Enterprise Group (PSEG)
• U.S. Army, ARDEC
• U.S. Coast Guard
• U.S. Department of the Navy
• Visa Inc.

Partner Organizations
• American Electric Power (AEP)
• Fonterra Cooperative Group Limited
• The Hartford Financial Services Group Inc.*
• Microsoft Corporation
• New York Independent System Operator (NYISO)
• Textron Inc.

* This organization participated as a data-only partner.
Executive Summary

In today’s global business environment, leaders of organizations must deal with a myriad of complex risks, many of which carry potentially substantial consequences. Stakeholders demand that these leaders employ methodologies to uncover the risks embedded in any given opportunity as well as the risks inherent in ongoing business operations. Many businesses are implementing enterprise risk management (ERM) as a program to improve the identification, assessment, and management of risks across internal silos.

Although ERM is a relatively young management discipline, this consortium benchmarking study has identified five organizations with advanced ERM programs. The report you are about to read describes how the leaders of these organizations implemented ERM across business units and embedded ERM in core management processes to improve decision making. Throughout the report, APQC offers valuable insights on developing strategic risk management processes and fostering a risk-conscientious culture. These two components are essential for establishing an effective ERM program and are emphasized in other leading evaluations, such as Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings (2008).
— William G. Shenkir, a special adviser on this consortium benchmarking study

Research indicates that strategy execution continues to challenge many companies where executives are faced with new and more potent risks. While working on APQC’s two ERM studies in 2006 and 2008, I have observed that the ERM body of knowledge and the application of strategic risk management frameworks are still maturing. There are, however, best-practice partner organizations illuminating the path for the rest of us, and I am extremely grateful to them. Our hope is that this study will help your organization improve its ability to identify, mitigate, manage, and report on ERM in a valued manner.
— Bob E. Paladino, a special adviser on this consortium benchmarking study
STUDY SCOPE
The organizations selected for deep, detailed study through structured data collection and site visits (referred to throughout the report as “best-practice organizations” or “study partners”) demonstrate innovative performance in one or more of the following study focus areas:
1. optimizing the ERM organizational structure;
2. identifying, implementing, and maintaining supporting ERM methodologies;
3. using ERM for effective decision making; and
4. using ERM for performance improvement.
The goal of this study was to examine organizations that excel in one or more aspects of the study scope and to aggregate the best practices from all the organizations studied. To achieve this goal, the APQC study team identified potential best-practice partners that demonstrated excellence and a history of success in the four scope areas. Project sponsors then selected the final list of partners from among the candidates.

OVERVIEW OF FINDINGS
The study team discovered 10 principal findings from studying the best-practice organizations. These findings have been organized into the following chapters, which map closely to the study scope. Each chapter explores key findings and supports them with brief examples from the study partners; additional details on the best-practice organizations can be found in their respective case studies at the end of this report.

Chapter 1: Optimizing the ERM Organizational Structure
1. Best-practice organizations establish clear structures for ERM involving executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of critical risks.

Chapter 2: ERM Support Tools and Methodologies
4. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.
5. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

Chapter 3: Using ERM for Effective Decision Making
6. A focus on risk management creates a culture of informed risk takers.
7. Risk information must be effectively communicated across the enterprise in order to influence decision making.
Chapter 4: Using ERM for Performance Improvement
8. Effective risk management is evaluated as an organizational key performance indicator.
9. Best-practice organizations use risk management as an individual performance indicator.
10. Evaluation of ERM effectiveness is in the early stages of maturity.

Chapter 5: The “Essentials” of ERM
This chapter details lessons learned and critical success factors for effectively managing enterprise-wide risks.

STUDY METHODOLOGY
Developed in 1993, APQC’s consortium benchmarking study methodology (Figure 1) serves as one of the world’s premier methods for successful benchmarking. It was recognized by the European Center for Total Quality Management in 1995 as first among 10 leading benchmarking organizations’ models. It is an extremely powerful tool for identifying best and innovative practices and for facilitating the actual transfer of these practices.

Figure 1: APQC’s Benchmarking Model: The Four-Phased Methodology (Plan, Collect, Analyze, Adapt)

Phase 1: Plan
The planning phase of the study began in fall 2007. During this phase, APQC conducted secondary research to help identify innovative organizations that might participate as study partners. In addition to this research, APQC staff members and the subject matter experts identified potential participants based on their own firsthand experiences, research, and sponsor recommendations. Each recognized organization was invited to participate in a screening process. Based on the results of the screening process, as well as each organization’s capacity or willingness to participate in the study, a final list of nine potential partner candidates was developed.

A study kickoff meeting was held in April 2008, during which the sponsors refined the study scope, gave input on the data collection tools, and selected the study partners at which they would most like site visits to be conducted. Finalizing the data collection tools and piloting them within the sponsor group concluded the planning phase.

Phase 2: Collect
Three tools were used to collect information for this study:
1. screening questionnaire—qualitative and quantitative questions designed to identify best practices within the partner organizations;
2. detailed questionnaire—quantitative questions designed to collect objective, quantitative data across all participating organizations; and
3. site visit guide—qualitative questions that parallel the areas of inquiry in the detailed questionnaire, which serves as the structured discussion framework for all site visits.
Along with the nine sponsor organizations, five best-practice partners completed the detailed questionnaire: American Electric Power, Fonterra Cooperative Group Limited, The Hartford Financial Services Group Inc. (a data-only study partner), Microsoft Corporation, and Textron Inc. Four of these five organizations also hosted site visits, and study partner New York Independent System Operator hosted a fifth site visit. The APQC study team prepared a written report (case study) of each site visit and submitted it to the partner organization for approval or clarification. The case studies are included at the end of this report.

Phase 3: Analyze
The subject matter experts and APQC analyzed the quantitative and qualitative information obtained through the data collection tools. Analysis concentrated on examining the challenges that organizations face in the four study focus areas. The analysis of the data, as well as case examples based on the site visits, is contained in this report.

Phase 4: Adapt
Adaptation and improvement, stemming from identified best practices, occur after readers apply key findings to their own operations. APQC staff members are available to help create action plans appropriate for readers’ organizations.

PARTICIPANT BACKGROUND
Figure 2 describes the industry distribution of the best-practice partners that responded to the detailed questionnaire.

Figure 2: Industry Representation of Partner Organizations (percentage of partners)
• Telecommunications/Utilities: 20%
• Aerospace/Defense: 20%
• Insurance: 20%
• Food and Beverage: 20%
• Information Technology/Computer: 20%
SUBJECT MATTER EXPERTISE

Bob Paladino, CPA, Founder, Bob Paladino & Associates, LLC
Bob Paladino is the founder of Bob Paladino & Associates and a former executive and long-time implementation practitioner in the corporate performance management (CPM) field. His firm advises boards of directors and executives and offers CPM services. Formerly a leading consultant for PricewaterhouseCoopers and Towers Perrin, Paladino has been published in leading journals and is among the highest-rated speakers at corporate and industry events such as FEI, ASMI, and CFO Rising.

William G. Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus, University of Virginia
Bill Shenkir served on the faculty of the University of Virginia’s McIntire School of Commerce for almost 40 years and as dean from 1977 to 1992. He continues to consult and do research on ERM. Shenkir has published more than 50 articles and edited/co-authored eight books, three of which focus on ERM. He served on the staff of the FASB, as president of the AACSB, on numerous professional committees, and on three corporate boards. He has received the IMA’s Virginia Outstanding Educator Award and was recognized by students as one of the 10 University Distinguished Professors in the 1997 Corks and Curls.

ABOUT APQC
A recognized leader in benchmarking, knowledge management, measurement, and quality programs, APQC helps organizations adapt to rapidly changing environments, build new and better ways to work, and succeed in a competitive marketplace. For more than 30 years, APQC has identified best practices, discovered effective methods of improvement, broadly disseminated findings, and connected individuals with one another and with the knowledge, training, and tools they need to succeed. APQC is a member-based nonprofit serving more than 500 organizations around the world in all sectors of business, education, and government. Learn more about APQC by visiting www.apqc.org or calling 800-776-9676 or +1-713-681-4020.

ABOUT IBM GLOBAL BUSINESS SERVICES
With consultants and professional staff in more than 160 countries, IBM Global Business Services is the world’s largest consulting services organization. IBM Global Business Services provides clients with business transformation and industry expertise, as well as the ability to translate that expertise into integrated, responsive, innovative business solutions and services that deliver bottom-line business value. IBM Global Business Services offers industry-leading transformation consulting skills and delivery capabilities across a range of areas, including human capital management, financial management, customer relationship management, R&D management, supply chain management, and strategy and change. For more information, visit www.ibm.com.

IBM Global Business Services’ Financial Management practice focuses on enabling enterprise innovation and performance through improved finance organization efficiency and effectiveness. With more than 4,000 practitioners, Financial Management has a full suite of end-to-end capabilities to address a client’s challenges. Its capabilities include finance transformation, finance operations improvement, business performance management, business risk management, and finance enterprise applications.
Study Findings
Chapter 1 > Optimizing the ERM Organizational Structure
Chapter 2 > ERM Support Tools and Methodologies
Chapter 3 > Using ERM for Effective Decision Making
Chapter 4 > Using ERM for Performance Improvement
Chapter 5 > The “Essentials” of ERM
Chapter 1
Optimizing the ERM Organizational Structure

Chapter 1 Key Findings
1. Best-practice organizations establish clear structures for ERM involving executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of critical risks.

Risk management has evolved significantly since APQC published its initial report on the subject, Risky Business: Employing Risk Management to Sustain Growth, Mitigate Threats, and Maximize Shareholder Value. When research was being conducted for that report in 2006, many organizations had long histories of deploying risk management for specific risks such as insurance and audits, but true enterprise risk management was a fairly new endeavor. Few participants in the 2006 study had well-established ERM approaches—in fact, half of the ERM programs examined were only three to five years old. However, organizations were beginning to recognize the importance of an enterprise-wide approach to risk due to factors such as:
• the increased volatility of markets driven by competition, globalization, and technology;
• an enhanced focus on the tradeoffs among achieving financial, customer-, process-, and people-oriented results; and
• changes in regulatory oversight, from deregulation in the utility and telecom industries to recent legislation such as the Sarbanes-Oxley Act (SOX).

The best-practice partners examined in our most recent study reflect this ongoing evolution from more limited, silo-based risk strategies toward enterprise risk management. Four of the five best-practice ERM programs have existed in their current states for less than three years, and the remaining program for less than five years.

According to APQC’s past and current research, organizations at the level of ERM maturity demonstrated by the best-practice partners have integrated enterprise risk management into their strategic planning processes and analyze the likelihood and impact of risks across the enterprise, as opposed to relying on an isolated approach where they merely react to events. This report explores how best-practice organizations achieve this level of maturity and plan for continuing development. To that end, the report details how the best-practice partners ensure that ERM is treated as a core management process. It also examines optimal ERM organizational infrastructures, effective support methodologies, how ERM can influence key decisions, and how an enterprise view of risk can improve overall performance.

“ERM is a strategic and dynamic process that all our employees have a stake and ownership in to implement. In its ideal state, ERM should identify business process improvement and risk mitigation opportunities, be they physical, financial, or cultural.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

THE BUILDING BLOCKS OF ERM: ORGANIZATIONAL STRUCTURES
Best-practice organizations establish clear structures for ERM involving executive-level support.
The best-practice organizations in this study have established clear roles and responsibilities for deploying and overseeing their ERM initiatives. They also have executive sponsors in place to support the continued maturation of ERM efforts.
Figure 3 and Figure 4 provide an overview of ERM process ownership at the best-practice partner organizations. Most of the study partners have assigned core functions to oversee ERM activities as well as C-level executives to act as ERM executive sponsors. According to representatives from these organizations, clear ownership and reporting structures are crucial to communicating the importance of risk management to the work force.

Figure 3: Who Provides Executive Sponsorship for ERM? (Partners were asked to select all options that apply to their organizations; frequency of response, n=5)
• Core ERM group: 20%
• Chief risk officer (CRO): 20%
• CEO team: 40%
• CEO direct report: 40%
• CEO: 0%
• Board of directors, subcommittee: 40%
• Board of directors: 20%
• Other: 40% (chief operating officer (COO); chief financial officer (CFO))

Figure 4: Who Is Responsible for Deploying and Overseeing ERM? (Partners were asked to select all options that apply to their organizations; frequency of response, n=5)
• Core ERM group: 60%
• CRO: 20%
• CEO team: 0%
• CEO direct report: 20%
• CEO: 0%
• Board of directors, subcommittee: 0%
• Board of directors: 0%
• Other: 40% (vice president of internal audit; COO)
As you can see from Figures 3 and 4, the partner organizations employ diverse reporting structures for ERM. The study did not reveal a one-size-fits-all approach. However, all the partners effectively support the executive-level positioning of ERM through senior committees and other change agents.

Figure 5 depicts the ERM reporting structure at Fonterra, a best-practice partner in both the 2006 study and the current study. In 2006, Fonterra split its global assurance function into audit and risk, with two different reporting lines to the office of the chief financial officer (CFO). The organization integrated its ERM process into business strategy and planning; the ERM function now interacts with insurance brokers and leverages employees within the business units who are engaged in risk assessments.

Figure 5: Fonterra’s Risk Reporting Structure (organization chart of the roles reporting to the enterprise risk manager, including insurance, business risk assessment, business continuity, injury management, contract risk, and claims administration roles, plus external brokers for claims, insurance, captive, risk management, and risk engineering services)
ERM responsibility:
• ERM program
• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives and the board (including the top 20 risks)
• Business interruption evaluation
• Business continuity planning and crisis response planning
• Insurance program (strategy, policies, placement, and reporting)
• Claims management and administration
• Financial aspects of accident compensation
• Other risk management activities including contract risk, security, etc.

Fonterra’s ERM function is responsible for managing the ERM program, monitoring and reporting key risk information, evaluating business interruptions, and carrying out business continuity planning. The ERM function also manages insurance programs, claims management, financial aspects of accident compensation, and various other risk management activities such as contract risk and security.

To influence behaviors and reinforce the importance of ERM in its culture, Fonterra gave its business units a defined role in ERM. The organization expects business units to manage risks and promote certain behaviors by:
• identifying downside risks and upside opportunities for the business,
• serving as expert witnesses with deep knowledge of operations to assess risk magnitude,
• mitigating risks and monitoring emerging risks,
• collecting and reporting risk data to the ERM function for aggregation,
• enforcing compliance with risk mitigation procedures among business-unit personnel, and
• making sure that processes are in place and that costs arising from implementation strategies are planned for and budgeted.

At Textron, the ERM function reports to the vice president of audit, who reports directly to the organization’s board of directors. The business continuity management function also reports to the vice president of audit; in addition, both functions report to an operating committee comprising key managers and leaders from all Textron business units. The ERM function reports to the operating committee instead of a traditional risk committee so that it can communicate directly with the business-unit owners. This structure has enabled risk reporting to have a greater impact across the organization.

At American Electric Power (AEP), ERM is centrally managed, but key reporting responsibilities are held at the business-unit level. The name of AEP’s enterprise risk organization—enterprise risk oversight (ERO)—is intended to emphasize the group’s role: Whereas ERO oversees risks across the organization, the individual business functions are responsible for risk management process execution. In accordance with this structure, funding for risk management is incorporated into business-unit budgets. Figure 6 depicts the risk management structure at AEP. As shown, risk management involves all levels of the organization.

Figure 6: AEP’s Risk Reporting Structure
• AEP’s ERM policy sets governance structure, roles, and responsibilities.
• Audit Committee: summary report provided to the board audit committee.
• Risk Executive Committee (REC): strategic focus for monthly REC meetings.
• Enterprise Risk Oversight Function: independent oversight function.
• Functional Unit Management: management of risks.
Microsoft’s risk reporting structure centers on four risk “pillars”: strategy, finance, operations, and legal/compliance (Figure 7). Each pillar is supported by a committee and an executive sponsor responsible for coordinating the overall program approach developed by the Office of ERM. This structure is complemented by the efforts of individuals and groups in specific business units and functions where risk management specializations already existed prior to the implementation of an enterprise-wide approach.

Figure 7: Microsoft’s Risk Reporting Structure
Enterprise Risk Office (ERO) - Virtual Organizations: The Office of Enterprise Risk Management is sponsored by the vice president of internal audit and supported by the director of ERM leading and executing the overall program approach. The ERM effort is being coordinated virtually across the organization including four risk committees (pillars) each with their respective executive sponsors.
• Board of Directors: Audit and Finance Committee(s)
• Enterprise Risk Office: Executive Sponsor: VP of Internal Audit; Program Office: Director of ERM
• Strategic pillar: Chief Executive Officer; VP of Corporate Strategy; Director of Corporate Strategy
• Legal/Compliance pillar: Chief Legal Officer; VP of General Counsel; Director of Compliance; Compliance Attorney
• Financial/Reporting pillar: Chief Financial and Chief Accounting Officers; Sr. Director Compliance; Sr. Manager Compliance
• Operations pillar: Chief Operating and Chief Information Officers; General Manager; Manager

FOLLOW THE LEADER: THE ROLE OF EXECUTIVES
Senior leaders understand the significant impact of risk information.
Executive-level support for ERM is a critical success factor for the best-practice partners. Given their bird’s-eye views of the entire enterprise, senior leaders and high-level committees are uniquely positioned to understand and oversee an organization’s overall risk picture. What is the role of these leaders regarding ERM, and how and why did this role develop? What is the value of their involvement in ERM? The following examples detail senior leadership’s unusually high level of direct involvement in ERM at the partner organizations.

At the New York Independent System Operator (NYISO), responsibility for ERM resides within the organization’s risk, compliance, and quality management function. The head of this function reports directly to the CEO and board of directors, who were the organization’s original ERM champions. As ERM’s executive sponsor, the CEO also acts informally as the chief risk officer. Additional risk management responsibilities are spread throughout the organization. For example, the general
counsel is the chief compliance officer. Cyber and physical security risks fall within the domain of the enterprise security function’s business continuity planning department. A senior risk specialist is responsible for insurance program contracts, structure, loss control, and reporting, as well as the administration of the ERM process and national trends analysis related to the overall power generation and distribution industry. This trend information is provided to the board and CEO.

Textron’s board of directors plays a significant role in ERM. Specifically, the board:
• sets ERM expectations,
• communicates that ERM is an integral part of the overall management and governance structure,
• provides input and oversight for all aspects of ERM, and
• funnels concerns about specific risks into the ERM process.

At Fonterra, enterprise-wide risk strategy is based on board-level recognition that the organization must effectively manage risk in order to grow and be successful. Risk management is integrated across the organization and supported by senior leaders, including the CFO and the chair of the board’s audit, finance, and risk committee. In addition, ERM roles and responsibilities are cascaded down to the specific business units.

A HOLISTIC VIEW
A holistic approach to risk management enables improved understanding of critical risks.
Organizations that incorporate identified risks into strategic planning make better decisions and are more likely to achieve their strategic objectives. But how do organizations ensure that they understand their own risk universes and then effectively leverage resources to mitigate risks? How do they confirm that all relevant risks are included in their risk assessment processes? How do certain risks offset one another? Because these questions are central to the idea of ERM best practices, a key objective of this study was to examine how organizations develop an understanding of their own critical risks. The following examples illustrate some of the methods used by the partner organizations.

The NYISO focuses on risks that fall into three broad categories: reliability (resources and fuel costs/availability), markets (legislative/political, finance and credit, and billing), and reputation (legal/regulatory issues and compliance). These three categories are further broken down into 17 areas of risk that are leveraged throughout the organization:
    • Ch apter 1 Optimizing the ERM Organizational Structure•  infrastructure •  credit exposure, •  market participants,•  resources, •  press/media, •  fraud,•  financial, •  security, •  retention,•  compliance, •  billing, •  political climate, and•  execution, •  market design, • market•  seams, •  regulator relations, administration.Risks aligning to these categories are tracked according to a hybrid framework thatcombines those of the Risk and Insurance Management Society (RIMS) and theCommittee of Sponsoring Organizations of the Treadway Commission (COSO). TheNYISO uses matrix scales and heat maps that list each of the organization’s 17 riskcategories according to probability and impact. The list of risks changes periodically,with new risks added and others replaced or subsumed under other categories.Figure 8 illustrates how the NYISO defines its risks to facilitate strategic decisionmaking. The NYISO’s Risk Rating Definitions Impact to Impact Reliability Reputation Markets Low/No Affects local reliability, 0 to $100,000 Small process/procedural Impact non-mission-critical errors that impact limited systems stakeholder segments Some Affects zones outside $100,000 to Continuous mistakes in Impact J&K, non-mission-critical $1 million processes that affect systems not operational stakeholders and indicate NYISO inability to correct Serious Affects zones J&K, $1 million to NYISO fails to meet regulatory Impact mission-critical $5 million compliance issues/NYISO systems affected execution causes marked disruptions Most Affects all of the In excess of Regulators, market participants, Severe state’s control area $5 million and media severely impugn Impact mission-critical NYISO reputation, with NYISO systems unable to influence outcome Improbable—unlikely to affect Imminent—likely to affect NYISO within NYISO within one year one quarter Possible—may affect NYISO Immediate—the risk presently affects NYISO within one year Figure 8 Risky Business II: Enterprise Risk 
Management as a Core Management Process 19
At Fonterra, the organization has defined the purpose of ERM in order to articulate the why and how of enterprise risk. For example, Fonterra identifies “assist” as a key ERM activity: This refers to assisting the financial success of the business by providing a forum and methodology for evaluating and prioritizing potential risk improvement opportunities and understanding their financial and other impacts.

Additionally, Fonterra is establishing risk champions within each key business. Risk champions will spend several days in risk assessment workshops designed to help individuals identify and manage key business risks. Risk champions will also become business liaisons to the risk function.

Fonterra assesses risks using a database that, in turn, populates the organization’s risk profiling report. The database and report, which are discussed further in Chapter 2, illustrate the types of data fields that reporting employees must complete in order for the ERM function to accurately assess high and significant risks.

According to Textron, every risk is quantifiable. The organization’s ERM function works closely with the business units to determine costs for specific risks. In some cases, the organization estimates a range to illustrate best- and worst-case scenarios, and each risk cost is factored into an overall cost average. A coordinator for each business unit works directly with the ERM function to ensure that Textron has a clear view of critical risks. In addition to spending 10 to 14 hours each quarter coordinating risk information, these individuals help subject matter experts in their business units and councils compile and assess risk data.
The primary benefit of this structure is that it brings together experts who understand the risks with risk coordinators who understand the process; rather than training a large number of employees on ERM, Textron aims to keep risk management intelligence flowing between ERM coordinators and the ERM function.

Textron uses an ERM input tool to capture key risk data. For each risk, ERM coordinators help subject matter experts collect data in five key categories:
1. basic risk information—such as title, description, failure mode, and cause;
2. gross risk information—the cost of the risk event and the probability of occurrence (in annual terms) if no mitigations were in place;
3. current risk information—the cost of the risk event and the probability of occurrence (in annual terms) with all current mitigations in place;
4. decision—whether or not further action is required; and
5. expected risk—details on impact and likelihood.

Data from this input tool is entered into an Excel spreadsheet that can be tracked and used for reporting purposes. The spreadsheet is color-coded so that, if the “decision” category indicates that further action is required, then the risk is automatically highlighted in red.
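As an added example (not code from the report, Textron, or the NYISO), the following Python sketch turns the input-tool categories above and the NYISO dollar bands from Figure 8 into a small risk register: it computes gross and current expected annual loss for each risk, flags any risk whose current exposure still exceeds an assumed acceptable-loss threshold as requiring further action (colour-coded red, as in the spreadsheet), and bands the dollar impact. The sample risks, the threshold, the field names, and the validation rules are constructed assumptions for this example.

```python
"""Risk-register calculator: an added example, not code from the APQC report or
any partner organization.

It combines two ideas from the chapter: Textron's ERM input tool, which captures
each risk's event cost and annual probability both without mitigations (gross
risk) and with current mitigations in place (current risk), plus a decision on
whether further action is required; and the NYISO's dollar bands for market
impact ($100,000 / $1 million / $5 million). The acceptable-loss threshold, the
field names, the sample risks, and the validation rules are assumptions made for
this example.
"""
from dataclasses import dataclass

# NYISO market-impact bands from Figure 8: (upper bound in dollars, label).
IMPACT_BANDS = (
    (100_000, "Low/No Impact"),
    (1_000_000, "Some Impact"),
    (5_000_000, "Serious Impact"),
    (float("inf"), "Most Severe Impact"),
)


@dataclass(frozen=True)
class Risk:
    """One row of the input tool (field names are this example's assumption)."""
    title: str
    gross_cost: float            # cost of the event with no mitigations
    gross_probability: float     # annual probability with no mitigations
    current_cost: float          # cost with all current mitigations in place
    current_probability: float   # annual probability with current mitigations

    def __post_init__(self) -> None:
        # Reject inconsistent entries before they skew the register: probabilities
        # must lie in [0, 1], and mitigations cannot make a risk worse than gross.
        for p in (self.gross_probability, self.current_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.title}: probability {p} outside [0, 1]")
        if (self.current_cost > self.gross_cost
                or self.current_probability > self.gross_probability):
            raise ValueError(f"{self.title}: current risk exceeds gross risk")

    def gross_expected_loss(self) -> float:
        return self.gross_cost * self.gross_probability

    def current_expected_loss(self) -> float:
        return self.current_cost * self.current_probability


def impact_band(cost: float) -> str:
    """Map a dollar impact to the NYISO market-impact label (Figure 8)."""
    for upper, label in IMPACT_BANDS:
        if cost <= upper:
            return label
    raise AssertionError("unreachable: the last band is unbounded")


def assess(risk: Risk, acceptable_expected_loss: float) -> dict:
    """Textron-style record: gross, current, mitigation effect, decision, colour."""
    gross = risk.gross_expected_loss()
    current = risk.current_expected_loss()
    reduction = 0.0 if gross == 0 else 1.0 - current / gross
    further_action = current > acceptable_expected_loss
    return {
        "title": risk.title,
        "gross_expected_loss": gross,
        "current_expected_loss": current,
        "mitigation_reduction": reduction,
        "gross_impact_band": impact_band(risk.gross_cost),
        "current_impact_band": impact_band(risk.current_cost),
        "further_action_required": further_action,
        "status_colour": "red" if further_action else "green",
    }


def build_register(risks, acceptable_expected_loss: float) -> list:
    """Assess every risk and order the register by gross exposure, largest first."""
    rows = [assess(r, acceptable_expected_loss) for r in risks]
    return sorted(rows, key=lambda row: row["gross_expected_loss"], reverse=True)


# Constructed sample data: three hypothetical risks, not any organization's figures.
SAMPLE_RISKS = (
    Risk("Regulatory fine", 3_000_000, 0.05, 3_000_000, 0.04),
    Risk("Billing system error", 500_000, 0.40, 250_000, 0.20),
    Risk("Loss of primary data center", 8_000_000, 0.10, 2_000_000, 0.05),
)
ACCEPTABLE_EXPECTED_LOSS = 75_000  # assumed risk appetite for this example

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, ACCEPTABLE_EXPECTED_LOSS):
        print(f"{row['title']:<30} gross ${row['gross_expected_loss']:>10,.0f} "
              f"current ${row['current_expected_loss']:>9,.0f} "
              f"({row['mitigation_reduction']:.0%} reduction) "
              f"{row['current_impact_band']:<18} {row['status_colour']}")
```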
AEP divides risks into two categories: monitored risks and high-impact risks. Monitored risks are generally easier to quantify and have governing policies focused on limits and controls. These risks are monitored for status changes and to ensure that the controls in place are working. By contrast, potential high-impact risks are more difficult to quantify. High-impact risks are often operational or physical risks and are typically addressed by programs, rather than limits. In general, these risks would have an impact on one or more monitored risks. AEP’s risk executive committee, which is made up of senior executives who manage a significant amount of risk for the organization, focuses its discussions on high-impact risks.

As previously mentioned, AEP’s functional units are responsible for analyzing, assessing, managing, and mitigating their own risks. Functional units provide monthly risk reports that include risk information such as metrics (where possible), current status, trends, strategy and mitigation, and emerging risk areas. These reports are reviewed by the enterprise risk oversight function, which then prepares a high-level summary for the risk executive committee. Reports from functional units are compiled in a binder that is provided to all risk executive committee members prior to each meeting. This enables committee members who want more detail to read about specific risks prior to the meeting and come prepared with questions. The high-level summaries are also reviewed by the board audit committee, which sits at the top of AEP’s organizational structure for ERM.

Risks reported to the risk executive committee cover a very broad range of issues; some are quantifiable, but others are not. Also, because risks change over time, AEP continuously revises the list of reported risks. Some risks are reported on a long-term basis, whereas others are reported for several months and then removed from reporting.

CONCLUSION

The best-practice partners featured in this report have created ERM organizational structures that facilitate fluid collaboration around risk management. Involvement and support from senior leaders convey the value of managing risk to the rest of the organization. By combining an infrastructure that places high visibility on risk management with senior leaders that understand the importance of effectively identifying and assessing risks, the best-practice organizations ensure that strategic objectives will be met. Partners emphasize that ERM must be viewed holistically in order for organizations to properly identify, aggregate, and assess all types of risk and then incorporate the results of their analyses into strategic decision making.
Research Champion Perspective from IBM Global Business Services
Optimizing the ERM Organizational Structure

This study clearly shows that there is no “best” way to structure and manage an ERM program. But as we reflect on the different organization structure approaches taken by the best-practice partners, a couple of observations come to mind, particularly in light of recent IBM research in this area. The first is the role of the “risk manager,” a title used in many organizations and throughout the literature on ERM. The second is the linkage of risks to business processes and the associated management responsibilities and performance measurements, a topic we will discuss further in our Research Champion Perspective for Chapter 4 of this report. Importantly, we see these two points as intrinsically linked through the convergence of risk and performance management.

In organizations and structures where the ERM function is stand-alone and tasked with risk management (as opposed to policy and process formulation), the risk manager typically owns the risks and mitigation solutions. For example, a supply chain risk manager may be expected to “gain a clear understanding of the supply chain process, its key exposures and values, and to develop a plan to minimize the adverse effects of the identified exposures on the organization.”1 In such a structure, the risk manager must identify, assess, and manage the risks that might impact that process. But where does this approach leave the supply chain manager, the individual who owns the underlying process and is responsible for the supply chain team? How does he or she manage the process and resolve issues, pro- or re-actively? If there is a failure (i.e., a risk event) in the supply chain, who is responsible for (1) its resolution, (2) its mitigation, and (3) its performance implications?
Put very bluntly, where does the buck stop, and which performance metric will be affected? Our view is that business process owners should own the responsibility for risk management as a core part of their day-to-day management responsibilities. In this way, they can assess risks and alternatives with full understanding of the short- and long-term impacts of those options and make the most appropriate trade-offs for success of the process. On the other hand, a stand-alone risk manager might accept/avoid/mitigate risks which need not be so handled given the alternatives available to the process owner.

But do not construe this perspective as a rejection of the role of the risk manager: He or she has a key role as an adviser to the process owner, acting in much the same manner as a financial, human resources, or information systems expert would. The risk manager should establish the risk management process, ensure its appropriate execution—including a reporting line to executive management if the process is not followed—and advise the process owner of alternative strategies. This is a key role required by every enterprise, but one that still leaves decision-making responsibility in the hands of process and business owners, thereby supporting a more effective performance measurement assessment structure.

1. Ron Stokes. “Understanding Supply Chain Risk.” Risk Management, August 2008 (www.rmmag.com).
Chapter 2: ERM Support Tools and Methodologies

Chapter 2 Key Findings
1. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.
2. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

Two of the most pressing concerns for organizations implementing ERM initiatives are: “What is the process for identifying and assessing risks?” and “How do you roll out risk management across an enterprise?” To answer these questions, this report explores the steps that best-practice organizations have taken to integrate risk management into the way they work.

Whereas Chapter 1 focused on the best-practice partners’ organizational infrastructures, this chapter details the methodologies and tools that partners use to identify, assess, monitor, and report enterprise-wide risks.

A METHOD TO THE MADNESS

Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.

The study participants leverage many different techniques to assess risks and collect and report risk information; for the most part, this diversity reflects the organizations’ unique work approaches. However, one commonality among the best-practice partners is that they all make distinctions between ownership of a specific risk and facilitation of the ERM process. Most partners rely on a combination of risk maps, scenario analysis, Microsoft Office applications, and home-grown software to aggregate and identify key risk categories (Figure 9). When organizations can catalog and pinpoint significant risks, they are better able to ensure that those risks are thoroughly understood, closely tracked, and periodically reviewed.

Figure 9: Technologies, Applications, Techniques, and Methodologies Used for ERM
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
Risk maps: 60%
Bowtie diagrams: 0%
Failure mode effects analysis (FMEA): 40%
Influence diagrams: 0%
Risk registers: 40%
Scenario analysis: 60%
Fault tree/event tree: 20%
Off-the-shelf application: 40%
Home-grown application: 60%
ERP: 0%
MS Office: 80%
Other: 0%

To capture key risk data, Textron uses an ERM input tool based on failure mode effects analysis (FMEA).2 Data from this input tool is entered into an Excel spreadsheet for reporting purposes and color-coded to indicate whether or not a risk requires further action.

The spreadsheet data populates risk radars (Figure 10), which highlight Textron’s significant risks and associate those risks with dollar amounts related to net operating profits. Risk radars track gross risk and are color-coded to indicate whether further action is required; risks are graphed so that the likelihood of a risk occurring in the next year is represented on the X-axis and annual net operating profit is represented on the Y-axis. For example, Risk A in Figure 10 was initially estimated at approximately $2 billion, but through mitigation and control efforts, that exposure was reduced by about half. However, since the level of exposure is still considered unacceptable, Risk A is depicted as a box, indicating that further action is required. Throughout Textron’s risk radars, embedded links guide users to more detailed information from the risk database.

Figure 10: Textron’s Significant Risks Radar (sample risk data)
X-axis: likelihood of occurrence in the next year (0%, 25%, 50%, 75%, 100%). Y-axis: $ measured in annualized NOP ($0, $35M, $70M, $105M, $140M, $500M, $1B, $2B).
Legend: risk reduced to an acceptable level; further action required (shown as a box); gross risk.
Risk / Owner / Initial / Complete (risk names are not shown in the sample data)
A / Crisis Management / 1Q06 / TBD
B / Finance Council / 1Q06 / 1Q06
C / IMC / 1Q06 / 1Q06
D / TFC / 1Q06 / 1Q06
E / Bell / 1Q06 / 1Q06
F / Legal Council / 1Q06 / 1Q06
G / Bell / 1Q06 / 1Q06
H / Finance Council / 1Q06 / 1Q06
I / Finance Council / 1Q06 / 1Q06
J / Bell / 1Q06 / 1Q06
K / Kautex / 1Q06 / TBD

2. APQC defines FMEA as “a well documented, proven technique commonly used to evaluate the risk for failures in product and process designs” (2007).

Fonterra uses a risk database to support risk assessment and evaluation across the enterprise. Figure 11 provides an example of how Fonterra presents data captured during the risk assessment process. Although the figure contains only sample data, it illustrates the types of data fields that must be completed in order to accurately assess high and significant risks. For example, the reporting employee must clearly define the context and objective of a given activity/process and then identify the risks that could prevent the accomplishment of that objective. Each risk is assigned an owner and a category, which allows the organization to aggregate risks into groups. The forms include a representation of “inherent” risk in terms of impact and likelihood displayed on a heat map, a review of controls to mitigate risks, and a scoring of residual risks in terms of impact and likelihood displayed on a heat map.

Figure 12 depicts an example of Fonterra’s risk assessment report, which provides an overview of risk by category. This data flows to the business units so that decision makers can better understand key risks.

At the New York Independent System Operator (NYISO), risk identification and reporting are the responsibility of the business units. Risk owners—those owning the business processes—are expected to report known risks, their status, and mitigation efforts on a monthly basis.

As part of establishing its ERM program, the NYISO mapped out every function and process in the organization and then created an executive summary and supporting report detailing each risk along with its triggers and status. The risk, compliance, and quality management function updates this ERM report every month based on business-unit-level reporting and mitigation efforts. Thus, the quality of the overall ERM report depends on the accurate monitoring and reporting of risks by the business units.
Figure 11: Fonterra’s Formal Risk Assessment Process (Risk Management Framework - Risk Profiling Report)
Context/Objective: Guaranteed ability to process milk from shareholders
Risk: Reduced ability to supply milk to site for a period longer than 24 hours
Volatility: Increasing over time
Risk Owner: GM Milk Supply
Risk Category (optional entry): Milk Collection and Transport
Process Category (optional entry): Operational

INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls
Causal Factors: road closure from flood; road closure from landslip; loss of power to the site for milk transfer >24 hours
Expected Consequences/Impact: unable to receive all milk supplies; worst reasonable case estimate 50% loss of milk for 6 days following landslip
Potential Cost: NZ$1M - NZ$10M
Inherent Likelihood (1-10): 9
Inherent Consequence/Impact (1-10): 6
Inherent Risk Rating: HIGH
(Heat map: potential business impact WITHOUT the benefit of controls, plotted on likelihood and impact axes scaled 1, 3, 5, 7, 9.)

The NYISO’s risk, compliance, and quality management function also summarizes the larger ERM report in a four-page monthly risk report that is distributed to the board of directors. These summaries detail immediate and pending risks for the coming year along with mitigation efforts currently in place. Each summary includes a risk matrix detailing probability and impact for specific risks as well as relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry. Each month, the ERM staff selects and inserts an article describing issues that affect the security of electricity markets in the United States, North America, and around the globe.

At Microsoft, enterprise risk reporting occurs quarterly. The quarterly reports include updates on ERM program status and progress made toward mitigating the most critical risks facing the organization.
Board presentations to a special session of the combined audit and finance committees take place semiannually. The following program principles help Microsoft execute on this reporting cycle.
• ERM is an enterprise-wide framework and program adaptable to existing risk functions, division structures, and global geographies.
• ERM increases transparency of risk to the board, senior leadership, and external stakeholders.
• ERM is integrated and embedded into corporate-wide processes so that risk information can be leveraged for decision making.
• ERM enables bidirectional input and information sharing with key governance, risk, and compliance (GRC) functions, such as Internal Audit, Windows Live Security, Corporate Privacy Group, and Information Technology Risk.
Figure 12: Fonterra’s Risk Assessment Report
The report lists risk categories, sub-risk categories, and the specific risk areas under each. The category structure recoverable from the figure is:

Strategic: Strategic Direction; Strategic Resource Allocation; Reputation; Strategic Partnerships; Strategic Evaluation of New Business; Investor Relations; RDI; Risk Management; Change Initiatives/Transformation

Market: Economic/Geopolitical; Political/Regulatory; Competitors; Financial; Distributors; Consumers

Operational: S&OP Management; Marketing & Innovation; Brand Management; Sales; Production; Logistics & Warehousing; Project Management; People; Transaction Processing; Information; Crisis Management; Non-Core Business

Financial: Financial Reporting; Financial Planning; Volatility; Working Capital; Treasury Management; Tax Planning; Performance Measurement; Fraud; Control Design & Implementation

Compliance: Policy & Procedures; Business Rules & Compliance; Legal & Regulatory

Governance: Ethics & Culture; Corporate Citizenship; Board Activities

Examples of the risk areas listed under individual sub-categories include, for Production: Asset Security & Protection, Production Efficiency, Production Capacity, Product Quality/Food Safety, R&D Implementation, Asset Maintenance; for Information: Data Accuracy, Completeness & Timeliness, System Development, System Integration, System Failure, System Transformation, IS Data Security; and for Crisis Management: Bio-Security, Terrorism, DRP/BCP, Product Recall, Natural Disaster.
ERM AND TECHNOLOGY: WHAT’S THE SOLUTION?

Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

As with any evolving business process, organizations attempting to embed ERM in their structures and operations are constantly searching for ways to facilitate their efforts. Each best-practice organization in this study is implementing and executing ERM in some way that fits its current business agenda and business model. Although the partners are open to a technology solution that would facilitate effective ERM implementation, the current preference to keep things simple has led these organizations to employ Microsoft Office as their primary enabling technology. Although the study partners do automate some data collection, analysis, and reporting processes, the majority rely primarily on manual support for ERM activities. While a comprehensive and effective process automation solution remains elusive in the ERM arena, the following examples illustrate how the best-practice organizations create support processes adapted to their own cultures and strategic needs.

Fonterra uses Microsoft Office Excel for most of its ERM technology support. Within Fonterra, the perception is that implementing a formal software package would impede the organization’s ability to quickly adapt to any process or business change. Accordingly, the organization has decided not to purchase a software package explicitly for risk management. Currently, one full-time employee manages the formal risk assessment process and the supporting database.

American Electric Power (AEP)’s decision not to implement supporting technologies is similarly strategic. At this point, the organization feels that a new technology solution might hinder its ERM process. Although AEP has explored a number of software packages, it has chosen to refine its process first and let that process drive future technology decisions. By concentrating on process and open communication, the organization hopes to ensure that information is effectively shared among its functional units.

The NYISO’s core risk reporting and mitigation processes are heavily manual and supported by Microsoft Office programs such as Word and Excel. The organization is currently examining a number of ERM technology support tools, but has not fully automated its processes.

Microsoft is also exploring solutions to manage its risk and compliance activities. Since ERM is a relatively new concept, the program is investigating multiple options for building and implementing an ERM platform that can be leveraged globally. At present, the organization employs an enterprise solution based on SharePoint and SQL technology; moving forward, it plans to continue building a platform that integrates the best of Microsoft’s enterprise technologies with Microsoft Office solutions.
Like many organizations, Microsoft faces challenges associated with the volume and complexity of external compliance obligations. There are numerous overlapping compliance requirements that must be integrated with ERM, including SOX, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard, anti-corruption, privacy regulations, trade compliance, and so on. All these compliance requirements involve different tools, and the organization believes that even more tools will be added in future, further complicating the technology infrastructure. Microsoft’s proposed solution to address such issues is to leverage the best of its technology through a platform approach termed “OneCompliance,” which supports compliance with multiple regulations and standards. The approach involves optimizing available resources that focus on risk management, controls, and compliance while reducing duplication and time/cost requirements.

CONCLUSION

As the results of this study indicate, there are many ways to effectively operationalize risk management. Partners use a variety of tools, methodologies, and applications to support ERM. However, one commonality among the partners’ approaches is an emphasis on clear risk aggregation and reporting. Aggregation surfaces key significant risks that impact the organization, leading to a more thorough and informed understanding of risk.

Although the best-practice organizations employ both automated and manual processes to manage risk, Microsoft Office is the technology of choice for supporting ERM at this time. Many of the partners have just begun to think about how more complex software and systems might be used to support the unique demands of ERM. We can expect to see new technologies emerge as ERM processes mature.
Research Champion Perspective from IBM Global Business Services
ERM Support Tools and Methodologies

In terms of the study results, the relatively limited use of specialized technology was the area of greatest surprise to IBM, and we believe that this finding will be equally surprising to other organizations. IBM had expected to see much broader use of ERP and/or other “best of breed” software tools to support and drive ERM processes, but clearly this is not the case, at least not yet. In fact, the limited use of such tools has been affirmed by other research undertaken by IBM.

The next logical question is akin to the “chicken and egg” analogy: Is the use of technology limited because the tools do not yet meet industry’s needs, or do the tools not exist because there is limited demand? Although there is no right answer, of course, we believe that the former is the primary limitation at this time, and we believe that the current economic conditions will in fact increase the demand for technology solutions as a means of more timely and effective management of risks. The effort many organizations expend to identify, assess, prioritize, track, measure/analyze, and report on risks will increase—at least to some degree—the use of automated tools, and such tools will start to be viewed as assets.

But it must be recognized that most risks will always be heavily managed by human judgment, models and quantitative limits notwithstanding. And therein lies the challenge for developers of tools: How to build something that will regularly be overridden by human interpretation and gut feel to provide a dynamic view of risk. Many advanced technologies allow users to simply turn built-in controls on or off, in essence partially allowing the user to determine if and the extent to which automated approaches may be used in controls and risk management.
In addition, a combination of “push” and “pull” reporting is generally required. “Push” reporting is required for any controls or limits violations, such as an employee not submitting a time report on a weekly basis or a production line deviating from quality parameters; in such cases, management must be notified so that corrective action can be taken. On the other hand, more analytical situations can be effectively assessed with “pull” reporting; for example, aggregate accounts receivable trends and balances by customer can be analyzed by a manager at intervals—within reasonable bounds—of his or her choosing, although specific limit violations might “push” reports to that same manager.
Chapter 3: Using ERM for Effective Decision Making

Chapter 3 Key Findings
1. A focus on risk management creates a culture of informed risk takers.
2. Risk information must be effectively communicated across the enterprise in order to influence decision making.

Almost all of the study partners value ERM for the impact it has on decision making. ERM programs can justify their existence and contribute to overall organizational performance by offering insight into short- and long-term risks. However, deriving value from ERM requires that organizations approach risk from a holistic perspective and act on risk information in a manner that mitigates risks and maximizes opportunities. If an organization fails to translate the knowledge gained from ERM into action, then the program may falter and become a process without a purpose.

Most of this study’s best-practice partners have processes that guide the application of ERM information to support short-term, tactical, and/or long-term and strategic decisions. Communication vehicles—whether formal or informal—are important to the effectiveness of such processes. Tools and methods for sharing risk data across the organization help facilitate better decision making.

During this study, partners were asked how ERM influences short-term and tactical decision making. As Figure 13 demonstrates, study participants use ERM in a variety of ways to support such decisions. For example, the majority of partners leverage ERM information when considering business expenditures and planning projects. Clearly, the ability to integrate ERM into decision making helps prepare organizations to act quickly in response to short-term or tactical events that impact the business.

The best-practice organizations were also asked how ERM helps facilitate long-term planning.
Since ERM activities are generally designed to assist with both short-term and long-term decisions, it is not surprising that a majority of the study partners use ERM information for processes such as planning, budgeting, and forecasting.

RISK MANAGEMENT FOR MORE INFORMED RISK TAKING
A focus on risk management creates a culture of informed risk takers.

Most of the best-practice organizations in this study use methods and tools that allow risk data to flow freely between ERM functions, business units, and senior decision makers. Risk managers and end-users employ risk information when making day-to-day, short-term, and long-term decisions. The widespread sharing of risk information helps these organizations enhance the strategic nature of their decision-making processes and contributes to better decisions.
Figure 13. How the ERM Process Supports Short-Term/Tactical Decisions
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
• ERM information is used for considering business expenditures: 80%
• ERM information is used in daily activities: 20%
• ERM information is used for project planning: 60%
• Other: 20% (prioritization of risks mitigated, identified, and assessed through annual risk review)

Some organizations, such as American Electric Power (AEP), rely on informal links between risk functions and senior management to facilitate decision making. As discussed in Chapter 1, under AEP’s risk structure, risk information flows from functional business units to the audit committee through the risk executive committee. Although there is no clear directive for the risk executive committee that pertains to decision making, the discussions that occur at risk meetings create a ripple effect throughout the organization, and outcomes from the meetings often have strategic impact. For example, shifts in budget dollars or changes to risk mitigation efforts are often indirectly linked to risk executive committee meetings.

Other elements of AEP’s risk structure and reporting also affect decision making. Throughout the year, the organization strives to identify risks that may influence strategic plans and prevent the achievement of corporate objectives. In addition, each functional business unit reports on risks using green, yellow, or red to indicate current status. Business units must present mitigation strategies for all risks that are color-coded red, and a risk that is assigned a red rating is usually addressed—or at least discussed—by the risk executive committee. This approach helps the risk executive committee recognize trends and assign priorities.
However, according to AEP, it is difficult to compare one functional unit’s red-level risks against those of another functional unit. Furthermore, a risk coded red by a functional unit is not necessarily of strategic importance to the organization. For these reasons, the organization views the color-coding system as a useful but limited decision-making tool.
At the New York Independent System Operator (NYISO), the risk, compliance, and quality management function provides a monthly ERM report detailing every risk along with its triggers and status. The board’s audit and compliance committee reviews and discusses the ERM report at least once a quarter—with line-by-line scrutiny—and provides guidance to management on risk tolerances and mitigation.

The NYISO’s ERM efforts alert employees and management to cross-functional issues affecting voltage system reliability in both the immediate and long term. These endeavors also support the organization’s effective economic dispatch of energy and compliance efforts in accordance with local, state, and federal guidelines. Such compliance monitoring took on greater meaning for the NYISO after new Federal Energy Regulatory Commission (FERC) reliability standards were introduced in 2007. These standards, which had to be operational by July 2008, include 817 standards applying to the NYISO. In some cases, noncompliance can result in a penalty of as much as $1 million a day.

Fonterra has a clearly articulated process that integrates ERM results into strategic decision making. Most risk data is reviewed by the ERM function so that it can be aggregated for senior leadership. Accordingly, Fonterra’s ERM function serves as a clearinghouse for all risk data. In this role, the ERM function is able to effectively weigh business risk against organizational impact and identify risks that are of corporate significance to senior leadership. Fonterra senior leaders then review all risk data—formal or informal—in order to make informed decisions.

At Fonterra, risk information is linked to strategic policy and dispersed to business units that use the data for budgeting and forecasting, business planning, capital evaluations, mergers and acquisitions, and project evaluations.
The organization also links ERM to business continuity planning and the outcomes of business projects and project reviews that feed into the business planning process.

In addition, Fonterra uses risk assessments when expanding its businesses abroad. In China, for example, the organization established a farm with cattle shipped from New Zealand in order to manage risks related to the milk supply for that country.

Fonterra focuses its risk assessment activities on a number of areas and links them to key business decisions that are categorized as operational, strategic, or financial. When the organization is faced with a strategic decision, it uses a detailed risk management framework process to identify and assess associated risks. Figure 14 (page 34) provides an overview of Fonterra’s risk management framework process, which is based on the Australia and New Zealand Standard Risk Management (AS/NZS 4360, also referred to as Risk Standard 4360).
Figure 14. Overview of Fonterra’s Risk Management Framework Process
Three stages (1. Create Risk Map; 2. Develop and Monitor Management Plans; 3. Report Upon Risk) span seven steps: establish the context, identify the risks, assess the risks, evaluate the risks, risk response decision, risk strategy, and risk reporting. Two activities run alongside every step: communication and consultation, and monitor and review.

As a result of ERM efforts, organizations are positioned to take more calculated business risks. A case in point is found at Textron. When Textron targets a company for acquisition, that company’s risks are identified and evaluated before Textron decides whether to make the acquisition. In the future, the organization plans to use risk radars and risk summaries to evaluate all potential mergers and acquisitions.

To facilitate the business ownership of risk, Microsoft has defined short-term, intermediate, and long-term themes within its ERM strategy and road map. The short-term theme is focused on strengthening the foundation for ERM and building awareness across the organization. Microsoft has already met its short-term goals and, in most cases, is executing the second cycle of these initial goals. Microsoft’s intermediate theme focuses on establishing a risk management culture and achieving deeper integration into the business. Efforts are currently underway to meet goals related to this intermediate theme. Microsoft’s long-term plans center on optimizing ERM. Specifically, the goal is to extend ERM practices across all divisions and geographies by leveraging an integrated platform of risk data.
With its current structure, strategy, and disciplined approach to ERM, Microsoft believes it is well on its way to establishing a sustainable program that is capable of achieving the organization’s overall vision: “Through ERM’s leadership, management’s value creation and value protection decision making enables Microsoft to become the most universally trusted and respected company in the world.”
SHARING RISK INFORMATION TO FACILITATE DECISION MAKING
Risk information must be effectively communicated across the enterprise in order to influence decision making.

Frequent and comprehensive communication of risk information is one of the most important factors in deriving value from ERM. Without effective communication strategies and mechanisms, leaders have no access to ERM data and cannot make informed decisions. This is evidenced by the fact that all the partner organizations in this study communicate ERM data on an as-needed basis (Figure 15). When important risk data is obtained or uncovered, best-practice organizations use considerable resources to make sure that the data reaches senior leaders as quickly as possible.

Figure 15. How Often Do Risk Owners Use Risk Information to Make Decisions?
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
• At strategic sessions: 40%
• As needed: 100%
• On a quarterly basis: 40%
• On a monthly basis: 40%
• On a weekly basis: 0%
• On a daily basis: 20%
• Other: 20% (varies by functional area)

At the NYISO, the risk, compliance, and quality management function summarizes ERM information in a four-page monthly risk report for the board of directors. The summary lists immediate and pending risks for the coming year along with mitigation efforts currently in place. It includes a risk matrix detailing probability and impact for specific risks as well as relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry, and an article selected each month describes issues that affect the security of the electricity markets in the United States, North America, and around the globe.
Figure 16 highlights the types of risk information that the best-practice partners share internally to facilitate decision making. Risk impact, likelihood, and existing risk controls are the risk data sets most commonly shared across the enterprise.

Figure 16. Types of Risk Information Used to Make Decisions
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
• Cost of risk mitigation: 40%
• Existing risk controls: 100%
• Risk tolerance: 60%
• Relevance to strategic objectives: 60%
• Organizational resiliency: 60%
• Time horizon: 60%
• Risk impact: 100%
• Risk likelihood: 80%
• Other: 40% (quality and quantity of information about the risk; preparedness)

Among the study participants, meetings are one of the most frequently employed communication methods; 100 percent of the best-practice organizations use meetings to impart key risk data (Figure 17). More than half of the partners also conduct presentations and workshops to share risk information. Eighty percent of the best-practice organizations use report cards or dashboards to identify and communicate risks, and 60 percent report these results monthly. Moreover, ERM information is communicated to all levels of the organization, including those leaders empowered to make decisions. This communication chain allows each best-practice partner to take more calculated risks and support an enterprise-wide culture of informed risk takers.
Figure 17. How Decision Makers Are Informed of Risk
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
• Reports/Dashboards: 80%
• Presentations or workshops: 60%
• Meetings: 100%
• Other: 20% (no response)

As discussed in Chapter 2, Textron uses risk radars and risk summaries to facilitate decision making. Risk radars track gross risk for every business unit and council and are color-coded to indicate whether further action is required. The operating committee reviews risk radars each month during a four-hour meeting. Risk data is updated quarterly, and meetings that occur between updates provide committee members with opportunities to probe more deeply into any risks that are of major concern.

The use of a risk report card helps promote accountability at Textron; by monitoring the report card, the organization ensures that risks are tracked and properly addressed. Report cards are embedded into the quarterly reporting process and show which business units and councils are participating in risk activities. If a business unit is not participating, then executives will usually call business-unit leaders to increase involvement and promote accountability.

At Microsoft, individuals called risk focals are described as “feet on the street” to support risk management. Focals manage action planning, risk profile development, steps to support risk, and the work breakdown structure. Generally, people take on this role in addition to their day-to-day job responsibilities, so the organization has developed a work breakdown structure to help communicate requirements. This level of detail helps risk focals talk to managers and convey needs across business units. Additional detail is provided so that focals understand the risk path and descriptions. This assists focals with reporting for monthly meetings and enhances knowledge transfer.
Although the NYISO has several performance dashboards, these metrics do not directly tie to risk reporting. Instead, the risk, compliance, and quality management function relies on its heat map of risks as its key visual aid. The organization’s 17 categories of risk are plotted on the heat map in terms of impact and probability. With aggregate risk measured historically for signs of progress, the heat map acts as a performance scorecard and a communication vehicle to share risk information across the enterprise.

At AEP, the flow of information is structured to minimize overlap and duplication in the data presented to executives. By providing a structured sharing forum, the risk executive committee helps business units increase corporate awareness of key issues and risks. To ensure a comprehensive and consistent view of risk across functional units, AEP periodically collects additional information on reported risks, including a risk’s potential impact on the organization, the possible timing of its impact, the manageability of the risk, and how well the possible impact can be measured. Standardizing the way in which this information is shared by the functional units helps the organization accurately compare risks at the enterprise level.

According to AEP, publicizing the purpose, strategy, process, benefits, and results of ERM is critical to change management and helps achieve buy-in at all levels of the organization. By de-emphasizing systems and technology, AEP has been able to establish effective communications and processes related to risk management.

CONCLUSION
The integration of ERM into decision making is critical not only for the health of an organization, but also for its sustainability. Moreover, successful organizations use ERM data to understand both downside risks and upside opportunities.
The ability to communicate ERM information to all levels of the organization is equally important; without effective communication, leaders are not able to mitigate risks and reduce risk exposure. Dashboards, risk radars, and report cards are some of the tools that the best-practice organizations are leveraging to distribute key risk data and promote its use in decision making.
Research Champion Perspective from IBM Global Business Services
Using ERM for Effective Decision Making

This chapter addresses a number of important points that we would like to emphasize. The first is the applicability of ERM to the day-to-day planning, assessment, and management of projects; the second is the relative assessment of risks at the functional or business-unit level versus an enterprise view—in turn leading to a discussion of risk measurement tools; and third is the use of ERM data for planning, budgeting, and forecasting (PB&F).

Although not discussed at length in this study, the practice of using ERM to plan, assess, and manage projects is highly beneficial to organizations. While some might view projects as relatively discrete activities, somewhat separated from core business operations, that is rarely the case: Most projects draw on resources otherwise deployed elsewhere in the organization and provide benefits for the “core” of the enterprise. Therefore, both project risk and project risk mitigation directly impact the organization. Consider a project that is delayed: Common mitigation solutions include (1) adding resources to complete the job, (2) allowing the delay to occur, and/or (3) reducing scope in order to “finish” on schedule. No matter which solution or combination of solutions is adopted, additional risks are created.

• The addition of resources will cause future budget challenges. If the resources are new or incremental to the organization, there is a cash outflow and hence an enterprise-wide financial impact. If the resources, say staff, are reallocated to the project from elsewhere in the organization, then their previous activities will no longer be performed and that, in turn, will create new risk for those areas of the organization that depended on those activities.
• Allowing the delay to materialize will defer the project’s benefits, and in the worst-case scenario may even eliminate the benefits. Imagine a new product launch: A delayed launch may result in loss of market share or even the ceding of a market to a competitor. So here too, the underlying or core business is affected.
• Reduction of scope can lead to losses similar to those associated with a delay. By its very definition, a reduction in scope means that expected benefits will not be realized as planned, and again, the underlying or core business is negatively affected.

These brief comments clearly show that project risk is integral to enterprise risk management.

A second key use of ERM data is to contrast business-unit perspectives of risk with the enterprise view. One of the most useful lessons learned from this study is the recognition that a risk deemed significant to a business unit might be of little consequence to the enterprise as a whole, or vice versa. While seemingly an obvious point, it clearly demonstrates the need for a common tool or approach for comparing risks across business units or, for that matter, by a corporate function in looking at unit-level risks. Consider this example: A large corporation may have a number of stand-alone operating units, each of which considers revenue risk below $20 million (within the fiscal year) to be insignificant. In turn, the corporation’s leadership team is primarily concerned with single risk events that would impact total revenue by at least $50 million. This is a very typical situation in multi-unit enterprises. But it leaves a potentially huge gap. What if several units each chose to accept a certain risk due to its small size, under $20 million, but the root cause of these risks is the same, such as a supply chain failure, natural disaster, labor stoppage with the same union, commodity price or availability, etc.?
Now the corporate risk impact might well exceed $50 million, and this possibility can only be identified by taking a different risk assessment perspective, looking at causes across the enterprise rather than solely a unit viewpoint.

The third area of note is the use of risk data for planning, budgeting, and forecasting. Too many business-unit budgets do not explicitly reflect the risks that might impact actual results. Rather, the risks and the expected impacts are buried in the aggregate data that is presented and reviewed on a periodic basis. Consider the example of the loss of a key customer.[3]

[3] For the sake of simplicity, assume it is an all-or-nothing situation (i.e., either the customer remains or is fully lost, and any lost revenue cannot be offset by other means). Without these simplifying assumptions, there is an infinite array of possible results.
Revenue for the period is budgeted at $10 million, 15 percent of which comes from this one key customer; however, there is a 40 percent likelihood, based on the business unit’s assessment of the situation, that the customer will take its business elsewhere. Initially, therefore, the risk-adjusted revenue budget for this business unit should be only $9.4 million ($10 million less the 40 percent likelihood of the loss of $1.5 million). But to accurately portray its position, the unit should indicate a revenue budget of $8.5 million OR $10 million, reflecting the loss or retention of the revenue. This dual-budget approach forces an explicit—and immediate—discussion of how the unit will respond if the revenue is lost, a very useful risk scenario that likely has broad applicability.

Now let time move ahead a few months and assume that the customer situation is resolved. If the revenue was lost, the unit re-forecasts its budget with the shortfall being recognized, along with the offsetting benefits of its risk mitigation actions, those that were reviewed and agreed on during the initial situation assessment. This same logic can be applied to any risk scenario, such as a possible work stoppage, supply chain disruption, and so on. The budget should show the likely scenarios or ranges, and then each forecast update would reflect the most current risk estimates.
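The two quantitative arguments in the IBM perspective above, worked through in Python as an added example that is not part of the report or of IBM's material: first, the aggregation gap, where risks each unit accepts as below its $20 million threshold share one root cause and together breach the $50 million enterprise threshold; second, the $10 million / 15 percent / 40 percent budget case, contrasting the single expected-value figure with the explicit two-scenario budget and the later re-forecast. The unit names, individual exposures and the $400,000 mitigation offset are constructed for illustration.

```python
"""Worked example (not from the report): root-cause aggregation across units and
risk-adjusted versus scenario budgeting, following the IBM perspective's figures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitRisk:
    unit: str          # business unit that owns and assesses the risk
    root_cause: str    # shared driver (one supplier, one union, one commodity, ...)
    impact: float      # revenue at risk within the fiscal year, in dollars


def hidden_enterprise_risks(risks, unit_threshold, enterprise_threshold):
    """Return {root_cause: summed_impact} for causes that no unit would escalate
    (every contributing risk is below unit_threshold) but whose combined impact
    reaches enterprise_threshold. A unit-by-unit review never sees these."""
    by_cause = defaultdict(list)
    for risk in risks:
        by_cause[risk.root_cause].append(risk)

    hidden = {}
    for cause, items in by_cause.items():
        total = sum(r.impact for r in items)
        accepted_locally = all(r.impact < unit_threshold for r in items)
        if accepted_locally and total >= enterprise_threshold:
            hidden[cause] = total
    return hidden


def risk_adjusted_budget(budget, at_risk_share, loss_probability):
    """One all-or-nothing customer risk (footnote 3's simplification).
    'expected' is the single probability-weighted figure; 'retained' and 'lost'
    are the two outcomes the dual-budget approach makes explicit."""
    at_risk = budget * at_risk_share
    return {
        "expected": round(budget - loss_probability * at_risk, 2),
        "retained": round(budget, 2),
        "lost": round(budget - at_risk, 2),
    }


def reforecast(budget, at_risk_share, customer_lost, mitigation_offset=0.0):
    """Once the situation resolves: recognise the shortfall if the customer left,
    then add back the benefit of the mitigation actions agreed up front."""
    if not customer_lost:
        return round(budget, 2)
    return round(budget - budget * at_risk_share + mitigation_offset, 2)


# Constructed sample: units A, B and C each carry an exposure under the $20M unit
# threshold to the same supplier; the labour risk is also shared but stays small;
# unit D's $25M customer risk is escalated by the unit itself.
SAMPLE_RISKS = [
    UnitRisk("Unit A", "single-source supplier outage", 18_000_000),
    UnitRisk("Unit B", "single-source supplier outage", 17_500_000),
    UnitRisk("Unit C", "single-source supplier outage", 19_000_000),
    UnitRisk("Unit A", "regional labour stoppage", 12_000_000),
    UnitRisk("Unit B", "regional labour stoppage", 9_000_000),
    UnitRisk("Unit D", "key customer loss", 25_000_000),
]

if __name__ == "__main__":
    # Supplier outage sums to $54.5M: above $50M, yet invisible to every unit.
    print(hidden_enterprise_risks(SAMPLE_RISKS, 20_000_000, 50_000_000))
    # Expected $9.4M versus the explicit $10M-or-$8.5M pair from the text.
    print(risk_adjusted_budget(10_000_000, 0.15, 0.40))
    # Customer lost; $400K of agreed mitigation benefit offsets part of the gap.
    print(reforecast(10_000_000, 0.15, customer_lost=True, mitigation_offset=400_000))
```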
Chapter 4: Using ERM for Performance Improvement

Chapter 4 Key Findings
1. Effective risk management is evaluated as an organizational key performance indicator.
2. Best-practice organizations use risk management as an individual performance indicator.
3. Evaluation of ERM effectiveness is in the early stages of maturity.

In this consortium research study, APQC sought to answer two important questions related to ERM and measurement: “How are ERM programs used to improve business results?” and “How are key performance indicators (KPIs) and key risk indicators integrated into performance management?”

Measuring the success and investment of any program is a notoriously difficult task. ERM is no exception. However, most best-practice organizations in this study are able to evaluate risk management as a key performance indicator and use risk management for individual performance measures at some level.

EVALUATING RISK MANAGEMENT AS A KPI
Effective risk management is evaluated as an organizational key performance indicator.

The study partners display a range of maturity levels regarding the evaluation of ERM as a KPI. Sixty percent of the best-practice organizations use KPIs, and 40 percent use performance dashboards. Furthermore, senior leaders at all the best-practice organizations use risk information to improve enterprise-wide performance (Figure 18). Likewise, individual risk owners use risk data to improve performance at the majority of these organizations. Corporate leaders and ERM groups also use risk data to improve.

Figure 18. Roles Responsible for Using Risk Information to Improve Performance
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
• ERM group: 40%
• Central performance improvement group: 0%
• Individual risk owners: 100%
• Corporate: 60%
• Business leaders: 100%
• Other: 0%
As a Six Sigma organization, Textron emphasizes the importance of measuring ERM performance. The organization tracks and assesses ERM components such as risk events and actions, overall risk prediction ratio, total cost of risk events per year, ERM participation, risk exposure reduction, mitigated reductions, and cost savings. The ERM function is able to quantify every risk by working closely with the business units to determine risk cost. In some cases, a range may be developed to illustrate best- and worst-case scenarios; each risk cost is factored into an overall cost average.

Textron’s audit committee evaluates the ERM process periodically to ensure it is working as designed. These reviews have resulted in enhanced risk identification, evaluation, and mitigation throughout the organization. The following process is used for ERM reviews:
• the business units and councils submit timely quarterly updates,
• the ERM team reviews business-unit and council submissions for reasonableness and completeness,
• quarterly updates of significant risks are presented to the operating committee,
• the operating committee reviews significant risks, and
• the risk review becomes part of strategy discussions.

American Electric Power (AEP) strives to use ERM to enhance performance and organizational effectiveness. For example, it tracks risks related to commitments made in the organization’s corporate sustainability report, which provides an interface between ERM and other business functions; the goal is to identify risks and commitments while engaging internal and external stakeholders. AEP produces an annual report that spells out the organization’s sustainability commitments. Once the report is published, the organization is pledged to a biannual review of those commitments and their inherent risks.
Each functional unit provides a biannual update to the risk executive committee documenting its progress toward meeting the commitments. Although this is a relatively new process for the organization, it identifies a role for enterprise risk in relation to sustainability. The sustainability reporting process is illustrated in Figure 19.

Risks are also evaluated on timelines related to AEP’s strategic plan. When it is possible to measure the impact of a particular risk, business units are encouraged to do so. Each functional unit answers questions related to the risk to determine the risk’s potential impact in areas such as regulation, safety, operations, and finance. AEP’s strategic planning function leverages this information to identify internal improvement opportunities.
Figure 19. AEP’s Sustainability Reporting Process
A cycle of stakeholder engagement, developing the report, publishing the report, identifying risks and commitments (addressed or created), and internal updates on risks and commitments.

Key risks and performance indicators are reported through AEP’s risk reports and linked to the organization’s strategic plan. There is a strong relationship between business-unit objectives and reported risks. Functional units are actively involved in identifying risks that may affect strategy, and guidance is provided by the enterprise risk oversight function. Enterprise risk oversight helps functional units define risks that may prevent them from achieving strategic objectives. These risks are reviewed throughout the year by both the functional units and the enterprise risk oversight function.

Risk management enhances Fonterra’s ability to meet its financial targets. The organization uses ERM to manage risk at the lowest possible cost and reduce the number of surprises and losses that occur. Specifically, the ERM function helps business units meet performance targets and understand the drivers of financial success in order to maximize risk improvement opportunities. A business interruption valuation, which helps calculate potential interruptions to the organization, is used for prioritizing risk improvement opportunities.

For instance, Fonterra can evaluate the investment tradeoffs of securing a milk supply with the revenue and profitability of its local country operations. By establishing farms in China with dairy cows from New Zealand, Fonterra is leveraging risk results to minimize supply chain disruptions that would adversely impact customers and ultimately affect revenue.
RISK MANAGEMENT AND INDIVIDUAL PERFORMANCE
Best-practice organizations use risk management as an individual performance indicator.

At some of the study’s best-practice organizations, risk management is used as an individual performance indicator. Linking risk management activities to performance measures helps promote accountability, augment awareness of risks, and obtain buy-in for ERM efforts. Typically, these performance indicators tie directly or indirectly to rewards.

At Fonterra, risk management is linked to performance measures; this provides an additional incentive for participation. On an annual basis, Fonterra’s management team and board of directors agree on a scorecard to measure and track performance targets. Figure 20 shows a sample performance scorecard. The shaded areas affect each manager’s annual bonus, whereas the unshaded areas do not directly affect the bonus structure. The clarity of definition signals the importance of these indicators and enables management to drive behaviors and performance.
Figure 20. Sample Fonterra Performance Scorecard (table)
Columns: Fonterra Group; Fonterra Core Ingredients; Asia/AME; China; ANZ.
Rows and the measures they carry:
• Financial Success: 1-Yr TSR; Payout per KgMS; Contribution to Payout/KgMS; Gross Margin; NPAT; EBIT; RONA; Sales Growth; Cash measure; Working Capital Turns
• Customer Success: DIFOT (composite measure at group level); Complaints Value
• Operational Improvement: Forecast Stability Measure (GT at group level); Sales from Innovation
• Capable and Willing People: Group LTIFR/TRIFR; LTIFR; Group Fatalities; Fatalities; Environment Issues Measure; People Measure
Risk management also supports Fonterra’s ability to attract and retain capable people. The ERM function helps expand the skill base of management by offering ERM tools and training. In addition to formal training, Fonterra also provides ongoing coaching and mentoring to risk champions and business units.

At AEP, ERM is connected to strategic plans, which link to goals and incentive programs. There is no explicit link between ERM and performance measures, but there is significant integration among incentives, objectives, risks, and the strategic plan. In this framework, employees are indirectly accountable for risk management. For example, distribution reliability is both a key performance indicator and a risk indicator. Employees are measured against the amount of time it takes to restore power as well as the number of customer minutes lost. Distribution reliability is also a key risk area. In cases like this, there is a strong relationship between incentives and the objectives stated in the strategic plan.

At Textron, the use of a report card helps promote accountability and ensure that risks are properly tracked and addressed. The report card is an element of the quarterly reporting process that illustrates which business-unit councils are participating in risk activities. Key executives approach those business-unit leaders who are not actively participating to understand their lack of involvement. This approach supports continued and increased participation across the enterprise.

ERM EVALUATION
Evaluation of ERM effectiveness is in the early stages of maturity.

With some exceptions, ERM evaluation is in the early stages of maturity. Most organizations measure cost savings related to risk management and use anecdotal success stories to justify a continued business case for ERM.
Consequently, most of the study participants consider the development of additional and more sophisticated ERM measures to be an area for improvement.

With a sophisticated measurement framework in place, Textron is an exception to this finding. For each risk event occurrence, Textron’s ERM function reviews existing risks for possible revision and revises the impact and likelihood assessments. This information is then presented in the same format as risk analysis data and is entered in the risk event tracking system.

Although AEP cites that it is difficult to measure the success of ERM, the organization asserts that enterprise risk management has intangible benefits. There is an increased awareness of risk across the organization and a growing desire to understand and implement consistent risk approaches. Functional units frequently request assistance from the enterprise risk oversight function to ensure that projects are consistent with risk committee standards and to help identify and mitigate risks.
In the future, Fonterra plans to closely monitor risk assessment activities within its business units. It will expand its existing control self-assessment process to further engage management. In past years, this process focused on manufacturing, supply chain, and sales and marketing. The organization plans to use the control self-assessment process to obtain feedback from business units in order to determine future risk areas. Currently, this process is completed twice annually, with signoff provided by senior managers at the sites.

CONCLUSION

The best-practice organizations in this study leverage ERM programs to enhance business results by evaluating the tradeoffs between risks and rewards and using this analysis to make conscientious investment and operating decisions. The study partners also reinforce their ERM key performance and risk indicator measurements by providing either direct or indirect links to individual performance results and, in some cases, annual bonuses.
Research Champion Perspective from IBM Global Business Services

Using ERM for Performance Improvement

Successful and sustainable ERM processes explicitly and visibly demonstrate the tradeoffs between risks and mitigating actions while also—in most cases—linking performance measurement with risk management.

Among the innovative practices identified in this study was one that involved including the occurrence of risk events in risk team assessments, based on whether the team had identified the event as a possibility and the impact it had expected the event to have on the unit. This is a good example of how organizations establish responsibilities between central and local business units: The local unit identifies the risk and makes mitigation recommendations (which may include “as is” acceptance); a central corporate function assesses those risks seen as higher priority by the business units—while also considering the interaction of all other risks—and approves, adjusts, or turns down mitigation recommendations (based on resource availability, scale of size, etc.); and the local unit then implements the approved plans. When a risk event occurs, the local unit is, in part, evaluated on whether it reasonably identified the risk and its impact as well as on its response actions.

Best-practice organizations also ensure that key risk indicators, often referred to as KRIs, are explicitly factored into performance measurements and results, including incentive compensation programs.4 In doing so, however, organizations should ensure that KRIs are not considered in isolation from other performance metrics; after all, risk mitigation actions directly impact other performance criteria and vice versa.
For example, as we noted earlier, actions taken to bring a delayed project back on schedule usually include some combination of additional resources or reduced scope, but both of these actions will impact other metrics at a later date (project budgets and the benefit case, respectively).

This simple example also highlights the importance of the dimension of time: decisions made in 2008 might deliver measurable benefits in 2009, but carry risks that emerge only in 2011 or 2012. In order to incent and compensate staff and executives for the short-term benefit, the organization should first adjust future planned performance by the expected or potential losses that the risk might generate. In other words, performance measurement and incentive programs should take a much longer perspective on time.

In addition, risk metrics can be very misleading on their own. For example, in a retail environment, stock-outs are likely a KRI. However, one can almost fully prevent stock-outs simply by having far too much inventory, thus running the risk of tying up capital and selling goods at lower prices. As such, measuring a manager only on the stock-out KRI can lead to sub-optimal behavior.

Finally, the selection of KRIs must be based on their relative importance to the business, or in other words, based on the value each KRI drives across the enterprise or business unit. Just as certain key performance indicators are stronger business drivers than others, some KRIs reflect very substantial risks, whereas others follow lesser ones. Therefore, an integrated view of risk and other performance metrics is vital for the long-term success of an ERM process.

4 Of course, given the recent turmoil in the financial markets and the results posted by large financial institutions, it does not appear that these organizations employed these practices.
Chapter 5
The “Essentials” of ERM

In any business area, continuous improvement may be the most essential ingredient for achieving “best practice” status. The best-practice partners in this study take such an attitude toward their ERM initiatives; each places high importance on lessons learned and critical success factors as tools for moving forward on the path of continuous improvement. Study results reveal common themes among these best-practice organizations as essential components of successful ERM programs.

For example, the best-practice organizations cite risk assessment process tools, heat maps, risk stewardship, and recording databases as some of the most useful ERM tools and methods. Furthermore, the partners tend to agree on the top quantifiable benefits of implementing ERM as a core management process:
• general risk awareness and understanding of exposure,
• increased accountability,
• loss avoidance,
• reduced insurance costs, and
• improved decision making.

This chapter details lessons learned and critical success factors for effectively managing enterprise-wide risks.

American Electric Power

AEP cites the following critical success factors for its ERM program.
• Communicating the purpose, strategy, process, benefits, and results of ERM is critical to change management and helps achieve buy-in at all levels of the organization.
• Providing adequate, ongoing training on ERM methods and benefits is also important. AEP spent more than two years expanding the process, educating functional units, refining its reporting process, and developing ways to evaluate risks at an enterprise level.
• ERM was rolled out gradually across the organization, which helped with buy-in.
Starting slowly encouraged others to get involved and lessened resistance to change.

Fonterra Cooperative Group Limited

According to Fonterra, successful ERM approaches must incorporate the following:
• senior management support and a venue for such support;
• a way to show how ERM adds value to the business;
• captured and communicated benefits;
• built-in performance measures around risk assessment and improvement;
• links through common systems (as used by functions such as internal audit and IT);
• a common risk management language;
• clearly defined roles and responsibilities;
• established risk management processes to enable risk aggregation and transparent, unbiased reporting;
• incentives to ensure the inclusion of risk information in business planning and project assessment; and
• the integration of risk management into existing systems.

New York Independent System Operator

Key elements of the NYISO’s ERM success include:
• responsiveness, flexibility, and the ability to adapt;
• continuing education on emerging trends;
• acceptance of a risk management framework as a focal point;
• a common language for defining and describing risks;
• senior management support and commitment;
• risk management ownership;
• communication of risk information throughout the organization;
• comprehensive training;
• reinforcement through HR mechanisms;
• effective risk management processes; and
• monitoring through self and internal audit.

The NYISO would advise organizations that are starting ERM programs to obtain the support of senior leaders, rely on results for additional buy-in, identify how risk analysis and mitigation can help the organization’s core processes, be patient yet firm, and embrace responsible parties as part of the solution and acknowledge them accordingly.

Textron Inc.

Textron cites the following as critical success factors for ERM.
• Senior leaders supported ERM, and initial risk management activities were led by the CFO. This strong leadership commitment promoted cultural buy-in for ERM activities.
• Six Sigma was a starting point for ERM. Because ERM was launched from existing Six Sigma efforts, there were fewer cultural barriers to adoption and the process was validated immediately.
• Textron established an operating committee in lieu of a traditional risk committee. The organization’s leaders felt strongly that the ERM function should report directly to risk owners within key business units. This structure means that risks are reported directly to individuals who have the ability to act on them.
• At Textron, a report card embedded into the quarterly reporting process shows which business units and councils are participating in risk activities. This report card promotes accountability and helps ensure that risks are tracked and addressed.

The following list summarizes lessons that Textron has learned over the course of its ERM journey.
• ERM is a process, not a project.
• Management owns the risks; ERM drives the process.
• Risk assumptions have finite accuracy regarding impact and likelihood and are not critical to the process.
• Management must be engaged in regular risk discussions.
• Value is realized when the ERM process motivates beneficial actions that would not have occurred otherwise.
• ERM must achieve tangible benefits in order to justify its existence.
• ERM will never eliminate all risks and exposures.
• The support of Textron’s board of directors is important to ongoing success.

CONCLUSION

Throughout this study, certain themes repeatedly came to light: consistent processes, swift information flow, targeted support, pervasive accountability, buy-in, communication, defined roles, and flexibility. These are necessary ingredients that contribute to the effective management of enterprise risk. Although ERM is an evolving practice area and cultures differ from organization to organization, the best-practice partners have shown that the regular practice and reinforcement of these essentials is the best approach for implementing successful enterprise risk management.
Research Champion Perspective from IBM Global Business Services

The “Essentials” of ERM

We echo the conclusions of this study, which recognize the critical elements of success in implementing ERM across an organization. There are clear parallels across the organizations that participated in this study, particularly with respect to executive support, role definition, lines of communication, and the use of agreed-upon risk metrics. While Enterprise Risk Management (ERM) and what we see as its sister discipline, the Management of Risk Events (MRE), are specific management processes, the underlying strategies parallel those of broader enterprise management.

The key messages that we would like to close with are to emphasize the need for consistency in language and process, common definitions of data and risk, and an integrated approach to the management of risk, particularly through the dual prism of risk and performance management.

We would like to thank our fellow sponsors for their support and participation, APQC and the independent experts who guided the research and study deliverables, and most especially the organizations that agreed to be put under a microscope as best-practice partners. The partner organizations, in particular, put in many hours to present their ideas and approaches and answer questions. Thank you for taking the time to review this study, and we hope you have gained as much as we did in helping to prepare it. We look forward to working with you again soon!
Case Studies

55 American Electric Power
67 Fonterra Cooperative Group Limited
83 Microsoft Corporation
93 New York Independent System Operator
101 Textron Inc.
Case Study
American Electric Power

American Electric Power (AEP) is one of the largest power generators in the United States. The organization provides electric service to more than five million customers in 11 states. With approximately 20,800 employees, AEP has $40.4 billion in assets and annual revenues that exceed $13 billion.

AEP is the second largest domestic power generator, providing electricity that powers the national economy. Power generation involves the creation of electrical power using fossil fuels (e.g., coal, oil, natural gas); nuclear technology; hydroelectric plants; and renewable and other resources. Domestically, AEP produces energy using coal and lignite, natural gas, nuclear, hydro, and wind. Coal and lignite account for 68 percent of AEP’s power generation, and natural gas and oil account for 23 percent. Nuclear and hydro power generation account for 6 percent and 3 percent, respectively.

Power transmission and distribution are key business functions within the organization. AEP’s transmission business encompasses highly integrated bulk power supply facilities, high-voltage power lines and substations, and the ability to transport power from a point of origin to load centers. This system is linked to a larger support system.
Distribution refers to the ability to connect customers to the grid through substations, lower-voltage power lines, poles, transformers, services, and meters.

AEP’s corporate strategy is to grow its core utility business at a consistent rate through major investment supported and funded by innovative programs for regulatory recovery, and to develop an independent, federally regulated transmission company for the pursuit of new major interstate projects.

Specifically, the current focus of the organization is to:
• invest in and evolve infrastructure to support future technology and customer needs with an emphasis on efficiency, conservation, and load management;
• enhance cash flow and earnings through rate recovery mechanisms; and
• take advantage of AEP’s size to benefit customers and shareholders through regulatory-supported investment.

The utility industry is regulated in most states. Accordingly, AEP is highly dependent on and affected by regulatory commissions and reviews. Two of the states in which it currently operates, Ohio and Texas, have deregulated domestic power generation; this presents challenges as well as risks for the organization. As a result, preparing for the post-2008 energy market transition in Ohio is another key strategic directive.
Regulatory risks and issues are managed by a separate function that works with AEP’s operating organizations. AEP’s regulatory function is responsible for ensuring consistency in filings across jurisdictions, regulatory changes, and any other risks that impact the regulatory environment. Since AEP operates in 11 states, there is a strong need for the regulatory function to maintain information on state changes, financial results, and timing and status of issues that pertain specifically to industry regulations. Accordingly, risks associated with the regulatory environment are not specifically addressed in this report, although there is a link to corporate risk processes in that they are impacted by the regulatory environment.

OPTIMIZING THE ERM ORGANIZATIONAL STRUCTURE

Risk management within the industry and at AEP has progressed over time. Figure 21 summarizes the evolution of risk management from an industry and organizational perspective. As shown, in the 1970s, the primary focus was insurance risk management. Financial risk management, which includes risks associated with credit, was added in the 1980s. During the 1990s, the deregulation of utilities presented additional risks, and organizational and market risk management became critical to the organization. Since then, risk management has expanded to include business expansion risks and operational risks. In 2007, AEP began to publish an annual corporate responsibility report containing commitments that represent additional risks to the organization. Today, AEP applies risk management strategy to all areas of its U.S. operations and is applying for the 2009 Baldrige Award to recognize its worldwide operations.

“The enterprise risk oversight (ERO) group does not manage risk per se; risks are managed by functional units across the company. Some risks—such as credit, insurable, and pension risks—are managed within the risk and strategic initiatives department, which includes enterprise risk oversight. The ERO group works with the functional units to identify their respective risks and emerging issues that are considered significant enough to have an enterprise effect. The ERO group then works to combine this information into an enterprise view of the company. For this reason, and to avoid confusion about the purpose of the group, this group is named ‘enterprise risk oversight’ and not ‘enterprise risk management.’”
— Doug Buck, director of enterprise risk oversight, American Electric Power

Figure 21: Evolution of Energy Utility Risk Management. The figure shows the scope of risk management widening by decade:
1970s: insurance risk management (insurance)
1980s: financial and insurance risk management (credit, insurance)
1990s (deregulation): financial and market risk management (organizational, market, credit, insurance)
2000s: enterprise risk management (corporate responsibility, operations, business expansion, organizational, market, credit, insurance)
AEP’s risk organization is led by the vice president of strategic initiatives and chief risk officer (CRO). This individual is responsible for multiple groups within AEP, including enterprise risk and insurance, market risk oversight, credit risk management, trusts and investments, and strategic initiatives. The CRO reports to the chief financial officer (CFO) of the organization, who is responsible for accounting, treasury and investor relations, corporate planning and budgeting, and risk and strategic initiatives. The enterprise risk oversight (ERO) group is under the vice president of enterprise risk and insurance, who reports to the CRO.

Figure 22 depicts AEP’s current organizational structure. The shaded boxes indicate members of the risk executive committee (REC). The REC is made up of members of the executive council and other senior executives who manage a significant amount of risk for the organization. As shown, REC members are dispersed across the organization.

AEP’s enterprise risk organization is strategically named “enterprise risk oversight” in order to communicate that, although the group oversees risks for the enterprise, risk management is the responsibility of the individual business functions. Accordingly, funding for risk management is incorporated into business-unit budgets.

Figure 22: AEP’s Current Organizational Structure (organization chart; shaded boxes denote 2008 REC members). Positions shown include: Chairman, President & CEO; CFO; President AEP Utilities; EVP Generation; SVP Transmission; General Counsel; VP Corp. Communications; COO; VP Strategic Initiatives & CRO; SVP Eng. Projects & Field Services; Dir. Ethics & Comp; EVP Safety, Environ. Health & Facilities; VP Enterprise Risk & Insurance; SVP Chief Nuclear Officer; SVP Regulatory Services; SVP CAO; VP Generation Business Services; SVP Shared Services; SVP Corp. Plan. & Budgeting; SVP FEL; Treasurer & VP Investor Relations; SVP Fossil & Hydro Gen.; EVP AEP West Utilities; VP Cust. Svcs., Mktg. & Dist. Svcs.; EVP AEP East Utilities; SVP Comm. Ops.
The organization created an enterprise risk management (ERM) policy that outlines the governance structure for ERM and clearly defines roles and responsibilities associated with managing risk. Any changes to the ERM policy must be approved by the CFO, the CRO, and the vice president of enterprise risk and insurance. Figure 23 depicts the risk structure at AEP. As the diagram indicates, enterprise risk management involves all levels of the organization and is governed by the ERM policy.

Figure 23: AEP’s Risk Reporting Structure. The whole structure is governed by AEP’s ERM policy, which sets the governance structure, roles, and responsibilities. From top to bottom:
• Audit Committee: summary report provided to the board audit committee
• Risk Executive Committee: strategic focus for monthly REC meetings
• Enterprise Risk Oversight Function: independent oversight function
• Functional Unit Management: management of risks

The ERM policy establishes a governing framework for assessing the organization’s collective risk and ensures accountability for the identification, measurement, evaluation, and mitigation of risk. At the top of the structure is the board audit committee. Audit committee members meet approximately six times each year and are provided with summary risk reports to review.

The REC is the organization’s high-level risk management group. Each month, REC members meet to discuss risk reports and address issues facing the organization. The REC also provides input on identifying and managing enterprise risks. The vice president of enterprise risk and insurance chairs the meetings, which generally begin with a review of notable risk items from the monthly risk reports along with items that require follow-up action from previous meetings. The rest of the meeting is led by an REC member who represents a specific functional unit within the organization.
Using input from the ERO group, this member determines a topic from his or her respective area for the committee to discuss and presents to the group on that topic. Discussion topics focus on emerging and/or major risk issues and tend to be strategic in nature. The committee provides feedback and develops an action plan for assistance, if needed. The REC ensures that reported risks are aligned with AEP’s strategic plan; it also biannually reviews the status of commitments made in the company’s corporate sustainability report.

The ERO group coordinates the agenda, prepares relevant information for monthly REC meetings, works with functional units on risk identification and reporting, and is responsible for the ongoing development and maintenance of a collective (i.e., enterprise) risk view for the organization. This group also provides enterprise risk–related information, analysis on emerging areas of risk, and strategies for improving risk measures.

The functional units are responsible for managing their respective risks and providing monthly risk reporting. They involve ERO in special projects as needed. Functional-unit management is the foundation of the risk structure at AEP. Although the oversight function is available to provide assistance, much of what is reported is determined by functional units. Functional units are asked to report on why they think certain risks should be tracked, what mitigation plans are underway, and the current status of the risks. Functional units are also asked to identify trends and emerging issues that affect enterprise risk. The status of risks is measured by guidelines that are established by functional-unit managers.

Figure 24 (page 60) lists the specific functional areas that provide risk reports to the REC. The REC information flow is designed to minimize overlap and duplication in the information presented to executives.

The ERO group works with functional units to help identify risks and provides education and support. There are currently two full-time resources in the oversight function; however, these individuals are supported by numerous functional-unit representatives who act as an “extended family” to ERO.
This group helps functional units determine what risks should be reported, what information should be included in the reports, and how to identify emerging areas of risk.

At AEP, there are many risks within each functional unit; however, the focus of ERM is on risks that affect the enterprise as a whole. Although risks are managed functionally, input on these risks is solicited from across the organization.

One of the challenges that AEP faces pertains to the fact that “all risks are not created equal.” Risks reported to the REC cover a very broad range of issues; some are quantifiable, and others are not. Also, because risks change over time, the organization continuously revises the list of reported risks. Some risks are reported on a long-term basis, whereas others are reported for several months and then removed from reporting.
Figure 24: REC Reporting at AEP. Functional areas that provide risk reports to the REC:
• CEO
• Generation: Fossil and Hydro Plant Operations; Environmental Construction; New Generation Construction; Fuel, Emissions and Logistics
• Finance: Risk and Strategic Initiatives; Treasury
• Environ., Safety, Health, and Facilities: Environmental; Safety; Corporate Responsibility
• Utilities: Transmission; Customer and Distribution Services; Regulatory; Commercial Operations
• Other: Reputation; Legal Analysis
• Shared Services: IT; Business Logistics; Workforce; Environ., Safety, and Health Services
• Audit Services: Financial Audits; Operational Audits; SOX Compliance
Operating company risks are reflected in the functional reports.

AEP divides its risks into two categories: monitored risks and potential high-impact risks. Monitored risks are generally easier to quantify and have governing policies focused on limits and controls. They are monitored for status changes and to ensure that controls are working. By contrast, potential high-impact risks are more difficult to quantify. High-impact risks are usually operational or physical risks and are addressed by programs, rather than limits. These risks typically have an impact on one or more monitored risks; therefore, potential high-impact risks are the focus of REC discussions.

In general, it is difficult for AEP to define and measure its risk appetite. This is because it is easier to set a risk appetite around risks that are quantifiable, and many of AEP’s most significant risks are very hard to quantify. However, there are some risk policies that aim to set limits and appetites. The regulatory aspect of the industry also makes it difficult to define and measure certain risks, and much of the risk appetite is influenced by industry regulations.
As previously mentioned, functional units are responsible for analyzing, assessing, managing, and mitigating their own risks. Functional units provide monthly risk reports that include information such as metrics (where possible), current status, trends, strategy and mitigation, and emerging risk areas. Reports are reviewed by the ERO group, which in turn prepares a high-level summary for the REC. All reports are subject to audit. In addition, reports from functional units are compiled in a binder that is provided to all REC members prior to each meeting. This enables committee members who want more detail to read about specific risks prior to the meeting and come prepared with questions. The summary is prepared for those who prefer high-level reviews. This summary is also reviewed by the board audit committee.

Increased communication around ERM has helped AEP overcome barriers to adoption and promote buy-in across the organization. When ERM was first implemented, members of the ERO function engaged in discussions with senior executives to determine what they liked about previous risk committee meetings and to learn about their expectations for monitoring risks. The ability to engage leaders in one-on-one conversations was important because it helped leaders become part of the process. As a result, discussions about risks and risk-related issues occur frequently across the organization.

Increased communication also helped change the perception of risk management across functional units. Education and one-on-one conversations with key leaders and functional-unit representatives were instrumental in obtaining buy-in from all levels of the organization. By promoting early successes from its enterprise risk processes, AEP was able to convince employees that ERM is both valuable and tangible. An increased understanding of enterprise risk began to be seen as beneficial.
Today, risk reporting is viewed as an opportunity to share issues andaddress concerns with executives, and business units often ask for assistance onprojects to ensure they are taking an enterprise view of risk.Identifying, Implementing, and Maintaining “There are some good onesSupporting ERM Technologies [software packages] out there, butCurrently, AEP does not use any specific ERM software. Monthly reports we are focusing on process first andare submitted in various formats, including Word, PowerPoint, and Excel. The letting that drive our decision.”organization uses a manual process to manage the data and prepare informationfor the REC. Leveraging tools that work across different business units is difficult — Doug Buck, director of enterprise risk oversight,because each unit has different needs. American Electric PowerThe decision not to implement supporting technologies is strategic.   lthough the Aorganization has explored a number of software packages, it has chosen to focuson process first and let the process drive future technology decisions.   EP believes Athat, by concentrating on the process, it can ensure that more information is sharedbetween functional units.   t this time, a software package would most likely be A Risky Business II: Enterprise Risk Management as a Core Management Process 61
a hindrance to the process. In the future, the organization expects to implement some type of ERM technology; however, there is a general expectation that it will be highly customized to fit the organization’s unique needs. AEP is continuing to develop criteria for implementing an ERM software system. The organization wants a system that will help identify common root causes of risks and apply common definitions and rating criteria; for example, if one business unit refers to financial risks, these terms and concepts should have the same meaning across all business units. Such a system would facilitate risk reporting and analysis by providing an aggregated view of risk that could be used in decision making.

“The risk executive committee is like a large, extended family. It includes individuals from across the organization. We don’t duplicate efforts—we coordinate them and work together to minimize the overlap of information they receive. As a result, this group is a valuable forum for sharing key risk information.” — Steve Haynes, vice president of strategic initiatives and chief risk officer, American Electric Power

Using ERM as a Decision-Making Tool

AEP’s risk structure and reporting are often factored into decision making, but the process is informal. For instance, many strategic decisions are influenced by risk information provided to the REC. Although there is no clear directive from the REC that pertains to decision making, the discussions and outcomes from risk meetings create a “ripple effect” across the organization, and the results from the meetings frequently have strategic impact. For example, shifts in budget dollars or changes to risk mitigation efforts are often indirectly linked to REC meetings.

Each functional business unit reports on risk using a “stop light” approach. Risks are assigned a color—green, yellow, or red—to indicate the current status of each reported risk. If a risk is assigned a red rating, it is usually addressed or at least discussed by the REC. This approach helps the REC recognize trends and assign priorities. In addition, any risk that is coded red must have an associated mitigation strategy. However, this system is difficult to apply consistently across the organization because of challenges inherent in comparing one functional unit’s “red-level risks” against those of another functional unit. Furthermore, just because a risk is in the red does not necessarily mean it is of strategic importance to the organization; it could simply be a lower-level risk that happens to be important to the functional unit. For this reason, the color-coding system has limitations as a decision-making tool.

To ensure a comprehensive and consistent view of risk across functional units, the organization periodically collects additional information on reported risks, including potential impact, the timing of possible impact, the manageability of the risk, and how well the possible impact can be measured. This allows for a more forward-looking approach to evaluating risks. Standardizing the way in which this information is provided by the functional units helps AEP accurately compare risks at the enterprise level.

ERM is applied using various methods across the industry. Due to the range and types of risks that AEP tracks, it is difficult to apply a common technique to manage risk throughout the organization. Therefore, the goal is to make sure that there is consistent recognition of risk management across the enterprise. AEP leaders believe that this is best accomplished by requiring functional units to identify and address risks at the functional level with assistance from the ERO group.
At AEP, there is a strong relationship between the audit function and the enterprise risk function. Figure 25 depicts the audit and enterprise risk interface. As shown, both functions start with the same risk universe. Although a number of enterprise risks may be auditable, some of the potential or emerging risks cannot be audited. This is where the two functions diverge: The audit function focuses on processes and risks that can be audited, whereas enterprise risk focuses on strategic, emerging, and potential risks. The audit function receives monthly reports and is charged with identifying what can be audited. Risks that are not easily measured are tracked by the enterprise risk function. There is a strong interrelationship between the two functions, and communication occurs on a regular basis. Data shared between these two functions is often used in strategic decision making, as well.

Figure 25: AEP’s Audit/Enterprise Risk Interface (elements shown: risk universe; monthly reporting; auditable risks; audit risk types and processes, namely continuous/ongoing, new and emerging, and implementation; audit plan execution and reporting; significant enterprise risks; enterprise risk types, namely strategic, significant auditable, and emerging and potential).

“Due to the nature of our business, we are not a risk-taking company. We don’t speculate, and we aren’t out there looking for high-risk opportunities.” — Doug Buck, director of enterprise risk oversight, American Electric Power

Using ERM as a Performance Improvement Tool

In using ERM to enhance performance and organizational effectiveness, AEP relies on a number of methods and tools. For example, the tracking of risks related to the commitments made in the corporate sustainability report provides an additional interface between ERO and other business functions. During the year, the organization generates a report on its sustainability efforts. Both internal and external stakeholders are engaged in developing this report.
Once the report is published, the organization is committed to a biannual review of the included commitments and risks. Each functional unit provides a biannual update to the REC documenting its progress toward meeting the commitments. Although this is a relatively new process for AEP, it identifies a role for enterprise risk in relation to sustainability. The sustainability reporting process is illustrated in Figure 26.

There is also a strong relationship between strategic planning and ERM. Strategic objectives are created on an annual basis under the direction of the CFO. This is a formal process that outlines business plans and defines incentives and performance indicators. Within the risk reporting process, reported risk categories from each functional unit identify risk factors that could prevent the business unit from meeting its goals and objectives.

Figure 26: AEP’s Sustainability Reporting Process (steps shown: stakeholder engagement; develop report; report published; identify risks and commitments; internal updates on risks and commitments; risks and commitments addressed or created).

There are two types of risks at AEP. The first is one-time events, which are risks related to happenings that occur only once. The second is ongoing risks or circumstances, which are risks that occur periodically over time or are conditions in which the company operates. Some of these conditions are beyond the control of the organization. Assessing the effects of ongoing risks and conditions is challenging. Due to the nature of these types of risks, it is difficult to calculate likelihood and impact for all risks. Therefore, a separate set of criteria has been developed. As previously discussed, the organization periodically collects information related to the potential impact of each risk, the timing of possible impact, the manageability of the risk, and how well the possible impact can be measured. Standardizing the way in which this information is provided by the functional units helps the organization compare risks at the enterprise level.
ERO works closely with the functional units to identify and report emerging risks. The aim is to relate these events to goal attainment, budget criteria, and areas where the risk may impact the organization going forward.

Risks are also evaluated on timelines related to the strategic plan. Where possible, business units measure the impact of a particular risk over time. Each functional unit answers questions to determine a given risk’s potential impact on the organization in areas such as regulatory, safety, operational, or finance. AEP’s strategic planning function leverages this information to identify internal improvement opportunities.

As mentioned, it is difficult to quantify financial impacts for each risk. This is because the organization tracks a broad range of risks, and each functional unit has unique risks and challenges. A risk that is associated with a smaller financial amount may still be strategically important and have a far-reaching effect on the organization. In the area of safety, for example, it is nearly impossible to associate a dollar amount with risks such as near misses, injuries, and fatalities. Most of the risk analysis in this area focuses on ways to impact prevention. Some regulatory issues are also extremely difficult to measure in terms of dollars. Since the organization operates in 11 different states, there are regulatory challenges that make it difficult to apply risk measures consistently.

Key risks and performance indicators are reported through the risk reports and relate to the strategic plan. There is a strong relationship between business-unit objectives and reported risks. Functional units are actively involved in identifying risks that may impact strategy, and guidance is provided by the ERO function. The ERO team provides feedback to the functional units and helps them define risks that may prevent them from achieving strategic objectives.
These risks are reviewed throughout the year by both the functional units and the ERO team members. At AEP, there is an emphasis on identifying emerging risks throughout the year. It is recognized that emerging risks often impact strategic plans and can prevent the organization from achieving corporate objectives.

The relationship between ERM and the organization’s strategic plan implies a link to incentive programs. In this sense, employees are indirectly accountable for risk management. For example, distribution reliability is both a key performance indicator and a key risk. Employees are measured against the amount of time it takes to restore power as well as the number of customer minutes lost. Distribution reliability is also a key risk. In cases like this, there is a strong relationship between incentives and objectives that are stated in the strategic plan. The organization examines incentive plans to see whether there are additional links to risk that are not covered elsewhere. There is significant overlap between incentives, objectives, risks, and the strategic plan.
“Risks are changing all the time; therefore, you need a process that is flexible, recognizes emerging risks, and finds a way to communicate risk-related information across the business units.” — Laura Thomas, vice president of enterprise risk and insurance, American Electric Power

Although it is difficult to measure the success of ERM, the organization asserts that enterprise risk management has intangible benefits. There is an increased awareness of risk across the organization and a growing desire to understand and implement consistent risk approaches. Functional units often request assistance from the ERO group to help identify and mitigate risks.

Lessons Learned and Future Plans

At AEP, one of the key lessons learned is related to communication. Publicizing the purpose, strategy, process, benefits, and results of ERM is critical to change management and helps achieve buy-in at all levels of the organization. AEP’s goal is to have the implementation of the company-specific ERM program drive the process, rather than letting systems or software drive the process. By de-emphasizing systems and technology, the organization has been able to establish effective communications and processes.

Providing adequate training and education on ERM methods and benefits is also important. AEP spent more than two years expanding its process, educating functional units, refining its reporting, and developing a way to evaluate risks at an enterprise level. The ERO group worked closely with each of the functional units on how to identify risks and what to report. Much of the education and training is provided on an ongoing basis and can be requested at any time.

AEP did not adopt ERM concepts all at once; rather, ERM was rolled out gradually to various parts of the organization. This approach helped with buy-in and was critical to success.
By presenting ERM concepts in phases, AEP was able to manage the process effectively, gain buy-in and acceptance, and provide ample communication to ensure that ERM was seen as beneficial. Starting slowly encouraged others to get involved and lessened resistance to change. The process continues to evolve over time.

Despite its successes, AEP is still grappling with challenges related to risk quantification and reporting. Some of these challenges include:
• the quantification and evaluation of enterprise effects,
• the assessment of the interrelationships between risks,
• the diverse nature of risks,
• different presentation formats for decision making, and
• refinement of information management.

The organization will continue to address these challenges in the upcoming years. Within the next several years, AEP hopes to implement software that will facilitate the reporting process. The vision is to expand risk reporting and analysis so that there is a better understanding of the root causes of risks as well as their potential impact on the enterprise. It is expected that this will enhance the links to the strategic plan and enable a better response to the risks facing AEP.
Case Study: Fonterra Cooperative Group Limited

Dairy exporter Fonterra Cooperative Group Limited was formed in 2001 by a forced merger of two historical competitors and a New Zealand government agency. With nearly 11,000 farmer shareholders and 16,000 employees, Fonterra’s revenues represent more than 20 percent of total exports in New Zealand. Fonterra also accounts for 9 percent of New Zealand’s total GDP and 40 percent of cross-border trade in global dairy products.

Fonterra is headquartered in Auckland, with major regional offices in Melbourne, Chicago, Hamburg, Tokyo, Colombo, Santiago, Singapore, Mexico, Dubai, and China. The organization also maintains various alliances and joint ventures in global locations that are co-owned with its partners, which include Dairy Farmers of America and San Lu in China. In 2007, Fonterra reported $10 billion (USD) in revenue, making it the fifth largest dairy company in the world.

Every 2.75 minutes, Fonterra exports one container load of dairy product to customers located throughout 140 countries. The majority of its business (98 percent) is in the edible foods market, which includes cheese, milk powders, cream, butter, and milk. The remaining 2 percent of its product goes to other uses, including one percent to protein areas such as stockfeed. A small portion of its business (0.1 percent) involves the manufacture of pharmacy grade lactose, which is primarily used in inhalers.

Fonterra’s top 15 customers account for more than 40 percent of all production. From a risk perspective, this is significant; losing one of these top 15 customers would have far-reaching consequences. As a result, on-time delivery, supply chain effectiveness and efficiency, and production robustness are critical to the organization.

During the months of October to December, there is a peak flow of milk, which is followed by a steady decline. This pattern is referred to as the “milk curve,” which ultimately determines supply.
During peak months in the milk curve, plants are running at full capacity; any disturbances during this time affect the entire organization. Accordingly, many of Fonterra’s risk management efforts focus on production and business continuity planning. The organization fully supports business continuity planning, which provides a solid anchor to its risk management program. Enterprise risk management (ERM) has enabled better business continuity planning so that interruptions during the peak period are less likely to occur.
“We focus on attitudes and behaviors. If we can get behaviors to focus on risk management and change the perception of what it means to the organization, then we can really impact our culture.” — John Pearce, enterprise risk manager, Fonterra

Optimizing the ERM Organizational Structure

Since its creation, Fonterra has attempted to establish enterprise risk management three times. The first effort was initiated in 2001, shortly after the formation of the organization. Due to difficulties associated with merging multiple enterprises, the attempt at ERM failed and was viewed as an impediment to more pressing issues. Leadership viewed ERM as “the right idea at the wrong time.”

In 2003, Fonterra’s management board raised the issue of risk management and assigned the responsibility to its global assurance function. During this time, the organization developed a risk policy and risk management framework based on New Zealand and Australia Risk Management Standard 4360 and other risk strategies, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The organization also held 45 risk management workshops that covered 85 percent of the business. The process involved identifying more than 800 corporate risks, which were distilled to the top 99 risks and the top 20 risks by early 2005.

Whereas Fonterra’s second attempt at risk management successfully uncovered a number of corporate risks, employees considered the process to be too theoretical and felt it did not produce any significant benefits at the operating business-unit level, according to Enterprise Risk Manager John Pearce. The key finding from this exercise was that ERM needed to be interactive and anchored in business functions.

Fonterra’s third ERM attempt successfully integrated ERM into the organization and created a link to business functions.
In 2006, the global assurance function was split into audit and risk functions with two different reporting lines to the office of the chief financial officer (CFO). The organization integrated audit and risk processes into business strategy and planning as well as refreshing and fully defining its top 20 corporate risks.

The current ERM structure is based on board-level recognition that Fonterra, as a new company with a mandate to grow, must effectively manage risk in order to be successful. Fonterra aims to use risk management to maximize opportunities and enhance abilities and upside opportunities. Risk management is supported by senior leaders, including the CFO and the chair of the audit, finance, and risk committee (AFRC). In contrast to previous risk management efforts, which lacked a stated return on investment (ROI) or other direct analysis to support ERM, Fonterra’s current risk assessment process provides insurance cost drivers. The process also encompasses risks across the enterprise. Business units own and fund risk outcomes, but the risk management function provides technical support and coaching to the business units. The risk management function also funds risk identification and consults with the businesses on solutions and controls.
Fonterra’s risk management policy is fully defined and builds on key concepts that guide risk management. For example, the intention is to establish a program that promotes cultural change and is embedded in the way the organization operates. Another goal is to develop a common approach and language to ensure that key risks are identified, assessed, controlled, and reported in a consistent manner. Fonterra’s risk management policy is forward-looking, applies to internal as well as external risks, and provides a link between risk and organizational strategy. The organization regularly benchmarks and reviews its policies against Fortune 1000 drivers to identify weak spots in its process.

Figure 27 depicts the risk management framework at Fonterra. As shown, risk management is part of the overall governance framework. The policies that support risk management are found under compliance and assurance. Processes that assist with risk identification are the responsibility of the risk management function and business units; the internal audit function follows up on controls, and assurance is completed through the process of risk assessment. The enterprise risk, audit, and legal functions all work closely together on compliance and assurance. The risk management function and the internal audit function have recently purchased a software solution that allows the organization to capture and regulate risks using a common format.

Figure 27: Fonterra’s Risk Management Framework (panels shown: a governance framework made up of The Way We Work, Values, Vision, Strategy, Risk Management, and Board Charter; a policy framework covering development, approval, management, communication, compliance, and assurance; and, below these, group standards/guidelines/rules/processes, business unit/division standards/guidelines/procedures, and group projects).

The ERM function provides information to Fonterra’s leadership team and the AFRC. The responsibilities of the ERM function have been outlined and approved by Fonterra’s leadership team and its board of directors. Specifically, the enterprise risk management function:
• communicates key risks and mitigation strategies to the AFRC, the board, ratings agencies, and shareholders;
• embeds risk management into existing line processes such as planning, forecasting, and budgeting;
• develops and standardizes quantification tools, templates, and systems to facilitate best-practice risk management activities by line managers;
• aggregates business-unit risk exposures to identify enterprise-wide threats and exposures;
• communicates and ensures visualization of enterprise risks;
• elevates risk management as a key line priority;
• provides a center of expertise in risk management practices;
• provides resource assistance to up-skill line managers in risk management; and
• challenges line assumptions and presents alternative scenarios.

Business units also have a defined role in enterprise risk management. The objective is to engage business units in managing risk in order to influence behaviors. By integrating risk management into behaviors, the organization hopes to influence overall attitudes regarding the importance of risk. In other words, getting employees to focus on risk management is the first step to cultural change.
In terms of risk management, the business units are expected to:
• identify downside risks and upside opportunities for the business,
• serve as expert witnesses to assess risk magnitude,
• mitigate downside risks,
• monitor emerging risks,
• collect risk data and report it to a corporate center for aggregation,
• enforce compliance with risk mitigation procedures among business-unit personnel, and
• use outcomes in budgeting/forecasting and business planning to ensure that processes are in place and that costs arising from implementation strategies are planned for and budgeted.

In order to further engage business units, Fonterra is establishing risk champions within each key business. The organization is converting the role of business continuity champions into risk champions charged with expanding the risk program. Risk champions will spend several days in risk assessment workshops designed to help them identify and manage key business risks. Risk champions will also become business liaisons to the risk function.

Before embarking on a risk assessment project, the ERM function and business units draft a formal proposal that outlines exactly who will do what during the assessment. Each function agrees to its respective responsibilities and outlines what is required. This process helps promote accountability and provides a starting point for follow-up and future recommendations. The contract also notes that any project is subject to an internal audit and that the processes will continue to be monitored. Again, the goal is to promote accountability, define responsibilities, and provide a basis for future evaluations and monitoring.

The following list summarizes the key activities of Fonterra’s ERM function.
• Assist—Assist with the financial success of the business by providing a forum and methodology for evaluating and prioritizing potential risk improvement opportunities and understanding their financial and other impacts.
• Improve—Improve the likelihood of meeting strategic targets by managing risk at the lowest possible cost.
• Encourage—Encourage customer success by providing a methodology to help the business build robustness so that losses are less likely or less impactful and the ability to deliver to customers in spec, on time, and in full is enhanced.
• Develop—Develop a culture in which risk assessment is seen as a normal part of doing business by developing programs that promote appropriate risk management behaviors and attitudes.
• Ensure—Ensure that Fonterra is aware of and managing its key risk exposures as part of its due diligence requirements.

Figure 28 (page 72) depicts Fonterra’s ERM organizational chart and areas of responsibility. The size of the ERM function is small relative to the organization’s 17,000-employee global work force.
However, the function operates at a high level and relies on strong engagement with the business units. As shown, the ERM function interacts with insurance brokers and leverages employees that are engaged in risk assessments within the business units. The ERM function is responsible for managing the ERM program, monitoring and reporting key risk matters, evaluating business interruptions, and business continuity planning. The ERM function also manages insurance programs; claims management; financial aspects of accident compensation; and other risk management activities, including contract risk and security.

Fonterra closely aligns risk management activities with its business plan. Although the organization’s business plan has not changed significantly since 2001, the goals for risk management have increased. The governing principle for risk management is to provide an ERM center of excellence. The goals are to assist business units with the identification of risks and to improve insurance efficiency.
Figure 28: Fonterra’s Risk Reporting Structure (organizational chart headed by the enterprise risk manager; roles shown include the insurance manager, risk assessment managers (one on contract), business continuity manager, injury management manager, risk management admin, and claims and risk administrators, together with brokers providing claims, insurance, captive, risk management, and risk engineering services). ERM responsibilities listed in the figure:
• ERM program
• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives and the board (including the top 20 risks)
• Business interruption evaluation
• Business continuity planning and crisis response planning
• Insurance program (strategy, policies, placement, and reporting)
• Claims management and administration
• Financial aspects of accident compensation
• Other risk management activities including contract risk, security, etc.

Fonterra’s current business plan (Figure 29) identifies the key strategies for risk management and the critical initiatives and actions that must occur in order for the organization to achieve its goals. Providing a central focus for risk management is a key strategy included in the business plan. Other key strategies for risk management include enterprise-wide risk assessments, enhanced information flow, and improved risk assessments.

Figure 29: ERM Business Plan—Executive Summary
Governing statement: Provide a center of excellence in risk management.
Goals: 1. Assist businesses with the identification of risk. 2. Improve insurance efficiency.
Key strategies and their initiatives and actions:
• Central focus for risk management: review/establish practical risk management procedures and protocols; resource and support the risk management activities (“coach”); ensure that AFRC is updated on key matters of concern regarding risk management.
• Enterprise-wide risk assessment: roll out the enterprise risk assessment process; assist business units to undertake risk assessments as required.
• Improve information flow and administration: implement claims management and recording systems to improve claims visibility and tracking; develop links between existing systems; improve insurance administration activities to reduce workflow; review and streamline insurance covers to maximize benefits.
• Improve risk assessment: improve the value add from assessments by including Fonterra standards in the assessment activities and broadening their scope.
• People, quality, and processes: expand the business continuity function to include risk assessment in the scope of work.

Since 2006, risk management has helped Fonterra realize significant benefits. For example, the ERM function provides a common platform for assessing risks and has shifted the emphasis from managing insurance and claims to managing risk. The ability to engage insurance partners in risk improvement activities has yielded significant financial benefits; there is also a greater emphasis on risk assessment, and business units are able to understand risks and associated priorities incorporated into strategic planning. Although risk assessment activities have not yet occurred in all parts of the organization, Fonterra has completed business risk, process risk, property/asset risk, and project risk assessments across most of the enterprise.

One of Fonterra’s goals was to create a sustainable culture for risk management. Accordingly, risk activities integrate with the organizational culture and have become part of daily business functions. Cultural change activities focus on providing employees with clearly defined roles and responsibilities in order to promote consistency. In addition, Fonterra provides incentives for business units to ensure that risk management is incorporated into business planning, project risk, and risk assessments. Risk assessment is included as a key performance indicator for business-unit managers under the organization’s risk management policy. All of these techniques have helped Fonterra influence its culture and integrate risk management into existing systems and processes.

Identifying, Implementing, and Maintaining Supporting ERM Technologies

“Right now, we mainly use Excel, which has evolved over the past 10 years depending on our needs. But I have a great fear that, if we purchase a formal software package, we will lose the ability to evolve our process.” — John Pearce, enterprise risk manager, Fonterra

The primary technology used to support ERM at Fonterra is Microsoft Office Excel. The organization has evolved its risk assessment tool to accommodate changes in its risk management processes. There is a perception within Fonterra that implementing a formal software package would make it difficult to quickly adapt to any process or business change. Accordingly, the organization has not purchased a formal software package for risk management. Currently, one full-time resource manages the formal risk assessment process and the supporting database.

Since the basic tool has not changed significantly in the past year, Fonterra has started to explore available software packages. While some applications are similar to what the organization already uses, the ability to integrate voting software and Monte Carlo simulation is important. Thus far, the organization has not found one tool that provides these types of features in tandem. Creating a custom software package is too costly at this time, but the organization is continuing to look at other tools that may be applicable in the future.
Fonterra aggregates risk assessment reporting into reporting themes developed by its leadership team and the audit, risk, and finance committee. The themes are "strategic," "market," "operational," "financial," "compliance," and "governance." Each risk is categorized into one of the themes, which enables leadership to view risks across the organization and identify which areas are more exposed. This strategy also helps identify risk categories that need more attention, controls, policies, procedures, or guidance based on risk outcomes within each theme. Figure 30 depicts an example of a risk assessment report. The risk categories (i.e., themes) are listed on the left-hand side, whereas the other two columns provide an overview of the sub-risk categories and risk areas that are linked to each of the themes. This data also flows to the business units in order to help them understand key risks.

"Sometimes we can quantify risks, but a lot of the time we can't. A lot of what we do requires a leap of faith that a prescribed course of action will get us where we need to be."
— John Pearce, enterprise risk manager, Fonterra

Using ERM as a Decision-Making Tool

ERM is fully integrated into strategic policy and the business units; accordingly, Fonterra uses risk management for budgeting and forecasting, business planning, capital evaluations, mergers and acquisitions, and project evaluations. The organization employs ERM across all business units except joint ventures where Fonterra does not have management control.

Fonterra also links ERM to business continuity planning and the outcomes of business projects and reviews that feed into the business planning process. In short, risk management strategy is integrated into the organization as a whole and provides a solid foundation for decision making. Figure 31 (page 76) provides an overview of Fonterra's risk management process.

This process is based on a risk management standard for Australia and New Zealand (also referred to as Risk Standard 4360) and is used every time the organization decides to conduct a risk assessment. The first step is to create a risk map in order to identify and assess potential risks. This activity allows Fonterra to evaluate risks prior to making a decision. After a decision is made, the organization determines a response strategy, which provides a framework for risk reporting. Throughout the process, communication, consultation, and continued review are critical.

Fonterra focuses its risk assessment activities in a number of areas and links them to key business decisions that are categorized as operational, strategic, or financial. The first area is process risk assessment, which focuses on operational and strategic risks. The intent is to obtain a high-level understanding of the production process from a risk perspective, which the ERM function factors into the overall risk exposure of the organization. The function accomplishes this by examining the path of production at each stage and closely reviewing inputs and outputs. This process exposes risks, controls, and what might be required in order to mitigate potential failures. Identifying process dependencies and articulating process risks is another goal of this activity. The result is defined risk mitigation activities, including the prioritization of capital allocations where required. Process risk assessments focus heavily on engineering and manufacturing activities.

Figure 30: Fonterra's Risk Assessment Report [figure: a three-column table of Risk Category, Sub-Risk Category, and Risk Areas for the six themes Strategic, Market, Operational, Financial, Compliance, and Governance]

Figure 31: Overview of Fonterra's Risk Management Framework Process [figure: 1. Create Risk Map (Establish the context → Identify the risks → Assess the risks → Evaluate the risks); 2. Develop and Monitor Management Plans (Risk decision → Risk response strategy); 3. Report Upon Risk (Risk reporting); the whole flow is bracketed by Communication and Consultation above and Monitor and Review below]

Business risk assessments follow a similar approach, but focus on the business-unit level. At this level, business process maps show processes by function and catalog inputs, outputs, and process dependencies. The goal is to rank potential risk probability and make financial determinations related to risk impact when possible. This activity helps identify what can go wrong, the likelihood of risk occurrence, and the controls in place to mitigate business risk. If the risk is significant, the organization conducts a more detailed risk assessment and examines additional controls in order to determine what else needs to be done, if anything, to better manage the risk.

If a risk is identified as high or significant to the business, then it is subject to a more detailed review using a formal risk assessment tool. If it remains a high-level risk, then the organization examines additional controls that can be put in place to monitor or mitigate the risk. The risk management policy requires that high or significant risks be formally reviewed and included in the strategic plan of the business unit. However, not all risks that are rated as significant or high are necessarily unacceptable. For example, currency and commodity risks are always high, and Fonterra's shareholders accept those risks. However, these risks are constantly monitored and reported on across the business.

Activity/project risk assessments focus on a variety of areas, which may include construction projects, outsourcing opportunities, union negotiations, IT security, or strategies to expand business units. For example, the organization recently conducted a risk assessment on outsourcing some of its IT functions to India. Activity/project risk assessments follow a defined process for a specific project.
Process and disruption risk assessments are contracted out to engineers around the world who complete asset risk reviews on-site. In other words, the organization separates sites as a building and manufacturing activity and reviews property risks independently from process- or project-related risks.

The organization conducts insurance and claims risk assessments in order to influence its financial health and reduce insurance premiums. It also evaluates risk advice and administration (e.g., contracts) in the process of strategic and financial decision making. Fonterra aggregates all risk-related assessments to improve business continuity planning activities. It identifies each risk and factors it into business planning at the strategic level.

As mentioned earlier, Fonterra uses a formal risk assessment process to evaluate risks across the organization. The ERM function is charged with evaluating high or significant risks and entering the data into the risk assessment database. In some cases, a risk assessment manager may conduct a formal review; however, most risk data is reviewed by the ERM function. This is because information must flow to the ERM function so it can be rolled up to senior leadership. In some cases, risks considered to be high or significant by one site are not necessarily high risks for the enterprise as a whole. Conversely, risks that a particular site does not consider to be high may, in fact, be of great concern to the organization. Therefore, it is important that all risk data be filtered to the ERM function so that it can be aggregated and interpreted.

Using the ERM function as a gatekeeper of risk data has both advantages and disadvantages. Generally, business units are not aware of the enterprise-wide risk landscape. As a gatekeeper, the ERM function is able to effectively weigh business risks against the impact on Fonterra as an organization. However, the interpretation of risks among sites may differ, and the process currently relies on a small team of individuals who communicate key corporate risks to senior leaders. To balance this, there is a growing effort to provide additional risk training to business units so that they are better equipped to articulate and identify risks that are of corporate significance.

Figure 32 (page 78) provides an example of the data captured during the formal risk assessment process. The example is fictitious, but shows the types of data fields that must be completed in order to accurately assess high and significant risks. For example, the reporting employee must clearly define the context and objective for each risk. The process also captures the volatility of risk in order to determine how often the risk must be evaluated. If a risk is getting worse over time, then it is followed up more aggressively than it would be if it were improving over time. Each risk is assigned an owner and a category, which ensures accountability and allows the organization to aggregate risks into groups.
Figure 32: Fonterra's Formal Risk Assessment Process (A Risk Management Framework - Risk Profiling Report)

Context/Objective: Guaranteed ability to process milk from shareholders
Risk: Reduced ability to supply milk to site for a period longer than 24 hours
Volatility: Increasing over time
Risk Owner: GM Milk Supply
Risk Category Coding (optional entry): Operational
Process Coding (optional entry): Milk Collection and Transport

INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls
Causal Factors:
• Road closure from flood
• Road closure from landslip
• Loss of power to the site for milk transfer >24 hours
Expected Consequences/Impact:
• Unable to receive all milk supplies
• Worst reasonable case estimate 50% loss of milk for 6 days following landslip
Potential Cost: NZ$1M - NZ$10M
Inherent Likelihood (1-10): 9
Inherent Consequence/Impact (1-10): 9
Inherent Risk Rating (potential business impact WITHOUT the benefit of controls): HIGH
[figure also shows a likelihood-by-consequence heat map with the risk plotted at 9, 9]

The ERM function conducts additional analysis to determine what causes a risk to occur and to identify the consequences of occurrence. This data generally results from brainstorming sessions attended by site management; the organization encourages site management to associate each risk with a potential cost, if possible. The ERM function assigns likelihood and consequence scores using a 1-to-10 scale. A rating of 1 would indicate a low likelihood of risk, whereas a rating of 10 would suggest that the risk is likely to occur in the near future. The combination of these two ratings generates an overall inherent risk rating, which the ERM function can use to assess the potential business impact without the benefit of controls. Once the ERM function assigns a risk rating, it reviews existing controls and looks at additional controls that could be used to mitigate the risk. The ERM function then force-rates each risk to determine an overall control effectiveness score. It rates controls in terms of quality and quantity so that the frequency and accuracy of information are considered. This step sometimes exposes weaknesses in risk data that the site management team has not considered. This influences the overall ratings of controls, which the ERM function eventually shares with the internal audit group for further review, if necessary. The goal is to evaluate risks against existing controls. In some cases, the likelihood of risk occurrence may be high, but if the consequence and impact are marginal, then the overall residual risk rating may be moderate.
Fonterra recently expanded its formal risk assessment process to include target risk. Target risk is the realistic target likelihood and consequence for each risk. This is a relatively new concept, but it has already been linked to strategy and business continuity planning. As part of the process, Fonterra captures target likelihood, consequences, and overall risk exposure for key target risks. It then assigns a rating to each target risk along with mitigation strategies. The organization assigns each target risk a risk owner and reviews potential controls that assist with contingency planning.

Throughout the formal risk assessment process, the ERM function provides guidance on ratings and definitions in order to ensure consistency. A risk assessment process pack provides definitions of key risk terms and, at every stage of the process, users have access to boxes that provide definitions of risk ratings. Consequences, for example, are identified as affecting the financial landscape, reputation dynamics, or customer dynamics, to name a few. Probability ranges are also defined based on occurrence. Each data point is clearly defined throughout the process.

Formal risk assessments vary in terms of frequency. Most sites are required to formally assess high or significant risks. Often, the ERM function will lead a site review in which it examines risks listed in the high and significant categories and compares them against the corporate risk environment. Sites must review high and significant risks annually.

Once a formal assessment is completed and controls are identified, the next step is to evaluate costs and incorporate any risk mitigation plans into budget planning. Action plans may require further review to define costs associated with implementing controls. Once costs are identified, they are integrated into budgeting and forecasting planning. In cases that require emergency expenditures, Fonterra may draw from a contingency budget that is set aside to handle unanticipated and unidentified risks. This contingency budget was approved and implemented by Fonterra's leadership team and its board of directors.

Fonterra uses a defined process to determine the strategic importance of risks (Figure 33, page 80). The process begins with a risk assessment to identify risk improvement opportunities. The key dependencies of the risk are also identified. The financial evaluation shows the impact of the opportunity; impact exposure is also identified. This information is combined to determine strategic importance. The organization prioritizes key actions to maximize risk improvement opportunities and allocates resources according to its priorities. The outcome is that the business units have an understanding of their key risk exposures and have plans to manage these where appropriate.
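The record described above (the Figure 32 fields, a 1-to-10 inherent likelihood and consequence combined into an inherent rating, a force-rated control effectiveness giving a residual rating, a target likelihood and consequence, and volatility that decides how aggressively a risk is followed up) can be modelled in a few dozen lines. The Python below is an added example, not Fonterra's Excel tool: the product formula, the rating bands, the linear control-effectiveness scaling, the review intervals and the volatility factors are all assumptions, because the report states only that the two ratings are combined and that controls are force-rated.

```python
"""Risk profiling record modelled on the Figure 32 fields (added example, not
Fonterra's own tool). The arithmetic is assumed: the report states only that
likelihood and consequence (each 1-10) are combined into an inherent rating and
that controls are force-rated into an overall effectiveness score."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed rating bands on the 1..100 likelihood x consequence product,
# checked from the highest threshold down.
RATING_BANDS = [(50, "HIGH"), (25, "SIGNIFICANT"), (10, "MODERATE"), (0, "LOW")]
# Assumed base review interval in months; the report states only that sites
# must review high and significant risks annually.
BASE_REVIEW_MONTHS = {"HIGH": 12, "SIGNIFICANT": 12, "MODERATE": 24, "LOW": 36}
# Assumed volatility factors: a worsening risk is followed up more aggressively.
VOLATILITY_FACTOR = {"increasing": 0.5, "stable": 1.0, "decreasing": 2.0}


def score_to_rating(score: int) -> str:
    """Map a 1..100 score onto the assumed HIGH/SIGNIFICANT/MODERATE/LOW bands."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "LOW"


@dataclass
class RiskProfile:
    context_objective: str
    risk: str
    volatility: str                   # key of VOLATILITY_FACTOR
    risk_owner: str
    risk_category: str
    causal_factors: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    potential_cost: str = ""
    inherent_likelihood: int = 1      # 1 = low, 10 = likely in the near future
    inherent_consequence: int = 1     # 1 = marginal impact, 10 = severe impact
    control_effectiveness: float = 0.0   # 0..1, force-rated by the ERM function
    target_likelihood: Optional[int] = None
    target_consequence: Optional[int] = None

    def __post_init__(self) -> None:
        for name in ("inherent_likelihood", "inherent_consequence",
                     "target_likelihood", "target_consequence"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        if self.volatility not in VOLATILITY_FACTOR:
            raise ValueError(f"unknown volatility {self.volatility!r}")

    # Inherent (untreated) risk: the assessment WITHOUT the benefit of controls.
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_consequence

    def inherent_rating(self) -> str:
        return score_to_rating(self.inherent_score())

    # Residual risk: inherent score reduced by the force-rated controls (assumed
    # linear). A likely but marginal-consequence risk stays moderate regardless.
    def residual_score(self) -> int:
        return round(self.inherent_score() * (1.0 - self.control_effectiveness))

    def residual_rating(self) -> str:
        return score_to_rating(self.residual_score())

    def target_score(self) -> Optional[int]:
        if self.target_likelihood is None or self.target_consequence is None:
            return None
        return self.target_likelihood * self.target_consequence

    def meets_target(self) -> bool:
        target = self.target_score()
        return target is not None and self.residual_score() <= target

    def review_interval_months(self) -> int:
        """Months until the next review, shortened when volatility is increasing."""
        base = BASE_REVIEW_MONTHS[self.residual_rating()]
        return max(1, round(base * VOLATILITY_FACTOR[self.volatility]))


def figure_32_example() -> RiskProfile:
    """The fictitious Figure 32 record; control effectiveness and target values
    are assumed here, the figure does not show them."""
    return RiskProfile(
        context_objective="Guaranteed ability to process milk from shareholders",
        risk="Reduced ability to supply milk to site for longer than 24 hours",
        volatility="increasing",
        risk_owner="GM Milk Supply",
        risk_category="Operational",
        causal_factors=["Road closure from flood", "Road closure from landslip",
                        "Loss of power to the site for milk transfer >24 hours"],
        consequences=["Unable to receive all milk supplies",
                      "Worst reasonable case: 50% loss of milk for 6 days"],
        potential_cost="NZ$1M - NZ$10M",
        inherent_likelihood=9, inherent_consequence=9,
        control_effectiveness=0.6, target_likelihood=4, target_consequence=6,
    )
```

With the assumed values the Figure 32 risk scores 81 (HIGH) inherent, 32 (SIGNIFICANT) residual, misses its target of 24, and, because its volatility is increasing, comes up for review every six months instead of twelve.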
Figure 33: Determining the Strategic Importance of Risks [figure: Risk Assessment (identify risk improvement opportunities) → identifies key dependencies; Financial (or other) Evaluation (identify impact of opportunity) → identifies impact exposure; both feed Strategic Importance (alongside BCP) → Prioritized Key Actions to Maximize Risk Improvement Opportunities → Allocate Resources According to Priority. Outcome: businesses have an understanding of their key risk exposures and have developed plans to manage these where appropriate]

"We've integrated risk management into policy and framework by having risk management as a key performance indicator for the businesses."
— John Pearce, enterprise risk manager, Fonterra

Using ERM as a Performance Improvement Tool

At Fonterra, ERM is linked to performance measures. Figure 34 is a sample performance scorecard. On an annual basis, Fonterra's management team and board of directors agree on a scorecard to measure and track performance. Items represented in the shaded boxes directly affect managers' annual bonuses, whereas items in the unshaded boxes do not.

Risk management enhances Fonterra's ability to meet financial targets. Specifically, the ERM function helps business units meet performance targets and works with them to understand the drivers of financial success so that they can maximize risk improvement opportunities. The business interruption valuation helps calculate potential interruptions to the organization, which is used for prioritizing risk improvement opportunities. By enabling risks to be managed at the lowest possible cost, risk management improves the likelihood of meeting strategic targets and reduces the number of surprises and losses incurred by the organization.

Risk management also affects customer and operational success. Risk management enhances the organization's ability to deliver on time and in full at a cost that customers are willing to pay. In addition, risk management can make claims response more efficient. In terms of improving operational function, ERM helps identify improvement opportunities that generate robust performance.

Finally, risk management enhances Fonterra's ability to attract and retain capable and willing people. Risk management attracts highly skilled individuals, including both contractors and employees. The ERM group provides ongoing coaching and mentoring to risk champions and businesses.

Figure 34: Sample Fonterra Performance Scorecard [figure: a grid with rows Financial Success, Customer Success, Operational Improvement, and Capable and Willing People, and columns Fonterra Group, Fonterra Core Ingredients, Asia/AME, China, and ANZ; measures include 1-Yr TSR, Payout per KgMS, Gross Margin, NPAT, EBIT, RONA, Sales Growth, Cash measure, Working Capital Turns, DIFOT, Complaints Value, Forecast Stability Measure, Sales from Innovation, LTIFR/TRIFR, Fatalities, Environment Issues Measure, and People Measure; the shading that marks bonus-linked items is not recoverable from the text]

Lessons Learned and Future Plans

According to Fonterra, successful ERM approaches must incorporate the following:
• senior management support and a venue for management support;
• the ability to show how ERM adds value to the business;
• captured and communicated benefits;
• built-in performance measures around risk assessment and improvement;
• links through common systems (as used by functions such as internal audit and IT);
• a common risk management language;
• clearly defined roles and responsibilities;
• established risk management processes to enable risk aggregation and transparent, unbiased reporting;
• incentives to ensure the inclusion of risk information in business planning and project assessment; and
• the integration of risk management into existing systems.

"If you are not seen as adding value to the business, then you are going to be traveling down a road that leads to nowhere. And that is not a place anyone wants to be."
— John Pearce, enterprise risk manager, Fonterra
Fonterra attributes much of its ERM success to its ability to find an anchor for risk management in the business units. Being able to link risk management to the day-to-day business functions is critical; without a business link, risk management can become a form-filling exercise whose meaning is merely theoretical. Simply put, if ERM is not viewed as providing value to the organization, then it is seen as "just another process" and can have little impact. Accordingly, communicating and capturing the value added from risk management activities is another critical success factor. Fonterra devotes a significant amount of time to showing that ERM is a value-added activity. Senior leadership actively promotes the benefits of ERM through both formal and informal communications. As with any corporate undertaking, the support of senior management is essential to success.

It is also vital to develop a common risk management language and provide clearly defined roles and responsibilities. This enables the organization to operate in a consistent framework and methodology throughout its different businesses and locations. Well-established risk management processes enable risk aggregation and transparent, unbiased reporting. Of equal importance is the ability to integrate risk management into existing systems that are used by internal audit, information technology, and other business functions.

Finally, effective risk management must link to performance measures and provide incentives for participation. Fonterra established built-in performance measures and key performance indicators around risk assessment and improvement. Incentives can also be used to ensure that risk management is included in business planning and project assessment.

In the future, Fonterra expects its risk assessment activities to provide business units with risk improvement opportunities that are closely monitored. The organization will expand its existing control self-assessment (CSA) process to further engage management. In past years, the CSA process focused on manufacturing, supply chain, and sales and marketing. The organization intends to use the expanded CSA process to obtain feedback from business units in order to determine future risk areas. CSAs must be completed twice annually and signed off on by senior managers at sites.

Fonterra also plans to grow the role of the business continuity champion, which is currently being expanded into that of the risk champion. To help with the transition, the first in a series of trainings has been scheduled to provide businesses with skilled resources in risk assessment. Rollout will involve further training and support for business-unit operatives in order to keep ERM staff numbers low at the corporate level.
Case Study: Microsoft Corporation

Microsoft is the world's leading software organization and provides a variety of products and services. Although the organization is well known for its Windows operating systems and Office software suite, it has expanded into markets such as video game consoles, servers and storage software, and digital music players. The organization serves individual consumers, small and medium enterprises, and some of the largest corporate and government entities in the world. In addition to software, Microsoft is also active in manufacturing high-tech hardware in its X-box, Zune, and Unified Communications products.

"Our business is dependent on taking risks. Enterprise risk management is not about limiting risk taking—it is about encouraging risk taking within boundaries that are internally or externally required."
— Brad Jewett, director, enterprise risk management, Microsoft Corporation

Microsoft is organized into three businesses: Platform and Services Division, Microsoft Business Division, and Entertainment and Devices Division. Under each of these business groups there are a number of products and product lines that are developed and managed by the organization. Its products and services support individuals in both their personal and digital lifestyles. Microsoft strives to continue innovating in the marketplace by constantly driving its mission "to enable people and businesses throughout the world to realize their full potential."

Headquartered in Redmond, Wash., Microsoft has approximately 80,000 employees dispersed throughout 103 countries and 565 sites. During fiscal year 2008, the organization reported approximately $60 billion in revenues and $22.5 billion in operating income.

Optimizing the ERM Structure

In 2005, Microsoft began discussing how to craft a holistic enterprise risk management (ERM) strategy and programmatic approach to risk management. The goal was to enhance visibility to risk across the organization, establish a continuous and sustainable approach to enterprise risk management, provide senior leadership and the board with more actionable risk information that would effectively guide management, and enable the board to fulfill its charter for oversight of risk management. Prior to Microsoft adopting a formal approach to ERM and creating the Office of ERM in 2006, the traditional risk disciplines of treasury risk, internal audit, and other risk specializations pursued risk management with notable best practices.

"The culture at Microsoft is focused on innovation. We don't want to change or hinder our culture of innovation, but rather enhance the opportunities we are pursuing by addressing the risks and threats to the business."
— Brad Jewett, director, enterprise risk management, Microsoft Corporation

During the initial program design, the Office of ERM invested time and effort in benchmarking other global organizations that were actively pursuing ERM. This provided input to the strategy and approach of Microsoft's ERM program efforts and resulted in the creation of an ongoing high-tech forum where industry participants share common practices and principles.
    • Ca s e stu dyMicrosoft Corporation The structure that Microsoft employs to accomplish its ERM goals includes four “risk pillars” that manage risk categories and topics across strategy, finance, operations, and legal/compliance. Each pillar incorporates senior leadership to sponsor and coordinate the overall program approach developed by the Office of ERM. Leveraging this structure while identifying areas in Microsoft’s business units and functions where risk management specializations already existed was important to the early success of Microsoft’s broader ERM program strategy. Figure 35 illustrates the organizational structure of ERM at Microsoft. Microsoft’s Risk Reporting Structure Enterprise Risk Office (ERO) - Virtual Organizations The Office of Enterprise Risk Management is sponsored by the vice president of internal audit and supported by the director of ERM leading and executing the overall program approach. The ERM effort is being coordinated virtually across the organization including four risk committees (pillars) each with their respective executive sponsors. Board of Directors: Audit and Finance Committee(s) Enterprise Risk Office: Executive Sponsor: VP of Internal Audit Program Office: Director of ERM Strategic Legal/Compliance Financial/Reporting Operations Chief Executive Officer Chief Legal Officer Chief Financial and Chief Chief Operating and Chief VP of Corporate Strategy VP of General Counsel Accounting Officers Information Officers Director of Corporate Director of Compliance Sr. Director Compliance General Manager Strategy Compliance Attorney Sr. Manager Compliance Manager Figure 35 Almost every organization that Microsoft benchmarked suggested that, without senior leadership support, ERM would not be successful. Another key learning was that any ERM approach must start small and leverage risk activities that are already occurring across the organization. 
It is equally critical to show the value of ERM to others in the organization so that the initiative will attract support and become ingrained in the culture. At Microsoft, key risks that have been identified, assessed, and require action to mitigate have sponsorship and oversight by the highest-level executives. The overall responsibility for the programmatic approach to enterprise risk management at Microsoft falls under the Office of ERM and the pillar leadership embedded within the business. Since the creation of the Office of ERM, enterprise risk management at Microsoft has moved beyond compliance; it is now performance-focused and is quickly progressing toward a strategic view of risk management. Microsoft is currently redefining its long-term (three- to five-year) ERM strategy to move in this direction. Now that the organization has pursued ERM for two years, the entire program is open to redesign. According to the director of ERM, the individuals involved in risk management are constantly striving to improve their programmatic approach for delivering value to the company. Even the mission and vision of ERM have been changed in order to make sure that the program foundation is on target. Whether ERM will continue to employ the current four-pillar structure or expand its existing governance structure through internal audit is also debated; the ultimate goal is to make sure that ERM is working as effectively as possible.

Microsoft’s overall ERM strategic plan is driven by a vision and mission. The plan’s three key components are imperatives, principles, and strategic objectives. Under each of these components, Microsoft clearly articulates how ERM will help the organization fulfill its mission and vision and then communicates what actions need to occur to ensure success. The new plan will also include key metrics, a scorecard, and an updated road map outlining the multi-year ERM initiatives that are contributing to the organization’s long-term vision. Microsoft’s strategic objectives are outlined in the areas of governance, business insight, accountability, risk identification and assessment, and leadership. Each of these areas has an assigned owner who is accountable for driving the strategic objectives company-wide. The goals for each of the five areas are summarized below.

1. Governance—Include all governance, risk, and compliance (GRC) functions within a comprehensive ERM governance model that aligns with the board and senior leadership team responsibilities for risk management.
2. Business Insight—Provide targeted risk information that enhances value creation and protection decision making within the normal business review cycles including strategic, operational, and financial planning.
3. Accountability—Senior leadership commitments incorporate defined objectives and oversight for risk prioritization, mitigation, and monitoring strategies.
4. Risk Identification and Assessment—Implement a continuous enterprise-wide risk assessment framework and methodology that is owned and managed within the business.
5. Leadership—Design a risk management competency model with training plans that integrate into existing career stage profiles for current GRC roles.

Enterprise risk reporting occurs quarterly, and board presentations to a special session of the combined audit and finance committees occur semiannually. Quarterly reports include updates on ERM program status and the progress made toward mitigating the most critical risks facing the company. The following program principles enable Microsoft to execute on this reporting cycle.

• ERM is an enterprise-wide framework and program adaptable to existing risk functions, division structures, and global geographies.
• ERM increases the transparency of risk to the board, senior leadership, and external stakeholders.
• ERM is integrated and embedded into corporate-wide processes that can leverage risk information for decision making.
• ERM enables bidirectional input and information sharing with key GRC functions such as Internal Audit, Windows Live Security, Corporate Privacy Group, and Information Technology Risk.

Examples of these operating principles are demonstrated in Figure 36, which illustrates the process and touch points between ERM and internal audit as they execute on their annual cycles and business plans. The primary benefit derived from aligning the ERM and internal audit business cycles is the ability to leverage risk and control knowledge within both groups in order to evaluate where key business risks exist and how they should be treated from both perspectives. The outcome is that ERM’s top-down and broad-based risk profile establishes the foundation for internal audit’s annual planning, which is focused on auditable units.

ERM and Internal Audit Business Cycles at Microsoft (Figure 36, a cycle diagram; its quarterly activities and linkages are reproduced here as text)

1st Quarter
• Finalize annual audit plans
• Start audit plan execution
• Review prior year audit results
• Communicate results/plans to board

2nd Quarter
• ERM annual risk assessment
• Communicate findings to board
• Review themes/patterns and risk mitigation plans with SLT
• Engage and support risk committees and pillar leaders

3rd Quarter
• Annual ERM planning
• ERM follow-up with improvement and monitoring plans with risk pillars and risk owners
• ERM testing of management’s opinion

4th Quarter
• Internal audit risk assessment
• Annual audit planning
• Finalize ERM plans and update board on testing risk mitigation/monitoring efforts

Linkages between the quarters
• Annual ERM risk assessment feeds annual audit planning
• Predefined change control to adapt plans to changing business assumptions
• Semiannual gap analysis between ERM risk assessment and audit results
• Audit issues and testing results feed ERM plans to validate management’s opinion

Shared foundations at the center of the cycle
• Interdependent management and internal audit risk assessments
• Shared taxonomy and framework for risk universe
• Common control framework for establishing improvement plans, risk monitoring, and audit testing
• Common risk rating criteria and scoring to determine risk exposure

Figure 36
Making sure that the rhythms of ERM and internal audit are in sync contributes to the core disciplines within both groups. Audit data and ERM data are shared and integrated at several levels. Figure 37 illustrates key integration points between ERM and internal audit.

Integration Points Between ERM and Internal Audit (Figure 37, a diagram): audit data items (audit universe, risk assessment, risks, audit plan, audit reports, issues) are paired with ERM data items (risk pillars, risk assessment, risks inventory, benchmark, risk exposure matrix, risk mitigation plan); the links between them are labeled cross matrix, informs, cross validation, and contributes to.
Figure 37

Through these integration points, risk assessment data can be used interdependently for internal audit planning and execution as well as ERM risk assessments and mitigation plans. The organization maps audit issues to ERM risks on a quarterly basis for review by enterprise risk owners where improvement actions are being taken to mitigate risks. Also, integration of audit issues resulting from field audits has enabled Microsoft to recalibrate its ERM risk ratings for enterprise risks where there is alignment and commonality between the risk definition and specific audit issue finding. Additionally, the ERM risk exposures and resulting mitigation plans help inform audit of the progress being made to mitigate specific risks within areas of the business where audits are being planned or actively conducted.

The ERM structure also facilitates and enables visibility and accountability for risk mitigation efforts, including clear sponsorship and ownership at the most senior levels, overall mitigation planning (e.g., timelines, milestones, resources), critical success factors, and measures of success where applicable.
ERM identifies senior leaders as risk sponsors and encourages them to engage with other senior leaders for specific risks within their scope of the business that cut across the organization. After risks have been identified, assessed, and formally sponsored and mitigation plans established, the treasury risk group (TRG) contributes to the validation of risk action plans by completing formal risk quantification and analysis for the most critical risks. These efforts to measure each risk’s potential material impact on the company validate the initial assessment and definition of an enterprise risk and provide context for the importance of mitigating a risk to an acceptable level.

“We have many discussions with our key leaders to get their input on both the risk universe and risk indicators. You don’t want to take information and send it up the chain without giving them the opportunity to weigh in.”
— Michele Turner, senior manager of enterprise crisis and risk management, Microsoft Corporation

Enterprise Risk Management in Action

An example of how the ERM pillar structure operates can be found in Microsoft’s approach to operations enterprise risk management. The operations pillar is charged with driving the implementation of the overall ERM framework and program approach into the core operations of the company. Its goal is to prepare Microsoft to address and mitigate operational risks and associated impacts on Microsoft’s businesses globally. The scope of this pillar’s risk management efforts includes critical areas of the business such as supply chain risk, information technology risk, business continuity risk, and many others. The operations pillar is sponsored by Microsoft’s chief operating officer, reports through the chief information officer, and is led by a general manager and senior manager of enterprise crisis and operations risk management.

One of the strengths of the pillar structure deployed by the Office of ERM is the establishment of risk accountability. Each role is clearly defined and communicated to promote accountability on key risks. Every enterprise risk is assigned an executive sponsor (senior leadership), risk leader (corporate VP), risk owner (general manager), and risk “focal.” The executive sponsor is a member of the senior leadership team or a member of the ERM sponsorship/pillar committee that supports and champions the process required to manage risk.
In conjunction with risk owners and pillar leaders, executive sponsors provide quarterly reviews prior to audit and finance meetings for Microsoft’s board meetings. The Office of ERM communicates the information provided through this accountability structure via written and face-to-face presentations to the board.

Risk focals are described as “feet on the street” to support risk management. Focals manage action planning, risk profile development, steps to support risk, and the work breakdown structure. Generally, people take on this role in addition to their day-to-day job responsibilities, so the organization has developed a work breakdown structure (Figure 38) to help communicate requirements. This level of detail helps risk focals talk to managers and convey needs across business units. Additional detail is provided under each box in Figure 38 so that focals understand the risk path and descriptions. This assists focals with reporting for monthly meetings and enhances knowledge transfer.

As previously noted, the culture at Microsoft is innovation-based. The organization plans to continue with its risk management momentum and embed ERM in the way it manages the business. It is also developing framework and governance structures to enable it to proactively address issues from a corporate perspective while taking into consideration its innovation-focused culture.
Risk Focal Work Breakdown Structure (Figure 38, a hierarchy chart; its boxes are reproduced here as an outline)
1.0 Operations Enterprise Risk Management
  1.1 Risk Assessment
    1.1.1 Risk Universe Update
    1.1.2 Pre-Work for Risk Assessment Workshops
    1.1.3 Participation in Risk Assessment Workshops
  1.2 Maintenance of Identified Risks
    1.2.1 Risk Profile Development
    1.2.2 Risk Profile Update
    1.2.3 Risk Action Plan Development
    1.2.4 Action Plan Update
    1.2.5 Dashboard Update
  1.3 Reporting Process
    1.3.1 Accomplishments Update
    1.3.2 SLT and Board Updates
  1.4 Training & Awareness
    1.4.1 Risk Management Tool Training
    1.4.2 Improve Risk Checkpoint
    1.4.3 Monitor Risk Checkpoint
    1.4.4 Brown Bag Discussions
Figure 38

Identifying, Implementing, and Maintaining Supporting ERM Technologies

“Our technology solutions are designed to empower our businesses so they can effectively manage risk. Flexibility, variation, and functionality are three critical ingredients to any solution we provide to our business.”
— Ramadan Chokr, senior manager, financial compliance group, Microsoft Corporation

As a technology leader, Microsoft is currently exploring a number of solutions to manage its risk and compliance activities. Since ERM is a relatively new concept, the program is investigating multiple options for building and implementing an ERM platform that can be leveraged globally. At present, the organization employs an enterprise solution built on SharePoint and SQL technology; moving forward, it plans to continue building a “platform” that integrates the best of Microsoft’s enterprise technologies with Microsoft Office solutions. Like many organizations, Microsoft faces challenges associated with the volume and complexity of external compliance obligations. There are numerous overlapping compliance requirements that need to integrate with ERM, including SOX, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard, anti-corruption, privacy regulations, trade compliance, and so on. All these compliance requirements involve different tools, and the organization believes that even more tools will be added in the future, further complicating the technology infrastructure. Microsoft’s proposed solution to address such issues is to leverage the best of its technology through a platform approach termed “OneCompliance,” which supports compliance with multiple regulations and standards. The approach involves optimizing available resources that focus on risk management, controls, and compliance while reducing duplication and business inputs.

A number of discussion groups and functional business groups provided input to the design and structure of OneCompliance. In the design, each group chooses a framework in which to view and manage control activities that mitigate risks and help achieve objectives. This platform approach to risk and compliance aims to provide relevant control data so that businesses can reduce the time and effort involved in complying with internal or external requirements and focus on their core competencies for developing products and servicing customers. The key message is that OneCompliance captures control data so that it can be tested once and used in many different forums to ensure that risk is managed to an acceptable level and the company is in full compliance with external requirements. It is Microsoft’s belief that a platform approach reduces the total cost of ownership and provides flexibility to empower various business groups across the enterprise. Empowerment of businesses in the ERM process is an ongoing theme for Microsoft; leadership firmly believes that the key to success is to empower business units to manage risks. OneCompliance will provide the functionality to achieve this objective.

To communicate key risk information, Microsoft leverages both formal and informal methods. Formal communications include quarterly meetings that engage executive sponsors and risk owners who have specific enterprise risk responsibilities. There are also numerous informal meetings that update stakeholders on key risks.
Using ERM as a Decision-Making Tool

“At Microsoft, ERM does not set strategy—but it strives to influence what risks need to be considered and addressed when establishing strategy.”
— Brad Jewett, director, enterprise risk management, Microsoft Corporation

ERM is not used to set strategy at Microsoft; however, the organization hopes that ERM information will influence what risks should be considered when businesses perform their normal business reviews and strategic planning processes. Using an enterprise risk assessment framework, the Office of ERM and the pillar leaders facilitate risk discussions with businesses in terms of materiality, geography/division scope, legal/compliance context, and overall brand or company reputation. Using these criteria to assess risks, each pillar scores three aspects of an identified risk or threat to the business: (1) risk impact to the company, (2) risk probability or expected frequency, and (3) existing risk controls or plans that serve as mitigating factors.

Upon completion of each pillar’s risk assessment, the information is consolidated, rationalized, and prioritized across the ERM structure for review by senior leadership and the board. Risks are evaluated on both an inherent basis and a residual basis when the organization is considering controls and mitigation plans. Based on the results of this effort, risks are categorized according to recommended actions. Those risks that are categorized as “improve” are formally sponsored and escalated for action plans. The status of a risk as “improve” is not meant to indicate a departure from any particular standard of care or compliance obligation; rather, it represents a risk for which Microsoft discerns concrete opportunities for control and mitigation.

The Office of ERM also tracks each “improve” risk via formal opinion statements about progress that are presented to the board on a semiannual basis. Overall, the process for risk assessment and mitigation enables the organization to identify and manage its most critical risks. The core principle advocated by ERM at Microsoft is:

  Risk is owned and managed by the business where key decisions and investments are made. ERM’s role is to facilitate visibility to this and establish accountability where additional efforts to manage risk are needed.

To facilitate the business ownership of risk, Microsoft has defined short-term, intermediate, and long-term themes within its ERM strategy and road map. The short-term theme is focused on strengthening the foundation for ERM and building awareness across the organization. Microsoft has already met its short-term goals and, in most cases, is executing the second cycle of these initial goals. Microsoft’s intermediate theme focuses on establishing a risk management culture and achieving deeper integration into the business. Efforts are currently underway to meet goals related to this intermediate theme. Microsoft’s long-term plans center on optimizing ERM.
Specifically, the goal is to extend ERM practices across all divisions and geographies by leveraging an integrated platform of risk data.

Lessons Learned and Future Plans

With its current structure, strategy, and disciplined approach to ERM, Microsoft believes it is well on its way to establishing a sustainable program that is capable of achieving the organization’s overall vision: “Through ERM’s leadership, management’s value creation and value protection decision making enables Microsoft to become the most universally trusted and respected company in the world.”

Microsoft admittedly sees challenges ahead for a global program like ERM at such a large and complex company. However, the improvements that the organization has made so far represent solid progress toward realizing this ERM vision.
CASE STUDY: New York Independent System Operator

The New York Independent System Operator, or NYISO, is a nonprofit organization that operates the state of New York’s bulk power system, independent of the companies that own and use the system. The NYISO administers the marketplace for the state’s electricity, runs its transmission system, and serves as a commodities exchange to ensure a fair and competitive wholesale electricity market.

Operating out of two locations near Albany with 430 employees, the NYISO has an annual operating budget of $160 million with which to ensure the reliability of the state’s power grid and administer the market effectively. This involves 24/7 operations, constant communication with regulators and counterparties, and more than $9 billion in annual settlements. Feeding into the North American power grid, the state has 10,775 miles of high-voltage transmission, 335 generating units, and more than 350 market participants that buy, sell, or trade electricity through the NYISO. In 2006, for instance, the NYISO administered a load of 162,265 gigawatt hours (GWh) to keep electricity flowing through New York.

The NYISO was created in 1999 to replace the New York Power Pool (NYPP), which was tasked with prohibiting system disturbances that could lead to power blackouts. When the state decided to allow competition, the NYPP was transformed into the NYISO to create an infrastructure for such competition. Since that time, market transactions through the NYISO have totaled more than $50 billion.

In addition to working with the companies that own and use the state’s voltage system, the NYISO is accountable to government regulators such as the U.S. Federal Energy Regulatory Commission and the New York State Public Service Commission. Its accountability also extends to reliability regulators such as the North American Electric Reliability Corporation, the Northeast Power Coordinating Council, and the New York State Reliability Council as well as various stakeholders including end-use consumers, power authorities, municipalities and co-ops, other suppliers, generation and transmission owners, and environmental groups. These parties are referred to collectively as “market participants.”

The NYISO produces a number of publications for its market participants. The majority of these publications are designed to relay the NYISO’s planning process and make recommendations on what will be required to operate the bulk power
system in years to come. The publications include a reliability needs assessment, engineering solutions for reliability needs, power trends for decision makers at the state and federal level, and load and capacity data.

“ERM is a strategic and dynamic process that all our employees have a stake and ownership in to implement. In its ideal state, ERM should identify business process improvement and risk mitigation opportunities, be they physical, financial, or cultural.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

Optimizing the ERM Organizational Structure

The NYISO’s enterprise risk management (ERM) efforts began in 2002 in the wake of the Enron fallout. Having had some risk exposure related to Enron, the NYISO developed a small risk mitigation program to ensure that such losses would not occur again. Using a trial-and-error process, the organization spent two and a half years developing a foundation for its ERM efforts. Although the ERM program is still evolving in response to market conditions and customer needs, the NYISO’s current ERM framework has been in place since January 2005. This ERM framework is grounded in two missions: maintain system reliability and administer the markets. The NYISO has determined that these two missions require the protection of its reputation, which is its most valuable asset. For that reason, the organization has arranged its risks into three broad categories: risks to reliability (resources and fuel costs/availability), risks to markets (legislative/political, finance and credit, and billing), and risks to reputation (legal/regulatory issues and compliance). These three categories are broken down into 17 areas of risk that are used throughout the organization:

1. infrastructure,
2. resources,
3. financial,
4. compliance,
5. execution,
6. seams,
7. credit exposure,
8. press/media,
9. security,
10. billing,
11. market design,
12. regulator relations,
13. market participants,
14. fraud,
15. retention,
16. political climate, and
17. market administration.

At the NYISO, risk management is regarded as the ability to identify and remove risk impediments to the organization’s operations. Such operations involve:
• business support services,
• market participant relations and account services,
• market performance management,
• fiduciary responsibility,
• legal and regulatory services,
• system and resource planning, and
• market operations.

Responsibility for ERM resides within the organization’s risk, compliance, and quality management function. This function also includes the Lean Six Sigma group and the process control and management group. Risk management is tied to quality management because the NYISO expects ERM processes to identify business
process improvements. As the function’s director, Wayne Bailey is responsible for these combined efforts. “From our experience, the risk, compliance, and quality management efforts work very well together and really feed off one another in a very effective way,” Bailey says. “It’s the best intelligence network in the organization.”

Bailey reports to the CEO and the board of directors, who were the organization’s original champions for ERM. As ERM’s executive sponsor, the CEO informally acts as the organization’s chief risk officer. Bailey also provides information to a risk management committee. Consisting of business-unit vice presidents and directors, this committee meets monthly to verify and review risk reporting. Business units are involved in the monthly process of risk reporting and mitigation. In addition to this monthly process, the risk, compliance, and quality management function is responsible for identifying more immediate high risks and notifying senior leadership. According to Bailey, “Because every aspect of what we do at the NYISO has an impact on the reliability of the power grid and the effective economic dispatch of energy, our approach to risk reporting and mitigation is that the primary owners are the business units and their management teams.”

Consequently, although ERM funding is allocated to the risk, compliance, and quality management function, budgeting for specific risk and mitigation actions is funneled down to the appropriate business units. That said, ERM funding is relatively limited, with the bulk of the budget going toward salaries, benefits, and training and development. To supplement ERM funding, the CEO has an informal corporate contingency fund that can be used to allow business units to respond to extraordinary risks and opportunities.

Risk management responsibilities are spread throughout the organization. For example, the general counsel for risk is the chief compliance officer. Cyber and physical security risks fall within the domain of the enterprise security function’s business continuity planning department. A senior risk specialist is responsible for insurance program contracts, structure, loss control, and reporting, as well as the administration of the ERM process and national trends analysis.

The internal audit and ERM groups work especially closely together, and the two groups frequently coordinate their risk assessments. The internal audit manager is a member of the risk management committee, and the general auditor has at times reported to Bailey. The internal audit group reviews risk reports and uses the information as a basis for its testing and investigation.

All of these dynamics feed into risk reporting and mitigation efforts that inform the NYISO’s annual budgeting and annual and five-year strategic plans. In fact, all budget submissions require an analysis of risk mitigated by the requested dollars and a description of any risk incurred if funding is not allocated. The risk, compliance, and quality management function drafts the annual business plan, which ensures that risk
management is tied into the annual planning process. The organization incorporates risk considerations into almost all its business decisions.

In general, the NYISO’s risk appetite can be characterized as very low. Bailey explains that, because the nonprofit is focused on reliability and handles its market participants’ money, the board would prefer that it incur no risk at all. At the highest levels, risk appetite and enterprise definitions are discussed and agreed upon annually with the board’s audit and compliance committee, the CEO, and the senior leadership team. Any risk appetite impasse within the ERM function is presented by Bailey to the CEO and the audit and compliance committee for review and discussion. The NYISO defines its risk appetite in the following terms:

• Inherent risk—Any business risk (legal, regulatory, financial, or operational) that the organization has assumed simply by engaging in its duties and responsibilities as an independent system operator. These risks exist independent of any attempts to mitigate them.
• Mitigation activities—The portion of inherent risk that has been significantly reduced through processes, controls, or some form of risk transference so as to no longer pose a danger. These risks can reoccur as conditions change.
• Residual risk—The portion of inherent risk that, regardless of reason, has not been mitigated by processes, controls, or some form of risk transference.
• Defined risk appetite—The portion of inherent risk that the organization is willing to accept and tolerate.
• De facto risk—The portion of inherent risk to which the organization remains exposed.

As the risk rating definitions in Figure 39 illustrate, the NYISO has a low threshold for considering a risk severe. This is considered on both a portfolio and individual risk basis. Such risks are tracked in frameworks developed by the Risk and Insurance Management Society (RIMS) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) using matrix scales and heat maps that list each of the organization’s 17 risk categories according to probability and impact.

Identifying, Implementing, and Maintaining Supporting ERM Technologies

The core risk reporting and mitigation processes at the NYISO are heavily manual and supported by Microsoft Office programs, including Word and Excel. The NYISO is examining a number of ERM technology support tools, but is several months away from automating the function.

“The market conditions can change from hour to hour, and a market participant can very quickly get in a lot of trouble, which puts our entire market at risk. So we track these things very carefully.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

Using ERM as a Decision-Making Tool

When the NYISO initiated its ERM efforts, it mapped out every function and process in the organization and then created a 100-page document detailing every risk along with its triggers and status. The risk, compliance, and quality management function updates this ERM report every month based on reporting and mitigation efforts by the business units. The board’s audit and compliance committee reviews
    • CASE STUDY New York Independent System Operator The NYISO’s Risk Rating Definitions Impact to Impact Reliability Reputation Markets Low/No Affects local reliability, 0 to $100,000 Small process/procedural Impact non-mission-critical errors that impact limited systems stakeholder segments Some Affects zones outside $100,000 to Continuous mistakes in Impact J&K, non-mission-critical $1 million processes that affect systems not operational stakeholders and indicate NYISO inability to correct Serious Affects zones J&K, $1 million to NYISO fails to meet regulatory Impact mission-critical $5 million compliance issues/NYISO systems affected execution causes marked disruptions Most Affects all of the In excess of Regulators, market participants, Severe state’s control area $5 million and media severely impugn Impact mission-critical NYISO reputation, with NYISO systems unable to influence outcome Improbable—unlikely to affect Imminent—likely to affect NYISO within NYISO within one year one quarter Possible—may affect NYISO Immediate—the risk presently affects NYISO within one year Figure 39and discusses the ERM report with Bailey at least once a quarter—with line-by-linescrutiny—and provides guidance to management on risk tolerances and mitigation.The overall quality of the ERM report depends on the accurate monitoring andreporting of risks by the business units.   t this level, risk owners—those owning Athe business processes—are responsible for reporting known risks, their status,and mitigation efforts on a monthly basis. “If it appears we are no longer gettingaccurate risk reports or that a risk has been reduced due to new processes, thenwe look at the way the new process works and we work with the business processowner to help them identify what new risks they might have,” says Bailey.The risk, compliance, and quality management function summarizes the ERM reportin a four-page monthly risk report that is distributed to the NYISO’s board ofdirectors. 
The summary details immediate and pending risks for the coming year as well as mitigation efforts currently in place. It includes a risk matrix detailing probability and impact for specific risks, along with relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry, and an article selected each month describes issues that affect the security of the electricity markets in the United States, North America, and around the globe.
According to Bailey, the ERM report and executive summary provide instant knowledge on the state of the enterprise. He cites a recent example in which the reporting process revealed a serious concern for the credit management function. To protect its market participants, the NYISO responded by accelerating its adoption timeline for technology programs to manage credit and tightening its rules for credit exposure. This is just one of many instances in which ERM has driven business planning and helped management prioritize efforts. As detailed earlier in the case study, ERM information drives strategic planning from the board level down. The organization’s ERM efforts also heavily influence the insurance-buying process by detailing risk mitigation activities to underwriters.

Because of confidentiality issues, the NYISO does not often communicate risks to external stakeholders.

“ERM has enabled cross-silo information sharing, which has improved compliance, reliability, and economic issues.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

Using ERM as a Performance Improvement Tool

The NYISO’s ERM efforts alert employees and management to cross-functional issues affecting voltage system reliability in both the immediate and long term. These endeavors also support the organization’s effective economic dispatch of energy and compliance with local, state, and federal guidelines. Such compliance monitoring took on greater meaning for the NYISO after new Federal Energy Regulatory Commission reliability standards were introduced in 2007. These standards, which had to be operational by July 2008, include 817 standards applying to the NYISO. “In some of those cases, noncompliance can result in a penalty of as much as $1 million a day,” says Senior Risk Specialist Ken McGuinness.
“Without the ERM process, I’m not sure we would have been able to get our arms around that.”

In terms of performance, the NYISO’s early risk reporting highlighted the poor execution of processes and procedures posing a significant risk to the organization. Labeled as “root-cause risks,” these issues were addressed by a board-sponsored “Excellence in Execution” program. The program involved the extensive automation of manual processes, the adoption of Lean Six Sigma management principles, and an extensive process/control mapping effort.

Although the NYISO maintains several dashboards to communicate performance data to market participants, these metrics do not directly tie to risk reporting. Instead, the risk, compliance, and quality management function relies on its heat map of risks as its key visual aid. The organization’s 17 categories of risk are plotted on the heat map in terms of impact and probability (Figure 40). With aggregate risk measured historically for signs of progress, the heat map acts as a performance scorecard and a communication vehicle to share risk information across the enterprise. When ERM efforts were first launched, the aggregate risk measured annually between 50 percent and 60 percent, but it has consistently trended down and now averages in the mid to low 30s (Figure 41).
Example Risk Report Heat Map

The heat map plots the NYISO’s 17 risk categories by probability (Improbable, Possible, Imminent, Immediate) against impact (Low/No Impact, Some Impact, Serious Impact, Most Severe Impact). The categories are: A Infrastructure, B Security, C Seams, D Resources, E Financial, F Billing, G Credit Exposure, H Market Design, I Reg Relations, J MPs, K Compliance, L Press/Media, M Fraud, N Execution, O Retention, P Political Climate, Q Market Admin.

Figure 40

Risk Ratings Over 42 Months

The chart plots the aggregate risk rating (percentage, on a 25% to 60% scale) against the timeline in months (1 to 42).

Figure 41
Lessons Learned and Future Plans

Many of the NYISO’s lessons learned regarding ERM implementation involve change management principles and the importance of gaining support from all levels of the organization. Initially, many employees were concerned that the ERM program would be a tool for finger-pointing and assigning blame. To combat this fear, the risk, compliance, and quality management function made a concerted effort to prove that employees would not be penalized for reporting on risks. This involved a cooperative and collegial approach that set the tone for all of the risk, compliance, and quality management function’s efforts.

Now, resistance more commonly comes from employees who state they are too busy or that risk does not apply to their functions. In response, the risk, compliance, and quality management function offers continuing education about ERM. This involves quarterly seminars for all managers and supervisors to review the organization’s risk profile. In addition, the function distributes relevant articles and anecdotes focused on the consequences of ignoring risks. The function also leverages corporate publications and meetings to raise awareness and facilitate buy-in.

For the NYISO, the key elements of ERM success include:

• responsiveness, flexibility, and the ability to adapt;
• continuing education on emerging trends;
• acceptance of a risk management framework as a focal point;
• a common language for defining and describing risks;
• senior management support and commitment;
• risk management ownership;
• communication of risk information throughout the organization;
• comprehensive training;
• reinforcement through HR mechanisms;
• effective risk management processes; and
• monitoring through self and internal audit.
The NYISO would advise organizations that are just beginning their ERM journeys to obtain the support of senior leaders, rely on results for additional buy-in, identify how risk analysis and mitigation can help the organization’s core processes, be patient yet firm, and embrace responsible parties as part of the solution and acknowledge them accordingly. Those who stay focused, the NYISO advises, will make a difference.
Case Study: Textron Inc.

Founded in 1923, Textron started as a small textile company called Special Yarns Corporation, but would eventually grow to become the world’s first conglomerate. During World War II, textiles boomed, and Textron (then operating as Atlantic Rayon Corporation) was able to grow its business by making parachutes. After the war ended, it diversified and began producing lingerie, blouses, linens, and other consumer goods. By 1947, the organization was listed on the New York Stock Exchange; just two years later, sales reached $67.8 million.

“Value is realized when the ERM process motivates beneficial actions that wouldn’t have otherwise occurred.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron

Today, Textron is a global organization with more than 44,000 employees and brands such as Cessna airplanes (which has built more than half of all general aviation airplanes currently in operation, including the largest fleet of business jets). Textron also manufactures Bell helicopters for military and commercial sectors worldwide. The company has contracts with the U.S. Army, U.S. Air Force, and U.S. Marines.

Textron operates in five major business segments: Cessna, Bell, defense and intelligence, industrial, and finance. Cessna Aircraft, which accounts for 38 percent of Textron’s business, produces Citations, single engine aircraft, and used and Caravan aircraft, as well as providing parts, service, and CitationShares. Bell Helicopters accounts for 19 percent of Textron’s business; this segment builds military and commercial aircraft. The defense and intelligence segment produces a number of defense systems, land systems, and aircraft and weapon subsystems. The industrial segment, which manufactures E-Z GO golf carts and various hand tools, accounts for approximately 26 percent of the overall business. Finally, Textron Financial provides commercial loans and asset-based lending.
Since almost all of Textron’s aircraft are financed, a significant portion of Textron Financial’s business deals with aircraft financial loans.

The major business units within each segment are responsible for the day-to-day management and operation of their businesses with oversight by the segment and corporate offices. However, Textron has consolidated certain functions such as financial reporting and IT to achieve cost savings and improve efficiency across the enterprise. With 500 Black Belts, Textron has embraced Six Sigma across all levels of the organization in an effort to improve its myriad processes.

In fiscal year 2007, Textron reported $13.2 billion in revenue; by 2010, it expects to report between $16.5 billion and $18.8 billion in revenue. Textron’s revenue typically grows by 15 percent or more each year.
Optimizing the ERM Organizational Structure

Textron initiated its enterprise risk management (ERM) efforts in late 2004 after assessing the regulatory climate and examining statements from members of the U.S. Securities and Exchange Commission and other entities. The organization determined that an ERM process would be beneficial once it realized that such a process would help it file a more meaningful 10-K. Although there were no laws or regulations requiring an ERM system, Textron’s board quickly assembled a team to address ERM methods and tools. After assigning the chief auditor to lead the ERM effort, the organization retained consulting firm Deloitte to help assess organizational risk.

“We don’t have a risk committee like other organizations. And this is by design. We felt having risks reported to a separate committee would be a fatal flaw, since risks are often bundled up to a committee where nothing ever happens. Instead, our risks are reported directly to risk owners in our key business units.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron

Deloitte interviewed about 200 Textron employees to create a comprehensive risk assessment, which included a list of the greatest risks facing the organization. Textron’s board of directors wanted a prioritized list ranking the most significant risks, but this was not immediately available from the risk assessment. In order to more effectively manage risks, the organization decided to adopt Six Sigma. In January 2005, Textron implemented Design for Six Sigma (DFSS), which is a seven-phase project that seeks to prevent manufacturing and service process problems by using systems engineering techniques to eliminate process problems at the outset.
These techniques include tools and processes to better predict, model, and simulate the product delivery system as well as analysis of the developing system life cycle itself to ensure customer satisfaction with the proposed system design solution. It took approximately a year to complete and implement the DFSS Black Belt project for ERM. Deloitte was involved with the team for the first four phases (through the design phases) and provided expertise and benchmarking insight. Textron did not adopt Deloitte’s methodology, but instead developed its own toolset and definitions. The team was sponsored by some of the organization’s key executives, including the chief financial officer (CFO). Textron cites the involvement of the CFO as one of its critical success factors: With strong leadership and Six Sigma, the ERM project was able to quickly gain momentum across the organization. The ERM tools and processes were piloted across several business units so that they could be tested and validated; this was another factor that helped promote rollout and buy-in.

Using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) II definition, Textron defines risk as “any event, condition, or action that could adversely affect an entity’s ability to achieve its business objectives or execute its strategies effectively.” Enterprise risk management is identified as a “systematic and disciplined set of policies, processes, and practices, as well as a structure that enables ongoing identification, assessment, and prioritization of the major risks associated with the company’s key business objectives.” ERM also enables the development, implementation, monitoring, and evaluation of risk mitigation strategies.
Specifically, the DFSS methodology allowed the organization to create designs using Six Sigma discipline with reference to customer requirements and service delivery capability. Figure 42 illustrates the DFSS process that was used to design ERM at Textron. At each gate, a specific checklist must be completed in order to move to the next phase. As mentioned, three Deloitte consultants assisted with the process through the design phases. Key functional leaders from Textron business functions participated in the process, as well.

DFSS in Designing ERM at Textron

DFSS methodology allows Textron to create designs using Six Sigma discipline with reference to customer requirements and service delivery capability. (Deloitte)

• Identify: Tollgate 1, Phase 1 Customer Requirements and Definition; Tollgate 2, Phase 2 Conceptual Design
• Design: Tollgate 3, Phase 3 Preliminary Design; Tollgate 4, Phase 4 Detail Design
• Optimize: Tollgate 5, Phase 5 Pilot/Prototype
• Validate: Tollgate 6, Phase 6 Validation; Tollgate 7, Phase 7 Transition

For each phase the figure lists its activities (for example, gather needs, translate needs to CTSs, develop and evaluate design alternatives, run pilot, demonstrate capability, monitor system; assessing risk recurs as an activity in most phases) and its tools (for example, Quality Function Deployment, Pugh Selection Matrix, TRIZ, DFMEA, Design of Experiments, Design Scorecard, Statistical Process Control).

Figure 42
In 2006, Textron adopted ERM across the organization. Because ERM was launched from existing Six Sigma efforts, there were fewer cultural barriers to adoption. According to Jim Laney, Textron’s director of ERM, “If we would have just said we are using ERM, we would have had a lot of resistance. But thanks to Six Sigma, the ERM tools and processes obtained a near automatic badge of acceptance.” Accordingly, Textron cites attaching ERM to a standard design process within the organization as a critical success factor to enable validation.

ERM risk data contributes to the development of Textron’s annual 10-K report and related public filings. The director of ERM provides relevant risk data and works with a team to develop 10-K revisions.

At Textron, the ERM function reports to the vice president of audit, who reports directly to the board of directors with a dotted-line relationship to the CFO. The business continuity management (BCM) function also reports to the vice president of audit; the two functions have three full-time employees devoted to ERM and BCM activities. ERM and BCM also report to an operating committee made up of business-unit leaders and key functional leaders. The operating committee is used in lieu of a traditional risk committee because Textron’s leaders feel that the ERM function should report directly to risk owners in key business units. The ability to report risks directly to risk owners is another critical success factor at Textron because it enables timely risk discussions to occur with interested parties and risk owners.

Textron’s board of directors plays a significant role in ERM. For example, the board sets expectations for ERM and communicates that risk management is an integral part of the overall management and governance process. The board also provides oversight and process integrity for ERM. Board members offer input and feed concerns about specific risks into the ERM process.
As noted in the case study introduction, Textron has consolidated certain business functions that are common to multiple business units—such as finance and information management—into “councils” that report to one CFO and one CIO. These councils present their own risks to the organization in addition to the separate business-unit risks. Figure 43 shows how risks are reported across Textron’s business units and councils. The chart is also used as a report card to indicate which business units and councils are participating in risk activities. This approach has helped the organization increase involvement and promote accountability. As part of the reporting and mitigation process, business units and councils work with the operating committee to determine the acceptability of the risk mitigations.
Risk Reporting for Business Units and Councils (ERM 4Q07 Update Status for Business Units and Councils)

| Wave | Business Unit / Council | Name | 1Q07 Updates | 2Q07 Updates | 3Q07 Updates | 4Q07 Updates |
|---|---|---|---|---|---|---|
| A | Bell | Lee Tait, Shelley Klopfenstein | Complete without changes | Complete with changes | Complete with changes | Complete with changes |
| A | Fluid & Power | Jim Kelley | Complete without changes | Complete without changes | Complete without changes | Complete without changes |
| A | IM Council | Mara Pankovich | Complete with changes | Complete with changes | Complete with changes | Complete with changes |
| A | Finance Council | Deborak Imondi | Complete with changes | Complete with changes | Complete with changes | Complete without changes |
| B | TFC | Don Burch, Joe Gentile | Complete with changes | Complete with changes | Complete with changes | Complete without changes |
| B | Kautex | Mike Donoghue | Complete with changes | Complete with changes | Complete without changes | Complete with changes |
| B | Cessna | Mark Mann (Open Position) | Complete with changes | Complete with changes | Complete with changes | Complete with changes |
| B | Supply Chain Business Council | Jim Kieran | Complete with no risks | Complete with no risks | Complete with no risks | Complete with no risks |
| B | Human Resources Council | Dave Green | Complete without changes | Complete without changes | Complete without changes | Complete without changes |
| C | Textron Systems | Al Gagne | Complete with changes | Complete with changes | Complete without changes | Complete with changes |
| C | Jacobsen | Cynthia Funderburk | Complete with changes | Complete without changes | Complete without changes | Complete without changes |
| C | E-Z-GO | Rusty McGahee | Complete with changes | Complete without changes | Complete without changes | Complete with changes |
| C | Greenlee | Steve Wehrle | Complete with changes | Complete without changes | Complete with changes | Complete with changes |
| C | Legal Council | Andrew Spacone | Complete without changes | Complete without changes | Complete without changes | Complete without changes |
| C | Crisis Management | Andrew Spacone | Complete without changes | Complete without changes | Complete without changes | Complete with changes |
| C | Compliance / Ethics Committee | Bill Clegg | Not Applicable | Not Applicable | Not Applicable | Not Applicable |

Figure 43

Figure 44 depicts the ERM flow at Textron. Over the years, ERM activities and assessments have increased across the enterprise. For example, information technology risk management (ITRM) is now linked to ERM, and in the past year, ethics and compliance risk assessments have also begun to flow through the ERM function. ERM feeds into audit planning with enhanced risk assessments; risk validation work is expected to increase in the future.

Each business unit and council has assigned ERM coordinators who work directly with the ERM function. These individuals spend 10 to 14 hours each quarter coordinating risk information. ERM coordinators help subject matter experts in their business units and councils complete risk data and assessments. The concept is to integrate experts who understand the specific risks with risk coordinators who understand the ERM process. Rather than training all employees on ERM, Textron keeps ERM intelligence dispersed between ERM coordinators and the ERM function.

ERM Flow at Textron

Business Unit & Council ERM Coordinators provide the primary flow into Textron ERM. Ethics and Compliance Risk Assessments and ITRM (Information Technology Risk Management, from Information Systems) also flow into Textron ERM, which in turn feeds Audit Planning through ERAP (Enhanced Risk Assessment Process).

Figure 44

To capture key risk data, Textron uses an ERM input tool that is based on failure mode effects analysis (FMEA). For each risk, ERM coordinators help subject matter experts collect data in five key categories:

1. basic risk information—such as title, description, failure mode, and cause;
2. gross risk information—the cost of the risk event and the probability of occurrence (in annual terms) if no mitigations were in place;
3. current risk information—the cost of the risk event and the probability of occurrence (in annual terms) with all current mitigations in place;
4. decision—whether or not further action is required; and
5. expected risk—details on impact and likelihood.

Data from this input tool is then entered into an Excel spreadsheet that can be tracked and used for reporting purposes. The spreadsheet is color-coded so that, if the “decision” category indicates that further action is required, then the risk is automatically highlighted in red.

As the categories listed above indicate, for each risk, Textron captures gross risk information—the expected cost of a risk if no mitigations were in place—and current risk information—the expected cost of the risk event with mitigations in place. Calculations of gross risk information and current information are combined to produce a mitigated value, which indicates what the risk will actually cost if the mitigations fail.
Figure 45 depicts a sample of a calculated mitigated value for a risk. This type of reporting illustrates the gap between gross impact and likelihood and current impact and likelihood if the corrective controls are effective. Senior leaders devote additional attention to any risk that has a high gross impact and likelihood. This may result in an audit of controls or a more detailed presentation from the president of the business unit to explain the mitigated value of the risk. Mitigated values that are greater than $100 million are presented in a risk summary report to management to ensure that the associated risks are tracked and understood.

Risk analysis at Textron is data-driven. Once a risk is entered using the input tool, the data is analyzed in the ERM database and extracted to produce risk radars and risk summaries. Because the operating committee prefers to view all risk data on a single page, risk summaries are prepared using PowerPoint and presented on one to two slides. Additional data about a particular risk can be obtained by clicking the risk icon depicting that risk. To create the summaries, Textron uses Microsoft Office programs and an add-on tool called DataPoint that allows links between PowerPoint presentations and the organization’s Access database. This enables consumers of risk data to quickly access details on any risk.

Mitigated Value Sample

The chart plots Impact (NOP Annualized, $0 to $40M+) against Likelihood (Annualized, 0% to 100%). Risk A appears twice: once at its gross impact and gross likelihood, and once at its current impact and current likelihood. The distance between the two points is the mitigated value, labeled as the value of the corrective controls (mitigating actions).

Figure 45
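The gross, current, and mitigated-value arithmetic described above, as an added Python example that is not Textron’s tool or data: it treats annualized expected loss as impact times likelihood and models the mitigated value as gross minus current expected loss (both are assumptions, since the case study gives no formula), then applies the $30 million radar and $100 million summary thresholds the case study states. The sample rows, field names, and helper names are constructed for the example.

```python
"""Added example (not Textron's tool): an FMEA-style risk record in the shape of the
case study's input categories, with assumed gross/current/mitigated-value arithmetic."""
from dataclasses import dataclass

# Thresholds stated in the case study (annualized net operating profit, USD).
RADAR_THRESHOLD = 30_000_000     # gross impact above this is tracked on the risk radar
SUMMARY_THRESHOLD = 100_000_000  # mitigated value above this goes to the summary report
_SUFFIX = {"K": 1e3, "M": 1e6, "B": 1e9}

def parse_money(text: str) -> float:
    """Parse spreadsheet-style dollar strings such as '$40M', '$1.5B' or '$100,000'."""
    s = text.strip().upper().replace("$", "").replace(",", "").rstrip("+")
    mult = 1.0
    if s and s[-1] in _SUFFIX:
        mult, s = _SUFFIX[s[-1]], s[:-1]
    return float(s) * mult

def parse_likelihood(text: str) -> float:
    """Parse an annual likelihood given as '75%' or as a fraction such as '0.75'."""
    s = text.strip()
    value = float(s[:-1]) / 100 if s.endswith("%") else float(s)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"likelihood out of range: {text!r}")
    return value

@dataclass(frozen=True)
class RiskRecord:
    risk_id: str            # 1. basic risk information: id, title, failure mode, cause
    title: str
    failure_mode: str
    cause: str
    gross_cost: float       # 2. gross risk: impact and annual likelihood, no mitigations
    gross_likelihood: float
    current_cost: float     # 3. current risk: the same with all current mitigations
    current_likelihood: float
    further_action_required: bool  # 4. decision

    def __post_init__(self) -> None:
        # Data-quality check: mitigations cannot make the annualized loss worse.
        if self.current_expected_loss() > self.gross_expected_loss():
            raise ValueError(f"{self.risk_id}: current expected loss exceeds gross")

    def gross_expected_loss(self) -> float:
        return self.gross_cost * self.gross_likelihood

    def current_expected_loss(self) -> float:
        return self.current_cost * self.current_likelihood

    def mitigated_value(self) -> float:
        """Value of the corrective controls: the annualized loss that returns if every
        current mitigation fails. Assumed here as gross minus current expected loss."""
        return self.gross_expected_loss() - self.current_expected_loss()

    def status_color(self) -> str:
        # The tracking spreadsheet highlights risks that need further action in red.
        return "red" if self.further_action_required else "green"

    def reports(self) -> list[str]:
        out = []
        if self.gross_cost > RADAR_THRESHOLD:
            out.append("significant risks radar")
        if self.mitigated_value() > SUMMARY_THRESHOLD:
            out.append("mitigated value summary")
        return out

def record_from_row(row: dict[str, str]) -> RiskRecord:
    """Build a record from one spreadsheet row of string cells."""
    return RiskRecord(
        risk_id=row["id"], title=row["title"], failure_mode=row["failure_mode"],
        cause=row["cause"],
        gross_cost=parse_money(row["gross_impact"]),
        gross_likelihood=parse_likelihood(row["gross_likelihood"]),
        current_cost=parse_money(row["current_impact"]),
        current_likelihood=parse_likelihood(row["current_likelihood"]),
        further_action_required=row["decision"].strip().lower() == "further action",
    )

def one_page_summary(records: list[RiskRecord]) -> list[dict]:
    """Rows for the operating committee's one-page view, largest mitigated value first."""
    ranked = sorted(records, key=lambda r: r.mitigated_value(), reverse=True)
    return [{"id": r.risk_id, "mitigated_value": r.mitigated_value(),
             "status": r.status_color(), "reports": r.reports()} for r in ranked]

# Constructed sample rows; illustrative values, not Textron data.
SAMPLE_ROWS = [
    {"id": "A", "title": "Single-source part", "failure_mode": "Line stoppage",
     "cause": "Supplier insolvency", "gross_impact": "$40M", "gross_likelihood": "75%",
     "current_impact": "$10M", "current_likelihood": "25%", "decision": "Further action"},
    {"id": "B", "title": "Program cancellation", "failure_mode": "Revenue shortfall",
     "cause": "Customer budget cut", "gross_impact": "$2B", "gross_likelihood": "25%",
     "current_impact": "$400M", "current_likelihood": "25%", "decision": "Acceptable"},
    {"id": "C", "title": "Plant flooding", "failure_mode": "Facility outage",
     "cause": "Floodplain site", "gross_impact": "$20M", "gross_likelihood": "50%",
     "current_impact": "$5M", "current_likelihood": "25%", "decision": "Acceptable"},
]

def run_sample() -> list[dict]:
    """Parse the constructed rows and rank them as the summary slide would."""
    return one_page_summary([record_from_row(r) for r in SAMPLE_ROWS])
```

Risk C illustrates the gap the thresholds leave: it carries a real mitigated value yet appears in neither report, which is why the operating committee also reviews the full risk radar rather than only the summary.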
Leaders can also access risk radars, which highlight Textron’s significant risks and associate those risks with dollar amounts related to net operating profits. A sample risk radar is depicted in Figure 46. Risk radars track gross risk and are color-coded to indicate whether further action is required; risks are graphed so that the likelihood of a risk occurring in the next year is represented on the X-axis and annual net operating profits are represented on the Y-axis. Embedded links guide users to more detailed information from the risk database. Currently, risks that involve more than $30 million in net operating profits are tracked on a regular basis, but the organization is considering moving this threshold to $50 million.

Textron creates a risk radar for every business unit and council. The operating committee reviews these risk radars each month during its regular meeting. Although risk data is updated quarterly, meetings that occur between updates enable committee members to probe more deeply into risks that are of concern. Sometimes, a technical leader will be asked to prepare a presentation on a particular risk so that the operating committee can better understand the risk and what is being done to mitigate it.

Textron Significant Risks Radar

The radar plots annualized NOP ($0, $35M, $70M, $105M, $140M, $500M, $1B, $2B) against likelihood (0% to 100%) for risks A through K; dollars are measured in annualized NOP. Legend: gross risk; risk reduced to an acceptable level; further action required.

| Risk | Risk Name | Owner | Initial | Complete |
|---|---|---|---|---|
| A | | Crisis Management | 1Q06 | TBD |
| B | | Finance Council | 1Q06 | 1Q06 |
| C | | IMC | 1Q06 | 1Q06 |
| D | | TFC | 1Q06 | 1Q06 |
| E | | Bell | 1Q06 | 1Q06 |
| F | | Legal Council | 1Q06 | 1Q06 |
| G | | Bell | 1Q06 | 1Q06 |
| H | | Finance Council | 1Q06 | 1Q06 |
| I | | Finance Council | 1Q06 | 1Q06 |
| J | | Bell | 1Q06 | 1Q06 |
| K | | Kautex | 1Q06 | TBD |

Figure 46
Part of the risk review process includes sending pre-reads and discussion items to the operating committee prior to the monthly meetings. The committee receives presentations on risks with impacts greater than $30 million and mitigated value analysis on risks with impacts greater than $100 million. In addition, the committee pre-selects risks to be discussed from one meeting to the next. The ERM team often promotes certain risks for additional consideration, such as “yellow” or “red” risks with no movement, risks that are being removed from the significant risks radar, and risks or mitigated risks that need to be escalated. Validation requests and results are also discussed during the monthly meetings.

Each quarter, information packages are sent to the operating committee for review. Similar to the pre-read packets for the monthly meetings, the quarterly review packages contain detailed risk data such as status updates, risk update summaries, a risk radar summary, and a summary of risks whose mitigated values are greater than $100 million. The packages also contain a report card detailing which business units are participating and a quick list of significant changes. For example, the quarterly report would show if a risk that was initially quantified as $30 million was increased to $50 million. A risk removal process requires business units to explain how and why a risk should be removed. For example, a risk may be removed if the program or project that supported the risk is eliminated. A risk can also be removed if it is not changing significantly over time. In such cases, the risk is still tracked and captured, but a box is checked to indicate that it is not active for review. The risk is left in the database, but is not reported in the risk review process. (Periodic renewals allow these risks to be checked for updates.)

As part of Textron’s ERM activity cycle, risk data is captured and reported two weeks prior to the end of each quarter.
This allows time for the CFO to examine and sign off on any risk activity without interfering with quarterly financial reporting processes.

Initially, it was thought that the ERM function would act as administrator of the process; however, this is not the case. Instead, the ERM function serves as a coordinator for risk activity and works closely with key business leaders to determine how risks should be reported.

Identifying, Implementing, and Maintaining Supporting ERM Technologies

Textron primarily uses Microsoft Excel to collect risk data. Information related to risk radars, risk summaries, and risk measures is collected in Excel and exported to PowerPoint for reporting purposes. The tool is slightly interactive in the sense that certain boxes can be turned off if needed. For example, if a risk is considered acceptable and no further work is required, then the portion of the form related to future mitigation actions is turned off to prevent input.

“We’d love to have a Web-based tool that lets our risk owners input data online. Being able to track and update risks online would be ideal; however, we aren’t there yet.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron
As mentioned previously, the organization employs a tool called DataPoint to enable links between Microsoft programs. When reports are extracted, a button next to each risk allows users to access more detailed risk data from the risk database. For each risk, 59 data points (or fields) are collected. On the input form, users can click “question boxes” to obtain additional guidance on how to complete the various sections. Data fields are standardized to ensure accurate data analysis and promote “apples-to-apples” comparisons.

Textron has examined some emerging ERM systems, but has not found any that meet the maturity requirements of the organization. Ideally, it would like to develop a Web-based tool that captures basic inputs and allows users to track and update key risks. Allowing risk consultants to input risk data on a standardized form is the goal; however, the costs associated with this technology and the limited resources available to maintain and develop such a tool prohibit its development at this time. Currently, about 18 individuals update risks each quarter; this represents 40 to 50 transactions. With such a low number of transactions, an enterprise software solution would need to be economically priced in order to be attractive.

Using ERM as a Decision-Making Tool

ERM is integrated into decision making at Textron in the sense that risk data is considered and reviewed as part of strategic planning. In addition, most strategic plans at Textron capture the level of risk associated with various projects. The ERM function encourages business units to use the same process that is used to track and report risks across the organization; however, this practice is not fully implemented. The ERM function is currently trying to improve how assessments are conducted for strategic planning. However, since risk radars are reviewed as part of the strategic planning process, the organization is satisfied with the level of integration with strategic planning. The strategy organization is involved in creating risk assumptions when developing scenarios for planning risk assessments. Although there is not a direct link between ERM and strategic planning, risk discussions occur during the business units’ annual strategy review planning sessions. In addition, the board of directors integrates risk information into strategy and planning.

“We are not as integrated into the strategic process as we could be, but we are integrated somewhat. ERM doesn’t necessarily drive strategy at Textron, but it is considered in the annual strategy planning process.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron

The ERM function tracks macroeconomic risks that are considered high-level. For example, the board of directors will often request risk assessments on macroeconomic risks such as a European or U.S. recession. The ERM function is charged with creating a risk assessment on a potential recession that includes financial data as well as the impact to the overall organization or business unit. Currently, the ERM function manages nine macroeconomic risk assessments, and Textron’s board of directors has initiated about half of these. The assessments cover emerging risks as well as regulatory risks. The ERM function tracks a number of economic assumptions such as gross domestic product (GDP), interest rates, and other data that may affect business units. Assessments that involve global economic factors are generally given in two scenarios. For example, one scenario may report
the outcome of a mild recession, whereas another may focus on the outcome of a worldwide recession. Possible scenarios are presented from both division and corporate perspectives.

ERM is also integrated into Textron’s annual 10-K report. As previously stated, Textron’s director of ERM works with a team to provide risk data to be considered in 10-K revisions. Although specific risks are not mentioned in the 10-K, they are covered in basic risk categories.

Textron does not use risk workshops for decision making or strategic planning because it is difficult to determine exactly who is a risk expert in its various business units and segments. Cessna, for example, has more than 12,000 employees, and identifying the right people to participate in workshops would be extremely challenging. The audit committee monitors ERM and evaluates how the process is working on a regular basis; the organization finds this process to be more effective than workshops.

In 2006, the ethics and compliance organization began conducting its own risk assessments to drive action plans. A year later, this group changed its risk assessment process to the process used by the ERM function. As part of the integration, the ERM function and the compliance and ethics function jointly developed business conduct guidelines. The document outlined 29 standard risk categories and definitions such as improper payments, insider trading, international trade, and anti-trust. Each risk category was assigned a subject matter expert to answer questions on compliance issues.

The ERM function worked closely with the compliance and ethics group to help the group understand the difference between controls that would reduce likelihood and controls that would change impact. For example, some controls, such as training, may reduce likelihood, but not impact. Conversely, some controls may reduce impact and cost to the organization, but do not reduce likelihood.
Basic information about this distinction was communicated across the organization. Since many of Textron’s business units face the same compliance and regulatory issues, it was important to provide a standardized way to compare and assess risks in these areas. Each business unit was surveyed to identify its top three compliance risks, and this information was used to determine the 29 standard risk categories.

In 2007, Textron successfully incorporated compliance risk into its ERM process. Compliance risk assessments and actions are reported via the same risk radar and summary format used for other risks. This enables the organization to rationalize compliance expenditures. Compliance risks are updated quarterly, but assessments and major changes to action plans occur only once a year.
ERM is also integrated with business continuity management. In fact, data from ERM drives BCM activities. At Textron, BCM is a coordinated set of organizations, activities, processes, and tools that allows the company to prevent and/or prepare for, mitigate against, respond to, and recover from significant business disruptions. Textron uses enterprise applications and IT tools for BCM, and each business unit has a BCM coordinator.

When Textron was initially considering business continuity planning, it relied on ERM to make the case. By leveraging risk data, the ERM function was able to identify a significant number of risks that would benefit from business continuity mitigations. Accordingly, with the full support of management, the organization adopted a BCM process to mitigate business risks. Figure 47 shows the current process that is used for business continuity planning.

Figure 47: Business Continuity Management at Textron (diagram: a business disruption is followed by crisis response and then business recovery, each with a planning phase and an execution phase, and recovery time is tracked across the sequence). Crisis Management, EH&S, Risk Management, IT DR, ISC, and ERM are also part of effective BCM and can mitigate the effects of business disruptions.

The integration of BCM and ERM has led to significant process improvements across the organization. Figure 48 lists some of the benefits that have been derived from BCM. For example, HR Textron will have reduced a significant risk exposure down to a small amount along with potential insurance benefits. Likewise, by enabling an alternate treasury site, the organization will reduce a small expected loss per week to zero.
Figure 48: ERM and Business Continuity Management Benefits

Risk: TMLS - Hurricane - Mfg. facility producing armed security vehicle for U.S. Army
  Former current impact: $ Significant; 4 month recovery time
  Action: Implemented business continuity plan and relocated critical processes to new facility
  Revised current impact: $ Small; 1 month recovery time
  Benefit: $ Significant reduction in risk impact exposure; $ Minor reduction in insurance premium

Risk: HR Textron - Earthquake - Mfg. facility producing actuators for Bell Helicopter and Cessna Aircraft
  Former current impact: $ Significant; 6 month recovery time
  Action: In process - implementing business continuity plan and (planning) a co-production facility at new location. Project in Phase 5 (of 7).
  Revised current impact: $ Significant (will be less than $ Small upon implementation); 3 month recovery time; impact and recovery time est.
  Benefit: $ Significant reduction in risk exposure anticipated; potential insurance benefits; addresses capacity restraints

Risk: Treasury - All Threats - Risk to 40 Westminster
  Former current impact: $ Small per week plus delays in payroll, dividends, taxes, pensions, debt service
  Action: Business continuity plan (in process) to enable alternate treasury site w/ full functionality
  Revised current impact: $ Very Low
  Benefit: Fully mitigated risk impact of loss of treasury operations

Risk: IT Data Loss - Data Loss - Exposure with laptops
  Former current impact: $ Small
  Action: Implemented data encryption technology on all laptop computers
  Revised current impact: $ Very Low
  Benefit: $ Small reduction in risk impact exposure

Using ERM as a Performance Improvement Tool

Textron tracks and measures a number of ERM components, including:
• risk events and actions,
• overall risk prediction ratio,
• total cost of risk events per year,
• ERM participation,
• risk exposure reduction,
• mitigated reductions, and
• cost savings.

“We are a Six Sigma company. We measure everything. We measure the risk impact and likelihood and the ERM process effectiveness as well.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron

Most of these measures are basic. For example, risk events and actions measure any disruptions that result in changes to risk analysis. For each risk event occurrence, the ERM function reviews existing risks and makes any necessary revisions to the impact and likelihood assessments. This information is presented in the same format as risk analysis data and is entered in the risk event tracking system. A risk event summary shows the current predicted impact, the actual impact occurrence, and the costs associated with the change in the event.
The overall risk prediction ratio is the percentage of events that were accurately predicted. Calculating this ratio requires the organization to collect data on risk events in relation to risk prediction. The ratio compares risk events to the predicted risks. For example, a sample overall risk prediction ratio would be the number of risk events that occurred divided by the number predicted.

The total cost of risk events per year is the cumulative cost of risk events. To obtain this data, the ERM function tracks risk events and total annual cost. The cost of risk events is plotted against total risk exposures.

Risk exposure reduction refers to the cost of a risk once mitigation controls are in place. Risk impact is collected as annualized net operating profits. Reductions in risk impact potential that result directly from ERM mitigating actions are collected as risk exposure reductions. For example, if an initial risk of $100 million is reduced to $25 million through controls or other ERM actions, then the risk exposure reduction would be $75 million.

Mitigated reductions are the potential savings that would result from mitigation efforts if a risk event actually occurred. Textron tracks the total effect of all new mitigating actions each quarter. The sum of the differences between previous current risk impact and current risk impact is summarized across all business units.

Finally, cost savings are measured; this category includes items such as insurance savings or other savings that are actually realized. To obtain this number, the ERM function captures the total cumulative cost of all savings generated by actions caused by ERM.

Textron’s audit committee evaluates the ERM process periodically to ensure it is working as designed. These reviews have resulted in enhanced risk identification, evaluation, and mitigation throughout the organization.
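To make the review rules and measures concrete, the following added example (not Textron’s tool, and not code from the report) models a small risk register: it applies the monthly pre-read thresholds and “no movement” promotion rule from the risk review process described earlier, builds the quarterly quick list of changes and participation report card, and computes the risk exposure reduction and mitigated reductions measures defined above. All field names, business-unit names, and dollar figures are constructed assumptions.

```python
"""Toy ERM risk register (added illustration, not Textron's tool). Models the
review rules and measures in the case study; names, fields and sample figures
are constructed assumptions."""
from dataclasses import dataclass

PRESENT_OVER = 30_000_000               # committee presentation for impact > $30M
MITIGATED_ANALYSIS_OVER = 100_000_000   # mitigated value analysis for impact > $100M

@dataclass
class Risk:
    name: str
    unit: str                # owning business unit (constructed names)
    initial_impact: float    # impact when first quantified, $ (annualized NOP)
    previous_impact: float   # impact reported last quarter
    impact: float            # impact reported this quarter
    mitigated_value: float   # expected impact once planned mitigation is in place
    rating: str              # "green", "yellow" or "red"
    previous_rating: str
    active: bool = True      # False == the "not active for review" box is checked

def committee_agenda(register):
    """Monthly pre-read: what the operating committee sees, plus what the ERM
    team promotes (yellow/red risks with no movement since last quarter)."""
    agenda = {"present": [], "mitigated_value_analysis": [], "promote": []}
    for r in register:
        if not r.active:                  # kept in the database, not reported
            continue
        if r.impact > PRESENT_OVER:
            agenda["present"].append(r.name)
        if r.impact > MITIGATED_ANALYSIS_OVER:
            agenda["mitigated_value_analysis"].append(r.name)
        no_movement = r.rating == r.previous_rating and r.impact == r.previous_impact
        if r.rating in ("yellow", "red") and no_movement:
            agenda["promote"].append(r.name)
    return agenda

def significant_changes(register):
    """Quarterly quick list: risks whose quantification changed (e.g. $30M -> $50M)."""
    return [(r.name, r.previous_impact, r.impact)
            for r in register if r.active and r.impact != r.previous_impact]

def report_card(register, all_units):
    """Which business units are participating (submitted an active risk)."""
    participating = {r.unit for r in register if r.active}
    return {u: u in participating for u in all_units}

def exposure_reduction(r):
    """Risk exposure reduction: initial impact minus impact after ERM actions."""
    return r.initial_impact - r.impact

def mitigated_reductions(register):
    """Mitigated reductions: sum of (previous impact - current impact) per unit and overall."""
    per_unit = {}
    for r in register:
        if r.active:
            per_unit[r.unit] = per_unit.get(r.unit, 0) + (r.previous_impact - r.impact)
    return per_unit, sum(per_unit.values())

M = 1_000_000
REGISTER = [   # constructed sample register for one quarter (not Textron data)
    Risk("Hurricane exposure, Gulf Coast plant", "BU-A", 120*M, 120*M, 120*M, 40*M, "red", "red"),
    Risk("Single-source supplier", "BU-B", 100*M, 100*M, 25*M, 25*M, "yellow", "red"),
    Risk("Laptop data loss", "BU-B", 8*M, 8*M, 5*M, 1*M, "green", "green"),
    Risk("Legacy program (inactive)", "BU-C", 15*M, 15*M, 15*M, 15*M, "yellow", "yellow", False),
]
UNITS = ["BU-A", "BU-B", "BU-C", "BU-D"]

def quarterly_package(register=REGISTER, units=UNITS):
    """Assemble the quarterly review package: agenda, changes, report card, measures."""
    per_unit, total = mitigated_reductions(register)
    return {
        "agenda": committee_agenda(register),
        "changes": significant_changes(register),
        "report_card": report_card(register, units),
        "exposure_reduction": {r.name: exposure_reduction(r) for r in register if r.active},
        "mitigated_reductions": per_unit,
        "mitigated_reductions_total": total,
    }
```

With the sample data, only the unchanged red hurricane risk reaches the presentation, mitigated value analysis, and promotion lists, the inactive risk is excluded from every view, and the supplier risk reproduces the report’s $100 million to $25 million example as a $75 million exposure reduction.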
The following process is used for ERM reviews:
• the business units and councils submit timely quarterly updates,
• the ERM team reviews business-unit and council submissions for reasonableness and completeness,
• quarterly updates of significant risks are presented to the operating committee,
• the operating committee reviews significant risks, and
• the risk review is incorporated into strategy discussions.

Textron is able to quantify all its risks. This means that every risk is associated with a dollar amount representing the approximate cost the organization would incur if that risk event were to occur. However, cost is not the only consideration for mitigation. Other, more important considerations can affect mitigation decisions. If the business unit or council is not able to assign a cost for a risk, the ERM function can still track the risk. However, in the history of ERM, there has yet to be a risk that cannot be quantified. This is because the ERM function works closely with business units to determine risk costs. In some cases, a range may be developed to illustrate best- and worst-case scenarios, and each risk cost is factored into an overall cost average.

At Textron, ERM has transformed the organization significantly and helped it realize significant benefits. Some of these benefits result from reduced risk exposure, which means that they are realized only when a risk event occurs and its impact is reduced through risk mitigation efforts that have been put into place. However, other benefits accrue even if a risk event does not occur. For example, insurance premium reductions and credit rating agency decisions that impact the cost of capital have produced significant cost savings for the organization.

Other key benefits and activities resulting from Textron’s ERM function follow.
• Risk discussions now occur within business units, councils, and the operating committee.
• The compliance organization uses the ERM risk collection process and tools to assess compliance risks.
• In financial reporting, 10-K and 10-Q risk factors sections are enhanced by risk data from ERM as recommended by the U.S. Securities and Exchange Commission.
• To enhance security, laptop encryption and data risk analysis and software tools have been adopted based on recommendations by the ERM function.
• Mitigation plans for the avian flu have been implemented at all business units using ERM tools.
• ERM data feeds the annual FRM and audit planning process.
• Physical property damage insurance reviews are being completed, and coverage is being rationalized.
• Integrated risks and supply chain risks have been identified and mitigated.
• The need for more robust business continuity planning has been identified, and this functionality is being developed.

“ERM is not something that is done in the back office and put in a drawer for future reference, and you don’t want it to be like a newspaper where you just report what may or may not happen. It is a hands-on activity that requires everyone to work on it. And the value is only realized when you actually do something that ultimately improves the organization.”
— Jim Laney, director, enterprise risk management, business continuity and strategic development, Textron

Lessons Learned and Future Plans

The ERM function regularly completes an 18-month outlook that shows target areas for risk and process improvements. Figure 49 (page 117) illustrates the current 18-month outlook for ERM. The bottom of the chart details the areas that the function has targeted for improvement. For example, ERM plans to expand on macroeconomic risks and continue to evaluate enterprise-level risks through scenario planning. Mergers and acquisitions (M&A) is also a target area for improvement; the objective is to employ ERM risk analysis tools such as risk radars and risk summaries to evaluate all future mergers and acquisitions prior to making a commitment.
Another key area for improvement is physical property damage risk. Recent developments provided an impetus to examine the organization’s insurance policies across a number of business units. For example, Hurricane Katrina damaged one of Textron’s facilities on the Gulf Coast. Although the organization had insurance, much of the significant cost required to rebuild the facility was not covered. This resulted in an effort to rationalize insurance coverage and began the process of considering business continuity as mitigation for some risks.

Continuing to develop business continuity risks is an additional area that the ERM function will address over the next 18 months. Until recently, Textron did not use formal business continuity management practices. While some areas, such as information technology, have disaster recovery processes, there is generally a narrow focus. For example, the IT function has processes in place to recover data and servers, but not entire structures and data facilities. To combat such concerns, the ERM function plans to address these risks in greater detail.

Supply chain risks will also receive more attention in the upcoming year. The organization plans to increase its evaluation of supply chain–related risks in each business unit. Every year, Textron’s board of directors requests more evaluation of supply chain risks, and the business units report difficulties in assessing suppliers and conducting product assessments. The ERM function is currently working with the business units to help them understand how to analyze suppliers in critical parts of the supply chain. Integrated risks, those that have a chain reaction within Textron business units, also will be addressed in the near future.

Figure 49 also shows the process improvements that will be addressed by the ERM team. Probing and challenging risk assumptions is a critical area for improvement.
Each year, Textron’s director of ERM conducts a review of key risks by business unit. Business units may receive comments or direction on how to expand on risks, new risks that should be added, or suggestions to reevaluate risk data.

Textron cites the support of key leadership for ERM as a critical success factor. The initial ERM activities were led by the CFO, which communicated the importance of the initiative. The commitment of senior management was instrumental in obtaining cultural buy-in for both Six Sigma and ERM. Because ERM was launched from existing Six Sigma efforts, there were fewer cultural barriers to adoption. Six Sigma also validated the ERM process and helped with buy-in. Accordingly, Textron cites attaching ERM to a standard design process within the organization as a critical success factor.
Figure 49: Textron’s 18-Month ERM Outlook (2008–2009)

Process improvement targets:
• Incorporate E&C risk assessment reporting into ERM
• Lean quarterly risk reporting process
• AOP/strategy tighter integration
• Probing and challenging risk assumptions
• In-depth annual risk refresher
• Two-way benchmarking

Risk improvement targets:
• Macro-economic risks: evaluated enterprise-level risks that must be evaluated through scenario planning
• M&A risks: integrated to use ERM risk analysis tools
• Climate change risks: assess risk and develop strategy
• Insurance: update risk exposure from mitigations for physical property review (w/ ins.)
• Business continuity risks: report revised risk exposure combined from 12 high-priority BCPs
• Supply chain risks: increase evaluation of supply chain–related risks at each business unit
• Integrated risks: renew risks that have a “chain reaction” within Textron business units

The use of an operating committee in lieu of a traditional risk committee was also vital to success. Textron’s leaders felt strongly that the ERM function should report directly to risk owners in key business units. This lets the organization communicate risk information directly to individuals who have the ability to act on it, which enables ERM to have a greater impact across the organization.

The use of a report card helps promote accountability; by monitoring the report card, the organization ensures that risks are tracked and properly addressed. As noted, the report card is embedded into the quarterly reporting process and shows which business units and councils are participating in risk activities. If a business unit is not participating, then executives will usually call business-unit leaders and question their lack of involvement.
This approach helps increase involvement and accountability.

The following list summarizes additional lessons learned during Textron’s ERM journey:
• ERM is a process, not a project.
• Management owns the risks, and the ERM function drives the process.
• Risk assumptions have finite accuracy regarding impact and likelihood and are not critical to the process.
• Management must be engaged in regular risk discussions.
• Value is realized when the ERM process motivates beneficial actions that would not have otherwise occurred.
• Tangible benefits must be achieved from ERM to justify the program’s existence.
• ERM will never eliminate all risks and exposures.
• The support of the board of directors is important to ongoing success.

Organizations that take note of these lessons learned will be in a strong position to establish effective ERM programs.