enterprise risk management as a core management process

BEST PRACTICES REPORT

RISKY BUSINESS II:Enterprise Risk Management as a Core Management Process

This page is left blank intentionally for double-sided printing.

1Risky Business II: Enterprise Risk Management as a Core Management Process

MEMBERshIP InfoRMaTIonFor information about how to become a member of APQC, and to receive publications and other benefits, call 800-776-9676 or +1-713-681-4020, or visit our Web site at www.apqc.org.

CoPyRIghT©2008 APQC, 123 North Post Oak Lane, Third Floor, Houston, Texas 77024-7797 USA. This report cannot be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, faxing, recording, or information storage and retrieval.

Additional copies of this report may be purchased from the APQC Order Department at 800-776-9676 (U.S.) or +1-713-685-7281. Quantity discounts are available.

IsBn-10: 1-60197-148-6IsBn-13: 978-1-60197-148-7

sTaTEMEnT of PuRPosEThe purpose of publishing this report is to provide a reference point for and insight into the processes and practices associated with certain issues. It should be used as an educational learning tool and is not a “recipe” or step-by-step procedure to be copied or duplicated in any way. This report may not represent current organizational processes, policies, or practices because changes may have occurred since the completion of the study.

* The IBM Logo is a registered trademark of IBM in the United States and other countries and is used under license. IBM responsibility is limited to IBM products and services and is governed solely by the agreements under which such products and services are provided.

a best practices report from

P U B L I C A T I O N S

P ®OA C

In collaboration with Research Champion*

EditorLauren Trees

subject Matter ExpertsBob Paladino, founder, Bob Paladino & Associates

William Shenkir, Ph.D., CPA, William Stamps Farish Professor Emeritus, University of Virginia

Contributing authorsStephanie CarlinBob PaladinoWilliam ShenkirGerry SwiftAngelica Wurth

study TeamGerry Swift, project managerAngelica Wurth, special adviserAPQC

DesignersDavid AndrewsConnie Choate

Risky Business II: Enterprise Risk Management as a Core Management Process

This page is left blank intentionally for double-sided printing

C h a p t e r n u m b e r


4 sponsor and Partner organizations

A listing of the sponsor organizations in this study, as well as the

best-practice (“partner”) organizations that were benchmarked for

their efforts in enterprise risk management.

5 Executive summary

A bird’s-eye view of the study presenting the study focus, the methodology

used throughout the course of the study, key findings, and a profile of

participants. The findings are explored in detail in the following sections.

11 study findings

An in-depth look at the findings of this study. The findings are supported

by quantitative data and qualitative examples of practices employed by

the partner organizations.

53 Partner organization Case studies

Background information on the partner organizations and their

innovative practices in enterprise risk management.

Contents

tabLe OF COntentS

Risky Business II: Enterprise Risk Management as a

Core Management Process


OrganizatiOnS


Sponsor Organizations

American Electric Power (AEP)Fonterra Cooperative Group LimitedThe Hartford Financial Services Group Inc.*Microsoft CorporationNew York Independent System Operator (NYISO)Textron Inc.

Partner Organizations

* This organization participated as a data-only partner.

CHRISTUS HealthEl Paso CorporationLloyd’s Register GroupMarathon Oil CorporationPublic Service Enterprise Group (PSEG) U.S. Army, ARDECU.S. Coast GuardU.S. Depar tment of the NavyVisa Inc.

Risky Business II: Enterprise Risk Management as a Core Management Process5

Executive Summary

I n today’s global business environment, leaders of organizations must deal with a myriad of complex risks, many of which carry potentially substantial

consequences. Stakeholders demand that these leaders employ methodologies to uncover the risks embedded in any given opportunity as well as the risks inherent in ongoing business operations. Many businesses are implementing enterprise risk management (ERM) as a program to improve the identification, assessment, and management of risks across internal silos.

Although ERM is a relatively young management discipline, this consortium benchmarking study has identified five organizations with advanced ERM programs. The report you are about to read describes how the leaders of these organizations implemented ERM across business units and embedded ERM in core management processes to improve decision making. Throughout the report, APQC offers valuable insights on developing strategic risk management processes and fostering a risk-conscientious culture. These two components are essential for establishing an effective ERM program and are emphasized in other leading evaluations, such as Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings (2008).

— William G. Shenkir, a special adviser on this consortium benchmarking study

Research indicates that strategy execution continues to challenge many companies where executives are faced with new and more potent risks. While working on APQC’s two ERM studies in 2006 and 2008, I have observed that the ERM body of knowledge and the application of strategic risk management frameworks are still maturing. There are, however, best-practice partner organizations illuminating the path for the rest of us, and I am extremely grateful to them. Our hope is that this study will help your organization improve its ability to identify, mitigate, manage, and report on ERM in a valued manner.

— Bob E. Paladino, a special adviser on this consortium benchmarking study


exeCutive Summary


StuDy SCOpeThe organizations selected for deep, detailed study through structured data collection and site visits (referred to throughout the report as “best-practice organizations” or “study partners”) demonstrate innovative performance in one or more of the following study focus areas:

1. optimizing the ERM organizational structure;2. identifying, implementing, and maintaining supporting ERM methodologies;3. using ERM for effective decision making; and4. using ERM for performance improvement.

The goal of this study was to examine organizations that excel in one or more aspects of the study scope and to aggregate the best practices from all the organizations studied. To achieve this goal, the APQC study team identified potential best-practice partners that demonstrated excellence and a history of success in the four scope areas. Project sponsors then selected the final list of partners from among the candidates.

OvervieW OF FinDingSThe study team discovered 10 principal findings from studying the best-practice organizations. These findings have been organized into the following chapters, which map closely to the study scope. Each chapter explores key findings and supports them with brief examples from the study partners; additional details on the best-practice organizations can be found in their respective case studies at the end of this report.

Chapter 1: optimizing the ERM organizational structure1. Best-practice organizations establish clear structures for ERM involving

executive-level support.2. Senior leaders understand the impact of risk information.3. A holistic approach to risk management enables improved understanding of

critical risks.

Chapter 2: ERM support Tools and Methodologies4. Best-practice organizations use a variety of methodologies to identify, assess,

aggregate, and report risks. 5. Currently, the technology of choice for ERM among the partner organizations

is Microsoft Office.

Chapter 3: using ERM for Effective Decision Making6. A focus on risk management creates a culture of informed risk takers.7. Risk information must be effectively communicated across the enterprise in

order to influence decision making.


Chapter 4: using ERM for Performance Improvement

8. Effective risk management is evaluated as an organizational key performance indicator.

9. Best-practice organizations use risk management as an individual performance indicator.

10. Evaluation of ERM effectiveness is in the early stages of maturity.

Chapter 5: The “Essentials” of ERMThis chapter details lessons learned and critical success factors for effectively managing enterprise-wide risks.

StuDy methODOLOgyDeveloped in 1993, APQC’s consortium benchmarking study methodology (Figure 1) serves as one of the world’s premier methods for successful benchmarking. It was recognized by the European Center for Total Quality Management in 1995 as first among 10 leading benchmarking organizations’ models. It is an extremely powerful tool for identifying best and innovative practices and for facilitating the actual transfer of these practices.

Phase 1: PlanThe planning phase of the study began in fall 2007. During this phase, APQC conducted secondary research to help identify innovative organizations that might participate as study partners. In addition to this research, APQC staff members and the subject matter experts identified potential participants based on their own firsthand experiences, research, and sponsor recommendations. Each recognized organization was invited to participate in a screening process. Based on the results of the screening process, as well as each organization’s capacity or willingness to participate in the study, a final list of nine potential partner candidates was developed.

A study kickoff meeting was held in April 2008, during which the sponsors refined the study scope, gave input on the data collection tools, and selected the study partners at which they would most like site visits to be conducted. Finalizing the data collection tools and piloting them within the sponsor group concluded the planning phase.

Phase 2: CollectThree tools were used to collect information for this study:1. screening questionnaire—qualitative and quantitative questions designed to

identify best practices within the partner organizations;2. detailed questionnaire—quantitative questions designed to collect objective,

quantitative data across all participating organizations; and3. site visit guide—qualitative questions that parallel the areas of inquiry in the

detailed questionnaire, which serves as the structured discussion framework for all site visits.

exeCutive Summary



APQC’s Benchmarking Model:The Four-Phased Methodology

Figure 1


Along with the nine sponsor organizations, five best-practice partners completed the detailed questionnaire: American Electric Power, Fonterra Cooperative Group Limited, The Hartford Financial Services Group Inc. (a data-only study partner), Microsoft Corporation, and Textron Inc. Four of these five organizations also hosted site visits, and study partner New York Independent System Operator hosted a fifth site visit.

The APQC study team prepared a written report (case study) of each site visit and submitted it to the partner organization for approval or clarification. The case studies are included at the end of this report.

Phase 3: analyzeThe subject matter experts and APQC analyzed the quantitative and qualitative information obtained through the data collection tools. Analysis concentrated on examining the challenges that organizations face in the four study focus areas. The analysis of the data, as well as case examples based on the site visits, is contained in this report.

Phase 4: adaptAdaptation and improvement, stemming from identified best practices, occur after readers apply key findings to their own operations. APQC staff members are available to help create action plans appropriate for readers’ organizations.

partiCipant baCKgrOunDFigure 2 describes the industry distribution of the best-practice partners that responded to the detailed questionnaire.

exeCutive Summary


Figure 2

Industry Representation of Partner OrganizationsPercentage of Partners

Aerospace/Defense

Food and Beverage

Information Technology/Computer

Insurance

Telecommunications/Utilities 20%

20%

20%

20%

20%


SubJeCt matter expertiSeBob Paladino, CPa, founder, Bob Paladino & associates, LLCBob Paladino is the founder of Bob Paladino & Associates and a former executive and long-time implementation practitioner in the corporate performance management (CPM) field. His firm advises boards of directors and executives and offers CPM services. Formerly a leading consultant for PricewaterhouseCoopers and Towers Perrin, Paladino has been published in leading journals and is among the highest-rated speakers at corporate and industry events such as FEI, ASMI, and CFO Rising.

William g. shenkir, Ph.D., CPa, William stamps farish Professor Emeritus, university of VirginiaBill Shenkir served on the faculty of the University of Virginia’s McIntire School of Commerce for almost 40 years and as dean from 1977 to 1992. He continues to consult and do research on ERM. Shenkir has published more than 50 articles and edited/co-authored eight books, three of which focus on ERM. He served on the staff of the FASB, as president of the AACSB, on numerous professional committees, and on three corporate boards. He has received the IMA’s Virginia Outstanding Educator Award and was recognized by students as one of the 10 University Distinguished Professors in the 1997 Corks and Curls.

abOut apQCA recognized leader in benchmarking, knowledge management, measurement, and quality programs, APQC helps organizations adapt to rapidly changing environments, build new and better ways to work, and succeed in a competitive marketplace. For more than 30 years, APQC has identified best practices, discovered effective methods of improvement, broadly disseminated findings, and connected individuals with one another and with the knowledge, training, and tools they need to succeed. APQC is a member-based nonprofit serving more than 500 organizations around the world in all sectors of business, education, and government. Learn more about APQC by visiting www.apqc.org or calling 800-776-9676 or +1-713-681-4020.

abOut ibm gLObaL buSineSS ServiCeSWith consultants and professional staff in more than 160 countries, IBM Global Business Services is the world’s largest consulting services organization. IBM Global Business Services provides clients with business transformation and industry expertise, as well as the ability to translate that expertise into integrated, responsive, innovative business solutions and services that deliver bottom-line business value. IBM Global Business Services offers industry-leading transformation consulting skills and delivery capabilities across a range of areas, including human capital management, financial management, customer relationship management, R&D management, supply chain management, and strategy and change. For more information, visit www.ibm.com.

exeCutive Summary




exeCutive Summary


IBM Global Business Services’ Financial Management practice focuses on enabling enterprise innovation and performance through improved finance organization efficiency and effectiveness. With more than 4,000 practitioners, Financial Management has a full suite of end-to-end capabilities to address a client’s challenges. Its capabilities include finance transformation, finance operations improvement, business performance management, business risk management, and finance enterprise applications.


Study Findings

13 Chapter 1 > optimizing the ERM organizational structure

23 Chapter 2 > ERM support Tools and Methodologies

31 Chapter 3 > using ERM for Effective Decision Making

41 Chapter 4 > using ERM for Performance Improvement

49 Chapter 5 > The “Essentials” of ERM

StuDy FinDingS




Optimizing the ERM Organizational StructureC h a p t e r 1

1. Best-practice organizations establish clear structures for ERM involving executive-level support.

2. Senior leaders understand the impact of risk information.

3. A holistic approach to risk management enables improved understanding of critical risks.

Chapter 1 Key FindingsRisk management has evolved significantly since APQC published its initial report on the subject, Risky Business: Employing Risk Management to Sustain

Growth, Mitigate Threats, and Maximize Shareholder Value. When research was being conducted for that report in 2006, many organizations had long histories of deploying risk management for specific risks such as insurance and audits, but true enterprise risk management was a fairly new endeavor. Few participants in the 2006 study had well-established ERM approaches—in fact, half of the ERM programs examined were only three to five years old. However, organizations were beginning to recognize the importance of an enterprise-wide approach to risk due to factors such as:• theincreasedvolatilityofmarketsdrivenbycompetition,globalization,

and technology;• anenhancedfocusonthetradeoffsamongachievingfinancial,customer-,

process-, and people-oriented results; and• changesinregulatoryoversight,fromderegulationintheutilityandtelecom

industries to recent legislation such as the Sarbanes-Oxley Act (SOX).

The best-practice partners examined in our most recent study reflect this ongoing evolution from more limited, silo-based risk strategies toward enterprise risk manage ment. Four of the five best-practice ERM programs have existed in their current states for less than three years, and the remaining program for less than five years.

According to APQC’s past and current research, organizations at the level of ERM maturity demonstrated by the best-practice partners have integrated enterprise risk management into their strategic planning processes and analyze the likelihood and impact of risks across the enterprise, as opposed to relying on an isolated approach where they merely react to events. This report explores how best-practice organizations achieve this level of maturity and plan for continuing development. To that end, the report details how the best-practice partners ensure that ERM is treated as a core management process. It also examines optimal ERM organizational infrastructures, effective support methodologies, how ERM can influence key decisions, and how an enterprise view of risk can improve overall performance.

the buiLDing bLOCKS OF erm: OrganizatiOnaL StruCtureSBest-practice organizations establish clear structures for ERM involving executive-level support.

The best-practice organizations in this study have established clear roles and responsibilities for deploying and overseeing their ERM initiatives. They also have executive sponsors in place to support the continued maturation of ERM efforts.

“ERM is a strategic and dynamic process that all our employees

have a stake and ownership in to implement. In its ideal state, ERM

should identify business process improvement and risk mitigation

opportunities, be they physical, financial, or cultural.”

— Wayne Bailey, director of risk, compliance,

and quality management, NYISO

(n=5) Frequency of Response

CEO direct report

CEO team

Figure 4

CRO

Board of directors, subcommittee 0%

Board of directors

Other

CEO

Who Is Responsible for Deploying and Overseeing ERM?

Core ERM group

20%

0%

20%

0%

40%

0%

60%

0% 20% 40% 60% 80% 100%

Other: • Vice president of internal audit• COO

Partners were asked to select all options that apply to their organizations.


CEO direct report

CEO team

Figure 3

Chief risk officer (CRO)

Board of directors, subcommittee 40%

Board of directors

Other

CEO

Who Provides Executive Sponsorship for ERM?

Core ERM group

40%

40%

20%

20%

40%

0%

20%

0% 20% 40% 60% 80% 100%

Other:• Chief operating officer (COO)• Chief financial officer (CFO)


Chapter 1

optimizing the ERM organizational structure

Figure 3 and Figure 4 provide an overview of ERM process ownership at the best-practice partner organizations. Most of the study partners have assigned core functions to oversee ERM activities as well as C-level executives to act as ERM executive sponsors. According to representatives from these organizations, clear ownership and reporting structures are crucial to communicating the importance of risk management to the work force.


Chapter 1



As you can see from Figures 3 and 4, the partner organizations employ diverse reporting structures for ERM. The study did not reveal a one-size-fits-all approach. However, all the partners effectively support the executive-level positioning of ERM through senior committees and other change agents.

Figure 5 depicts the ERM reporting structure at Fonterra, a best-practice partner in both the both the 2006 study and the current study. In 2006, Fonterra split its global assurance function into audit and risk, with two different reporting lines to the office of the chief financial officer (CFO). The organization integrated its ERM process into business strategy and planning; the ERM function now interacts with insurance brokers and leverages employees within the business units who are engaged in risk assessments.

Figure 5

Fonterra’s Risk Reporting Structure

Enterprise Risk Manager

• Claims• Insurance• Captive• Risk management• Risk engineering

ERM responsibility:• ERM program• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives and the board (including the top 20 risks)• Business interruption evaluation• Business continuity planning and crisis response planning• Insurance program (strategy, policies, placement, and reporting)• Claims management and administration• Financial aspects of accident compensation• Other risk management activities including contract risk, security, etc.

Manager Risk

Assessment

Manager Risk

Assessment

RiskManager(Contract)

Business ContinuityManager

Risk Management

Admin

Injury Management

Manager

Claims Administrator


Insurance Brokers:

Fonterra’s ERM function is responsible for managing the ERM program, monitoring and reporting key risk information, evaluating business interruptions, and carrying out business continuity planning. The ERM function also manages insurance programs, claims management, financial aspects of accident compensation, and various other risk management activities such as contract risk and security.

To influence behaviors and reinforce the importance of ERM in its culture, Fonterra gave its business units a defined role in ERM. The organization expects business units to manage risks and promote certain behaviors by: • identifyingdownsiderisksandupsideopportunitiesforthebusiness,• servingasexpertwitnesseswithdeepknowledgeofoperationstoassess

risk magnitude,

Chapter 1


• mitigatingrisksandmonitoringemergingrisks,• collectingandreportingriskdatatotheERMfunctionforaggregation,• enforcingcompliancewithriskmitigationproceduresamongbusiness-unit

personnel, and• makingsurethatprocessesareinplaceandthatcostsarisingfrom

implementation strategies are planned for and budgeted.

At Textron, the ERM function reports to the vice president of audit, who reports directly to the organization’s board of directors. The business continuity management function also reports to the vice president of audit; in addition, both functions report to an operating committee comprising key managers and leaders from all Textron business units. The ERM function reports to the operating committee instead of a traditional risk committee so that it can communicate directly with the business-unit owners. This structure has enabled risk reporting to have a greater impact across the organization.

At American Electric Power (AEP), ERM is centrally managed, but key reporting responsibilities are held at the business-unit level. The name of AEP’s enterprise risk organization—enterprise risk oversight (ERO)—is intended to emphasize the group’s role: Whereas ERO oversees risks across the organization, the individual business functions are responsible for risk management process execution. In accordance with this structure, funding for risk management is incorporated into business-unit budgets.

Figure 6 depicts the risk management structure at AEP. As shown, risk management involves all levels of the organization.


Figure 6

AEP’s Risk Reporting Structure• AEP’s ERM policy - sets governance structure, roles, and responsibilities

• Summary report provided to board audit committee

Audit Comm.

Risk Executive Committee

Enterprise Risk Oversight Function

• Strategic focus for monthly REC meetings

• Independent oversight function

• Management of risks Functional Unit Management

Chapter 1


Microsoft’s risk reporting structure centers on four risk “pillars”: strategy, finance, operations, and legal/compliance (Figure 7). Each pillar is supported by a committee and an executive sponsor responsible for coordinating the overall program approach developed by the Office of ERM. This structure is complemented by the efforts of individuals and groups in specific business units and functions where risk management specializations already existed prior to the implementation of an enterprise-wide approach.


Figure 7

Microsoft’s Risk Reporting StructureEnterprise Risk Office (ERO) - Virtual Organizations

The Office of Enterprise Risk Management is sponsored by the vice president of internal audit and supported by the director of ERM leading and executing the overall program approach. The ERM effort is being coordinated virtually across the organization including four risk committees (pillars) each with their respective executive sponsors.

Board of Directors:Audit and Finance Committee(s)

Strategic

Chief Executive Officer

VP of Corporate Strategy

Director of Corporate Strategy

Chief Legal Officer

VP of General Counsel

Director of Compliance

Compliance Attorney

Chief Financial and Chief Accounting Officers

Sr. Director Compliance

Sr. Manager Compliance

Chief Operating and Chief Information Officers

General Manager

Manager

Legal/Compliance Financial/Reporting Operations

Enterprise Risk Office:Executive Sponsor: VP of Internal AuditProgram Office: Director of ERM

FOLLOW the LeaDer: the rOLe OF exeCutiveSSenior leaders understand the significant impact of risk information.

Executive-level support for ERM is a critical success factor for the best-practice partners. Given their birds-eye views of the entire enterprise, senior leaders and high-level committees are uniquely positioned to understand and oversee an organization’s overall risk picture. What is the role of these leaders regarding ERM, and how and why did this role develop? What is the value of their involvement in ERM? The following examples detail senior leadership’s unusually high level of direct involvement in ERM at the partner organizations.

At the New York Independent System Operator (NYISO), responsibility for ERM resides within the organization’s risk, compliance, and quality management function. The head of this function reports directly to the CEO and board of directors, who were the organization’s original ERM champions. As ERM’s executive sponsor, the CEO also acts informally as the chief risk officer. Additional risk management responsibilities are spread throughout the organization. For example, the general

counsel is the chief compliance officer. Cyber and physical security risks fall within the domain of the enterprise security function’s business continuity planning department. A senior risk specialist is responsible for insurance program contracts, structure, loss control, and reporting, as well as the administration of the ERM process and national trends analysis related to the overall power generation and distribution industry. This trend information is provided to the board and CEO.

Textron’s board of directors plays a significant role in ERM. Specifically, the board:• setsERMexpectations,• communicatesthatERMisanintegralpartoftheoverallmanagementand

governance structure,• providesinputandoversightforallaspectsofERM,and• funnelsconcernsaboutspecificrisksintotheERMprocess.

At Fonterra, enterprise-wide risk strategy is based on board-level recognition that the organization must effectively manage risk in order to grow and be successful. Risk management is integrated across the organization and supported by senior leaders, including the CFO and the chair of the board’s audit, finance, and risk committee. In addition, ERM roles and responsibilities are cascaded down to the specific business units.

a hOLiStiC vieWA holistic approach to risk management enables improved understanding of critical risks.

Organizations that incorporate identified risks into strategic planning make better decisions and are more likely to achieve their strategic objectives. But how do organizations ensure that they understand their own risk universes and then effectively leverage resources to mitigate risks? How do they confirm that all relevant risks are included in their risk assessment processes? How do certain risks offset one another?

Because these questions are central to the idea of ERM best practices, a key objective of this study was to examine how organizations develop an understanding of their own critical risks. The following examples illustrate some of the methods used by the partner organizations.

The NYISO focuses on risks that fall into three broad categories: reliability (resources and fuel costs/availability), markets (legislative/political, finance and credit, and billing), and reputation (legal/regulatory issues and compliance). These three categories are further broken down into 17 areas of risk that are leveraged throughout the organization:


Chapter 1


Figure 8

The NYISO’s Risk Rating Definitions

Low/No Impact

Some Impact

Serious Impact

Most Severe Impact

Improbable—unlikely to affect NYISO within one year

Possible—may affect NYISO within one year

Imminent—likely to affect NYISO within one quarter

Immediate—the risk presently affects NYISO

Affects local reliability, non-mission-critical systems

Affects zones outsideJ&K, non-mission-critical systems not operational

Affects all of the state’s control area mission-critical systems

Affects zones J&K, mission-critical systems affected

0 to $100,000

$100,000 to $1 million

$1 million to $5 million

In excess of $5 million

Small process/procedural errors that impact limited stakeholder segments

Continuous mistakes in processes that affect stakeholders and indicate NYISO inability to correct

NYISO fails to meet regulatory compliance issues/NYISO execution causes marked disruptions

Regulators, market participants, and media severely impugn NYISO reputation, with NYISO unable to influence outcome

ReputationReliabilityImpact Impact to Markets


Chapter 1


• infrastructure• resources,• financial,• compliance,• execution,• seams,

• creditexposure,• press/media,• security,• billing,• marketdesign,• regulatorrelations,

• marketparticipants,• fraud,• retention,• politicalclimate,and• market

administration.

Risks aligning to these categories are tracked according to a hybrid framework that combines those of the Risk and Insurance Management Society (RIMS) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The NYISO uses matrix scales and heat maps that list each of the organization’s 17 risk categories according to probability and impact. The list of risks changes periodically, with new risks added and others replaced or subsumed under other categories.

Figure 8 illustrates how the NYISO defines its risks to facilitate strategic decision making.


At Fonterra, the organization has defined the purpose of ERM in order to articulate the why and how of enterprise risk. For example, Fonterra identifies “assist” as a key ERM activity: This refers to assisting the financial success of the business by providing a forum and methodology for evaluating and prioritizing potential risk improvement opportunities and understanding their financial and other impacts.

Additionally, Fonterra is establishing risk champions within each key business. Risk champions will spend several days in risk assessment workshops designed to help individuals identify and manage key business risks. Risk champions will also become business liaisons to the risk function. Fonterra assesses risks using a database that, in turn, populates the organization’s risk profiling report. The database and report, which are discussed further in Chapter 2, illustrate the types of data fields that reporting employees must complete in order for the ERM function to accurately assess high and significant risks.

According to Textron, every risk is quantifiable. The organization’s ERM function works closely with the business units to determine costs for specific risks. In some cases, the organization estimates a range to illustrate best- and worst-case scenarios, and each risk cost is factored into an overall cost average.

