Professional Documents
Culture Documents
I Ma Tools Techniques May 07
I Ma Tools Techniques May 07
TITLE
CREDITS
Published by
Institute of Management Accountants
Copyright © 2007 by Institute of Management
10 Paragon Drive
Accountants
Montvale, NJ 07645-1760
www.imanet.org All rights reserved
Statements on Management Accounting
TABLE OF CONTENTS
TABLE OF CONTENTS
Exhibits
Exhibit 1: A Continuous Risk Management Exhibit 10: : Tornado Chart: Earnings
Process . . . . . . . . . . . . . . . .2 Variability by Sample Risks .17
Exhibit 2: Industry Portfolio of Risks . .5 Exhibit 11: Actual Revenue vs. Risk-
Exhibit 3A-D: Risk Identification Template 6-7 Corrected Revenue . . . . . . .18
Exhibit 4: Influence Diagram . . . . . . .10 Exhibit 12: Goals of Risk Management .19
Exhibit 5: Quantifying Risk: Determine the Exhibit 13: : Earnings at Risk by Risk
Drivers . . . . . . . . . . . . . . .11 Factor . . . . . . . . . . . . . . . .20
Exhibit 6: Qualitative and Quantitative Exhibit 14: Earnings at Risk Hedge
Approaches to Risk Effectiveness Comparisons .21
Assessment . . . . . . . . . . .12 Exhibit 15: Expected Earnings and EaR 21
Exhibit 7: Risk Map . . . . . . . . . . . . . .13 Exhibit 16: Probability Assessment of
Exhibit 8: Risk Map Model . . . . . . . . .14 Earnings Outcomes . . . . . .22
Exhibit 9: Gain/Loss Probability Curve 16 Exhibit 17: ERM Maturity Model . . . . . .24
ENTERPRISE RISK AND CONTROL
1
ENTERPRISE RISK AND CONTROL
SET STRATEGY/
OBJECTIVES
COMMUNICATE IDENTIFY
& MONITOR RISKS
CONTROL ASSESS
RISKS RISKS
TREAT
RISKS
Source: Adapted from Institute of Chartered Accountants in England and Wales, No Surprises: The Case
for Better Risk Reporting, ICAEW, London, U.K., 1999, p. 47.
as strategic planning, the balanced scorecard, risk management, information technology, and
budgeting, business continuity planning, and cor- internal audit will also find this SMA useful.
porate governance. Finally, it takes up the issue
of transitioning from compliance under the Like many other change initiatives going on with-
Sarbanes-Oxley Act (SOX), where the focus is on in dynamic organizations, ERM provides an
risks related to financial reporting, to an opportunity for management accounting and
enterprise-wide perspective on risks, including finance professionals to alter how they are per-
strategic risks. ceived by others in the organization. By becom-
ing a strategic partner in ERM implementation,
III. SCOPE they can be seen as “bean sprouters” of new
This SMA is addressed to management account- management initiatives rather than merely “bean
ing and finance professionals who serve as counters.” They also can move from being the
strategic business partners with management in historians and custodians of accounts to futuris-
the implementation of ERM in their organization. tic thinkers. They can become coaches and play-
Others within the organization responsible for ers in a new management initiative important to
the future overall well-being of the company
2
ENTERPRISE RISK AND CONTROL
rather than merely scorekeepers on what has or one company’s senior enterprise risk manager,
has not been accomplished.2 are: “What could stop us from reaching our top
goals and objectives?” and “What would materi-
The focus of this SMA is on core tools and tech- ally damage our ability to survive?” These ques-
niques to facilitate successful ERM implementa- tions can be modified for the appropriate level of
tion. While other tools and techniques can be inquiry.
found in the Additional Resources section, this
document emphasizes those that are critical for In the risk identification process, those involved
most ERM initiatives. Since all organizations should recognize that it is a misperception to
have stakeholders with ever increasing expecta- think of a risk “as a sudden event.”3 Identifying
tions, the tools and techniques discussed here an issue that is facing the organization and dis-
are generally relevant to: cussing it in advance can potentially lead to the
● large and small organizations, risk being mitigated. Two benefits are possible:
● enterprises in the manufacturing and services “One, if you mitigate the risk and your
sectors, peers do not—in a catastrophic, continu-
● public and private organizations, and ity-destroying event that hits an indus-
● for-profit and not-for-profit organizations. try—say a financial scandal—you get
what is called the survivor’s bonus. Two,
I V. R I S K I D E N T I F I C AT I O N if you survive or survive better than oth-
TECHNIQUES ers, then you have an upside after the
Exhibit 1 shows the generic ERM framework pre- fact, and this should be part of the
sented in Enterprise Risk Management: board’s strategic thinking.”4
Frameworks, Elements, and Integration. The ini-
tial focus is on clarity of strategies and objec- Before considering some of the specific tech-
tives. The focal point for risk identification may niques available for organizations to identify
be at any level, such as the overall company, a risks, several important factors should be noted
strategic business unit, function, project, about this process:
process, or activity. Without clear objectives it is ● The end result of the process should be a risk
impossible to identify events that might give rise language specific to the company or the unit,
to risks that could impede the accomplishment function, activity, or process (whatever is the
of a particular strategy or objective—regardless focal point);
of the scope of the inquiry. Assuming those ● Using a combination of techniques may pro-
involved in identifying risks have a clear under- duce a more comprehensive list of risks than
standing of the strategies and objectives, the would reliance on a single method;
appropriate questions to ask, as suggested by ● The techniques used should encourage open
and frank discussion, and individuals should
not fear reprisal for expressing their concerns
2 The authors acknowledge that the ideas in this paragraph
about the changing role of financial professionals were 3 Corporate Board Member, 2006 Academic Council
taken from a presentation heard some years ago (uncertain Supplement: Emerging Trends in Corporate Governance,
as to date and place) and given by Jim Smith of The Marmon Board Member, Inc., Brentwood, Tenn., p. 20.
Group, Inc. While the original remarks were not given in the
context of ERM, they have been adapted accordingly. 4 Ibid.
