The individual case studies were conducted with the most senior risk officer in the organization. A series of questions (Appendix A) was put together before any of the interviews took place. These were intended as a guide. Depending upon the extent of the ERM implementation, some questions were not asked. In other instances interviewers asked additional questions to gain further insight into the issues risk managers have been facing.

Interviews were conducted either in person or by telephone. The interviewer wrote up the case study from interview notes and the case study was triangulated back to the interviewee for concurrence. In some cases the interviewee had others in the organization read the material for additional observations or changes. Case studies were approved by the interviewees for inclusion in the book.

This practice was not followed for the two case studies, Risk Management Implementation in China, which was written by the author of this case. Agreeing Upon The Scope of the Project and the Job of the ERM Risk Manager was based upon an interview with the authors of this book and considered only one facet of the ERM process – negotiating the scope of the job and ERM project.

APPENDIX A – CASE STUDY INTERVIEW QUESTIONS

Question Categories

1. What is the organization?
   1. Legal entity: corporation, public, private, etc.?
   2. If government institution, services provided and revenue sources?
   3. If a business or not-for-profit, demographics: industry segment, major products, number of employees, total revenue, geographic markets, distribution channels?
   4. Competitive issues: e.g., emerging market, mature market, commodity, oligarchy, etc.?
   5. Important stakeholders (segments)?
   6. Mission and vision and social license to operate?
   7. Other information important to help understand the business (acquisitions, environmental, leadership style, etc.)?
2. What is the identified need for ERM?
   1. When?
   2. Why?
   3. Scope (including threats and opportunities – extended to partners and external dependencies)?
   4. Who made the decision?
   5. What are the regulatory or rating agency compliance issues (if not identified)?
   6. Other?
3. What has been the process of implementing ERM?
   1. Who is in charge of the ERM initiative?
   2. What is the project of ERM implementation?
   3. What is your role/your education and background?
   4. What is the hierarchy of those involved in ERM?
   5. What is the support of management and board?
   6. What strategic changes have been required?
   7. What organizational changes have been required?
   8. Other changes, e.g., systems, accounting, etc. (including data quality and adequacy to make informed decisions)?
   9. What were the tools developed: dashboards, etc.?
   10. What is the assurance process?
   11. What are or have been other implementation issues?
4. What are the critical risks associated with ERM?
   1. What critical risks were identified (prompt if necessary: operational, strategic, financial, reputation, other risks)?
   2. How were critical risks identified (SWOT, etc.)?
   3. What risk management tools are being used to treat critical risks?
   4. What surprise risks were identified, and/or what were the unexpected challenges associated with critical risks?
   5. Disruption planning: what are plans to deal with unanticipated disruptions; plans for resiliency in the event of major disruption?
   6. Describe other issues associated with risks.
5. What are the benefits of ERM / cost & benefit analysis?
   1. What are the metrics used?
   2. How do you measure success?
   3. What are the economic indicators important to your business?
   4. What are the incentives for management/others?
   5. What are the costs associated with ERM?
   6. What have been the surprise benefits?
   7. Other?
6. What are the problems or challenges associated with ERM?
   1. Implementation issues?
   2. Sustaining ERM over time?
   3. Engaging employees/management?
   4. Business model conflicts?
   5. Quantification of results?
   6. Learning curve?
   7. Strategic integration?
   8. Supply chain?
   9. Other?
7. What other surprises have come from your ERM experience?
8. What are the recommendations for others seeking to implement ERM?
   1. What to do?
   2. What not to do?
   3. What to avoid?
   4. What would you do/have done differently if given the opportunity?
   5. Under what conditions would you not recommend an organization begin an ERM implementation?
   6. Other?