Transitioning to Enterprise Risk Management

Executive Report

The Risk Perspective


As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the Risk Management Society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals located in more than 60 countries. For more information on RIMS, visit www.RIMS.org.

A RIMS ERM Committee Report

Contributors: Linda Conrad, Zurich; Radu Demian, Correctional Healthcare Companies; Carol Fox, RIMS; Laura Langone, Juniper Networks; Michael Thoits, Affinia Group, Inc.; David Shluger, Zurich; Jana Utter, Fiserv

RIMS is grateful to the following individuals for participating in a virtual roundtable and sharing their approaches and expressing their commitment to advancing risk management practices through their words and actions:

Ted Pokarski, Dow Corning; Brian Thelen, General Motors; Laura Langone, Juniper Networks; Ward Ching, Safeway; Sandra Carson, Sysco Corporation

Editor Morgan O’Rourke

Designer Joseph Ricci


© 2014 Risk and Insurance Management, Society, Inc. All rights Reserved.


Contents

Executive Summary ... 1

What Has Changed? ... 2

Catalysts for Change ... 2
  Business Results ... 3
  Board or C-Suite Impetus ... 3
  Compliance and Regulatory Push ... 3
  Rating Agency Pressure ... 4

Risk Management Roles in ERM ... 4
  What if ERM Is Led by Another Part of the Organization? ... 5
  Collaborating with Other Internal Risk Management Functions ... 5
  Translating Risk into Senior Executives’ Language ... 5

Demonstrating Value ... 6

5 Simple Steps to Transition to Enterprise Risk Management ... 7

Moving Forward ... 9

ERM Virtual Roundtable ... 10


Executive Summary

Financial results indicate that a robust enterprise-wide risk management framework can be a practical and sustained basis for improved profitability, greater operational efficiency, increased shareholder value and reduced financial volatility. A 2012 study by FERMA and Ernst & Young found that firms with “advanced” risk management practices exhibited stronger earnings before interest, taxes, depreciation and amortization (EBITDA) and revenue results over the past five years than did those with “emerging” risk cultures. Specifically, their review of over 800 firms in 20 countries concluded that 75% of firms with “advanced” risk management practices had EBITDA growth of over 10% and 62% of firms with “advanced” risk management practices showed revenue growth of 10%.

The study validates the concept that creating an active risk culture can directly correlate to stronger financial results, and as the entire firm becomes more aware of, and accountable for, potential obstacles and opportunities, this mindset may lead to even greater success.

Results of the 2013 RIMS Enterprise Risk Management Survey suggest that organizations are overwhelmingly realizing ERM’s value, with more than 80% of respondents transitioning from a traditional risk-siloed approach to an ERM risk portfolio approach. In addition to the favorable business results that have been realized by companies that have implemented ERM programs, this shift has also been driven by pressure from regulators, rating agencies and the C-suite for organizations to develop a better understanding of the risks they face. As a result, risk managers have an excellent opportunity to play a key role in their organization’s ERM transition.

This paper is intended to give you insights into building an ERM process and culture that not only protects the company’s assets and reduces the volatility of outcomes, but also helps your company proactively address obstacles standing in the way of leveraging opportunities for success. As demonstrated in the virtual roundtable that begins on page 10, this is more than just an optimistic theory. By reviewing the experiences of organizations that have successfully made that transition, we hope to demonstrate how you can effectively expand current, perhaps fractured, risk management practices into a more strategic enterprise risk management program that makes a difference in your organization.


What Has Changed?

In the 20th century, the discipline of risk management focused on managing a broad set of hazard risks, ranging from the threat of fire and windstorm to employee crime and theft. In transferring traditional hazard risks through insurance solutions and then mitigating residual hazard exposures through loss control and claims management, traditional reporting meant an insurance review on coverage and cost. Protecting the balance sheet was the primary driver of corporate risk management due diligence.

Since the turn of the 21st century, executive management and board members have been faced with managing a wide range of risks in a rapidly and constantly changing environment. The acceleration of technology and the speed and complexity of cybersecurity risk in a global web of outsourced systems delivered through cloud technology and solutions have raised the bar for companies to respond quickly to real and/or perceived threats. Expanding in emerging markets with immature infrastructures in legal and regulatory oversight has created challenges for organizations that are trying to protect R&D investment and intellectual property. Traditional command and control supply management has been replaced by intricate, outsourced supply chain models that make it difficult to ensure quality standards are being met. Meanwhile, black-swan events like 9/11 and the 2008 global economic crisis seem to happen with greater frequency. As a result, management has to have a deeper understanding of these dynamic risks and adopt a solid approach to evaluate and manage their potential impact, not only to protect the bottom line but to increase it. Many organizations are finding that conventional risk management is no longer the complete solution for the job and are now taking a different approach.

Opportunities abound to evolve from a defensive approach to risk management (protect and preserve) to a more offensive or proactive approach, one that evaluates risk holistically and acknowledges greater uncertainty in business today. The value traditional risk managers bring to this new role is the solid risk management discipline developed over the last century to assess and manage risk. These basic tenets are well understood and form the foundation of most widely accepted enterprise risk management standards and guidelines. However, technical skills alone are not enough. Personal skills, such as critical thinking, change management, project management, and concise and direct communication, can expedite movement across the organization and build credibility at the senior management and board level.

According to RIMS 2013 President John Phelps, ERM allows risk management professionals to provide greater value in organizations by not just allowing for indemnification for events after the fact. Greater value comes from getting in front of a broad array of risks to the organization and being proactive. ERM takes a look at a range of risks across the organization and evaluates those risks, some of which can be treated in a traditional fashion and others that may need to be treated differently.

“Risk management professionals help determine the best way to address those risks for the organization, and that creates tremendous value for their respective organizations,” Phelps said. “If we can harness risk in the company and understand it better than our competitors, then it increases our likelihood for success. So enterprise risk management is really an extension of traditional risk management. Risk financing and loss control methods are considered tools in the risk professionals’ toolkit.”

So the question may not be whether traditional risk management is really integrated with ERM. In Phelps’ view, ERM is more of a maturation or extension of traditional risk management, its process and the function’s capability within the organization.

Key Enterprise Risk Management Change Questions:

1. What is my approach to assessing risk within the organization? Is it widely accepted to make enterprise-wide risk management decisions?

2. How is risk perceived in the organization? Do we consider the downside, upside or both?

3. How is risk evaluated across the organization?

4. What skills are needed to drive enterprise risk management in my organization?

Catalysts for Change

ERM’s ascendancy is driven by both internal and external factors. In addition to making a strong business case, the board and C-suite are turning to ERM to understand the impact of today’s dynamic risks in order to protect shareholder value and corporate brand and reputation. At the same time, new legal and regulatory requirements are pushing management to improve oversight for risk across the enterprise. Rating agencies are requiring more oversight for risk across the enterprise at the board level to maintain credit ratings. And corporate shareholders are demanding board and C-suite accountability and transparency on risk-related issues, with the management of risk and uncertainty tied to executive compensation.

Is Someone Moving Your Risk Management Cheese?

In 1998, Spencer Johnson illustrated the reality of life changing around us in his best-selling book Who Moved My Cheese? It is the tale of four characters living in a maze who spend their days searching for cheese. After they discover that their current supply has disappeared, the characters react in different ways, some productive, some not, to this unexpected change.

At times, in the risk management “maze,” terms such as enterprise risk management, strategic risk management, IT risk management and so on, can make some risk managers feel like their “cheese” is moving as well. Traditionalists might question why risk management has to change at all (or even why it needs so many adjectives). After all, it already works and they do it exceptionally well. For some of these risk managers, change might not be necessary. But not all mazes are the same and other risk managers come to realize that new situations call for them to search for new cheese. This is their story.