3
ENTERPRISE RISK AND CONTROL
about potential events that would give rise to The participants may very well be required to do
risks resulting in major loss to the company; some preparation prior to the session.
● The process should involve a cross-functional
and diverse team both for the perspectives In using this technique, one company familiar to
that such a group provides and to build com- the authors noted that because the objectives
mitment to ERM; and were unclear to some of the participants, the
● Finally, the process will probably generate a process had to back up and clarify the objectives
lengthy list of risks, and the key is to focus on before proceeding. Using a cross-functional
the “vital few” rather than the “trivial many.” team of employees greatly increases the value of
the process because it sheds light on how risks
Some techniques for identifying risk are: and objectives are correlated and how they can
● Brainstorming impact business units differently. Often in brain-
● Event inventories and loss event data storming sessions focused on risk identification,
● Interviews and self-assessment a participant may mention a risk only to have
● Facilitated workshops another person say: “Come to think of it, my area
● SWOT analysis has that risk, and I have never thought of it
● Risk questionnaires and risk surveys before.” With the team sharing experiences,
● Scenario analysis coming from different backgrounds, and having
● Using technology different perspectives, brainstorming can be suc-
● Other techniques cessful in identifying risk. It is also powerful
when used at the executive level or with the
Brainstorming audit committee and/or board of directors.
When objectives are stated clearly and under-
stood by the participants, a brainstorming ses- In a brainstorming session, the participants
sion drawing on the creativity of the participants must have assurance that their ideas will not
can be used to generate a list of risks. In a well- result in humiliation or demotion. Otherwise,
facilitated brainstorming session, the partici- they may feel inhibited in expressing what they
pants are collaborators, comprising a team that believe are major risks facing the organization.
works together to articulate the risks that may As an example, a set of often overlooked risks
be known by some in the group. In the session, are “people risks” vs. environmental risks, finan-
risks that are known unknowns may emerge, and cial risks, and other more technical risks. People
perhaps even some risks that were previously risks include succession planning (What if our
unknown unknowns may become known. very competent leader departs the organiza-
Facilitating a brainstorming session takes spe- tion?) and competency and skills building (What
cial leadership skills, and, in some organiza- if we continue with a team that does not have
tions, members of the internal audit and ERM the requisite skills for success?). Once a list of
staff have been trained and certified to conduct risks is generated, reducing the risks to what the
risk brainstorming sessions. In addition to well- group considers the top few can be accom-
trained facilitators, the participants need to plished using group software to enable partici-
understand the ERM framework and how the pants to anonymously vote on the objectives and
brainstorming session fits into the ERM process. risks. Anonymity is believed to increase the
veracity of the rankings. Some of the interactive
4
ENTERPRISE RISK AND CONTROL
Source: Debra Elkins, “Managing Enterprise Risks in Global Automatic Manufacturing Operations,”
presentation at the University of Virginia, January 23, 2006. Permmission granted for use.
voting software that could be used in the risk Exhibit 2) or a generic inventory of risks.
identification process includes Sharpe Examples of the latter are readily available from
Decisions, Resolver*Ballot, OptionFinder, and various consulting firms and publications.5 In
FacilitatePro. With the availability of interactive the first SMA on ERM, a general risk classifica-
voting software and Web polling, the brainstorm- tion scheme is given that could also be used to
ing session might be conducted as a virtual “seed” the discussion. In a brainstorming ses-
meeting with participants working from their sion or facilitated workshop (discussed below),
office location, also enabling them to identify the goal is to reduce the event inventory to those
and rank the risks anonymously. relevant to the company and define each risk
specific to the company. The risk identification
Event Inventories and Loss Event Data process can also be seeded by available loss
Seeding or providing participants with some form
of stimulation on risks is very important in a
5 Economist Intelligence Unit, Managing Business Risks—
brainstorming session. One possibility is to pro- An Integrated Approach, The Economist Intelligent Unit, New
vide an event inventory for the industry (see York, 1995.
5
ENTERPRISE RISK AND CONTROL
Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.
Please assess the overall risk management capability within your area of responsibility to seize opportunities
and manage the risks you have identified.
6
ENTERPRISE RISK AND CONTROL
Internal Environment VL L M H VH
Objective Setting VL L M H VH
Event Identification VL L M H VH
Risk Assessment VL L M H VH
Risk Response VL L M H VH
Control Activities VL L M H VH
Information/Communication VL L M H VH
Monitoring VL L M H VH
What is your level of concern with respect to the overall risk management capability of your area of
responsibility to seize opportunities and manage risks? Please circle the most appropriate response:
*The categories are taken from COSO, Enterprise Risk Management—Integrated Framework: Executive Summary,
AICPA, New York, 2004.
Commission (COSO). A sample template is pre- reprisal should their superior be a member of the
sented in Exhibits 3A-D. The completed docu- group.
ments are submitted to the ERM staff or coordi-
nator, which could be the CFO, controller, COO, or SWOT Analysis
CRO (chief risk officer). That group follows up SWOT (strengths-weaknesses-opportunities-
with interviews to clarify issues. Eventually, the threats) analysis is a technique often used in the
risks for the unit are identified and defined, and formulation of strategy. The strengths and weak-
a risk management capability score can be nesses are internal to the company and include
determined from a five-point scale, as used in the company’s culture, structure, and financial
Exhibit 3D. This technique might also be used in and human resources. The major strengths of
conjunction with a facilitated workshop. the company combine to form the core compe-
tencies that provide the basis for the company to
Facilitated Workshops achieve a competitive advantage. The opportuni-
After the information is completed and collected, ties and threats consist of variables outside the
a cross-functional management team from the company and typically are not under the control
unit or from several units might participate in a of senior management in the short run, such as
facilitated workshop to discuss it. Again, using the broad spectrum of political, societal, environ-
voting software, the various risks can be ranked mental, and industry risks.
to arrive at a consensus of the top five to 10, for
example. As noted previously, using interactive
voting software allows the individuals to identify
and rank the risks anonymously without fear of
7
ENTERPRISE RISK AND CONTROL
For SWOT analysis to be effective in risk identifi- pants to “List the five most important risks to
cation, the appropriate time and effort must be achieving the company’s strategic objectives.”
