enterprise tools and_techniques

Statements on Management Accounting

E N T E R P R I S E R I S K A N D C O N T R O L

C R E D I T S

T I T L E

IMA®would like to acknowledge the work of William G.Shenkir, Ph.D., CPA, and Paul L. Walker, Ph.D., CPA, bothof the McIntire School of Commerce, University ofVirginia, who were the authors of this SMA. Thanks alsogo to Tim Leech of Paisley Consulting and COSO boardmember Jeff Thomson of IMA who served as reviewersand Raef Lawson, Ph.D., CMA, CPA, of IMA who servesas series editor.

ENTERPRISE RISK MANAGEMENT:TOOLS AND TECHNIQUES FOR EFFECTIVE IMPLEMENTATION

Published byInstitute of Management Accountants10 Paragon DriveMontvale, NJ 07645-1760www.imanet.org

Copyright © 2007 by Institute of ManagementAccountants

All rights reserved


T A B L E O F C O N T E N T S

Enterprise Risk Management: Tools andTechniques for Effective Implementation


I. Executive Summary . . . . . . . . . . . . . . . . 1

II. Introduction . . . . . . . . . . . . . . . . . . . . . 1

III. Scope . . . . . . . . . . . . . . . . . . . . . . . . . .2

IV. Risk Identification Techniques . . . . . . . . .3Brainstorming . . . . . . . . . . . . . . . . . . . . .4Event Inventories and Loss Event Data . . .5Interviews and Self-Assessment . . . . . . . .6Facilitated Workshops . . . . . . . . . . . . . . .7SWOT Analysis . . . . . . . . . . . . . . . . . . . .7Risk Questionnaires and Risk Surveys . . .8Scenario Analysis . . . . . . . . . . . . . . . . . .8Using Technology . . . . . . . . . . . . . . . . . .9Other Techniques . . . . . . . . . . . . . . . . . .9

V. Analysis of Risk by Drivers . . . . . . . . . . .10

VI. Risk Assessment Tools . . . . . . . . . . . . .11

Categories . . . . . . . . . . . . . . . . . . . . . .12Qualitative vs. Quantitative . . . . . . . . . .12Risk Rankings . . . . . . . . . . . . . . . . . . . .13Impact and Probability . . . . . . . . . . . . . .13Keys to Risk Maps . . . . . . . . . . . . . . . .14Link to Objectives at Risk or Divisions at Risk . . . . . . . . . . . . . . . . . . . . . . . . .15Residual Risk . . . . . . . . . . . . . . . . . . . .16

Validating the Impact and Probability . . .17Gain/Loss Curves . . . . . . . . . . . . . . . . .17Tornado Charts . . . . . . . . . . . . . . . . . . .18Risk-Adjusted Revenues . . . . . . . . . . . . .18A Common Sense Approach to RiskAssessment . . . . . . . . . . . . . . . . . . . . .19Probabilistic Models . . . . . . . . . . . . . . .19Seemingly Nonquantifiable Risks . . . . . .20

VII. Practical Implementation Considerations 23ERM Infrastructure . . . . . . . . . . . . . . . .23ERM Maturity Models . . . . . . . . . . . . . .23

Staging ERM Adoption for Early Wins . . .24The Role of the Management Accountant 25ERM Education and Training . . . . . . . . .25Technology . . . . . . . . . . . . . . . . . . . . . .25Aligning Corporate Culture . . . . . . . . . . .26Building a Case for ERM . . . . . . . . . . . .26The ROI of ERM . . . . . . . . . . . . . . . . . .27

X. Conclusion . . . . . . . . . . . . . . . . . . . . .27

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Reference List . . . . . . . . . . . . . . . . . . . . . .28

Additional Resources . . . . . . . . . . . . . . . . . .28


T A B L E O F C O N T E N T S

ExhibitsExhibit 1: A Continuous Risk Management

Process . . . . . . . . . . . . . . . .2

Exhibit 2: Industry Portfolio of Risks . .5

Exhibit 3A-D: Risk Identification Template 6-7

Exhibit 4: Influence Diagram . . . . . . .10

Exhibit 5: Quantifying Risk: Determine theDrivers . . . . . . . . . . . . . . .11

Exhibit 6: Qualitative and QuantitativeApproaches to Risk Assessment . . . . . . . . . . .12

Exhibit 7: Risk Map . . . . . . . . . . . . . .13

Exhibit 8: Risk Map Model . . . . . . . . .14

Exhibit 9: Gain/Loss Probability Curve 16

Exhibit 10: : Tornado Chart: EarningsVariability by Sample Risks .17

Exhibit 11: Actual Revenue vs. Risk-Corrected Revenue . . . . . . .18

Exhibit 12: Goals of Risk Management .19

Exhibit 13: : Earnings at Risk by Risk Factor . . . . . . . . . . . . . . . .20

Exhibit 14: Earnings at Risk HedgeEffectiveness Comparisons .21

Exhibit 15: Expected Earnings and EaR 21

Exhibit 16: Probability Assessment ofEarnings Outcomes . . . . . .22

Exhibit 17: ERM Maturity Model . . . . . .24

Enterprise Risk Management: Tools andTechniques for Effective Implementation


I . EXECUTIVE SUMMARYEnterprise risk management (ERM) takes abroad perspective on identifying the risks thatcould cause an organization to fail to meet itsstrategies and objectives. In this Statement onManagement Accounting (SMA), several tech-niques for identifying risks are discussed andillustrated with examples from company experi-ences. Once risks are identified, the next issueis to determine the root causes or what drivesthe risks. A suggested approach is describedand followed by a discussion of several qualita-tive and quantitative procedures for assessingrisks. Some practical ERM implementation con-siderations are also explored, including infra-structure and maturity models, staging adoption,the role of the management accountant, educa-tion and training, technology, aligning corporateculture, building a case for ERM, and the ROI ofERM. Any organization—large or small; public,private, or not-for-profit; U.S.-based or global—that has a stakeholder with expectations forbusiness success can benefit from the tools andtechniques provided in this SMA.

I I . INTRODUCTIONIn the economic landscape of the 21st century,an organization’s business model is challengedconstantly by competitors and events that couldgive rise to substantial risks. An organizationmust strive to find creative ways to continuouslyreinvent its business model in order to sustaingrowth and create value for stakeholders.Companies make money and increase stakehold-er value by engaging in activities that have somerisk, yet stakeholders also tend to appreciateand reward some level of stability in their expect-ed returns. Failure to identify, assess, and man-age the major risks facing the organization’sbusiness model, however, may unexpectedlyresult in significant loss of stakeholder value.Thus, senior leadership must implement

processes to manage effectively any substantialrisks confronting the organization. This dualresponsibility of growing the business and man-aging risk has been noted by Jeffrey Immelt,Chairman and CEO at General Electric Co., whenhe described his position at GE: “My job is to fig-ure out how to grow and manage risk and volatil-ity at the same time.”1

While leaders of successful organizations havealways had some focus on managing risks, it typ-ically has been from a reactive exposure-by-exposure standpoint or a silo approach ratherthan a proactive, integrated, across-the-organization perspective. Under a silo approach,individual organizational units deal with their ownrisks, and often no single group or person in theorganization has a grasp of the entire exposureconfronting the company (especially the overallorganization’s “reputation” risk). To correct sucha situation, enterprise risk management (ERM)has emerged in recent years and takes an inte-grated and holistic view of the risks facing theorganization.

This SMA is the second one to address enter-prise risk management. The first, Enterprise RiskManagement: Frameworks, Elements, andIntegration, serves as the foundation for under-standing and implementing ERM. It highlightsthe various risk frameworks and statements thatprofessional organizations around the worldhave published. In addition, it discusses andillustrates through company experiences thecore components of a generic ERM framework. Italso points out some entrepreneurial opportuni-ties for change within an organization (with spe-cific leadership roles for the managementaccountant articulated) when ERM is incorporat-ed in such ongoing management activities

1


1 Diane Brady, “General Electric, the Immelt Way,”Business Week, September 11, 2006, p. 33.

as strategic planning, the balanced scorecard,budgeting, business continuity planning, and cor-porate governance. Finally, it takes up the issueof transitioning from compliance under theSarbanes-Oxley Act (SOX), where the focus is onrisks related to financial reporting, to an enterprise-wide perspective on risks, includingstrategic risks.

I I I . SCOPEThis SMA is addressed to management account-ing and finance professionals who serve asstrategic business partners with management inthe implementation of ERM in their organization.Others within the organization responsible for

risk management, information technology, andinternal audit will also find this SMA useful.

Like many other change initiatives going on with-in dynamic organizations, ERM provides anopportunity for management accounting andfinance professionals to alter how they are per-ceived by others in the organization. By becom-ing a strategic partner in ERM implementation,they can be seen as “bean sprouters” of newmanagement initiatives rather than merely “beancounters.” They also can move from being thehistorians and custodians of accounts to futuris-tic thinkers. They can become coaches and play-ers in a new management initiative important tothe future overall well-being of the company

2


SET STRATEGY/OBJECTIVES

IDENTIFYRISKS

ASSESSRISKS

TREATRISKS

CONTROLRISKS

COMMUNICATE& MONITOR

EXHIBIT 1. A CONTINUOUS RISK MANAGEMENT PROCESS

Source: Adapted from Institute of Chartered Accountants in England and Wales, No Surprises: The Case

for Better Risk Reporting, ICAEW, London, U.K., 1999, p. 47.

rather than merely scorekeepers on what has orhas not been accomplished.2

The focus of this SMA is on core tools and tech-niques to facilitate successful ERM implementa-tion. While other tools and techniques can be found in the Additional Resources section, thisdocument emphasizes those that are critical formost ERM initiatives. Since all organizationshave stakeholders with ever increasing expecta-tions, the tools and techniques discussed hereare generally relevant to:l large and small organizations,l enterprises in the manufacturing and services

sectors,l public and private organizations, andl for-profit and not-for-profit organizations.

