MARK S. BEASLEY, PhD, CPA
Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative, College of Management, North Carolina State University
MARK L. FRIGO, PhD, CPA, CMA
Director, The Center for Strategy, Execution, and Valuation and Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership at the DePaul University Kellstadt Graduate School of Business and School of Accountancy
Enterprise risk management (ERM) has rightfully become a top priority for directors and executive management. The current economic crisis highlights the disastrous results when risks associated with strategies are ignored or ineffectively managed. Coming out of the crisis are numerous calls for improvements in overall risk oversight, with a particular emphasis on strategic risk management.
One of the major challenges in ensuring that risk management is adding value is to incorporate ERM in business and strategic planning of organizations. The “silos” that separate risk management functions in organizations also create barriers that separate strategic planning from ERM. In many cases, risk management activities are not linked or integrated with strategic planning, and strategic risks can be overlooked, creating dangerous “blind spots” in strategy execution and risk management that can be catastrophic.
The challenge, as well as the opportunity, for organizations is to embed risk thinking and risk management explicitly into the strategy development and strategy execution processes of an organization so that the strategy and risk mindsets are one and the same. This chapter is based on articles, cases, and research by the authors in leading ERM and Strategic Risk Management initiatives at North Carolina State University and DePaul University, respectively, and their work with hundreds of practice leaders in enterprise risk management.
The expectations that boards of directors and senior executives are effectively managing risks facing an enterprise are at all-time highs.1 Much of this shift in expectations was prompted initially by corporate scandals and resulting changes in corporate governance requirements, such as the Sarbanes-Oxley Act of 2002 (SOX) and the NYSE Corporate Governance Rules updated in 2004. Debt-rating agencies such as Standard & Poor’s, Moody’s, and Fitch now examine enterprise-wide risk management practices of institutions as part of their overall credit-rating assessment processes. Their particular focus is on understanding the risk management culture and the overall strategic risk management processes in place.1
The economic crisis that began in 2007 and still continues is now shining a huge spotlight on the board and senior management’s enterprise-wide risk management processes. Reform proponents are pointing to failures in the overall risk oversight processes, including unaware boards, overreliance on sophisticated models, and underreliance on sound judgment. Critics argue that because returns on certain strategic initiatives were so great, risks that were present were either unknown or ignored.2 Numerous calls are now arising for drastic improvements in risk management, with a specific call for more formal risk considerations in managing an organization’s deployment of specific strategic initiatives.
This sentiment is evidenced by Federal Reserve Governor Randall S. Kroszner’s October 2008 speech where he argued that financial institutions must improve the linkage between overall corporate strategy and risk management given that “survivability will hinge on such an integration.” Governor Kroszner noted that many firms have forgotten the critical importance of undertaking an adequate assessment of risks associated with the overall corporate strategies.3
This shift toward greater expectations for effective enterprise-wide risk management oversight is complicated by the fact that the volume and complexities of risks affecting an enterprise are increasing as well. Rapid changes in information technologies, the explosion of globalization and outsourcing, the sophistication of business transactions, and increased competition make it that much more difficult for boards and senior executives to effectively oversee the constantly evolving complex portfolio of risks.
Even before the recent financial crisis, board members believed that risks were increasing. Ernst & Young’s 2006 report, “Board Members on Risk,” found that 72 percent of board members surveyed believed that the overall level of risk that companies face had increased in the past two years, with 41 percent indicating that overall levels of risk had increased significantly.4 Given recent events, that concern is only heightened. Management has made a comparable observation. IBM’s 2008 “Global CFO Study” reported that 62 percent of enterprises with revenues greater than $5 billion had encountered a major risk event that substantially affected operations or results in the last three years, and 42 percent stated that they were not adequately prepared.5
Many of the risks threatening an enterprise are difficult to see and manage, given their systemic nature. However, while many risks may be unknown, they often have a similar impact. Management and boards of directors are increasingly being held accountable for considering the probabilities and impact of various possible risk scenarios tied to their overall business strategies, even for risk events that may not be foreseeable. For example, the events of 9/11 and the catastrophic impact of Hurricane Katrina, although “unknown” by most, had similar impacts: loss of employees, destroyed operations, damaged IT infrastructure, lack of cash flow, and so on. Management and boards are not expected to predict the next 9/11–type event, but they are expected to consider and be proactive about thinking of responses to events (whatever the cause) that might have a similar impact. That is, management should have a plan for any significant scenario that might lead to consequences that might be detrimental to its core strategy, such as a loss of employees, destroyed operations, damaged IT infrastructure, lack of cash flow, drastic shift in regulations, and so on.
The rise in the volume and complexity of risks is complicated by the fact that many of the techniques used by boards and senior executives are dated, lack sophistication, and are often ad hoc. Few boards and senior executives have robust key risk indicators that provide adequate data to recognize shifts in risk patterns within and external to their organizations, resulting in an inability to proactively alter strategic initiatives in advance of risk events occurring. This has created an “expectations gap” between what stakeholders expect boards and senior executives to do regarding enterprise-wide risk management and what they actually are doing.
In response to these changing trends, organizations are embracing ERM because it emphasizes a top-down, holistic approach to effective risk management for the entire enterprise. The goal of ERM is to increase the likelihood that an organization will achieve its objectives by managing risks to be within the stakeholders’ appetite for risk. ERM done correctly should ultimately not only protect but also create stakeholder value.
ERM differs from a traditional risk management approach, frequently referred to as a “silo” or “stovepipe” approach, where risks are often managed in isolation. In those environments, risks are managed by business unit leaders with minimal oversight or communication of how particular risk management responses might affect other risk aspects of the enterprise, including strategic risks. Instead, ERM seeks to strategically consider the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholders’ appetite for risk. The ultimate objective is to increase the likelihood that strategic objectives are realized and value is preserved and enhanced.
Several conceptual frameworks have been developed in recent years that provide an overview of the core principles for effective ERM processes. In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its “Enterprise Risk Management—Integrated Framework,” with this definition of ERM (see www.coso.org):
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Note that ERM is directly related to “strategy setting.” For ERM to be value creating, it must be embedded in and connected directly to the enterprise’s strategy. Another part of this definition refers to the goal of ERM, which is to help the enterprise achieve its core objectives. So, to be effective, ERM must be part of the strategic planning process and strategy execution processes.
The Conference Board’s 2007 research study, “Emerging Governance Practices in Enterprise Risk Management,” notes that while many organizations are engaging in some form of ERM, only a few have full-fledged ERM program infrastructures.6 Many of these organizations initially launched their ERM efforts out of a compliance function, such as compliance with SOX, emerging privacy legislation, and environmental regulations. More boards and senior executives are now working to shift their ERM approach from a compliance orientation to a strategic orientation, consistent with the view that an enterprise-wide approach to risk management should be value enhancing. A 2008 survey, “The 2008 Financial Crisis: A Wake-Up Call for Enterprise Risk Management,” by the Risk and Insurance Management Society (RIMS) found that about 65 percent of the businesses surveyed have begun or plan to implement a strategic risk management system.7
Boards are feeling an increasing pressure to strengthen their overall oversight of the enterprise’s risk management processes, with a stronger emphasis on strategic risk management. Recent reports, such as the Conference Board’s “Overseeing Risk Management and Executive Compensation” report issued in December 2008, note that while companies report some progress in developing an enterprise-wide risk management program, it has yet to be adequately embedded in strategy execution and entity culture.8
Boards are becoming more aggressive at pushing management to reassess vulnerabilities in existing risk management processes and to begin tying sounder risk analysis to the company’s strategy-setting activities. Benchmarking surveys about the state of ERM consistently find that the launch of ERM is often tied to the board’s (more specifically the audit committee’s) demand for more robust risk management processes. Boards are now asking management about their risk oversight processes and are adding formal risk discussions to their agendas on a regular basis.9 Boards are also seeking to take a strategic view of Governance, Risk and Compliance (GRC) by setting and articulating the organization’s “Enterprise Risk Policy and Appetite” and the role of each GRC function.10 Despite these emerging trends, board members still believe they need a better handle on issues affecting strategic risk.
Successful deployments of ERM in strategic planning seek to maximize value when setting strategic goals by finding an optimal balance between performance goals and targets and related risks. As management evaluates various strategic alternatives designed to reach performance goals, it includes related risks across each alternative in that evaluation process to determine whether the potential returns are commensurate with the associated risks that each alternative brings. It also considers how one strategic initiative might introduce risks that are counterproductive to goals associated with another strategy. At that point, management is in a better position to evaluate various strategic alternatives to ensure that the combined risks that the entity might take on are within the stakeholders’ appetite for risk and that they collectively support the strategic direction desired.
Considering risk during strategy planning also creates an ability to seize risk opportunities. Again, the goal of ERM is to preserve and enhance value. In some situations, ERM may reveal areas where the enterprise is being too risk averse or is ineffectively responding to similar risks that exist across multiple silos of the enterprise. In other situations, ERM may identify risk opportunities that may create potential increased returns to the enterprise. If risks are ignored in strategy, risk opportunities may be overlooked.
A consumer products company’s experience illustrates the advantage of connecting strategy and risks. As part of its sales strategy, the company sought to increase revenues by strategically aligning with a key distributor customer through electronic reordering systems. As part of this alliance, the consumer products company entered into contracts requiring the automatic shipment of products to the retail customer’s distribution warehouses within two-hour increments upon receipt of the customer’s electronic reorder purchase request.
As the consumer products company began to launch its ERM processes, senior management quickly discovered a huge potential threat to this strategic arrangement with the retail customer. The company’s information technology (IT) disaster recovery processes were set to be within acceptable tolerance limits established by the IT group. In an effort to balance costs with perceived IT needs, the IT group had put recovery procedures in place to fully restore IT-based sales systems within a two-day (not two-hour) period. When core sales executives learned about this recovery time frame, they quickly partnered with IT to reduce recovery thresholds to shorter windows of time. The general point is that a system’s recovery time objective has to be derived from the tightest business commitment that depends on that system, not set by the IT group in isolation. Had they not linked IT’s disaster recovery response risks with the sales strategy of fulfilling customer orders within two-hour increments, a looming IT disaster could have significantly affected their ability to achieve sales goals, thus compromising the enterprise’s ability to achieve strategic goals. Needless to say, this discovery also prevented other risks that might have been triggered by a disaster, including legal risks tied to contract violations, cash flow losses due to idle sales functions, and reputation risks that could have been realized given the large size and visibility of both the consumer products company and the retail customer.
Strategic risk management can help companies avoid the problem of not recognizing risks soon enough and can help management take swift action to deal with those risks that do occur. What initially appeared to be a minor disruption in the value chain for Nokia and Ericsson in March 2000 turned out to be a critical event for both companies. On Friday, March 17, 2000, a line of thunderstorms passed over Albuquerque, New Mexico. A lightning bolt struck a Philips semiconductor plant, causing a fire in a plant that made chips for both Nokia and Ericsson, so both companies faced the same exposure. The fire was minor, lasting only 10 minutes, and the damage at first appeared to be limited, so Philips expected to be back in operation within a week. As it turned out, the disruption to the plant lasted months rather than a week, and the impact on production was significant.
Nokia quickly noticed the problem with the supply of the parts even before Philips told them there was a real problem. They took fast action to address the situation once they determined that the potential impact of the disruption in the supply of chips from the Philips plant could translate into an inability to produce 4 million handsets, representing 5 percent of the company’s sales at the time.
In contrast, Ericsson responded slowly and didn’t have alternative sourcing options. By the time management realized the extent of the problem, they had nowhere else to turn for several key parts. This partly stemmed from the company’s strategy in the mid-1990s, when it simplified its supply chain to cut costs and in the process weakened its supply backup. One manager at Ericsson said: “We did not have a Plan B.” Underestimating the risk of the disruption in supply from the Philips plant and being unable to manage the problem were major factors that led to Ericsson exiting handset production in 2001.11
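The two cases above reduce to the same check: for each commitment the strategy makes to a customer, list the systems and inputs it cannot be met without, and compare what each of those can actually deliver (the recovery time objective, or RTO, of a system; the number of qualified suppliers of a part) against what the commitment requires. The script below is an added example, not from the chapter or from any of the companies it describes; every system, supplier, commitment and figure in it is constructed for illustration. It generalizes the consumer products case (a two-hour contractual window against a two-day IT recovery plan) and the Ericsson case (a part with no second source) into three small functions: the recovery-time shortfalls, the RTO each system must actually meet given the commitments that depend on it, and the inputs that have no Plan B.

```python
"""Added example: reconcile strategic commitments with recovery and sourcing capabilities.

All names and figures are constructed for illustration; they are not the
companies, systems or suppliers from the chapter's cases.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class System:
    name: str
    rto_hours: float  # recovery time objective the IT disaster recovery plan commits to


@dataclass(frozen=True)
class Component:
    name: str
    suppliers: Tuple[str, ...]  # qualified sources that could ship today


@dataclass(frozen=True)
class Commitment:
    name: str
    window_hours: float           # response window promised to the customer (contractual)
    systems: Tuple[str, ...]      # IT systems the commitment cannot be met without
    components: Tuple[str, ...]   # physical inputs the commitment cannot be met without


# Constructed sample data (hypothetical).
SYSTEMS = [
    System("order-management", rto_hours=48.0),   # the "two-day" recovery plan
    System("edi-gateway", rto_hours=1.0),
    System("billing", rto_hours=72.0),
]
COMPONENTS = [
    Component("packaging-film", suppliers=("Supplier A",)),          # single source, no Plan B
    Component("corrugate", suppliers=("Supplier B", "Supplier C")),
]
COMMITMENTS = [
    Commitment("Distributor auto-replenishment", window_hours=2.0,
               systems=("order-management", "edi-gateway"),
               components=("packaging-film", "corrugate")),
    Commitment("Month-end invoicing", window_hours=72.0,
               systems=("billing", "order-management"),
               components=()),
]


def recovery_gaps(commitments: List[Commitment], systems: List[System]) -> List[Tuple[str, str, float]]:
    """(commitment, system, shortfall_hours) for every system whose RTO is longer
    than the window of a commitment that depends on it."""
    rto = {s.name: s.rto_hours for s in systems}
    gaps = []
    for c in commitments:
        for name in c.systems:
            if rto[name] > c.window_hours:
                gaps.append((c.name, name, rto[name] - c.window_hours))
    return gaps


def required_rto(commitments: List[Commitment]) -> Dict[str, float]:
    """The RTO each system must actually meet: the tightest window of any commitment
    that depends on it. This is the figure the business side hands to IT."""
    req: Dict[str, float] = {}
    for c in commitments:
        for name in c.systems:
            req[name] = min(req.get(name, float("inf")), c.window_hours)
    return req


def single_sourced(commitments: List[Commitment], components: List[Component]) -> List[Tuple[str, str, Optional[str]]]:
    """(commitment, component, sole_supplier) for every input with fewer than two
    qualified sources, i.e. no Plan B if the one plant goes down."""
    by_name = {x.name: x for x in components}
    out = []
    for c in commitments:
        for name in c.components:
            comp = by_name[name]
            if len(comp.suppliers) < 2:
                out.append((c.name, name, comp.suppliers[0] if comp.suppliers else None))
    return out


if __name__ == "__main__":
    for commitment, system, short in recovery_gaps(COMMITMENTS, SYSTEMS):
        print(f"RTO gap: {commitment} needs {system} back {short:.0f}h sooner than the DR plan provides")
    for system, hours in sorted(required_rto(COMMITMENTS).items()):
        print(f"Required RTO for {system}: {hours:.0f}h")
    for commitment, part, supplier in single_sourced(COMMITMENTS, COMPONENTS):
        print(f"No Plan B: {commitment} depends on {part}, sole source {supplier}")
```

Run stand-alone it reports that the auto-replenishment commitment needs the order-management system back 46 hours sooner than the plan provides, that order-management and the EDI gateway therefore need a 2-hour RTO (billing can keep 72), and that packaging film has a single supplier. The value is in the inputs, not the arithmetic: the lists of systems and components per commitment are exactly the dependencies that a silo view of IT or procurement never sees.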
What lessons do these contrasting cases offer about integrating strategies and risk management surrounding the supply chain?12
The first step in strategic risk management is finding a way to systematically evaluate a company’s strategic business risk. That has to begin with first making sure that management and the board understand the entity’s key strategies that are designed to preserve and create stakeholder value. For a for-profit entity, key strategies are generally linked to increasing shareholder value through initiatives designed to boost revenues, to maintain or reduce costs, or to pursue growth through mergers and acquisitions. A thorough understanding of specific drivers of shareholder value that management and the board are pursuing is necessary before risks surrounding those drivers can be accurately and completely considered. And, that understanding of specific strategy drivers has to permeate leadership across the organization if risks are to be managed effectively.
The next step to strategic risk management surrounds defining the entity’s use of the term “risk.” Michael Porter’s definition in his landmark book, Competitive Advantage, is useful: “Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario occurs.”13 Thus, strategic risk management begins by identifying and evaluating how a wide range of possible events and scenarios will impact a business’s strategy execution, including the ultimate impact on the valuation of the company.
Before management can effectively manage risks that might be identified by various scenario analyses, they need to define an overriding risk management goal. Risk appetites can vary across industries and entities. Without an understanding of stakeholder appetites for risk, neither management nor the board knows which strategic risks are to be managed and which are to be accepted.
The Return Driven Strategy framework is an effective tool for integrating strategic goals and risk management goals. The framework is the result of more than a decade of research and application, involving the study of thousands of companies and the identification of strategic activities that separate the best performers from the worst. The Return Driven Strategy framework describes the hierarchy of strategic activities of best performing companies in terms of financial impact and shareholder value.
The Return Driven Strategy is comprised of 11 core tenets and 3 foundations that together form a hierarchy of interrelated activities that companies must perform to deliver superior financial performance. These tenets and foundations summarize the common activities of high-performance companies and identify flawed strategies of marginal performers. Here is a list of the 11 tenets and 3 foundations of Return Driven Strategy.14
Management must understand, define, and then align all activities toward the shareholder wealth creation objectives and ensure that the business operates within the ethical parameters set by its communities.
Two Goal Tenets
To avoid commoditization, management must focus on fulfilling otherwise unmet customer needs. The path to business success is through the customer, and through sufficiently large groups of customers. This means targeting economically profitable customer groups that have sufficient size and growth opportunities while fulfilling otherwise unmet needs that are not commoditized.
Three Competency Tenets
Through synchronization of these three competency tenets, offerings are created that target customer needs. Management needs to consider the executability of plans at the outset, with the three higher tenets (the commitment tenet and the two goal tenets) as primary goals. The offerings must be innovated continuously, in their entirety, so that they fulfill needs that are currently unmet, and branded so that the customer’s explicitly understood need is bridged to the offering that uniquely fulfills it.
Five Supporting Tenets
The supporting activities are done to support the achievement of the higher-level tenets: the competency, goal, and commitment tenets.
There are three foundations that are critical to the Return Driven Strategy:
The 11 tenets are the “verbs” of strategy. Genuine assets are the “nouns.” Genuine assets are the building blocks of sustainable competitive advantage. Activities are copied by competitors, leading to price competition and reduced cash flow returns. This can be defended only by leveraging unique assets to create unique offerings that cannot be copied (patents, brands, scale and scope, etc.).
The ability and agility to capitalize on opportunities and avoid threats is foundational. Management must take advantage of opportunities and avoid threats across the tenets as they arise from three forces of change: (1) government, legal, and other regulatory change, (2) demographic and cultural shifts, and (3) scientific and technological breakthroughs.
A discipline that links strategy to ultimate financial results is necessary for measuring the achievement of strategic goals. Performance measures must be in place to support the achievement of the strategy and its resulting value creation.
This framework describes how an enterprise’s strategy can be aligned with the ultimate objective to “Ethically Maximize Shareholder Wealth.” This is a valid goal for a business entity: to create shareholder wealth, to strive to maximize it, and to do so while adhering to the ethical parameters of stakeholders and communities.15
That ultimate strategic goal can work simultaneously as the entity’s risk management goal as well. That is, management must understand, define, and then align risk management activities toward ethical shareholder wealth creation objectives. In doing so, risk management activities must be justified in terms of shareholder wealth creation. If wealth preservation or creation isn’t linked to risk management activities, then particular risk management activities should be challenged.
We believe that, to be effective, a framework for strategic risk management needs to include these three characteristics:
For example, Harley-Davidson’s recent letter to shareholders describes one of its strategic goals as expanding into international markets, particularly China and Japan. The letter also describes another strategic goal of enhancing its “H.O.G.” brand mystique and motorcycling lifestyle. In this case, the strategic desire to expand into Asian cultures, if left unmanaged, has the potential to create risks for its strategic desire to expand the Harley mystique if changes are made to Harley products to satisfy the preferences of riders in different cultures. To effectively manage strategic risks, management needs to monitor how each strategic initiative might be creating risks that impede other strategic objectives.17
Executive teams have used the Return Driven Strategy as a holistic framework to set, evaluate, refine, and execute strategy. It also has been integrated into strategic planning processes and used as a way to evaluate the impact of events and scenarios, including merger-and-acquisition scenarios, on a strategy’s performance. As directors and management have used the framework to evaluate the business strategy, they have been able to home in on key risks that could destroy shareholder value while considering the upside of risk in terms of the opportunities, thereby using it as a strategic risk management framework.
How risky is our strategy? What events and risk scenarios could ruin our business? Do we have the right countermeasures and risk management strategies in place? These are just some of the questions on the minds of executives and board members today.
A strategic risk management mindset focuses on examining how well a business strategy will perform under different scenarios and events. It encourages and supports thinking about scenarios where the strategy could perform so poorly that it could potentially result in significant losses, destruction of shareholder value, or a damaged corporate reputation. For example, management at Fidelity Investments knows that its strategy of providing investment services to an investor base all across the globe creates extraordinary demand for resiliency in its information technology functions. The tolerance for information systems outages or lack of access to pricing information approaches zero. They know that customers have little appetite for Fidelity to say its “systems are down.” Thus, one of the key areas of focus of Fidelity’s Risk Advisory Services Group is to oversee the business continuity planning processes at Fidelity.
A strategic risk mindset should also consider the “upside” of risk.18 For example, the Target Corporation sidestepped the competitive threat from Wal-Mart by focusing on a customer segment different from Wal-Mart’s and achieved profitable growth opportunities in the process. As another example, Samsung, confronted with serious brand erosion and commoditization risk, turned its attention to build on product innovation, speed to market, and a strong brand to turn a position of weakness into a position of market strength.
Risk can include loss of tangible assets, and it can also mean the potential loss of one of the company’s most valuable assets: its reputation.19 The H.J. Heinz Company has centered its enterprise risk management function on supporting an ultimate goal of protecting the Heinz reputation. In fact, its ERM program is known internally as “Enterprise Reputation and Risk Management (or ER2M).” Heinz’s ER2M helps the company meet two primary reputation-related goals: (1) to further support doing the common thing uncommonly well, and (2) to help Heinz become the most trusted packaged food company. To help management see the importance of thinking about risk and reputation, Heinz defines risk as “anything that can prevent the company from achieving its objectives.” They recognize that any event that affects the Heinz reputation in the food industry will directly impact its ability to achieve its objectives.
Ultimately, strategic risk management and ERM need to be connected with the potential impact on shareholder value. Effective strategic risk management should provide a way for identifying and evaluating how a wide range of possible events and scenarios will impact a business’s strategy execution, including the impact on the assets and shareholder value of the company. That’s how risk management is positioned at the Dow Chemical Company. The objective of effective enterprise risk management at Dow is to improve management’s ability to run its business with the view that if they can manage risks better, they can be more competitive. Management and the board realize they have the responsibility to pursue opportunities, which will require the assumption of risks. They seek to assume those risks in a well-managed, controlled manner that recognizes the reality that as new strategies are created, new risks arise that need to be managed.
The Return Driven Strategy framework provides a way to evaluate the strategic risks of a company from the perspectives of shareholder value risk, financial reporting risk, governance risk, customer and market risk, operations risk, innovation risk, brand risk, partnering risk, supply chain risk, employee engagement risk, R&D risk, and communications risk. It also provides a useful framework for understanding the cause-and-effect linkages in critical risk scenarios and explains how those scenarios would play out in the business strategy and impact profitability, growth, and shareholder value.20
The framework encourages thinking around these risk categories:
Research on high-performance companies can provide valuable insights about risk management. High-performance companies are vigilant to forces of change, and they manage risks and opportunities better than other companies. By better understanding how the success or failure of a business is driven by its plans and actions, we can improve how we value companies—and run our businesses.
Research about high-performance companies highlights that one of the challenges facing management teams is how to link business plans and enterprise risk management. There are three approaches for effective strategic risk management to consider: (1) a strategic risk assessment process, (2) a process to identify and protect Genuine Assets that are at risk, and (3) strategic risk monitoring and performance measurement.
A simple process for strategic risk assessment involves four steps:21
Here are some questions to address during a strategic risk assessment process:
There are several approaches to building a strategic risk management process. Several are described next.
Some of the most valuable assets of an organization aren’t on the balance sheet. Genuine assets include the most valuable tangible and intangible resources and capabilities of an organization and must be protected because some of them may be at risk.24 Companies routinely insure tangible assets on the balance sheet to protect against loss. But what about protecting the genuine assets?
Genuine assets are the tangible and intangible resources, capabilities, and traits that make an organization and its offerings unique, such as employee expertise, brand, reputation, and so on. As mentioned, some genuine assets appear on the balance sheet, but many don’t. As the “building blocks” of strategy, genuine assets form the basis for creating sustainable competitive advantages. And only through these advantages can you plan and execute business strategy that leads to higher returns, higher growth, and, ultimately, increased market value.
When identifying these assets, management should be very specific as to what the genuine asset is. They should think specifically about how it allows the company to accomplish its strategy in ways other firms couldn’t, thereby leading to higher performance. How difficult would it be for another firm to develop a similar genuine asset, allowing it to copy the activity that led to high performance? How long would it take? How much money would it cost?
To help identify and manage the risks to genuine assets, management should ask three questions:
Examples of genuine assets to consider in a risk assessment would include corporate reputation, customer information, competitor intelligence, vendor intelligence, specialized processes and capabilities, existing patents and trademarks, and intellectual property that should be protected with patents, trademarks, and other means.
Customer information is an example of a genuine asset that must be protected. Information security is a big issue at most companies, yet breaches occur, sometimes with significant potential impact. For example, the British government recently announced that government workers lost two computer disks containing names, addresses, dates of birth, national insurance numbers, and banking information for approximately 25 million residents of the United Kingdom, almost half its population. Effective risk management in the area of data security requires the right mindset and attitude toward information security among employees. It requires an understanding and awareness that the information on a $20 storage device or a $1,000 laptop, if not protected, could result in the loss of customers, corporate reputation, and shareholder value. It also requires controls that do not depend on that mindset alone, such as encrypting the data held on laptops and removable media and not copying complete customer records onto them in the first place.
Some genuine assets can themselves be part of an effective risk management strategy and help protect a company against risks. Having a “Plan B” in place for potential disruptions in critical parts of the supply chain, for example, is a genuine asset for effective strategic risk management. Another is a workforce whose risk mindset and risk attitude support the organization’s strategy and risk appetite.
Many people believe that the recent financial crisis is largely attributable to the failure to link performance incentives with risk management activities within the enterprise. Many executive compensation packages create unintended incentives for management to take on excessive risk exposures in order to hit specific performance targets tied to compensation.
Compensation incentives are typically designed to encourage executives to achieve strategic goals and initiatives, and boards have typically evaluated executives on whether they hit specific targets. Unfortunately, the risks created by those compensation packages are often overlooked. Boards are sometimes unaware of the full nature of the risk exposures that executives have created for the organization; as long as the expected returns are achieved, few questions are raised about the amount and types of risk being assumed.
The recent crisis is shining a brighter light on the risks inherent in these executive compensation packages, and regulations are now being established to bring more visibility to the risks associated with performance incentives. For example, the U.S. Treasury Department announced in January 2009 a new requirement for the chief executive officer (CEO) of financial institutions that receive federal funding under the Troubled Asset Relief Program’s (TARP) Capital Purchase Program. For those entities, the CEO must certify within 120 days of receiving the funding that the entity’s compensation committee has reviewed the senior executives’ incentive compensation arrangements with the senior risk officers to ensure that these arrangements do not encourage senior executives to “take unnecessary and excessive risks that could threaten the value of the financial institution.”
Effective strategic risk management should be a continual process that includes metrics for continuous monitoring of risk. An organization’s key risk indicators and metrics should link to the potential impact of risk on shareholder value. Holistic performance management systems such as the Balanced Scorecard give organizations an unprecedented opportunity to align strategy and performance measures with risk management—and to achieve integrated, strategic risk management.
With its focus on strategy and accountability, the Balanced Scorecard fosters a continuous process for risk assessment and risk management, and its framework can help management develop and use these risk metrics.
Strategy maps also can provide a useful way to understand the cause-and-effect relationships in critical risk scenarios and can suggest risk metrics that would be valuable in effective risk management. Risk dashboards can also provide a way to monitor key metrics and trends.
Kaplan and Norton’s closed-loop management system (the Execution Premium model) provides another useful platform for a systematic approach to strategic risk management that integrates with overall management.25 The Strategic Risk Management Lab at DePaul University has been working with management teams to help them embed strategic risk management into each stage of the management system.
These are just a few examples of using the closed-loop management system to drive better strategic risk management.
Strategic risk management is increasingly being viewed as a core competency at both the management and board levels. In fact, board members are increasingly focused on strategic risk management, asking executives such questions as “Of the top five strategic business risks the company faces, which ones are you looking at, and what countermeasures are you devising?” The Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation at DePaul University is sharing with management teams and boards emerging best practices gleaned from its research. Consider the following list of 10 practices worth striving toward.26
The need to connect strategy and enterprise risk management couldn’t be more relevant than it is in the current economic climate. Effective strategic risk management is likely to make the difference between survivability and demise for many. Designed effectively, the connection of ERM and strategy should be value-adding, allowing the enterprise to be more proactive and flexible in managing uncertainties tied to strategies as they unfold.
The key to successful strategic risk management is the ability to identify those risks embedded in the organization’s business strategy that are potentially the most consequential. Focusing on strategic risks serves as a filter for management and boards of directors to reduce the breadth of the risk-playing field and ensure that they are focused on the right risks.
Mark S. Beasley, PhD, CPA, is Deloitte Professor of Enterprise Risk Management and Professor of Accounting in the College of Management at North Carolina State University. He is the Director of NC State’s Enterprise Risk Management (ERM) Initiative (www.erm.ncsu.edu), which provides leadership about ERM practices and their integration with strategy and corporate governance. Mark currently serves on the board of the Committee of Sponsoring Organizations of the Treadway Commission (widely known as COSO). He has previously served on several national task forces and working groups, including the Auditing Standards Board SAS No. 99 Fraud Task Force and the advisory board for the Conference Board’s research on board of director responsibility for ERM. He is the author of textbooks, casebooks, and continuing education materials and has published extensively in business and academic journals. Mark is also a frequent speaker at national and international conferences on ERM, internal controls, and corporate governance, including audit committee practices. He received a BS in accounting from Auburn University and a PhD from Michigan State University.
Mark L. Frigo, PhD, CPA, CMA, is Director of the Center for Strategy, Execution, and Valuation and the Strategic Risk Management Lab in the Kellstadt Graduate School of Business at DePaul University, and Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership in the School of Accountancy at DePaul University. He is a leading expert in strategic risk management. The author of 6 books and more than 80 articles, his work is published in leading business journals including Harvard Business Review. He is the editor of the Strategic Management section of Strategic Finance and lectures frequently at universities and conferences in Europe. He is the co-author, with Joel Litman, of the book Driven: Business Strategy, Human Actions and the Creation of Wealth (www.returndriven.com). He received his BS in Accountancy from the University of Illinois and an MBA from Northern Illinois University, and completed postgraduate studies in the Kellogg Graduate School of Management at Northwestern University. He is a CPA in the State of Illinois and a Certified Management Accountant. Dr. Frigo received his PhD in Economics and Econometrics. Dr. Frigo serves as an advisor to executive teams and boards of directors in the area of strategic risk management.