Professional Documents
Culture Documents
Management
Enhanced Enterprise Risk
Management
10 9 8 7 6 5 4 3 2 1
Description
The performance and survival of a business in a global economy
depends on understanding and managing the risks—both external
and those embedded within its operations.
It is vital to identify and prioritize significant risks and detect the
weakest points. Adding other elements to an essential ERM program,
such as PESTLE and Porter’s Five Forces, treatment plans, scorecards, the
three lines of defense (3LoD) components, and process improvements
(Six Sigma, 8D, etc.) significantly increases the ERM success rate.
The authors outline a comprehensive strategy for designing and
implementing a robust and successful ERM program—that is not just
successful in implementation but also in yielding enormous returns for
the organizations that implemented this enhanced ERM program.
Keywords
Enterprise risk management; ERM; risks; lines of defense; 3LoD;
COSO; governance; stress testing; evaluation; measurement; assessment;
response; reporting; framework; PESTLE; Porter’s Five Forces; internal
audit; process improvement; scorecards; heat maps; finance
Contents
Testimonials������������������������������������������������������������������������������������������ix
Foreword�����������������������������������������������������������������������������������������������xi
Acknowledgments���������������������������������������������������������������������������������xiii
Chapter 1 Introduction�������������������������������������������������������������������1
Chapter 2 What Is ERM?���������������������������������������������������������������3
Chapter 3 COSO Evolution ERM Frameworks����������������������������13
Chapter 4 ERM Structure�������������������������������������������������������������21
Chapter 5 ERM Framework����������������������������������������������������������25
Chapter 6 Reporting ERM Results and Status�������������������������������69
Chapter 7 Structure and Responsibilities���������������������������������������91
Chapter 8 Emerging and Unknown Risks�����������������������������������103
Chapter 9 Competitor and Industry Public Information�������������117
Chapter 10 Monitoring Risk Events to Stock Price Changes���������121
Chapter 11 PESTLE Analysis Method������������������������������������������123
Chapter 12 Porter’s Five Force Analysis�����������������������������������������129
Chapter 13 The Three Lines of Defense (3LoD)����������������������������137
Chapter 14 Creating and Implementing an ERM Program�����������177
Chapter 15 Case Study�����������������������������������������������������������������225
Chapter 16 Conclusion�����������������������������������������������������������������277
“While most ERM programs are sufficient in identifying business risks, John’s
program successfully focused on the Treatment Plans to mitigate the risks. In
volatile/dynamic industries and a world of heightened geopolitical risks, this
program is excellent and brought life to our risk management process and
had a significant impact on the organization.”—Thad Trent, Executive
Vice President and Chief Financial Officer On Semiconductor
Corporation, former Executive Vice President and Chief Financial
Officer Cypress Semiconductor Corporation
“John was a pioneer and early adopter of the three lines of defense and ERM.
He built a framework that involved the leaders and staff across the company
to identify risks, both known and previously unknown to the executive team.
Importantly, he was able to use a common sense approach to quantify and
rank the risks and track the trending of the various risks. With the closed loop
process, tracking and managing mitigation plans protects the shareholders and
stakeholders.”—Chuck Boynton, Executive Vice President and Chief
Financial Officer Poly, former Executive Vice President and Chief
Financial Officer SunPower Corporation
Foreword
As a serial founder, Board Director, Venture Capitalist, and Adjunct
Faculty Member, I have spent more than two decades on the frontiers of
reputation risk management, cyber risk governance, and Enterprise Risk
Management. I’ve signed off on many variations of ERM programs. Few
have served as an orienteering guide to navigate our complex geopolitical,
ecological, and social landscape.
ERM failures I have observed in the industry were because the orga-
nizations struggled with having a clear ERM objective and structure
applicable to the specific needs of their company and industry. Others
were due to the leadership taking on too much risk, believing the market
would react positively to their message of apparent unbridled commercial
growth—at any cost. Their strategies lacked globally responsible lead-
ership, citizenship, board of directors’ endorsement, or alignment with
executive leadership team support. Others simply tried to implement too
many changes at the same time. Especially in these complex times, navi-
gating shades of gray has never been more critical.
Through a journey from conception to birth, the growth and success
of an ERM program, John and Peter lay out the path for ERM practi-
tioners to follow—step by step. They provide a robust, practical approach
to the discipline, empowering you to identify and quantify your organi-
zation’s strategic and operational risks. Investing your time in reading this
book will provide you with an opportunity to learn from real-life case
studies and examples of ERM best practices applicable across all industry
sectors and business models.
ERM is core to supporting strategic planning, decision making, and
reputation risk management.
If you follow the best practices provided in this book, the chances of
establishing and implementing a successful ERM and reputation risk
program at your company increase exponentially.
xii Foreword
But don’t let me hold you off any longer, so go ahead and enjoy
your journey.
musician and CEO, Kooky.io), Yun Sil Chu (CEO, Moaah), Bell Beh
(CEO, BuzzAR), Anthony Chua (CEO, Stratificare), George Heng
(CEO, SenzeHub), and about 30 other founders I had the pleasure to
mentor and learn from; and my close friends and trailblazers Howard
Kim, Henry Wong, Elena Lim, Chelle Coury, Brett Millar, Louis Lye,
WT Soh, Kelvin Phua, Kirti Chandel, and many others. Without their
continued encouragement, friendship, and support, my life’s endeavor
would not be complete.
CHAPTER 1
Introduction
The performance and even vitality of a business today depends on
managing both—the known and foreseeable risks. Every business needs
to understand the acceptable risks in achieving its objectives, as well as the
type and level of risk embedded within its operations. It is vital to i dentify
and prioritize significant risks and detect the weakest points. Manag-
ing risks may be in a form of an essential Enterprise Risk Management
(ERM) program but can be significantly enhanced by considering other
elements frequently present in most companies, such as the Three Lines
of Defense (3LoD) components and Process Improvement teams (Six
Sigma, 8D, etc.). There are employees within these functions who are
aware of and employing resources to address perceived risk areas. To better
prioritize and manage risks, it can be helpful to integrate these programs
into the formal ERM program. The overall objective should be to apply
the limited risk management resources to the highest company risks for
strongest payback. In this book we will address the basic ERM program
first, then delve into the 3LoD as well as Process Improvement activities.
ERM has been around for some time. There are a few frameworks that
influence and address managing risks, such as Committee of Sponsoring
Organizations of the Treadway Commission (COSO),1 National Institute
of Standards and Technology (NIST),2 International Organization for
Standardization—ISO31000. The leading practice is to use COSO as the
base, but also consider elements of both ISO and NIST as appropriate.
We will focus on COSO as the primary framework for managing risks.
www.coso.org/
1
www.nist.gov/
2
Index