Figure 2: Overview of Common Elements of Widely Used Risk Management Standards and Guidelines (table of RIMS RMM attributes against ISO 31000, OCEG, BS 31100, COSO, FERMA and Solvency II; each attribute is marked for the number of standards shown)

- ERM-Based Approach: marked for 6 of the 6 standards
- Process Management: marked for 6 of the 6 standards
- Risk Appetite Management: marked for 6 of the 6 standards
- Root Cause Discipline: marked for 3 of the 6 standards
- Uncovering Risks: marked for 6 of the 6 standards
- Performance Management: marked for 5 of the 6 standards
- Business Resiliency & Sustainability: marked for 3 of the 6 standards

Figure 1: Compound Annual Growth Rates 2004-2011 by Risk Maturity Level

Business Results

Although multiple drivers are certainly catalysts for ERM, the results that more mature ERM programs have been able to demonstrate are perhaps the strongest catalyst for change. A 2011 Ernst & Young report entitled “Turning Risks into Results” found that companies with more mature risk management practices outperform their peers financially (Figure 1). “Our research suggests this translates to competitive advantage: we found that companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV.” An independent research study, published in early 2014 by the Journal of Risk and Insurance and conducted by the Queens University Management School in Belfast, Northern Ireland, using data from the RIMS Risk Maturity Model assessments, found that “An ERM maturity transition from a silo based risk management process…to a mature ERM environment with established enterprise risk management routines and engagement from the top of the firm could create a value improvement of as much as 25%.”

Board or C-Suite Impetus

The complexity of global business risks impacting public and even non-public companies is challenging for even seasoned board members and senior executives. Boards must understand the risks facing the company and how they affect its ability to achieve its business objectives. Disclosure and transparency are imperative to understanding these risks and to ensuring proper oversight of executive management. Chief executive officers (CEOs) are faced with creating greater shareholder value in a challenging macroeconomic environment where margins are eroding. Chief financial officers (CFOs) are challenged with achieving higher returns in an environment where investment yields are low, while they are spending considerable resources on ensuring compliance with internal financial controls. Chief information officers (CIOs) are managing IT architectures, operability and security in an environment with open platforms, multiple devices and sophisticated hacking threats. General counsels must manage traditional legal issues and contract management and also are expected to improve legal and regulatory compliance. As a result, the C-suite is mandating that management provide greater transparency of risk across the organization. While managers are struggling with diverse approaches to evaluate these risks within their silos, the C-suite is demanding a more integrated, holistic approach to understanding these enterprise-wide risks.

Compliance and Regulatory Push

Since the financial crisis, there has been a push for greater oversight of risk across the enterprise at the management and board level. As a result, there has also been an emergence of enterprise risk management standards and regulations including ISO 31000, OCEG’s “Red Book,” BS 31100, COSO, FERMA and Solvency II. To understand these standards and regulations and the application of each, the 2011 RIMS executive report, “An Overview of Widely Used Risk Management Standards and Guidelines,” discusses various approaches and frameworks in depth to drive enterprise risk management within an organization (Figure 2).

While the many standards and guidelines for enterprise risk management may be confusing, there are basic tenets and similarities among all of them:

1. Adopt an enterprise approach to risk management

2. Ensure governance and sponsorship

3. Assess risk across the enterprise

4. Assign accountability to manage risk

5. Monitor and report on progress

In order for traditional risk managers to be successful, they should be familiar with these various approaches to enterprise risk management and educate management on the optimal approach aligned with an organization’s culture and management style.

Source: Ernst & Young, “Turning Risks into Results”

Source: RIMS, “An Overview of Widely Used Risk Management Standards and Guidelines”


Figure 3: Executive Risk Practitioner section from RIMS Risk Management Professional Growth Model (reproduced after the Skills and Attributes discussion below)

Figure 4: C-Suite’s Competency Expectations (ranked list of competencies; the items shown are:)

- Intimate knowledge of the business and industry
- Strategic view of risks and risk management’s role
- Broad-based operational perspective
- Business process / project management experience
- Compliance view of risks / risk management’s role
- Insurance knowledge

Source: “Delivering Strategic Value Through Risk Management,” RIMS/Marsh Excellence in Risk Management 10 Report, 2013

Rating Agency Pressure

Since 2007, rating agencies have requested that public companies provide greater oversight for enterprise risks and have required executive management and the board to communicate to shareholders the governance structure and the process the company employs for evaluating various types of risk. Specifically, Standard & Poor’s Ratings Services has enhanced its review of governance for evaluating enterprise-wide risks at the board level for public companies, and is seeking an in-depth analysis of the financial service industry’s enterprise risk management practices and risks that could impact creditworthiness. The rating agencies as a whole are continuing to strengthen their reviews of risk management practices for both financial and nonfinancial organizations. Forward-thinking firms are wise to get out ahead of the curve.

Risk Management Roles in ERM

At times, organizations can be resistant to change. Past processes have worked well, so the need to change may not be evident. Change certainly brings additional uncertainty. For organizations that culturally are averse to uncertainty, undertaking an ERM program may cause some discomfort. Individuals who have experienced success in current roles may fear that this new “ERM thing” may only be a fad. They may perceive that traditional risk management is more secure than attempting something new, particularly if past efforts to implement ERM have frustrated the organization.

On the other hand, embracing change provides a growth opportunity. In the RIMS Professional Growth Model, the executive practitioner exhibits the abilities, knowledge, attributes and skills required of the enterprise risk management professional (Figure 3).

While all of the noted abilities, knowledge, skills and attributes are important for an executive-level risk leader, a few of these are worth highlighting in the context of being successful in a changing environment:

• Abilities and Knowledge

In our ERM roundtable (page 10), the participants demonstrated a deep knowledge of their respective businesses and how risk management plays an important strategic role in the organization’s success. Interestingly enough, these same two abilities were the top two expectations noted by C-suite executives in the RIMS/Marsh 2013 Excellence in Risk Management Report (Figure 4). No longer is insurance knowledge the primary competency expected of the risk professional by executives, particularly in those organizations seeking a risk management leader who can deliver broad-based business value.

• Skills and Attributes

When asked about the skills and attributes that most led to a successful integration of enterprise risk management into the fabric of the organization, one of the roundtable respondents cited five: influential, change agent, strategic thinker, effective with others and exceptional verbal communication. Influential is a critical attribute in the sense that risk leaders need to be able to inspire and guide, as well as move others to action. Change agent is a necessary skill for understanding how to overcome the challenges inherent in inertia and reluctance to change. Strategic thinking is critical as risk management is primarily focused on future uncertainties that may either improve or worsen an organization’s position. Being effective with others encompasses the ability to work at all levels of the organization,

Figure 3: Executive Risk Practitioner section from RIMS Risk Management Professional Growth Model

Abilities and Knowledge:

- Intimate knowledge of the business and industry
- Broad-based operational perspective
- Business process expertise
- Company’s risk leader (Enterprise Risk Management/Chief Risk Officer)
- Company’s business resiliency planner
- Strategic view of risk management
- Key player in mergers and acquisitions and due diligence
- Pushes/pulls leading practices across industries
- Resource for C-suite for non-insurance business risk issues
- Ethics and governance cultural leader
- Alternative risk transfer leader
- Strong budgeting and staff development expertise

Skills and Attributes:

- Perceptive, Influential, Educator, Change agent, Profit center focus, Facilitator, Constructive
- Pragmatic, Promoter, Well-prepared, Leader, Dynamic, Persuasive, Effective with others
- Proactive, Coach, Decisive, Strategic thinker
- Exceptional presentation skills, Exceptional negotiation techniques, Exceptional verbal communication, Exceptional written communication

Source: RIMS Risk Management Professional Growth Model


Key Enterprise Risk Management Roles Questions:

1. What internal and/or external stakeholders are driving greater transparency for risk across the organization?

2. Who is primarily responsible for risk management at the executive level?

3. Who are the key stakeholders responsible for evaluating risk within the silos?

4. How is risk evaluated within these silos?

5. What are the similarities of the various risk management approaches?

6. Is there an optimal enterprise risk management standard or guideline that best fits the organization?

7. What are the benefits of integrating and aligning risk management governance, resources, and information on risk across the enterprise?