A coordinator for each business unit works directly with the ERM function to ensure that Textron has a clear view of critical risks. In addition to spending 10 to 14 hours each quarter coordinating risk information, these individuals help subject matter experts in their business units and councils compile and assess risk data. The primary benefit of this structure is that it brings together experts who understand the risks with risk coordinators who understand the process; rather than training a large number of employees on ERM, Textron aims to keep risk management intelligence flowing between ERM coordinators and the ERM function.

Textron uses an ERM input tool to capture key risk data. For each risk, ERM coordinators help subject matter experts collect data in five key categories:1. basic risk information—such as title, description, failure mode, and cause;2. gross risk information—the cost of the risk event and the probability of

occurrence (in annual terms) if no mitigations were in place;3. current risk information—the cost of the risk event and the probability of

occurrence (in annual terms) with all current mitigations in place;4. decision—whether or not further action is required; and5. expected risk—details on impact and likelihood.

Data from this input tool is entered into an Excel spreadsheet that can be tracked and used for reporting purposes. The spreadsheet is color-coded so that, if the “decision” category indicates that further action is required, then the risk is automatically highlighted in red.

Chapter 1



Chapter 1


AEP divides risks into two categories: monitored risks and high-impact risks. Monitored risks are generally easier to quantify and have governing policies focused on limits and controls. These risks are monitored for status changes and to ensure that the controls in place are working. By contrast, potential high-impact risks are more difficult to quantify. High-impact risks are often operational or physical risks and are typically addressed by programs, rather than limits. In general, these risks would have an impact on one or more monitored risks. AEP’s risk executive committee, which is made up of senior executives who manage a significant amount of risk for the organization, focuses its discussions on high-impact risks.

As previously mentioned, AEP’s functional units are responsible for analyzing, assessing, managing, and mitigating their own risks. Functional units provide monthly risk reports that include risk information such as metrics (where possible), current status, trends, strategy and mitigation, and emerging risk areas. These reports are reviewed by the enterprise risk oversight function, which then prepares a high-level summary for the risk executive committee. Reports from functional units are compiled in a binder that is provided to all risk executive committee members prior to each meeting. This enables committee members who want more detail to read about specific risks prior to the meeting and come prepared with questions. The high-level summaries are also reviewed by the board audit committee, which sits at the top of AEP’s organizational structure for ERM.

Risks reported to the risk executive committee cover a very broad range of issues; some are quantifiable, but others are not. Also, because risks change over time, AEP continuously revises the list of reported risks. Some risks are reported on a long-term basis, whereas others are reported for several months and then removed from reporting.

COnCLuSiOnThe best-practice partners featured in this report have created ERM organizational structures that facilitate fluid collaboration around risk management. Involvement and support from senior leaders convey the value of managing risk to the rest of the organization. By combining an infrastructure that places high visibility on risk management with senior leaders that understand the importance of effectively identifying and assessing risks, the best-practice organizations ensure that strategic objectives will be met. Partners emphasize that ERM must be viewed holistically in order for organizations to properly identify, aggregate, and asses all types of risk and then incorporate the results of their analyses into strategic decision making.


This study clearly shows that there is no “best” way to structure and manage an ERM program. But as we reflect on the different organization structure approaches taken by the best-practice partners, a couple of observations come to mind, particularly in light of recent IBM research in this area.

The first is the role of the “risk manager,” a title used in many organizations and throughout the literature on ERM. The second is the linkage of risks to business processes and the associated management responsibilities and performance measurements, a topic we will discuss further in our Research Champion Perspective for Chapter 4 of this report. Importantly, we see these two points as intrinsically linked through the convergence of risk and performance management.

In organizations and structures where the ERM function is stand-alone and tasked with risk management (as opposed to policy and process formulation), the risk manager typically owns the risks and mitigation solutions. for example, a supply chain risk manager may be expected to “gain a clear understanding of the supply chain process, its key exposures and values, and to develop a plan to minimize the adverse effects of the identified exposures on the organization.”1 In such a structure, the risk manager must identify, assess, and manage the risks that might impact that process.

But where does this approach leave the supply chain manager, the individual who owns the underlying process and is responsible for the supply chain team? how does he or she manage the process and resolve issues, pro- or re-actively? If there is a failure (i.e., a risk event) in the supply chain, who is responsible for (1) its resolution, (2) its mitigation, and (3) its performance implications? Put very bluntly, where does the buck stop, and which performance metric will be affected?

our view is that business process owners should own the responsibility for risk management as a core part of their day-to-day management responsibilities. In this way, they can assess risks and alternatives with full understanding of the short- and long-term impacts of those options and make the most appropriate trade-offs for success of the process. on the other hand, a stand-alone risk manager might accept/avoid/mitigate risks which need not be so handled given the alternatives available to the process owner.

But do not construe this perspective as a rejection of the role of the risk manager: he or she has a key role as an adviser to the process owner, acting in much the same manner as a financial, human resources, or information systems expert would. The risk manager should establish the risk management process, ensure its appropriate execution—including a reporting line to executive management if the process is not followed—and advise the process owner of alternative strategies.

This is a key role required by every enterprise, but one that still leaves decision-making responsibility in the hands of process and business owners, thereby supporting a more effective performance measurement assessment structure.

reSearCh ChampiOn perSpeCtive FrOm ibm gLObaL buSineSS ServiCeS

Optimizing the ERM Organizational Structure

Chapter 1


1 Ron Stokes. “Understanding Supply Chain Risk.” Risk Management, August 2008 (www.rmmag.com).


1. Best-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.

2. Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

ERM Support Tools and Methodologies

Chapter 2 Key Findings

C h a p t e r 2

Two of the most pressing concerns for organizations implementing ERM initiatives are: “What is the process for identifying and assessing risks?” and

“How do you roll out risk management across an enterprise?” To answer these questions, this report explores the steps that best-practice organizations have taken to integrate risk management into the way they work.

Whereas Chapter 1 focused on the best-practice partners’ organizational infrastructures, this chapter details the methodologies and tools that partners use to identify, assess, monitor, and report enterprise-wide risks.

a methOD tO the maDneSSBest-practice organizations use a variety of methodologies to identify, assess, aggregate, and report risks.

The study participants leverage many different techniques to assess risks and collect and report risk information; for the most part, this diversity reflects the organizations’ unique work approaches. However, one commonality among the best-practice partners is that they all make distinctions between ownership of a specific risk and facilitation of the ERM process. Most partners rely on a com-bination of risk maps, scenario analysis, Microsoft Office applications, and home-grown software to aggregate and identify key risk categories (Figure 9, page 24). When organizations can catalog and pinpoint significant risks, they are better able to ensure that those risks are thoroughly understood, closely tracked, and periodically reviewed.

To capture key risk data, Textron uses an ERM input tool based on failure mode effects analysis (FMEA).2 Data from this input tool is entered into an Excel spreadsheet for reporting purposes and color-coded to indicate whether or not a risk requires further action.

The spreadsheet data populates risk radars (Figure 10, page 25), which highlight Textron’s significant risks and associate those risks with dollar amounts related to net operating profits. Risk radars track gross risk and are color-coded to indicate whether further action is required; risks are graphed so that the likelihood of a risk occurring in the next year is represented on the X-axis and annual net operating

2 APQC defines FMEA as “a well documented, proven technique commonly used to evaluate the risk for failures in product and process designs” (2007).

Chapter 2

ERM support Tools and Methodologies

profit is represented on the Y-axis. For example, Risk A in Figure 10 was initially estimated at approximately $2 billion, but through mitigation and control efforts, that exposure was reduced by about half. However, since the level of exposure is still considered unacceptable, Risk A is depicted as a box, indicating that further action is required. Throughout Textron’s risk radars, embedded links guide users to more detailed information from the risk database.

Fonterra uses a risk database to support risk assessment and evaluation across the enterprise. Figure 11 (page 26) provides an example of how Fonterra presents data captured during the risk assessment process. Although the figure contains only sample data, it illustrates the types of data fields that must be completed in order to accurately assess high and significant risks. For example, the reporting employee must clearly define the context and objective of a given activity/process and then identify the risks that could prevent the accomplishment of that objective. Each risk is assigned an owner and a category, which allows the organization to aggregate risks into groups. The forms include a representation of “inherent” risk in terms of



Influence diagrams

Failure mode effects analysis (FMEA)

Figure 9

Bowtie diagrams

Scenario analysis

Fault tree/event tree

Off-the-shelf application

Home-grown application

ERP

MS Office

Other

Risk registers

Technologies, Applications, Techniques, and Methodologies Used for ERM

Risk maps

60%

60%

80%

40%

40%

40%

0%

0%

0%

0%

60%

0% 20% 40% 60% 80% 100%


20%


Chapter 2


impact and likelihood displayed on a heat map, a review of controls to mitigate risks, and a scoring of residual risks in terms of impact and likelihood displayed on a heat map.

Figure 12 (page 27) depicts an example of Fonterra’s risk assessment report, which provides an overview of risk by category. This data flows to the business units so that decision makers can better understand key risks. At the New York Independent System Operator (NYISO), risk identification and reporting are the responsibility of the business units. Risk owners—those owning the business processes—are expected to report known risks, their status, and mitigation efforts on a monthly basis.

As part of establishing its ERM program, the NYISO mapped out every function and process in the organization and then created an executive summary and supporting report detailing each risk along with its triggers and status. The risk, compliance, and quality management function updates this ERM report every month based on business-unit-level reporting and mitigation efforts. Thus, the quality of the overall ERM report depends on the accurate monitoring and reporting of risks by the business units.

Textron’s Significant Risks Radar

Figure 10

100% 75% 50% 25% 0% $0

$35M

$70M

$105M

$140M

$500M

$1B

$2B Risk Name

Risk reduced to an acceptable level

Further action required

Gross risk

A

B

CDEFGH

I

JK

Crisis ManagementFinance CouncilIMCTFCBellLegal CouncilBellFinance CouncilFinance CouncilBellKautex

1Q06

1Q06

1Q061Q061Q061Q061Q061Q06

1Q06

1Q061Q06

TBD

1Q06

1Q061Q061Q061Q061Q061Q06

1Q06

1Q06TBD

Risk Owner Initial Complete

C

B B

A

H

J K

F E

I

G H

I

D

F E

G

A

J

D

K

$ is measured in annualized NOP

C

SAMPLERISKDATA


Chapter 2


Fonterra’s Formal Risk Assessment Process

Figure 11

Context/ Objective

INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls

Potential business impact WITHOUT the benefit of controls =

Guaranteed ability to process milk from shareholders

Casual Factors • Road closure from flood• Road closure from landslip• Loss of power to the site for milk transfer >24 hours

Expected Consequences/ Impact

• Unable to receive all milk supplies• Worst reasonable case estimate 50% loss

of milk for 6 days following landslip

Potential Cost NZ$1M - NZ$10M

Risk Owner

Risk

GM Milk Supply

Inherent Likelihood (1-10) 9

Inherent Consequence/ Impact (1-10) 6 7

53

1

9

Inherent Risk Rating HIGH

(Optional Entry) Risk Category Coding

Milk Collection and Transport

VolatilityReduced ability to supply milk to site for a period longer than 24 hours Increasing over time

(Optional Entry) Process Coding

Operational

Like

lihoo

d

A Risk Management Framework - Risk Profiling Report

The NYISO’s risk, compliance, and quality management function also summarizes the larger ERM report in a four-page monthly risk report that is distributed to the board of directors. These summaries detail immediate and pending risks for the coming year along with mitigation efforts currently in place. Each summary includes a risk matrix detailing probability and impact for specific risks as well as relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry. Each month, the ERM staff selects and inserts an article describing issues that affect the security of electricity markets in the United States, North America, and around the globe.

At Microsoft, enterprise risk reporting occurs quarterly. The quarterly reports include updates on ERM program status and progress made toward mitigating the most critical risks facing the organization. Board presentations to a special session of the combined audit and finance committees take place semiannually. The following program principles help Microsoft execute on this reporting cycle.• ERMisanenterprise-wideframeworkandprogramadaptabletoexistingrisk

functions, division structures, and global geographies.• ERMincreasestransparencyofrisktotheboard,seniorleadership,and

external stakeholders.• ERMisintegratedandembeddedintocorporate-wideprocessessothatrisk

information can be leveraged for decision making.• ERMenablesbidirectionalinputandinformationsharingwithkeygovernance,

risk, and compliance (GRC) functions, such as Internal Audit, Windows Live Security, Corporate Privacy Group, and Information Technology Risk.


Chapter 2


Fonterra’s Risk Assessment Report

Figure 12

Strategic

Risk Category

Sub-Risk Category Risk Areas

Strategic DirectionEthics & CultureReputationStrategic Partnerships

Investor Relations

InnovationsRisk ManagementChange Initiatives/

Transformation

Operationalization of StrategyThe Way We WorkNZ International ImageBFLDairiConcepts/DFA

Payout Forecast ManagementRDIProductImplementation of Risk

Management FrameworkJedi

Stabilized Organization StructureKnowledge SharingSupplier Land Management &

Farming PracticesSoprole/DPADPA/NestleCommunications

MarketProject Interface

Strategic Resource Allocation

EmpowermentChinaBFL/BSC

Shareholder Council

Process

Strategic Evaluation of New Business

OutsourcingCapital Availability

GE

Post Investment Reviews

Redemption

Financial Financial Reporting

Financial Planning

Treasury ManagementTax PlanningPerformance Planning &

MeasurementFraud

COACore ControlsCMP/S&PInventory Mix & ValuationFair Value Share ValuationHedgingDomestic Tax RegimesRCM

Geopolitical/Cultural

FRS

Payout ForecastsSales Mix & ValuationPeak Note ManagementFunctional CurrencyForeign Tax RegimesPerformance Measurement

Control Design & Implementation

Hyperion

Foreign Exchange Volatility

Lifecycle PlanningDebt Raising

VBM

SAP

Commodity Price Volatility

Working Capital Management

Functional Currency

Cost of Production

Redemption Management

Compliance Policy & Procedures

Legal & Regulatory

ProcurementEnvironmental

Sovereign Legislation & Regulation

Intellectual Property

Production StandardsJedi Business Rules &

ComplianceCustoms & Duties

Shareholder Reporting

HRSupplier Land Management

& Farming PracticesHealth & Safety/ACC

Future Regulation

Treasury

EnvironmentalDIRA

Insurance

Hazardous Substances

Governance Ethics & CultureBoard Activities

The Way We WorkShareholder Reporting

Geographic DiversitySub-Committee Delegations

EmpowermentQualifications

Corporate Citizenship

Operational S&OP ManagementMarketing & InnovationBrand ManagementSales

Production

Logistics & WarehousingProject Management

People

Transaction Processing

Information

Crisis managementNon-Core Business

Demand ForecastingProduct InnovationBrand Strategy/RationalizationOrder Management

Asset Security & ProtectionR&D ImplementationMilk CollectionCapex Approval

Personal Health & SafetySuccessionOrder ProcessingPayrollData Accuracy, Completeness &

TimelinessKeaBio-SecuritySynergy

Supply ForecastingR&D FundingBrand Protection &

CounterfeitingPricingProduction EfficiencyAsset MaintenanceProduct ShipmentPost Project Evaluation

Attract & Retain TalentIndustrial ActionInvoicingTrade Spend Promotion CycleSystem DevelopmentCOE

Terrorism

Production PlanningBusiness Case

Development

Contract ManagementProduction Capacity

Distribution Channel Structure

Time, Cost & Quality ControlGROW & PERFORMInternal CommunicationCash CollectionMilk PayoutSystem IntegrationJedi

DRP/BCP

Logistical PlanningEvaluation of A&P Spend

Sales Promotion

Product Quality/ Specification

Inventory Planning

CapabilitiesRenumerationCredit Management

System FailureIS Data Security

Product Recall

IP Protection

RDI

Food Safety

Inventory Protection & Security

Motivation & Focus

Expenses & Purchases Cycle

System Transformation

Natural Disaster

Market Economic/GeopoliticalPolitical/RegulatoryCompetitorsFinancialDistributorsConsumers

Economic DownturnTrade Access & QuotasIndustry StructureFinancial Markets/Cost of DebtRetail Channel StructureConsumer Trends

Political Instability/Sovereign Risk

Product Specification & DutiesCompetitor Strategy/SpendCapital Fund RaisingSocial Trends

Credit RiskAcquisition ApprovalEmerging CompetitorsCommodity Prices

Demand Uncertainty

Product Substitution

Customer Satisfaction

erm anD teChnOLOgy: What’S the SOLutiOn?Currently, the technology of choice for ERM among the partner organizations is Microsoft Office.

As with any evolving business process, organizations attempting to embed ERM in their structures and operations are constantly searching for ways to facilitate their efforts. Each best-practice organization in this study is implementing and executing ERM in some way that fits its current business agenda and business model. Although the partners are open to a technology solution that would facilitate effective ERM implementation, the current preference to keep things simple has led these organizations to employ Microsoft Office as their primary enabling technology.

Although the study partners do automate some data collection, analysis, and reporting processes, the majority rely primarily on manual support for ERM activities. While a comprehensive and effective process automation solution remains elusive in the ERM arena, the following examples illustrate how the best-practice organizations create support processes adapted to their own cultures and strategic needs.

Fonterra uses Microsoft Office Excel for most of its ERM technology support. Within Fonterra, the perception is that implementing a formal software package would impede the organization’s ability to quickly adapt to any process or business change. Accordingly, the organization has decided not to purchase a software package explicitly for risk management. Currently, one full-time employee manages the formal risk assessment process and the supporting database.

American Electric Power (AEP)’s decision not to implement supporting technologies is similarly strategic. At this point, the organization feels that a new technology solution might hinder its ERM process. Although AEP has explored a number of software packages, it has chosen to refine its process first and let that process drive future technology decisions. By concentrating on process and open communication, the organization hopes to ensure that information is effectively shared among its functional units.

The NYISO’s core risk reporting and mitigation processes are heavily manual and supported by Microsoft Office programs such as Word and Excel. The organization is currently examining a number of ERM technology support tools, but has not fully automated its processes.

Microsoft is also exploring solutions to manage its risk and compliance activities. Since ERM is a relatively new concept, the program is investigating multiple options for building and implementing an ERM platform that can be leveraged globally. At present, the organization employs an enterprise solution based on SharePoint and SQL technology; moving forward, it plans to continue building a platform that integrates the best of Microsoft’s enterprise technologies with Microsoft Office solutions.


Chapter 2



Like many organizations, Microsoft faces challenges associated with the volume and complexity of external compliance obligations. There are numerous overlapping compliance requirements that must be integrated with ERM, including SOX, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard, anti-corruption, privacy regulations, trade compliance, and so on. All these compliance requirements involve different tools, and the organization believes that even more tools will be added in future, further complicating the technology infrastructure. Microsoft’s proposed solution to address such issues is to leverage the best of its technology through a platform approach termed “OneCompliance,” which supports compliance with multiple regulations and standards. The approach involves optimizing available resources that focus on risk management, controls, and compliance while reducing duplication and time/cost requirements.

COnCLuSiOnAs the results of this study indicate, there are many ways to effectively operationalize risk management. Partners use a variety of tools, methodologies, and applications to support ERM. However, one commonality among the partners’ approaches is an emphasis on clear risk aggregation and reporting. Aggregation surfaces key significant risks that impact the organization, leading to a more thorough and informed understanding of risk.

Although the best-practice organizations employ both automated and manual processes to manage risk, Microsoft Office is the technology of choice for supporting ERM at this time. Many of the partners have just begun to think about how more complex software and systems might be used to support the unique demands of ERM. We can expect to see new technologies emerge as ERM processes mature.

Chapter 2



Chapter 2


In terms of the study results, the relatively limited use of specialized technology was the area of greatest surprise to IBM, and we believe that this finding will be equally surprising to other organizations. IBM had expected to see much broader use of ERP and/or other “best of breed” software tools to support and drive ERM processes, but clearly this is not the case, at least not yet. In fact, the limited use of such tools has been affirmed by other research undertaken by IBM.

The next logical question is akin to the “chicken and egg” analogy: Is the use of technology limited because the tools do not yet meet industry’s needs, or do the tools not exist because there is limited demand? although there is no right answer, of course, we believe that the former is the primary limitation at this time, and we believe that the current economic conditions will in fact increase the demand for technology solutions as a means of more timely and effective management of risks.

The effort many organizations expend to identify, assess, prioritize, track, measure/analyze, and report on risks will increase—at least to some degree—the use of automated tools, and such tools will start to be viewed as assets. But it must be recognized that most risks will always be heavily managed by human judgment, models and quantitative limits notwithstanding. and therein lies the challenge for developers of tools: how to build something that will regularly be overridden by human interpretation and gut feel to provide a dynamic view of risk.

Many advanced technologies allow users to simply turn built-in controls on or off, in essence partially allowing the user to determine if and the extent to which automated approaches may be used in controls and risk management.

In addition, a combination of “push” and “pull” reporting is generally required. “Push” reporting is required for any controls or limits violations, such as an employee not submitting a time report on a weekly basis or a production line deviating from quality parameters; in such cases, management must be notified so that corrective action can be taken. on the other hand, more analytical situations can be effectively assessed with “pull” reporting; for example, aggregate accounts receivable trends and balances by customer can be analyzed by a manager at intervals—within reasonable bounds—of his or her choosing, although specific limit violations might “push” reports to that same manager.


ERM Support Tools and Methodologies

Using ERM for Effective Decision Making


C h a p t e r 3

31

Almost all of the study partners value ERM for the impact it has on decision making. ERM programs can justify their existence and contribute to overall

organizational performance by offering insight into short- and long-term risks. However, deriving value from ERM requires that organizations approach risk from a holistic perspective and act on risk information in a manner that mitigates risks and maximizes opportunities. If an organization fails to translate the knowledge gained from ERM into action, then the program may falter and become a process without a purpose.

Most of this study’s best-practice partners have processes that guide the application of ERM information to support short-term, tactical, and/or long-term and strategic decisions. Communication vehicles—whether formal or informal—are important to the effectiveness of such processes. Tools and methods for sharing risk data across the organization help facilitate better decision making.

During this study, partners were asked how ERM influences short-term and tactical decision making. As Figure 13 (page 32) demonstrates, study participants use ERM in a variety of ways to support such decisions. For example, the majority of partners leverage ERM information when considering business expenditures and planning projects. Clearly, the ability to integrate ERM into decision making helps prepare organizations to act quickly in response to short-term or tactical events that impact the business.

The best-practice organizations were also asked how ERM helps facilitate long-term planning. Since ERM activities are generally designed to assist with both short-term and long-term decisions, it is not surprising that a majority of the study partners use ERM information for processes such as planning, budgeting, and forecasting.

riSK management FOr mOre inFOrmeD riSK taKingA focus on risk management creates a culture of informed risk takers.

Most of the best-practice organizations in this study use methods and tools that allow risk data to flow freely between ERM functions, business units, and senior decision makers. Risk managers and end-users employ risk information when making day-to-day, short-term, and long-term decisions. The widespread sharing of risk information helps these organizations enhance the strategic nature of their decision-making processes and contributes to better decisions.

1. A focus on risk management creates a culture of informed risk takers.

2. Risk information must be effectively communicated across the enterprise in order to influence decision making.


Some organizations, such as American Electric Power (AEP), rely on informal links between risk functions and senior management to facilitate decision making. As discussed in Chapter 1, under AEP’s risk structure, risk information flows from functional business units to the audit committee through the risk executive committee. Although there is no clear directive for the risk executive committee that pertains to decision making, the discussions that occur at risk meetings create a ripple effect throughout the organization, and outcomes from the meetings often have strategic impact. For example, shifts in budget dollars or changes to risk mitigation efforts are often indirectly linked to risk executive committee meetings.

Other elements of AEP’s risk structure and reporting also affect decision making. Throughout the year, the organization strives to identify risks that may influence strategic plans and prevent the achievement of corporate objectives. In addition, each functional business unit reports on risks using green, yellow, or red to indicate current status. Business units must present mitigation strategies for all risks that are color-coded red, and a risk that is assigned a red rating is usually addressed—or at least discussed—by the risk executive committee. This approach helps the risk executive committee recognize trends and assign priorities. However, according to AEP, it is difficult to compare one functional unit’s red-level risks against those of another functional unit. Furthermore, a risk coded red by a functional unit is not necessarily of strategic importance to the organization. For these reasons, the organization views the color-coding system as a useful but limited decision-making tool.


Chapter 3

using ERM for Effective Decision Making


Figure 13

Other

How the ERM Process Supports Short-Term/Tactical Decisions

ERM information isused for considering

business expenditures

ERM information is used in daily activities

ERM information is used for project planning 60%

80%

20%

20%

0% 20% 40% 60% 80% 100%

Other: Prioritization of risks mitigated, identified, and assessed though annual risk review



Chapter 3


At the New York Independent System Operator (NYISO), the risk, compliance, and quality management function provides a monthly ERM report detailing every risk along with its triggers and status. The board’s audit and compliance committee reviews and discusses the ERM report at least once a quarter—with line-by-line scrutiny—and provides guidance to management on risk tolerances and mitigation.

The NYISO’s ERM efforts alert employees and management to cross-functional issues affecting voltage system reliability in both the immediate and long term. These endeavors also support the organization’s effective economic dispatch of energy and compliance efforts in accordance with local, state, and federal guidelines. Such compliance monitoring took on greater meaning for the NYISO after new Federal Energy Regulatory Commission (FERC) reliability standards were introduced in 2007. These standards, which had to be operational by July 2008, include 817 standards applying to the NYISO. In some cases, noncompliance can result in a penalty of as much as $1 million a day.

Fonterra has a clearly articulated process that integrates ERM results into strategic decision making. Most risk data is reviewed by the ERM function so that it can be aggregated for senior leadership. Accordingly, Fonterra’s ERM function serves as a clearinghouse for all risk data. In this role, the ERM function is able to effectively weigh business risk against organizational impact and identify risks that are of corporate significance to senior leadership. Fonterra senior leaders then review all risk data—formal or informal—in order to make informed decisions.

