Enterprise risk management: effective ERM practices

Strategy & Leadership

ISSN: 1087-8572

Article publication date: 9 May 2008



Kennedy, P. (2008), "Enterprise risk management: effective ERM practices", Strategy & Leadership, Vol. 36 No. 3. https://doi.org/10.1108/sl.2008.26136cac.001



Emerald Group Publishing Limited

Copyright © 2008, Emerald Group Publishing Limited

Enterprise risk management: effective ERM practices

Article Type: Conference report From: Strategy & Leadership, Volume 36, Issue 3.

The Enterprise Risk Management (ERM) discipline is still new, and few companies have done it all and done it right. Presenters at the Conference Board’s 2007 session in New York offered this general assessment of where ERM is today:

  • Since Sarbanes Oxley, the liability of corporate directors increases if they fail to keep pace with evolving best practices in ERM.

  • NYSE requires audit committees to deal with firms’ internal and external risk environments.

  • Stakeholder expectations and activism are increasing, with greater focus on operations risk and reputations risk.

  • As business is becoming more complex and geographically dispersed, effective ERM requires the assessment and efficient reporting of existing risks and emerging risks.

Inevitably, ERM has become a concern of corporate strategists as it raises production, sourcing, HR, financial, technology, distribution, alliance and competitive issues that strike at the heart of a firm’s identity and its place in the marketplace. ERM’s scope is far beyond traditional risk management.

What works? A top management perspective

  1. 1.

    A few leading firms are practicing integrated, cross-enterprise risk management.

  2. 2.

    Initiation and sustaining of ERM must be top-down. Senior leadership must champion and drive the process and furnish all required resources and authority. Surprisingly, a number of conference presenters did not believe that having a formal “chief risk officer” was a good idea.

  3. 3.

    Company business units must own the process and take responsibility for all relevant remediation activities, but risk analysis and remediation must look across silos.

  4. 4.

    Metrics are important for a wide batch of ERM analytics, such as determining risk appetite. But there appears to be a tendency to rely too heavily on quantifiable indicators. It’s widely accepted that forecasting resolution diminishes the further out in time one goes. Also, some risks can only be qualitatively understood. Thus, risk analysis models must be transparent to its users, with limitations fully transparent.

  5. 5.

    Scenario analysis is a useful tool for thinking through the range of risks associated with unprecedented events or those that cannot be predicted through traditional forecasting techniques. It can also be a useful forum in which ERM stakeholders interactively wrestle with unfamiliar future business environments that contain hidden opportunities as well as risks.

  6. 6.

    ERM is inherently strategic. While ensuring ERM independence, it should be appropriately integrated into corporate strategy activities to eliminate overlap, manage turf battles, and maximize corporate coherence. ERM surveys have repeatedly established that the greatest threat to firms fall in the domain of strategy and operations (not necessarily finance or legal). As one participant put it, “Tailoring risk to appetite/tolerance really gets at the heart of strategic thinking and strategic priorities.”

Integrating corporate capabilities for superior ERM results at IBM and Eastman Chemical

  • IBM has adopted a highly integrated approach to ERM, incorporating corporate strategy and market intelligence into the ERM function. IBM’s is “an enterprise-level, top-down approach.” This effort is one year old and headed by a VP, Risk Management & Compliance. IBM has an internal research capability on future trends. Various parts of the business engage over the understanding of external risk. Scenario analysis has been applied to risk assessment for some time. IBM appears somewhat unique in that its ERM process seeks to both anticipate hazards and exploit upside potential. The strategic nature of ERM becomes clear as operating risk analysis reveals correlations of related risks. Mitigation requires changes in the business design.

  • Equitable Life of Canada states that strategy is basically about understanding risks to the business model. Like IBM, it tries to identify opportunities as it assesses risk. Equitable values external perspectives and brings in trained facilitators to create an open dialogue.

Overarching themes:

  • To focus solely on risk mitigation limits the value of ERM, because ERM travels across strategic territory and could identify opportunities along the way.

  • Risk management must be integrated into corporate operations; it cannot remain external to it. The people making operational decisions in the business units must own the risk.

  • Risk mitigation plans need to be embedded in the risk assessment process. Again, the operating units must own the risk.

Getting ERM started on the right track

Ellen Dulberger, VP, Enterprise Risk Management & Compliance, IBM. This session was intended to provide general guidance for firms beginning the ERM process. IBM did not establish an ERM system because of some traumatic event. Leadership saw this as an opportunity. In fact, the VP of Corporate Strategy has a seat on the ERM Steering Committee.

How to do ERM right

  1. 1.

    Establish governance and expect it to change.

  2. 2.

    Start the conversation inside and outside.

  3. 3.

    Use risk management tools and methods.

  4. 4.

    Keep line of sight from actions to root causes to risks.

  5. 5.

    Share findings across domains.

IBM’s ERM system is comprised of three major elements:

  1. 1.

    Steering Committee VP and Assistant General Counsel; VP and Controller; VP Financial Management; Treasurer; CHQ General Auditor, and VP Corporate Strategy.

  2. 2.

    Corporate Compliance Organization Ellen Dulberger, VP, Enterprise Risk Management & Compliance. This is a new organization established in Q4 2006.

  3. 3.

    Operating Units/Support Functions/Stakeholders Operational units; stockholders; and board of directors.

Practical risk quantification

Victor Allen, Vice President/Treasurer, Eastman Chemical. Eastman Chemical’s case is distinctly different from IBM’s. It is a much narrower ERM scope, for a much narrower business. Eastman’s ultimate ERM objective is reducing earnings-at-risk. Managing commodity risk is at the heart of their ERM work.