Figure 5: Which risk functions within your organization are included in ERM activity planning and execution (bar chart; functions shown: Legal, Internal Audit, Compliance, IT Risk Management, Operations/Safety, Strategic Planning, Business Continuity, Treasury, HR, Security, Public Affairs/Relations, Logistics, Other)

Source: RIMS 2013 ERM Benchmark Survey; produced by Advisen

external groups and preparing materials for different audiences. Although all communication skills are important, verbal communication advances the integration of risk management practices at every level.

What if ERM Is Led by Another Part of the Organization?

Just over 55% of the respondents to the 2013 RIMS ERM Benchmark Survey indicated that ERM is being led by risk management within their organizations. This highlights the fact that other functions, such as internal audit and finance, are stepping up to the changing environment. Regardless of which part of the organization takes the lead in integrating ERM, traditional risk managers can and do play a critical role. The same abilities, knowledge, skills and attributes noted above would be expected from a traditional risk management team member, particularly knowledge of the business and industry, strategic thinking and effectively working with others. Risk financing and loss control methods remain important tools for protecting the organization’s balance sheet.

The greatest challenge traditional risk professionals have in an organization in which ERM is led by another part of the organization is to overcome being perceived and marginalized as a risk-averse tactician who provides a limited, albeit essential, function. Two important steps for those who desire to be integrated as part of the enterprise risk management team are to: 1) conduct a frank and honest strength/developmental needs self-assessment, seeking external feedback, based on the RIMS Professional Growth Model, and 2) create a 15-word mission statement that answers the following question: What do or can I do that adds remarkable, measurable, distinctive and distinguished value to my organization? Understanding how to be a contributing and valued team member is indeed a leadership characteristic. Being able to demonstrate that value goes a long way towards winning a spot on the team.

Collaborating with Other Internal Risk Management Functions

Progression towards greater risk awareness across silos has created another opportunity: the need for greater integration of various risk management activities and resources across the organization. Pressure from legal and regulatory bodies, such as the SEC, is also pushing finance and legal departments to enhance risk management activities and oversight for financial and legal risks. The adoption of ISO 27000 is pushing CIOs to assess and manage technology risks. A number of internal auditors are evaluating the Open Compliance and Ethics Group (OCEG) guidelines that integrate and align governance, risk management and compliance (GRC) efforts, as a supplement to the COSO internal controls framework or international risk management standards, such as ISO 31000.

Traditional risk managers can leverage this corporate position in the organization to gain a broader understanding of risk across silos, evaluate these various functions and responsibilities for risk management and drive a common approach. Integrating and partnering with like-minded functional teams will lead to greater transparency for risk and allow organizations to better prioritize resources to oversee and manage risk. The traditional risk manager can then orchestrate enterprise risk management initiatives across the organization and drive value to the bottom line.

Organizations with ERM programs are already leveraging this cross-functional collaboration for ERM planning as well as execution, with over 60% involving legal, internal audit, compliance, IT risk management, operations/safety and strategic planning (Figure 5).

Translating Risk into Senior Executives’ Language

All risk managers know that there is a cost associated with risk assumption, mitigation and transfer. Certainly, one of the traditional values that risk management brings for senior executives is disclosure of these costs. Equally important, from an enterprise risk management perspective, is the opportunity for greater return. Transparency for enterprise-wide risks and the associated costs and benefits can drive a new discussion with management focused on measuring risk


Key Enterprise Risk Management Risk Aggregation Questions:

1. What are the costs associated with assuming risk across the organization?

2. What are the direct and indirect costs (such as potential lost opportunities) to avoid undesired risk outcomes?

3. What is the level of investment required to control unwanted risk levels to an acceptable level?

4. Is there a mechanism (accounting or other) that can be used to capture material risk-related expenditures across the organization?

Key Enterprise Risk Management Value Questions:

1. How does my organization measure its performance?

2. How does management make risk-return decisions within the organization?

3. How does it determine an acceptable level of risk and return?

4. What value is senior management expecting risk management to deliver that is not being delivered already?

5. In what specific areas can risk management make the most significant value contributions?

in monetary terms and prioritizing resources on those risks that will drive greater revenue and growth while protecting shareholder value. Aggregating risks and measuring risk and return enables management to make cost-benefit calculations to determine the optimal return on investment for risk management decisions.

Traditional risk managers have been utilizing models such as total cost of risk (TCOR). However, TCOR in the traditional risk management setting measures the cost of hazard risks and mitigation, primarily risk transfer premiums, and does not reflect the cost associated with risk across the enterprise or the return on investment. The opportunity for the traditional risk manager is to use these solid concepts to help provide transparency for the cost of aggregated risks and the return on reducing or taking on more risk to the organization.

Demonstrating Value

Demonstrating ERM value through traditional investment metrics such as return on investment (ROI), return on equity (ROE), return on assets (ROA), or risk-adjusted return on capital (RAROC) can be challenging for many risk professionals. As a result, organizations may consider ERM’s value in any number of non-traditional approaches.

From a traditional risk management perspective, there may be quantifiable benefits in hard savings on insurance premiums and loss costs. For one healthcare organization, it meant significant premium savings. In the director’s own words, “We experienced a significant increase in insurance costs (30%) in the year prior to my joining the organization. We have since implemented an ERM program that identified and developed mitigation plans around the top five risks. Before presenting the details of our program to the insurer, we received a renewal estimate of a 14% increase in premium rate. After describing our strategy and the details of our ERM program and mitigation plan, we were able to significantly reduce the increase to just 4%, which translated into several hundred thousand dollars of savings. The implementation of the ERM program provided not only more operational and financial stability but also hard dollar savings for our company.”

Insurance premium savings and loss reductions may be low hanging fruit, but they are not the only—nor even the most important—value to be gained from ERM. From our ERM roundtable participants (page 10), we learned about the varied and distinct value realized from ERM.

Safeway, for example, not only realized value from workers compensation loss reductions but also in managing volatility, an important outcome in an industry traditionally challenged by single-digit margins. Operational efficiency was gained at Sysco by centralizing a previously fragmented ownership for food safety. Process improvement and risk management integration at General Motors was cited as adding demonstrable value. Supply chain resiliency was strengthened at Juniper Networks through its ERM program.

As these value contributions become more measurable, they may be forecasted and actually become a “revenue stream,” either through measurable loss reductions, previously unrecognized strategic opportunities ripe for pursuit, or through organizational behavior changes that result in quality-driven operational cost reductions.

More qualitative benefits are revealed by internal success stories, such as previously unrealized opportunities becoming apparent through additional risk assessment and awareness, development of a stronger strategy, and resiliency to disruption. This strategy and performance integration is a recurring theme from our roundtable participants. For example, risk correlations and interconnectedness were noted as an effective value measure for Dow Corning. Equally, Dow Corning’s ERM involvement in the budget and capital allocation process is “the best indication of ERM’s value.” Involvement in the budget process and strategic plan modifications also proved effective at General Motors. Improved store performance added directly and measurably to the bottom line at Safeway, while generating an organizational behavioral shift to a “Culture of Safety” through rewards for “positive observations” given by employees themselves. Competition as a hidden ally was uncovered at Sysco through its ERM program’s use of game theory methodology. This revelation changed the organization’s approach to a specific, long-term and complicated “slow leak” trending risk by incorporating a previously unidentified opportunity into its strategy.