At Fonterra, risk information is linked to strategic policy and dispersed to business units that use the data for budgeting and forecasting, business planning, capital evaluations, mergers and acquisitions, and project evaluations. The organization also links ERM to business continuity planning and the outcomes of business projects and project reviews that feed into the business planning process.

In addition, Fonterra uses risk assessments when expanding its businesses abroad. In China, for example, the organization established a farm with cattle shipped from New Zealand in order to manage risks related to the milk supply for that country.

Fonterra focuses its risk assessment activities on a number of areas and links them to key business decisions that are categorized as operational, strategic, or financial. When the organization is faced with a strategic decision, it uses a detailed risk management framework process to identify and assess associated risks. Figure 14 (page 34) provides an overview of Fonterra’s risk management framework process, which is based on the Australia and New Zealand Standard Risk Management (AS/NZS 4360, also referred to as Risk Standard 4360).

Figure 14

Overview of Fonterra’s Risk Management Framework Process

Communication and Consultation

Monitor and Review

3. Report Upon Risk

2. Develop and Monitor Management Plans

1. Create Risk Map

Risk reporting

Risk response strategy

Risk decision

Evaluate the risks

Assess the risks

Identify the risks

Establish the context


Chapter 3


As a result of ERM efforts, organizations are positioned to take more calculated business risks. A case in point is found at Textron. When Textron targets a company for acquisition, that company’s risks are identified and evaluated before Textron decides whether to make the acquisition. In the future, the organization plans to use risk radars and risk summaries to evaluate all potential mergers and acquisitions.

To facilitate the business ownership of risk, Microsoft has defined short-term, intermediate, and long-term themes within its ERM strategy and road map. The short-term theme is focused on strengthening the foundation for ERM and building awareness across the organization. Microsoft has already met its short-term goals and, in most cases, is executing the second cycle of these initial goals. Microsoft’s intermediate theme focuses on establishing a risk management culture and achieving deeper integration into the business. Efforts are currently underway to meet goals related to this intermediate theme. Microsoft’s long-term plans center on optimizing ERM. Specifically, the goal is to extend ERM practices across all divisions and geographies by leveraging an integrated platform of risk data.

With its current structure, strategy, and disciplined approach to ERM, Microsoft believes it is well on its way to establishing a sustainable program that is capable of achieving the organization’s overall vision: “Through ERM’s leadership, management’s value creation and value protection decision making enables Microsoft to become the most universally trusted and respected company in the world.”


On a monthly basis

On a quarterly basis

Figure 15

As needed

On a daily basis

Other

On a weekly basis

How Often Do Risk Owners Use Risk Information to Make Decisions?

At strategic sessions

0%

20%

20%

40%

40%

40%

100%

0% 20% 40% 60% 80% 100%

Other: Varies by functional area



Chapter 3


Sharing riSK inFOrmatiOn tO FaCiLitate DeCiSiOn maKingRisk information must be effectively communicated across the enterprise in order to influence decision making.

Frequent and comprehensive communication of risk information is one of the most important factors in deriving value from ERM. Without effective communication strategies and mechanisms, leaders have no access to ERM data and cannot make informed decisions. This is evidenced by the fact that all the partner organizations in this study communicate ERM data on an as-needed basis (Figure 15). When important risk data is obtained or uncovered, best-practice organizations use considerable resources to make sure that the data reaches senior leaders as quickly as possible.

At the NYISO, the risk, compliance, and quality management function summarizes ERM information in a four-page monthly risk report for the board of directors. The summary lists immediate and pending risks for the coming year along with mitigation efforts currently in place. It includes a risk matrix detailing probability and impact for specific risks as well as relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry, and an article selected each month describes issues that affect the security of the electricity markets in the United States, North America, and around the globe.


Chapter 3



Relevance to strategic objectives

Risk tolerance

Figure 16

Existing risk controls

Time horizon

Risk impact

Risk likelihood

Other

Organizational resiliency

Types of Risk Information Used to Make Decisions

Cost of risk mitigation

60%

60%

60%

60%

80%

100%

100%

40%

40%

0% 20% 40% 60% 80% 100%

Other:• Quality and quantity of information about the risk• Preparedness


Figure 16 highlights the types of risk information that the best-practice partners share internally to facilitate decision making. Risk impact, likelihood, and existing risk controls are the risk data sets most commonly shared across the enterprise.

Among the study participants, meetings are one of the most frequently employed communication methods; 100 percent of the best-practice organization use meetings to impart key risk data (Figure 17). More than half of the partners also conduct presentations and workshops to share risk information. Eighty percent of the best-practice organizations use report cards or dashboards to identify and communicate risks, and 60 percent report these results monthly.

Moreover, ERM information is communicated to all levels of the organization, including those leaders empowered to make decisions. This communication chain allows each best-practice partner to take more calculated risks and support an enterprise-wide culture of informed risk takers.


Chapter 3



Figure 17

Other

How Decision Makers Are Informed of Risk

Reports/Dashboards

Presentations or workshops

Meetings

60%

80%

100%

20%

0% 20% 40% 60% 80% 100%

Other: No response


As discussed in Chapter 2, Textron uses risk radars and risk summaries to facilitate decision making. Risk radars track gross risk for every business unit and council and are color-coded to indicate whether further action is required. The operating committee reviews risk radars each month during a four-hour meeting. Risk data is updated quarterly, and meetings that occur between updates provide committee members with opportunities to probe more deeply into any risks that are of major concern.

The use of a risk report card helps promote accountability at Textron; by monitoring the report card, the organization ensures that risks are tracked and properly addressed. Report cards are embedded into the quarterly reporting process and show which business units and councils are participating in risk activities. If a business unit is not participating, then executives will usually call business-unit leaders to increase involvement and promote accountability.

At Microsoft, individuals called risk focals are described as “feet on the street” to support risk management. Focals manage action planning, risk profile development, steps to support risk, and the work breakdown structure. Generally, people take on this role in addition to their day-to-day job responsibilities, so the organization has developed a work breakdown structure to help communicate requirements. This level of detail helps risk focals talk to managers and convey needs across business units. Additional detail is provided so that focals understand the risk path and descriptions. This assists focals with reporting for monthly meetings and enhances knowledge transfer.


Although the NYISO has several performance dashboards, these metrics do not directly tie to risk reporting. Instead, the risk, compliance, and quality management function relies on its heat map of risks as its key visual aid. The organization’s 17 categories of risk are plotted on the heat map in terms of impact and probability. With aggregate risk measured historically for signs of progress, the heat map acts as a performance scorecard and a communication vehicle to share risk information across the enterprise.

At AEP, the flow of information is structured to minimize overlap and duplication in the data presented to executives. By providing a structured sharing forum, the risk executive committee helps business units increase corporate awareness of key issues and risks.

To ensure a comprehensive and consistent view of risk across functional units, AEP periodically collects additional information on reported risks, including a risk’s potential impact on the organization, the possible timing of its impact, the manageability of the risk, and how well the possible impact can be measured. Standardizing the way in which this information is shared by the functional units helps the organization accurately compare risks at the enterprise level.

According to AEP, publicizing the purpose, strategy, process, benefits, and results of ERM is critical to change management and helps achieve buy-in at all levels of the organization. By de-emphasizing systems and technology, AEP has been able to establish effective communications and processes related to risk management.

COnCLuSiOnThe integration of ERM into decision making is critical not only for the health of an organization, but also for its sustainability. Moreover, successful organizations use ERM data to understand both downside risks and upside opportunities.

The ability to communicate ERM information to all levels of the organization is equally important; without effective communication, leaders are not able to mitigate risks and reduce risk exposure. Dashboards, risk radars, and report cards are some of the tools that the best-practice organizations are leveraging to distribute key risk data and promote its use in decision making.

Chapter 3



Chapter 3


This chapter addresses a number of important points that we would like to emphasize. The first is the applicability of ERM to the day-to-day planning, assessment, and management of projects; the second is the relative assessment of risks at the functional or business-unit level versus an enterprise view—in turn leading to a discussion of risk measurement tools; and third is the use of ERM data for planning, budgeting, and forecasting (PB&f).

although not discussed at length in this study, the practice of using ERM to plan, assess, and manage projects is highly beneficial to organizations. While some might view projects as relatively discrete activities, somewhat separated from core business operations, that is rarely the case: Most projects draw on resources otherwise deployed elsewhere in the organization and provide benefits for the “core” of the enterprise. Therefore, both project risk and project risk mitigation directly impact the organization. Consider a project that is delayed: Common mitigation solutions include (1) adding resources to complete the job, (2) allowing the delay to occur, and/or (3) reducing scope in order to “finish” on schedule. no matter which solution or combination of solutions is adopted, additional risks are created.

• Theadditionofresourceswillcausefuturebudgetchallenges.Iftheresourcesareneworincrementaltotheorganization,there is a cash outflow and hence an enterprise-wide financial impact. If the resources, say staff, are reallocated to the project from elsewhere in the organization, then their previous activities will no longer be performed and that, in turn, will create new risk for those areas of the organization that depended on those activities.

• Allowingthedelaytomaterializewilldefertheproject’sbenefits,andintheworst-casescenariomayeveneliminatethebenefits. Imagine a new product launch: a delayed launch may result in loss of market share or even the ceding of a market to a competitor. so here too, the underlying or core business is affected.

• Reductionofscopecanleadtolossessimilartothoseassociatedwithadelay.Byitsverydefinition,areductionin scope means that expected benefits will not be realized as planned, and again, the underlying or core business is negatively affected.

These brief comments clearly show that project risk is integral to enterprise risk management.

a second key use of ERM data is to contrast business-unit perspectives of risk with the enterprise view. one of the most useful lessons learned from this study is the recognition that a risk deemed significant to a business unit might be of little consequence to the enterprise as a whole, or vice versa. While seemingly an obvious point, it clearly demonstrates the need for a common tool or approach for comparing risks across business units or, for that matter, by a corporate function in looking at unit-level risks.

Consider this example: a large corporation may have a number of stand-alone operating units, each of which considers revenue risk below $20 million (within the fiscal year) to be insignificant. In turn, the corporation’s leadership team is primarily concerned with single risk events that would impact total revenue by at least $50 million. This is a very typical situation in multi-unit enterprises. But it leaves a potentially huge gap. What if several units each chose to accept a certain risk due to its small size, under $20 million, but the root cause of these risks is the same, such as a supply chain failure, natural disaster, labor stoppage with the same union, commodity price or availability, etc.? now the corporate risk impact might well exceed $50 million, and this possibility can only be identified by taking a different risk assessment perspective, looking at causes across the enterprise rather than solely a unit viewpoint.

The third area of note is the use of risk data for planning, budgeting, and forecasting. Too many business-unit budgets do not explicitly reflect the risks that might impact actual results. Rather, the risks and the expected impacts are buried in the aggregate

data that is presented and reviewed on a periodic basis. Consider the example of the loss of a key customer. 3



3 For the sake of simplicity, assume it is an all-or-nothing situation (i.e., either the customer remains or is fully lost, and any lost revenue cannot be offset by other means). Without these simplifying assumptions, there is an infinite array of possible results.


Chapter 3


Revenue for the period is budgeted at $10 million, 15 percent of which comes from this one key customer; however, there is a 40 percent likelihood, based on the business unit’s assessment of the situation, that the customer will take its business elsewhere.

Initially, therefore, the risk-adjusted revenue budget for this business unit should be only $9.4 million ($10 million less the 40 percent likelihood of the loss of $1.5 million). But to accurately portray its position, the unit should indicate a revenue budget of $8.5 million oR $10 million, reflecting the loss or retention of the revenue. This dual-budget approach forces an explicit—and immediate—discussion of how the unit will respond if the revenue is lost, a very useful risk scenario that likely has broad applicability.

now let time move ahead a few months and assume that the customer situation is resolved. If the revenue was lost, the unit re-forecasts its budget with the shortfall being recognized, along with the offsetting benefits of its risk mitigation actions, those that were reviewed and agreed on during the initial situation assessment.

This same logic can be applied to any risk scenario, such as a possible work stoppage, supply chain disruption, and so on. The budget should show the likely scenarios or ranges, and then each forecast update would reflect the most current risk estimates.

reSearCh ChampiOn perSpeCtive FrOm ibm gLObaL buSineSS ServiCeS (continued)


Using ERM for Performance Improvement

1. Effective risk management is evaluated as an organizational key performance indicator.

2. Best-practice organizations use risk management as an individual performance indicator.

3. Evaluation of ERM effectiveness is in the early stages of maturity.



C h a p t e r 4

41

In this consortium research study, APQC sought to answer two important questions related to ERM and measurement: “How are ERM programs used to

improve business results?” and “How are key performance indicators (KPIs) and key risk indicators integrated into performance management?”

Measuring the success and investment of any program is a notoriously difficult task. ERM is no exception. However, most best-practice organizations in this study are able to evaluate risk management as a key performance indicator and use risk management for individual performance measures at some level.

evaLuating riSK management aS a KpiEffective risk management is evaluated as an organizational key performance indicator.

The study partners display a range of maturity levels regarding the evaluation of ERM as a KPI. Sixty percent of the best-practice organizations use KPIs, and 40 percent use performance dashboards. Furthermore, senior leaders at all the best-practice organizations use risk information to improve enterprise-wide performance (Figure 18). Likewise, individual risk owners use risk data to improve performance at the majority of these organizations. Corporate leaders and ERM groups also use risk data to improve.


Corporate

Individual risk owners

Figure 18

Central performance improvement group

0%

0%

Other

Business leaders

Roles Responsible for Using Risk Information to Improve Performance

ERM group 40%

100%

100%

60%

0% 20% 40% 60% 80% 100%



Chapter 4

using ERM for Performance Improvement

As a Six Sigma organization, Textron emphasizes the importance of measuring ERM performance. The organization tracks and assesses ERM components such as risk events and actions, overall risk prediction ratio, total cost of risk events per year, ERM participation, risk exposure reduction, mitigated reductions, and cost savings. The ERM function is able to quantify every risk by working closely with the business units to determine risk cost. In some cases, a range may be developed to illustrate best- and worst-case scenarios; each risk cost is factored into an overall cost average.

Textron’s audit committee evaluates the ERM process periodically to ensure it is working as designed. These reviews have resulted in enhanced risk identification, evaluation, and mitigation throughout the organization. The following process is used for ERM reviews:• thebusinessunitsandcouncilssubmittimelyquarterlyupdates,• theERMteamreviewsbusiness-unitandcouncilsubmissionsfor

reasonableness and completeness,• quarterlyupdatesofsignificantrisksarepresentedtotheoperatingcommittee,• theoperatingcommitteereviewssignificantrisks,and• theriskreviewbecomespartofstrategydiscussions.

American Electric Power (AEP) strives to use ERM to enhance performance and organizational effectiveness. For example, it tracks risks related to commitments made in the organization’s corporate sustainability report, which provides an interface between ERM and other business functions; the goal is to identify risks and commitments while engaging internal and external stakeholders. AEP produces an annual report that spells out the organization’s sustainability commitments. Once the report is published, the organization is pledged to a biannual review of those commitments and their inherent risks. Each functional unit provides a biannual update to the risk executive committee documenting its progress toward meeting the commitments. Although this is a relatively new process for the organization, it identifies a role for enterprise risk in relation to sustainability. The sustainability reporting process is illustrated in Figure 19.

Risks are also evaluated on timelines related to AEP’s strategic plan. When it is possible to measure the impact of a particular risk, business units are encouraged to do so. Each functional unit answers questions related to the risk to determine the risk’s potential impact in areas such as regulation, safety, operations, and finance. AEP’s strategic planning function leverages this information to identify internal improvement opportunities.


Chapter 4


Key risks and performance indicators are reported through AEP’s risk reports and linked to the organization’s strategic plan. There is a strong relationship between business-unit objectives and reported risks. Functional units are actively involved in identifying risks that may affect strategy, and guidance is provided by the enterprise risk oversight function. Enterprise risk oversight helps functional units define risks that may prevent them from achieving strategic objectives. These risks are reviewed throughout the year by both the functional units and the enterprise risk oversight function.

Risk management enhances Fonterra’s ability to meet its financial targets. The organization uses ERM to manage risk at the lowest possible cost and reduce the number of surprises and losses that occur. Specifically, the ERM function helps business units meet performance targets and understand the drivers of financial success in order to maximize risk improvement opportunities. A business interruption valuation, which helps calculate potential interruptions to the organization, is used for prioritizing risk improvement opportunities.

For instance, Fonterra can evaluate the investment tradeoffs of securing a milk supply with the revenue and profitability of its local country operations. By establishing farms in China with dairy cows from New Zealand, Fonterra is leveraging risk results to minimize supply chain disruptions that would adversely impact customers and ultimately affect revenue.

Figure 19

AEP’s Sustainability Reporting ProcessStakeholderengagement

Develop report

Identify risksand commitments - addressed or created

Report published

Internal updates on risks and commitments

Sample Fonterra Performance Scorecard

Figure 20

Fonterra Group

1-Yr TSR

Payout per KgMS

NPAT EBIT

RONA

Sales Growth Sales Growth Sales Growth Sales Growth

Cash measure

Contribution to Payout/KgMS

RONA

Working Capital Turns

DIFOT composite measure

Complaints Value

DIFOT

Complaints Value

Sales from Innovation




Forecast Stability Measure (GT)


RONA

EBIT

Gross Margin Gross Margin Gross Margin

RONA

EBIT

RONA

EBIT

RONA





DIFOT DIFOT DIFOT DIFOT

Complaints Value Complaints Value Complaints Value Complaints Value

Forecast Stability Measure




Group LTIFR/TRIFR

Group Fatalities

Environment Issues Measure

People Measure

LTIFR

Fatalities


LTIFR

Fatalities


People Measure People Measure People Measure People Measure People Measure

Core

Fonterra Ingredients

Asia/AME

China

ANZ

Financial Success

Customer Success

Operational Improvement

Capable and Willing People

riSK management anD inDiviDuaL perFOrmanCeBest-practice organizations use risk management as an individual performance indicator.

At some of the study’s best-practice organizations, risk management is used as an individual performance indicator. Linking risk management activities to performance measures helps promote accountability, augment awareness of risks, and obtain buy-in for ERM efforts. Typically, these performance indicators tie directly or indirectly to rewards.

At Fonterra, risk management is linked to performance measures; this provides an additional incentive for participation. On an annual basis, Fonterra’s management team and board of directors agree on a scorecard to measure and track performance targets. Figure 20 shows a sample performance scorecard. The shaded areas affect each manager’s annual bonus, whereas the unshaded areas do not directly affect the bonus structure. The clarity of definition signals the importance of these indicators and enables management to drive behaviors and performance.


Chapter 4


Risk management also supports Fonterra’s ability to attract and retain capable people. The ERM function helps expand the skill base of management by offering ERM tools and training. In addition to formal training, Fonterra also provides ongoing coaching and mentoring to risk champions and business units.

At AEP, ERM is connected to strategic plans, which link to goals and incentive programs. There is no explicit link between ERM and performance measures, but there is significant integration among incentives, objectives, risks, and the strategic plan. In this framework, employees are indirectly accountable for risk management. For example, distribution reliability is both a key performance indicator and a risk indicator. Employees are measured against the amount of time it takes to restore power as well as the number of customer minutes lost. Distribution reliability is also a key risk area. In cases like this, there is a strong relationship between incentives and the objectives stated in the strategic plan.

At Textron, the use of a report card helps promote accountability and ensure that risks are properly tracked and addressed. The report card is an element of the quarterly reporting process that illustrates which business-unit councils are participating in risk activities. Key executives approach those business-unit leaders who are not actively participating to understand their lack of involvement. This approach supports continued and increased participation across the enterprise.

erm evaLuatiOnEvaluation of ERM effectiveness is in the early stages of maturity.

With some exceptions, ERM evaluation is in the early stages of maturity. Most organizations measure cost savings related to risk management and use anecdotal success stories to justify a continued business case for ERM. Consequently, most of the study participants consider the development of additional and more sophisticated ERM measures to be an area for improvement.

With a sophisticated measurement framework in place, Textron is an exception to this finding. For each risk event occurrence, Textron’s ERM function reviews existing risks for possible revision and revises the impact and likelihood assessments. This information is then presented in the same format as risk analysis data and is entered in the risk event tracking system.

Although AEP cites that it is difficult to measure the success of ERM, the organization asserts that enterprise risk management has intangible benefits. There is an increased awareness of risk across the organization and a growing desire to understand and implement consistent risk approaches. Functional units frequently request assistance from the enterprise risk oversight function to ensure that projects are consistent with risk committee standards and to help identify and mitigate risks.


Chapter 4



In the future, Fonterra plans to closely monitor risk assessment activities within its business units. It will expand its existing control self-assessment process to further engage management. In past years, this process focused on manufacturing, supply chain, and sales and marketing. The organization plans to use the control self-assessment process to obtain feedback from business units in order to determine future risk areas. Currently, this process is completed twice annually, with signoff provided by senior managers at the sites.

COnCLuSiOnThe best-practice organizations in this study leverage ERM programs to enhance business results by evaluating the tradeoffs between risks and rewards and using this analysis to make conscientious investment and operating decisions. The study partners also reinforce their ERM key performance and risk indicator measurements by providing either direct or indirect links to individual performance results and, in some cases, annual bonuses.

Chapter 4




Using ERM for Performance Improvement

successful and sustainable ERM processes explicitly and visibly demonstrate the tradeoffs between risks and mitigating actions while also—in most cases—linking performance measurement with risk management.

among the innovative practices identified in this study was one that involved including the occurrence of risk events in risk team assessments, based on whether the team had identified the event as a possibility and the impact it had expected the event to have on the unit. This is a good example of how organizations establish responsibilities between central and local unit business units: The local unit identifies the risk and makes mitigation recommendations (which may include “as is” acceptance), a central corporate function assesses those risks seen as higher priority by the business units—while also considering the interaction of all other risks—and approves, adjusts, or turns down mitigation recommendations (based on resource availability, scale of size, etc.), and the local unit then implements the approved plans. When a risk event occurs, the local unit is, in part, evaluated on whether it reasonably identified the risk and its impact as well as its response actions.

Best-practice organizations also ensure that key risk indicators, often referred to as KRIs, are explicitly factored into performance measurements and results, including incentive compensation programs.4 In doing so, however, organizations should ensure that KRIs are not considered in isolation from other performance metrics; after all, risk mitigation actions directly impact other performance criteria and vice versa. for example, as we noted earlier, actions taken to bring a delayed project back on schedule usually include some combination of additional resources or reduced scope, but both of these actions will impact other metrics at a later date (project budgets and the benefit case, respectively).

This simple example also highlights the importance of the dimension of time: how decisions made in 2008 might deliver measurable benefits in 2009, but carry risks that emerge only in 2011 or 2012. In order to incent and compensate staff and executives for the short-term benefit, the organization should first adjust future planned performance by the expected or potential losses that the risk might generate. In other words, performance measurement and incentive programs should take a much longer perspective on time.

In addition, risk metrics can be very misleading on their own. for example, in a retail environment, stock-outs are likely a KRI. however, one can almost fully prevent stock-outs simply by having far too much inventory, thus running the risk of tying up capital and selling goods at lower prices. as such, measuring a manager incorporating only the KRI over stock-outs can lead to sub-optimal behavior.

finally, the selection of KRIs must be based on their relative importance to the business, or in other words, based on the value each KRI drives across the enterprise or business unit. Just as certain key performance indicators are stronger business drivers than others, some KRIs reflect very substantial risks, whereas others follow lesser ones.Therefore, an integrated view of risk and other performance metrics is vital for the long-term success of an ERM process.

Chapter 4


4 Of course, given the recent turmoil in the financial markets and the results posted by large financial institutions, it does not appear that these organizations employed these practices.

In any business area, continuous improvement may be the most essential ingredient for achieving “best practice” status. The best-practice partners in

this study take such an attitude toward their ERM initiatives; each places high importance on lessons learned and critical success factors as tools for moving forward on the path of continuous improvement. Study results reveal common themes among these best-practice organizations as essential components of successful ERM programs.

For example, the best-practice organizations cite risk assessment process tools, heat maps, risk stewardship, and recording databases as some of the most useful ERM tools and methods. Furthermore, the partners tend to agree on the top quantifiable benefits of implementing ERM as a core management process:• generalriskawarenessandunderstandingofexposure,• increasedaccountability,• lossavoidance,• reducedinsurancecosts,and• improveddecisionmaking.

This chapter details lessons learned and critical success factors for effectively managing enterprise-wide risks.

ameriCan eLeCtriC pOWerAEP cites the following critical success factors for its ERM program.• Communicatingthepurpose,strategy,process,benefits,andresultsofERM

is critical to change management and helps achieve buy-in at all levels of the organization.

• Providingadequate,ongoingtrainingonERMmethodsandbenefitsisalsoimportant. AEP spent more than two years expanding the process, educating functional units, refining its reporting process, and developing ways to evaluate risks at an enterprise level.

• ERMwasrolledoutgraduallyacrosstheorganization,whichhelpedwithbuy-in.Starting slowly encouraged others to get involved and lessened resistance to change.

FOnterra COOperative grOup LimiteDAccording to Fonterra, successful ERM approaches must incorporate the following:• seniormanagementsupportandavenueforsuchsupport;• awaytoshowhowERMaddsvaluetothebusiness;

The “Essentials” of ERM


C h a p t e r 5

49

Chapter 5



• capturedandcommunicatedbenefits;• built-inperformancemeasuresaroundriskassessmentandimprovement;• linksthroughcommonsystems(asusedbyfunctionssuchasinternal

audit and IT);• acommonriskmanagementlanguage;• clearlydefinedrolesandresponsibilities;• establishedriskmanagementprocessestoenableriskaggregationand

transparent, unbiased reporting;• incentivestoensuretheinclusionofriskinformationinbusinessplanningand

project assessment; and• theintegrationofriskmanagementintoexistingsystems.

neW yOrK inDepenDent SyStem OperatOrKey elements of the NYISO’s ERM success include:• responsiveness,flexibility,andtheabilitytoadapt;• continuingeducationonemergingtrends;• acceptanceofariskmanagementframeworkasafocalpoint;• acommonlanguagefordefininganddescribingrisks;• seniormanagementsupportandcommitment;• riskmanagementownership;• communicationofriskinformationthroughouttheorganization;• comprehensivetraining;• reinforcementthroughHRmechanisms;• effectiveriskmanagementprocesses;and• monitoringthroughselfandinternalaudit.