IV. R ISK IDENTIF ICAT ION TECHNIQUESExhibit 1 shows the generic ERM framework pre-sented in Enterprise Risk Management:Frameworks, Elements, and Integration. The ini-tial focus is on clarity of strategies and objec-tives. The focal point for risk identification maybe at any level, such as the overall company, astrategic business unit, function, project,process, or activity. Without clear objectives it isimpossible to identify events that might give riseto risks that could impede the accomplishmentof a particular strategy or objective—regardlessof the scope of the inquiry. Assuming those involved in identifying risks have a clear under-standing of the strategies and objectives, theappropriate questions to ask, as suggested by

one company’s senior enterprise risk manager,are: “What could stop us from reaching our topgoals and objectives?” and “What would materi-ally damage our ability to survive?” These ques-tions can be modified for the appropriate level ofinquiry.

In the risk identification process, those involvedshould recognize that it is a misperception tothink of a risk “as a sudden event.”3 Identifyingan issue that is facing the organization and dis-cussing it in advance can potentially lead to therisk being mitigated. Two benefits are possible:

“One, if you mitigate the risk and yourpeers do not—in a catastrophic, continu-ity-destroying event that hits an indus-try—say a financial scandal—you getwhat is called the survivor’s bonus. Two,if you survive or survive better than oth-ers, then you have an upside after thefact, and this should be part of theboard’s strategic thinking.”4

Before considering some of the specific tech-niques available for organizations to identifyrisks, several important factors should be notedabout this process:l The end result of the process should be a risk

language specific to the company or the unit,function, activity, or process (whatever is thefocal point);

l Using a combination of techniques may pro-duce a more comprehensive list of risks thanwould reliance on a single method;

l The techniques used should encourage openand frank discussion, and individuals shouldnot fear reprisal for expressing their concerns

3


2 The authors acknowledge that the ideas in this paragraphabout the changing role of financial professionals weretaken from a presentation heard some years ago (uncertainas to date and place) and given by Jim Smith of The MarmonGroup, Inc. While the original remarks were not given in thecontext of ERM, they have been adapted accordingly.

3 Corporate Board Member, 2006 Academic CouncilSupplement: Emerging Trends in Corporate Governance,Board Member, Inc., Brentwood, Tenn., p. 20.

4 Ibid.

about potential events that would give rise torisks resulting in major loss to the company;

l The process should involve a cross-functionaland diverse team both for the perspectivesthat such a group provides and to build com-mitment to ERM; and

l Finally, the process will probably generate alengthy list of risks, and the key is to focus onthe “vital few” rather than the “trivial many.”

Some techniques for identifying risk are:l Brainstormingl Event inventories and loss event datal Interviews and self-assessmentl Facilitated workshopsl SWOT analysisl Risk questionnaires and risk surveysl Scenario analysisl Using technologyl Other techniques

BrainstormingWhen objectives are stated clearly and under-stood by the participants, a brainstorming ses-sion drawing on the creativity of the participantscan be used to generate a list of risks. In a well-facilitated brainstorming session, the partici-pants are collaborators, comprising a team thatworks together to articulate the risks that maybe known by some in the group. In the session,risks that are known unknowns may emerge, andperhaps even some risks that were previouslyunknown unknowns may become known.Facilitating a brainstorming session takes spe-cial leadership skills, and, in some organiza-tions, members of the internal audit and ERMstaff have been trained and certified to conductrisk brainstorming sessions. In addition to well-trained facilitators, the participants need tounderstand the ERM framework and how thebrainstorming session fits into the ERM process.

The participants may very well be required to dosome preparation prior to the session.

In using this technique, one company familiar tothe authors noted that because the objectiveswere unclear to some of the participants, theprocess had to back up and clarify the objectivesbefore proceeding. Using a cross-functionalteam of employees greatly increases the value ofthe process because it sheds light on how risksand objectives are correlated and how they canimpact business units differently. Often in brain-storming sessions focused on risk identification,a participant may mention a risk only to haveanother person say: “Come to think of it, my areahas that risk, and I have never thought of itbefore.” With the team sharing experiences,coming from different backgrounds, and havingdifferent perspectives, brainstorming can be suc-cessful in identifying risk. It is also powerfulwhen used at the executive level or with theaudit committee and/or board of directors.

In a brainstorming session, the participantsmust have assurance that their ideas will notresult in humiliation or demotion. Otherwise,they may feel inhibited in expressing what theybelieve are major risks facing the organization.As an example, a set of often overlooked risksare “people risks” vs. environmental risks, finan-cial risks, and other more technical risks. Peoplerisks include succession planning (What if ourvery competent leader departs the organiza-tion?) and competency and skills building (Whatif we continue with a team that does not havethe requisite skills for success?). Once a list ofrisks is generated, reducing the risks to what thegroup considers the top few can be accom-plished using group software to enable partici-pants to anonymously vote on the objectives andrisks. Anonymity is believed to increase theveracity of the rankings. Some of the interactive

4


voting software that could be used in the riskidentification process includes SharpeDecisions, Resolver*Ballot, OptionFinder, andFacilitatePro. With the availability of interactivevoting software and Web polling, the brainstorm-ing session might be conducted as a virtualmeeting with participants working from theiroffice location, also enabling them to identifyand rank the risks anonymously.

Event Inventories and Loss Event Data Seeding or providing participants with some formof stimulation on risks is very important in abrainstorming session. One possibility is to pro-vide an event inventory for the industry (see

Exhibit 2) or a generic inventory of risks.Examples of the latter are readily available fromvarious consulting firms and publications.5 Inthe first SMA on ERM, a general risk classifica-tion scheme is given that could also be used to“seed” the discussion. In a brainstorming ses-sion or facilitated workshop (discussed below),the goal is to reduce the event inventory to thoserelevant to the company and define each risk specific to the company. The risk identificationprocess can also be seeded by available loss

5


EXHIBIT 2. INDUSTRY PORTFOLIO OF RISKS

Source: Debra Elkins, “Managing Enterprise Risks in Global Automatic Manufacturing Operations,” presentation at the University of Virginia, January 23, 2006. Permmission granted for use.

5 Economist Intelligence Unit, Managing Business Risks—An Integrated Approach, The Economist Intelligent Unit, NewYork, 1995.

event data. A database on relevant loss eventsfor a specific industry can stimulate a “fact-based discussion.”6

Interviews and Self-AssessmentThis technique combines two different process-es. First, each individual of the organizational oroperating units is given a template with instruc-tions to list the key strategies and/or objectiveswithin his or her area of responsibility and therisks that could impede the achievement of theobjectives. Each unit is also asked to assess itsrisk management capability using practicalframework categories such as those containedin the ERM framework from the Committee ofSponsoring Organizations of the Treadway

6


6 Committee of Sponsoring Organizations of the TreadwayCommission (COSO), Enterprise Risk Management—Integrated Framework: Application Techniques, AICPA, NewYork, 2004, p. 28.

EXHIBIT 3A. RISK IDENTIFICATION TEMPLATE

EXHIBIT 3B. MAJOR STRATEGIES/OBJECTIVES FOR YOUR UNIT

EXHIBIT 3C. MAJOR RISKS FOR YOUR UNIT

Please list the major strategies and/or objectives for your area of responsibility.

Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.

Please assess the overall risk management capability within your area of responsibility to seize opportunitiesand manage the risks you have identified.

Please list the major strategies/objectives for your unit.

Please list the major risks your unit faces in achieving your objectives. List no more than 10 risks.

Commission (COSO). A sample template is pre-sented in Exhibits 3A-D. The completed docu-ments are submitted to the ERM staff or coordi-nator, which could be the CFO, controller, COO, orCRO (chief risk officer). That group follows upwith interviews to clarify issues. Eventually, therisks for the unit are identified and defined, anda risk management capability score can bedetermined from a five-point scale, as used inExhibit 3D. This technique might also be used inconjunction with a facilitated workshop.

Facilitated WorkshopsAfter the information is completed and collected,a cross-functional management team from theunit or from several units might participate in afacilitated workshop to discuss it. Again, usingvoting software, the various risks can be rankedto arrive at a consensus of the top five to 10, forexample. As noted previously, using interactivevoting software allows the individuals to identifyand rank the risks anonymously without fear of

reprisal should their superior be a member of thegroup.

SWOT AnalysisSWOT (strengths-weaknesses-opportunities-threats) analysis is a technique often used in theformulation of strategy. The strengths and weak-nesses are internal to the company and includethe company’s culture, structure, and financialand human resources. The major strengths ofthe company combine to form the core compe-tencies that provide the basis for the company toachieve a competitive advantage. The opportuni-ties and threats consist of variables outside thecompany and typically are not under the controlof senior management in the short run, such asthe broad spectrum of political, societal, environ-mental, and industry risks.