Each of these examples of ERM’s demonstrable value highlights the primary value that ERM delivers for any organization: the conversation and embedded techniques that risk management provides can and do drive organizational success. However value is expressed, the responses from those participating in the roundtable discussions suggest that enterprise risk management competencies accelerate the success of the organization’s mission and its related objectives.


5 Simple Steps to Transition to Enterprise Risk Management

A risk-aware culture can be fostered through the way that risk is assessed throughout the organization. A number of successful organizations establish a uniform method of identifying, assessing and managing risk, whether it is in research and development, transportation, retail operations or strategy-setting. Every staff member has some interaction with the risk assessment process and considers it a standard business practice. One risk professional described this outcome as the ultimate success for her ERM program. It may take a great deal of time and resources to reach this point, but a successful transition to an enterprise risk management program begins with these five simple steps.

1. Determine what value your organization will gain from ERM.

What is the internal driver or need that is not currently being met? What are the internal value and performance metrics that your organization already uses? Whether value is expressed as market share, profit, service provision, donor levels, social impact or other benefit, how do the enterprise risk management competencies accelerate the success of the organization’s mission and related objectives? In other words, what business need will be met through a structured ERM approach?

As significant strides are made in developing, implementing and enhancing an ERM program, the company’s results should reflect this effort. For many companies, the strength of their risk management program serves as a competitive advantage. This is true because the company is able to navigate through the uncertainty associated with strategic risks and toward opportunity based on timely, relevant risk information. The company may also see benefits from a more productive workforce, as better decisions reduce losses, improve efficiencies and eliminate waste. ERM may serve as a marketplace differentiator, as well, if customers view the company as a more stable, transparent trading partner.

2. Scan the internal environment for what is already being done.

Many organizations already have established controls against commonly and widely understood risks, such as business disruption, environmental, execution failure, etc. (see management control options in Figure 6 on page 8). It is likely that the individuals responsible for these various control options also conduct risk assessments, possibly against some potentially irrelevant “best practices” without consideration of the underlying root causes. Understanding what your organization is already doing allows you to leverage practices already in use within a broader enterprise risk management environment. Additionally, a common, collective understanding and agreement concerning which—and what level of—risks should be accepted, avoided, transferred (or shared), mitigated and/or exploited would serve to reduce organizational dissonance about what is acceptable or relevant to the organization’s stated objectives.

An Underwriter’s Perspective on ERM

Rarely do insurance submissions contain a detailed outline of the company’s ERM program, either because it does not have one, or the company did not think the information was relevant to include. Since underwriters have to assess and price the overall exposure, an underwriter typically finds these details very valuable. If the company does not mention its ERM program, the underwriter must assume it does not exist. If a company invests time and resources into identifying, avoiding and mitigating losses that may ultimately hit its carrier’s bottom line, a good underwriter will certainly consider these efforts in determining the appropriate price.

Companies must communicate to insurance markets the strength and effectiveness of their ERM programs if they wish to maximize the value. By proactively sharing the benefits of ERM that are relevant to each respective line of insurance, companies have the opportunity to shape the discussion and advocate on their own behalf. The best approach is a simple meeting several months in advance of a renewal to present the ERM program details, including stakeholders, resource support and expected or realized benefits. The information should be organized by relevance, simplifying the underwriter’s consideration of ERM’s impact on the exposure. Also, not all underwriters have a comprehensive understanding of ERM, so one should not be afraid to educate the underwriter on the fundamentals. There is very little to risk, but much to be gained, by making your underwriter a partner in your ERM efforts.

Zurich’s Risk-Based Capital Allocation Results Show a Measurable Value

Over the past ten years, Zurich has strengthened its own risk management capabilities by introducing an operational risk management framework into its ERM program. This improved ERM process provides it with risk management tools to specifically identify, assess, manage and quantify operational risks. As a result, Zurich’s operational risk capital efficiency has improved. One Zurich business unit experienced a reduction of 21.7% in operational risk-based capital consumption. The operational risk capital not consumed was then available to fund other profitable growth initiatives for Zurich.


Figure 6: Common Risks and Management Control Options

Common Risks
• Business Disruption
• Environmental
• Execution Failure
• Theft/Civil Unrest
• Data Breach/Attack
• Regulatory
• IT Infrastructure
• Financial Risks
• Worker/Public Injury

Management Control Options
• Business Continuity Management
• Environmental Management
• Quality Assurance/Project Management
• Physical Security Management
• Privacy/Information Security Management
• Compliance Program Management
• IT Risk Management
• Financial Risk Management
• Safety Management

Root Cause Analyses

Figure annotations (enterprise-level activities applied across the control options):
• Adhering to risk management policies on risk tolerance, risk authorities, etc.
• Accept, Avoid, Transfer, Mitigate and/or Exploit
• Measure uncertainties/deviations from plan
• Controls Assessment (Audits)

Source: RIMS Strategic Risk Management Implementation Guide

An alternative to a single companywide method of risk assessment is to perform a “risk assessment inventory.” Such an exercise evaluates how each business area or function is assessing its own risks. Often these are homegrown methods, and not entirely adequate. Risk management functions can help to strengthen and document these methodologies based on experience. Where no approach is currently being taken, a process can be deployed so that risk is formally addressed. While it may be a lengthy process of evaluating each business area, the approach should be prioritized based on criticality of the operation (i.e., sales/profit contribution, past performance, etc.).

3. Find a champion.

Your most important advocates should be one or more executive sponsors. Once your sponsors are on board, determine who best understands the risks your organization may be facing. Many successful implementers form a working committee of internal stakeholders, such as operations, sales, accounting, legal and internal audit, among others. Including the leaders responsible for management control options in such a working committee generally accelerates collaboration. If your organization’s mission is innovation, including leaders from research and development may make sense. If your organization’s mission is education, including faculty leaders can help drive productive discussions. The most important characteristic in seeking support is to find individuals within the organization who are able to influence others in positive ways.

An ERM program is a great opportunity to create a network of risk assessment champions and trainers who can serve as a support function to one another and ensure the company’s risk assessment methodologies are robust and up to date. As the company’s operations evolve and new risks emerge, these practitioners will already be embedded in the frontlines of the business, armed with the best practices to manage risks proactively.

4. Adapt processes to the organization’s needs.

Remember to keep the message focused on the organization’s objectives, rather than the continuous risk management process itself. As an internal risk management consultant (or “competency enabler”) within your organization, it is important for you to understand and frame the discussions around internal and external interrelated conditions within whatever policies, procedures and risk authorities that you and leadership have established. However, the ERM program mandate or policy is less important to the end-user than gaining the expected value from their collective objectives by actually making risk-informed decisions and implementing their selected responses. While a formal training program may be characteristic of a mature program, simple process training using available tools and templates is quite appropriate when first getting started.

One area that can yield great results is in strengthening the risk culture of the company. Risk culture can be described as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risk the organization confronts and takes. Each and every staff member understands the risks faced by their respective area of the organization, and by knowing the company’s philosophy toward risk, they will be prepared to act accordingly. This might be as simple as an employee facing an ethically questionable business opportunity, and instinctively keeping the company’s long-term reputation in mind, or as complex as thoroughly evaluating an outsourced supply chain, not just for pricing, but for risks—both threats and opportunities. This should not be confused with compliance. A strong risk culture is proactive and takes advantage of opportunity.