The NYISO would advise organizations that are starting ERM programs to obtain the support of senior leaders, rely on results for additional buy-in, identify how risk analysis and mitigation can help the organization’s core processes, be patient yet firm, and embrace responsible parties as part of the solution and acknowledge them accordingly.

textrOn inC. Textron cites the following as critical success factors for ERM.• SeniorleaderssupportedERM,andinitialriskmanagementactivitieswereled

by the CFO. This strong leadership commitment promoted cultural buy-in for ERM activities.

• SixSigmawasastartingpointforERM.BecauseERMwaslaunchedfromexisting Six Sigma efforts, there were fewer cultural barriers to adoption and the process was validated immediately.

• Textronestablishedanoperatingcommitteeinlieuofatraditionalriskcommittee. The organization’s leaders felt strongly that the ERM function should report directly to risk owners within key business units. This structure means that risks are reported directly to individuals who have the ability to act on them.


Chapter 5


• AtTextron,areportcardembeddedintothequarterlyreportingprocessshows which business units and councils are participating in risk activities. This report card promotes accountability and helps ensure that risks are tracked and addressed.

The following list summarizes lessons that Textron has learned over the course of its ERM journey.• ERMisaprocess,notaproject.• Managementownstherisks;ERMdrivestheprocess.• Riskassumptionshavefiniteaccuracyregardingimpactandlikelihoodandare

not critical to the process.• Managementmustbeengagedinregularriskdiscussions.• ValueisrealizedwhentheERMprocessmotivatesbeneficialactionsthat

would not have occurred otherwise.• ERMmustachievetangiblebenefitsinordertojustifyitsexistence.• ERMwillnevereliminateallrisksandexposures.• ThesupportofTextron’sboardofdirectorsisimportanttoongoingsuccess.

COnCLuSiOnThroughout this study, certain themes repeatedly came to light: consistent processes, swift information flow, targeted support, pervasive accountability, buy-in, communication, defined roles, and flexibility. These are necessary ingredients that contribute to the effective management of enterprise risk. Although ERM is an evolving practice area and cultures differ from organization to organization, the best-practice partners have shown that the regular practice and reinforcement of these essentials is the best approach for implementing successful enterprise risk management.




We echo the conclusions of this study, which recognize the critical elements of success in implementing ERM across an organization. There are clear parallels across the organizations that participated in this study, particularly with respect to executive support, role definition, lines of communication, and the use of agreed-upon risk metrics.

While Enterprise Risk Management (ERM) and what we see as its sister discipline, the Management of Risk Events (MRE), are specific management processes, the underlying strategies parallel those of broader enterprise management.

The key messages that we would like to close with are to emphasize the need for consistency in language and process, common definitions of data and risk, and an integrated approach to the management of risk, particularly through the dual prism of risk and performance management.

We would like to thank our fellow sponsors for their support and participation, aPQC and the independent experts who guided the research and study deliverables, and most especially the organizations that agreed to be put under a microscope as best-practice partners. The partner organizations, in particular, put in many hours to present their ideas and approaches and answer questions.

Thank you for taking the time to review this study, and we hope you have gained as much as we did in helping to prepare it. We look forward to working with you again soon!

Chapter 5



CaSe StuDieS



Case Studies

55 american Electric Power

67 fonterra Cooperative group Limited

83 Microsoft Corporation

93 new york Independent system operator

101 Textron Inc.


American Electric PowerC a S e S t u Dy

American Electric Power (AEP) is one of the largest power generators in the United States. The organization provides electric service to more than five

million customers in 11 states. With approximately 20,800 employees, AEP has $40.4 billion in assets and annual revenues that exceed $13 billion.

AEP is the second largest domestic power generator, providing electricity that powers the national economy. Power generation involves the creation of electrical power using fossil fuels (e.g., coal, oil, natural gas); nuclear technology; hydroelectric plants; and renewable and other resources. Domestically, AEP produces energy using coal and lignite, natural gas, nuclear, hydro, and wind. Coal and lignite account for 68 percent of AEP’s power generation, and natural gas and oil account for 23 percent. Nuclear and hydro power generation account for 6 percent and 3 percent, respectively.

Power transmission and distribution are key business functions within the organization. AEP’s transmission business encompasses highly integrated bulk power supply facilities, high-voltage power lines and substations, and the ability to transport power from a point of origin to load centers. This system is linked to a larger support system. Distribution refers to the ability to connect customers to the grid through substations, lower-voltage power lines, poles, transformers, services, and meters.

AEP’s corporate strategy is to grow its core utility business at a consistent rate through major investment supported and funded by innovative programs for regulatory recovery, and to develop an independent, federally regulated transmission company for the pursuit of new major interstate projects.

Specifically, the current focus of the organization is to:• investinandevolveinfrastructuretosupportfuturetechnologyandcustomer

needs with an emphasis on efficiency, conservation, and load management;• enhancecashflowandearningsthroughraterecoverymechanisms;and• takeadvantageofAEP’ssizetobenefitcustomersandshareholdersthrough

regulatory-supported investment.

The utility industry is regulated in most states. Accordingly, AEP is highly dependent on and affected by regulatory commissions and reviews. Two of the states in which it currently operates, Ohio and Texas, have deregulated domestic power generation; this presents challenges as well as risks for the organization. As a result, preparing for the post-2008 energy market transition in Ohio is another key strategic directive.


Enterprise Risk Management

Evolution of Energy Utility Risk Management

Figure 21

1970s

Insurance

1980s

Insurance

Credit

1990s(Deregulation)

Insurance

Credit

Market

Credit

Market

Organizational

Business Expansion

Operations

Corporate Responsibility

2000s

Insurance

Insurance Risk Management

Financial and Insurance Risk Management

Financial and Market Risk

Management

Organizational

CaSe StuDy

american Electric Power

Regulatory risks and issues are managed by a separate function that works with AEP’s operating organizations. AEP’s regulatory function is responsible for ensuring consistency in filings across jurisdictions, regulatory changes, and any other risks that impact the regulatory environment. Since AEP operates in 11 states, there is a strong need for the regulatory function to maintain information on state changes, financial results, and timing and status of issues that pertain specifically to industry regulations. Accordingly, risks associated with the regulatory environment are not specifically addressed in this report, although there is a link to corporate risk processes in that they are impacted by the regulatory environment.

Optimizing the erm OrganizatiOnaL StruCture Risk management within the industry and at AEP has progressed over time. Figure 21 summarizes the evolution of risk management from an industry and organizational perspective. As shown, in the 1970s, the primary focus was insurance risk management. Financial risk management, which includes risks associated with credit, was added in the 1980s. During the 1990s, the deregulation of utilities presented additional risks, and organizational and market risk management became critical to the organization. Since then, risk management has expanded to include business expansion risks and operational risks. In 2007, AEP began to publish an annual corporate responsibility report containing commitments that represent additional risks to the organization. Today, AEP applies risk management strategy to all areas of its U.S. operations and is applying for the 2009 Baldrige Award to recognize its worldwide operations.

“The enterprise risk oversight (ERO) group does not manage risk per se;

risks are managed by functional units across the company. Some risks—

such as credit, insurable, and pension risks—are managed within the risk and strategic initiatives department,

which includes enterprise risk oversight. The ERO group works

with the functional units to identify their respective risks and emerging

issues that are considered significant enough to have an enterprise effect.

The ERO group then works to combine this information into an enterprise view of the company.

For this reason, and to avoid confusion about the purpose of the group, this group is named

‘enterprise risk oversight’ and not ‘enterprise risk management.’ ”

— Doug Buck, director of enterprise risk oversight, American Electric Power


AEP’s Current Organizational Structure

Chairman, President & CEO

2008 REC Members

VP Strategic Initiatives & CRO

SVP CAO

SVP Corp. Plan. & Budgeting

Treasurer & VP Investor Relations

VP Enterprise Risk & Insurance

CFO President AEP Transmission

SVP Transmission

EVP Generation

VP Generation Business Services

SVP FEL

SVP Fossil & Hydro Gen.

SVP Chief Nuclear Officer

SVP Eng. Projects & Field Services

SVP General Counsel

VP Corp. Communications

COO

Dir. Ethics & Comp

SVP Shared Services

President AEP Utilities

SVP Regulatory Services

EVP Safety, Environ. Health & Facilities

Figure 22

EVP AEP West Utilities

EVP AEP East Utilities

VP Cust. Svcs., Mktg. & Dist. Svcs.

SVP Comm. Ops

CaSe StuDy


AEP’s risk organization is led by the vice president of strategic initiatives and chief risk officer (CRO). This individual is responsible for multiple groups within AEP, including enterprise risk and insurance, market risk oversight, credit risk management, trusts and investments, and strategic initiatives. The CRO reports to the chief financial officer (CFO) of the organization, who is responsible for accounting, treasury and investor relations, corporate planning and budgeting, and risk and strategic initiatives. The enterprise risk oversight (ERO) group is under the vice president of enterprise risk and insurance, who reports to the CRO.

Figure 22 depicts AEP’s current organizational structure. The shaded boxes indicate members of the risk executive committee (REC). The REC is made up of members of the executive council and other senior executives who manage a significant amount of risk for the organization. As shown, REC members are dispersed across the organization.

AEP’s enterprise risk organization is strategically named “enterprise risk oversight” in order to communicate that, although the group oversees risks for the enterprise, risk management is the responsibility of the individual business functions. Accordingly, funding for risk management is incorporated into business-unit budgets.


Figure 23

AEP’s Risk Reporting Structure • AEP’s ERM policy - sets governance structure, roles, and responsibilities

• Summary report provided to board audit committee

Audit Comm.

Risk Executive Committee

Enterprise Risk Oversight Function

• Strategic focus for monthly REC meetings

• Independent oversight function

• Management of risks Functional Unit Management

CaSe StuDy


The organization created an enterprise risk management (ERM) policy that outlines the governance structure for ERM and clearly defines roles and responsibilities associated with managing risk. Any changes to the ERM policy must be approved by the CFO, the CRO, and the vice president of enterprise risk and insurance.

Figure 23 depicts the risk structure at AEP. As the diagram indicates, enterprise risk management involves all levels of the organization and is governed by the ERM policy.

The ERM policy establishes a governing framework for assessing the organization’s collective risk and ensures accountability for the identification, measurement, evaluation, and mitigation of risk. At the top of the structure is the board audit committee. Audit committee members meet approximately six times each year and are provided with summary risk reports to review.

The REC is the organization’s high-level risk management group. Each month, REC members meet to discuss risk reports and address issues facing the organization. The REC also provides input on identifying and managing enterprise risks. The vice president of enterprise risk and insurance chairs the meetings, which generally begin with a review of notable risk items from the monthly risk reports along with items that require follow-up action from previous meetings. The rest of the meeting is led by an REC member who represents a specific functional unit within the organization. Using input from the ERO group, this member determines a topic from his or her respective area for the committee to discuss and presents to the group on that topic. Discussion topics focus on emerging and/or major risk


CaSe StuDy


issues and tend to be strategic in nature. The committee provides feedback and develops an action plan for assistance, if needed. The REC ensures that reported risks are aligned with AEP’s strategic plan; it also biannually reviews the status of commitments made in the company’s corporate sustainability report.

The ERO group coordinates the agenda, prepares relevant information for monthly REC meetings, works with functional units on risk identification and reporting, and is responsible for the ongoing development and maintenance of a collective (i.e., enterprise) risk view for the organization. This group also provides enterprise risk–related information, analysis on emerging areas of risk, and strategies for improving risk measures.

The functional units are responsible for managing their respective risks and providing monthly risk reporting. They involve ERO in special projects as needed. Functional-unit management is the foundation of the risk structure at AEP. Although the oversight function is available to provide assistance, much of what is reported is determined by functional units. Functional units are asked to report on why they think certain risks should be tracked, what mitigation plans are underway, and the current status of the risks. Functional units are also asked to identify trends and emerging issues that affect enterprise risk. The status of risks is measured by guidelines that are established by functional-unit managers.

Figure 24 (page 60) lists the specific functional areas that provide risk reports to the REC. The REC information flow is designed to minimize overlap and duplication in the information presented to executives.

The ERO group works with functional units to help identify risks and provides education and support. There are currently two full-time resources in the oversight function; however, these individuals are supported by numerous functional-unit representatives who act as an “extended family” to ERO. This group helps functional units determine what risks should be reported, what information should be included in the reports, and how to identify emerging areas of risk.

At AEP, there are many risks within each functional unit; however, the focus of ERM is on risks that affect the enterprise as a whole. Although risks are managed functionally, input on these risks is solicited from across the organization.

One of the challenges that AEP faces pertains to the fact that “all risks are not created equal.” Risks reported to the REC cover a very broad range of issues; some are quantifiable, and others are not. Also, because risks change over time, the organization continuously revises the list of reported risks. Some risks are reported on a long-term basis, whereas others are reported for several months and then removed from reporting.


CaSe StuDy


REC Reporting at AEP

Operating company risks are reflected in the functional reports

Figure 24

Generation

Fossil and Hydro Plant OperationsEnvironmental ConstructionNew Generation ConstructionFuel, Emissions and Logistics

Utilities

TransmissionCustomer and Distribution ServicesRegulatoryCommercial Operations

Shared Services

IT Business logistics Workforce

Risk and Strategic InitiativesTreasury

Finance

Environmental Safety Corporate Responsibility

Environ., Safety, Health, and Facilities

Reputation Legal Analysis

Other

Financial AuditsOperational AuditsEnviron., Safety, and Health ServicesSOX Complaince

Audit Services

CEO

AEP divides its risks into two categories: monitored risks and potential high-impact risks. Monitored risks are generally easier to quantify and have governing policies focused on limits and controls. They are monitored for status changes and to ensure that controls are working. By contrast, potential high-impact risks are more difficult to quantify. High-impact risks are usually operational or physical risks and are addressed by programs, rather than limits. These risks typically have an impact on one or more monitored risks; therefore, potential high-impact risks are the focus of REC discussions.

In general, it is difficult for AEP to define and measure its risk appetite. This is because it is easier to set a risk appetite around risks that are quantifiable, and many of AEP’s most significant risks are very hard to quantify. However, there are some risk policies that aim to set limits and appetites. The regulatory aspect of the industry also makes it difficult to define and measure certain risks, and much of the risk appetite is influenced by industry regulations.


CaSe StuDy


As previously mentioned, functional units are responsible for analyzing, assessing, managing, and mitigating their own risks. Functional units provide monthly risk reports that include information such as metrics (where possible), current status, trends, strategy and mitigation, and emerging risk areas. Reports are reviewed by the ERO group, which in turn prepares a high-level summary for the REC. All reports are subject to audit. In addition, reports from functional units are compiled in a binder that is provided to all REC members prior to each meeting. This enables committee members who want more detail to read about specific risks prior to the meeting and come prepared with questions. The summary is prepared for those who prefer high-level reviews. This summary is also reviewed by the board audit committee.

Increased communication around ERM has helped AEP overcome barriers to adoption and promote buy-in across the organization. When ERM was first implemented, members of the ERO function engaged in discussions with senior executives to determine what they liked about previous risk committee meetings and to learn about their expectations for monitoring risks. The ability to engage leaders in one-on-one conversations was important because it helped leaders become part of the process. As a result, discussions about risks and risk-related issues occur frequently across the organization.

Increased communication also helped change the perception of risk management across functional units. Education and one-on-one conversations with key leaders and functional-unit representatives were instrumental in obtaining buy-in from all levels of the organization. By promoting early successes from its enterprise risk processes, AEP was able to convince employees that ERM is both valuable and tangible. An increased understanding of enterprise risk began to be seen as beneficial. Today, risk reporting is viewed as an opportunity to share issues and address concerns with executives, and business units often ask for assistance on projects to ensure they are taking an enterprise view of risk.

iDentiFying, impLementing, anD maintaining SuppOrting erm teChnOLOgieSCurrently, AEP does not use any specific ERM software. Monthly reports are submitted in various formats, including Word, PowerPoint, and Excel. The organization uses a manual process to manage the data and prepare information for the REC. Leveraging tools that work across different business units is difficult because each unit has different needs.

The decision not to implement supporting technologies is strategic. Although the organization has explored a number of software packages, it has chosen to focus on process first and let the process drive future technology decisions. AEP believes that, by concentrating on the process, it can ensure that more information is shared between functional units. At this time, a software package would most likely be

“There are some good ones [software packages] out there, but

we are focusing on process first and letting that drive our decision.”



CaSe StuDy


“The risk executive committee is like a large, extended family. It includes individuals from across the organization. We don’t duplicate efforts—we coordinate them and work together to minimize the overlap of information they receive. As a result, this group is a valuable forum for sharing key risk information.”

— Steve Haynes, vice president of strategic initiatives and chief risk officer,

American Electric Power

a hindrance to the process. In the future, the organization expects to implement some type of ERM technology; however, there is a general expectation that it will be highly customized to fit the organization’s unique needs.

AEP is continuing to develop criteria for implementing an ERM software system. The organization wants a system that will help identify common root causes of risks and apply common definitions and rating criteria; for example, if one business unit refers to financial risks, these terms and concepts should have the same meaning across all business units. Such a system would facilitate risk reporting and analysis by providing an aggregated view of risk that could be used in decision making.

uSing erm aS a DeCiSiOn-maKing tOOLAEP’s risk structure and reporting are often factored into decision making, but the process is informal. For instance, many strategic decisions are influenced by risk information provided to the REC. Although there is no clear directive from the REC that pertains to decision making, the discussions and outcomes from risk meetings create a “ripple effect” across the organization, and the results from the meetings frequently have strategic impact. For example, shifts in budget dollars or changes to risk mitigation efforts are often indirectly linked to REC meetings.

Each functional business unit reports on risk using a “stop light” approach. Risks are assigned a color—green, yellow, or red—to indicate the current status of each reported risk. If a risk is assigned a red rating, it is usually addressed or at least discussed by the REC. This approach helps the REC recognize trends and assign priorities. In addition, any risk that is coded red must have an associated mitigation strategy. However, this system is difficult to apply consistently across the organization because of challenges inherent in comparing one functional unit’s “red-level risks” against those of another functional unit. Furthermore, just because a risk is in the red does not necessarily mean it is of strategic importance to the organization; it could simply be a lower-level risk that happens to be important to the functional unit. For this reason, the color-coding system has limitations as a decision-making tool.

To ensure a comprehensive and consistent view of risk across functional units, the organization periodically collects additional information on reported risks, including potential impact, the timing of possible impact, the manageability of the risk, and how well the possible impact can be measured. This allows for a more forward-looking approach to evaluating risks. Standardizing the way in which this information is provided by the functional units helps AEP accurately compare risks at the enterprise level.

ERM is applied using various methods across the industry. Due to the range and types of risks that AEP tracks, it is difficult to apply a common technique to manage risk throughout the organization. Therefore, the goal is to make sure that there is consistent recognition of risk management across the enterprise. AEP leaders believe that this is best accomplished by requiring functional units to identify and address risks at the functional level with assistance from the ERO group.

AEP’s Audit/Enterprise Risk Interface

Figure 25

Audit risk types and processes• Continuous/Ongoing• New and emerging• Implementation

Audit plan execution and reporting

Monthly reporting

Enterprise risk types• Strategic• Significant auditable• Emerging and potential

Significant enterprise risks

Risk universe

Auditable risks


At AEP, there is a strong relationship between the audit function and the enterprise risk function. Figure 25 depicts the audit and enterprise risk interface. As shown, both functions start with the same risk universe. Although a number of enterprise risks may be auditable, some of the potential or emerging risks cannot be audited. This is where the two functions diverge: The audit function focuses on processes and risks that can be audited, whereas enterprise risk focuses on strategic, emerging, and potential risks. The audit function receives monthly reports and is charged with identifying what can be audited. Risks that are not easily measured are tracked by the enterprise risk function. There is a strong interrelationship between the two functions, and communication occurs on a regular basis. Data shared between these two functions is often used in strategic decision making, as well.

“Due to the nature of our business, we are not a risk-taking company. We don’t speculate, and we aren’t

out there looking for high-risk opportunities.”


CaSe StuDy


uSing erm aS a perFOrmanCe imprOvement tOOLIn using ERM to enhance performance and organizational effectiveness, AEP relies on a number of methods and tools. For example, the tracking of risks related to the commitments made in the corporate sustainability report provides an additional interface between ERO and other business functions. During the year, the organization generates a report on its sustainability efforts. Both internal and external stakeholders are engaged in developing this report. Once the report is published, the organization is committed to a biannual review of the included commitments and risks. Each functional unit provides a biannual update to the REC documenting its progress toward meeting the commitments. Although this is


CaSe StuDy


Figure 26

AEP’s Sustainability Reporting Process Stakeholder engagement

Develop report

Identify risks and commitments - addressed or created

Report published

Internal updates on risks and commitments

a relatively new process for AEP, it identifies a role for enterprise risk in relation to sustainability. The sustainability reporting process is illustrated in Figure 26.

There is also a strong relationship between strategic planning and ERM. Strategic objectives are created on an annual basis under the direction of the CFO. This is a formal process that outlines business plans and defines incentives and performance indicators. Within the risk reporting process, reported risk categories from each functional unit identify risk factors that could prevent the business unit from meeting its goals and objectives.

There are two types of risks at AEP. The first is one-time events, which are risks related to happenings that occur only once. The second is ongoing risks or circumstances, which are risks that occur periodically over time or are conditions in which the company operates. Some of these conditions are beyond the control of the organization. Assessing the effects of ongoing risks and conditions is challenging.

Due to the nature of these types of risks, it is difficult to calculate likelihood and impact for all risks. Therefore, a separate set of criteria has been developed. As previously discussed, the organization periodically collects information related to the potential impact of each risk, the timing of possible impact, the manageability of the risk, and how well the possible impact can be measured. Standardizing the way in which this information is provided by the functional units helps the organization compare risks at the enterprise level.


CaSe StuDy


ERO works closely with the functional units to identify and report emerging risks. The aim is to relate these events to goal attainment, budget criteria, and areas where the risk may impact the organization going forward.

Risks are also evaluated on timelines related to the strategic plan. Where possible, business units measure the impact of a particular risk over time. Each functional unit answers questions to determine a given risk’s potential impact on the organization in areas such as regulatory, safety, operational, or finance. AEP’s strategic planning function leverages this information to identify internal improvement opportunities.

As mentioned, it is difficult to quantify financial impacts for each risk. This is because the organization tracks a broad range of risks, and each functional unit has unique risks and challenges. A risk that is associated with a smaller financial amount may still be strategically important and have a far-reaching effect on the organization. In the area of safety, for example, it is nearly impossible to associate a dollar amount with risks such as near misses, injuries, and fatalities. Most of the risk analysis in this area focuses on ways to impact prevention. Some regulatory issues are also extremely difficult to measure in terms of dollars. Since the organization operates in 11 different states, there are regulatory challenges that make it difficult to apply risk measures consistently.

Key risks and performance indicators are reported through the risk reports and relate to the strategic plan. There is a strong relationship between business-unit objectives and reported risks. Functional units are actively involved in identifying risks that may impact strategy, and guidance is provided by the ERO function. The ERO team provides feedback to the functional units and helps them define risks that may prevent them from achieving strategic objectives. These risks are reviewed throughout the year by both the functional units and the ERO team members.

At AEP, there is an emphasis on identifying emerging risks throughout the year. It is recognized that emerging risks often impact strategic plans and can prevent the organization from achieving corporate objectives.

The relationship between ERM and the organization’s strategic plan implies a link to incentive programs. In this sense, employees are indirectly accountable for risk management. For example, distribution reliability is both a key performance indicator and a key risk. Employees are measured against the amount of time it takes to restore power as well as the number of customer minutes lost. Distribution reliability is also a key risk. In cases like this, there is a strong relationship between incentives and objectives that are stated in the strategic plan. The organization examines incentive plans to see whether there are additional links to risk that are not covered elsewhere. There is significant overlap between incentives, objectives, risks, and the strategic plan.


CaSe StuDy


Although it is difficult to measure the success of ERM, the organization asserts that enterprise risk management has intangible benefits. There is an increased awareness of risk across the organization and a growing desire to understand and implement consistent risk approaches. Functional units often request assistance from the ERO group to help identify and mitigate risks.

LeSSOnS LearneD anD Future pLanSAt AEP, one of the key lessons learned is related to communication. Publicizing the purpose, strategy, process, benefits, and results of ERM is critical to change management and helps achieve buy-in at all levels of the organization. AEP’s goal is to have the implementation of the company-specific ERM program drive the process, rather than letting systems or software drive the process. By de-emphasizing systems and technology, the organization has been able to establish effective communications and processes.

Providing adequate training and education on ERM methods and benefits is also important. AEP spent more than two years expanding its process, educating functional units, refining its reporting, and developing a way to evaluate risks at an enterprise level. The ERO group worked closely with each of the functional units on how to identify risks and what to report. Much of the education and training is provided on an ongoing basis and can be requested at any time.

AEP did not adopt ERM concepts all at once; rather, ERM was rolled out gradually to various parts of the organization. This approach helped with buy-in and was critical to success. By presenting ERM concepts in phases, AEP was able to manage the process effectively, gain buy-in and acceptance, and provide ample communication to ensure that ERM was seen as beneficial. Starting slowly encouraged others to get involved and lessened resistance to change. The process continues to evolve over time.

Despite its successes, AEP is still grappling with challenges related to risk quantification and reporting. Some of these challenges include:• thequantificationandevaluationofenterpriseeffects,• theassessmentoftheinterrelationshipsbetweenrisks,• thediversenatureofrisks,• differentpresentationformatsfordecisionmaking,and• refinementofinformationmanagement.