7


EXHIBIT 3D. RISK MANAGEMENT CAPABILITY

*The categories are taken from COSO, Enterprise Risk Management—Integrated Framework: Executive Summary,

AICPA, New York, 2004.

Use the following categories* to assess the overall risk management capability within your area of responsi-bility to seize opportunities and manage risks using the scale at the bottom of the page.

Internal Environment VL L M H VHObjective Setting VL L M H VHEvent Identification VL L M H VHRisk Assessment VL L M H VHRisk Response VL L M H VHControl Activities VL L M H VHInformation/Communication VL L M H VHMonitoring VL L M H VH

What is your level of concern with respect to the overall risk management capability of your area ofresponsibility to seize opportunities and manage risks? Please circle the most appropriate response:

VL= Very Low L=Low M=Medium H=High VH=Very High

For SWOT analysis to be effective in risk identifi-cation, the appropriate time and effort must bespent on thinking seriously about the organiza-tion’s weaknesses and threats. The tendency isto devote more time to strengths and opportuni-ties and give the discussion of weaknesses andthreats short shrift. Taking the latter discussionfurther and developing a risk map based on con-sensus will ensure that this side of the discus-sion gets a robust analysis. In a possible acqui-sition or merger consideration, a company famil-iar to the authors uses a SWOT analysis thatincludes explicit identification of risks. The writ-ten business case presented to the board for theproposed acquisition includes a discussion ofthe top risks together with a risk map.

Risk Questionnaires and Risk SurveysA risk questionnaire that includes a series ofquestions on both internal and external eventscan also be used effectively to identify risks. Forthe external area, questions might be directed atpolitical and social risk, regulatory risk, industryrisk, economic risk, environmental risk, competi-tion risk, and so forth. Questions on the internalperspective might address risk relating to cus-tomers, creditors/investors, suppliers, opera-tions, products, production processes, facilities,information systems, and so on. Questionnairesare valuable because they can help a companythink through its own risks by providing a list ofquestions around certain risks. The disadvan-tage of questionnaires is that they usually arenot linked to strategy.

Rather than a lengthy questionnaire, a risk sur-vey can be used. In one company, surveys weresent to both lower- and senior-level manage-ment. The survey for lower management askedrespondents to “List the five most importantrisks to achieving your unit’s goals/objectives.”The survey to senior management asked partici-

pants to “List the five most important risks toachieving the company’s strategic objectives.”The survey instruments included a column forrespondents to rank the effectiveness of man-agement for each of the five risks listed, using arange of one (ineffective) to 10 (highly effective).Whether using a questionnaire or survey, theconsolidated information can be used in conjunc-tion with a facilitated workshop. In that session,the risks are discussed and defined further.Then interactive voting software is used to nar-row that risk list to the vital few.

Scenario AnalysisScenario analysis is a particularly useful tech-nique in identifying strategic risks where the sit-uation is less defined and “what-if” questionsshould be explored. Essentially, this technique isone way to uncover risks where the event is highimpact/low probability.7 In this process,

“Managers invent and then consider, indepth, several varied stories of equallyplausible futures. The stories are careful-ly researched, full of relevant detail, ori-ented toward real-life decisions, anddesigned (one hopes) to bring forwardsurprises and unexpected leaps ofunderstanding.”8

Using this technique, a cross-functional teamcould consider the long-term effects resultingfrom a loss of reputation or customers or fromthe lack of capability to meet demand. Anotherrelevant question to ask is, “What paradigmshifts in the industry could occur, and how wouldthey impact the business?”

8


7 Deloitte & Touche LLP, The Risk Intelligent Enterprise: ERMDone Right, Deloitte Development LLC, 2006, p. 4.8 Peter Schwartz, The Art of the Long View, CurrencyDoubleday, New York, 1991, p. xiii.

The risk management group of one companyuses scenario analysis to identify some of itsmajor business risks.9 One risk for this companyis an earthquake. Its campus of more than 50buildings is located in the area of a geologicalfault. From a holistic perspective, the loss froman earthquake is not so much the loss of thebuildings but the business interruption in theproduct development cycle and the inability toserve customers. The company’s risk manage-ment group analyzed this disaster scenario withits outside advisors and attempted to quantifythe real cost of such a disaster, taking intoaccount how risks are correlated. In the process,the group identified many risks in addition toproperty damage, including: l “Director and officer liability if some people

think management was not properly prepared,l Key personnel risk,l Capital market risk because of the firm’s

inability to trade,l Worker compensation or employee benefit

risk,l Supplier risks for those in the area of the

earthquake,l Risk related to loss of market share because

the business is interrupted,l Research and development risks because

those activities are interrupted and productdelays occur, and

l Product support risks because the companycannot respond to customer inquiries.”10

This example reveals the value of using scenarioanalysis: A number of risks are potentially pres-ent within a single event, and the total impactcould be very large. Another scenario that this

company’s risk management group analyzed wasa stock market downturn (or bear market). Thegroup also defined five or six other scenarios.Under each one, it identified as many materialrisks as could be related to the scenario anddeveloped white papers on each one for execu-tive management and the board.11

Using TechnologyThe risk identification process can also utilizethe company’s existing technology infrastructure.For example, most organizations utilize anintranet in their management processes. Thegroup responsible for a company’s ERM processcan encourage units to place their best risk prac-tices on the ERM site. Risk checklists, anec-dotes, and best practices on the intranet serveas stimulation and motivation for operating man-agement to think seriously about risks in theirunit. Also, tools that have been found particular-ly useful to various units can be catalogued. Asnew projects are launched, business managersare encouraged to consult the risk managementgroup’s intranet site.

Another use of technology is to recognize thecompany’s potential risk that resides with theInternet. For example, a company’s products, ser-vices, and overall reputation are vulnerable toInternet-based new media like blogs, messageboards, e-mailing lists, chat rooms, and independ-ent news websites. Some companies devoteinformation technology resources to scan theblogosphere continuously for risks related to thecompany’s products, services, and reputation.

Other TechniquesOther possible approaches for identifying risksinclude value chain analysis, system design review, process analysis, and benchmarking with

9


9 Thomas L. Barton, William G. Shenkir, and Paul L.Walker, Making Enterprise Risk Management Pay Off,Financial Executives Research Foundation, Upper SaddleRiver, N.J., 2001, pp. 132-135.

10 Ibid., p. 133. 11 Ibid., p. 133.

other similar as well as dissimilar organizations.Also, external consultants can add value in therisk identification process by bringing in knowl-edge from other companies and industries and bychallenging the company’s list of identified risks.

V. ANALYSIS OF R ISK BY DRIVERSAfter a risk is identified, the temptation to quan-tify it before further analysis is completed shouldbe avoided. Additional understanding of therisk’s potential causes is required by the ERMteam and management before its impact can bequantified. Working with the various units of theorganization that own parts of the risk, the ERMteam should drill into the risk to uncover what isbeneath the surface and to get a better under-standing of the potential risk drivers. An influ-ence diagram or root cause analysis can be

developed using scenario analysis. This can bedone by using supporting documentation andinterviewing those who own parts of the risk.Exhibit 4 presents an influence diagram for astrategic risk provided by a senior manager ofERM at a major company. In this exhibit, a chainof likely events within a given scenario is spelledout where a strategic risk—revenue target notmet—has been identified.

Studying Exhibit 4, the inquiry to determine thelikely drivers in a scenario for the risk of not meet-ing the revenue target could be the following:l Failure to sell a new product; l The new machinery and equipment purchased

for making the new product was not selectedproperly because of a process breakdown inthe acquisition. This led to manufacturing fail-ures attributed to product design problems,

10


Revenue targetnot met

Capital expense

Failure tosell newproduct

Supplychainfailure

Loss of topcustomer(s)

High defectrate Catastrophic

eventDecrease in

inventory

Error in productplanning or

design

Mfg.selectionmistake

Misalignment ofBUs

Processbreakdown

Failure to haveBCP plan

Breakdown ingoal process

= a key risk driver

Mfg. failure

Develop Influence Diagram andQuantify the Risk Drivers:

Define root causes and main driversof the risks. Define the chain ofevents in likely scenario. Driversshould be small enough in scopethat they can be quantified.

EXHIBIT 4. INFLUENCE DIAGRAM

which led to a high rate of product defect;l Failure in the supply chain impacted the ability

to meet the revenue target. A catastrophicevent occurred at a major supplier, and thebusiness continuity plan recognized this eventtoo late to find alternative suppliers;

l Together, the above events would result in los-ing some top customers because high-qualityproducts could not be delivered when required;furthermore, in digging deeper, some misalign-ment of specific goals might exist in the silosinvolved. For example, manufacturing mighthave a goal of cutting cost; customer servicenaturally will want low defects in the products;the pricing function will be seeking high mar-gins for the products; and the sales force ismotivated to generate revenue.

With an in-depth understanding of how thestrategic risk could occur, more information isnow available to assist in quantifying the risk.This information can be framed as noted inExhibit 5 in order to begin estimating the impact.

The point of this analysis is to understand thelevel at which quantification can best occur. Ifthe risk is quantified at too high a level, it couldbe too broad or not actionable. Using a buildingblock approach around risk drivers facilitates thequantification process. At the end of theprocess, however, quantification is still an esti-mate and should be viewed as merely providingan “order of magnitude” of the impact.