Eastman has developed quantitative models to anticipate commodity price movements. They apply Monte Carlo simulations tools (e.g., “At Risk” software) to run through multiple “what ifs.” They call these alternative sets of assumptions “scenarios.” Ultimately, this work informs Eastman’s hedging strategy.

While containing many different analytical challenges than the other ERM cases, many of the high-level organizational challenges Eastman has encountered are notably very similar:

  • Balancing expectations and capabilities.

  • Changing roles and responsibilities require good communication.

  • Demonstrating that the program delivers results.

Practical ERM integration at CIGNA and Premier Health Partners

Richard Scanlon, VP Enterprise Risk Management, CIGNA Corporation. CIGNA’s ERM milestones were:

  • An effective, formal risk assessment process is in place.

  • An enterprise risk profile exists and is continuously updated.

  • Management has made a visible commitment to ERM.

  • Risks are discussed across business areas and functions.

  • Leadership promotes a risk aware culture.

  • An awareness of the ERM approach exists among its business leaders.

ERM integration takes place on several levels:

  • Internal audit is a big ERM partner, but ERM is separate; this is important to ensure independence.

  • Strategic planning ensuring that risks are aligned with business strategy.

  • Operational planning remediation is tied to the business plan; need a common set of metrics.

  • Disclosure key partner, for example in 10-K reporting.

  • Audit team which is ultimately responsible for the ERM process; wants to see that key issues are mediated.

  • External stakeholders reaching out to the external community as well, including customers.

Dianne Judge, Premier Health Partners. Enterprise Risk Management at PHP is governed by an ERM Governance Committee chaired by the CEO The Board of Trustees’ Audit and Compliance Committee provides oversight.

“As we entered our second year of business risk assessments, we realized that many of our risks not only had common root causes but drove other corporate and business unit risks.” Premier searches for risk roots across silos. Technology affects not only patient satisfaction, for example, it also affects privacy issues. “Understanding the inter-dependencies of our key risks is critical as we develop risk and risk driver action plans across the organization.” Some success indicators:

  • Development and launch of structure combined with regular updates increased visibility and awareness across hospitals and corporate.

  • Soon the COOs asked to be included in the ERM Governance Committee.

  • CFO requested that risk assessments, analysis and action planning be conducted on the negotiation of new managed care contracts.

The ERM road ahead for Premier:

  • Continued focus on ERM education across the corporate and business units coordinated with risk assessment initiatives and action-plan execution.

  • Continued alignment and integration of action planning metrics and its corporate balanced scorecard analytics.

  • Focus on expanding the risk analysis process to quantify the impact of the root causes identified.

  • Focus on risk monitoring and reporting technologies.

  • Examine various technology solutions to expand action planning and risk dashboard reporting.

Case studies: Cisco and Equitable Life

Edward Erickson, Senior Manager of Business Resiliency and Global Security, Cisco Systems, Inc. Cisco’s Board is engaging on an increasing number of risk topics, beyond financial and compliance. Now it’s looking at operational issues, emerging risks and, increasingly, strategic risk. Erickson says there’s real leverage in understanding strategic risk. This helps answer the key question, “Do we really understand our own portfolio?” In fact, a study quoted suggests that the greatest risks to market capitalization have been non-financial risks. In terms of what Cisco calls “market capitalization decline drivers”: 65% are strategic risks, 15% financial, 13% are operational and 7% are legal and compliance.

Cisco’s “Integrated Risk Management Strategy” is comprised of the following pieces:

  • Identifying enterprise-wide risks and opportunities.

  • Assessing the magnitude of risks and opportunities.

  • Aggregating business unit risk assessments.

  • Communicating key risk and mitigation strategies.

  • Embedding risk consideration in long range planning, budgeting and forecasting processes.

Cisco asks: “Is risk management the new supply chain dogma, the next big thing?” Global supply chains, which depend on efficiency, connectivity and information velocity, are increasingly at risk in potentially volatile emerging markets where so much production takes place. Risks include security, payments, taxes, FX, labor, infrastructure, legal and regulatory and political risk.

Cisco’s global insights:

  • Managers should be aware of the hidden costs and account for them in their analysis, by carefully choosing adequate performance measures.

  • From the managers’ perspective, the output of a risk assessment process should identify where risk resides within the supply chain.

  • Mitigation strategies should be appraised within a global context.

The ERM opportunity for Cisco:

  • Integrate ERM in the business continue to evolve and extend the reach of Cisco’s ERM program.

  • Develop deeper understanding of Cisco’s risks globally and partner with the business to take action on the risks.

  • Continue to transfer accountability for effective risk management to the business units (supply chain).

  • Improve risk quantification and business process modeling capabilities in an effort to support decision making.

  • Keep abreast of internal and external trends and evolve the ERM program with the market.

  • Continue to focus on the opportunities.

Doug Brooks, Equitable Life of Canada. Equitable believes in the utility of scenarios to explore risk. For example, what are the implications of a pandemic, like the avian fu? In anticipation of such an event, have we thought about:

  • Ability/willingness to go to work?

  • High staff demand in some areas?

  • Sales people not making sales?

  • Support for remote work?

  • Impact on reinsurance companies?

Equitable’s scenarios probe unprecedented risks, which do not show up in forecasting models or historical data. An example of this is the phenomenon of non-termination, when people hold on to policies that they traditionally have terminated.

Peter Kennedy Principal of The Futures Strategy Group LLC (pkennedy@futurestrat.com). This ERM conference was presented by The Conference Board in New York in late 2007.

Related articles