The organization will continue to address these challenges in the upcoming years. Within the next several years, AEP hopes to implement software that will facilitate the reporting process. The vision is to expand risk reporting and analysis so that there is a better understanding of the root causes of risks as well as their potential impact on the enterprise. It is expected that this will enhance the links to the strategic plan and enable a better response to the risks facing AEP.

“Risks are changing all the time; therefore, you need a process that is flexible, recognizes emerging risks, and finds a way to communicate risk-related information across the business units.”

— Laura Thomas, vice president of enterprise risk and insurance,

American Electric Power


Fonterra Cooperative Group LimitedC a S e S t u Dy

Dairy exporter Fonterra Cooperative Group Limited was formed in 2001 by a forced merger of two historical competitors and a New Zealand government

agency. With nearly 11,000 farmer shareholders and 16,000 employees, Fonterra’s revenues represent more than 20 percent of total exports in New Zealand. Fonterra also accounts for 9 percent of New Zealand’s total GDP and 40 percent of cross-border trade in global dairy products.

Fonterra is headquartered in Auckland, with major regional offices in Melbourne, Chicago, Hamburg, Tokyo, Colombo, Santiago, Singapore, Mexico, Dubai, and China. The organization also maintains various alliances and joint ventures in global locations that are co-owned with its partners, which include Dairy Farmers of America and San Lu in China. In 2007, Fonterra reported $10 billion (USD) in revenue, making it the fifth largest dairy company in the world.

Every 2.75 minutes, Fonterra exports one container load of dairy product to customers located throughout 140 countries. The majority of its business (98 percent) is in the edible foods market, which includes cheese, milk powders, cream, butter, and milk. The remaining 2 percent of its product goes to other uses, including one percent to protein areas such as stockfeed. A small portion of its business (0.1 percent) involves the manufacture of pharmacy grade lactose, which is primarily used in inhalers.

Fonterra’s top 15 customers account for more than 40 percent of all production. From a risk perspective, this is significant; losing one of these top 15 customers would have far-reaching consequences. As a result, on-time delivery, supply chain effectiveness and efficiency, and production robustness are critical to the organization.

During the months of October to December, there is a peak flow of milk, which is followed by a steady decline. This pattern is referred to as the “milk curve,” which ultimately determines supply. During peak months in the milk curve, plants are running at full capacity; any disturbances during this time affect the entire organization. Accordingly, many of Fonterra’s risk management efforts focus on production and business continuity planning. The organization fully supports business continuity planning, which provides a solid anchor to its risk management program. Enterprise risk management (ERM) has enabled better business continuity planning so that interruptions during the peak period are less likely to occur.


CaSe StuDy

fonterra Cooperative group Limited

Optimizing the erm OrganizatiOnaL StruCtureSince its creation, Fonterra has attempted to establish enterprise risk management three times. The first effort was initiated in 2001, shortly after the formation of the organization. Due to difficulties associated with merging multiple enterprises, the attempt at ERM failed and was viewed as an impediment to more pressing issues. Leadership viewed ERM as “the right idea at the wrong time,”

In 2003, Fonterra’s management board raised the issue of risk management and assigned the responsibility to its global assurance function. During this time, the organization developed a risk policy and risk management framework based on New Zealand and Australia Risk Management Standard 4360 and other risk strategies, such the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The organization also held 45 risk management workshops that covered 85 percent of the business. The process involved identifying more than 800 corporate risks, which were distilled to the top 99 risks and the top 20 risks by early 2005.

Whereas Fonterra’s second attempt at risk management successfully uncovered a number of corporate risks, employees considered the process to be too theoretical and felt it did not produce any significant benefits at the operating business-unit level, according to Enterprise Risk Manager John Pearce. The key finding from this exercise was that ERM needed to be interactive and anchored in business functions.

Fonterra’s third ERM attempt successfully integrated ERM into the organization and created a link to business functions. In 2006, the global assurance function was split into audit and risk functions with two different reporting lines to the office of the chief financial officer (CFO). The organization integrated audit and risk processes into business strategy and planning as well as refreshing and fully defining its top 20 corporate risks.

The current ERM structure is based on board-level recognition that Fonterra, as a new company with a mandate to grow, must effectively manage risk in order to be successful. Fonterra aims to use risk management to maximize opportunities and enhance abilities and upside opportunities. Risk management is supported by senior leaders, including the CFO and the chair of the audit, finance, and risk committee (AFRC).

In contrast to previous risk management efforts, which lacked a stated return on investment (ROI) or other direct analysis to support ERM, Fonterra’s current risk assessment process provides insurance cost drivers. The process also encompasses risks across the enterprise. Business units own and fund risk outcomes, but the risk management function provides technical support and coaching to the business units. The risk management function also funds risk identification and consults with the businesses on solutions and controls.

“We focus on attitudes and behaviors. If we can get behaviors to focus on risk management and change the perception of what it means to the organization, then we can really impact our culture.”

— John Pearce, enterprise risk manager, Fonterra


Risk Management Framework

Figure 27

Governance Framework

The Way We Work Values Vision Strategy Risk Management Board Charter

• Focused on the future• Delivering

uncompromised results• With complete integrity• Energized by innovation

• Ensuring when anyone thinks dairy they think Fonterra

• Putting the customer first• Making dairy an integral part of

people’s nutrition everywhere• Delivering an integrated cow-to-

customer value chain• Making Fonterra’s brands first

choice• Employing and motivating

talented people around the world• Winning and retaining the loyalty

of shareholders

• Foundation theme - The Sustainable Co-operative

• Lowest cost supplier of dairy products

• Leading global dairy marketer• Developer of valuable

customer partnerships• Specialty milk components

innovator and provider• Leading consumer dairy

marketer• Leading dairy marketer to food

services

• Provides a framework to identify, assess, and monitor risks and to report on risk management activities

• Outlines the key values and practices of Fonterra as they apply to the activities of the board of directors

Policy Framework

Business Unit/Division Standards/Guidelines/ Rules/

Procedures/ Processes

Group Standards/Guidelines/ Procedures

Group Projects

Development

Approval

Management

Communication

Compliance

The development of new or the updating of existing content

Obtaining the appropriate level of approval for all content

Ensuring that all content is relevant and up-to-date so that users always have the right information

Ensuring that staff are made aware of all changes/additions to content in a timely manner

Ensuring that everyone follows (complies with) the FPF content

Assurance

Using different tools to check that everyone is complying with the FPF content and reporting on compliance

To lead in dairy

CaSe StuDy


Fonterra’s risk management policy is fully defined and builds on key concepts that guide risk management. For example, the intention is to establish a program that promotes cultural change and is embedded in the way the organization operates. Another goal is to develop a common approach and language to ensure that key risks are identified, assessed, controlled, and reported in a consistent manner. Fonterra’s risk management policy is forward-looking, applies to internal as well as external risks, and provides a link between risk and organizational strategy. The organization regularly benchmarks and reviews its policies against Fortune 1000 drivers to identify weak spots in its process.

Figure 27 depicts the risk management framework at Fonterra. As shown, risk management is part of the overall governance framework. The policies that support risk management are found under compliance and assurance. Processes that assist with risk identification are the responsibility of the risk management function and business units; the internal audit function follows up on controls, and assurance is


CaSe StuDy


completed through the process of risk assessment. The enterprise risk, audit, and legal functions all work closely together on compliance and assurance. The risk management function and the internal audit function have recently purchased a software solution that allows the organization to capture and regulate risks using a common format.

The ERM function provides information to Fonterra’s leadership team and the AFRC. The responsibilities of the ERM function have been outlined and approved by Fonterra’s leadership team and its board of directors. Specifically, the enterprise risk management function: • communicateskeyrisksandmitigationstrategiestotheAFRC,theboard,

ratings agencies, and shareholders;• embedsriskmanagementintoexistinglineprocessessuchasplanning,

forecasting, and budgeting;• developsandstandardizesquantificationtools,templates,andsystemsto

facilitate best-practice risk management activities by line managers;• aggregatesbusiness-unitriskexposurestoidentifyenterprise-widethreats

and exposures;• communicatesandensuresvisualizationofenterpriserisks;• elevatesriskmanagementasakeylinepriority;• providesacenterofexpertiseinriskmanagementpractices;• providesresourceassistancetoup-skilllinemanagersinriskmanagement;and• challengeslineassumptionsandpresentsalternativescenarios.

Business units also have a defined role in enterprise risk management. The objective is to engage business units in managing risk in order to influence behaviors. By integrating risk management into behaviors, the organization hopes to influence overall attitudes regarding the importance of risk. In other words, getting employees to focus on risk management is the first step to cultural change. In terms of risk management, the business units are expected to: • identifydownsiderisksandupsideopportunitiesforthebusiness,• serveasexpertwitnessestoassessriskmagnitude,• mitigatedownsiderisks,• monitoremergingrisks,• collectriskdataandreportittoacorporatecenterforaggregation,• enforcecompliancewithriskmitigationproceduresamongbusiness-unit

personnel, and• useoutcomesinbudgeting/forecastingandbusinessplanningtoensurethat

processes are in place and that costs arising from implementation strategies are planned for and budgeted.

In order to further engage business units, Fonterra is establishing risk champions within each key business. The organization is converting the role of business continuity champions into risk champions charged with expanding the risk program. Risk champions will spend several days in risk assessment workshops designed to


CaSe StuDy


help them identify and manage key business risks. Risk champions will also become business liaisons to the risk function.

Before embarking on a risk assessment project, the ERM function and business units draft a formal proposal that outlines exactly who will do what during the assessment. Each function agrees to its respective responsibilities and outlines what is required. This process helps promote accountability and provides a starting point for follow-up and future recommendations. The contract also notes that any project is subject to an internal audit and that the processes will continue to be monitored. Again, the goal is to promote accountability, define responsibilities, and provide a basis for future evaluations and monitoring.

The following list summarizes the key activities of Fonterra’s ERM function. • assist—Assist with the financial success of the business by providing a forum

and methodology for evaluating and prioritizing potential risk improvement opportunities and understanding their financial and other impacts.

• Improve—Improve the likelihood of meeting strategic targets by managing risk at the lowest possible cost.

• Encourage—Encourage customer success by providing a methodology to help the business build robustness so that losses are less likely or less impactful and the ability to deliver to customers in spec, on time, and in full is enhanced.

• Develop—Develop a culture in which risk assessment is seen as a normal part of doing business by developing programs that promote appropriate risk management behaviors and attitudes.

• Ensure—Ensure that Fonterra is aware of and managing its key risk exposures as part of its due diligence requirements.

Figure 28 (page 72) depicts Fonterra’s ERM organizational chart and areas of responsibility. The size of the ERM function is small relative to the organization’s 17,000-employee global work force. However, the function operates at a high level and relies on strong engagement with the business units. As shown, the ERM function interacts with insurance brokers and leverages employees that are engaged in risk assessments within the business units. The ERM function is responsible for managing the ERM program, monitoring and reporting key risk matters, evaluating business interruptions, and business continuity planning. The ERM function also manages insurance programs; claims management; financial aspects of accident compensation; and other risk management activities, including contract risk and security.

Fonterra closely aligns risk management activities with its business plan. Although the organization’s business plan has not changed significantly since 2001, the goals for risk management have increased. The governing principle for risk management is to provide an ERM center of excellence. The goals are to assist business units with the identification of risks and to improve insurance efficiency.


CaSe StuDy


Fonterra’s current business plan (Figure 29) identifies the key strategies for risk management and the critical initiatives and actions that must occur in order for the organization to achieve its goals. Providing a central focus for risk management is a key strategy included in the business plan. Other key strategies for risk management include enterprise-wide risk assessments, enhanced information flow, and improved risk assessments.

Since 2006, risk management has helped Fonterra realize significant benefits. For example, the ERM function provides a common platform for assessing risks and has shifted the emphasis from managing insurance and claims to managing risk. The ability to engage insurance partners in risk improvement activities has yielded significant financial benefits; there is also a greater emphasis on risk assessment, and business units are able to understand risks and associated priorities incorporated into strategic planning. Although risk assessment activities have not yet occurred in all parts of the organization, Fonterra has completed business risk, process risk, property/asset risk, and project risk assessments across most of the enterprise.

One of Fonterra’s goals was to create a sustainable culture for risk management. Accordingly, risk activities integrate with the organizational culture and have become part of daily business functions. Cultural change activities focus on providing employees with clearly defined roles and responsibilities in order to

Figure 28

Fonterra’s Risk Reporting Structure

Enterprise Risk Manager

• Claims• Insurance• Captive• Risk management• Risk engineering

ERM responsibility:• ERM program• Monitoring and reporting key risk matters (residual and emerging risk) to senior executives and the board (including the top 20 risks)• Business interruption evaluation• Business continuity planning and crisis response planning• Insurance program (strategy, policies, placement, and reporting)• Claims management and administration• Financial aspects of accident compensation• Other risk management activities including contract risk, security, etc.

Manager Risk

Assessment

Manager Risk

Assessment

RiskManager(Contract)

Business ContinuityManager

Risk Management

Admin

Injury Management

Manager



Insurance Brokers:


Figure 29

ERM Business Plan—Executive Summary

Governing Statement Key Strategies Initiatives and Actions

Central focus for risk management

• Review/Establish practical risk management procedures and protocols• Resource and support the risk management activities (”coach”)• Ensure that AFRC is updated on key matters of concern regarding risk management

Improve information flow and administration

• Implement claims management and recording systems to improve claims visiblity and tracking

• Develop links between existing systems• Improve insurance administration activities to reduce workflow• Review and streamline insurance covers to maximize benefits

Improve risk assessment

• Improve the value add from assessments by including Fonterra standards in the assessment activities and broadening their scope

People, quality, and processes

• Expand the business continuity function to include risk assessment in the scope of work

Enterprise-wide risk assessment

• Roll out the enterprise risk assessment process• Assist business units to undertake risk assessments as required

Goals

1. Assist businesses with the identification of risk

2. Improve insurance efficiency

Provide a center of excellence in risk management

CaSe StuDy


promote consistency. In addition, Fonterra provides incentives for business units to ensure that risk management is incorporated into business planning, project risk, and risk assessments. Risk assessment is included as a key performance indicator for business-unit managers under the organization’s risk management policy. All of these techniques have helped Fonterra influence its culture and integrate risk management into existing systems and processes.

iDentiFying, impLementing, anD maintaining SuppOrting erm teChnOLOgieSThe primary technology used to support ERM at Fonterra is Microsoft Office Excel. The organization has evolved its risk assessment tool to accommodate changes in its risk management processes. There is a perception within Fonterra that implementing a formal software package would make it difficult to quickly adapt to any process or business change. Accordingly, the organization has not purchased a formal software package for risk management. Currently, one full-time resource manages the formal risk assessment process and the supporting database.

Since the basic tool has not changed significantly in the past year, Fonterra has started to explore available software packages. While some applications are similar to what the organization already uses, the ability to integrate voting software and Monte Carlo simulation is important. Thus far, the organization has not found one tool that provides these types of features in tandem. Creating a custom software package is too costly at this time, but the organization is continuing to look at other tools that may be applicable in the future.

“Right now, we mainly use Excel, which has evolved over the past

10 years depending on our needs. But I have a great fear that, if we

purchase a formal software package, we will lose the ability to evolve

our process.”



CaSe StuDy


Fonterra aggregates risk assessment reporting into reporting themes developed by its leadership team and the audit, risk, and finance committee. The themes are “strategic,” “market,” “operational,” “financial,” “compliance,” and “governance.” Each risk is categorized into one of the themes, which enables leadership to view risks across the organization and identify which areas are more exposed. This strategy also helps identify risk categories that need more attention, controls, policies, procedures, or guidance based on risk outcomes within each theme.

Figure 30 depicts an example of a risk assessment report. The risk categories (i.e., themes) are listed on the left-hand side, whereas the other two columns provide an overview of the sub-risk categories and risk areas that are linked to each of the themes. This data also flows to the business units in order to help them understand key risks.

uSing erm aS a DeCiSiOn-maKing tOOL ERM is fully integrated into strategic policy and the business units; accordingly, Fonterra uses risk management for budgeting and forecasting, business planning, capital evaluations, mergers and acquisitions, and project evaluations. The organization employs ERM across all business units except joint ventures where Fonterra does not have management control.

Fonterra also links ERM to business continuity planning and the outcomes of business projects and reviews that feed into the business planning process. In short, risk management strategy is integrated into the organization as a whole and provides a solid foundation for decision making.

Figure 31 (page 76) provides an overview of Fonterra’s risk management process. This process is based on a risk management standard for Australia and New Zealand (also referred to as Risk Standard 4360) and is used every time the organization decides to conduct a risk assessment. The first step is to create a risk map in order to identify and assess potential risks. This activity allows Fonterra to evaluate risks prior to making a decision. After a decision is made, the organization determines a response strategy, which provides a framework for risk reporting. Throughout the process, communication, consultation, and continued review are critical.

Fonterra focuses its risk assessment activities in a number of areas and links them to key business decisions that are categorized as operational, strategic, or financial. The first area is process risk assessment, which focuses on operational and strategic risks. The intent is to obtain a high-level understanding of the production process from a risk perspective, which the ERM function factors into the overall risk exposure of the organization. The function accomplishes this by examining the path of production at each stage and closely reviewing inputs and outputs. This process exposes risks, controls, and what might be required in order to mitigate potential failures. Identifying process dependencies and articulating process risks is another

“Sometimes we can quantify risks, but a lot of the time we can’t. A lot of

what we do requires a leap of faith that a prescribed course of action will

get us where we need to be.”



CaSe StuDy


Fonterra’s Risk Assessment Report

Figure 30

Strategic

Risk Category

Sub-Risk Category Risk Areas

Strategic DirectionEthics & CultureReputationStrategic Partnerships

Investor Relations

InnovationsRisk ManagementChange Initiatives/

Transformation

Operationalization of StrategyThe Way We WorkNZ International ImageBFLDairiConcepts/DFA

Payout Forecast ManagementRDIProductImplementation of Risk

Management FrameworkJedi

Stabilized Organization StructureKnowledge SharingSupplier Land Management &

Farming PracticesSoprole/DPADPA/NestleCommunications

MarketProject Interface

Strategic Resource Allocation

EmpowermentChinaBFL/BSC

Shareholder Council

Process

Strategic Evaluation of New Business

OutsourcingCapital Availability

GE

Post Investment Reviews

Redemption

Financial Financial Reporting

Financial Planning

Treasury ManagementTax PlanningPerformance Planning &

MeasurementFraud

COACore ControlsCMP/S&PInventory Mix & ValuationFair Value Share ValuationHedgingDomestic Tax RegimesRCM

Geopolitical/Cultural

FRS

Payout ForecastsSales Mix & ValuationPeak Note ManagementFunctional CurrencyForeign Tax RegimesPerformance Measurement

Control Design & Implementation

Hyperion

Foreign Exchange Volatility

Lifecycle PlanningDebt Raising

VBM

SAP

Commodity Price Volatility

Working Capital Management

Functional Currency

Cost of Production

Redemption Management

Compliance Policy & Procedures

Legal & Regulatory

ProcurementEnvironmental

Sovereign Legislation & Regulation

Intellectual Property

Production StandardsJedi Business Rules &

ComplianceCustoms & Duties

Shareholder Reporting

HRSupplier Land Management

& Farming PracticesHealth & Safety/ACC

Future Regulation

Treasury

EnvironmentalDIRA

Insurance

Hazardous Substances

Governance Ethics & CultureBoard Activities

The Way We WorkShareholder Reporting

Geographic DiversitySub-Committee Delegations

EmpowermentQualifications

Corporate Citizenship

Operational S&OP ManagementMarketing & InnovationBrand ManagementSales

Production

Logistics & WarehousingProject Management

People

Transaction Processing

Information

Crisis managementNon-Core Business

Demand ForecastingProduct InnovationBrand Strategy/RationalizationOrder Management

Asset Security & ProtectionR&D ImplementationMilk CollectionCapex Approval

Personal Health & SafetySuccessionOrder ProcessingPayrollData Accuracy, Completeness &

TimelinessKeaBio-SecuritySynergy

Supply ForecastingR&D FundingBrand Protection &

CounterfeitingPricingProduction EfficiencyAsset MaintenanceProduct ShipmentPost Project Evaluation

Attract & Retain TalentIndustrial ActionInvoicingTrade Spend Promotion CycleSystem DevelopmentCOE

Terrorism

Production PlanningBusiness Case

Development

Contract ManagementProduction Capacity

Distribution Channel Structure

Time, Cost & Quality ControlGROW & PERFORMInternal CommunicationCash CollectionMilk PayoutSystem IntegrationJedi

DRP/BCP

Logistical PlanningEvaluation of A&P Spend

Sales Promotion

Product Quality/ Specification

Inventory Planning

CapabilitiesRenumerationCredit Management

System FailureIS Data Security

Product Recall

IP Protection

RDI

Food Safety

Inventory Protection & Security

Motivation & Focus

Expenses & Purchases Cycle

System Transformation

Natural Disaster

Market Economic/GeopoliticalPolitical/RegulatoryCompetitorsFinancialDistributorsConsumers

Economic DownturnTrade Access & QuotasIndustry StructureFinancial Markets/Cost of DebtRetail Channel StructureConsumer Trends

Political Instability/Sovereign Risk

Product Specification & DutiesCompetitor Strategy/SpendCapital Fund RaisingSocial Trends

Credit RiskAcquisition ApprovalEmerging CompetitorsCommodity Prices

Demand Uncertainty

Product Substitution

Customer Satisfaction


CaSe StuDy


goal of this activity. The result is defined risk mitigation activities, including the prioritization of capital allocations where required. Process risk assessments focus heavily on engineering and manufacturing activities.

Business risk assessments follow a similar approach, but focus on the business-unit level. At this level, business process maps show processes by function and catalog inputs, outputs, and process dependencies. The goal is to rank potential risk probability and make financial determinations related to risk impact when possible. This activity helps identify what can go wrong, likelihood of risk occurrence, and the controls in place to mitigate business risk. If the risk is significant, the organization conducts a more detailed risk assessment and examines additional controls in order to determine what else needs to be done, if anything, to better manage the risk. If a risk is identified as high or significant to the business, then it is subject to a more detailed review using a formal risk assessment tool. If it remains a high-level risk, then the organization examines additional controls that can be put in place to monitor or mitigate the risk. The risk management policy requires that high or significant risks be formally reviewed and included in the strategic plan of the business unit. However, not all risks that are rated as significant or high are necessarily unacceptable. For example, currency and commodity risks are always high, and Fonterra’s shareholders accept those risks. However, these risks are constantly monitored and reported on across the business.

Activity/Project risk assessments focus on a variety of areas, which may include construction projects, outsourcing opportunities, union negotiations, IT security, or strategies to expand business units. For example, the organization recently conducted a risk assessment on outsourcing some of its IT functions to India. Activity/Project risk assessments follow a defined process for a specific project.

Figure 31

Overview of Fonterra’s Risk Management Framework Process

Communication and Consultation

Monitor and Review

3. Report Upon Risk

2. Develop and Monitor Management Plans

1. Create Risk Map

Risk reporting

Risk response strategy

Risk decision

Evaluate the risks

Assess the risks

Identify the risks

Establish the context


CaSe StuDy


Process and disruption risk assessments are contracted out to engineers around the world who complete asset risk reviews on-site. In other words, the organization separates sites as a building and manufacturing activity and reviews property risks independently from process- or project-related risks.

The organization conducts insurance and claims risk assessments in order to influence its financial health and reduce insurance premiums. It also evaluates risk advice and administration (e.g., contracts) in the process of strategic and financial decision making. Fonterra aggregates all risk-related assessments to improve business continuity planning activities. It identifies each risk and factors it into business planning at the strategic level.

As mentioned earlier, Fonterra uses a formal risk assessment process to evaluate risks across the organization. The ERM function is charged with evaluating high or significant risks and entering the data into the risk assessment database. In some cases, a risk assessment manager may conduct a formal review; however, most risk data is reviewed by the ERM function. This is because information must flow to the ERM function so it can be rolled up to senior leadership. In some cases, risks considered to be high or significant by one site are not necessarily high risks for the enterprise as a whole. Conversely, risks that a particular site does not consider to be high may, in fact, be of great concern to the organization. Therefore, it is important that all risk data be filtered to the ERM function so that it can be aggregated and interpreted.

Using the ERM function as a gatekeeper of risk data has both advantages and disadvantages. Generally, business units are not aware of the enterprise-wide risk landscape. As a gatekeeper, the ERM function is able to effectively weigh business risks against the impact on Fonterra as an organization. However, the interpretation of risks among sites may differ, and the process currently relies on a small team of individuals who communicate key corporate risks to senior leaders. To balance this, there is a growing effort to provide additional risk training to business units so that they are better equipped to articulate and identify risks that are of corporate significance.

Figure 32 (page 78) provides an example of the data captured during the formal risk assessment process. The example is fictitious, but shows the types of data fields that must be completed in order to accurately assess high and significant risks. For example, the reporting employee must clearly define the context and objective for each risk. The process also captures the volatility of risk in order to determine how often the risk must be evaluated. If a risk is getting worse over time, then it is followed up more aggressively than it would be if it were improving over time. Each risk is assigned an owner and a category, which ensures accountability and allows the organization to aggregate risks into groups.


CaSe StuDy


The ERM function conducts additional analysis to determine what causes a risk to occur and to identify the consequences of occurrence. This data generally results from brainstorming sessions attended by site management; the organization encourages site management to associate each risk with a potential cost, if possible. The ERM function assigns likelihood and consequence scores using a 1-to-10 scale. A rating of 1 would indicate a low likelihood of risk, whereas a rating of 10 would suggest that the risk is likely to occur in the near future. The combination of these two ratings generates an overall inherent risk rating, which the ERM function can use to assess the potential business impact without the benefit of controls.

