Risky Business II:
Enterprise Risk Management as a
Core Management Process

Contents
4 Sponsor and Partner Organizations
A listing of the sponsor organizations in this study, as well as the
best-practice (“partner”) organizations that were benchmarked for
their efforts in enterprise risk management.
5 Executive Summary
A bird’s-eye view of the study presenting the study focus, the methodology
used throughout the course of the study, key findings, and a profile of
participants. The findings are explored in detail in the following sections.
11 Study Findings
An in-depth look at the findings of this study. The findings are supported
by quantitative data and qualitative examples of practices employed by
the partner organizations.
53 Partner Organization Case Studies
Background information on the partner organizations and their
innovative practices in enterprise risk management.
Sponsor and Partner Organizations

Sponsor Organizations
CHRISTUS Health
El Paso Corporation
Lloyd’s Register Group
Marathon Oil Corporation
Public Service Enterprise Group (PSEG)
U.S. Army, ARDEC
U.S. Coast Guard
U.S. Department of the Navy
Visa Inc.
Partner Organizations
American Electric Power (AEP)
Fonterra Cooperative Group Limited
The Hartford Financial Services Group Inc.*
Microsoft Corporation
New York Independent System Operator (NYISO)
Textron Inc.
* This organization participated as a data-only partner.
Executive Summary

In today’s global business environment, leaders of organizations must deal
with a myriad of complex risks, many of which carry potentially substantial
consequences. Stakeholders demand that these leaders employ methodologies to
uncover the risks embedded in any given opportunity as well as the risks inherent
in ongoing business operations. Many businesses are implementing enterprise risk
management (ERM) as a program to improve the identification, assessment, and
management of risks across internal silos.
Although ERM is a relatively young management discipline, this consortium
benchmarking study has identified five organizations with advanced ERM programs.
The report you are about to read describes how the leaders of these organizations
implemented ERM across business units and embedded ERM in core management
processes to improve decision making. Throughout the report, APQC offers
valuable insights on developing strategic risk management processes and fostering
a risk-conscientious culture. These two components are essential for establishing
an effective ERM program and are emphasized in other leading evaluations, such
as Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to
Corporate Ratings (2008).
— William G. Shenkir, a special adviser on
this consortium benchmarking study
Research indicates that strategy execution continues to challenge many companies
where executives are faced with new and more potent risks. While working on
APQC’s two ERM studies in 2006 and 2008, I have observed that the ERM body
of knowledge and the application of strategic risk management frameworks are still
maturing. There are, however, best-practice partner organizations illuminating the
path for the rest of us, and I am extremely grateful to them. Our hope is that this
study will help your organization improve its ability to identify, mitigate, manage, and
report on ERM in a valued manner.
— Bob E. Paladino, a special adviser on
this consortium benchmarking study
STUDY SCOPE
The organizations selected for deep, detailed study through structured data
collection and site visits (referred to throughout the report as “best-practice
organizations” or “study partners”) demonstrate innovative performance in one or
more of the following study focus areas:
1. optimizing the ERM organizational structure;
2. identifying, implementing, and maintaining supporting ERM methodologies;
3. using ERM for effective decision making; and
4. using ERM for performance improvement.
The goal of this study was to examine organizations that excel in one or more
aspects of the study scope and to aggregate the best practices from all the
organizations studied. To achieve this goal, the APQC study team identified potential
best-practice partners that demonstrated excellence and a history of success in
the four scope areas. Project sponsors then selected the final list of partners from
among the candidates.
OVERVIEW OF FINDINGS
The study team discovered 10 principal findings from studying the best-practice
organizations. These findings have been organized into the following chapters, which
map closely to the study scope. Each chapter explores key findings and supports
them with brief examples from the study partners; additional details on the best-
practice organizations can be found in their respective case studies at the end of
this report.
Chapter 1: Optimizing the ERM Organizational Structure
1. Best-practice organizations establish clear structures for ERM involving
executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of
critical risks.
Chapter 2: ERM Support Tools and Methodologies
4. Best-practice organizations use a variety of methodologies to identify, assess,
aggregate, and report risks.
5. Currently, the technology of choice for ERM among the partner organizations
is Microsoft Office.
Chapter 3: Using ERM for Effective Decision Making
6. A focus on risk management creates a culture of informed risk takers.
7. Risk information must be effectively communicated across the enterprise in
order to influence decision making.
Chapter 4: Using ERM for Performance Improvement
8. Effective risk management is evaluated as an organizational key
performance indicator.
9. Best-practice organizations use risk management as an individual
performance indicator.
10. Evaluation of ERM effectiveness is in the early stages of maturity.
Chapter 5: The “Essentials” of ERM
This chapter details lessons learned and critical success factors for effectively
managing enterprise-wide risks.
STUDY METHODOLOGY
Developed in 1993, APQC’s consortium benchmarking study methodology (Figure 1)
serves as one of the world’s premier methods for successful benchmarking. It was
recognized by the European Center for Total Quality Management in 1995 as first
among 10 leading benchmarking organizations’ models. It is an extremely powerful
tool for identifying best and innovative practices and for facilitating the actual
transfer of these practices.

Figure 1: APQC’s Benchmarking Model: The Four-Phased Methodology

Phase 1: Plan
The planning phase of the study began in fall 2007. During this phase, APQC
conducted secondary research to help identify innovative organizations that might
participate as study partners. In addition to this research, APQC staff members
and the subject matter experts identified potential participants based on their own
firsthand experiences, research, and sponsor recommendations. Each recognized
organization was invited to participate in a screening process. Based on the results
of the screening process, as well as each organization’s capacity or willingness
to participate in the study, a final list of nine potential partner candidates was
developed.
A study kickoff meeting was held in April 2008, during which the sponsors refined
the study scope, gave input on the data collection tools, and selected the study
partners at which they would most like site visits to be conducted. Finalizing the
data collection tools and piloting them within the sponsor group concluded the
planning phase.
Phase 2: Collect
Three tools were used to collect information for this study:
1. screening questionnaire—qualitative and quantitative questions designed to
identify best practices within the partner organizations;
2. detailed questionnaire—quantitative questions designed to collect objective,
quantitative data across all participating organizations; and
3. site visit guide—qualitative questions that parallel the areas of inquiry in the
detailed questionnaire, which serves as the structured discussion framework
for all site visits.
Along with the nine sponsor organizations, five best-practice partners completed
the detailed questionnaire: American Electric Power, Fonterra Cooperative Group
Limited, The Hartford Financial Services Group Inc. (a data-only study partner),
Microsoft Corporation, and Textron Inc. Four of these five organizations also hosted
site visits, and study partner New York Independent System Operator hosted a fifth
site visit.
The APQC study team prepared a written report (case study) of each site visit
and submitted it to the partner organization for approval or clarification. The case
studies are included at the end of this report.
Phase 3: Analyze
The subject matter experts and APQC analyzed the quantitative and qualitative
information obtained through the data collection tools. Analysis concentrated on
examining the challenges that organizations face in the four study focus areas.
The analysis of the data, as well as case examples based on the site visits, is
contained in this report.
Phase 4: Adapt
Adaptation and improvement, stemming from identified best practices, occur after
readers apply key findings to their own operations. APQC staff members are
available to help create action plans appropriate for readers’ organizations.
PARTICIPANT BACKGROUND
Figure 2 describes the industry distribution of the best-practice partners that
responded to the detailed questionnaire.
Figure 2: Industry Representation of Partner Organizations (percentage of partners):
Telecommunications/Utilities 20%; Aerospace/Defense 20%; Insurance 20%;
Food and Beverage 20%; Information Technology/Computer 20%.
SUBJECT MATTER EXPERTISE
Bob Paladino, CPA, Founder, Bob Paladino Associates, LLC
Bob Paladino is the founder of Bob Paladino Associates and a former executive and
long-time implementation practitioner in the corporate performance management
(CPM) field. His firm advises boards of directors and executives and offers CPM
services. Formerly a leading consultant for PricewaterhouseCoopers and Towers
Perrin, Paladino has been published in leading journals and is among the highest-rated
speakers at corporate and industry events such as FEI, ASMI, and CFO Rising.
William G. Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus,
University of Virginia
Bill Shenkir served on the faculty of the University of Virginia’s McIntire School of
Commerce for almost 40 years and as dean from 1977 to 1992. He continues to
consult and do research on ERM. Shenkir has published more than 50 articles and
edited/co-authored eight books, three of which focus on ERM. He served on the
staff of the FASB, as president of the AACSB, on numerous professional committees,
and on three corporate boards. He has received the IMA’s Virginia Outstanding
Educator Award and was recognized by students as one of the 10 University
Distinguished Professors in the 1997 Corks and Curls.
ABOUT APQC
A recognized leader in benchmarking, knowledge management, measurement, and
quality programs, APQC helps organizations adapt to rapidly changing environments,
build new and better ways to work, and succeed in a competitive marketplace.
For more than 30 years, APQC has identified best practices, discovered effective
methods of improvement, broadly disseminated findings, and connected individuals
with one another and with the knowledge, training, and tools they need to succeed.
APQC is a member-based nonprofit serving more than 500 organizations around
the world in all sectors of business, education, and government. Learn more about
APQC by visiting www.apqc.org or calling 800-776-9676 or +1-713-681-4020.
ABOUT IBM GLOBAL BUSINESS SERVICES
With consultants and professional staff in more than 160 countries, IBM Global
Business Services is the world’s largest consulting services organization. IBM
Global Business Services provides clients with business transformation and
industry expertise, as well as the ability to translate that expertise into integrated,
responsive, innovative business solutions and services that deliver bottom-line
business value. IBM Global Business Services offers industry-leading transformation
consulting skills and delivery capabilities across a range of areas, including human
capital management, financial management, customer relationship management,
R&D management, supply chain management, and strategy and change. For more
information, visit www.ibm.com.
IBM Global Business Services’ Financial Management practice focuses on enabling
enterprise innovation and performance through improved finance organization
efficiency and effectiveness. With more than 4,000 practitioners, Financial
Management has a full suite of end-to-end capabilities to address a client’s
challenges. Its capabilities include finance transformation, finance operations
improvement, business performance management, business risk management, and
finance enterprise applications.
Study Findings
13 Chapter 1 Optimizing the ERM Organizational Structure
23 Chapter 2 ERM Support Tools and Methodologies
31 Chapter 3 Using ERM for Effective Decision Making
41 Chapter 4 Using ERM for Performance Improvement
49 Chapter 5 The “Essentials” of ERM
Chapter 1
Optimizing the ERM Organizational Structure
Risk management has evolved significantly since APQC published its initial
report on the subject, Risky Business: Employing Risk Management to Sustain
Growth, Mitigate Threats, and Maximize Shareholder Value. When research was being
conducted for that report in 2006, many organizations had long histories of deploying
risk management for specific risks such as insurance and audits, but true enterprise
risk management was a fairly new endeavor. Few participants in the 2006 study had
well-established ERM approaches—in fact, half of the ERM programs examined were
only three to five years old. However, organizations were beginning to recognize the
importance of an enterprise-wide approach to risk due to factors such as:
• the increased volatility of markets driven by competition, globalization,
and technology;
• an enhanced focus on the tradeoffs among achieving financial, customer-,
process-, and people-oriented results; and
• changes in regulatory oversight, from deregulation in the utility and telecom
industries to recent legislation such as the Sarbanes-Oxley Act (SOX).

The best-practice partners examined in our most recent study reflect this ongoing
evolution from more limited, silo-based risk strategies toward enterprise risk
management. Four of the five best-practice ERM programs have existed in their current
states for less than three years, and the remaining program for less than five years.

According to APQC’s past and current research, organizations at the level of ERM
maturity demonstrated by the best-practice partners have integrated enterprise risk
management into their strategic planning processes and analyze the likelihood and
impact of risks across the enterprise, as opposed to relying on an isolated approach
where they merely react to events. This report explores how best-practice
organizations achieve this level of maturity and plan for continuing development.
To that end, the report details how the best-practice partners ensure that ERM is
treated as a core management process. It also examines optimal ERM organizational
infrastructures, effective support methodologies, how ERM can influence key
decisions, and how an enterprise view of risk can improve overall performance.

Chapter 1 Key Findings
1. Best-practice organizations establish clear structures for ERM involving
executive-level support.
2. Senior leaders understand the impact of risk information.
3. A holistic approach to risk management enables improved understanding of
critical risks.

“ERM is a strategic and dynamic process that all our employees have a stake and
ownership in to implement. In its ideal state, ERM should identify business process
improvement and risk mitigation opportunities, be they physical, financial, or
cultural.”
— Wayne Bailey, director of risk, compliance, and quality management, NYISO

THE BUILDING BLOCKS OF ERM: ORGANIZATIONAL STRUCTURES
Best-practice organizations establish clear structures for ERM involving
executive-level support.
The best-practice organizations in this study have established clear roles and
responsibilities for deploying and overseeing their ERM initiatives. They also have
executive sponsors in place to support the continued maturation of ERM efforts.
Figure 3 and Figure 4 provide an overview of ERM process ownership at the
best-practice partner organizations. Most of the study partners have assigned core
functions to oversee ERM activities as well as C-level executives to act as ERM
executive sponsors. According to representatives from these organizations, clear
ownership and reporting structures are crucial to communicating the importance
of risk management to the work force.
Figure 3: Who Provides Executive Sponsorship for ERM? (n=5; partners were asked to
select all options that apply, so percentages are frequency of response)
Core ERM group: 20%
Chief risk officer (CRO): 20%
CEO team: 40%
CEO direct report: 40%
CEO: 0%
Board of directors, subcommittee: 40%
Board of directors: 20%
Other (chief operating officer (COO); chief financial officer (CFO)): 40%

Figure 4: Who Is Responsible for Deploying and Overseeing ERM? (n=5; partners were
asked to select all options that apply, so percentages are frequency of response)
Core ERM group: 60%
CRO: 20%
CEO team: 0%
CEO direct report: 20%
CEO: 0%
Board of directors, subcommittee: 0%
Board of directors: 0%
Other (vice president of internal audit; COO): 40%
As you can see from Figures 3 and 4, the partner organizations employ diverse
reporting structures for ERM. The study did not reveal a one-size-fits-all approach.
However, all the partners effectively support the executive-level positioning of ERM
through senior committees and other change agents.
Figure 5 depicts the ERM reporting structure at Fonterra, a best-practice partner in
both the 2006 study and the current study. In 2006, Fonterra split its global
assurance function into audit and risk, with two different reporting lines to the office
of the chief financial officer (CFO). The organization integrated its ERM process into
business strategy and planning; the ERM function now interacts with insurance brokers
and leverages employees within the business units who are engaged in risk assessments.
Figure 5: Fonterra’s Risk Reporting Structure. The chart places an enterprise risk
manager at the top; roles shown beneath it include an insurance manager (working
with brokers on claims, insurance, the captive, risk management, and risk
engineering), a manager of business risk assessment, a risk assessment manager
(contract), a business continuity manager, a risk management administrator, an
injury management manager, a risk administrator, and claims administrators.
ERM responsibility:
• ERM program
• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives
and the board (including the top 20 risks)
• Business interruption evaluation
• Business continuity planning and crisis response planning
• Insurance program (strategy, policies, placement, and reporting)
• Claims management and administration
• Financial aspects of accident compensation
• Other risk management activities including contract risk, security, etc.
Fonterra’s ERM function is responsible for managing the ERM program, monitoring
and reporting key risk information, evaluating business interruptions, and carrying
out business continuity planning. The ERM function also manages insurance
programs, claims management, financial aspects of accident compensation, and
various other risk management activities such as contract risk and security.
To influence behaviors and reinforce the importance of ERM in its culture, Fonterra
gave its business units a defined role in ERM. The organization expects business units
to manage risks and promote certain behaviors by:
• identifying downside risks and upside opportunities for the business,
• serving as expert witnesses with deep knowledge of operations to assess
risk magnitude,
• mitigating risks and monitoring emerging risks,
• collecting and reporting risk data to the ERM function for aggregation,
• enforcing compliance with risk mitigation procedures among business-unit
personnel, and
• making sure that processes are in place and that costs arising from
implementation strategies are planned for and budgeted.
At Textron, the ERM function reports to the vice president of audit, who
reports directly to the organization’s board of directors. The business continuity
management function also reports to the vice president of audit; in addition,
both functions report to an operating committee comprising key managers and
leaders from all Textron business units. The ERM function reports to the operating
committee instead of a traditional risk committee so that it can communicate
directly with the business-unit owners. This structure has enabled risk reporting to
have a greater impact across the organization.
At American Electric Power (AEP), ERM is centrally managed, but key reporting
responsibilities are held at the business-unit level. The name of AEP’s enterprise
risk organization—enterprise risk oversight (ERO)—is intended to emphasize the
group’s role: Whereas ERO oversees risks across the organization, the individual
business functions are responsible for risk management process execution. In
accordance with this structure, funding for risk management is incorporated into
business-unit budgets.
Figure 6 depicts the risk management structure at AEP. As shown, risk management
involves all levels of the organization.
Figure 6: AEP’s Risk Reporting Structure
AEP’s ERM policy sets the governance structure, roles, and responsibilities.
• Audit Committee: summary report provided to the board audit committee
• Risk Executive Committee (REC): strategic focus for monthly REC meetings
• Enterprise Risk Oversight Function: independent oversight function
• Functional Unit Management: management of risks
Microsoft’s risk reporting structure centers on four risk “pillars”: strategy, finance,
operations, and legal/compliance (Figure 7). Each pillar is supported by a
committee and an executive sponsor responsible for coordinating the overall
program approach developed by the Office of ERM. This structure is complemented
by the efforts of individuals and groups in specific business units and functions
where risk management specializations already existed prior to the implementation
of an enterprise-wide approach.
Figure 7: Microsoft’s Risk Reporting Structure
Enterprise Risk Office (ERO) - Virtual Organizations
The Office of Enterprise Risk Management is sponsored by the vice president of internal
audit and supported by the director of ERM leading and executing the overall program
approach. The ERM effort is being coordinated virtually across the organization including
four risk committees (pillars) each with their respective executive sponsors.
Board of Directors: Audit and Finance Committee(s)
Enterprise Risk Office: Executive Sponsor, VP of Internal Audit; Program Office, Director of ERM
Pillars and their members:
• Strategic: Chief Executive Officer; VP of Corporate Strategy; Director of Corporate Strategy
• Legal/Compliance: Chief Legal Officer; VP of General Counsel; Director of Compliance; Compliance Attorney
• Financial/Reporting: Chief Financial and Chief Accounting Officers; Sr. Director Compliance; Sr. Manager Compliance
• Operations: Chief Operating and Chief Information Officers; General Manager; Compliance Manager
FOLLOW THE LEADER: THE ROLE OF EXECUTIVES
Senior leaders understand the significant impact of risk information.
Executive-level support for ERM is a critical success factor for the best-practice
partners. Given their birds-eye views of the entire enterprise, senior leaders and
high-level committees are uniquely positioned to understand and oversee an
organization’s overall risk picture. What is the role of these leaders regarding ERM,
and how and why did this role develop? What is the value of their involvement in
ERM? The following examples detail senior leadership’s unusually high level of direct
involvement in ERM at the partner organizations.
At the New York Independent System Operator (NYISO), responsibility for ERM
resides within the organization’s risk, compliance, and quality management function.
The head of this function reports directly to the CEO and board of directors,
who were the organization’s original ERM champions. As ERM’s executive sponsor,
the CEO also acts informally as the chief risk officer. Additional risk management
responsibilities are spread throughout the organization. For example, the general
counsel is the chief compliance officer. Cyber and physical security risks fall within
the domain of the enterprise security function’s business continuity planning
department. A senior risk specialist is responsible for insurance program contracts,
structure, loss control, and reporting, as well as the administration of the ERM
process and national trends analysis related to the overall power generation and
distribution industry. This trend information is provided to the board and CEO.
Textron’s board of directors plays a significant role in ERM. Specifically, the board:
• sets ERM expectations,
• communicates that ERM is an integral part of the overall management and
governance structure,
• provides input and oversight for all aspects of ERM, and
• funnels concerns about specific risks into the ERM process.
At Fonterra, enterprise-wide risk strategy is based on board-level recognition that
the organization must effectively manage risk in order to grow and be successful.
Risk management is integrated across the organization and supported by senior
leaders, including the CFO and the chair of the board’s audit, finance, and risk
committee. In addition, ERM roles and responsibilities are cascaded down to the
specific business units.
A HOLISTIC VIEW
A holistic approach to risk management enables improved understanding
of critical risks.
Organizations that incorporate identified risks into strategic planning make better
decisions and are more likely to achieve their strategic objectives. But how do
organizations ensure that they understand their own risk universes and then
effectively leverage resources to mitigate risks? How do they confirm that all
relevant risks are included in their risk assessment processes? How do certain risks
offset one another?
Because these questions are central to the idea of ERM best practices, a key
objective of this study was to examine how organizations develop an understanding
of their own critical risks. The following examples illustrate some of the methods
used by the partner organizations.
The NYISO focuses on risks that fall into three broad categories: reliability
(resources and fuel costs/availability), markets (legislative/political, finance and
credit, and billing), and reputation (legal/regulatory issues and compliance). These
three categories are further broken down into 17 areas of risk that are leveraged
throughout the organization:
• infrastructure,
• resources,
• financial,
• compliance,
• execution,
• seams,
• credit exposure,
• press/media,
• security,
• billing,
• market design,
• regulator relations,
• market participants,
• fraud,
• retention,
• political climate, and
• market administration.
Risks aligning to these categories are tracked according to a hybrid framework that
combines those of the Risk and Insurance Management Society (RIMS) and the
Committee of Sponsoring Organizations of the Treadway Commission (COSO). The
NYISO uses matrix scales and heat maps that list each of the organization’s 17 risk
categories according to probability and impact. The list of risks changes periodically,
with new risks added and others replaced or subsumed under other categories.
Figure 8 illustrates how the NYISO defines its risks to facilitate strategic decision
making.
Figure 8: The NYISO’s Risk Rating Definitions

Impact scale (each tier is defined on three dimensions: reliability, impact to
markets, and reputation):
Low/No Impact
  Reliability: affects local reliability, non-mission-critical systems
  Markets: $0 to $100,000
  Reputation: small process/procedural errors that impact limited stakeholder segments
Some Impact
  Reliability: affects zones outside JK, non-mission-critical systems not operational
  Markets: $100,000 to $1 million
  Reputation: continuous mistakes in processes that affect stakeholders and indicate
  NYISO inability to correct
Serious Impact
  Reliability: affects zones JK, mission-critical systems affected
  Markets: $1 million to $5 million
  Reputation: NYISO fails to meet regulatory compliance issues/NYISO execution causes
  marked disruptions
Most Severe Impact
  Reliability: affects all of the state’s control area mission-critical systems
  Markets: in excess of $5 million
  Reputation: regulators, market participants, and media severely impugn NYISO
  reputation, with NYISO unable to influence outcome

Probability scale:
Improbable—unlikely to affect NYISO within one year
Possible—may affect NYISO within one year
Imminent—likely to affect NYISO within one quarter
Immediate—the risk presently affects NYISO
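The rating definitions in Figure 8 can be turned into a scoring routine that places each risk on a probability-by-impact heat map of the kind the text describes. The Python below is an added example written for this page, not the NYISO’s tooling: the four impact tiers, four probability tiers, and the dollar bands for market impact follow Figure 8, while the rule of taking the worst of the three impact dimensions, the 91-day and 365-day cutoffs used to turn a time horizon into a probability tier, the ranking rule, and the sample risk register are this example’s own assumptions.

```python
"""Rate risks on a NYISO-style impact/probability matrix and build a heat map.

Added example for this page (not NYISO code). Tier names and dollar bands come
from Figure 8; the combination rule, the day cutoffs, and the sample register
are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT_TIERS = ("Low/No", "Some", "Serious", "Most Severe")          # index 0..3
PROBABILITY_TIERS = ("Improbable", "Possible", "Imminent", "Immediate")

# Upper bound (dollars) of the first three "Impact to Markets" bands in Figure 8;
# anything above $5 million is Most Severe.
MARKET_BAND_UPPER = (100_000, 1_000_000, 5_000_000)


def market_tier(loss_dollars: float) -> int:
    """Tier 0..3 for a dollar loss according to the Markets column of Figure 8."""
    if loss_dollars < 0:
        raise ValueError("loss must be non-negative")
    for tier, upper in enumerate(MARKET_BAND_UPPER):
        if loss_dollars <= upper:
            return tier
    return 3


def probability_tier(days_until_impact: Optional[int]) -> int:
    """Tier 0..3 from a time horizon, following the wording of Figure 8.

    Figure 8 gives no numeric cutoffs beyond "one quarter" and "one year", so
    the 91-day and 365-day boundaries are this example's assumption. None means
    the risk is not expected within a year.
    """
    if days_until_impact is None or days_until_impact > 365:
        return 0          # Improbable
    if days_until_impact <= 0:
        return 3          # Immediate: presently affecting the organization
    if days_until_impact <= 91:
        return 2          # Imminent: within one quarter
    return 1              # Possible: within one year


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                    # one of the NYISO's 17 risk areas
    reliability: int                 # 0..3, assessed against the Reliability column
    reputation: int                  # 0..3, assessed against the Reputation column
    market_loss: float               # estimated dollar impact on markets
    days_until_impact: Optional[int]


def impact_tier(risk: Risk) -> int:
    """Overall impact is the worst of the three dimensions.

    Figure 8 defines the three columns separately; combining them with max()
    is this example's rule, not a rule stated in the report.
    """
    for value in (risk.reliability, risk.reputation):
        if not 0 <= value <= 3:
            raise ValueError(f"{risk.name}: tier out of range")
    return max(risk.reliability, risk.reputation, market_tier(risk.market_loss))


def rate(risk: Risk) -> Tuple[int, int]:
    """(impact tier, probability tier) for placement on the heat map."""
    return impact_tier(risk), probability_tier(risk.days_until_impact)


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Cells keyed by (impact, probability); every cell is present, possibly empty."""
    cells: Dict[Tuple[int, int], List[str]] = {(i, p): [] for i in range(4) for p in range(4)}
    for risk in risks:
        cells[rate(risk)].append(risk.name)
    return cells


def prioritize(risks: List[Risk]) -> List[str]:
    """Worst first: highest impact+probability, ties broken by impact, then name."""
    return [r.name for r in sorted(risks, key=lambda r: (-sum(rate(r)), -impact_tier(r), r.name))]


def render(risks: List[Risk]) -> str:
    """Plain-text grid with Most Severe on top and Immediate on the right."""
    cells = heat_map(risks)
    width = 14
    lines = ["impact \\ prob".ljust(width) + "".join(p.ljust(width) for p in PROBABILITY_TIERS)]
    for i in reversed(range(4)):
        row = IMPACT_TIERS[i].ljust(width)
        for p in range(4):
            row += (",".join(cells[(i, p)]) or "-").ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample register (illustrative values, not NYISO data).
SAMPLE_RISKS = [
    Risk("market-system intrusion", "security", 2, 2, 2_500_000, 200),
    Risk("settlement error", "billing", 0, 1, 50_000, 30),
    Risk("fuel constraint", "resources", 3, 1, 750_000, None),
    Risk("audit finding", "compliance", 0, 2, 0, 0),
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    print("priority order:", prioritize(SAMPLE_RISKS))
```

Run it directly to print the grid and the priority order. The ranking in prioritize() (sum of the two tiers, then impact) is one reasonable choice; an organization applying Figure 8 would substitute whatever ordering its risk committee has agreed on, and the per-dimension tiers would come from the assessments the text describes rather than from literals.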
At Fonterra, the organization has defined the purpose of ERM in order to articulate
the why and how of enterprise risk. For example, Fonterra identifies “assist” as a key
ERM activity: This refers to assisting the financial success of the business by providing
a forum and methodology for evaluating and prioritizing potential risk improvement
opportunities and understanding their financial and other impacts.
Additionally, Fonterra is establishing risk champions within each key business. Risk
champions will spend several days in risk assessment workshops designed to help
individuals identify and manage key business risks. Risk champions will also become
business liaisons to the risk function. Fonterra assesses risks using a database that,
in turn, populates the organization’s risk profiling report. The database and report,
which are discussed further in Chapter 2, illustrate the types of data fields that
reporting employees must complete in order for the ERM function to accurately
assess high and significant risks.
According to Textron, every risk is quantifiable. The organization’s ERM function
works closely with the business units to determine costs for specific risks. In some
cases, the organization estimates a range to illustrate best- and worst-case scenarios,
and each risk cost is factored into an overall cost average.
A coordinator for each business unit works directly with the ERM function to
ensure that Textron has a clear view of critical risks. In addition to spending 10 to
14 hours each quarter coordinating risk information, these individuals help subject
matter experts in their business units and councils compile and assess risk data. The
primary benefit of this structure is that it brings together experts who understand
the risks with risk coordinators who understand the process; rather than training
a large number of employees on ERM, Textron aims to keep risk management
intelligence flowing between ERM coordinators and the ERM function.
Textron uses an ERM input tool to capture key risk data. For each risk, ERM
coordinators help subject matter experts collect data in five key categories:
1. basic risk information—such as title, description, failure mode, and cause;
2. gross risk information—the cost of the risk event and the probability of
occurrence (in annual terms) if no mitigations were in place;
3. current risk information—the cost of the risk event and the probability of
occurrence (in annual terms) with all current mitigations in place;
4. decision—whether or not further action is required; and
5. expected risk—details on impact and likelihood.
Data from this input tool is entered into an Excel spreadsheet that can be tracked
and used for reporting purposes. The spreadsheet is color-coded so that, if the
“decision” category indicates that further action is required, then the risk is
automatically highlighted in red.
AEP divides risks into two categories: monitored risks and high-impact risks.
Monitored risks are generally easier to quantify and have governing policies focused
on limits and controls. These risks are monitored for status changes and to ensure
that the controls in place are working. By contrast, potential high-impact risks
are more difficult to quantify. High-impact risks are often operational or physical
risks and are typically addressed by programs, rather than limits. In general, these
risks would have an impact on one or more monitored risks. AEP’s risk executive
committee, which is made up of senior executives who manage a significant amount
of risk for the organization, focuses its discussions on high-impact risks.
As previously mentioned, AEP’s functional units are responsible for analyzing,
assessing, managing, and mitigating their own risks. Functional units provide monthly
risk reports that include risk information such as metrics (where possible), current
status, trends, strategy and mitigation, and emerging risk areas. These reports are
reviewed by the enterprise risk oversight function, which then prepares a high-
level summary for the risk executive committee. Reports from functional units are
compiled in a binder that is provided to all risk executive committee members prior
to each meeting. This enables committee members who want more detail to read
about specific risks prior to the meeting and come prepared with questions. The
high-level summaries are also reviewed by the board audit committee, which sits at
the top of AEP’s organizational structure for ERM.
Risks reported to the risk executive committee cover a very broad range of issues;
some are quantifiable, but others are not. Also, because risks change over time,
AEP continuously revises the list of reported risks. Some risks are reported on a
long-term basis, whereas others are reported for several months and then removed
from reporting.
CONCLUSION
The best-practice partners featured in this report have created ERM organizational
structures that facilitate fluid collaboration around risk management. Involvement
and support from senior leaders convey the value of managing risk to the rest of
the organization. By combining an infrastructure that places high visibility on risk
management with senior leaders that understand the importance of effectively
identifying and assessing risks, the best-practice organizations ensure that strategic
objectives will be met. Partners emphasize that ERM must be viewed holistically in
order for organizations to properly identify, aggregate, and assess all types of risk and
then incorporate the results of their analyses into strategic decision making.
Research Champion Perspective from IBM Global Business Services
Optimizing the ERM Organizational Structure
This study clearly shows that there is no “best” way to structure and manage an ERM program. But as we reflect on
the different organization structure approaches taken by the best-practice partners, a couple of observations come to
mind, particularly in light of recent IBM research in this area.
The first is the role of the “risk manager,” a title used in many organizations and throughout the literature on ERM.
The second is the linkage of risks to business processes and the associated management responsibilities and
performance measurements, a topic we will discuss further in our Research Champion Perspective for Chapter
4 of this report. Importantly, we see these two points as intrinsically linked through the convergence of risk and
performance management.
In organizations and structures where the ERM function is stand-alone and tasked with risk management
(as opposed to policy and process formulation), the risk manager typically owns the risks and mitigation solutions.
For example, a supply chain risk manager may be expected to “gain a clear understanding of the supply chain process,
its key exposures and values, and to develop a plan to minimize the adverse effects of the identified exposures on
the organization.”1 In such a structure, the risk manager must identify, assess, and manage the risks that might impact
that process.
But where does this approach leave the supply chain manager, the individual who owns the underlying process and is
responsible for the supply chain team? How does he or she manage the process and resolve issues, pro- or re-actively?
If there is a failure (i.e., a risk event) in the supply chain, who is responsible for (1) its resolution, (2) its mitigation, and
(3) its performance implications? Put very bluntly, where does the buck stop, and which performance metric will
be affected?
Our view is that business process owners should own the responsibility for risk management as a core part of their
day-to-day management responsibilities. In this way, they can assess risks and alternatives with full understanding of the
short- and long-term impacts of those options and make the most appropriate trade-offs for success of the process.
On the other hand, a stand-alone risk manager might accept/avoid/mitigate risks which need not be so handled given
the alternatives available to the process owner.
But do not construe this perspective as a rejection of the role of the risk manager: He or she has a key role as an
adviser to the process owner, acting in much the same manner as a financial, human resources, or information systems
expert would. The risk manager should establish the risk management process, ensure its appropriate execution—
including a reporting line to executive management if the process is not followed—and advise the process owner of
alternative strategies.
This is a key role required by every enterprise, but one that still leaves decision-making responsibility in the hands of
process and business owners, thereby supporting a more effective performance measurement assessment structure.
1 Ron Stokes. “Understanding Supply Chain Risk.” Risk Management, August 2008 (www.rmmag.com).
Chapter 2
ERM Support Tools and Methodologies
Two of the most pressing concerns for organizations implementing ERM
initiatives are: “What is the process for identifying and assessing risks?” and
“How do you roll out risk management across an enterprise?” To answer these
questions, this report explores the steps that best-practice organizations have taken
to integrate risk management into the way they work.
Whereas Chapter 1 focused on the best-practice partners’ organizational
infrastructures, this chapter details the methodologies and tools that partners use to
identify, assess, monitor, and report enterprise-wide risks.
Chapter 2 Key Findings
1. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.
2. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.
A METHOD TO THE MADNESS
Best-practice organizations use a variety of methodologies to identify,
assess, aggregate, and report risks.
The study participants leverage many different techniques to assess risks and
collect and report risk information; for the most part, this diversity reflects the
organizations’ unique work approaches. However, one commonality among the
best-practice partners is that they all make distinctions between ownership of
a specific risk and facilitation of the ERM process. Most partners rely on a
combination of risk maps, scenario analysis, Microsoft Office applications, and
home-grown software to aggregate and identify key risk categories (Figure 9, page 24).
When organizations can catalog and pinpoint significant risks, they are better able
to ensure that those risks are thoroughly understood, closely tracked, and
periodically reviewed.
To capture key risk data, Textron uses an ERM input tool based on failure mode
effects analysis (FMEA).2 Data from this input tool is entered into an Excel
spreadsheet for reporting purposes and color-coded to indicate whether or not a
risk requires further action.
2 APQC defines FMEA as “a well documented, proven technique commonly used to evaluate the risk for failures in product and process designs” (2007).
Technologies, Applications, Techniques, and Methodologies Used for ERM
Partners were asked to select all options that apply to their organizations (n=5; frequency of response).
Risk maps: 60%
Bowtie diagrams: 0%
Failure mode effects analysis (FMEA): 40%
Influence diagrams: 0%
Risk registers: 40%
Scenario analysis: 60%
Fault tree/event tree: 20%
Off-the-shelf application: 40%
Home-grown application: 60%
ERP: 0%
MS Office: 80%
Other: 0%
Figure 9
The spreadsheet data populates risk radars (Figure 10, page 25), which highlight
Textron’s significant risks and associate those risks with dollar amounts related to
net operating profits. Risk radars track gross risk and are color-coded to indicate
whether further action is required; risks are graphed so that the likelihood of a risk
occurring in the next year is represented on the X-axis and annual net operating
profit is represented on the Y-axis. For example, Risk A in Figure 10 was initially
estimated at approximately $2 billion, but through mitigation and control efforts,
that exposure was reduced by about half. However, since the level of exposure is
still considered unacceptable, Risk A is depicted as a box, indicating that further
action is required. Throughout Textron’s risk radars, embedded links guide users to
more detailed information from the risk database.
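The Textron input tool (the five data categories listed in Chapter 1) and the risk radar just described can be worked through as a small quantified risk register. This is an added example, not Textron’s own tool or spreadsheet; the risk owners follow the sample data in Figure 10, while the failure modes, causes, costs and annual probabilities are constructed for illustration.

```python
"""Quantified risk register in the shape of the Textron ERM input tool:
gross vs. current cost and annual probability, a decision flag, and the
risk-radar view (likelihood on X, annualized NOP exposure on Y).
Added example; not Textron's code."""
from dataclasses import dataclass


@dataclass
class RiskRecord:
    # 1. basic risk information
    title: str
    owner: str
    failure_mode: str
    cause: str
    # 2. gross risk: cost and annual probability if no mitigations were in place
    gross_cost: float
    gross_probability: float
    # 3. current risk: cost and annual probability with all current mitigations
    current_cost: float
    current_probability: float
    # 4. decision: whether further action is required
    further_action_required: bool

    def __post_init__(self) -> None:
        # Probabilities are stated in annual terms and must be a valid fraction.
        for p in (self.gross_probability, self.current_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.title}: annual probability {p} outside [0, 1]")

    # 5. expected risk: impact multiplied by likelihood, in dollars per year
    def gross_expected_loss(self) -> float:
        return self.gross_cost * self.gross_probability

    def current_expected_loss(self) -> float:
        return self.current_cost * self.current_probability

    def mitigation_effect(self) -> float:
        """Fraction of the gross expected loss removed by the mitigations in place."""
        gross = self.gross_expected_loss()
        return 0.0 if gross == 0 else 1.0 - self.current_expected_loss() / gross

    def highlight(self) -> str:
        """Spreadsheet colour: red when the decision says further action is required."""
        return "red" if self.further_action_required else "none"

    def radar_points(self) -> dict:
        """Radar coordinates, X = likelihood in the next year, Y = annualized NOP
        at risk, for the gross (initial) and current positions. The marker is a
        box when further action is required, otherwise a dot."""
        return {
            "gross": (self.gross_probability, self.gross_cost),
            "current": (self.current_probability, self.current_cost),
            "marker": "box" if self.further_action_required else "dot",
        }


def register_summary(register: list) -> dict:
    """Aggregate view for the ERM function: total annualized exposure before and
    after mitigation, plus the risks still flagged, largest current exposure first."""
    flagged = sorted(
        (r for r in register if r.further_action_required),
        key=lambda r: r.current_expected_loss(),
        reverse=True,
    )
    return {
        "gross_expected_loss": sum(r.gross_expected_loss() for r in register),
        "current_expected_loss": sum(r.current_expected_loss() for r in register),
        "further_action": [r.title for r in flagged],
    }


# Constructed sample data modelled on Figure 10: Risk A was first estimated at
# about $2B and halved by mitigation but is still flagged; Risk B is accepted.
SAMPLE_REGISTER = [
    RiskRecord("Risk A", "Crisis Management", "loss of a key site", "natural disaster",
               gross_cost=2_000_000_000, gross_probability=0.20,
               current_cost=1_000_000_000, current_probability=0.20,
               further_action_required=True),
    RiskRecord("Risk B", "Finance Council", "covenant breach", "credit tightening",
               gross_cost=500_000_000, gross_probability=0.30,
               current_cost=140_000_000, current_probability=0.10,
               further_action_required=False),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.title, r.highlight(), f"{r.mitigation_effect():.0%}", r.radar_points())
    print(register_summary(SAMPLE_REGISTER))
```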
Textron’s Significant Risks Radar (sample data)
Radar axes: X = likelihood of occurrence (0% to 100%); Y = gross risk measured in annualized NOP ($0 to $2B). A dot marks a risk reduced to an acceptable level; a box marks a risk for which further action is required.
Risk | Risk Owner | Initial | Complete
A | Crisis Management | 1Q06 | TBD
B | Finance Council | 1Q06 | 1Q06
C | IMC | 1Q06 | 1Q06
D | TFC | 1Q06 | 1Q06
E | Bell | 1Q06 | 1Q06
F | Legal Council | 1Q06 | 1Q06
G | Bell | 1Q06 | 1Q06
H | Finance Council | 1Q06 | 1Q06
I | Finance Council | 1Q06 | 1Q06
J | Bell | 1Q06 | 1Q06
K | Kautex | 1Q06 | TBD
Figure 10
Fonterra uses a risk database to support risk assessment and evaluation across the
enterprise. Figure 11 (page 26) provides an example of how Fonterra presents
data captured during the risk assessment process. Although the figure contains only
sample data, it illustrates the types of data fields that must be completed in order
to accurately assess high and significant risks. For example, the reporting employee
must clearly define the context and objective of a given activity/process and then
identify the risks that could prevent the accomplishment of that objective. Each risk
is assigned an owner and a category, which allows the organization to aggregate
risks into groups. The forms include a representation of “inherent” risk in terms of
impact and likelihood displayed on a heat map, a review of controls to mitigate risks,
and a scoring of residual risks in terms of impact and likelihood displayed on a
heat map.
Figure 12 (page 27) depicts an example of Fonterra’s risk assessment report, which
provides an overview of risk by category. This data flows to the business units so
that decision makers can better understand key risks.
At the New York Independent System Operator (NYISO), risk identification and
reporting are the responsibility of the business units. Risk owners—those owning
the business processes—are expected to report known risks, their status, and
mitigation efforts on a monthly basis.
As part of establishing its ERM program, the NYISO mapped out every function and
process in the organization and then created an executive summary and supporting
report detailing each risk along with its triggers and status. The risk, compliance,
and quality management function updates this ERM report every month based on
business-unit-level reporting and mitigation efforts. Thus, the quality of the overall
ERM report depends on the accurate monitoring and reporting of risks by the
business units.
Fonterra’s Formal Risk Assessment Process
Risk Management Framework - Risk Profiling Report
Context/Objective: Guaranteed ability to process milk from shareholders
Risk: Reduced ability to supply milk to site for a period longer than 24 hours
Volatility: Increasing over time
Risk Owner: GM Milk Supply (Optional Entry Coding: not filled in)
Risk Category: Milk Collection and Transport (Optional Entry Process Coding: Operational)
INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls
Causal Factors: road closure from flood; road closure from landslip; loss of power to the site for milk transfer 24 hours
Expected Consequences/Impact: unable to receive all milk supplies; worst reasonable case estimate 50% loss of milk for 6 days following landslip
Potential Cost: NZ$1M - NZ$10M
Inherent Likelihood (1-10): 9
Inherent Consequence/Impact (1-10): 6
Inherent Risk Rating (potential business impact WITHOUT the benefit of controls): HIGH
Figure 11
The NYISO’s risk, compliance, and quality management function also summarizes
the larger ERM report in a four-page monthly risk report that is distributed to the
board of directors. These summaries detail immediate and pending risks for the
coming year along with mitigation efforts currently in place. Each summary includes
a risk matrix detailing probability and impact for specific risks as well as relative risk
over time and an aggregate scoring of risk factors. A reporting section highlights
looming national issues in the industry. Each month, the ERM staff selects and inserts
an article describing issues that affect the security of electricity markets in the
United States, North America, and around the globe.
At Microsoft, enterprise risk reporting occurs quarterly. The quarterly reports
include updates on ERM program status and progress made toward mitigating the
most critical risks facing the organization. Board presentations to a special session of
the combined audit and finance committees take place semiannually. The following
program principles help Microsoft execute on this reporting cycle.
• ERM is an enterprise-wide framework and program adaptable to existing risk
functions, division structures, and global geographies.
• ERM increases transparency of risk to the board, senior leadership, and
external stakeholders.
• ERM is integrated and embedded into corporate-wide processes so that risk
information can be leveraged for decision making.
• ERM enables bidirectional input and information sharing with key governance,
risk, and compliance (GRC) functions, such as Internal Audit, Windows Live
Security, Corporate Privacy Group, and Information Technology Risk.
Fonterra’s Risk Assessment Report
Risk Sub-Risk
Risk Areas
Category Category
Strategic Strategic Direction Operationalization of Strategy Stabilized Organization Structure Strategic Resource
Ethics Culture The Way We Work Knowledge Sharing Allocation
Reputation NZ International Image Supplier Land Management Empowerment
Strategic Partnerships BFL Farming Practices China Strategic Evaluation of Post Investment Reviews
DairiConcepts/DFA Soprole/DPA BFL/BSC New Business
DPA/Nestle Outsourcing
Investor Relations Payout Forecast Management Communications Shareholder Council Capital Availability Redemption
RDI
Innovations Product Market Process GE
Risk Management Implementation of Risk Project Interface
Change Initiatives/ Management Framework
Transformation Jedi
Market Economic/Geopolitical Economic Downturn Political Instability/Sovereign Credit Risk
Political/Regulatory Trade Access Quotas Risk Acquisition Approval
Competitors Industry Structure Product Specification Duties Emerging Competitors Product Substitution
Financial Financial Markets/Cost of Debt Competitor Strategy/Spend Commodity Prices
Distributors Retail Channel Structure Capital Fund Raising
Consumers Consumer Trends Social Trends Demand Uncertainty Customer Satisfaction
Operational SOP Management Demand Forecasting Supply Forecasting Production Planning Logistical Planning IP Protection
Marketing Innovation Product Innovation RD Funding Business Case Evaluation of AP Spend
Brand Management Brand Strategy/Rationalization Brand Protection Development
Sales Order Management Counterfeiting Sales Promotion RDI
Pricing Contract Management
Production Asset Security Protection Production Efficiency Production Capacity Product Quality/ Food Safety
RD Implementation Asset Maintenance Specification
Logistics Warehousing Milk Collection Product Shipment Distribution Channel Inventory Planning Inventory Protection
Project Management Capex Approval Post Project Evaluation Structure Security
Time, Cost Quality Control
People Personal Health Safety Attract Retain Talent GROW PERFORM Capabilities Motivation Focus
Succession Industrial Action Internal Communication Renumeration
Transaction Processing Order Processing Invoicing Cash Collection Credit Management Expenses Purchases Cycle
Payroll Trade Spend Promotion Cycle Milk Payout
Information Data Accuracy, Completeness System Development System Integration System Failure System Transformation
Timeliness COE Jedi IS Data Security
Kea
Crisis management Bio-Security Terrorism DRP/BCP Product Recall Natural Disaster
Non-Core Business Synergy
Financial Financial Reporting COA FRS Hyperion SAP Functional Currency
Core Controls
Financial Planning CMP/SP Payout Forecasts Foreign Exchange Commodity Price Volatility Cost of Production
Inventory Mix Valuation Sales Mix Valuation Volatility
Fair Value Share Valuation Peak Note Management Lifecycle Planning Working Capital Redemption Management
Treasury Management Hedging Functional Currency Debt Raising Management
Tax Planning Domestic Tax Regimes Foreign Tax Regimes
Performance Planning RCM Performance Measurement VBM
Measurement
Fraud Geopolitical/Cultural Control Design Implementation
Compliance Policy Procedures Procurement Production Standards HR Treasury Insurance
Environmental Jedi Business Rules Supplier Land Management
Compliance Farming Practices
Legal Regulatory Sovereign Legislation Customs Duties Health Safety/ACC Environmental Hazardous Substances
Regulation DIRA
Intellectual Property Shareholder Reporting Future Regulation
Governance Ethics Culture The Way We Work Geographic Diversity Empowerment Corporate Citizenship
Board Activities Shareholder Reporting Sub-Committee Delegations Qualifications
Figure 12
ERM AND TECHNOLOGY: WHAT’S THE SOLUTION?
Currently, the technology of choice for ERM among the partner
organizations is Microsoft Office.
As with any evolving business process, organizations attempting to embed ERM in
their structures and operations are constantly searching for ways to facilitate their
efforts. Each best-practice organization in this study is implementing and executing
ERM in some way that fits its current business agenda and business model. Although
the partners are open to a technology solution that would facilitate effective
ERM implementation, the current preference to keep things simple has led these
organizations to employ Microsoft Office as their primary enabling technology.
Although the study partners do automate some data collection, analysis, and
reporting processes, the majority rely primarily on manual support for ERM
activities. While a comprehensive and effective process automation solution remains
elusive in the ERM arena, the following examples illustrate how the best-practice
organizations create support processes adapted to their own cultures and
strategic needs.
Fonterra uses Microsoft Office Excel for most of its ERM technology support.
Within Fonterra, the perception is that implementing a formal software package
would impede the organization’s ability to quickly adapt to any process or business
change. Accordingly, the organization has decided not to purchase a software
package explicitly for risk management. Currently, one full-time employee manages
the formal risk assessment process and the supporting database.
American Electric Power (AEP)’s decision not to implement supporting
technologies is similarly strategic. At this point, the organization feels that a new
technology solution might hinder its ERM process. Although AEP has explored a
number of software packages, it has chosen to refine its process first and let that
process drive future technology decisions. By concentrating on process and open
communication, the organization hopes to ensure that information is effectively
shared among its functional units.
The NYISO’s core risk reporting and mitigation processes are heavily manual and
supported by Microsoft Office programs such as Word and Excel. The organization
is currently examining a number of ERM technology support tools, but has not fully
automated its processes.
Microsoft is also exploring solutions to manage its risk and compliance activities.
Since ERM is a relatively new concept, the program is investigating multiple options
for building and implementing an ERM platform that can be leveraged globally. At
present, the organization employs an enterprise solution based on SharePoint
and SQL technology; moving forward, it plans to continue building a platform that
integrates the best of Microsoft’s enterprise technologies with Microsoft Office
solutions.
Like many organizations, Microsoft faces challenges associated with the volume and
complexity of external compliance obligations. There are numerous overlapping
compliance requirements that must be integrated with ERM, including SOX,
the Health Insurance Portability and Accountability Act (HIPAA), the Payment
Card Industry Data Security Standard, anti-corruption, privacy regulations, trade
compliance, and so on. All these compliance requirements involve different tools,
and the organization believes that even more tools will be added in future, further
complicating the technology infrastructure. Microsoft’s proposed solution to address
such issues is to leverage the best of its technology through a platform approach
termed “OneCompliance,” which supports compliance with multiple regulations
and standards. The approach involves optimizing available resources that focus on
risk management, controls, and compliance while reducing duplication and time/cost
requirements.
CONCLUSION
As the results of this study indicate, there are many ways to effectively
operationalize risk management. Partners use a variety of tools, methodologies,
and applications to support ERM. However, one commonality among the partners’
approaches is an emphasis on clear risk aggregation and reporting. Aggregation
surfaces key significant risks that impact the organization, leading to a more
thorough and informed understanding of risk.
Although the best-practice organizations employ both automated and manual
processes to manage risk, Microsoft Office is the technology of choice for
supporting ERM at this time. Many of the partners have just begun to think about
how more complex software and systems might be used to support the unique
demands of ERM. We can expect to see new technologies emerge as ERM
processes mature.