spent on thinking seriously about the organiza- The survey instruments included a column for
tion’s weaknesses and threats. The tendency is respondents to rank the effectiveness of man-
to devote more time to strengths and opportuni- agement for each of the five risks listed, using a
ties and give the discussion of weaknesses and range of one (ineffective) to 10 (highly effective).
threats short shrift. Taking the latter discussion Whether using a questionnaire or survey, the
further and developing a risk map based on con- consolidated information can be used in conjunc-
sensus will ensure that this side of the discus- tion with a facilitated workshop. In that session,
sion gets a robust analysis. In a possible acqui- the risks are discussed and defined further.
sition or merger consideration, a company famil- Then interactive voting software is used to nar-
iar to the authors uses a SWOT analysis that row that risk list to the vital few.
includes explicit identification of risks. The writ-
ten business case presented to the board for the Scenario Analysis
proposed acquisition includes a discussion of Scenario analysis is a particularly useful tech-
the top risks together with a risk map. nique in identifying strategic risks where the sit-
uation is less defined and “what-if” questions
Risk Questionnaires and Risk Surveys should be explored. Essentially, this technique is
A risk questionnaire that includes a series of one way to uncover risks where the event is high
questions on both internal and external events impact/low probability.7 In this process,
can also be used effectively to identify risks. For “Managers invent and then consider, in
the external area, questions might be directed at depth, several varied stories of equally
political and social risk, regulatory risk, industry plausible futures. The stories are careful-
risk, economic risk, environmental risk, competi- ly researched, full of relevant detail, ori-
tion risk, and so forth. Questions on the internal ented toward real-life decisions, and
perspective might address risk relating to cus- designed (one hopes) to bring forward
tomers, creditors/investors, suppliers, opera- surprises and unexpected leaps of
tions, products, production processes, facilities, understanding.”8
information systems, and so on. Questionnaires
are valuable because they can help a company Using this technique, a cross-functional team
think through its own risks by providing a list of could consider the long-term effects resulting
questions around certain risks. The disadvan- from a loss of reputation or customers or from
tage of questionnaires is that they usually are the lack of capability to meet demand. Another
not linked to strategy. relevant question to ask is, “What paradigm
shifts in the industry could occur, and how would
Rather than a lengthy questionnaire, a risk sur- they impact the business?”
vey can be used. In one company, surveys were
sent to both lower- and senior-level manage-
ment. The survey for lower management asked
respondents to “List the five most important 7 Deloitte & Touche LLP, The Risk Intelligent Enterprise: ERM
Done Right, Deloitte Development LLC, 2006, p. 4.
risks to achieving your unit’s goals/objectives.” 8 Peter Schwartz, The Art of the Long View, Currency
The survey to senior management asked partici- Doubleday, New York, 1991, p. xiii.
8
ENTERPRISE RISK AND CONTROL
The risk management group of one company company’s risk management group analyzed was
uses scenario analysis to identify some of its a stock market downturn (or bear market). The
major business risks.9 One risk for this company group also defined five or six other scenarios.
is an earthquake. Its campus of more than 50 Under each one, it identified as many material
buildings is located in the area of a geological risks as could be related to the scenario and
fault. From a holistic perspective, the loss from developed white papers on each one for execu-
an earthquake is not so much the loss of the tive management and the board.11
buildings but the business interruption in the
product development cycle and the inability to Using Technology
serve customers. The company’s risk manage- The risk identification process can also utilize
ment group analyzed this disaster scenario with the company’s existing technology infrastructure.
its outside advisors and attempted to quantify For example, most organizations utilize an
the real cost of such a disaster, taking into intranet in their management processes. The
account how risks are correlated. In the process, group responsible for a company’s ERM process
the group identified many risks in addition to can encourage units to place their best risk prac-
property damage, including: tices on the ERM site. Risk checklists, anec-
● “Director and officer liability if some people dotes, and best practices on the intranet serve
think management was not properly prepared, as stimulation and motivation for operating man-
● Key personnel risk, agement to think seriously about risks in their
● Capital market risk because of the firm’s unit. Also, tools that have been found particular-
inability to trade, ly useful to various units can be catalogued. As
● Worker compensation or employee benefit new projects are launched, business managers
risk, are encouraged to consult the risk management
● Supplier risks for those in the area of the group’s intranet site.
earthquake,
● Risk related to loss of market share because Another use of technology is to recognize the
the business is interrupted, company’s potential risk that resides with the
● Research and development risks because Internet. For example, a company’s products, ser-
those activities are interrupted and product vices, and overall reputation are vulnerable to
delays occur, and Internet-based new media like blogs, message
● Product support risks because the company boards, e-mailing lists, chat rooms, and independ-
cannot respond to customer inquiries.”10 ent news websites. Some companies devote
information technology resources to scan the
This example reveals the value of using scenario blogosphere continuously for risks related to the
analysis: A number of risks are potentially pres- company’s products, services, and reputation.
ent within a single event, and the total impact
could be very large. Another scenario that this Other Techniques
Other possible approaches for identifying risks
9 Thomas L. Barton, William G. Shenkir, and Paul L.
Walker, Making Enterprise Risk Management Pay Off, include value chain analysis, system design
Financial Executives Research Foundation, Upper Saddle review, process analysis, and benchmarking with
River, N.J., 2001, pp. 132-135.