Once the ERM function assigns a risk rating, it reviews existing controls and looks at additional controls that could be used to mitigate the risk. The ERM function then force-rates each risk to determine an overall control effectiveness score. It rates controls in terms of quality and quantity so that frequency and accuracy of information is considered. This step sometimes exposes weaknesses in risk data that the site management team has not considered. This influences the overall ratings of controls, which the ERM function eventually shares with the internal audit group for further review, if necessary. The goal is to evaluate risks against existing controls. In some cases, the likelihood of risk occurrence may be high, but if the consequence and impact are marginal, then the overall residual risk rating may be moderate.

Fonterra’s Formal Risk Assessment Process

Figure 32

Context/ Objective

INHERENT (UNTREATED) RISK ASSESSMENT: Assessment WITHOUT Controls

Potential business impact WITHOUT the benefit of controls =

Guaranteed ability to process milk from shareholders

Casual Factors • Road closure from flood• Road closure from landslip• Loss of power to the site for milk transfer >24 hours

Expected Consequences/ Impact

• Unable to receive all milk supplies• Worst reasonable case estimate 50% loss

of milk for 6 days following landslip

Potential Cost NZ$1M - NZ$10M

Risk Owner

Risk

GM Milk Supply

Inherent Likelihood (1-10) 9

Inherent Consequence/ Impact (1-10) 6 7

53

1

9

Inherent Risk Rating HIGH

(Optional Entry) Risk Category Coding

Milk Collection and Transport

VolatilityReduced ability to supply milk to site for a period longer than 24 hours Increasing over time

(Optional Entry) Process Coding

Operational

Like

lihoo

d

A Risk Management Framework - Risk Profiling Report


CaSe StuDy


Fonterra recently expanded its formal risk assessment process to include target risk. Target risk is the realistic target likelihood and consequence for each risk. This is a relatively new concept, but it has already been linked to strategy and business continuity planning. As part of the process, Fonterra captures target likelihood, consequences, and overall risk exposure for key target risks. It then assigns a rating to each target risk along with mitigation strategies. The organization assigns each target risk a risk owner and reviews potential controls that assist with contingency planning.

Throughout the formal risk assessment process, the ERM function provides guidance on ratings and definitions in order to ensure consistency. A risk assessment process pack provides definitions of key risk terms and, at every stage of the process, users have access to boxes that provide definitions of risk ratings. Consequences, for example, are identified as affecting the financial landscape, reputation dynamics, or customer dynamics, to name a few. Probability ranges are also defined based on occurrence. Each data point is clearly defined throughout the process.

Formal risk assessments vary in terms of frequency. Most sites are required to formally assess high or significant risks. Often, the ERM function will lead a site review in which it examines risks listed in the high and significant categories and compares them against the corporate risk environment. Sites must review high and significant risks annually.

Once a formal assessment is completed and controls are identified, the next step is to evaluate costs and incorporate any risk mitigation plans into budget planning. Action plans may require further review to define costs associated with implementing controls. Once costs are identified, they are integrated into budgeting and forecasting planning. In cases that require emergency expenditures, Fonterra may draw from a contingency budget that is set aside to handle unanticipated and unidentified risks. This contingency budget was approved and implemented by Fonterra’s leadership team and its board of directors.

Fonterra uses a defined process to determine the strategic importance of risks (Figure 33, page 80). The process begins with a risk assessment to identify risk improvement opportunities. The key dependencies of the risk are also identified. The financial evaluation shows the impact of the opportunity; impact exposure is also identified. This information is combined to determine strategic importance. The organization prioritizes key actions to maximize risk improvement opportunities and allocates resources according to its priorities. The outcome is that the business units have an understanding of their key risk exposures and have plans to manage these where appropriate.


CaSe StuDy


uSing erm aS a perFOrmanCe imprOvement tOOLAt Fonterra, ERM is linked to performance measures. Figure 34 is a sample performance scorecard. On an annual basis, Fonterra’s management team and board of directors agree on a scorecard to measure and track performance. Items represented in the shaded boxes directly affect managers’ annual bonuses, whereas items in the unshaded boxes do not.

Risk management enhances Fonterra’s ability to meet financial targets. Specifically, the ERM function helps business units meet performance targets and works with them to understand the drivers of financial success so that they can maximize risk improvement opportunities. The business interruption valuation helps calculate potential interruptions to the organization, which is used for prioritizing risk improvement opportunities. By enabling risks to be managed at the lowest possible cost, risk management improves the likelihood of meeting strategic targets and reduces the number of surprises and losses incurred by the organization.

Risk management also affects customer and operational success. Risk management enhances the organization’s ability to deliver on time and in full at a cost that customers are willing to pay. In addition, risk management can make claims response more efficient. In terms of improving operational function, ERM helps identify improvement opportunities that generate robust performance.

Finally, risk management enhances Fonterra’s ability to attract and retain capable and willing people. Risk management attracts highly skilled individuals, including

“We’ve integrated risk management into policy and framework by having risk management as a key performance indicator for the businesses.”


Determining the Strategic Importance of Risks

Figure 33

Risk Assessment (Identify risk improvement opportunities)

Identifies Key Dependencies

Strategic Importance

Allocate Resources According to Priority

Prioritized Key Actions to Maximize

Risk Improvement Opportunities

BCP

Outcome: Businesses have an understanding of their key risk exposures and have developed plans to manage these where appropriate

Identifies Impact Exposure

Financial (or Other) Evaluation

(Identify impact of opportunity)


CaSe StuDy


both contractors and employees. The ERM group provides ongoing coaching and mentoring to risk champions and businesses.

LeSSOnS LearneD anD Future pLanSAccording to Fonterra, successful ERM approaches must incorporate the following:• seniormanagementsupportandavenueformanagementsupport;• theabilitytoshowhowERMaddsvaluetothebusiness;• capturedandcommunicatedbenefits;• built-inperformancemeasuresaroundriskassessmentandimprovement;• linksthroughcommonsystems(asusedbyfunctionssuchasinternal

audit and IT);• acommonriskmanagementlanguage;• clearlydefinedrolesandresponsibilities;• establishedriskmanagementprocessestoenableriskaggregationand

transparent, unbiased reporting;• incentivestoensuretheinclusionofriskinformationinbusinessplanningand

project assessment; and• theintegrationofriskmanagementintoexistingsystems.

“If you are not seen as adding value to the business, then you are going to

be traveling down a road that leads to nowhere. And that is not a place

anyone wants to be.”


Sample Fonterra Performance Scorecard

Figure 34

Fonterra Group

1-Yr TSR

Payout per KgMS

NPAT EBIT

RONA

Sales Growth Sales Growth Sales Growth Sales Growth

Cash measure


RONA


DIFOT composite measure

Complaints Value

DIFOT

Complaints Value





Forecast Stability Measure (GT)


RONA

EBIT

Gross Margin Gross Margin Gross Margin

RONA

EBIT

RONA

EBIT

RONA





DIFOT DIFOT DIFOT DIFOT

Complaints Value Complaints Value Complaints Value Complaints Value





Group LTIFR/TRIFR

Group Fatalities


People Measure

LTIFR

Fatalities


LTIFR

Fatalities


People Measure People Measure People Measure People Measure People Measure

Core

Fonterra Ingredients

Asia/AME

China

ANZ

Financial Success

Customer Success

Operational Improvement

Capable and Willing People


CaSe StuDy


Fonterra attributes much of its ERM success to its ability to find an anchor for risk management in the business units. Being able to link risk management to the day-to-day business functions is critical; without a business link, risk management can become a form-filling exercise whose meaning is merely theoretical. Simply put, if ERM is not viewed as providing value to the organization, then it is seen as “just another process” and can have little impact.

Accordingly, communicating and capturing the value added from risk management activities is another critical success factor. Fonterra devotes a significant amount of time to showing that ERM is a value-added activity. Senior leadership actively promotes the benefits of ERM through both formal and informal communications. As with any corporate undertaking, the support of senior management is essential to success.

It is also vital to develop a common risk management language and provide clearly defined roles and responsibilities. This enables the organization to operate in a consistent framework and methodology throughout its different businesses and locations. Well-established risk management processes enable risk aggregation and transparent, unbiased reporting. Of equal importance is the ability to integrate risk management into existing systems that are used by internal audit, information technology, and other business functions.

Finally, effective risk management must link to performance measures and provide incentives for participation. Fonterra established built-in performance measures and key performance indicators around risk assessment and improvement. Incentives can also be used to ensure that risk management is included in business planning and project assessment.

In the future, Fonterra expects its risk assessment activities to provide business units with risk improvement opportunities that are closely monitored. The organization will expand its existing control self-assessment (CSA) process to further engage management. In past years, the CSA process focused on manufacturing, supply chain, and sales and marketing. The organization intends to use the expanded CSA process to obtain feedback from business units in order to determine future risk areas. CSAs must be completed twice annually and signed off on by senior managers at sites.

Fonterra also plans to grow the role of the business continuity champion, which is currently being expanded into that of the risk champion. To help with the transition, the first in a series of trainings has been scheduled to provide businesses with skilled resources in risk assessment. Rollout will involve further training and support for business-unit operatives in order to keep ERM staff numbers low at the corporate level.


Microsoft CorporationC a S e S t u Dy

Microsoft is the world’s leading software organization and provides a variety of products and services. Although the organization is well known for its

Windows operating systems and Office software suite, it has expanded into markets such as video game consoles, servers and storage software, and digital music players. The organization serves individual consumers, small and medium enterprises, and some of the largest corporate and government entities in the world. In addition to software, Microsoft is also active in manufacturing high-tech hardware in its X-box, Zune, and Unified Communications products.

Microsoft is organized into three businesses: Platform and Services Division, Microsoft Business Division, and Entertainment and Devices Division. Under each of these business groups there are a number of products and product lines that are developed and managed by the organization. Its products and services support individuals in both their personal and digital lifestyles. Microsoft strives to continue innovating in the marketplace by constantly driving its mission “to enable people and businesses throughout the world to realize their full potential.”

Headquartered in Redmond, Wash., Microsoft has approximately 80,000 employees dispersed throughout 103 countries and 565 sites. During fiscal year 2008, the organization reported approximately $60 billion in revenues and $22.5 billion in operating income.

Optimizing the erm StruCture In 2005, Microsoft began discussing how to craft a holistic enterprise risk manage ment (ERM) strategy and programmatic approach to risk management. The goal was to enhance visibility to risk across the organization, establish a continuous and sustainable approach to enterprise risk management, provide senior leadership and the board with more actionable risk information that would effectively guide management, and enable the board to fulfill its charter for oversight of risk management. Prior to Microsoft adopting a formal approach to ERM and creating the Office of ERM in 2006, the traditional risk disciplines of treasury risk, internal audit, and other risk specializations pursued risk management with notable best practices.

During the initial program design, the Office of ERM invested time and effort in benchmarking other global organizations that were actively pursuing ERM. This provided input to the strategy and approach of Microsoft’s ERM program efforts and resulted in the creation of an ongoing high-tech forum where industry participants share common practices and principles.

“Our business is dependent on taking risks. Enterprise risk management is not about limiting risk taking—it is

about encouraging risk taking within boundaries that are internally or

externally required.”

— Brad Jewett, director, enterprise risk management,

Microsoft Corporation

“The culture at Microsoft is focused on innovation. We don’t want to change or hinder our culture of

innovation, but rather enhance the opportunities we are pursuing by

addressing the risks and threats to the business.”




CaSe StuDy


The structure that Microsoft employs to accomplish its ERM goals includes four “risk pillars” that manage risk categories and topics across strategy, finance, operations, and legal/compliance. Each pillar incorporates senior leadership to sponsor and coordinate the overall program approach developed by the Office of ERM. Leveraging this structure while identifying areas in Microsoft’s business units and functions where risk management specializations already existed was important to the early success of Microsoft’s broader ERM program strategy. Figure 35 illustrates the organizational structure of ERM at Microsoft.

Almost every organization that Microsoft benchmarked suggested that, without senior leadership support, ERM would not be successful. Another key learning was that any ERM approach must start small and leverage risk activities that are already occurring across the organization. It is equally critical to show the value of ERM to others in the organization so that the initiative will attract support and become engrained in the culture.

At Microsoft, key risks that have been identified, assessed, and require action to mitigate have sponsorship and oversight by the highest-level executives. The overall responsibility for the programmatic approach to enterprise risk management at Microsoft falls under the Office of ERM and the pillar leadership embedded within the business.

Since the creation of the Office of ERM, enterprise risk management at Microsoft has moved beyond compliance; it is now performance-focused and is quickly progressing toward a strategic view of risk management. Microsoft is currently

Figure 35

Microsoft’s Risk Reporting StructureEnterprise Risk Office (ERO) - Virtual Organizations

The Office of Enterprise Risk Management is sponsored by the vice president of internal audit and supported by the director of ERM leading and executing the overall program approach. The ERM effort is being coordinated virtually across the organization including four risk committees (pillars) each with their respective executive sponsors.

Board of Directors:Audit and Finance Committee(s)

Strategic

Chief Executive Officer

VP of Corporate Strategy

Director of Corporate Strategy

Chief Legal Officer

VP of General Counsel

Director of Compliance

Compliance Attorney

Chief Financial and Chief Accounting Officers

Sr. Director Compliance

Sr. Manager Compliance

Chief Operating and Chief Information Officers

General Manager

Manager

Legal/Compliance Financial/Reporting Operations

Enterprise Risk Office:Executive Sponsor: VP of Internal AuditProgram Office: Director of ERM


CaSe StuDy


85

redefining its long-term (three- to five-year) ERM strategy to move in this direction. Now that the organization has pursued ERM for two years, the entire program is open to redesign. According to the director of ERM, the individuals involved in risk management are constantly striving to improve their programmatic approach for delivering value to the company. Even the mission and vision of ERM have been changed in order to make sure that the program foundation is on target. Whether or not ERM will continue to employ the current four-pillar structure or expand its existing governance structure through internal audit is also debated; the ultimate goal is to make sure that ERM is working as effectively as possible.

Microsoft’s overall ERM strategic plan is driven by a vision and mission. The plan’s three key components are imperatives, principles, and strategic objectives. Under each of these components, Microsoft clearly articulates how ERM will help the organization fulfill its mission and vision and then communicates what actions need to occur to ensure success. The new plan will also include key metrics, a scorecard, and an updated road map outlining the multi-year ERM initiatives that are contributing to the organization’s long-term vision. Microsoft’s strategic objectives are outlined in the areas of governance, business insight, accountability, risk identification and assessment, and leadership. Each of these areas has an assigned owner who is accountable for driving the strategic objectives company-wide. The goals for each of the five areas are summarized below.1. governance—Include all governance, risk, and compliance (GRC) functions

within a comprehensive ERM governance model that aligns with the board and senior leadership team responsibilities for risk management.

2. Business Insight—Provide targeted risk information that enhances value creation and protection decision making within the normal business review cycles including strategic, operational, and financial planning.

3. accountability—Senior leadership commitments incorporate defined objectives and oversight for risk prioritization, mitigation, and monitoring strategies.

4. Risk Identification and assessment—Implement a continuous enterprise-wide risk assessment framework and methodology that is owned and managed within the business.

5. Leadership—Design a risk management competency model with training plans that integrate into existing career stage profiles for current GRC roles.

Enterprise risk reporting occurs quarterly, and board presentations to a special session of the combined audit and finance committees occur semiannually. Quarterly reports include updates on ERM program status and the progress made toward mitigating the most critical risks facing the company. The following program principles enable Microsoft to execute on this reporting cycle. • ERMisanenterprise-wideframeworkandprogramadaptabletoexistingrisk

functions, division structures, and global geographies.• ERMincreasesthetransparencyofrisktotheboard,seniorleadership,and

external stakeholders.


CaSe StuDy


• ERMisintegratedandembeddedintocorporate-wideprocessesthatcanleverage risk information for decision making.

• ERMenablesbidirectionalinputandinformationsharingwithkeyGRCfunctions such as Internal Audit, Windows Live Security, Corporate Privacy Group, and Information Technology Risk.

Examples of these operating principles are demonstrated in Figure 36, which illustrates the process and touch points between ERM and internal audit as they execute on their annual cycles and business plans. The primary benefit derived from aligning the ERM and internal audit business cycles is the ability to leverage risk and control knowledge within both groups in order to evaluate where key business risks exist and how they should be treated from both perspectives. The outcome is that ERM’s top-down and broad-based risk profile establishes the foundation for internal audit’s annual planning, which is focused on auditable units.

ERM and Internal Audit Business Cycles at Microsoft

Figure 36

1st Quarter• Finalize annual audit plans• Start audit plan execution• Review prior year audit results• Communicate results/plans to board

3rd Quarter• Annual ERM planning• ERM follow-up with improvement and monitoring

plans with risk pillars and risk owners• ERM testing of management’s opinion

2nd Quarter• ERM annual risk assessment• Communicate findings to board• Review themes/patterns and

mitigation plans with SLT• Engage and support risk

committees and pillar leaders

4th Quarter• Internal audit risk assessment• Annual audit planning• Finalize ERM plans and update

board on testing risk mitigation/monitoring efforts

Annual ERM risk assessment feeds annual audit planning

Predefined change control to adapt plans to changing business assumptions

Semiannual gap analysis between ERM risk assessment and audit results

Audit issues and testing results feed ERM plans to validate management’s opinion

Shared Taxonomy and Framework for Risk Universe

Interdependent Management and Internal Audit Risk Assessments

Common Control Framework for Establishing Improvement Plans, Risk Monitoring, and Audit Testing

Common Risk Rating Criteria and Scoring to Determine Risk Exposure


CaSe StuDy


Making sure that the rhythms of ERM and internal audit are in sync contributes to the core disciplines within both groups. Audit data and ERM data are shared and integrated at several levels. Figure 37 illustrates key integration points between ERM and internal audit.

Integration Points Between ERM and Internal Audit

Figure 37

Audit Data

Audit Universe

Risk Assessment

Risks

Audit Plan

Audit Reports

Issues

ERM Data

Risk PillarsCross Matrix

Informs

Cross Validation

Contributes to

Risk Assessment

Risks Inventory

Benchmark

Risk Exposure Matrix

Risk Mitigation Plan

Informs

Through these integration points, risk assessment data can be used interdependently for internal audit planning and execution as well as ERM risk assessments and mitigation plans. The organization maps audit issues to ERM risks on a quarterly basis for review by enterprise risk owners where improvement actions are being taken to mitigate risks. Also, integration of audit issues resulting from field audits has enabled Microsoft to recalibrate its ERM risk ratings for enterprise risks where there is alignment and commonality between the risk definition and specific audit issue finding. Additionally, the ERM risk exposures and resulting mitigation plans help inform audit of the progress being made to mitigate specific risks within areas of the business where audits are being planned or actively conducted.

The ERM structure also facilitates and enables visibility and accountability for risk mitigation efforts, including clear sponsorship and ownership at the most senior levels, overall mitigation planning (e.g., timelines, milestones, resources), critical success factors, and measures of success where applicable. ERM identifies senior leaders as risk sponsors and encourages them to engage with other senior leaders for specific risks within their scope of the business that cut across the organization. After risks have been identified, assessed, and formally sponsored and mitigation plans established, the treasury risk group (TRG) contributes to the validation of risk action plans by completing formal risk quantification and analysis for the most critical risks. These efforts to measure each risk’s potential material impact on the


CaSe StuDy


company validate the initial assessment and definition of an enterprise risk and provide context for the importance of mitigating a risk to an acceptable level.

enterpriSe riSK management in aCtiOn An example of how the ERM pillar structure operates can be found in Microsoft’s approach to operations enterprise risk management. The operations pillar is charged with driving the implementation of the overall ERM framework and program approach into the core operations of the company. Its goal is to prepare Microsoft to address and mitigate operational risks and associated impacts on Microsoft’s businesses globally. The scope of this pillar’s risk management efforts includes critical areas of the business such as supply chain risk, information technology risk, business continuity risk, and many others. The operations pillar is sponsored by Microsoft’s chief operating officer, reports through the chief information officer, and is led by a general manager and senior manager of enterprise crisis and operations risk management.

One of the strengths of the pillar structure deployed by the Office of ERM is the establishment of risk accountability. Each role is clearly defined and communicated to promote accountability on key risks. Every enterprise risk is assigned an executive sponsor (senior leadership), risk leader (corporate VP), risk owner (general manager), and risk “focal.” The executive sponsor is a member of the senior leadership team or a member of the ERM sponsorship/pillar committee that supports and champions the process required to manage risk. In conjunction with risk owners and pillar leaders, executive sponsors provide quarterly reviews prior to audit and finance meetings for Microsoft’s board meetings. The Office of ERM communicates the information provided through this accountability structure via written and face-to-face presentations to the board.

Risk focals are described as “feet on the street” to support risk management. Focals manage action planning, risk profile development, steps to support risk, and the work breakdown structure. Generally, people take on this role in addition to their day-to-day job responsibilities, so the organization has developed a work breakdown structure (Figure 38) to help communicate requirements. This level of detail helps risk focals talk to managers and convey needs across business units. Additional detail is provided under each box in Figure 38 so that focals understand the risk path and descriptions. This assists focals with reporting for monthly meetings and enhances knowledge transfer.

As previously noted, the culture at Microsoft is innovation-based. The organization plans to continue with its risk management momentum and embed ERM in the way it manages the business. It is also developing framework and governance structures to enable it to proactively address issues from a corporate perspective while taking into consideration its innovation-focused culture.

“We have many discussions with our key leaders to get their input on both the risk universe and risk indicators. You don’t want to take information and send it up the chain without giving them the opportunity to weigh in.”

— Michele Turner, senior manager of enterprise crisis and risk management,



CaSe StuDy


“Our technology solutions are designed to empower our businesses

so they can effectively manage risk. Flexibility, variation, and functionality are three critical ingredients to any

solution we provide to our business.”

— Ramadan Chokr, senior manager, financial compliance group,


iDentiFying, impLementing, anD maintaining SuppOrting erm teChnOLOgieSAs a technology leader, Microsoft is currently exploring a number of solutions to manage its risk and compliance activities. Since ERM is a relatively new concept, the program is investigating multiple options for building and implementing an ERM platform that can be leveraged globally. At present, the organization employs an enterprise solution built on SharePoint and SQL technology; moving forward, it plans to continue building a “platform“ that integrates the best of Microsoft’s enterprise technologies with Microsoft Office solutions. Like many organizations, Microsoft faces challenges associated with the volume and complexity of external compliance obligations. There are numerous overlapping compliance requirements that need to integrate with ERM, including SOX, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard, anti-corruption, privacy regulations, trade compliance, and so on. All these compliance requirements involve different tools, and the organization believes that even more tools will be added in future, further complicating the technology infrastructure. Microsoft’s proposed solution to address such issues is to leverage the best of its technology through a platform approach termed “OneCompliance,”

Risk Focal Work Breakdown Structure

Figure 38

1.2Maintenance of Identified Risks

1.2.3Action Plan

Development

1.2.4Action Plan Update

1.2.5Dashboard Update

1.2.2Risk Profile Update

1.2.1Risk Profile

Development

1.1.3Participation in Risk

Assessment Workshops

1.1.2Pre-Work for Risk

Assessment Workshops

1.1.1Risk Universe

Update

1.4.3Monitor Risk Checkpoint

1.4.4Brown Bag Discussions

1.4.2Improve Risk Checkpoint

1.4.1Risk Management

Tool Training

1.3.2SLT and Board

Updates

1.3.1Accomplishments

Update

1.3Reporting Process

1.4Training &

Awareness

1.0Operations Enterprise

Risk Management

1.1Risk Assessment


CaSe StuDy


which supports compliance with multiple regulations and standards. The approach involves optimizing available resources that focus on risk management, controls, and compliance while reducing duplication and business inputs.

A number of discussion groups and functional business groups provided input to the design and structure of OneCompliance. In the design, each group chooses a framework in which to view and manage control activities that mitigate risks and help achieve objectives. This platform approach to risk and compliance aims to provide relevant control data so that businesses can reduce the time and effort involved in complying with internal or external requirements and focus on their core competencies for developing products and servicing customers. The key message is that OneCompliance captures control data so that it can be tested once and used in many different forums to ensure that risk is managed to an acceptable level and the company is in full compliance with external requirements. It is Microsoft’s belief that a platform approach reduces the total cost of ownership and provides flexibility to empower various business groups across the enterprise. Empowerment of businesses in the ERM process is an ongoing theme for Microsoft; leadership firmly believes that the key to success is to empower business units to mange risks. OneCompliance will provide the functionality to achieve this objective.

To communicate key risk information, Microsoft leverages both formal and informal methods. Formal communications include quarterly meetings that engage executive sponsors and risk owners who have specific enterprise risk responsibilities. There are also numerous informal meetings that update stakeholders on key risks.

uSing erm aS a DeCiSiOn-maKing tOOLERM is not used to set strategy at Microsoft; however, the organization hopes that ERM information will influence what risks should be considered when businesses perform their normal business reviews and strategic planning processes. Using an enterprise risk assessment framework, the Office of ERM and the pillar leaders facilitate risk discussions with businesses in terms of materiality, geography/division scope, legal/compliance context, and overall brand or company reputation. Using these criteria to assess risks, each pillar scores three aspects of an identified risk or threat to the business: (1) risk impact to the company, (2) risk probability or expected frequency, and (3) existing risk controls or plans that serve as mitigating factors.

Upon completion of each pillar’s risk assessment, the information is consolidated, rationalized, and prioritized across the ERM structure for review by senior leadership and the board. Risks are evaluated on both an inherent basis and a residual basis when the organization is considering controls and mitigation plans. Based on the results of this effort, risks are categorized according to recommended actions. Those risks that are categorized as “improve” are formally sponsored and escalated for action plans. The status of a risk as “improve” is not meant to indicate

“At Microsoft, ERM does not set strategy—but it strives to influence what risks need to be considered and addressed when establishing strategy.”