Improving a corporate risk culture requires a truly enterprise approach. There are dozens of influences that shape an employee’s experience, and each one of these can be used to boost risk culture. The obvious ones are annual training sessions, which are often compulsory, and represent a great opportunity to communicate the company’s risk appetite and tolerance. Another way is to embed risk metrics, or key risk indicators (see page 9), into the performance objectives of business managers. Accountability for risk matters when it is measured, and can achieve a trickle-down effect as these managers engage their staff in achieving the objectives. Risk culture can also be instilled through the on-boarding process by human resources, the support and procurement processes of IT, and company updates from communications. The key is a consistent approach within existing processes that can be understood at all levels.

5. Strive for continuous improvement.

Progress reports highlight the difference that enterprise risk management makes in your organization, and should be reported in at least two ways: by material risk and by program progression. The risk owners should be reporting on key issues in their normal business updates, such as the material risk target outcome, specific activities that have taken place since the last report, challenges in executing the risk plan, and a trend assessment in the risk profile against the targeted outcome. Periodic reports to senior management on ERM program progression might include progress related to milestones for specific objectives.


Moving Forward

Two millennia ago, Greek philosopher Heraclitus noted that change is the only constant. In today’s world, change is increasing at unprecedented speed, leading to even greater uncertainty.

But with uncertainty comes the opportunity for traditional risk managers who wish to take on broader responsibilities by integrating what they already are doing into a broader enterprise risk management approach. It all depends on what you want to be known for, and whether you personally are ready to “move on.”

Whatever the catalysts are within your organization—business results, mandates from the board or executives, compliance and regulatory requirements, rating agency pressures, or actions from other internal risk management functions—that are driving the desire for enterprise risk management, traditional risk professionals certainly have a role, whether that is a role of leadership or teammate.

American business writer and guru Tom Peters is best known for his book In Search of Excellence. Less well known is his view on personal branding, which he coined as building and then reinventing “Me, Inc.” Different from one’s personal reputation or ethical code, personal brand focuses on customer delivery and perception. Arguing that each person is in charge of his or her own brand, he asks a simple question: “What do you want to be known for?”

In Who Moved My Cheese?, Spencer Johnson wrote, “Sometimes...things change and they are never the same again. This looks like one of those times. That’s life! Life moves on. And so should we.”

Moving from a traditional role into an enterprise risk management role requires certain competencies, as noted in the RIMS Professional Development Model, and an ability to demonstrate value from the undertaking. Each of the risk professionals for the organizations highlighted in this report is making a difference in value creation and value protection—even though that value may be measured differently depending on the organization’s and the program’s objectives. The five steps we listed to transition to an enterprise risk management program are not easy, nor achievable overnight. Even so, if someone is moving your risk management cheese, perhaps now is the time for you to “move on” as well.

Aligning Risk Management to Business Needs

Key Performance Indicators (KPIs) help a firm see how it is performing in relation to its strategic goals and objectives.

Key Risk Indicators (KRIs) are leading indicators of risk to business performance, giving early warning about potential risks.

KRIs, when aligned to an organization’s KPIs, are designed to be an early warning sign to allow the company to take action. To monitor and continuously improve the ERM process, appropriate metrics must be implemented to track progress. This is often seen as a difficult component, as it relies on data to measure both tangible and intangible achievements. Just as performance is measured in other areas of the business through KPIs, risk should be measured through key indicators of its own—KRIs. Developing meaningful KRIs can be achieved by aligning the risk objective with the actions taken to achieve it. Key risk indicators will heighten the enterprise risk awareness of management, increasing ERM effectiveness and improving organizations’ strategic execution. If the goal is to reduce the risk of harmful actions taken by a rogue employee, a KRI could be developed that tracks the adherence to a decision sign-off mechanism. Such a process is surely under observation by the company’s internal audit team, but by the time it is discovered there, it could be too late. In addition, the KRI for the sign-off control and the control itself could serve as examples of the ERM process in place to mitigate errors or fraudulent activities. Such demonstration of preventative risk indicators and controls can be used by the traditional risk professional to convey to insurance underwriters the robust ERM processes in place and possibly result in lower crime and professional liability and E&O premiums. To that end, it is important that enterprise risk management works collaboratively with internal audit to develop KRIs that can provide critical information to the company’s decision-makers. For example, Zurich uses KRIs to monitor risks in areas such as:

• natural catastrophe risks (as % of group shareholder equity)

• asset-liability matching (duration mismatch)

• strategic asset allocation (% allowed in each investment category)

• credit risk (weighted average credit rating)

• other risks specific to business or functional areas

While metrics are necessary to improve the ERM process (as the old adage goes, “what gets measured gets done”), moving to a more strategic approach to ERM will, in turn, help the organization keep sight of its key goals by actively addressing the risks to achieving those goals. An organization’s goals are the core around which its ERM process operates. The risk identification process starts with key goals, while the risk evaluation process centers on those key goals, and risk prevention/mitigation focuses on reaching the same key goals. As noted in COSO’s “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” paper, ERM raises visibility of business unit goals at one level and reinforces the organization’s focus at the highest level; “[the] strategic use of KRIs increases the likelihood that goals and objectives set by management are achieved.” In short, the transition to strategic risk management will facilitate an organization’s use of risk knowledge to proactively adjust its strategic goals to a competitive advantage.


Participants:

Sandra Carson, Vice President, Enterprise Risk Management and Compliance, Sysco Corporation

Ward Ching, Vice President, Risk Management Operations, Safeway

Laura Langone, Director, Global Risk Management, Juniper Networks

Ted Pokarski, Customer Financial Services Manager, Dow Corning

Brian Thelen, Chief Risk Officer and General Auditor, General Motors

What was the impetus for the ERM program at your organization?

Langone: Juniper’s journey to develop an enterprise risk management program, referred to internally as integrated risk management, started at the request of our CFO who wanted to implement a program to enhance oversight for risk at the board and executive management level and to create a more risk intelligent organization. The impetus was in response in part to greater regulatory requirements for public companies to enhance oversight for risk at the board level.

Juniper coordinated a cross-functional risk management team, called the Risk Management Working Team or RMWT, representing leaders across business units and other risk-related functions (i.e., corporate development, business unit leaders, sales and marketing, finance, internal audit, and legal). The RMWT developed a roadmap to drive this important initiative focused on three key components of a risk intelligent organization: 1) risk governance, 2) risk management infrastructure and 3) risk ownership. Today, Juniper has a more mature risk intelligent organization with governance for risk management at the board and executive management level and a formal infrastructure for assessing, mitigating and monitoring operational and strategic risks.

Ching: Safeway is significantly self-insured and self-administered for most of its insurance program and utilizes two captives, on-shore and off-shore. We started a project called “Culture of Safety” in 2008. As a former Marsh managing director and head of the growth department, I knew that we wanted to develop a more integrated risk management view for the company. The goal was to integrate risk management into retail operations, strategy, execution, mergers and to find opportunities to grow. It was meant to reduce the cost per share by being proactive.

Carson: In 2009, prompted by Sysco’s board of directors and driven by the financial services sector’s focus on risk management programs, I was tapped to help the general counsel initiate an ERM program for Sysco. Deloitte was selected to help start the ERM program. The CEO wanted to get ahead of the board of directors. The board came from highly regulated industries—banking, financial services—and was not satisfied with Sysco’s risk assessment process. At the time, Sysco had a risk assessment process in place but the related report had changed from many pages long to a few pages without much improvement so the process needed an overhaul. The ERM program needed to be flexible enough to keep up with changing business, yet have enough structure to be taken seriously. It also needed to add value and be consistently applied.

Thelen: We knew that we needed to be both systemic and episodic in our approach. We must be prepared for episodic scenarios, such as an earthquake in Japan or flooding in Thailand, on an operational basis. However, we also realized that on a longer-term systemic basis, we must plan to galvanize the company against the risk of failure. The traditional risk management approach, which places most of the focus on the insurance function, does not provide that type of comprehensive risk management.