9
ENTERPRISE RISK AND CONTROL
Process Breakdown in
breakdown goal process
other similar as well as dissimilar organizations. developed using scenario analysis. This can be
Also, external consultants can add value in the done by using supporting documentation and
risk identification process by bringing in knowl- interviewing those who own parts of the risk.
edge from other companies and industries and by Exhibit 4 presents an influence diagram for a
challenging the company’s list of identified risks. strategic risk provided by a senior manager of
ERM at a major company. In this exhibit, a chain
V. A N A LY S I S O F R I S K B Y of likely events within a given scenario is spelled
DRIVERS out where a strategic risk—revenue target not
After a risk is identified, the temptation to quan- met—has been identified.
tify it before further analysis is completed should
be avoided. Additional understanding of the Studying Exhibit 4, the inquiry to determine the
risk’s potential causes is required by the ERM likely drivers in a scenario for the risk of not meet-
team and management before its impact can be ing the revenue target could be the following:
quantified. Working with the various units of the ● Failure to sell a new product;
organization that own parts of the risk, the ERM ● The new machinery and equipment purchased
team should drill into the risk to uncover what is for making the new product was not selected
beneath the surface and to get a better under- properly because of a process breakdown in
standing of the potential risk drivers. An influ- the acquisition. This led to manufacturing fail-
ence diagram or root cause analysis can be ures attributed to product design problems,
10
ENTERPRISE RISK AND CONTROL
which led to a high rate of product defect; The point of this analysis is to understand the
● Failure in the supply chain impacted the ability level at which quantification can best occur. If
to meet the revenue target. A catastrophic the risk is quantified at too high a level, it could
event occurred at a major supplier, and the be too broad or not actionable. Using a building
business continuity plan recognized this event block approach around risk drivers facilitates the
too late to find alternative suppliers; quantification process. At the end of the
● Together, the above events would result in los- process, however, quantification is still an esti-
ing some top customers because high-quality mate and should be viewed as merely providing
products could not be delivered when required; an “order of magnitude” of the impact.
furthermore, in digging deeper, some misalign-
ment of specific goals might exist in the silos VI. RISK ASSESSMENT TOOLS
involved. For example, manufacturing might Risks must be identified correctly before an
have a goal of cutting cost; customer service organization can take the next step. Assessing
naturally will want low defects in the products; the wrong list of risks or an incomplete list of
the pricing function will be seeking high mar- risks is futile. Organizations should make every
gins for the products; and the sales force is possible effort to ensure they have identified
motivated to generate revenue. their risks correctly using some or all of the
approaches discussed. The act of identifying
With an in-depth understanding of how the risks is itself a step on the risk assessment
strategic risk could occur, more information is road. Any risks identified, almost by default, have
now available to assist in quantifying the risk. some probability of influencing the organization.
This information can be framed as noted in
Exhibit 5 in order to begin estimating the impact.
11
ENTERPRISE RISK AND CONTROL
Qualitative/
Qualitative Quantitative Quantitative
Risk identification Validation of risk impact Probablistic techniques
Risk rankings Validation or risk likelihood cash flow at risk
Risk maps Validation of correlations earnings at risk
Risk maps with Risk-corrected revenues earnings distributions
impact and likelihood Gain/loss curves eps distributions
Risks mapped to Tornado charts
objectives or divisions Scenario analysis
Identification of risk Benchmarking
correlations Net present value
Traditional measures
12
ENTERPRISE RISK AND CONTROL
risks on the list may not be quantifiable. For and analysis of historical error rates on a busi-
these risks, identifying them and adding them to ness process) where possible.
a priority list may be the only quantification pos-
sible. Organizations should not be concerned Impact and Probability
that they cannot apply sophisticated modeling to The importance of an event includes not just its
every risk. impact but also its likelihood of occurring.
Therefore, many ERM organizations generate risk
Risk Rankings maps using impact and probability. In ERM imple-
Once an organization has created its list of risks, mentation, companies not only generate risk
it can begin to rank them. Ranking requires the maps to capture impact and likelihood but also
ERM team to prioritize the risks on a scale of to demonstrate how risks look when put togeth-
importance, such as low, moderate, and high. er in one place. The value of the map is that it
Although this seems unsophisticated, the results reflects the collective wisdom of the parties
can be dramatic. Organizations find considerable involved. Furthermore, risk maps capture consid-
value in having conversations about the impor- erable risk information in one place that is easi-
tance of a risk. The conversations usually lead to ly reviewed. A basic risk map, such as in Exhibit
questions about why one group believes the risk 7, captures both impact and likelihood.
is important and why others disagree. Again, this
process should use a cross-functional risk team When assessing likelihood or probability, the
so that perspectives from across the entire ERM team can use a variety of scales:
organization are factored into the rankings. This ● Low, medium, or high;
is a critical task requiring open debate, candid ● Improbable, possible, probably, or near certain-
discussion, and data (e.g., tracking, recording, ty; and
● Slight, not likely, likely, highly likely, expected.
The same is true for assessing impact:
13
ENTERPRISE RISK AND CONTROL
for increased
Segment • Reported to
impact and/or Leadership Segment Leadership
Level Impact
● Low, medium, or high impact; high probability of a $10 million impact. For
● Minor, moderate, critical, or survival; and example, when Apple announced its entrance
● Dollar levels, such as $1 million, $5 million, into the cell phone market, other cell phone mak-
etc. ers likely began making calculations to gauge
the risk of the new entrant into their market.
When qualitatively assessing these risks, it is
also possible to estimate ranges. For example, a Risk maps can help an organization determine
company might determine that there is a low how to respond to a risk. As organizations see
probability of a customer-related risk having an the greater risks, they can plan a response. For
impact of $100 million, a moderate probability example, one risk map approach used by a com-
(or best guess) of a $50 million impact, and a pany is shown in Exhibit 8. For risks that are in
14
ENTERPRISE RISK AND CONTROL
the lower levels of impact and probability—the etc. What seems important today or this week
green zone on the map—a company should may not seem important in five years. Similarly,
respond with high-level monitoring. For risks with although some longer-range risks may not seem
higher levels of impact and probability—the red important today, these risks could threaten the
zone on the map—a company should take a organization’s survival if left unmanaged.
stronger response and a higher level of commit-
ment to managing them. Some organizations find it valuable to capture
the direction of the risk. This can be labeled on
Keys to Risk Maps the risk map or communicated separately.