CaSe StuDy


a departure from any particular standard of care or compliance obligation; rather, it represents a risk for which Microsoft discerns concrete opportunities for control and mitigation.

The Office of ERM also tracks each “improve” risk via formal opinion statements about progress that are presented to the board on a semiannual basis. Overall, the process for risk assessment and mitigation enables the organization to identify and manage its most critical risks. The core principle advocated by ERM at Microsoft is:

Risk is owned and managed by the business where key decisions and investments are made. ERM’s role is to facilitate visibility to this and establish accountability where additional efforts to manage risk are needed.

To facilitate the business ownership of risk, Microsoft has defined short-term, intermediate, and long-term themes within its ERM strategy and road map. The short-term theme is focused on strengthening the foundation for ERM and building awareness across the organization. Microsoft has already met its short-term goals and, in most cases, is executing the second cycle of these initial goals. Microsoft’s intermediate theme focuses on establishing a risk management culture and achieving deeper integration into the business. Efforts are currently underway to meet goals related to this intermediate theme. Microsoft’s long-term plans center on optimizing ERM. Specifically, the goal is to extend ERM practices across all divisions and geographies by leveraging an integrated platform of risk data.

LeSSOnS LearneD anD Future pLanSWith its current structure, strategy, and disciplined approach to ERM, Microsoft believes it is well on its way to establishing a sustainable program that is capable of achieving the organization’s overall vision: “Through ERM’s leadership, management’s value creation and value protection decision making enables Microsoft to become the most universally trusted and respected company in the world.”

Microsoft admittedly sees challenges ahead for a global program like ERM at such a large and complex company. However, the improvements that the organization has made so far represent solid progress toward realizing this ERM vision.

The New York Independent System Operator, or NYISO, is a nonprofit organization that operates the state of New York’s bulk power system,

independent of the companies that own and use the system. The NYISO administers the marketplace for the state’s electricity, runs its transmission system, and serves as a commodities exchange to ensure a fair and competitive wholesale electricity market.

Operating out of two locations near Albany with 430 employees, the NYISO has an annual operating budget of $160 million with which to ensure the reliability of the state’s power grid and administer the market effectively. This involves 24/7 operations, constant communication with regulators and counterparties, and more than $9 billion in annual settlements. Feeding into the North American power grid, the state has 10,775 miles of high-voltage transmission, 335 generating units, and more than 350 market participants that buy, sell, or trade electricity through the NYISO. In 2006, for instance, the NYISO administered a load of 162,265 gigawatt hours (GWH) to keep electricity flowing through New York.

The NYISO was created in 1999 to replace the New York Power Pool (NYPP), which was tasked with prohibiting system disturbances that could lead to power blackouts. When the state decided to allow competition, the NYPP was transformed into the NYISO to create an infrastructure for such competition. Since that time, market transactions through the NYISO have totaled more than $50 billion.

In addition to working with the companies that own and use the state’s voltage system, the NYISO is accountable to government regulators such as the U.S. Federal Energy Regulatory Commission and the New York State Public Service Commission. Its accountability also extends to reliability regulators such as North American Electric Reliability Corporation, the Northeast Power Coordinating Council, and the New York State Reliability Council as well as various stakeholders including end-use consumers, power authorities, municipalities and co-ops, other suppliers, generation and transmission owners, and environmental groups. These parties are referred to collectively as “market participants.”

The NYISO produces a number of publications for its market participants. The majority of these publications are designed to relay the NYISO’s planning process and make recommendations on what will be required to operate the bulk power

New York Independent System Operator


C a S e S t u Dy

93


CaSe StuDy

new york Independent system operator

system in years to come. The publications include a reliability needs assessment, engineering solutions for reliability needs, power trends for decision makers at the state and federal level, and load and capacity data.

Optimizing the erm OrganizatiOnaL StruCtureThe NYISO’s enterprise risk management (ERM) efforts began in 2002 in the wake of the Enron fallout. Having had some risk exposure related to Enron, the NYISO developed a small risk mitigation program to ensure that such losses would not occur again. Using a trial-and-error process, the organization spent two and a half years developing a foundation for its ERM efforts. Although the ERM program is still evolving in response to market conditions and customer needs, the NYISO’s current ERM framework has been in place since January 2005.

This ERM framework is grounded in two missions: maintain system reliability and administer the markets. The NYISO has determined that these two missions require the protection of its reputation, which is its most valuable asset. For that reason, the organization has arranged its risks into three broad categories: risks to reliability (resources and fuel costs/availability), risks to markets (legislative/political, finance and credit, and billing), and risks to reputation (legal/regulatory issues and compliance). These three categories are broken down into 17 areas of risk that are used throughout the organization:1. infrastructure, 10. billing,2. resources, 11. market design,3. financial, 12. regulator relations,4. compliance, 13. market participants,5. execution, 14. fraud,6. seams, 15. retention,7. credit exposure, 16. political climate, and8. press/media, 17. market administration.9. security,

At the NYISO, risk management is regarded as the ability to identify and remove risk impediments to the organization’s operations. Such operations involve:• businesssupportservices,• marketparticipantrelationsandaccountservices,• marketperformancemanagement,• fiduciaryresponsibility,• legalandregulatoryservices,• systemandresourceplanning,and• marketoperations.

Responsibility for ERM resides within the organization’s risk, compliance, and quality management function. This function also includes the Lean Six Sigma group and the process control and management group. Risk management is tied to quality management because the NYISO expects ERM processes to identify business

“ERM is a strategic and dynamic process that all our employees have a stake and ownership in to implement. In its ideal state, ERM should identify business process improvement and risk mitigation opportunities, be they physical, financial, or cultural.”

— Wayne Bailey, director of risk, compliance, and quality management,

NYISO


CaSe StuDy


process improvements. As the function’s director, Wayne Bailey is responsible for these combined efforts. “From our experience, the risk, compliance, and quality management efforts work very well together and really feed off one another in a very effective way,” Bailey says. “It’s the best intelligence network in the organization.”

Bailey reports to the CEO and the board of directors, who were the organization’s original champions for ERM. As ERM’s executive sponsor, the CEO informally acts as the organization’s chief risk officer. Bailey also provides information to a risk management committee. Consisting of business-unit vice presidents and directors, this committee meets monthly to verify and review risk reporting. Business units are involved in the monthly process of risk reporting and mitigation. In addition to this monthly process, the risk, compliance, and quality management function is responsible for identifying more immediate high risks and notifying senior leadership. According to Bailey, “Because every aspect of what we do at the NYISO has an impact on the reliability of the power grid and the effective economic dispatch of energy, our approach to risk reporting and mitigation is that the primary owners are the business units and their management teams.”

Consequently, although ERM funding is allocated to the risk, compliance, and quality management function, budgeting for specific risk and mitigation actions is funneled down to the appropriate business units. That said, ERM funding is relatively limited, with the bulk of the budget going toward salaries, benefits, and training and development. To supplement ERM funding, the CEO has an informal corporate contingency fund that can be used to allow business units to respond to extraordinary risks and opportunities.

Risk management responsibilities are spread throughout the organization. For example, the general counsel for risk is the chief compliance officer. Cyber and physical security risks fall within the domain of the enterprise security function’s business continuity planning department. A senior risk specialist is responsible for insurance program contracts, structure, loss control, and reporting, as well as the administration of the ERM process and national trends analysis.

The internal audit and ERM groups work especially close together, and the two groups frequently coordinate their risk assessments. The internal audit manager is a member of the risk management committee, and the general auditor has at times reported to Bailey. The internal audit group reviews risk reports and uses the information as a basis for its testing and investigation.

All of these dynamics feed into risk reporting and mitigation efforts that inform the NYISO’s annual budgeting and annual and five-year strategic plans. In fact, all budget submissions require an analysis of risk mitigated by the requested dollars and a description of any risk incurred if funding is not allocated. The risk, compliance, and quality management function drafts the annual business plan, which ensures that risk


management is tied into the annual planning process. The organization incorporates risk considerations into almost all its business decisions.

In general, the NYISO’s risk appetite can be characterized as very low. Bailey explains that, because the nonprofit is focused on reliability and handles its market participants’ money, the board would prefer that it incur no risk at all. At the highest levels, risk appetite and enterprise definitions are discussed and agreed upon annually with the board’s audit and compliance committee, the CEO, and the senior leadership team. Any risk appetite impasse within the ERM function is presented by Bailey to the CEO and the audit and compliance committee for review and discussion. The NYISO defines its risk appetite in the following terms: • Inherent risk—Any business risk (legal, regulatory, financial, or operational)

that the organization has assumed simply by engaging in its duties and responsibilities as an independent system operator. These risks exist independent of any attempts to mitigate them.

• Mitigation activities—The portion of inherent risk that has been significantly reduced through processes, controls, or some form of risk transference so as to no longer pose a danger. These risks can reoccur as conditions change.

• Residual risk—The portion of inherent risk that, regardless of reason, has not been mitigated by processes, controls, or some form of risk transference.

• Defined risk appetite—The portion of inherent risk that the organization is willing to accept and tolerate.

• De facto risk—The portion of inherent risk to which the organization remains exposed.

As the risk rating definitions in Figure 39 illustrate, the NYISO has a low threshold for considering a risk severe. This is considered on both a portfolio and individual risk basis. Such risks are tracked in frameworks developed by the Risk and Insurance Management Society (RIMS) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) using matrix scales and heat maps that list each of the organization’s 17 risk categories according to probability and impact.

iDentiFying, impLementing, anD maintaining SuppOrting erm teChnOLOgieSThe core risk reporting and mitigation processes at the NYISO are heavily manual and supported by Microsoft Office programs, including Word and Excel. The NYISO is examining a number of ERM technology support tools, but is several months away from automating the function.

uSing erm aS a DeCiSiOn-maKing tOOLWhen the NYISO initiated its ERM efforts, it mapped out every function and process in the organization and then created a 100-page document detailing every risk along with its triggers and status. The risk, compliance, and quality management function updates this ERM report every month based on reporting and mitigation efforts by the business units. The board’s audit and compliance committee reviews

CaSe StuDy


“The market conditions can change from hour to hour, and a market

participant can very quickly get in a lot of trouble, which puts our entire

market at risk. So we track these things very carefully.”

— Wayne Bailey, director of risk, compliance, and quality

management, NYISO


and discusses the ERM report with Bailey at least once a quarter—with line-by-line scrutiny—and provides guidance to management on risk tolerances and mitigation.

The overall quality of the ERM report depends on the accurate monitoring and reporting of risks by the business units. At this level, risk owners—those owning the business processes—are responsible for reporting known risks, their status, and mitigation efforts on a monthly basis. “If it appears we are no longer getting accurate risk reports or that a risk has been reduced due to new processes, then we look at the way the new process works and we work with the business process owner to help them identify what new risks they might have,” says Bailey.

The risk, compliance, and quality management function summarizes the ERM report in a four-page monthly risk report that is distributed to the NYISO’s board of directors. The summary details immediate and pending risks for the coming year as well as mitigation efforts currently in place. It includes a risk matrix detailing probability and impact for specific risks, along with relative risk over time and an aggregate scoring of risk factors. A reporting section highlights looming national issues in the industry, and an article selected each month describes issues that affect the security of the electricity markets in the United States, North America, and around the globe.

CaSe StuDy


Figure 39

The NYISO’s Risk Rating Definitions

Low/No Impact

Some Impact

Serious Impact

Most Severe Impact

Improbable—unlikely to affect NYISO within one year

Possible—may affect NYISO within one year

Imminent—likely to affect NYISO within one quarter

Immediate—the risk presently affects NYISO

Affects local reliability, non-mission-critical systems

Affects zones outsideJ&K, non-mission-critical systems not operational

Affects all of the state’s control area mission-critical systems

Affects zones J&K, mission-critical systems affected

0 to $100,000

$100,000 to $1 million

$1 million to $5 million

In excess of $5 million

Small process/procedural errors that impact limited stakeholder segments

Continuous mistakes in processes that affect stakeholders and indicate NYISO inability to correct

NYISO fails to meet regulatory compliance issues/NYISO execution causes marked disruptions

Regulators, market participants, and media severely impugn NYISO reputation, with NYISO unable to influence outcome

ReputationReliabilityImpact Impact to Markets


According to Bailey, the ERM report and executive summary provide instant knowledge on the state of the enterprise. He cites a recent example in which the reporting process revealed a serious concern for the credit management function. To protect its market participants, the NYISO responded by accelerating its adoption timeline for technology programs to manage credit and tightening its rules for credit exposure. This is just one of many instances in which ERM has driven business planning and helped management prioritize efforts. As detailed earlier in the case study, ERM information drives strategic planning from the board level down. The organization’s ERM efforts also heavily influence the insurance-buying process by detailing risk mitigation activities to underwriters.

Because of confidentiality issues, the NYISO does not often communicate risks to external stakeholders.

uSing erm aS a perFOrmanCe imprOvement tOOLThe NYISO’s ERM efforts alert employees and management to cross-functional issues affecting voltage system reliability in both the immediate and long term. These endeavors also support the organization’s effective economic dispatch of energy and compliance with local, state, and federal guidelines. Such compliance monitoring took on greater meaning for the NYISO after new Federal Energy Regulatory Commission reliability standards were introduced in 2007. These standards, which had to be operational by July 2008, include 817 standards applying to the NYISO. “In some of those cases, noncompliance can result in a penalty of as much as $1 million a day,” says Senior Risk Specialist Ken McGuinness. “Without the ERM process, I’m not sure we would have been able to get our arms around that.”

In terms of performance, the NYISO’s early risk reporting highlighted the poor execution of processes and procedures posing a significant risk to the organization. Labeled as “root-cause risks,” these issues were addressed by a board-sponsored “Excellence in Execution” program. The program involved the extensive automation of manual processes, the adoption of Lean Six Sigma management principles, and an extensive process/control mapping effort.

Although the NYISO maintains several dashboards to communicate performance data to market participants, these metrics do not directly tie to risk reporting. Instead, the risk, compliance, and quality management function relies on its heat map of risks as its key visual aid. The organization’s 17 categories of risk are plotted on the heat map in terms of impact and probability (Figure 40). With aggregate risk measured historically for signs of progress, the heat map acts as a performance scorecard and a communication vehicle to share risk information across the enterprise. When ERM efforts were first launched, the aggregate risk measured annually between 50 percent and 60 percent, but it has consistently trended down and now averages in the mid to low 30s (Figure 41).

CaSe StuDy


“ERM has enabled cross-silo information sharing, which has improved compliance, reliability, and economic issues.”

— Wayne Bailey, director of risk, compliance, and quality

management, NYISO

Example Risk Report Heat Map

Figure 40

Immediate

Imminent

Possible

Improbable A - Infrastructure

C - SeamsG - Credit ExposureL - Press/Media

K - ComplianceN - Execution

B - SecurityF - BillingH - Market DesignI - Reg RelationsJ - MPsM -FraudO - RetentionP - Political ClimateQ - Market Admin

D - ResourcesE - Financial

Low/NoImpact

SomeImpact

SeriousImpact

Most SevereImpact


CaSe StuDy


Risk Ratings Over 42 Months

Figure 41

Timeline in Months

Perc

enta

ge

1 25%

35%

45%

55%

60%

50%

40%

30%

12 6 18 30 24 36 42


CaSe StuDy


LeSSOnS LearneD anD Future pLanSMany of the NYISO’s lessons learned regarding ERM implementation involve change management principles and the importance of gaining support from all levels of the organization. Initially, many employees were concerned that the ERM program would be a tool for finger-pointing and assigning blame. To combat this fear, the risk, compliance, and quality management function made a concerted effort to prove that employees would not be penalized for reporting on risks. This involved a cooperative and collegial approach that set the tone for all of the risk, compliance, and quality management function’s efforts.

Now, resistance more commonly comes from employees who state they are too busy or that risk does not apply to their functions. In response, the risk, compliance, and quality management function offers continuing education about ERM. This involves quarterly seminars for all managers and supervisors to review the organization’s risk profile. In addition, the function distributes relevant articles and anecdotes focused on the consequences of ignoring risks. The function also leverages corporate publications and meetings to raise awareness and facilitate buy-in.

For the NYISO, the key elements of ERM success include:• responsiveness,flexibility,andtheabilitytoadapt;• continuingeducationonemergingtrends;• acceptanceofariskmanagementframeworkasafocalpoint;• acommonlanguagefordefininganddescribingrisks;• seniormanagementsupportandcommitment;• riskmanagementownership;• communicationofriskinformationthroughouttheorganization;• comprehensivetraining;• reinforcementthroughHRmechanisms;• effectiveriskmanagementprocesses;and• monitoringthroughselfandinternalaudit.

The NYISO would advise organizations that are just beginning their ERM journeys to obtain the support of senior leaders, rely on results for additional buy-in, identify how risk analysis and mitigation can help the organization’s core processes, be patient yet firm, and embrace responsible parties as part of the solution and acknowledge them accordingly. Those who stay focused, the NYISO advises, will make a difference.

Founded in 1923, Textron started as a small textile company called Special Yarns Corporation, but would eventually grow to become the world’s first

conglomerate. During World War II, textiles boomed, and Textron (then operating as Atlantic Rayon Corporation) was able to grow its business by making parachutes. After the war ended, it diversified and began producing lingerie, blouses, linens, and other consumer goods. By 1947, the organization was listed on the New York Stock Exchange; just two years later, sales reached $67.8 million.

Today, Textron is a global organization with more than 44,000 employees and brands such as Cessna airplanes (which has built more than half of all general aviation airplanes currently in operation, including the largest fleet of business jets). Textron also manufactures Bell helicopters for military and commercial sectors worldwide. The company has contracts with the U.S. Army, U.S. Air Force, and U.S. Marines.

Textron operates in five major business segments: Cessna, Bell, defense and intelligence, industrial, and finance. Cessna Aircraft, which accounts for 38 percent of Textron’s business, produces citations, single engine aircraft, and used and caravan aircraft, as well as providing parts, service, and CitationShares. Bell Helicopters accounts for 19 percent of Textron’s business; this segment builds military and commercial aircraft. The defense and intelligence segment produces a number of defense systems, land systems, and aircraft and weapon subsystems. The industrial segment, which manufactures E-Z GO golf carts and various hand tools, accounts for approximately 26 percent of the overall business. Finally, Textron Financial provides commercial loans and asset-based lending. Since almost all of Textron’s aircraft are financed, a significant portion of Textron Financial’s business deals with aircraft financial loans.

The major business units within each segment are responsible for the day-to-day management and operation of their businesses with oversight by the segment and corporate offices. However, Textron has consolidated certain functions such as financial reporting and IT to achieve cost savings and improve efficiency across the enterprise. With 500 Black Belts, Textron has embraced Six Sigma across all levels of the organization in an effort to improve its myriad processes.

In fiscal year 2007, Textron reported $13.2 billion in revenue; by 2010, it expects to report between $16.5 billion and $18.8 billion in revenue. Textron’s revenue typically grows by 15 percent or more each year.

Textron Inc.


C a S e S t u Dy


“Value is realized when the ERM process motivates beneficial actions

that wouldn’t have otherwise occurred.”

— Jim Laney, director, enterprise risk management,

business continuity and strategic development,

Textron


CaSe StuDy

Textron Inc.

Optimizing the erm OrganizatiOnaL StruCtureTextron initiated its enterprise risk management (ERM) efforts in late 2004 after assessing the regulatory climate and examining statements from members of the U.S. Securities and Exchange Commission and other entities. The organization determined that an ERM process would be beneficial once it realized that such a process would help it file a more meaningful 10-K. Although there were no laws or regulations requiring an ERM system, Textron’s board quickly assembled a team to address ERM methods and tools. After assigning the chief auditor to lead the ERM effort, the organization retained consulting firm Deloitte to help assess organizational risk.

Deloitte interviewed about 200 Textron employees to create a comprehensive risk assessment, which included a list of the greatest risks facing the organization. Textron’s board of directors wanted a prioritized list ranking the most significant risks, but this was not immediately available from the risk assessment. In order to more effectively manage risks, the organization decided to adopt Six Sigma.

In January 2005, Textron implemented Design for Six Sigma (DFSS), which is a seven-phase project that seeks to prevent manufacturing and service process problems by using systems engineering techniques to eliminate process problems at the outset. These techniques include tools and processes to better predict, model, and simulate the product delivery system as well as analysis of the developing system life cycle itself to ensure customer satisfaction with the proposed system design solution.

It took approximately a year to complete and implement the DFSS Black Belt project for ERM. Deloitte was involved with the team for the first four phases (through the design phases) and provided expertise and benchmarking insight. Textron did not adopt Deloitte’s methodology, but instead developed its own toolset and definitions. The team was sponsored by some of the organization’s key executives, including the chief financial officer (CFO). Textron cites the involvement of the CFO as one of its critical success factors: With strong leadership and Six Sigma, the ERM project was able to quickly gain momentum across the organization. The ERM tools and processes were piloted across several business units so that they could be tested and validated; this was another factor that helped promote rollout and buy-in.

Using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) II definition, Textron defines risk as “any event, condition, or action that could adversely affect an entity’s ability to achieve its business objectives or execute its strategies effectively.” Enterprise risk management is identified as a “systematic and disciplined set of policies, processes, and practices, as well as a structure that enables ongoing identification, assessment, and prioritization of the major risks associated with the company’s key business objectives.” ERM also enables the development, implementation, monitoring, and evaluation of risk mitigation strategies.

“We don’t have a risk committee like other organizations. And this is by design. We felt having risks reported to a separate committee would be a fatal flaw, since risks are often bundled up to a committee where nothing ever happens. Instead, our risks are reported directly to risk owners in our key business units.”



Textron


CaSe StuDy

Textron Inc.

Specifically, the DFSS methodology allowed the organization to create designs using Six Sigma discipline with reference to customer requirements and service delivery capability. Figure 42 illustrates the DFSS process that was used to design ERM at Textron. At each gate, a specific checklist must be completed in order to move to the next phase. As mentioned, three Deloitte consultants assisted with the process through the design phases. Key functional leaders from Textron business functions participated in the process, as well.

• DOE• QFD• TRIZ• Simulation Tools• Design Scorecard• Process

Verification• DFMEA• Process FMEA• Reliability Testing

DFSS in Designing ERM at Textron

Figure 42

DFSS methodology allows Textron to create designs using Six Sigma discipline with reference to customer requirements and service delivery capability.

Phase 1• Gather needs• Translate needs to

CTSs • Translate CTSs to

functional requirements

• Assess technology• Develop plan• Assess risks

• Survey Design• Quality Function

Development• Kano Diagrams

• Product Technology Road Map

• Balanced Scorecard

• Measurement System Analysis

Activ

ities

To

ols

DesignIdentify

Deloitte.

Optimize Validate

Customer Requirements and Definition

Tollg

ate

1

Phase 2• Translate

functional requirements to design parameters

• Develop/Evaluate design alternatives

• Resolve design conflicts

• Assess risk

• Pugh Selection Matrix

• TRIZ• DeBono’s Lateral

Thinking Tolls• Quality Function

Deployment• Design Scorecard• DFMEA• Axiomatic Design

Conceptual Design

Tollg

ate

2

Phase 3• Flow down system

design to subsystems

• Design for reliability, maintainability

• Mistake-proof design

• Assess risk

• Simulation Tools: SigmaFlow, iGrafx, SigmaCalc, FEA

• Quality Function Deployment

• TRIZ• Design Scorecard• DFMEA• Infrastructure

Process Map• Standardization

Preliminary Design

Tollg

ate

3

Phase 4• Develop transfer

functions• Develop system

capability• Assess design

gaps• Assess risk

Detail Design

Tollg

ate

4

Phase 5• Run pilot• Optimize

design• Verify system

capability• Assess risk

• Design of Experiments: Conjoint, Response Surface Methods

• Design Scorecard

• Measurement Systems Analysis

Pilot/ Prototype

Tollg

ate

5

Phase 6• Demonstrate

process/ product capability

• Mistake-proof design

• Assess risk

• Capability Analysis

• Design of Experiments: Response Surface Methods


Validation

Tollg

ate

6

Phase 7• Monitor system

capability• Implement

design and process control plans

• Develop transition plan

• Balanced Scorecard


• Statistical Process Control

• Capability Analysis

Transition

Tollg

ate

7


In 2006, Textron adopted ERM across the organization. Because ERM was launched from existing Six Sigma efforts, there were fewer cultural barriers to adoption. According to Jim Laney, Textron’s director of ERM, “If we would have just said we are using ERM, we would have had a lot of resistance. But thanks to Six Sigma, the ERM tools and processes obtained a near automatic badge of acceptance.” Accordingly, Textron cites attaching ERM to a standard design process within the organization as a critical success factor to enable validation.

ERM risk data contributes to the development of Textron’s annual 10-K report and related public filings. The director of ERM provides relevant risk data and works with a team to develop 10-K revisions.

At Textron, the ERM function reports to the vice president of audit, who reports directly to the board of directors with a dotted-line relationship to the CFO. The business continuity management (BCM) function also reports to the vice president of audit; the two functions have three full-time employees devoted to ERM and BCM activities. ERM and BCM also report to an operating committee made up of business-unit leaders and key functional leaders. The operating committee is used in lieu of a traditional risk committee because Textron’s leaders feel that the ERM function should report directly to risk owners in key business units. The ability to report risks directly to risk owners is another critical success factor at Textron because it enables timely risk discussions to occur with interested parties and risk owners.

Textron’s board of directors plays a significant role in ERM. For example, the board sets expectations for ERM and communicates that risk management is an integral part of the overall management and governance process. The board also provides oversight and process integrity for ERM. Board members offer input and feed concerns about specific risks into the ERM process.

As noted in the case study introduction, Textron has consolidated certain business functions that are common to multiple business units—such as finance and information management—into “councils” that report to one CFO and one CIO. These councils present their own risks to the organization in addition to the separate business-unit risks. Figure 43 shows how risks are reported across Textron’s business units and councils. The chart is also used as a report card to indicate which business units and councils are participating in risk activities. This approach has helped the organization increase involvement and promote accountability.