V I . R ISK ASSESSMENT TOOLSRisks must be identified correctly before anorganization can take the next step. Assessingthe wrong list of risks or an incomplete list ofrisks is futile. Organizations should make everypossible effort to ensure they have identifiedtheir risks correctly using some or all of theapproaches discussed. The act of identifyingrisks is itself a step on the risk assessmentroad. Any risks identified, almost by default, havesome probability of influencing the organization.

11


Do NOTtry to quantify atthese levels

Main goals andObjectives(revenue missed)

Risk #1to achievinggoals andobjectives(failure to sell)

Risk #2to achievinggoals and objectives

Risk #3to achievinggoals and objectives

Quantify risks atthis level or below

Driver ofRisk #1

Driver ofRisk #1

Driver ofRisk #2

Driver ofRisk #2

Driver ofRisk #3

Driver ofRisk #3

EXHIBIT 5. QUANTIFYING RISK: DETERMINE THE DRIVERS

CategoriesOnce risks are identified, some organizationsfind it helpful to categorize them. This may be anecessity if the risk identification process pro-duces hundreds of risks, which can be over-whelming and seem unmanageable. Risk cate-gories include hazard, operational, financial, andstrategic. Other categories are controllable ornoncontrollable and external or internal.Categorizing risk requires an internal risk lan-guage or vocabulary that is common or unique tothe organization in total, not just to a particularsubunit or silo. Studies have shown that aninconsistent language defining risks across anorganization is an impediment to an effectiveERM strategy. Risk terms would certainly varybetween a pharmaceutical company and a tech-

nology company or between a nonprofit and anenergy company. Several risks could be groupedaround a broader risk, such as reputation risk.Other methods for categorizing risk can be finan-cial or nonfinancial and insurable or noninsur-able. Some companies also categorize risks asquantifiable or nonquantifiable.

Qualitative vs. QuantitativeAs Exhibit 6 shows, risk assessment techniquescan vary from qualitative to quantitative. Thequalitative techniques can be a simple list of allrisks, risk rankings, or risk maps. A list of risksis a good starting point. Even though no quanti-tative analysis or formal assessment has beenapplied to the initial list of risks, the list andaccompanying knowledge is valuable. Some

12


QualitativeRisk identificationRisk rankingsRisk mapsRisk maps with impact and likelihoodRisks mapped to objectives or divisionsIdentification of risk correlations

Qualitative/QuantitativeValidation of risk impactValidation or risk likelihoodValidation of correlationsRisk-corrected revenuesGain/loss curvesTornado chartsScenario analysisBenchmarkingNet present valueTraditional measures

QuantitativeProbablistic techniques cash flow at risk earnings at risk earnings distributions eps distributions

Level of difficulty and amount of data required

EXHIBIT 6. QUALITATIVE AND QUANTITATIVE APPROACHES TO RISK ASSESSMENT

risks on the list may not be quantifiable. Forthese risks, identifying them and adding them toa priority list may be the only quantification pos-sible. Organizations should not be concernedthat they cannot apply sophisticated modeling toevery risk.

Risk RankingsOnce an organization has created its list of risks,it can begin to rank them. Ranking requires theERM team to prioritize the risks on a scale ofimportance, such as low, moderate, and high.Although this seems unsophisticated, the resultscan be dramatic. Organizations find considerablevalue in having conversations about the impor-tance of a risk. The conversations usually lead toquestions about why one group believes the riskis important and why others disagree. Again, thisprocess should use a cross-functional risk teamso that perspectives from across the entireorganization are factored into the rankings. Thisis a critical task requiring open debate, candiddiscussion, and data (e.g., tracking, recording,

and analysis of historical error rates on a busi-ness process) where possible.

Impact and ProbabilityThe importance of an event includes not just itsimpact but also its likelihood of occurring.Therefore, many ERM organizations generate riskmaps using impact and probability. In ERM imple-mentation, companies not only generate riskmaps to capture impact and likelihood but alsoto demonstrate how risks look when put togeth-er in one place. The value of the map is that itreflects the collective wisdom of the partiesinvolved. Furthermore, risk maps capture consid-erable risk information in one place that is easi-ly reviewed. A basic risk map, such as in Exhibit7, captures both impact and likelihood.

When assessing likelihood or probability, theERM team can use a variety of scales:l Low, medium, or high;l Improbable, possible, probably, or near certain-

ty; andl Slight, not likely, likely, highly likely, expected.The same is true for assessing impact:

13


High ImpactLow Likelihood

High ImpactHigh Likelihood

Low ImpactLow Likelihood

Low ImpactHigh Likelihood

High

Low HighLikelihood of Occurrence

Impact

EXHIBIT 7. RISK MAP

l Low, medium, or high impact;l Minor, moderate, critical, or survival; andl Dollar levels, such as $1 million, $5 million,

etc.

When qualitatively assessing these risks, it isalso possible to estimate ranges. For example, acompany might determine that there is a lowprobability of a customer-related risk having animpact of $100 million, a moderate probability(or best guess) of a $50 million impact, and a

high probability of a $10 million impact. Forexample, when Apple announced its entranceinto the cell phone market, other cell phone mak-ers likely began making calculations to gaugethe risk of the new entrant into their market.

Risk maps can help an organization determinehow to respond to a risk. As organizations seethe greater risks, they can plan a response. Forexample, one risk map approach used by a com-pany is shown in Exhibit 8. For risks that are in

14


Criti

calit

yof

Ach

ieve

men

t

Pro

cess

/Bus

ines

sLe

velI

mpa

ctSeg

men

t/In

ters

egm

ent

Leve

lIm

pact

Leve

lIm

pact

6 Yellow (Level III)

Close monitoringfor increasedimpact and/or

variability

8 Red (Level IV)• Segment Commitment• Reported to Segment Leadership• Close monitoring of risk action plan

9 Red (Level V)• Commitment• Reported to Audit Committee• Reported to Segment Leadership• Close monitoring of risk action plan

3 Green (Level II)

High-levelmonitoring for

increased impactand/or variablity

5 Yellow (Level III)


variability

7 Red (Level IV)

• Segment Commitment• Reported to Segment Leadership• Close monitoring of risk action plan

1 Green (Level I) 2 Green (Level II) 4 Yellow (Level III)






variability

Low(Consistently

within tolerable variance in key

metric improvement or target)

Moderate High(Sometimes

within tolerablevariance in key

metric improvementor target)

(Mostly outside oftolerable

variance in keymetric improvement

or target)

Actual/Potential Performance Variability Around Targets

Achievement of Objective/Execution of Process/Implementation of Change/Management of Risk

EXHIBIT 8. RISK MAP MODEL

the lower levels of impact and probability—thegreen zone on the map—a company shouldrespond with high-level monitoring. For risks withhigher levels of impact and probability—the redzone on the map—a company should take astronger response and a higher level of commit-ment to managing them.

Keys to Risk MapsSeveral keys need to be considered when gener-ating risk maps: confidentiality, definitions, time-frame, direction, and correlations. Organizationsmay want to consider doing impact and probabil-ity in a confidential manner. As noted previously,software tools are available to facilitate confiden-tial sharing. On the other hand, some companiesfind that openly sharing assessments within thegroup is acceptable. Even with confidentiality,good risk facilitators can bring out the risksource and root problems.

Definitions used during the risk map generationare critical. What is “important” to one work unitor individual may not seem “important” to anoth-er. If organizations measure impact in dollars,the dollars must be without ambiguity. Does therisk influence dollars on one product, dollars fora certain division, or earnings per share?Similarly, “improbable” might be interpreted bysome to be 1% while others could think it means15%. These definitions and terms should beclearly established before the risk map sessionsare conducted.

Closely related to definitions are timeframes,which need to be established up front so thatany understanding of the risk and its impact isclear as to when it will affect the organization. Anassessment of risk at one point in time has thesame failings as strategic plans and objectives,which do not take a longer-term perspective onmarket trends, customer needs, competitors,

etc. What seems important today or this weekmay not seem important in five years. Similarly,although some longer-range risks may not seemimportant today, these risks could threaten theorganization’s survival if left unmanaged.

Some organizations find it valuable to capturethe direction of the risk. This can be labeled onthe risk map or communicated separately.Direction of risk can be captured using termssuch as “increasing,” “stable,” or “decreasing.”Related to the risk direction is the risk trend.Knowing the direction and trend of a risk as wellas its dollar impact and likelihood can be crucialto managing that risk. For example, risk trendscan reveal that the risk was decreasing over thelast several years but has increased recently.

One weakness in risk maps (and in silo risk man-agement) is that maps do not capture any risk cor-relations. Ignoring risk correlations can lead to inef-fective and inefficient risk management. Risk cor-relations can be considered for financial risks ornonfinancial risks. Clearly, how some companiesmanage one foreign currency exposure should beconsidered with how they manage another foreigncurrency exposure. Managing these in silos (with-out an enterprise-wide approach) can be inefficientbecause dollar exposures to only the yen or euroignore that the yen and euro are correlated.Similarly, silo risk management would ignore thefact that the movement of interest rates couldinfluence an organization’s pension obligationsand debt obligations differently. As another exam-ple, how an organization manages commodityexposure today should be factored in with how itplans to change its long-term strategy to managethat same exposure. Short-term solutions of for-eign currency risk management are different fromlong-term solutions of building plants in other coun-tries. As is evident, correlations among risks andan enterprise-wide approach are critical.