Several keys need to be considered when gener- Direction of risk can be captured using terms
ating risk maps: confidentiality, definitions, time- such as “increasing,” “stable,” or “decreasing.”
frame, direction, and correlations. Organizations Related to the risk direction is the risk trend.
may want to consider doing impact and probabil- Knowing the direction and trend of a risk as well
ity in a confidential manner. As noted previously, as its dollar impact and likelihood can be crucial
software tools are available to facilitate confiden- to managing that risk. For example, risk trends
tial sharing. On the other hand, some companies can reveal that the risk was decreasing over the
find that openly sharing assessments within the last several years but has increased recently.
group is acceptable. Even with confidentiality,
good risk facilitators can bring out the risk One weakness in risk maps (and in silo risk man-
source and root problems. agement) is that maps do not capture any risk cor-
relations. Ignoring risk correlations can lead to inef-
Definitions used during the risk map generation fective and inefficient risk management. Risk cor-
are critical. What is “important” to one work unit relations can be considered for financial risks or
or individual may not seem “important” to anoth- nonfinancial risks. Clearly, how some companies
er. If organizations measure impact in dollars, manage one foreign currency exposure should be
the dollars must be without ambiguity. Does the considered with how they manage another foreign
risk influence dollars on one product, dollars for currency exposure. Managing these in silos (with-
a certain division, or earnings per share? out an enterprise-wide approach) can be inefficient
Similarly, “improbable” might be interpreted by because dollar exposures to only the yen or euro
some to be 1% while others could think it means ignore that the yen and euro are correlated.
15%. These definitions and terms should be Similarly, silo risk management would ignore the
clearly established before the risk map sessions fact that the movement of interest rates could
are conducted. influence an organization’s pension obligations
and debt obligations differently. As another exam-
Closely related to definitions are timeframes, ple, how an organization manages commodity
which need to be established up front so that exposure today should be factored in with how it
any understanding of the risk and its impact is plans to change its long-term strategy to manage
clear as to when it will affect the organization. An that same exposure. Short-term solutions of for-
assessment of risk at one point in time has the eign currency risk management are different from
same failings as strategic plans and objectives, long-term solutions of building plants in other coun-
which do not take a longer-term perspective on tries. As is evident, correlations among risks and
market trends, customer needs, competitors, an enterprise-wide approach are critical.
15
ENTERPRISE RISK AND CONTROL
1.10
1.00
90%-$0.30
0.90
Probability 80%-$0.48
0.80
that Annual
Loss will 0.70 70%-$0.68
Exceed Amount 0.60 60%-$1.13
Shown
0.50 50%-$1.15
0.40 40%-$1.50
0.30 30%-$1.98
0.20 20%-$2.73
10%-$4.28
1.10
0.00
$0.00 $6.18
Annual Loss Amount
Note: All loss amounts are in millions of dollars.
Link to Objectives at Risk or Divisions at sion, which may be more informative for division
Risk managers. Organizations can generate risk
Identifying risks by objective gives an organiza- maps for each division and for the organization
tion the option to map risks by objectives. For overall.
nonprofit organizations, this may be more impor-
tant because earnings per share is not the Residual Risk
biggest concern. A risk map by objective cap- After organizations assess risks, they should
tures all the risks related to a single objective, also consider any related controls so that the
helping the organization understand the broad residual risk is known. A residual risk is the
spectrum of risks facing that objective. For exam- remaining risk after mitigation efforts and con-
ple, the objective of maintaining the corporate trols are in place to address the initially identi-
reputation at a certain level could have many fied inherent risks that threaten the achievement
risks to be mapped. Using such a map, the of objectives. Risk maps can show overall risks,
organization can see the biggest risks to reputa- or they can be shown with just residual risks.
tion. Similarly, risks can also be identified by divi- Understanding residual risk can provide major
16
ENTERPRISE RISK AND CONTROL
Risk 1
Risk 2
Risk 3
Risk 4
Risk 5
Risk 6
Risk 7
Risk 8
Risk 9
(Cents per share) -0.70 -0.50 -0.30 -0.10 0.10 0.30 0.50 0.70 0.90
-0.90 0.00 1.00
benefits because companies do not want to over- Validating the Impact and Probability
or under-manage a risk that may be deemed by Organizations can validate the qualitative
management and stakeholders to be “tolerable” assessments of initial impact and probability by
or acceptable relative to stated business objec- examining historical data to determine the fre-
tives. This is a major reason why some compa- quency of events or the impact such events have
nies adopt ERM and try to understand, even had in the past. Events that have happened to
qualitatively, the return on investment (ROI) of an other organizations can be used to understand
ERM program. In the process of identifying risks how a similar event might impact your own orga-
and controls, the management team/process nization. Gathering such data can be time con-
owners clearly play a leadership role, but there is suming, but it has certain advantages. Knowing
a system of “checks and balances” in the con- the real frequency or likelihood of a major drop in
trol environment. For example, the control envi- sales, for example, can provide an organization
ronment for internal controls over financial with the information necessary to make informed
reporting includes the audit committee as well cost-benefit decisions about potential solutions.
as internal and external auditors.
17
ENTERPRISE RISK AND CONTROL
Risk-Corrected
Revenues
Actual
Revenues
93
94
98
02
99
00
04
90
91
97
01
03
95
92
96
19
19
19
20
19
20
20
19
19
19
20
20
19
19
19
18
ENTERPRISE RISK AND CONTROL
Earnings
risks were managed better. As Exhibit 11 shows, niques, the company can reassess the risk
risk-corrected revenues are smoother and more issue. Of course, not all of the improvement
controllable. On a broader scale, Exhibit 12 related to a risk can be traced to the risk mitiga-
shows one company’s view of how better risk tion techniques, but improvement is still valu-
management affects the distributions of earn- able. One major retailer uses this approach to
ings. A tighter distribution of earnings could gauge the value added from their ERM efforts in
potentially lead to improved performance of its addition to other value-added metrics. This retail-
stock price. The two types of analysis shown in er identified inventory in-stock rates as a risk.
Exhibits 11 and 12 are why some companies Measuring in-stock rates over time gave the com-
want to implement ERM. While stakeholders pany a good feel for the historical levels of in-
(e.g., investors) appreciate growth in earnings, stock rates. Next, after implementing risk mitiga-
they also appreciate some level of stability and tion efforts, current inventory in-stock rates were
predictability and are often willing to pay a premi- captured. Improvements in in-stock rates are
um for these attributes. traced to improvements in sales and, ultimately,
to value added from the ERM process.