Pokarski: In the late-1980s and 1990s, numerous class action lawsuits were filed against the company alleging its silicone breast implants had caused health problems. The litigation culminated in a multi-billion dollar class action settlement in 1998. After Dow Corning exited bankruptcy court protection in 2004, several independent reviews of the scientific literature, including one by the U.S. Institute of Medicine, concluded that silicone breast implants did not appear to cause breast cancers or any other identifiable systemic diseases. But, the experience taught the company a vital lesson—the necessity of implementing a world-class ERM process.

The litigation was the motivating factor, but another was our growth trajectory, especially in Asia. In 2008, when we launched the ERM process, we had just invested more than $2 billion to provide critical materials to the fast-growing solar technology industry, via our majority ownership of Hemlock Semiconductor. This is a pretty sizable investment for us. At the time, we were also finally free of the breast cancer litigation, which had embedded risk management in our DNA. It deeply affected us on the insurance side, and there was a long industry memory of the pain it brought to the market. But, at the same time it set the stage for insurance and risk management to have a seat at the board table. Having the nuts and bolts of good insurance coverage had kept this company alive.

Who was the champion of the ERM program?

Thelen: The Chairman and CEO.

Carson: After the retirement of the general counsel, the ERM function was moved to the CFO who served as the executive sponsor champion for the program.

Many organizations have benefited from implementing a successful enterprise risk management program. Every company’s path to ERM is different, but the experiences of five such organizations that participated in the following virtual roundtable—Dow Corning, General Motors, Juniper Networks, Safeway and Sysco Corporation—can serve as useful examples to consider when planning a fully integrated risk management approach.

ERM Virtual Roundtable


Langone: Our CFO.

Pokarski: The genesis of the program was our CFO, Don Sheets, who wanted to put some authority behind our risk management efforts. Before Don created the vice president of enterprise risk management position, which was held by Kevin Scroggin, risk management maybe got 20 minutes of talk time at a board meeting. We used the traditional “heat map” assessing risks for financial impact and frequency, but were beginning to migrate away from it, wanting something more robust and resilient. So the first step was Don hiring Kevin, and the second was Kevin hiring me. The two of us divided ERM up, with Kevin focusing on senior management, and me focusing on middle management, although there was some overlap.

Ching: The executive committee of the company: the CEO, CFO and the executive vice president of retail. The CEO and the executive committee delivered messages to employees that the Culture of Safety is an important process that will create competitive advantage for the company.

What were the first steps?

Pokarski: Our approach has been to keep ERM as simple as possible. The reason is that we are a research and science-driven organization, with lots of Ph.D.s and engineers. A traditional risk management tool like a heat map would be problematic, since our people would pull out their protractors and say, “This is two inches off.” From a 30,000-foot view, it would provide a false level of protection, although at the ground level we find it useful from a resource allocation standpoint. So we avoid the heat map in our five-year strategic planning process.

Ching: Using the Culture of Safety as a core approach, the transformation process started with an evaluation of the company’s culture. They defined core tenets, key drivers and their impact, after which the culture was mapped. The company needed to ensure the program’s cultural alignment with the core business culture. As part of the process, risks beyond hazard risk were identified. The Culture of Safety was embedded in operations. Each operating division had risk managers that operated similar to loss control engineers, providing support and management consulting. The employees were encouraged to understand price and manage behaviors through positive observations. Managers had to perform five positive observations a week while employees were encouraged to perform an unlimited number, in order to reinforce the right behaviors.

An integrated financial and operational dashboard with results was created with the goal to reduce frequency. Processes were adjusted based on these observations. The company used customer specific language/actions in order to ingrain specific behaviors in store personnel. For example, employees would be asked how many sandwiches do they need to sell to cover a $30,000 loss? Actuaries were used to perform a statistical analysis of losses and to vet the numbers obtained during the process. Significant savings were obtained by reducing the frequency, which allowed the company to significantly reduce the loss reserves.

Thelen: ERM was created in 2010 with the appointment of a chief risk officer. The group’s initial reporting structure was placed within the legal department. However, in 2011, the chief risk officer role and ERM were realigned with internal audit, and I assumed the role of chief risk officer, in addition to my role as general auditor. ERM is separate from the insurance function, which is under treasury, but ERM provides coverage for all GM functions and regions, including insurance and claims management activity.

Langone: Juniper encountered a number of challenges in developing an ERM program. First, there is no one enterprise risk management framework recommended as a best practice by legal and regulatory bodies like S&P or the NYSE. We evaluated many ERM frameworks. We also explored internal approaches to manage other risks like financial, legal and regulatory in order to leverage best practices and develop a common approach. There were many committees with oversight of risk. However, there was limited governance for top risks impacting the company and minimal sharing on risk-related information.

Treasury evaluated common elements of these models and other risk-related team approaches to evaluating risks and developed an approach that would meet our unique culture, our risk profile and our overall objectives driving this initiative. Juniper management also wanted to ensure risk management practices were instilled and embedded in everyday work activities, not viewed as “extra” work incremental to an already heavy load of responsibilities.

Juniper evaluated the common elements of many models. Proxy statements of the companies with formal ERM programs were analyzed to understand the role of the board in managing risk. Our objective was to develop an approach to enterprise risk management that would enhance oversight for risk at the board and executive management level, provide greater transparency for risk across the company, and leverage existing best practices in risk management that served us well in the past.

While there are multiple approaches to ERM, there are three common elements to most enterprise risk management models. First, there must be governance for risk management at the senior level with clearly defined roles and responsibilities. Second, there must be a common framework to assess, manage, mitigate and monitor risk across the company and various risk-related functions. Last, there must be ownership for risk at the individual level to measure performance and drive results. While these are common elements to effective enterprise risk management, any program adopted must be tailored to a company’s unique culture.

Ultimately, Juniper presented an integrated risk management program with governance for risk at the executive management level. Guiding principles, not formal policies, were developed to understand roles and responsibilities at the board and executive management level. Current risk management practices were leveraged to retain some of Juniper’s best practices to manage risk during difficult times, specifically, management’s ability to make nimble decisions to mitigate risk versus committee based decision making authority.

Carson: I was tapped to manage the program due to my experience in effecting change in areas of indirect responsibility, the deep knowledge of the business, and the ability to give “bad” news to people who would remain receptive to the news/feedback. At the time, I did not have a lot of experience with ERM.

To start, we utilized outside resources to learn the “book side” or “academics” of ERM and best practices. We instituted a top-down approach to complement and enhance processes that were already occurring or in place within the company. My first task was to conduct 27 interviews with management and board committee chairs. Afterwards, we held prioritization workshops with executive management, some five or six executives. What we found was an ability to use a “common lens” to objectively evaluate very different risks.

What is the structure and process of your ERM program?

Ching: The Culture of Safety program instituted a much more aggressive claims management approach in order to eliminate frequency. This was also a cultural transformation and risks were considered for both the upside and downside potential. The company looked at both behavioral economics (price) and behavioral safety (losses). They measured the variability and frequency of the enterprise risk portfolio. By comparing the previous trends with the actual ones to determine the savings value, the company was able to show the value of prevention. Also, bonuses were calculated based on the budgeted insurance/loss number. Premium refunds were provided to divisions with a good performance. The process was made to be very transparent, to encourage positive behaviors and to learn and validate where everyone is through competition. Behavior was influenced by influencing price. Modeling tools such as Monte Carlo were used, together with Six Sigma processes, dynamic financial analysis and efficient frontier analysis.