15


Link to Objectives at Risk or Divisions atRiskIdentifying risks by objective gives an organiza-tion the option to map risks by objectives. Fornonprofit organizations, this may be more impor-tant because earnings per share is not thebiggest concern. A risk map by objective cap-tures all the risks related to a single objective,helping the organization understand the broadspectrum of risks facing that objective. For exam-ple, the objective of maintaining the corporatereputation at a certain level could have manyrisks to be mapped. Using such a map, theorganization can see the biggest risks to reputa-tion. Similarly, risks can also be identified by divi-

sion, which may be more informative for divisionmanagers. Organizations can generate riskmaps for each division and for the organizationoverall.

Residual RiskAfter organizations assess risks, they shouldalso consider any related controls so that theresidual risk is known. A residual risk is theremaining risk after mitigation efforts and con-trols are in place to address the initially identi-fied inherent risks that threaten the achievementof objectives. Risk maps can show overall risks,or they can be shown with just residual risks.Understanding residual risk can provide major

16


Probabilitythat AnnualLoss willExceed AmountShown

$0.00 $6.18

Annual Loss Amount

1.10

1.00

0.90

0.80

0.70

0.60

0.50

0.40

0.30

0.20

1.10

0.00

90%-$0.30

80%-$0.48

70%-$0.68

60%-$1.13

50%-$1.15

40%-$1.50

30%-$1.98

20%-$2.7310%-$4.28

Note: All loss amounts are in millions of dollars.

EXHIBIT 9. GAIN/LOSS PROBABILITY CURVE

benefits because companies do not want to over-or under-manage a risk that may be deemed bymanagement and stakeholders to be “tolerable”or acceptable relative to stated business objec-tives. This is a major reason why some compa-nies adopt ERM and try to understand, evenqualitatively, the return on investment (ROI) of anERM program. In the process of identifying risksand controls, the management team/processowners clearly play a leadership role, but there isa system of “checks and balances” in the con-trol environment. For example, the control envi-ronment for internal controls over financialreporting includes the audit committee as wellas internal and external auditors.

Validating the Impact and ProbabilityOrganizations can validate the qualitativeassessments of initial impact and probability byexamining historical data to determine the fre-quency of events or the impact such events havehad in the past. Events that have happened toother organizations can be used to understandhow a similar event might impact your own orga-nization. Gathering such data can be time con-suming, but it has certain advantages. Knowingthe real frequency or likelihood of a major drop insales, for example, can provide an organizationwith the information necessary to make informedcost-benefit decisions about potential solutions.

17


Risk 1

Risk 2

Risk 3

Risk 4

Risk 5

Risk 6

Risk 7

Risk 8

Risk 9

(Cents per share)-0.90

-0.70 -0.50 -0.30 -0.10 0.100.00

0.30 0.50 0.70 0.901.00

EXHIBIT 10. TORNADO CHART: EARNINGS VARIABILITY BY SAMPLE RISKS

Gain/Loss CurvesGain/loss curves are useful tools because theyhelp an organization see how a risk can influ-ence its financial statements and result in a gainor a loss. Furthermore, gain/loss curves alsoreveal the distribution of potential gains andlosses. Gain/loss curves do not show correla-tions between risks, however, and they do notshow all the risks in one place. A gain/loss curveis presented in Exhibit 9. The curve shows howmuch money the company loses or gains from aspecific risk. The horizontal axis represents dol-lars, and the vertical axis represents probability.The sample curve in Exhibit 9 shows that theorganization loses $1.15 million dollars on aver-age (at 50% probability in this illustration) as aresult of this risk. Moving along the probabilityscale shows that, 90% of the time, this organiza-tion loses $300,000 because of this risk. Theorganization believes it loses $4.28 millionabout 10% of the time. Knowing how big of animpact a risk causes over a distribution of prob-abilities provides management with the informa-

tion necessary to decide how much money tospend managing the risk. Gain/loss curves canalso reveal that some risks occasionally gener-ate gains instead of losses. Developinggain/loss curves can require substantial datacollection, and a company has to balance thedata collection efforts with the benefitsobtained.

Tornado ChartsSimilar to gain/loss curves, tornado chartsattempt to capture how much of an impact a riskhas on a particular metric such as revenue, netincome, or earnings per share. Exhibit 10 showsan example of a tornado chart. Tornado chartsdo not show correlations or distributions, butthey are valuable because executives can see, inone place, the biggest risks in terms of a singleperformance metric.

Risk-Adjusted RevenuesRisk-adjusted (or risk-corrected) revenues allowmanagement to see how revenues could look if

18


ActualRevenues

Risk-CorrectedRevenues

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004

EXHIBIT 11. ACTUAL REVENUE VS. RISK-CORRECTED REVENUE

risks were managed better. As Exhibit 11 shows,risk-corrected revenues are smoother and morecontrollable. On a broader scale, Exhibit 12shows one company’s view of how better riskmanagement affects the distributions of earn-ings. A tighter distribution of earnings couldpotentially lead to improved performance of itsstock price. The two types of analysis shown inExhibits 11 and 12 are why some companieswant to implement ERM. While stakeholders(e.g., investors) appreciate growth in earnings,they also appreciate some level of stability and predictability and are often willing to pay a premi-um for these attributes.

A Common Sense Approach to RiskAssessmentWhile some of these risk metrics and tools mayseem difficult, a simple approach can yieldequally good results. One approach is to meas-ure where the company stands today on a riskissue. After implementing risk mitigation tech-

niques, the company can reassess the riskissue. Of course, not all of the improvementrelated to a risk can be traced to the risk mitiga-tion techniques, but improvement is still valu-able. One major retailer uses this approach togauge the value added from their ERM efforts inaddition to other value-added metrics. This retail-er identified inventory in-stock rates as a risk.Measuring in-stock rates over time gave the com-pany a good feel for the historical levels of in-stock rates. Next, after implementing risk mitiga-tion efforts, current inventory in-stock rates werecaptured. Improvements in in-stock rates aretraced to improvements in sales and, ultimately,to value added from the ERM process.

Probabilistic ModelsSome organizations use quantitative approachesin ERM that are built on traditional statistical andprobabilistic models and techniques. The disad-vantage to these approaches is that they requiremore time, data, and analysis and are built on

19


Earnings

InherentDistribution

Distribution after Risk Management

EXHIBIT 12. GOALS OF RISK MANAGEMENT

assumptions. Furthermore, using the past to pre-dict the future has limitations even before other“explanatory” variables are included in the sta-tistical prediction process. But some organiza-tions still find these models very useful as a toolin their solutions toolkit when approaching risk.

One technique focuses on earnings at risk,which are determined by examining how earningsvary around expected earnings. In this approach,variables are examined to see how they influ-ence earnings, such as determining the influ-ence that a one-point movement in interest rateswould have on earnings. Similarly, expected orbudgeted cash flows can be determined andthen tested for sensitivity to certain risks, yield-ing a cash-flow-at-risk number. As Exhibit 13shows, some companies trace the earnings-at-risk to individual risk sources. Knowing the actu-al root cause or source of the risk helps to man-

age it more efficiently. Companies can also tracethe earnings-at-risk to business units to helpgauge the hedge effectiveness of each businessunit (see Exhibit 14). Knowing which businessunits have the greatest risk is valuable informa-tion. With this knowledge, a company could com-pare a business unit’s earnings level to the earnings-at-risk. Those units that generate lowearnings and high levels of risk may not be desir-able business units. Having earnings-at-risk inthe aggregate allows an organization to seewhich months have the greatest risk (see Exhibit15). Also, distributions can be created that esti-mate the probability of meeting earnings targets(see Exhibit 16).

Seemingly Nonquantifiable RisksSome risks seem to defy acceptable quantifica-tion, but a deeper look can reveal valuable infor-mation. Reputation is a risk that has become

20


Total EaR by Risk Category(100% = $35 million)

CommodityPrices

ForeignExchange

51%

InterestRatesCommodity Contribution to

EaR by Major Commodity(100% = $16 million)

32%

17%

35%

30%

25%

20%

15%

10%

5%

0% Chemicals PreciousMetals

NaturalGas

Agriculture Other Commodities

Foreign Exchange Contribution toEaR for Major Currency(100% = $26 million)

35%

30%

25%

20%

15%

10%

5%

0%Euro Yen Canadian $

Other CurrenciesMexican

Peso

EXHIBIT 13. EARNINGS AT RISK BY RISK FACTOR

21


$40

$30

$20

$10

$0

-$10

-$20

-$30

-$40

Earnings at RiskContribution(millions of dollars)

Business Unit 1 Business Unit 2 Business Unit 3 Business Unit 4 TOTAL Diversification Benefit

“Natural” Earnings at Risk

With Hedging Earnings at Risk

EXHIBIT 14. EARNINGS AT RISK HEDGE EFFECTIVENESS COMPARISONS

$70

$60

$50

$40

$30

$20

$10

$0

$ Millions

Janu

ary

Febr

uary

Mar

ch

Apr

il

May

June July

Aug

ust

Sep

tem

ber

Oct

ober

Nov

embe

r

Dec

embe

r

Summary By Month Distribution or AnnualizedEarnings Outcomes

25%

20%

15%

10%

5%

0%$545Equals the earningscorresponding to the95% CI

$670Equals the expectedor budgeted earnings

Earnings($ millions)

Expected Earnings Earnings at Risk

$125EaR equals

the difference

EXHIBIT 15. EXPECTED EARNINGS AND EAR

increasingly important in today’s business envi-ronment, and it must be managed. At firstglance, some executives would say you cannotquantify it, but it can be in some ways. In acade-mia, for example, a university’s reputation is aprodigious risk. Tracking a drop in contributionsafter a scandal can provide preliminary data thatcould lead to the ability to quantify reputationrisk. Ranges of decreases in contributions couldalso be developed, with the maximum risk beinga major decrease in donations. Gathering datafrom universities or other nonprofit organizationsthat have experienced a drop in contributionscan provide valuable external data that couldassist in quantifying this risk. For public compa-nies, the impact of reputation risk could beexamined by studying decreases in stock pricessurrounding an event that damaged an organiza-tion’s reputation. It is important to note thatwhile this might capture and provide a quantifi-

able risk, it still partially ignores the damage thatreputation events have on supplier or vendorrelations. It also ignores how future customersmight be influenced by the reputation event.Although these related risks might not be quan-tifiable, they highlight the importance of havingan ERM team study and analyze risks very close-ly so that conversations about the risks arefocused on managing the risk and not just onidentification and measurement.