A Common Sense Approach to Risk
Assessment Probabilistic Models
While some of these risk metrics and tools may Some organizations use quantitative approaches
seem difficult, a simple approach can yield in ERM that are built on traditional statistical and
equally good results. One approach is to meas- probabilistic models and techniques. The disad-
ure where the company stands today on a risk vantage to these approaches is that they require
issue. After implementing risk mitigation tech- more time, data, and analysis and are built on
19
ENTERPRISE RISK AND CONTROL
Commodity
Prices 32% 51%
Foreign
17% Exchange
Interest
Commodity Contribution to Foreign Exchange Contribution to
Rates
EaR by Major Commodity EaR for Major Currency
(100% = $16 million) (100% = $26 million)
35% 35%
30% 30%
25% 25%
20% 20%
15% 15%
10% 10%
5% 5%
assumptions. Furthermore, using the past to pre- age it more efficiently. Companies can also trace
dict the future has limitations even before other the earnings-at-risk to business units to help
“explanatory” variables are included in the sta- gauge the hedge effectiveness of each business
tistical prediction process. But some organiza- unit (see Exhibit 14). Knowing which business
tions still find these models very useful as a tool units have the greatest risk is valuable informa-
in their solutions toolkit when approaching risk. tion. With this knowledge, a company could com-
pare a business unit’s earnings level to the
One technique focuses on earnings at risk, earnings-at-risk. Those units that generate low
which are determined by examining how earnings earnings and high levels of risk may not be desir-
vary around expected earnings. In this approach, able business units. Having earnings-at-risk in
variables are examined to see how they influ- the aggregate allows an organization to see
ence earnings, such as determining the influ- which months have the greatest risk (see Exhibit
ence that a one-point movement in interest rates 15). Also, distributions can be created that esti-
would have on earnings. Similarly, expected or mate the probability of meeting earnings targets
budgeted cash flows can be determined and (see Exhibit 16).
then tested for sensitivity to certain risks, yield-
ing a cash-flow-at-risk number. As Exhibit 13 Seemingly Nonquantifiable Risks
shows, some companies trace the earnings-at- Some risks seem to defy acceptable quantifica-
risk to individual risk sources. Knowing the actu- tion, but a deeper look can reveal valuable infor-
al root cause or source of the risk helps to man- mation. Reputation is a risk that has become
20
ENTERPRISE RISK AND CONTROL
$40
$30
$20
Earnings at Risk
$10
Contribution
(millions of dollars) $0
-$10
-$20
-$30
-$40
Business Unit 1 Business Unit 2 Business Unit 3 Business Unit 4 TOTAL Diversification
Benefit
$60
20%
$50
15%
$40
$30 10%
$20
5%
$10 $125
EaR equals
the difference
$0 0%
$545 $670 Earnings
January
February
March
April
June
July
September
October
December
November
August
May
21
ENTERPRISE RISK AND CONTROL
$0 25%
Interpretation: There is a 30% chance
10% that due to all risks earnings will
20% fall below $640 million for the year.
20%
30%
40% 15%
50%
60% 10%
70%
80% 5%
90%
100% 0%
$545 $640 $670 Earnings
Level of earnings Expected ($ millions)
corresponding with EaR or budgeted earnings
increasingly important in today’s business envi- able risk, it still partially ignores the damage that
ronment, and it must be managed. At first reputation events have on supplier or vendor
glance, some executives would say you cannot relations. It also ignores how future customers
quantify it, but it can be in some ways. In acade- might be influenced by the reputation event.
mia, for example, a university’s reputation is a Although these related risks might not be quan-
prodigious risk. Tracking a drop in contributions tifiable, they highlight the importance of having
after a scandal can provide preliminary data that an ERM team study and analyze risks very close-
could lead to the ability to quantify reputation ly so that conversations about the risks are
risk. Ranges of decreases in contributions could focused on managing the risk and not just on
also be developed, with the maximum risk being identification and measurement.
a major decrease in donations. Gathering data
from universities or other nonprofit organizations Another example of a risk that appears nonquan-
that have experienced a drop in contributions tifiable is a breach in IT security. Examining the
can provide valuable external data that could movement in stock price around the event, how-
assist in quantifying this risk. For public compa- ever, can help a company gather a preliminary
nies, the impact of reputation risk could be estimate of how shareholders view the event.
examined by studying decreases in stock prices Additionally, talking to other companies that have
surrounding an event that damaged an organiza- experienced IT security breaches can help the
tion’s reputation. It is important to note that company understand the potential impact.
while this might capture and provide a quantifi- Finally, understanding the organization’s unique
22
ENTERPRISE RISK AND CONTROL
23
ENTERPRISE RISK AND CONTROL
24
ENTERPRISE RISK AND CONTROL
more explicit understanding of the risks facing hood estimates, benchmarking impact and likeli-
the unit. ERM is a journey that takes continuous hood against historical events and other organi-
commitment from C-level executives and where zations, setting and understanding risk toler-
implementation cannot be achieved overnight— ances and appetites, assessing and quantifying
it should proceed in incremental steps. At the various alternative risk mitigation strategies, and
same time, an organization embarking on ERM quantifying the benefits of ERM.
implementation needs to recognize that bad
things can happen to a good project if results are ERM Education and Training
not forthcoming. Consequently, striving for early Some control frameworks outside the United
wins in the ERM implementation project is impor- States mention the possibility of mandating ERM
tant. For example, a major company (after devel- training. Although formal training on financial
oping its approach to ERM) chose to implement risks is more common, ERM education and train-
ERM in a strategic business unit that was ing is being developed. Training needs can
mature and tightly controlled. In this instance, include:
the company preferred not to roll out ERM in a ● Understanding the nature of risk—this is not
unit that it knew in advance had many problems. as easy as it first appears if a true enterprise-
The roll out was successful, and the unit was wide approach is implemented,
used as a model to help build momentum for ● Understanding the legal and regulatory require-
ERM implementation in other units. ments related to risk management,
● Knowledge of ERM frameworks,
In another company, the decision was to initially ● Facilitation skills,
implement ERM with the senior level executives. ● Expertise in identifying risks,
This group went through the process of identify- ● Knowledge for building risk maps,
ing and assessing risks at the enterprise level ● Reporting structures and options (what to
and developing mitigation strategies. Once mem- report to the CEO, board, and audit
bers of this group were sold on the benefits of committee),
ERM, they became ERM champions and support- ● Software training,
ed its roll out to the various operating units. See ● Financial risk training (options, hedging strate-
Exhibit 17 for an example of staging an gies, insurance options, derivatives, etc.),
implementation. ● Refocused strategy training and how risk inter-
acts with strategy,
The Role of the Management Accountant ● Building and understanding control solutions,
As noted in the first SMA on ERM, the manage- ● Developing and monitoring performance met-
ment accountant and finance professional can rics related to risks, and
play a major role in ERM implementation by ● Change management.