Carson: The audit committee oversees the ERM process and recommends board committee assignment/oversight for each of the specific key enterprise risks to the appropriate board committee. Initially the audit committee reviewed the ERM process framework quarterly and made recommendations as appropriate. Now the ERM process framework is only reported each year to the board, but key risks are reported quarterly by executive dashboard to the full board and annually to the appropriate board committee.

The CFO and I provide the audit committee with an annual ERM process update. Each quarter a few of the top risks are selected for deeper review and discussion. Cadence is such that each risk is reviewed and discussed by the board at least annually. Our team is relatively small. Even with responsibility for ERM and the compliance disciplines, with security and business continuity, occupational health and EHS and crisis management added more recently, our senior director for ERM and I have decreased our reliance on our consultant partner over the years. Sysco traditionally has been a decentralized organization, so we currently are transitioning to centralizing more risk via an ERP initiative.

Thelen: Our ERM team consists of a small core group plus approximately 40 executive-level risk officers that represent all regional and functional areas at the company. It was important to scout the organizational chart and find the right people to be designated as risk officers. In most cases, these individuals were appointed by direct reports of the CEO.

Each month, the ERM group and all risk officers meet and discuss top risks, mitigation plans, tools and techniques, and emerging risk topics. The group determines what risks to focus on and who has the responsibility for managing and mitigating them. The assigned teams are often multi-departmental. The risk owner is the senior operating executive over the department most affected by the risk. The senior operating executive is also the one communicating with the board about the risk. The risk topic covers actual and potential risks, both inside and outside the business. Decision support tools were created to assist senior executives in risk mitigation planning and three tiers/bands of risks are used to provide the right visibility to various levels within GM.

At the monthly meetings, key risks are identified through a blue-sky thinking approach and company objectives are layered on top to make sure only meaningful risks are selected. The key risks selected are presented to senior management. The risks are then assigned to risk owners, and a multi-departmental team is assembled to develop a mitigation plan. As these risks are often broad in scope, we aren’t concerned about what categories they fall under.

Langone: Juniper has a three-pronged approach to enterprise risk management that is simple for management to understand, support and manage successfully. Overall, we evaluated many approaches but adopted three essential tenets, which include governance for risk, risk infrastructure with a process to evaluate and manage risks, and risk ownership. Juniper further developed these three components to fit our culture and risk profile.

Risk governance includes risk oversight and strategic decision-making. It defines the parameters of acceptable risk, monitors strategic alignment and sets overall risk management expectations. We developed guiding principles for governance that maintained some of our best practices in managing historical risks, leveraged current risk management oversight for risk, and filled any gaps.

The board has an active role, as a whole and also at the committee level, in overseeing management of company risk. This role is one of informed oversight rather than direct management of risk. The board regularly reviews and consults with management on strategic direction, challenges and risks faced by the company. The board also reviews and discusses with management quarterly financial results and forecasts and also receives periodic reports on the company’s risk management efforts. The audit committee of the board oversees management of financial risks, and its charter calls for the committee to provide oversight of and review at least annually the company’s risk management policies, including its investment policies and anti-fraud program, as well as management’s overall risk management process.

The risk management committee works across the business to identify, consolidate and assess Juniper’s top risks across all risk types—strategic, operational, compliance and governance—on an annual basis and monitors and reports on risk mitigation activities, and escalates critical risks further, as needed, to the CEO and the board. The committee does not have any direct ownership of any risks.

Risk infrastructure includes designing, implementing and maintaining an effective risk management program. Risk infrastructure is composed of the three “pillars of people, process and technology.” It forms the essential link between risk governance and risk ownership. We focused our efforts on the process for risk management including developing a risk universe, metrics to measure and prioritize risk and tools to drive mitigation results and evaluate performance to plan.

First, Juniper developed a risk taxonomy with over 200 risks. We then categorized risks into four risk pillars: strategic, operational, financial and compliance risks. Then we developed metrics to measure the impact and vulnerability after current risk mitigation for senior management to assess these risks. We then prioritized our top risks further by speed of onset to determine the most important risks for the risk management committee to evaluate on a quarterly basis.

Risk ownership is what risk governance relies on to execute risk intelligence. The risk management working team developed a risk mitigation template for risk owners to further identify the root cause and develop activities to mitigate these risks to an acceptable level. We then developed evaluation criteria for the risk management committee to evaluate the adequacy of the risk mitigation plans. Juniper’s evaluation of risk mitigation plans focuses on the following key questions: 1) Are we focused on the right issues to manage the risk? 2) Has the level of acceptable risk been determined? 3) Is this risk management response acceptable?

Juniper’s three-pronged approach provides a simple framework for management to understand and support. We continue to evolve our process and tools and are currently evaluating technology to improve monitoring and reporting of our risks across the enterprise.

Pokarski: We have a simple five-step procedure that calls for identifying risks and then assessing, responding, communicating and monitoring them. ERM’s value proposition is that it enables the organization to examine sources of uncertainty to discuss what we will then do about them. It ensures that the right discussions are occurring. One of our tools is a one-page risk summary, on which we try to articulate the top 10 risks to our five-year strategic plan. We then examine how a risk affects each function and particular geography, whether it materializes on the balance sheet or the income statement, and will this then translate into a cash flow impact to the organization. We then monitor the risks to see how they’re trending against the controls we have in place. I don’t mean controls in an internal audit sense, but the work structure—which person is responsible for monitoring which risks, and what are the actions and special initiatives they are undertaking in these regards.

What is the involvement of ERM in the strategic process?

Thelen: The output of the strategic plan is evaluated from a risk perspective. Stress tests are developed and presented for evaluation and possible impact on the plan prior to being finalized.

Ching: The Culture of Safety program helps identify embedded risks that can influence acquisitions and structural changes. When the company sold an international division, the process was used to support senior management in the due diligence process.

Pokarski: A few years ago, when the function was in startup mode, Kevin [Scroggin, vice president of enterprise risk management] used to say we had to “push” ourselves into the dialogue at the strategic level. Now, we’re pulled into these conversations. We no longer ride the wake of our CFO. Various functions within the company routinely ask us for help in assessing risks—sometimes this is at the executive level and sometimes this is at a more granular level. ERM also affects resource allocation priorities. The company is inundated with regulations and production bottlenecks affecting our capital, and we are asked to help prioritize the underlying risks to develop the budget for the next five years. This, in and of itself, is the best indication of ERM’s value. We now have a seat at the table, and don’t have to pull the chair up ourselves.

Carson: While ERM is aligned with Sysco’s corporate strategy area, the alignment is a work in progress with the goal of the integration of the two to mature the program for value creation as well as value protection. Sysco considers risks “of” and “to” the strategy. There is some degree of setting strategic initiatives to address the key risks identified through the ERM process and also aligning the enterprise risks with the strategy in mind. The ERM function is process-driven with a formal re-prioritization of risks occurring annually along with deep-dives into key risks.

Emerging and changing risks are identified and there are elevation criteria in place that are applied to move these risks up to key risks if warranted. KRIs and triggers are examples of assessments used to determine elevation of risks. The risk assessment process has changed and captures “emerging and changing risks” and puts them into the review “cadence.” Black swan workshops are conducted every Friday the 13th to force executives to think of exceptional or out of the norm possibilities. Risk awareness has broadened across the company.

How long did it take to develop and implement the ERM program?

Carson: After two years into the implementation of ERM, the process was in place where it was ingrained within the company at the top. Now, four years into the ERM program, the ERM process is mostly at a Maturity Level 4 out of 5.

Thelen: It took about one and a half years to develop a mature program. ERM provides feedback during the budget process and helps in the development and evaluation of business plans. Stress tests receive a keen interest from the financial community.