Another example of a risk that appears nonquan-tifiable is a breach in IT security. Examining themovement in stock price around the event, how-ever, can help a company gather a preliminaryestimate of how shareholders view the event.Additionally, talking to other companies that haveexperienced IT security breaches can help thecompany understand the potential impact.Finally, understanding the organization’s unique

22


$0

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

CumulativeProbability

E

$545Level of earnings

corresponding with EaR

$640 $670Expected

or budgeted earnings

Earnings($ millions)

Probabilityof a SpecificOutcome

25%

20%

15%

10%

5%

0%

Interpretation: There is a 30% chancethat due to all risks earnings willfall below $640 million for the year.

EXHIBIT 16. PROBABILITY ASSESSMENT OF EARNINGS OUTCOMES

method of creating value for its customers canalso offer critical insights regarding the impact ofthe breach. Companies that have customers whovalue trust and confidentiality, such as financialinstitutions, should estimate a greater impactfrom a potential IT security breach.

A major electronic retailer may determine that akey risk to sales is a change in gas prices. Theretailer relies on consumers having discretionaryincome, and higher gas prices lower discre-tionary income and decrease the retailer’s sales.The effect of gas prices on sales can be calculat-ed and potentially planned for in advance.Another example is the risk of weather related toa snow machine company’s sales. Guaranteeinga rebate to customers if the amount of snowfallis below a certain level can increase sales inyears with low snow fall.12 These examplesshow that while not all risks can be quantifiedwith a sophisticated technique, valuable riskassessment and management can still beapplied.

V I I . PRACTICAL IMPLEMENTATIONCONSIDERATIONSThe implementation of ERM depends on a num-ber of organizational variables and no specificrecipe is available to assure successful imple-mentation in any organization. In this section,however, a number of practical considerationsare discussed that may provide helpful insightsin the implementation process. These include:ERM infrastructure, ERM maturity models, stag-ing ERM adoption for early wins, the role of themanagement accountant, ERM education andtraining, technology, aligning corporate culture,building a case for ERM, and the ROI of ERM.

ERM InfrastructureImplementing ERM can take many shapes. Someorganizations have only one person in charge ofrisk, while others employ a large team. Bothapproaches have advantages. With a large team,more resources and people are focused on theeffort. Having a small ERM staff, however,encourages the organizational units, manage-ment, and employees to become highly involvedand share responsibility for ERM. A common approach is to have a moderate number of peo-ple on the ERM team to facilitate risk work-shops, help executives and business unitsunderstand their risks, gather data across theorganization, and assist in reporting risksupwards to senior executives and the board.Broad representation, objectivity, and a look to“the big picture” are keys. Although manyapproaches to ERM are found in practice, com-mon elements include:l CEO commitment (tone and messaging from

the top),l Risk policies and/or mission statements,

including adapting any company risk or auditcommittee charter to incorporate ERM,

l Reporting to business units, executives, andthe board,

l Adoption or development of a risk framework,l Adoption or development of a common risk

language,l Techniques for identifying risk,l Tools for assessing risks,l Tools for reporting and monitoring risk,l Incorporating risk into appropriate employees’

job descriptions and responsibilities,l Incorporating risk into the budgeting function,

andl Integrating risk identification and assessment

into the strategy of the organization.

23


12 Stephen W. Bodine, Anthony Pugliese, and Paul L.Walker, “A Road Map to Risk Management.” Journal ofAccountancy, December 2001, pp. 65-70.

ERM Maturity ModelsOnce an organization has implemented ERM, anappropriate question arises about the progressbeing made in ERM. As a result, a number of ERMmaturity models have been developed. One orga-nization categorizes ERM development into threephases: (1) building a foundation, (2) segment-level ERM, and (3) enterprise-level ERM. Eachphase is broken down into three stages, shown inExhibit 17. Phase 1 involves building executivesupport, building the core model, aligning expecta-tions, and developing segment-level risk manage-ment commitments. Phase 2 covers executing aconsistent risk framework, engagement in specif-ic areas and by segment-level personnel, anddemonstrating the tangible value of a disciplinedprocess. Phase 3 includes connecting segmentrisks, enhancing coordination and integration, anddeepening risk management focus. Whiledescribed for a multi-billion dollar entity, thisapproach is scalable to organizations of any size.

Maturity models do more than inform a companyof its progress in ERM. They can influence a com-pany’s rating from rating agencies, too. Standard& Poor’s now applies an ERM maturity model tocertain companies and industries, such as theinsurance and banking industries as well assome energy companies. Consequently, ERMimplementation could eventually impact a compa-ny’s cost of capital and capital adequacy. Forexample, Standard & Poor’s evaluates an insur-er’s ERM practices by considering the risk man-agement culture, risk controls, emerging riskmanagement, risk and capital models, and strate-gic risk management. These lead to an ERMscore of weak, adequate, strong, or excellent.

Staging ERM Adoption for Early WinsERM implementation is a change managementproject in which an organization moves to risk-informed decision making. The goal is to improvethe confidence of decision makers through a

24


Phase I:Building a Foundation for

Business Risk Management

Phase II:Segment-Level


Phase III:Enterprise-Level


Phase Objectives• Build executive-level support• Strengthen core team and operating model• Align expectations through a risk management commitment process• Develop segment-level risk management commitments

• Execution of a consistent risk management approach across all segments• Engagement in specific areas to help the business remediate significant risk issues and fulfill their segment risk management commitment• Segment-level personnel at appropriate levels engaged in the risk management process• Demonstrating the tangible value of a

disciplined risk management process within each segment

• Evolve to an Enterprise Risk Commitment and accountability model by “connecting” the Segment Risk Commitments to consider cross- segment risk issues and interdependencies• Enhance coordination and integration among Segment Business Risk Services (BRS) teams to help the enterprise remediate significant risk issues and fulfill the Enterprise Risk Commitment• Deepen risk management focus on potential risk issues applicable to all business segments• Enhance coordination with other components of the Enterprise Risk Management Operating Model that focus on specific areas of risk exposure

Stage Objectives:

Stage 1:

Awareness

Build RiskManagement

Vision, Strategy &Awareness

Stage 2:

Capability

Build Initial RiskManagementFoundation of

Structure,Resources and

Operating Model

Stage 3:

Alignment

AlignExpectations

through a RiskManagementCommitment

Stage 4:

Engagement

Stage 5:

Value

Stage 6:

Operationalize

Engagement inSpecific Risk

Issues to HelpFulfill the RiskManagementCommitment

DemonstratingTangible Value

from aDisciplined Risk

ManagementProcess

Segment-LevelPersonnel at All

Levels Fully-Engaged in andOperationalizing

the RiskManagement

Process

Stage 7:

Collaborate

Stage 8:

Coordinate

Stage 9:

Integrate

Enhance BRMCollaborationAcross Other

Segment Teamsto Consider

Cross-SegmentRisk Issues and

Interdependences

Enhance BRMCollaborationAcross Other

Segment Teamsto Consider

Cross-SegmentRisk Issues and

Interdependences

Enhance BRMCoordination with

Other Areas

BRM is Fully-Integrated with

BusinessPlanning,

PerformanceManagement,

Quality and OtherKey Management

Processes

EXHIBIT 17. ERM MATURITY MODEL

more explicit understanding of the risks facingthe unit. ERM is a journey that takes continuouscommitment from C-level executives and whereimplementation cannot be achieved overnight—it should proceed in incremental steps. At thesame time, an organization embarking on ERMimplementation needs to recognize that badthings can happen to a good project if results arenot forthcoming. Consequently, striving for earlywins in the ERM implementation project is impor-tant. For example, a major company (after devel-oping its approach to ERM) chose to implementERM in a strategic business unit that wasmature and tightly controlled. In this instance,the company preferred not to roll out ERM in aunit that it knew in advance had many problems.The roll out was successful, and the unit wasused as a model to help build momentum forERM implementation in other units.