championing the process, providing expertise on
the process, serving on cross-functional ERM Technology
teams, and providing thought leadership. Other Some technology tools are available to assist in
key roles include assisting with the quantifica- the facilitation/identification phase. Additionally,
tion of risks, analyzing the risk correlations, software is available to assist an organization
developing the range and distribution of a risk’s with the entire ERM process. Gartner Inc. recent-
impact, determining the reasonableness of likeli- ly reviewed ERM software vendors on two
25
ENTERPRISE RISK AND CONTROL
aspects: completeness of vision and ability to products; this effort has resulted in a shift in the
execute.13 Some organizations choose to either culture and thinking about the role of risk man-
develop their own ERM processes tailored to agement. Other cultural changes could occur,
their needs or hire consultants to help with the such as a shift from “blaming” to “identify and
process. Technology products not only help with managing,” a change in “do not report bad
the process, but they also assist with data news” to “report as early as possible” (so the
gathering, modeling, or reporting. One risk soft- risk can be managed), and, finally, from “How
ware tool, for example, helps with capital opti- does this affect my area or unit” to “How does
mization and data management. Other technolo- this affect the risks of the entire organization.”
gy products are designed to help with issues Some consultants have developed cultural diag-
such as time-series modeling, correlations, and nostic tools to enable organizations to assess
other advanced modeling techniques. Finally, cer- this cultural change.
tain industries have software tailored for compa-
nies in that industry, such as the online maturity Building a Case for ERM
model available for insurance companies.14 The New York Stock Exchange (NYSE) has incor-
porated elements of risk assessment and man-
Aligning Corporate Culture agement into its listing requirements. For regis-
Many organizations will notice a change in the trants with the Securities and Exchange
company culture as ERM implementation pro- Commission, item 1A of Form 10-K mandates
gresses. One noticeable difference is a proactive “risk factor disclosures.” These certainly support
focus on risks rather than a reactive approach. a case for ERM implementation, yet a company’s
Other changes are related to improved accounta- executive management may argue that compli-
bility and responsibility. With ERM in place, man- ance with these requirements can occur without
agers are more responsible for risk management full-scale ERM implementation. In those situa-
and controls because they helped identify the tions, the board of directors may have to ask the
risks and controls. As solutions and metrics are tough questions about the company’s risk identi-
developed to better manage a risk, management fication, assessment, and management process
can also be held more accountable for it. One to get executive management to implement
nonprofit organization mandates management ERM. Certainly, when executive management
action plans for any risk over a certain amount. presents the company’s strategy to the board or
This increase in accountability and responsibility seeks approval of a merger, the board has an
can flow down to lower levels in the organization. opening to ask questions about the company’s
An additional change may be from a “We need to risk identification, assessment, and manage-
comply” perspective to “We need to manage this ment process. ERM should engage and educate
risk to achieve better results.” One software the board because the board members clearly
company tries to build a risk management have a stake in the reputation and sustainable
thought process into the development of all new success of the organizations they serve.
13 French Caldwell and Tom Eid, Magic Quadrant for
Finance, Governance, Risk and Compliance Management As more companies adopt ERM and disclose its
Software, 2007, Gartner, February 1, 2007, adoption in their annual reports and as Standard
http://mediaproducts.gartner.com/reprints/paisleyconsult-
ing/145150.html. & Poor’s incorporates a company’s ERM prac-
14 See www.rims.org. tices in its ratings, other companies may begin
26
ENTERPRISE RISK AND CONTROL
27
ENTERPRISE RISK AND CONTROL
28
ENTERPRISE RISK AND CONTROL
Summary, AICPA, New York, 1992. Gibbs, Everett, and Jim DeLoach, “Which Comes
Corporate Executive Board, Confronting First…Managing Risk or Strategy-Setting?
Operational Risk—Toward an Integrated Both,” Financial Executive, February 2006,
Management Approach, Washington, D.C., pp. 35-39.
2000. Hands On, “Risk Management Issues for
DeLoach, James W., Enterprise-wide Risk Privately Held Companies,” ACC Docket, May
Management: Strategies for Linking Risk and 2006, pp. 76-88.
Opportunity, Financial Times, London, U.K., King Committee on Corporate Governance, King
2000. Report on Corporate Governance for South
Deloitte & Touche LLP, Perspectives on Risk for Africa, Institute of Directors in Southern
Boards of Directors, Audit Committees, and Africa, 2002.
Management, Deloitte Touche Tohmatsu Institute of Management Accountants (IMA),
International, 1997. “IMA Announces Bold Steps to ‘Get it Right’
Economist Intelligence Unit, Enterprise Risk on Sarbanes-Oxley Compliance,” press
Management—Implementing New Solutions, release, December 21, 2005.
New York, 2001. IMA, “A Global Perspective on Assessing Internal
Emen, Michael S., “Corporate Governance: The Control over Financial Reporting (ICoFR),”
View from NASDAQ,” NASDAQ, New York, Discussion Draft for Comment, September
2004. 2006.
Epstein, Marc J., and Adriana Rejc, Identifying, Joint Standards Australia/Standards New
Measuring, and Managing Organizational Zealand Committee, Risk Management,
Risks for Improved Performance, Society of Standards Australia/Standards New
Management Accountants of Canada and Zealand, 2004.
