CHAPTER 24
Enterprise Risk Management Lessons from the Field

WILLIAM G. SHENKIR

William Stamps Farish Professor Emeritus, University of Virginia’s McIntire School of Commerce

THOMAS L. BARTON

Kathryn and Richard Kip Professor of Accounting, University of North Florida

PAUL L. WALKER

Associate Professor of Accounting, University of Virginia

You can resist an invading army; you cannot resist an idea whose time has come.

—Victor Hugo

INTRODUCTION

As this is being written, the U.S. economy is reeling from what many describe as the worst financial crisis since the Great Depression. Analysts of the crisis have been asking: “How could so many capable executives, regulators, Congress, and the administration have underestimated the enormous risk in the subprime mortgage market and related areas such as securitized subprime loans and credit default swaps?” The crisis seems to indicate that the drive for profits by some organizations was accompanied by questionable risk management practices.

Before the current financial crisis, some leading opinion-making organizations recognized that enterprise risk management (ERM) was an idea whose time had come. In 1999, a blue ribbon commission of the National Association of Corporate Directors (NACD) concluded that audit committees should “define and use timely, focused information that is responsive to important performance measures and to the key risks they oversee” (National Association of Corporate Directors 1999, 2). Additionally, the commission stated that audit committees should develop an agenda that includes “a periodic review of risk by each significant business unit” (National Association of Corporate Directors 1999, 3). As further evidence of this risk awareness, a survey of chief financial officers and controllers in 2000 by the Financial Executives Institute ranked “key areas of business and financial risk” as the number one area of importance for audit committee oversight (Financial Executives Institute January 12, 2000).

ERM is a fairly new management discipline, but some companies have been implementing it for several years and have matured in their ERM efforts. This chapter highlights some key lessons that can be learned from these companies.1

LESSONS FROM THE ERM PROCESS

ERM is an iterative and disciplined process that can take many forms and designations but typically includes these key steps: clarifying strategies and objectives, identifying risks, assessing risks, acting upon those assessments, and monitoring risks. At the outset in ERM implementation, it is critical to the success of the initiative that C-level (CEO, CFO, chief audit executive) support is unwavering. Without that level of commitment, a project as important and overarching as ERM will not obtain the needed support and resources, or even survive.

Clarifying Strategies and Objectives

Organizations must clarify their strategy and related objectives before they identify their risks. These can be the company’s strategic objectives if ERM is being applied to the company as a whole. Alternatively, they can be a department’s objectives or the objectives for a new project if ERM is being applied at those levels. For example, an energy company used ERM to identify and manage risks around a new e-business initiative, as well as to identify and manage risks of the entire organization (Walker, Shenkir, and Barton 2002, 63).

Without this initial focus on strategy and objectives, managers have no way of knowing how their daily efforts and risk management processes relate to the organization’s goals. They would also have no way of knowing if they are managing the relevant risks. One of the early lessons companies glean from ERM is that many layers of the company including senior management, operating managers, and regular employees do not know or understand the strategies and objectives of the organization and how these, in turn, relate to their daily job and tasks. ERM compels companies to identify and focus on the organization’s strategies and objectives. Indeed, some companies have had to call a temporary halt in the ERM implementation process and spend time clarifying and interpreting the strategies and objectives with their associates before proceeding to the next step. One major retailer appropriately starts its ERM process with a focus on vision, strategy, and objectives (Walker, Shenkir, and Barton 2002, 129).

In the typical ERM process, risks are defined broadly to include any event or action that will prevent the organization from achieving its objectives. ERM reinforces priorities to everyone involved, and ultimately creates a focus on the risks surrounding those priorities. Knowing the priorities and the risks is essential to creating value for the stakeholders and to managing the company successfully. As one general auditor who served as the ERM process owner noted: “An organization cannot shrink its way to greatness—it must grow and one of the keys to successful growth is excellent risk management” (Walker, Shenkir, and Barton 2002, 87).

Identifying Risks

Companies identify their risks by using a variety of methods as shown in Box 24.1. In studying how companies have approached risk identification, it is clear that one technique cannot fit all organizations. Below we contrast the approaches of four companies to risk identification:

  1. Company A decided that it would not prescribe any particular technique to its business units but let them select the one that would work best for them.
  2. Company B, in focusing on the risks embedded in the organization’s strategies, used a facilitated workshop method with senior executives as participants. They were asked to brainstorm as a group on the possible risks. Using senior executives from across the business units greatly increased the value of the process because it helped the group learn how risks and objectives are correlated and how they can impact each of the business units differently. The sessions also allowed participants to rank the risks in terms of impact by using group software to vote anonymously on the risks. The company believed that the anonymity increased the reliability of the results.
  3. Company C used a combination of techniques. Initially, a questionnaire was sent to the operating units, which asked them to list not more than 10 of their strategies and objectives, identify the risks impacting those strategies and objectives, list the factors that contribute to the risks, state the management activities or controls that were in place to mitigate the risks, and finally to assess their readiness to seize opportunities and manage risks. After receiving the completed questionnaires, the internal audit unit (which operated the ERM process but did not own the risks) followed up with interviews to clarify the information received and then summarized the results. Workshops conducted by internal audit staff, who had been specially trained in facilitation skills, were used to rank the risks in terms of impact and likelihood.
  4. Company D instructed its units not to use questionnaires but to engage in face-to-face discussions in facilitated workshops to identify risks.

The risk identification process yields a risk language for the organization. Companies either develop their own risk frameworks or modify the frameworks of others to fit the unique qualities of their own organizations. Exhibit 24.1 provides an example of a generic risk template applicable to any company. It can be used to seed the discussion using the techniques shown in Box 24.1. Exhibit 24.2 is an example of a general risk template that could be used by specific operating units in an organization as they focus on their specific risks. Both templates are useful in helping participants consider the spectrum of risks and for seeding the risk identification process. Risk templates are also a valuable method for categorizing risks, allowing organizations to aggregate risks for upstream reporting to senior management and the board, and to better integrate risks.

Assessing Risk

The next step in the ERM process is to assess risk. Exhibit 24.3 shows an array of informal and formal, qualitative and quantitative approaches that are used by various organizations (Shenkir and Walker 2007a and 2007b). Some companies believe it is a necessary step to validate empirically a risk’s effect on the company using a traditional metric. As an example, one company quantifies all risks in terms of net operating profit (NOP) because not knowing the significance of the risk could lead to wasting valuable resources such as time and capital. The operating units at Microsoft are able to access “quantification resources” within the organization’s treasury group to assist “the business units in modeling a specific risk” (Barton, Shenkir, and Walker 2001, 128).

Many companies plot their assessments on risk maps (see Exhibit 24.4), which are constructive because they can summarize all of the significant risks in one visual display. Risk maps embody the 80/20 rule in that 80 percent of risk management focuses on 20 percent of the risks (Barton, Shenkir, Walker 2001, 136). The maps allow others such as senior executives and board members to review the identified risks and related rankings, thus enabling sharper focus and management of the key risks.

Exhibit 24.1 Business Risk Model—A Common Language

Source: Economist Intelligence Unit 1995, 15.


Exhibit 24.2 Industry Risk Portfolio

Source: Elkins 2006. Permission granted to use.


Exhibit 24.3 Qualitative and Quantitative Approaches to Assessment and Measurement

Source: Shenkir and Walker 2007a, B-1401; Shenkir and Walker 2007b, 12.

As shown in Exhibit 24.3, a number of techniques are available for measuring the impact of a specific risk in order to place it on a risk map. Some organizations tend to give more attention to quantification of impact and, as previously noted, will use a metric such as one based on net operating profit to that end. The determination of likelihood, on the other hand, might be based more on a consensus judgment among the participants in the specific area responsible for managing and monitoring the risk. Organizations whose cultures are measurement-oriented have found that ERM is more readily accepted by people in the organization when efforts are made to measure the impact of risks. As an example, one organization that implemented ERM is also committed to the Six Sigma problem-solving process: define, measure, analyze, improve, and control (DMAIC). When ERM was introduced, the director of ERM observed that management recognized a relationship between the Six Sigma process and ERM and as a result, ERM was more readily accepted into the culture.


Exhibit 24.4 Risk Map

Acting on the Risks

Once the risks surrounding the organization’s objectives are identified and assessed, the next step is to isolate the risks and then take appropriate actions on those risks. Possible actions related to a risk include accepting, avoiding, reducing, and sharing it. The goal is for the organization to make conscious decisions about risk even though that may mean choosing to accept the risk over the other actions. In Exhibit 24.5, the risk map shows that 12 risks have been identified, and risks one and eight are critical—high impact and high likelihood. The 12 risks were plotted on the risk map in their inherent state, which is before any further mitigation action. Taking some mitigation action moves risks one and eight in the direction of the arrows to their residual risk level, a position after mitigation action. The remaining question is: Can management accept the residual risks? Answering this question involves weighing the costs of additional mitigation action against the benefits of operating with further reduced risks. Another issue in mitigation is to recognize whether some risks are correlated. As an example, United Grain Growers (UGG), now part of Viterra, found highly correlated business risks that they had not been aware of before they embarked on their enterprise risk process. Subsequently, they transferred and reduced some of the risks in a bundled financing package and lowered their overall costs of managing the combined risks (Barton, Shenkir, Walker 2001, 161).
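As an added illustration of the assessing and acting steps above (our own code, not taken from the chapter or from any of the companies it describes), the following Python scores a constructed twelve-risk register on an impact and likelihood map, shows each risk’s inherent and residual position, flags the risks whose residual score still exceeds a stated risk appetite, and rolls residual scores up by template category for upstream reporting. The 1-to-5 scales, the threshold of 4 that defines the critical corner, the appetite figure of 9, and all risk names, owners and mitigation figures are assumptions made for the example.

```python
"""Added example (not the chapter's own material): a small risk register
scored on an impact x likelihood map, with inherent and residual positions,
a risk-appetite check, and a roll-up by template category for upstream
reporting. Scales, thresholds, names and the sample register are constructed
for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumption: 1..5 scales. The chapter's maps show only relative positions.
CRITICAL_THRESHOLD = 4   # impact and likelihood both >= 4 is the critical corner


@dataclass
class Risk:
    rid: int
    name: str
    category: str                  # category taken from the risk template
    impact: int                    # inherent impact, 1..5
    likelihood: int                # inherent likelihood, 1..5
    owner: str                     # person accountable for managing the risk
    mitigation: Optional[tuple[int, int]] = None  # (impact cut, likelihood cut)

    def inherent(self) -> tuple[int, int]:
        return (self.impact, self.likelihood)

    def residual(self) -> tuple[int, int]:
        """Position after the planned mitigation (the arrow on the map)."""
        if self.mitigation is None:          # risk consciously accepted as-is
            return self.inherent()
        di, dl = self.mitigation
        return (max(1, self.impact - di), max(1, self.likelihood - dl))


def score(impact: int, likelihood: int) -> int:
    return impact * likelihood


def quadrant(impact: int, likelihood: int, t: int = CRITICAL_THRESHOLD) -> str:
    if impact >= t and likelihood >= t:
        return "critical"
    if impact >= t:
        return "high-impact/low-likelihood"
    if likelihood >= t:
        return "low-impact/high-likelihood"
    return "low"


def critical_risks(register: list[Risk]) -> list[int]:
    """Ids sitting in the critical corner in their inherent state."""
    return sorted(r.rid for r in register if quadrant(*r.inherent()) == "critical")


def needs_further_action(register: list[Risk], appetite: int) -> list[int]:
    """Ids whose residual score still exceeds the stated appetite; these are
    the candidates for the cost/benefit discussion on further mitigation."""
    return sorted(r.rid for r in register if score(*r.residual()) > appetite)


def aggregate_by_category(register: list[Risk]) -> dict[str, int]:
    """Residual score totals per template category, for board reporting."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.category] = totals.get(r.category, 0) + score(*r.residual())
    return totals


def action_plan(register: list[Risk], appetite: int) -> list[tuple]:
    """One row per risk, highest inherent score first."""
    rows = []
    for r in sorted(register, key=lambda r: -score(*r.inherent())):
        ii, il = r.inherent()
        ri, rl = r.residual()
        decision = "accept" if score(ri, rl) <= appetite else "more action"
        rows.append((r.rid, r.name, r.owner, f"{ii}x{il}", quadrant(ii, il),
                     f"{ri}x{rl}", quadrant(ri, rl), decision))
    return rows


# Constructed register: risks 1 and 8 are critical inherently, as in the
# chapter's Exhibit 24.5; risks 5 and 9 are left unmitigated.
REGISTER = [
    Risk(1, "Key supplier failure", "Operational", 5, 4, "COO", (1, 2)),
    Risk(2, "Currency exposure", "Financial", 3, 2, "CFO", (0, 1)),
    Risk(3, "New product delay", "Strategic", 4, 2, "CMO"),
    Risk(4, "Regulatory change", "Strategic", 2, 4, "General Counsel"),
    Risk(5, "Data center outage", "Operational", 5, 2, "CIO"),
    Risk(6, "Interest rate move", "Financial", 2, 2, "CFO"),
    Risk(7, "Talent attrition", "Operational", 3, 4, "CHRO", (0, 2)),
    Risk(8, "Competitor price war", "Strategic", 4, 5, "CEO", (2, 1)),
    Risk(9, "Customer concentration", "Strategic", 4, 3, "CSO"),
    Risk(10, "Customer credit default", "Financial", 3, 2, "CFO", (1, 0)),
    Risk(11, "Safety incident", "Operational", 3, 1, "COO"),
    Risk(12, "Fraud", "Financial", 2, 3, "CAE", (0, 1)),
]
RISK_APPETITE = 9   # assumption: maximum residual score management accepts

if __name__ == "__main__":
    for row in action_plan(REGISTER, RISK_APPETITE):
        print(*row, sep=" | ")
    print("critical (inherent):", critical_risks(REGISTER))
    print("above appetite (residual):", needs_further_action(REGISTER, RISK_APPETITE))
    print("by category:", aggregate_by_category(REGISTER))
```

The residual position is only as good as the mitigation figures the risk owner supplies, which is why the chapter’s scorecards pair each mitigation with a self-assessed effectiveness rating and a named owner; a register that records the arrow without recording who is accountable for it will not survive the next board review.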


Exhibit 24.5 Risk Map

Monitoring Risks

Once the process and actions are underway, the final step includes monitoring the risk. Monitoring involves communication both upstream and downstream and across the organization. It also includes periodic reporting and follow-up on the risks by various levels of management, risk committees, and internal auditors. Additionally, monitoring should include board oversight and review. One monitoring approach that is evolving in ERM is the use of key (target) performance indicators (KPIs) or metrics as part of a risk scorecard.2 A KPI might also be used as a key risk indicator (KRI) or the two might be separate metrics. These risk-related metrics can be a valuable way to monitor the improvement of key risks and to link the improvement back to improved cash flow and earnings. As an example, Wal-Mart develops metrics incorporated into a scorecard to track performance on risks and to determine the company’s progress in managing the risk. They also use these metrics to determine the value added by the ERM process (Walker, Shenkir, and Barton 2002, 134). The discussion on metrics is continued below under the balanced scorecard discussion.

LESSONS FROM INTEGRATING ERM WITH ONGOING MANAGEMENT INITIATIVES

A director of ERM at a major company recently stated that his company’s goal is to “embed ERM in the rhythm of the business.” Some of the opportunities for integrating ERM into the rhythm of the business are: strategic planning, balanced scorecard (BSC), budgeting, internal auditing, business continuity planning and crisis preparedness, and corporate governance (Shenkir and Walker 2006a and 2006b; Shenkir and Walker 2007a).

Strategic Planning and ERM

The relationship among strategic planning, the balanced scorecard, and budgeting is depicted in Exhibit 24.6. The COSO view of ERM is specific in stating that implementation begins with strategic planning (COSO 2004a, 4). Although it is tempting to view ERM and strategy formulation as independent of each other, they are properly seen as complementary activities. A strategy is in danger of failure if it is devised without identifying the attendant risks, and without an assessment and management of the risks. Along these lines, ERM implementation must commence with a holistic identification of risks tied to the company’s strategy if it is to be complete (Nagumo 2005).

Observers have pointed to the mismanagement of strategic risks as a source of major declines in shareholder value. Two important studies support this claim. For the period 1993–1998, Mercer Management Consulting analyzed value destruction in the Fortune 1000 and found that 10 percent of these companies lost 25 percent of shareholder value within a one-month period. Mercer was able to track the losses back to their root causes and determined that 58 percent were triggered by strategic risk, 31 percent by operational risk, 6 percent by financial risk, and none by hazard risk (Economist Intelligence Unit 2001, 8). Booz Allen Hamilton analyzed 1,200 large firms (market capitalizations exceeding $1 billion) during the period of 1999 through 2003. The lowest-performing index for that period, the S&P 500, was set as a benchmark. Then the weakest performing companies were identified as those that trailed the S&P 500. The study concluded that strategic and operational failures were the prime triggers for losses of shareholder value. For the 360 worst performing companies, 87 percent of their value destruction was tied to mismanagement of strategic and operational risks (Kocourek et al. 2004).


Exhibit 24.6 Strategy, the Balanced Scorecard, and the Budget

Source: Adapted from Kaplan and Norton, The Strategy Focused Organization, 275.

In the process of formulating the company’s strategy, top management analyzes its strategic opportunities and identifies factors that could threaten their attainment. The risks embedded in each strategic opportunity are plotted on a risk map, and alternatives can be evaluated against the organization’s capabilities in both people skills and capital. Risks can also be checked for how they align with the company’s risk appetite.

The concept of risk appetite is central to ERM and strategic planning; it is the overall level of risk that an organization is willing to accept given its capabilities and the expectations of its stakeholders. What we see in the financial crisis of 2008 is that some boards and executive management teams did not clearly articulate and communicate the organization’s risk appetite and/or did not understand the risks they were assuming. Also, in some of the companies, risks were managed in silos as if they were independent of each other, without executive management and the board requiring information that provided an integrated perspective on all the potential, interconnected risks facing the organization (Morgenson 2008a and 2008b).

In considering strategic opportunities, companies can build their risk appetites into their decision-making processes. Presented below are examples:

  • Avoid the risk. Some strategic opportunities might be outside the risk appetite of the company and a conscious decision is made not to pursue them.
  • Accept the risk. Other strategies may be risky but can be managed and monitored carefully and thus will be pursued (e.g., operating in a high risk country).
  • Share the risk. Another strategy may be risky but the decision is made to pursue it through a joint venture.
  • Reduce the risk. Still another alternative strategy with considerable risk embedded in it might be pursued incrementally.

ERM improves strategy formulation because risks are identified, and the strategic opportunities are assessed given the company’s risk appetite. For example, the front end of the strategy formulation process is typically an environmental scan, which reveals risks and opportunities when performed comprehensively. ERM will lack the proper foundation otherwise. Integrating ERM with strategic planning forms the basis for a strategy-risk-focused organization (Shenkir and Walker 2006a).

A company’s strategic planning process may involve decisions regarding growth through acquisitions and mergers. ERM can be integrated effectively into the initial decision-making process to acquire a company, the integration with the acquired company, and the post-merger evaluation. As an example, the BOC Group, now part of Linde Group, is a British company that supplies a variety of gases to a broad spectrum of industrial users and has integrated risk assessment into its merger and acquisition process (Gates and Hexter 2005, 18; see Exhibit 24.7). The BOC risk management team focuses on these key areas in assessing the target company: people issues, financial risks, and the overall impact of the acquisition on the company. In addressing these issues, the case discussion on the target company highlights risks related to the target company in its business environment, the likely impact of the target company on BOC, its financial health, the future of the target company beyond the acquisition, and its operational complexity.


Exhibit 24.7 Risk Management in Acquisitions

Source: Gates and Hexter 2005, 20.

The business case for the acquisition given to BOC’s senior management and the board contains the initial risk assessment for the target company. Once the acquisition is approved by the board, the risk management team coordinates the due diligence activity, classifying the risks identified as key risks versus all other risks. When the merger is finalized, the risk management team leads the effort to discuss the integration of the key risks with the target firm’s employees. Finally, the risk management team is involved in the post-merger evaluation process, asking a question such as: “Were there any risks that should have been picked up?” (Gates and Hexter 2005, 20).

The Balanced Scorecard and ERM

The balanced scorecard (BSC) is a tool for communicating and cascading the company’s strategy throughout the organization. The conventional BSC captures the company’s strategy in four key perspectives: (1) customer, (2) internal processes, (3) innovation and learning, and (4) financial. Variations on these four perspectives exist in practice.

The BSC was launched in the early 1990s (Kaplan and Norton 1992) and as ERM has evolved, some organizations have integrated their BSC system with ERM to enhance performance management. In the BSC, objectives are identified for each of the perspectives; ERM begins with an understanding of objectives. For each BSC perspective, metrics (KPIs) are selected and stretch targets are established. ERM adds value to the BSC through the identification of events (risks) that could stand in the way of achieving the targets in each of the four perspectives. Management can assess how effectively the risk mitigation efforts are working by monitoring the KPIs. The KPIs for each perspective, then, also serve as KRIs although that was not their original purpose. For example, if a target for customer satisfaction is not achieved, this points to the existence of additional risks that must be identified. Effectively, the same metric can be used for monitoring both the strategy and the risk.

As shown in Exhibit 24.8, the conventional BSC can be integrated with ERM to manage and monitor risks related to the objectives in each of the perspectives (Shenkir and Walker 2006a and b, 2007a). This figure shows how one company used a risk scorecard for the key risks identified in each of the BSC perspectives to assign responsibility for managing the risk. The special risk scorecard begins with the specific objectives for the particular perspective. Then the key risks for each of those objectives are identified as well as the suggested control processes. The focus area specifies the risks as strategic, operational, or financial. Management’s self-assessment of its risk mitigation actions is shown in the worksheet by asking: “Is it in place? If so, how effective is it?” The last column focuses on identifying the owner of the risk—the person who is held accountable for managing it. A risk scorecard maintained on the company’s intranet allows managers to review the scorecard at any time, adding strength to the accountability for the management of the risk.


Exhibit 24.8 Balanced Scorecard and Strategic Risk Assessment

*Effectiveness Rating: 1 to 10, with 10 being very effective.

Budgeting and ERM

A company’s budget shows its financial commitment in the current year to achieve the organization’s long-term strategy. The annual budget can be integrated with ERM to provide insights on what the strategic business unit’s leadership sees as the risks to meeting its financial plan and other strategic objectives. In the conventional budgeting process, the leadership of the strategic business unit presents its profit plan to senior management, who then probe and ask questions to uncover the risks implicit in the numbers. A company that has progressed in its ERM implementation will ask each operating unit to include a risk map for the unit when it submits its budget.

These risk maps (as shown in Exhibit 24.4 and 24.5) provide information to senior management as to the major risks associated with meeting the financial plan and other strategic objectives for the year. A risk map gives senior management critical insight in the budget review process without having to waste time uncovering the implicit budget risks separately. It is clear that operating units should be knowledgeable about their risks to meet their budget targets. An added benefit of risk maps for the budget is this: senior management can compare the risks they have identified in the strategic plan with those identified by the operating units in the budgets. Any disparities between the two can be further analyzed.

When a risk map accompanies the budget, senior management can ask questions about the costs in the budget that relate to risk mitigation decisions for the high impact/high likelihood risks such as risks one and eight in Exhibit 24.5. Also, if a decision was made not to mitigate certain risks such as five and nine in this figure, it is important to understand the potential impact on the unit’s cost structure by making that decision. Another relevant issue is to understand to what extent the cost of mitigating or accepting a risk has been built into the price of the product or service sold by that operating unit. ERM coupled with the budget review process can enrich a discussion and lead to a better understanding of the risks standing in the way of achieving budget targets, KPIs, and other strategic objectives. Combining ERM and budgeting can also lead to further risk identification. One company’s budgetary pressure was so tight that management realized that it was leading to missed strategic opportunities to develop new products and areas of business.

Internal Auditing and ERM

Internal auditing and the chief audit executive can have an important role in implementing and integrating ERM across an organization, especially in organizations in which internal auditing has undergone a paradigm shift (McNamee and Selim 1998). The shift could include a movement from an internal control approach to a business risk approach, and from testing important internal controls to examining important business risks. To reflect this paradigm shift, the Institute of Internal Auditors (IIA) even changed the definition of internal auditing as follows: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes” (IIA, emphasis added). This shift in thinking by internal auditors and chief audit executives is valuable to senior level managers who need assistance in changing how an entire organization manages risk. However, it is important to remember that ERM is not exclusively an internal audit activity. For real efficacy, ERM must involve multiple levels of management and employees and be integrated in all aspects of the business including strategy, operations, accounting, information technology, and human resources.

One organization that has strongly embraced ERM is Canada Post Corporation (CPC) (Walker, Shenkir, and Barton 2002). The CPC’s chief audit executive is required by the board to provide an annual assessment of the greatest risks facing the organization and an evaluation of the control effectiveness surrounding those risks. To provide the required risk and control assessments, CPC developed an integrated risk management process called Dynamic Assessment of Risk and Enablers (D.A.R.E.) that is designed to answer three questions:

  1. Is CPC likely to achieve its objectives?
  2. Is CPC managing the organization’s significant risks?
  3. Is CPC recognizing opportunities and acting on them?

It seems obvious that these are questions that all organizations in the twenty-first century should be asking.

The D.A.R.E. process was developed by the internal audit unit and ties into CPC’s overall risk process. The risks CPC is trying to manage are broadly defined as anything that will keep it from achieving its objectives. CPC has developed its own risk framework that is unique to its activities. In accord with normal ERM practice, CPC ranks risks to determine their potential impact on the organization. For any risk that is ranked as exceeding a certain level, an action plan by the risk owner is required. Internal audit also follows up on those action plans and reports to the board of directors on outstanding action plans and progress on those plans. This process strongly enhances the corporate governance process at CPC.

Business Continuity Planning, Crisis Preparedness, and ERM

Some unknown risks will remain unknown at the end of the process regardless of how robust the effort to identify risks. A company can prepare for these unknown risks through its business continuity and crisis management plan, which is an essential element of the ERM process. It is not unusual for the owner of the ERM process, not of the specific risks, to also have oversight over business continuity (Walker, Shenkir, and Barton 2002, 99).

Chat rooms, bloggers, message boards, e-mail lists, independent news web sites, and other Internet-based new media have changed the informational landscape. A company must be prepared to recognize a crisis and respond swiftly and decisively to contain it before severe damage is done to its reputation and brands. A company needs to “play war games” to test the crisis management plan and to ensure that all the key employees know their roles. In addition, communication with the entire work force about the plan in advance of a crisis is an essential part of the preparation.

When a crisis occurs, it does not generally evolve in a linear way. This is because a series of reactions and events in other areas, within or outside the organization, may be triggered if the crisis is not recognized and dealt with quickly (Walker, Shenkir, and Barton 2002, 100). In effect, without quick containment, the initial event may have a ballooning impact and may develop exponentially. To illustrate, a major company sold contaminated product in two countries and some purchasers fell ill. The company failed to acknowledge the crisis quickly and as a result, the governments of the two countries removed the product from store shelves. After some delay, the CEO traveled from the United States to the countries and eventually made a public apology. By then, though, the damage had been done: the company’s stock price fell precipitously and eventually the CEO was replaced.

Corporate Governance and ERM

Corporate governance is receiving much attention today, and ERM strengthens corporate governance in a number of ways (Walker, Shenkir, and Barton 2002, 26–28). An individual who serves on several boards has noted to the authors that if a company on whose board he has been asked to serve has not adopted an ERM process and identified its key business risks, he requests that external consultants come in and perform a risk assessment. He does not feel comfortable joining a board without ERM as a part of the corporate governance structure.

As noted previously, the National Association of Corporate Directors has suggested that audit committees develop an agenda that includes a periodic review of risk “by each significant business unit.” Additionally, failure to manage risk can lead to missed opportunities and loss of shareholder value, adding pressure (both internal and external) to improve corporate governance.

As depicted in Exhibit 24.9, reporting to the board and audit committee on the key risks facing the organization is one way ERM can improve corporate governance. An arrangement often adopted is this: the chief audit executive owns the ERM process and he or she reports directly to the board’s audit committee.3 The chief audit executive might also survey the audit committee and ask whether “the internal audit function has provided a reliable, overall assessment of risks and internal control effectiveness” (Walker, Shenkir, and Barton 2002, 50).

ERM results in enhanced upstream reporting to the board and audit committee and the type, volume, and frequency of information changes with ERM. Canada Post’s chief audit executive is required to report annually on all major business risks to the audit committee. Wal-Mart reported that it is not just the reporting that is helpful, but also the quantity of information available to the board. Wal-Mart’s board is interested in risks and often asks questions on how management is addressing risks. As a result, the chief audit executive at Wal-Mart reports to the board on the top risks, presents risk maps, and discusses the action plans and linkage to shareholder value (Walker, Shenkir, and Barton 2002, 125).

Other forms of corporate governance improvement show up in the appointment of chief risk officers, ERM committees, and risk champions. For example, Wal-Mart appointed a risk committee and that committee reports to the board on progress toward targeted risks. Some organizations have designated risk champions for the ERM process while others appointed champions for a specific risk.

The previously mentioned changes that occur in internal auditing also improve corporate governance. Internal auditors now take a more business-oriented approach, develop greater knowledge of the business and its risks, and change their audit approach to focus on those business risks, resulting in greater risk coverage and efficiency for their organizations. Furthermore, internal auditing can now perform more effective follow-ups on outstanding ERM scorecards and metrics. These same scorecards and metrics can also be used to increase management accountability and follow-up, especially when management knows that there is upstream risk reporting to the board and audit committee. Corporate governance is enhanced when an operating unit, as a result of process risk management, develops an action plan listing improvements that must be made with specific people assigned the responsibility to follow up. In addition, the action plans can be stored on a centralized database to facilitate management review and monitoring.


Exhibit 24.9 Corporate Governance and ERM

Source: Walker, Shenkir, and Barton 2002, 27.

SOME KEY VALUE LESSONS FROM ERM

A key lesson from ERM case studies (Barton, Shenkir, and Walker 2001; Walker, Shenkir, and Barton 2002) is the belief on the part of each company that ERM was adding value (see Box 24.2). But the sources of the value tended to be unique across the companies. Some saw the value as reduced revenue volatility and a more predictable earnings stream. Other companies saw value in the risk identification step. That is, these companies admitted that, prior to implementing ERM, they did not know or understand all of their risks. It is somewhat surprising to consider that large organizations are operating in an environment in which they do not know their major risks. Other companies saw value simply in the increased probability that, by knowing their risks, they were avoiding potential debacles.

Still other companies took great pride in the value gained from integrating the risks—that is, from understanding how actions in one area (such as the CFO or controller’s office) affect the actions of other areas (such as the company’s strategic planning group). Some companies noted that they found that they were over-managing some risks and under-managing other, more significant risks. As a result, these companies believed that ERM helped them better evaluate management and allocate resources. Although some companies were satisfied with risk maps and qualitative rankings, others took risk measurement to a new level and attempted to quantify what they could; and they were not overly concerned if they did not capture everything in their measurements. One company learned from its risk measurement that certain divisions have financial risks that appear to exceed the relative profits they bring in to the overall organization. Peter Cox, former Chief Financial Officer of United Grain Growers (now Viterra), appropriately stated at the time, “I think the point to risk management is not to try and operate your business in a risk-free environment. It is to tip the scale to your advantage. So it becomes strategic rather than just defensive” (Barton, Shenkir, and Walker 2001, 143). Several other value lessons learned from the companies are highlighted in Box 24.2. These lessons include the dynamic nature of risk identification, understanding the risk appetite of stakeholders, making risk assessment a normal part of decision making, and establishing risk infrastructures.

One company also emphasized that value was added through the ERM process itself. In fact, Wal-Mart’s chief financial officer required the ERM team to link the risk process to value added in the organization. Additionally, while the role of internal audit was critical to these organizations, most of the chief audit executives interviewed in the study mentioned that internal auditing itself greatly benefited from being involved. They noted how it forced their audit team to think “like managers” rather than internal auditors, and how their audit team gained a broader knowledge of business risk (Walker, Shenkir, and Barton 2002).

One of the major value statements of an ERM effort was improvement in corporate governance. This was accomplished through the emergence of risk champions, risk committees, and in some cases, chief risk officers. That is, by designating employees and teams to identify and assess the risk, the organizations learned more about themselves and their risks than they had ever realized. This information alone—knowing the key risks facing the business—can make the process worth the effort. Armed with information about the key risks, management can better evaluate risks taken, profits made, merger prices, and hedged risks; allocate resources more efficiently; and even increase the chances that their organization will meet earnings, revenue, and cash flow targets. Furthermore, this information can be reported upstream to audit committees and boards of directors so that improved corporate governance can occur. What board or audit committee member, for example, does not want to know the major risks facing the organization and what management is currently doing to manage those risks?

CONCLUSION

In the perilous economic times of today, enterprise risk management is a necessity, not a luxury. Effective business management requires that firms understand all of their risks and have plans in place to manage those risks in a unified, integrated manner. Failure to do so may result in a modest decline in shareholder value all the way to the complete financial destruction of the firm. Recent events demonstrate that this latter result is not at all far-fetched, even for large, mature organizations that dominate their industries.

Over the years, ERM has been implemented effectively in a number of organizations of varying sizes. Many of these organizations have generously shared their accumulated knowledge and insights—their lessons from the field. They believe that ERM has been a worthwhile undertaking, creating significant added value for stakeholders. ERM is the wave of the future, and organizations that refuse to recognize this do so at their own peril.

NOTES

REFERENCES

American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants. 2000. Managing risk in the new economy. New York: AICPA.

Barton, T.L., W.G. Shenkir, and P.L. Walker. 2001. Making enterprise risk management pay off. Upper Saddle River, NJ: Financial Executives Research Foundation.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal control—Integrated framework: Executive summary framework. New York: AICPA.

———. 2004a. Enterprise risk management—Integrated framework: Executive Summary framework. New York: AICPA.

———. 2004b. Enterprise Risk Management—Integrated Framework: Application Techniques. New York: AICPA.

Economist Intelligence Unit. 1995. Managing business risks—An integrated approach. New York: The Economist Intelligence Unit.

———. 2001. Enterprise risk management—Implementing new solutions. New York: The Economist Intelligence Unit.

Elkins, D. 2006. Managing risks in global automotive manufacturing operations. Presentation at the University of Virginia (January 23).

Financial Executives Institute. 2000. Survey: Audit committees should focus on key business risks. FEI Press Release (January 12).

Gates, S., and E. Hexter. 2005. From risk management to risk strategy. New York: The Conference Board.

Kaplan, R.S., and D.P. Norton. 1992. The balanced scorecard—Measures that drive performance. Harvard Business Review (January–February): 71–79.

———, and ———. 2001. The strategy-focused organization. Boston, MA: Harvard Business School Press.

Kocourek, P., R.V. Lee, C. Kelly, and J. Newfrock. 2004. Too much SOX can kill you. Strategy+Business (Reprint, January): 1–5.

McNamee, D., and G.M. Selim. 1998. Risk management: Changing the internal auditor’s paradigm. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.

Morgenson, G. 2008a. Behind biggest insurer’s crisis, a blind eye to a web of risk. New York Times (September 28): 1 and 18.

———. 2008b. How the thundering herd faltered and fell. New York Times (November 9): BU 1 and 9.

Nagumo, T. 2005. Aligning enterprise risk management with strategy through the BSC: The Bank of Tokyo-Mitsubishi approach. Balanced Scorecard Report (Harvard Business School Publishing, Reprint No. B0509D, September–October): 1–6.

National Association of Corporate Directors. 1999. Report of the NACD blue ribbon commission of audit committees—A practical guide. National Association of Corporate Directors.

Shenkir, W., and P.L. Walker. 2006a. Enterprise risk management and the strategy-risk-focused organization. Cost Management (May–June): 32–38.

———, and ———. 2006b. Enterprise risk management: Framework, elements, and implementation. Montvale, NJ: IMA.

———, and ———. 2007a. Enterprise risk management. Washington, DC: BNA.

———, and ———. 2007b. Enterprise risk management: Tools and techniques for effective implementation. Montvale, NJ: IMA.

Walker, P.L., W.G. Shenkir, and T.L. Barton. 2002. Enterprise risk management: Pulling it all together. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.

FURTHER READING

Augustine, N.R. “Managing the Crisis You Tried to Prevent.” Harvard Business Review (November–December 1995): 147–158.

Barton, T.L., W.G. Shenkir, and P.L. Walker. “Managing Risk: An Enterprise-wide approach.” Financial Executive (March–April 2001): 48–51.

———, ———, and ———. “Managing the Unthinkable Event.” Financial Executive (December 2008): 24–29.

Bernstein, P.L. Against the Gods—The Remarkable Story of Risk. New York: John Wiley & Sons, 1996.

Bodine, S., A. Pugliese, and P. Walker. “A Road Map to Risk Management.” Journal of Accountancy (December 2001).

Corporate Executive Board. Confronting Operational Risk—Toward an Integrated Management Approach. Washington, DC: Corporate Executive Board, 2000.

DeLoach, J.W. Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity. London: Financial Times, 2000.

Deloitte & Touche LLP. Perspectives on Risk for Boards of Directors, Audit Committees, and Management. Deloitte Touche Tohmatsu International, 1997.

Epstein, M.J., and A. Rejc. Identifying, Measuring, and Managing Organizational Risks for Improved Performance. Society of Management Accountants of Canada and AICPA, 2005.

Gibbs, E., and J. DeLoach. “Which Comes First … Managing Risk or Strategy-Setting? Both.” Financial Executive (February 2006): 35–39.

King Committee on Corporate Governance. King Report on Corporate Governance for South Africa. Institute of Directors in Southern Africa, 2002.

Joint Standards Australia/Standards New Zealand Committee. Risk Management. Standards Australia/Standards New Zealand, 2004.

———. Risk Management Guidelines. Standards Australia/Standards New Zealand, 2004.

Kaplan, R.S., and D.P. Norton. “Putting the Balanced Scorecard to Work.” Harvard Business Review (September–October 1993): 134–147.

Kaplan, Robert S., and David P. Norton. The Balanced Scorecard. Boston, MA: Harvard Business School Press, 1996.

“Living Dangerously: A Survey of Risk.” The Economist (January 24, 2004): 1–15.

Miccolis, J.A., K. Hively, and B.W. Merkley. Enterprise Risk Management: Trends and Emerging Practices. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2001.

Nagumo, T., and B.S. Donlon. “Integrating the Balanced Scorecard and COSO ERM Framework.” Cost Management (July/August 2006): 20–30.

New York Stock Exchange. Final NYSE Corporate Governance Rules. (November 4, 2003).

Nottingham, L. A Conceptual Framework for Integrated Risk Management. The Conference Board of Canada, 1997.

Schwartz, P. The Art of the Long View. New York: Currency Doubleday, 1991.

Shenkir, W.G., and P.L. Walker. “Ensemble Performance.” Business Officer (December 2008): 14–20.

Simons, R.L. “How Risky Is Your Company?” Harvard Business Review (May–June 1999): 85–94.

Smith, Wendy K. “James Burke: A Career in American Business (A) (B).” Harvard Business School Cases 9-389-177 and 9-390-030. Harvard Business School Publishing, 1989.

Slywotzky, A.J., and J. Drzik. “Countering the Biggest Risk of All.” Harvard Business Review (Reprint R0504E, April 2005): 1–12.

Stroh, P. “Enterprise Risk Management at United Health Group.” Strategic Finance (July 2005): 27–35.

Thornton, E. “A Yardstick for Corporate Risk.” Business Week (August 26, 2002): 106–108.

Walker, P.L., W.G. Shenkir, and T.L. Barton. “ERM in Practice.” Internal Auditor (August 2003): 51–55.

Walker, P.L., W.G. Shenkir, and S. Hunn. “Developing Risk Skills: An Investigation of Business Risks and Controls at Prudential Insurance Company of America.” Issues in Accounting Education (May 2001): 291–304.

———, and ———. “Teaching a Risk Assessment Course.” Advances in Accounting Education, 2000: 33–56.

ABOUT THE AUTHORS

William G. Shenkir, PhD, CPA, is the William Stamps Farish Professor Emeritus at the University of Virginia’s McIntire School of Commerce, where he served on the faculty for almost 40 years and as the dean from 1977 to 1992. He has co-authored three books on enterprise risk management and continues to consult in the area.

He has produced more than 60 professional publications in leading academic and practitioner journals, made more than 100 presentations before professional and academic organizations, and edited or co-authored eight books. From 1973 to 1976, he served on the staff of the FASB. Shenkir has served as President of the Association to Advance Collegiate Schools of Business International (AACSB) and as a Vice President of the American Accounting Association. He has served on numerous professional committees and on the board of directors of three corporations.

In 1995 he received the Virginia Outstanding Educator Award from the Carman Blough Chapter of the IMA, and in 1997 he was recognized as one of the 10 University of Virginia Distinguished Professors in the students’ yearbook, Corks and Curls.

Thomas L. Barton, PhD, CPA, is Kathryn and Richard Kip Professor of Accounting at the University of North Florida. He holds a PhD in accounting from the University of Florida and is a certified public accountant (CPA). Dr. Barton has more than 50 professional publications, including research articles in Barron’s, Decision Sciences, Abacus, Advances in Accounting, Financial Executive, CPA Journal, and Management Accounting; and five books and one audio book. He received the Lybrand Silver Medal for his article, “A System is Born: Management Control at American Transtech.” Dr. Barton is the creator of the Minimum Total Propensity to Disrupt method of allocating gains from cooperative ventures. This method has been the subject of several articles in Decision Sciences. He is also a recognized expert in the application of management controls to highly creative activities.

Dr. Barton has taught more than 150 professional development seminars and has extensive consulting experience with a wide cross section of organizations in the public and private sectors. Dr. Barton is the recipient of several teaching awards for his undergraduate and graduate work. He was a winner of the State University System of Florida’s prestigious Teacher Incentive Program award in the program’s inaugural year.

Paul L. Walker, PhD, CPA, is an accounting professor at the University of Virginia. Professor Walker co-developed one of the first courses on enterprise risk management in the world. He has taught ERM at the University of Virginia, to numerous executive groups, and to boards. Professor Walker has also served as a visiting fellow at the London School of Economics Centre for the Analysis of Risk.

Professor Walker was one of the original consultants to COSO on their enterprise risk management process and framework and has served as an advisor to both small and large organizations on enterprise risk management (including the Federal Reserve Bank, several Fortune 500 companies, a leading university, and international companies). Additionally, he has been invited to train international audiences on ERM, including companies with operations in South Korea, Japan, and Belgium.

Professor Walker has visited the headquarters of some major companies (e.g., Wal-Mart, Microsoft, and DuPont) to study their ERM processes. Professor Walker has co-authored numerous manuscripts on enterprise risk management including the books Making Enterprise Risk Management Pay Off and Enterprise Risk Management: Pulling it All Together. He has also co-authored several articles on ERM including: “Managing Risk: An Enterprise-Wide Approach,” “A Road Map to ERM” and “ERM and the Strategy-Risk Focused Organization.”