In another company, the decision was to initiallyimplement ERM with the senior level executives.This group went through the process of identify-ing and assessing risks at the enterprise leveland developing mitigation strategies. Once mem-bers of this group were sold on the benefits ofERM, they became ERM champions and support-ed its roll out to the various operating units. SeeExhibit 17 for an example of staging an implementation.

The Role of the Management AccountantAs noted in the first SMA on ERM, the manage-ment accountant and finance professional canplay a major role in ERM implementation bychampioning the process, providing expertise onthe process, serving on cross-functional ERMteams, and providing thought leadership. Otherkey roles include assisting with the quantifica-tion of risks, analyzing the risk correlations,developing the range and distribution of a risk’simpact, determining the reasonableness of likeli-

hood estimates, benchmarking impact and likeli-hood against historical events and other organi-zations, setting and understanding risk toler-ances and appetites, assessing and quantifyingvarious alternative risk mitigation strategies, andquantifying the benefits of ERM.

ERM Education and TrainingSome control frameworks outside the UnitedStates mention the possibility of mandating ERMtraining. Although formal training on financialrisks is more common, ERM education and train-ing is being developed. Training needs caninclude:l Understanding the nature of risk—this is not

as easy as it first appears if a true enterprise-wide approach is implemented,

l Understanding the legal and regulatory require-ments related to risk management,

l Knowledge of ERM frameworks,l Facilitation skills,l Expertise in identifying risks,l Knowledge for building risk maps,l Reporting structures and options (what to

report to the CEO, board, and audit committee),

l Software training,l Financial risk training (options, hedging strate-

gies, insurance options, derivatives, etc.),l Refocused strategy training and how risk inter-

acts with strategy,l Building and understanding control solutions,l Developing and monitoring performance met-

rics related to risks, and l Change management.

TechnologySome technology tools are available to assist inthe facilitation/identification phase. Additionally,software is available to assist an organizationwith the entire ERM process. Gartner Inc. recent-ly reviewed ERM software vendors on two

25


aspects: completeness of vision and ability toexecute.13 Some organizations choose to eitherdevelop their own ERM processes tailored totheir needs or hire consultants to help with theprocess. Technology products not only help withthe process, but they also assist with data gathering, modeling, or reporting. One risk soft-ware tool, for example, helps with capital opti-mization and data management. Other technolo-gy products are designed to help with issuessuch as time-series modeling, correlations, andother advanced modeling techniques. Finally, cer-tain industries have software tailored for compa-nies in that industry, such as the online maturitymodel available for insurance companies.14

Aligning Corporate CultureMany organizations will notice a change in thecompany culture as ERM implementation pro-gresses. One noticeable difference is a proactivefocus on risks rather than a reactive approach.Other changes are related to improved accounta-bility and responsibility. With ERM in place, man-agers are more responsible for risk managementand controls because they helped identify therisks and controls. As solutions and metrics aredeveloped to better manage a risk, managementcan also be held more accountable for it. Onenonprofit organization mandates managementaction plans for any risk over a certain amount.This increase in accountability and responsibilitycan flow down to lower levels in the organization.An additional change may be from a “We need tocomply” perspective to “We need to manage thisrisk to achieve better results.” One softwarecompany tries to build a risk management thought process into the development of all new

products; this effort has resulted in a shift in theculture and thinking about the role of risk man-agement. Other cultural changes could occur,such as a shift from “blaming” to “identify andmanaging,” a change in “do not report badnews” to “report as early as possible” (so therisk can be managed), and, finally, from “Howdoes this affect my area or unit” to “How doesthis affect the risks of the entire organization.” Some consultants have developed cultural diag-nostic tools to enable organizations to assessthis cultural change.

Building a Case for ERMThe New York Stock Exchange (NYSE) has incor-porated elements of risk assessment and man-agement into its listing requirements. For regis-trants with the Securities and ExchangeCommission, item 1A of Form 10-K mandates“risk factor disclosures.” These certainly supporta case for ERM implementation, yet a company’sexecutive management may argue that compli-ance with these requirements can occur withoutfull-scale ERM implementation. In those situa-tions, the board of directors may have to ask thetough questions about the company’s risk identi-fication, assessment, and management processto get executive management to implementERM. Certainly, when executive managementpresents the company’s strategy to the board orseeks approval of a merger, the board has anopening to ask questions about the company’srisk identification, assessment, and manage-ment process. ERM should engage and educatethe board because the board members clearlyhave a stake in the reputation and sustainablesuccess of the organizations they serve.

As more companies adopt ERM and disclose itsadoption in their annual reports and as Standard& Poor’s incorporates a company’s ERM prac-tices in its ratings, other companies may begin

26


13 French Caldwell and Tom Eid, Magic Quadrant forFinance, Governance, Risk and Compliance ManagementSoftware, 2007, Gartner, February 1, 2007,http://mediaproducts.gartner.com/reprints/paisleyconsult-ing/145150.html.14 See www.rims.org.

to feel pressure to implement ERM. The execu-tive management of one company has noted thatit will discuss the company’s ERM process when-ever meeting with financial analysts. The goal isto inform analysts that the company is seriousabout risk management, and, ideally, the marketwill recognize this management capability in itsassessment of the company’s future.

The ROI of ERMWhen a company has adopted ERM, the case forbenefits vs. the cost and effort expended can bemade by pointing to specific experiences wheremanaging a risk added value to the bottom line.A major retailer uses metrics to track the resultsof its risk management initiatives. For example,the company will open many new stores in theyear and must have capable store managers.From experience, the company knows that onerisk is the turnover of store managers—it hashistorical data on turnover rates and knows thecost of recruiting and training a store manager.The human resources group adopted risk mitiga-tion activities for the turnover risk, establishedtargets for improvement, and monitored theresults. In time, it was able to show that manag-ing this risk reduced costs and, thus, improvedthe company’s bottom line. The leadership of thehuman resources group could report to the CEOthat they had indeed created shareholder valueby managing this risk. In many cases, it does nottake a rocket scientist to select appropriate met-rics to monitor the effectiveness of risk mitiga-tion initiatives, and, in turn, the impact on thebottom line. While it would be desirable to calcu-late a ROI for the ERM effort, such a measure-ment would be based on many assumptions.Focusing on the benefits of managing a specificrisk may offer the most persuasive evidence ofhow ERM creates value for the company.

V I I I . CONCLUSION This Statement on Management Accounting onERM, along with the earlier one published byIMA, provides guidance for the leaders of orga-nizations to identify, assess, and manage riskwhile at the same time growing the business.Because the risks in the global economy con-stantly change and evolve, ERM is a never-endingjourney. ERM requires strong commitment fromC-level executives and an effective process tai-lored to each organization’s unique culture. Acompany’s implementation can benefit from theERM knowledge that Certified ManagementAccountants (CMAs) and other finance profes-sionals can bring to the process. In their questto “drive business performance,” managementaccounting and finance professionals shouldseize the opportunity to become partners withsenior management and the board in ERM implementation.

GLOSSARYIMPACT—The significance of a risk to an organi-

zation. Impact captures the importance ofthe risk. It can be measured quantitatively orqualitatively.

INHERENT RISK—The level of risk that resideswith an event or process prior to manage-ment taking mitigation action.

LIKELIHOOD—An estimate of the chance or prob-ability of the risk event occurring.

OPPORTUNITY—The upside of risks.RESIDUAL RISK—The level of risk that remains

after management has taken action to miti-gate the risk.

RISK—Any event or action that can keep anorganization from achieving its objectives.

RISK APPETITE—The overall level of risk anorganization is willing to accept given itscapabilities and the expectations of itsstakeholders.

27


RISK TOLERANCE—The level of risk an organiza-tion is willing to accept around specificobjectives. Risk tolerance is a narrower levelthan risk appetite.

REFERENCE L ISTBarton, Thomas L., William G. Shenkir, and Paul

L. Walker, Making Enterprise RiskManagement Pay Off, Financial ExecutivesResearch Foundation, Upper Saddle River,N.J., 2001.

Bodine, Stephen W., Anthony Pugliese, and PaulL. Walker, “A Road Map to RiskManagement.” Journal of Accountancy,December 2001, pp. 65-70.

Brady, Diane, “General Electric, the Immelt Way,”Business Week, September 11, 2006, p. 33.

Caldwell, French, and Tom Eid, Magic Quadrantfor Finance, Governance, Risk andCompliance Management Software, 2007,Gartner, February 1, 2007, http://mediaproducts.gartner.com/reprints/paisleyconsulting/145150.html.

Committee of Sponsoring Organizations of theTreadway Commission (COSO), EnterpriseRisk Management—Integrated Framework:Application Techniques, AICPA, New York,2004.

COSO, Enterprise Risk Management—IntegratedFramework: Executive Summary, AICPA, NewYork, 2004.

Corporate Board Member, 2006 AcademicCouncil Supplement: Emerging Trends inCorporate Governance, Board Member, Inc.,Brentwood, Tenn., p. 20.

Deloitte & Touche LLP, The Risk IntelligentEnterprise: ERM Done Right, DeloitteDevelopment LLC, 2006.

Economist Intelligence Unit, Managing BusinessRisks—An Integrated Approach, TheEconomist Intelligent Unit, New York, 1995.

Elkins, Debra, “Managing Enterprise Risks in

Global Automotive ManufacturingOperations,” presentation at the Universityof Virginia, January 23, 2006.