Ching: It took six months to set up the process. The Culture of Safety program was started in 2008.

What was a major stumbling block?

Ching: Setting up the risk management system planning in order to eliminate project risks was difficult. It was accomplished through using risk mapping peer reviews with customers and through using retail language.

Thelen: The key to success is the ability to be both objective and transparent when talking about risks and opportunities. It is a bit of a shift to try and get everyone in a room and talk openly about everything that can go wrong. Corporate culture, and perhaps human nature, is that people like to hold their cards close when it comes to risk. However, with strong support from the top, and a carefully selected team of risk officers, we believe we have cultivated an excellent team that is open and challenges the status quo.

What did you find to be most effective?

Thelen: The big wins were the decision support tools—scenario analysis and game theory, which were developed in house. The involvement in the budget process made a big difference. The results of the stress tests contributed to modification of strategic plans.

Ching: Positive observations had a great impact. Store manager-centric experience modifiers (ExMod), similar to the ones used in calculating standard modified premiums for workers compensation, were very useful as well. We now use a three-year rolling database. Each store manager’s risk management performance, as measured through workers compensation losses (limited), is used to calculate the ExMod. An expected ExMod is 1.0, which means that the store manager’s performance is at the expected level. ExMods greater than 1.0, say 1.25 or so, indicate that the store manager has underperformed by having more losses than expected, thus exhibiting an “equity drag” on the organization. This store manager is costing the company more to operate by not managing a strong and safe working environment. Conversely, the store manager that exhibits a 0.75 ExMod is “making money” for the company from a risk management point of view by working safely and eliminating costly worker injury. The ExMod stays with the store manager throughout their career and is calculated each year for publication and comparison by retail management.

Pokarski: Definitely an important aspect of the program is to discuss the interconnectedness of risks. Risk A could cause Risk B, which causes Risk C in a domino-like effect. We’ve borrowed diagrams used at the World Economic Forum to drive deeper conversations around risk correlations, not necessarily as a scientific measure of risk. For example, an HR risk might create other risks that affect the organization in different geographies, in ways that appear unforeseen right now.

How do you measure success?

Ching: We used cascade reports that measured frequency of claims per store per hour. System control charts were also used together with an in-house own claims management system. Hypotheses were employed to develop solutions for issues. Analytical systems were built and distributions were generated. Divisions were charged with identifying three initiatives that move the needle: what were the key performance indicators and processes that generate savings? They fed certain behaviors over time to see if systems would change. The process contributed to managing volatility across the system.

Carson: The early ERM process had KPIs. Over time, KRIs were developed with triggers, or early warning signs, identified and a process in place for escalation.

Qualitatively, there’s overall appreciation from the board and executive management as exemplified by significant top-down support for ERM. Success is also measured based on the results of addressing and mitigating different individual risks. Quantitatively, application of ERM processes led to early wins by addressing low-hanging fruit.

A deep-dive analysis focused on food safety, identified as Sysco’s biggest reputational risk area. The deep-dive highlighted the fragmented ownership of food safety—there was no common owner across the risk from the farm to the fork. Although the top risks were very different, they had some very common deep-dive findings, such as fragmented ownership. The move from decentralized programs to centralized at corporate would aggregate the risk, therefore increasing it, but also lend itself to much better mitigation, consistency into risk management, and better visibility into performance. Scenario planning was used along with statistical analysis of historical data. As a result, changes made led to measurable decreases in exposure. Game theory was also utilized and led by a team of Canadian experts in the application. Sysco used a variety of risk identification tools to identify and analyze risks.

Other measures are hard to define because there isn’t a common way to articulate or show value, but lots of individual evidence emphasizes that ERM adds value protection and value creation (sub-optimization of gains and/or goals). The return on investment has been demonstrated by identifying and addressing low-hanging fruit, using cost avoidance where it makes sense, using near-miss learnings to feed ERM, and using game theory on complicated risks to determine the best route forward.

One example of success was an outcome of the game theory tool. Sysco is a food distributor and not a manufacturer. The end customer is the most valued partner but through game theory it became evident there is an area where Sysco’s customers can also be their competitors; they cut into Sysco’s profit margin. Sysco’s hidden allies were its competitors and suppliers were their allies. Game theory identified this non-traditional competitive threat, called disintermediation.

Thelen: Success is measured by the number of requests for participation that we receive. The team has been solicited to help with numerous risk and control related activities, most of which are consultative in nature. For example, we have assisted with the mitigation process through the development of various courses of action, using one or more tools in the process: game theory, modeling, scenario planning or Monte Carlo simulation. We have been able to contribute to process improvement and help management to make more informed decisions. In the end, everything we do should be adding value.

Langone: Success is in the outcomes. As a specific example, we actually were able to optimize insurance coverage, limits and pricing by integrating ERM and traditional risk management. In a time when property insurers and reinsurers were restricting contingent business income coverage, Juniper leveraged the analysis through its ERM program to deeply evaluate its critical suppliers and manufacturers. As a result, Juniper was not only able to increase its contingent business interruption limits on key contract manufacturers but at no additional premium. The team felt that this was directly attributable to the in-depth understanding of the risks in its supply chain through ERM.

While there have been many challenges to develop an integrated risk management program, the benefits are great. We have improved transparency for risk at the executive management and board level. We have enhanced accountability for management of our top risks at the most senior level. We have optimized resource allocation and decision making focused on the most critical risks impacting our business.

Based on Juniper’s experience over the last several years, the most important components of a successful enterprise risk management program are to ensure there is top-down leadership and support as developing and implementing enterprise risk management is a transformational process. There must also be cross-functional support across the enterprise and among the risk management functions. Finally, individual accountability to manage risk to an acceptable level is fundamental to the performance of effective enterprise risk management.


What future trends, if any, do you see?

Carson: As Sysco grows and matures its ERM program, our goals include:

• Further integrating the risk process with strategy.

• Determining if and how technology can better enable the ERM process. Sysco’s ERM process currently utilizes Excel and Access.

• Scoring of risks by the board. Currently, the officer level engages in scoring once a year, determining where risks fit in the process, heat mapping of risks, and developing watch lists and risk tiers.

• Formalizing the ERM process integration with the capital allocation process.

• Determining and establishing early-warning indicators.

A new endeavor Sysco recently undertook was engaging in a risk workshop initiated by a produce provider for a large sandwich chain. An industry group was invited to discuss regulation driving ERM. The group gathered to discuss their knowledge, views, possible outcomes and ideas for managing regulatory drivers for ERM in order to get ahead of regulation. Thirty-four of 35 invited companies participated with a total of 54 people attending. Large companies attended in addition to small companies such as one producer of kumquats. The level ranged from CEO to guards since there isn’t a standard definition for risk management functions within companies.

Thelen: More integration is expected in the business decision-making process. The contribution of ERM would be to help management in its ability to determine what can happen, what actions can be taken, and the best course of action.

Ching: Businesses will be more quantitatively driven. There will be an effort to translate ERM types of information and trending into the language of the business. The ERM process will be used to create competitive advantage: understand what competitors can’t do and use the differences.

Do you have any recommendations for someone who may want to integrate traditional risk management into ERM?

Ching: Before starting the ERM process you need to understand who the company is, what the drivers are, how decisions are made, what the key measures are and what the language of the business is. You need to make sure you are in tune with cultural differences and that you partner with the stakeholders instead of giving them direction.

Thelen: The best approach is to sit with each of the senior leaders of the company and determine what their desired outcomes are. What can the process do for them? What is beneficial to them? The ultimate goal is to build a function that will satisfy customers.

One should not make the mistake to tell business/risk owners how to do their job. The role of ERM is to help them think through and to make the most informed decisions. This approach should be adjusted based on the culture of the company.