AICPA, 2005. Joint Standards Australia/Standards New
Federation of European Risk Management Zealand Committee, Risk Management
Associations, A Risk Management Standard, Guidelines, Standards Australia/Standards
2003. New Zealand, 2004.
Financial and Management Accounting Kaplan, Robert S., and David P. Norton, “The
Committee of the International Federation of Balanced Scorecard—Measures that Drive
Accountants (IFAC) (prepared by Performance,” Harvard Business Review,
PricewaterhouseCoopers), Enhancing January-February 1992, pp. 71-79.
Shareholder Wealth by Better Managing Kaplan, Robert S., and David P. Norton, “Putting
Business Risk, International Federation of the Balanced Scorecard to Work,” Harvard
Accountants, New York, 1999. Business Review, September-October 1993,
Financial Reporting Council, The Combined Code pp. 134-147.
on Corporate Governance, 2003. Kaplan, Robert S., and David P. Norton, The
Financial Reporting Council, Internal Control: Balanced Scorecard, Harvard Business
Revised Guidance for Directors on the School Press, Boston, Mass., 1996.
Combined Code, 2005. Kaplan, Robert S., and David P. Norton, The
Gates, Stephen, and Ellen Hexter, “From Risk Strategy-Focused Organization, Harvard
Management to Risk Strategy,” The Business School Press, Boston, Mass.,
Conference Board, New York, 2005. 2001.
29
ENTERPRISE RISK AND CONTROL
Kocourek, Paul, Reggie Van Lee, Chris Kelly, and Shaw, Helen, “The Trouble with COSO,” CFO,
Jim Newfrock, “Too Much SOX Can Kill You,” March 15, 2006, pp. 1-4.
Strategy+Business, reprint, January 2004, Shenkir, William, and Paul L. Walker, “Enterprise
pp. 1-5. Risk Management and the Strategy-Risk-
McNamee, David, and Gerges M. Selim, Risk Focused Organization,” Cost Management,
Management: Changing the Internal Auditor’s May-June 2006, pp. 32-38.
Paradigm, The Institute of Internal Auditors Simons, Robert L., “Control in an Age of
Research Foundation, Altamonte Springs, Empowerment,” Harvard Business Review,
Fla., 1998. March-April 1995, pp. 80-88.
Miccolis, Jerry A., Kevin Hively, and Brian W. Simons, Robert L., “How Risky Is Your
Merkley, Enterprise Risk Management: Trends Company?” Harvard Business Review, May-
and Emerging Practices, The Institute of June 1999, pp. 85-94.
Internal Auditors Research Foundation, Smith, Carl, “Internal Controls,” Strategic
Altamonte Springs, Fla., 2001. Finance, March 2006, p. 6.
Nagumo, Takehiko, “Aligning Enterprise Risk Smith, Wendy K., “James Burke: A Career in
Management with Strategy through the BSC: American Business [(A) & (B)],” Harvard
The Bank of Tokyo-Mitsubishi Approach,” Business School Case 9-389-177 and
Balanced Scorecard Report, Harvard 9-390-030, Harvard Business School
Business School Publishing, Reprint No. Publishing, 1989.
B0509D, September-October 2005, pp. 1-6. Smutniak, John, “Living Dangerously: A Survey of
Nagumo, Takehiko, and Barnaby S. Donlon, Risk,” The Economist, January 24, 2004, pp.
“Integrating the Balanced Scorecard and 1-15.
COSO ERM Framework,” Cost Management, Slywotzky, Adrian J., and John Drzik, “Countering
July/August 2006, pp. 20-30. the Biggest Risk of All,” Harvard Business
National Association of Corporate Directors Review, Reprint R0504E, April 2005,
(NACD), Report of the NACD Blue Ribbon pp. 1-12.
Commission of Audit Committees—A Practical Standard and Poor’s, Criteria: Assessing
Guide, 1999. Enterprise Risk Management Practices of
New York Stock Exchange, Final NYSE Corporate Financial Institutions: Rating Criteria and Best
Governance Rules, November 4, 2003. Practices, September 22, 2006.
Nottingham, Lucy, “A Conceptual Framework for Standard and Poor’s, Insurance Criteria: Refining
Integrated Risk Management,” The the Focus of Insurer Enterprise Risk
Conference Board of Canada, 1997. Management Criteria, June 2, 2006.
Oversight Systems, “The 2006 Oversight Stroh, Patrick J., “Enterprise Risk Management
Systems Financial Executive Report on Risk at UnitedHealth Group,” Strategic Finance,
Management,” 2006. July 2005, pp. 27-35.
Protiviti, “U.S. Risk Barometer—Survey of C- Thornton, Emily, “A Yardstick for Corporate Risk,”
Level Executives with the Nation’s Largest Business Week, August 26, 2002,
Companies,” 2005. pp. 106-108.
Protiviti, “Guide to Enterprise Risk Management: Treasury Board of Canada Secretariat, Integrated
Frequently Asked Questions. Sarbanes-Oxley Risk Management Framework, 2001.
Act of 2002, H.R. 3763,” 2006.
30
ENTERPRISE RISK AND CONTROL
Treasury Board of Canada Secretariat, Integrated Walker, Paul L., William G. Shenkir, and Thomas
Risk Management Framework: A Report on L. Barton, “ERM in Practice,” Internal
Implementation Progress, 2003. Auditor, August 2003, pp. 51-55.
U.S. Securities and Exchange Commission Walker, Paul L., William G. Shenkir, and Stephen
(SEC), “Commission Guidance Regarding Hunn, “Developing Risk Skills: An
Management’s Discussion and Analysis of Investigation of Business Risks and Controls
Financial Condition and Results of at Prudential Insurance Company of
Operations,” Release No. 33-8350, America,” Issues in Accounting Education,
December 19, 2003. May 2001, pp. 291-304.
SEC, “Securities Offering Reform,” Release No.
33-8591, effective December 1, 2005.
Walker, Paul L., William G. Shenkir, and Thomas
L. Barton, Enterprise Risk Management:
Pulling It All Together, The Institute of Internal
Auditors Research Foundation, 2002.
31