As part of the reporting and mitigation process, business units and councils work with the operating committee to determine the acceptability of the risk mitigations.

CaSe StuDy

Textron Inc.


CaSe StuDy

Textron Inc.

Figure 44 (page 106) depicts the ERM flow at Textron. Over the years, ERM activities and assessments have increased across the enterprise. For example, information technology risk management (ITRM) is now linked to ERM, and in the past year, ethics and compliance risk assessments have also begun to flow through the ERM function. ERM feeds into audit planning with enhanced risk assessments; risk validation work is expected to increase in the future. Each business unit and council has assigned ERM coordinators who work directly with the ERM function. These individuals spend 10 to 14 hours each quarter coordinating risk information. ERM coordinators help subject matter experts in their business units and councils complete risk data and assessments. The concept is to integrate experts who understand the specific risks with risk coordinators who understand the ERM

Risk Reporting for Busness Units and Councils

Figure 43

ERM 4Q07

Update

Status for

Business

Units and

Councils

A

A

A

A

B

B

B

B

B

C

C

C

C

C

C

C

Bell

Fluid & Power

IM Council

Finance Council

TFC

Kautex

Cessna

Supply Chain CouncilHuman Resources CouncilTextron Systems

Jacobsen

E-Z-GO

Greenlee

Legal Council

Crisis Management

Compliance / Ethics Committee

Lee TaitShelley KlopfensteinJim Kelley

Mara Pankovich

Deborak Imondi

Don BurchJoe GentileMike Donoghue

Mark Mann(Open Position)Jim Kieran

Dave Green

Al Gagne

Cynthia Funderburk

Rusty McGahee

Steve Wehrle

Andrew Spacone

Andrew Spacone

Bill Clegg

Complete without changes


Complete with changes





Complete with no risksComplete without changesComplete with changes






Not Applicable














Not Applicable








Complete with no risksComplete without changesComplete without changes






Not Applicable














Not Applicable

Wave NameBusiness Unit / Council

1Q07 Updates

2Q07 Updates

3Q07 Updates

4Q07 Updates


ERM Flow at Textron

Figure 44

Textron ERMEthics and Compliance

Risk Assessments

Audit Planning

Audit Planning ERAP(Enhanced Risk

Assessment Process)

Business Unit & Council ERM Coordinators

Information Systems ITRM (Information Technology Risk

Management)

Prim

ary

Flow

process. Rather than training all employees on ERM, Textron keeps ERM intelligence dispersed between ERM coordinators and the ERM function.

To capture key risk data, Textron uses an ERM input tool that is based on failure mode effects analysis (FMEA). For each risk, ERM coordinators help subject matter experts collect data in five key categories:1. basic risk information—such as title, description, failure mode, and cause;2. gross risk information—the cost of the risk event and the probability of

occurrence (in annual terms) if no mitigations were in place;3. current risk information—the cost of the risk event and the probability of

occurrence (in annual terms) with all current mitigations in place;4. decision—whether or not further action is required; and5. expected risk—details on impact and likelihood.

Data from this input tool is then entered into an Excel spreadsheet that can be tracked and used for reporting purposes. The spreadsheet is color-coded so that, if the “decision” category indicates that further action is required, then the risk is automatically highlighted in red.

As the categories listed above indicate, for each risk, Textron captures gross risk information—the expected cost of a risk if no mitigations were in place—and current risk information—the expected cost of the risk event with mitigations in place. Calculations of gross risk information and current information are combined to produce a mitigated value, which indicates what the risk will actually cost if the mitigations fail.

CaSe StuDy

Textron Inc.


CaSe StuDy

Textron Inc.

Figure 45 depicts a sample of a calculated mitigated value for a risk. This type of reporting illustrates the gap between gross impact and likelihood and current impact and likelihood if the corrective controls are effective. Senior leaders devote additional attention to any risk that has a high gross impact and likelihood. This may result in an audit of controls or a more detailed presentation from the president of the business unit to explain the mitigated value of the risk. Mitigated values that are greater than $100 million are presented in a risk summary report to management to ensure that the associated risks are tracked and understood.

Risk analysis at Textron is data-driven. Once a risk is entered using the input tool, the data is analyzed in the ERM database and extracted to produce risk radars and risk summaries. Because the operating committee prefers to view all risk data on a single page, risk summaries are prepared using PowerPoint and presented on one to two slides. Additional data about a particular risk can be obtained by clicking the risk icon depicting that risk. To create the summaries, Textron uses Microsoft Office programs and an add-on tool called DataPoint that allows links between PowerPoint presentations and the organization’s Access database. This enables consumers of risk data to quickly access details on any risk.

Mitigated Value Sample

Figure 45

Impact (NOP Annualized)

Likelihood (Annualized)

Gross Impact Gross Likelihood

Corrective Controls (Mitigating Actions)

Current Impact Current Likelihood

100% 75% 50% 25% 0% $0

$10M

$20M

$30M

$40M+

Mitigated Value (Value of the Corrective Controls)

A

A


Leaders can also access risk radars, which highlight Textron’s significant risks and associate those risks with dollar amounts related to net operating profits. A sample risk radar is depicted in Figure 46. Risk radars track gross risk and are color-coded to indicate whether further action is required; risks are graphed so that the likelihood of a risk occurring in the next year is represented on the X-axis and annual net operating profits are represented on the Y-axis. Embedded links guide users to more detailed information from the risk database. Currently, risks that involve more than $30 million in net operating profits are tracked on a regular basis, but the organization is considering moving this threshold to $50 million.

Textron creates a risk radar for every business unit and council. The operating committee reviews these risk radars each month during its regular meeting. Although risk data is updated quarterly, meetings that occur between updates enable committee members to probe more deeply into risks that are of concern. Sometimes, a technical leader will be asked to prepare a presentation on a particular risk so that the operating committee can better understand the risk and what is being done to mitigate it.

Textron Significant Risks Radar

Figure 46

100% 75% 50% 25% 0% $0

$35M

$70M

$105M

$140M

$500M

$1B

$2B Risk Name

Risk reduced to an acceptable level

Further action required

Gross risk

A

B

CDEFGH

I

JK

Crisis ManagementFinance CouncilIMCTFCBellLegal CouncilBellFinance CouncilFinance CouncilBellKautex

1Q06

1Q06

1Q061Q061Q061Q061Q061Q06

1Q06

1Q061Q06

TBD

1Q06

1Q061Q061Q061Q061Q061Q06

1Q06

1Q06TBD

Risk Owner Initial Complete

C

B B

A

H

J K

F E

I

G H

I

D

F E

G

A

J

D

K

$ is measured in annualized NOP

C

CaSe StuDy

Textron Inc.


CaSe StuDy

Textron Inc.

Part of the risk review process includes sending pre-reads and discussion items to the operating committee prior to the monthly meetings. The committee receives presentations on risks with impacts greater than $30 million and mitigated value analysis on risks with impacts greater than $100 million. In addition, the committee pre-selects risks to be discussed from one meeting to the next. The ERM team often promotes certain risks for additional consideration, such as “yellow” or “red” risks with no movement, risks that are being removed from the significant risks radar, and risks or mitigated risks that need to be escalated. Validation requests and results are also discussed during the monthly meetings.

Each quarter, information packages are sent to the operating committee for review. Similar to the pre-read packets for the monthly meetings, the quarterly review packages contain detailed risk data such as status updates, risk update summaries, a risk radar summary, and a summary of risks whose mitigated values are greater than $100 million. The packages also contain a report card detailing which business units are participating and a quick list of significant changes. For example, the quarterly report would show if a risk that was initially quantified as $30 million was increased to $50 million. A risk removal process requires business units to explain how and why a risk should be removed. For example, a risk may be removed if the program or project that supported the risk is eliminated. A risk can also be removed if it is not changing significantly over time. In such cases, the risk is still tracked and captured, but a box is checked to indicate that it is not active for review. The risk is left in the database, but is not reported in the risk review process. (Periodic renewals allow these risks to be checked for updates.)

As part of Textron’s ERM activity cycle, risk data is captured and reported two weeks prior to the end of each quarter. This allows time for the CFO to examine and sign off on any risk activity without interfering with quarterly financial reporting processes.

Initially, it was thought that the ERM function would act as administrator of the process; however, this is not the case. Instead, the ERM function serves as a coordinator for risk activity and works closely with key business leaders to determine how risks should be reported.

iDentiFying, impLementing, anD maintaining SuppOrting erm teChnOLOgieSTextron primarily uses Microsoft Excel to collect risk data. Information related to risk radars, risk summaries, and risk measures is collected in Excel and exported to PowerPoint for reporting purposes. The tool is slightly interactive in the sense that certain boxes can be turned off if needed. For example, if a risk is considered acceptable and no further work is required, then the portion of the form related to future mitigation actions is turned off to prevent input.

“We’d love to have a Web-based tool that lets our risk owners input

data online. Being able to track and update risks online would be ideal;

however, we aren’t there yet.”



Textron


As mention previously, the organization employs a tool called DataPoint to enable links between Microsoft programs. When reports are extracted, a button next to each risk allows users to access more detailed risk data from the risk database.

For each risk, 59 data points (or fields) are collected. On the input form, users can click “question boxes” to obtain additional guidance on how to complete the various sections. Data fields are standardized to ensure accurate data analysis and promote “apples-to-apples” comparisons.

Textron has examined some emerging ERM systems, but has not found any that meet the maturity requirements of the organization. Ideally, it would like to develop a Web-based tool that captures basic inputs and allows users to track and update key risks. Allowing risk consultants to input risk data on a standardized form is the goal; however, the costs associated with this technology and the limited resources available to maintain and develop such a tool prohibit its development at this time. Currently, about 18 individuals update risks each quarter ; this represents 40 to 50 transactions. With such a low number of transactions, an enterprise software solution would need to be economically priced in order to be attractive.

uSing erm aS a DeCiSiOn-maKing tOOLERM is integrated into decision making at Textron in the sense that risk data is considered and reviewed as part of strategic planning. In addition, most strategic plans at Textron capture the level of risk associated with various projects. The ERM function encourages business units to use the same process that is used to track and report risks across the organization; however, this practice is not fully implemented. The ERM function is currently trying to improve how assessments are conducted for strategic planning. However, since risk radars are reviewed as part of the strategic planning process, the organization is satisfied with the level of integration with strategic planning. The strategy organization is involved in creating risk assumptions when developing scenarios for planning risk assessments.

Although there is not a direct link between ERM and strategic planning, risk discussions occur during the business units’ annual strategy review planning sessions. In addition, the board of directors integrates risk information into strategy and planning. The ERM function tracks macroeconomic risks that are considered high-level. For example, the board of directors will often request risk assessments on macroeconomic risks such as a European or U.S. recession. The ERM function is charged with creating a risk assessment on a potential recession that includes financial data as well as the impact to the overall organization or business unit.

Currently, the ERM function manages nine macroeconomic risk assessments, and Textron’s board of directors has initiated about half of these. The assessments cover emerging risks as well as regulatory risks. The ERM function tracks a number of economic assumptions such as gross domestic product (GDP), interest rates, and other data that may affect business units. Assessments that involve global economic factors are generally given in two scenarios. For example, one scenario may report

“We are not as integrated into the strategic process as we could be, but we are integrated somewhat. ERM doesn’t necessarily drive strategy at Textron, but it is considered in the annual strategy planning process.”



Textron

CaSe StuDy

Textron Inc.


CaSe StuDy

Textron Inc.

the outcome of a mild recession, whereas another may focus on the outcome of a worldwide recession. Possible scenarios are presented from both division and corporate perspectives.

ERM is also integrated into Textron’s annual 10-K report. As previously stated, Textron’s director of ERM works with a team to provide risk data to be considered in 10-K revisions. Although specific risks are not mentioned in the 10-K, they are covered in basic risk categories.

Textron does not use risk workshops for decision making or strategic planning because it is difficult to determine exactly who is a risk expert in its various business units and segments. Cessna, for example, has more than 12,000 employees, and identifying the right people to participate in workshops would be extremely challenging. The audit committee monitors ERM and evaluates how the process is working on a regular basis; the organization finds this process to be more effective than workshops.

In 2006, the ethics and compliance organization began conducting its own risk assessments to drive action plans. A year later, this group changed its risk assessment process to the process used by the ERM function. As part of the integration, the ERM function and the compliance and ethics function jointly developed business conduct guidelines. The document outlined 29 standard risk categories and definitions such as improper payments, insider trading, international trade, and anti-trust. Each risk category was assigned a subject matter expert to answer questions on compliance issues.

The ERM function worked closely with the compliance and ethics group to help the group understand the difference between controls that would reduce likelihood and controls that would change impact. For example, some controls, such as training, may reduce likelihood, but not impact. Conversely, some controls may reduce impact and cost to the organization, but do not reduce likelihood. Basic information about this distinction was communicated across the organization. Since many of Textron’s business units face the same compliance and regulatory issues, it was important to provide a standardized way to compare and assess risks in these areas. Each business unit was surveyed to identify its top three compliance risks, and this information was used to determine the 29 standard risk categories.

In 2007, Textron successfully incorporated compliance risk into its ERM process. Compliance risk assessments and actions are reported via the same risk radar and summary format used for other risks. This enables the organization to rationalize compliance expenditures. Compliance risks are updated quarterly, but assessments and major changes to action plans occur only once a year.


Business Continuity Management at Textron

Figure 47

Crisis Response & Business Recovery

PlanningBusiness Recovery

Crisis Management, EH&S, Risk Management, IT DR, ISC, and ERM are also part of effective BCM and can mitigate the effects of business disruptions.

CrisisResponse

Planning Execution

Busi

ness

Dis

rupt

ion

Time Time

ERM is also integrated with business continuity management. In fact, data from ERM drives BCM activities. At Textron, BCM is a coordinated set of organizations, activities, processes, and tools that allows the company to prevent and/or prepare for, mitigate against, respond to, and recover from significant business disruptions. Textron uses enterprise applications and IT tools for BCM, and each business unit has a BCM coordinator.

When Textron was initially considering business continuity planning, it relied on ERM to make the case. By leveraging risk data, the ERM function was able to identify a significant number of risks that would benefit from business continuity mitigations. Accordingly, with the full support of management, the organization adopted a BCM process to mitigate business risks. Figure 47 shows the current process that is used for business continuity planning.

The integration of BCM and ERM has led to significant process improvements across the organization. Figure 48 lists some of the benefits that have been derived from BCM. For example, HR Textron will have reduced a significant risk exposure down to a small amount along with potential insurance benefits. Likewise, by enabling an alternate treasury site, the organization will reduce a small expected loss per week to zero.

CaSe StuDy

Textron Inc.

ERM and Business Continuity Management Benefits

Figure 48

Risk

Risk

Former Current Impact Action Revised Current Impact Benefit

TMLS - Hurricane - Mfg. facility producing armed security vehicle for U.S. Army

HR Textron - Earthquake - Mfg. facility producing actuators for Bell Helicopter and Cessna Aircraft

Treasury - All Threats - Risk to 40 Westminster

IT Data Loss - Data Loss - Exposure with laptops

$ Significant6 month recovery time

$ Small per week plus delays in payroll, dividends, taxes, pensions, debt service

$ Small

$ Significant(Will be less than $ Small upon implementation) 3 month recovery timeProject in Phase 5 (of 7). Impact and recovery time, est.

$ Significant reduction in risk exposure anticipatedPotential insurance benefitsAddresses capacity restraints

$ Very Low

$ Very Low

$ Significant4 month recovery time

$ Significant reduction in risk impact exposure

$ Minor reduction in insurance premium

$ Small1 month recovery time

Implemented business continuity plan and relocated critical processes to new facility

In Process - Implementing business continuity plan and (planning) a co-production facility at new location

Business continuity plan (in process) to enable alternate treasury site w/ full functionality

Fully mitigated risk impact of loss of treasury operations

Implemented data encryption technology on all laptop computers

$ Small reduction in risk impact exposure


CaSe StuDy

Textron Inc.

“We are a Six Sigma company. We measure everything. We measure

the risk impact and likelihood and the ERM process effectiveness

as well.”



Textron

uSing erm aS a perFOrmanCe imprOvement tOOLTextron tracks and measures a number of ERM components, including: • riskeventsandactions,• overallriskpredictionratio,• totalcostofriskeventsperyear,• ERMparticipation,• riskexposurereduction,• mitigatedreductions,and• costsavings.

Most of these measures are basic. For example, risk events and actions measure any disruptions that result in changes to risk analysis. For each risk event occurrence, the ERM function reviews existing risks and makes any necessary revisions to the impact and likelihood assessments. This information is presented in the same format as risk analysis data and is entered in the risk event tracking system. A risk event summary shows the current predicted impact, the actual impact occurrence, and the costs associated with the change in the event.


The overall risk prediction ratio is the percentage of events that were accurately predicted. Calculating this ratio requires the organization to collect data on risk events in relation to risk prediction. The ratio compares risk events to the predicted risks. For example, a sample overall risk prediction ratio would be the number of risk events that occurred divided by the number predicted.

The total cost of risk events per year is the cumulative cost of risk events. To obtain this data, the ERM function tracks risk events and total annual cost. The cost of risk events is plotted against total risk exposures.

Risk exposure reduction refers to the cost of a risk once mitigation controls are in place. Risk impact is collected as annualized net operating profits. Reductions in risk impact potential that result directly from ERM mitigating actions are collected as risk exposure reductions. For example, if an initial risk of $100 million is reduced to $25 million through controls or other ERM actions, then the risk exposure reduction would be $75 million.

Mitigated reductions are the potential savings that would result from mitigation efforts if a risk event actually occurred. Textron tracks the total effect of all new mitigating actions each quarter. The sum of the differences between previous current risk impact and current risk impact is summarized across all business units.

Finally, cost savings are measured; this category includes items such as insurance savings or other savings that are actually realized. To obtain this number, the ERM function captures the total cumulative cost of all savings generated by actions caused by ERM.

Textron’s audit committee evaluates the ERM process periodically to ensure it is working as designed. These reviews have resulted in enhanced risk identification, evaluation, and mitigation throughout the organization. The following process is used for ERM reviews:• thebusinessunitsandcouncilssubmittimelyquarterlyupdates,• theERMteamreviewsbusiness-unitandcouncilsubmissionsfor

reasonableness and completeness,• quarterlyupdatesofsignificantrisksarepresentedtotheoperatingcommittee,• theoperatingcommitteereviewssignificantrisks,and• theriskreviewisincorporatedintostrategydiscussions.

Textron is able to quantify all its risks. This means that every risk is associated with a dollar amount representing the approximate cost the organization would incur if that risk event were to occur. However, cost is not the only consideration for mitigation. Other, more important considerations can affect mitigation decisions. If the business unit or council is not able to assign a cost for a risk, the ERM function

CaSe StuDy

Textron Inc.


CaSe StuDy

Textron Inc.

“ERM is not something that is done in the back office and put in a drawer for future reference,

and you don’t want it to be like a newspaper where you just report what may or may not happen. It

is a hands-on activity that requires everyone to work on it. And the value is only realized when you actually do something that ultimately improves

the organization.”



Textron

can still track the risk. However, in the history of ERM, there has yet to be a risk that cannot be quantified. This is because the ERM function works closely with business units to determine risk costs. In some cases, a range may be developed to illustrate best- and worst-case scenarios, and each risk cost is factored into an overall cost average.

At Textron, ERM has transformed the organization significantly and helped it realize significant benefits. Some of these benefits result from reduced risk exposure, which means that they are realized only when a risk event occurs and its impact is reduced through risk mitigation efforts that have been put into place. However, other benefits accrue even if a risk event does not occur. For example, insurance premium reductions and credit rating agency decisions that impact the cost of capital have produced significant cost savings for the organization.

Other key benefits and activities resulting from Textron’s ERM function follow.• Riskdiscussionsnowoccurwithinbusinessunits,councils,andthe

operating committee.• ThecomplianceorganizationusestheERMriskcollectionprocessandtoolsto

assess compliance risks.• Infinancialreporting,10-Kand10-Qriskfactorssectionsareenhancedby

risk data from ERM as recommended by the U.S. Securities and Exchange Commission.

• Toenhancesecurity,laptopencryptionanddatariskanalysisandsoftwaretoolshave been adopted based on recommendations by the ERM function.

• Mitigationplansfortheavianfluhavebeenimplementedatallbusinessunitsusing ERM tools.

• ERMdatafeedstheannualFRMandauditplanningprocess.• Physicalpropertydamageinsurancereviewsarebeingcompleted,andcoverage

is being rationalized.• Integratedrisksandsupplychainriskshavebeenidentifiedandmitigated.• Theneedformorerobustbusinesscontinuityplanninghasbeenidentified,and

this functionality is being developed.

LeSSOnS LearneD anD Future pLanS The ERM function regularly completes an 18-month outlook that shows target areas for risk and process improvements. Figure 49 (page 117) illustrates the current 18-month outlook for ERM. The bottom of the chart details the areas that the function has targeted for improvement. For example, ERM plans to expand on macroeconomic risks and continue to evaluate enterprise-level risks through scenario planning. Mergers and acquisitions (M&A) is also a target area for improvement; the objective is to employ ERM risk analysis tools such as risk radars and risk summaries to evaluate all future mergers and acquisitions prior to making a commitment.


Another key area for improvement is physical property damage risk. Recent developments provided an impetus to examine the organization’s insurance policies across a number of business units. For example, Hurricane Katrina damaged one of Textron’s facilities on the Gulf Coast. Although the organization had insurance, much of the significant cost required to rebuild the facility was not covered. This resulted in an effort to rationalize insurance coverage and began the process to consider business continuity as mitigation for some risks.

Continuing to develop business continuity risks is an additional area that the ERM function will address over the next 18 months. Until recently, Textron did not use formal business continuity management practices. While some areas, such as information technology, have disaster recovery processes, there is generally a narrow focus. For example, the IT function has processes in place to recover data and servers, but not entire structures and data facilities. To combat such concerns, the ERM function plans to address these risks in greater detail.

Supply chain risks will also receive more attention in the upcoming year. The organization plans to increase its evaluation of supply chain–related risks in each business unit. Every year, Textron’s board of directors requests more evaluation of supply chain risks, and the business units report difficulties in assessing suppliers and conducting product assessments. The ERM function is currently working with the business units to help them understand how to analyze suppliers in critical parts of the supply chain.

Integrated risks—those that have a chain reaction within Textron business units—also will be addressed in the near future.

Figure 49 also shows the process improvements that will be addressed by the ERM team. Probing and challenging risk assumptions is a critical area for improvement. Each year, Textron’s director of ERM conducts a review of key risks by business unit. Business units may receive comments or direction on how to expand on risks, new risks that should be added, or suggestions to reevaluate risk data.

Textron cites the support of key leadership for ERM as a critical success factor. The initial ERM activities were led by the CFO, which communicated the importance of the initiative. The commitment of senior management was instrumental in obtaining cultural buy-in for both Six Sigma and ERM.

Because ERM was launched from existing Six Sigma efforts, there were fewer cultural barriers to adoption. Six Sigma also validated the ERM process and helped with buy-in. Accordingly, Textron cites attaching ERM to a standard design process within the organization as a critical success factor.

CaSe StuDy

Textron Inc.

Textron’s 18-Month ERM Outlook

Figure 49

Incorporate E&C Risk Assessment Reporting into ERM

Macro-economic RisksEvaluated enterprise-level risks that must be evaluated through scenario planning

M&A Risks

Integrated to use ERM risk analysis tools

Climate Change

Assess risk and develop strategy for mitigations

Insurance

Update risk exposure from combined physical property review (w/ ins.)

Business Continuity RisksReport revised risk exposure from 12 high- priority BCPs

Supply Chain RisksIncrease evaluation of supply chain– related risks at each business unit

Integrated Risks

Renew risks that have a “chain reaction” within Textron business units

Lean Qtr. Reporting Process

Risk AOP/ Strategy Tighter Integration

Probing and Challenging Risk Assumptions

Annual Risk Refresher

In-Depth Two-Way Benchmarking

Proc

ess

Impr

ovem

ent

Risk

Im

prov

emen

t

2008 2009


CaSe StuDy

Textron Inc.

The use of an operating committee in lieu of a traditional risk committee was also vital to success. Textron’s leaders felt strongly that the ERM function should report directly to risk owners in key business units. This lets the organization communicate risk information directly to individuals who have the ability to act on it, which enables ERM to have a greater impact across the organization.

The use of a report card helps promote accountability; by monitoring the report card, the organization ensures that risks are tracked and properly addressed. As noted, the report card is embedded into the quarterly reporting process and shows which business units and councils are participating in risk activities. If a business unit is not participating, then executives will usually call business-unit leaders and question their lack of involvement. This approach helps increase involvement and accountability.

The following list summarizes additional lessons learned during Textron’s ERM journey:• ERMisaprocess,notaproject.• Managementownstherisks,andtheERMfunctiondrivestheprocess.• Riskassumptionshavefiniteaccuracyregardingimpactandlikelihoodandare

not critical to the process.• Managementmustbeengagedinregularriskdiscussions.• ValueisrealizedwhentheERMprocessmotivatesbeneficialactionsthatwould

not have otherwise occurred.• TangiblebenefitsmustbeachievedfromERMinjustifytheprogram’sexistence.• ERMwillnevereliminateallrisksandexposures.• Thesupportoftheboardofdirectorsisimportanttoongoingsuccess.

Organizations that take note of these lessons learned will be in a strong position to establish effective ERM programs.

ISBN-10: 1-60197-148-6ISBN-13: 978-1-60197-148-7

123 North Post Oak Lane, Third FloorHouston, Texas 77024-7797800-776-9676 • +1-713-681-4020www.apqc.org • [email protected]

A best pract ices report f rom

P ®A COP U B L I C A T I O N S

RISKY BUSINESS II:Enterprise Risk Management as a Core Management Process