Institute of Chartered Accountants in Englandand Wales (ICAEW), No Surprises: The Casefor Better Risk Reporting, ICAEW, London,U.K., 1999.

Schwartz, Peter, The Art of the Long View,Currency Doubleday, New York, 1991, p. xiii.

ADDIT IONAL RESOURCESAugustine, Norman R., “Managing the Crisis You

Tried to Prevent,” Harvard Business Review,November-December 1995, pp. 147-158.

American Institute of Certified PublicAccountants (AICPA) and Canadian Instituteof Chartered Accountants (CICA), ManagingRisk in the New Economy, AICPA, New York,2000.

Barton, Thomas L., William G. Shenkir, and PaulL. Walker, “Managing Risk: An Enterprise-wide Approach,” Financial Executive, March-April 2001, pp. 48-51.

Basel Committee on Banking Supervision,International Convergence of CapitalMeasurement and Capital Standards, ARevised Framework, 2004.

Bernstein, Peter L., Against the Gods—TheRemarkable Story of Risk, John Wiley &Sons, Inc., New York, 1996.

Brancato, Carolyn K., Enterprise RiskManagement Systems: Beyond the BalancedScorecard, The Conference Board, New York,2005.

Burns, J., “Everything You Need to Know AboutCorporate Governance…,” The Wall StreetJournal, October 27, 2003, p. R6.

Byrne, John, “Joseph Berardino (Cover Story),”Business Week, August 12, 2002, pp. 51-56.

Committee of Sponsoring Organizations of theTreadway Commission (COSO), InternalControl—Integrated Framework: Executive

28


Summary, AICPA, New York, 1992.Corporate Executive Board, Confronting

Operational Risk—Toward an IntegratedManagement Approach, Washington, D.C.,2000.

DeLoach, James W., Enterprise-wide RiskManagement: Strategies for Linking Risk andOpportunity, Financial Times, London, U.K.,2000.

Deloitte & Touche LLP, Perspectives on Risk forBoards of Directors, Audit Committees, andManagement, Deloitte Touche TohmatsuInternational, 1997.

Economist Intelligence Unit, Enterprise RiskManagement—Implementing New Solutions,New York, 2001.

Emen, Michael S., “Corporate Governance: TheView from NASDAQ,” NASDAQ, New York,2004.

Epstein, Marc J., and Adriana Rejc, Identifying,Measuring, and Managing OrganizationalRisks for Improved Performance, Society ofManagement Accountants of Canada andAICPA, 2005.

Federation of European Risk ManagementAssociations, A Risk Management Standard,2003.

Financial and Management AccountingCommittee of the International Federation ofAccountants (IFAC) (prepared byPricewaterhouseCoopers), EnhancingShareholder Wealth by Better ManagingBusiness Risk, International Federation ofAccountants, New York, 1999.

Financial Reporting Council, The Combined Codeon Corporate Governance, 2003.

Financial Reporting Council, Internal Control:Revised Guidance for Directors on theCombined Code, 2005.

Gates, Stephen, and Ellen Hexter, “From RiskManagement to Risk Strategy,” TheConference Board, New York, 2005.

Gibbs, Everett, and Jim DeLoach, “Which ComesFirst…Managing Risk or Strategy-Setting?Both,” Financial Executive, February 2006,pp. 35-39.

Hands On, “Risk Management Issues forPrivately Held Companies,” ACC Docket, May2006, pp. 76-88.

King Committee on Corporate Governance, KingReport on Corporate Governance for SouthAfrica, Institute of Directors in SouthernAfrica, 2002.

Institute of Management Accountants (IMA),“IMA Announces Bold Steps to ‘Get it Right’on Sarbanes-Oxley Compliance,” pressrelease, December 21, 2005.

IMA, “A Global Perspective on Assessing InternalControl over Financial Reporting (ICoFR),”Discussion Draft for Comment, September2006.

Joint Standards Australia/Standards NewZealand Committee, Risk Management,Standards Australia/Standards NewZealand, 2004.

Joint Standards Australia/Standards NewZealand Committee, Risk ManagementGuidelines, Standards Australia/StandardsNew Zealand, 2004.

Kaplan, Robert S., and David P. Norton, “TheBalanced Scorecard—Measures that DrivePerformance,” Harvard Business Review,January-February 1992, pp. 71-79.

Kaplan, Robert S., and David P. Norton, “Puttingthe Balanced Scorecard to Work,” HarvardBusiness Review, September-October 1993,pp. 134-147.

Kaplan, Robert S., and David P. Norton, TheBalanced Scorecard, Harvard BusinessSchool Press, Boston, Mass., 1996.

Kaplan, Robert S., and David P. Norton, TheStrategy-Focused Organization, HarvardBusiness School Press, Boston, Mass.,2001.

29


Kocourek, Paul, Reggie Van Lee, Chris Kelly, andJim Newfrock, “Too Much SOX Can Kill You,”Strategy+Business, reprint, January 2004,pp. 1-5.

McNamee, David, and Gerges M. Selim, RiskManagement: Changing the Internal Auditor’sParadigm, The Institute of Internal AuditorsResearch Foundation, Altamonte Springs,Fla., 1998.

Miccolis, Jerry A., Kevin Hively, and Brian W.Merkley, Enterprise Risk Management: Trendsand Emerging Practices, The Institute ofInternal Auditors Research Foundation,Altamonte Springs, Fla., 2001.

Nagumo, Takehiko, “Aligning Enterprise RiskManagement with Strategy through the BSC:The Bank of Tokyo-Mitsubishi Approach,”Balanced Scorecard Report, HarvardBusiness School Publishing, Reprint No.B0509D, September-October 2005, pp. 1-6.

Nagumo, Takehiko, and Barnaby S. Donlon,“Integrating the Balanced Scorecard andCOSO ERM Framework,” Cost Management,July/August 2006, pp. 20-30.

National Association of Corporate Directors(NACD), Report of the NACD Blue RibbonCommission of Audit Committees—A PracticalGuide, 1999.

New York Stock Exchange, Final NYSE CorporateGovernance Rules, November 4, 2003.

Nottingham, Lucy, “A Conceptual Framework forIntegrated Risk Management,” TheConference Board of Canada, 1997.

Oversight Systems, “The 2006 OversightSystems Financial Executive Report on RiskManagement,” 2006.

Protiviti, “U.S. Risk Barometer—Survey of C-Level Executives with the Nation’s LargestCompanies,” 2005.

Protiviti, “Guide to Enterprise Risk Management:Frequently Asked Questions. Sarbanes-OxleyAct of 2002, H.R. 3763,” 2006.

Shaw, Helen, “The Trouble with COSO,” CFO,March 15, 2006, pp. 1-4.

Shenkir, William, and Paul L. Walker, “EnterpriseRisk Management and the Strategy-Risk-Focused Organization,” Cost Management,May-June 2006, pp. 32-38.

Simons, Robert L., “Control in an Age ofEmpowerment,” Harvard Business Review,March-April 1995, pp. 80-88.

Simons, Robert L., “How Risky Is YourCompany?” Harvard Business Review, May-June 1999, pp. 85-94.

Smith, Carl, “Internal Controls,” StrategicFinance, March 2006, p. 6.

Smith, Wendy K., “James Burke: A Career inAmerican Business [(A) & (B)],” HarvardBusiness School Case 9-389-177 and 9-390-030, Harvard Business SchoolPublishing, 1989.

Smutniak, John, “Living Dangerously: A Survey ofRisk,” The Economist, January 24, 2004, pp.1-15.

Slywotzky, Adrian J., and John Drzik, “Counteringthe Biggest Risk of All,” Harvard BusinessReview, Reprint R0504E, April 2005,pp. 1-12.

Standard and Poor’s, Criteria: AssessingEnterprise Risk Management Practices ofFinancial Institutions: Rating Criteria and BestPractices, September 22, 2006.

Standard and Poor’s, Insurance Criteria: Refiningthe Focus of Insurer Enterprise RiskManagement Criteria, June 2, 2006.

Stroh, Patrick J., “Enterprise Risk Managementat UnitedHealth Group,” Strategic Finance,July 2005, pp. 27-35.

Thornton, Emily, “A Yardstick for Corporate Risk,”Business Week, August 26, 2002,pp. 106-108.

Treasury Board of Canada Secretariat, IntegratedRisk Management Framework, 2001.

30


Treasury Board of Canada Secretariat, IntegratedRisk Management Framework: A Report onImplementation Progress, 2003.

U.S. Securities and Exchange Commission(SEC), “Commission Guidance RegardingManagement’s Discussion and Analysis ofFinancial Condition and Results ofOperations,” Release No. 33-8350,December 19, 2003.

SEC, “Securities Offering Reform,” Release No.33-8591, effective December 1, 2005.

Walker, Paul L., William G. Shenkir, and ThomasL. Barton, Enterprise Risk Management:Pulling It All Together, The Institute of InternalAuditors Research Foundation, 2002.

Walker, Paul L., William G. Shenkir, and ThomasL. Barton, “ERM in Practice,” InternalAuditor, August 2003, pp. 51-55.

Walker, Paul L., William G. Shenkir, and StephenHunn, “Developing Risk Skills: AnInvestigation of Business Risks and Controlsat Prudential Insurance Company ofAmerica,” Issues in Accounting Education,May 2001, pp. 291-304.

31


enterprise tools and_techniques

Documents