What do leading companies with robust, best practice–based enterprise risk management (ERM) programs know that could benefit your organization? This article, which draws on research with 17 leading private- and public-sector organizations, details ERM practices your organization can use to define, manage, and integrate ERM programs. © 2008 Wiley Periodicals, Inc.

What do leading companies with robust, best practice–based enterprise risk management (ERM) programs know that could benefit your organization? What differentiates their ERM programs from those of many other leading companies? How do they define, manage, and integrate their ERM programs into their company operations? This article, based on six months of extensive research with 17 leading private- and government-sector organizations, reveals best practices in this relatively immature field of study. Most companies define risk narrowly as IT risk, Sarbanes-Oxley or audit risk, or commodities risk, but only a handful fully understand and incorporate a holistic definition of risk in their programs to create value in their companies. Have you considered supplier, customer, project management, competitor, pricing, records management, security, and many other risks?

INTRODUCTION

In 2006, APQC's Sebastian Francis and Angelica Wurth invited subject matter experts Bob Paladino and David Axson to commence a consortia study project to better understand and capture best practices in ERM programs. The study objectives included:

• discovering how first-rate ERM programs enable the holistic management of business and operational risks to meet organizational objectives;
• identifying methodologies, tools, and best practices proven successful in enabling, managing, and measuring ERM performance; and
• examining ERM trends to identify threats and risks to your company.

The team reviewed dozens of companies and identified five best practice partner companies (companies with innovative practices) to study. These included Blue Cross and Blue Shield of Florida, FirstEnergy, Fonterra Co-operative Group Ltd., Split Rock Energy, and the United Illuminating Company. Eight of the following twelve organizations sponsored the research project and participated in the
Exhibit 1: ERM and Strategy Process
Exhibit 2: Scope of ERM Program
Exhibit 3: ERM Activities

organizations mostly conduct these key activities on an annual basis.

At Blue Cross Blue Shield Florida (BCBSF), a strategic risk assessment is conducted in the fall of every year using a worksheet tool. The strategic risk assessment consists of one-on-one discussions and independent assessments. The risk management department collates and assimilates the information. The office of the chief executive officer (OCEO) validates this information and is responsible for strategy formulation. The list of strategic risks is used as an input into strategic planning. Once strategic planning is completed, it is communicated to the entire organization via closed-circuit monitors and an internal electronic newsletter.

The BCBSF ERM program seeks to drive risk management to operational areas by "mapping" strategic risks to operational planning through its plan and budget process. The controllership activity is managed by ARC. When the organization analyzes risks, it seeks to understand how to change the risk impact and/or the likelihood, and/or to identify opportunities associated with the risk.

The identification, evaluation, and quantification of risk takes place at the operational level, resulting in a risk profile. A team consisting of risk owners at the operational level, internal audit, downstream departments, compliance, and privacy creates risk profiles. Risk owners are identified in the organization's corporate risk policy, which has been in effect since 2002.

"Risk integrator" areas were established to integrate the ERM process into key functional areas. For example, one key functional area within the organization is claims and customer service, consisting of 3,500 to 4,000 employees, where claims are processed. This functional area has a team of four to five people focused on compliance claims—claims that have to abide by certain regulations. This small team welcomed the opportunity to be strategic in enabling the overall claims and customer service department to achieve its objectives by leveraging ERM tools that were available on their own system.

BCBSF sustains support for ERM by providing a two-sided view of risk. On one side, the downside of risk, ERM is widely accepted largely due to computer-based training that every employee must complete within 30 days of employment. Additionally, compliance issues such as Sarbanes-Oxley provide a clear understanding of managing the downside of risk. On the other side, the upside of risk, the premise is reducing uncertainty and increasing the opportunity to succeed.

Exhibit 4: Blue Cross Blue Shield Florida Risk Governance Model

BCBSF's governance model reinforces its strategic focus by involving the board of directors, audit committee, and members of the senior leadership team, as shown in Exhibit 4. The board of directors (BoD), the audit committee, and the Audit, Risk Management, and Compliance Division provide thought leadership where ERM is both a program and a process. The process involves risk thinking and managing, and the program involves providing the tools and consulting for the organization.

Both strategic and operational risks are the responsibility of the risk management department. The risk council administers both areas of risk management. The risk council enables the analysis of both strategic and operational risks, resulting in both top-down and bottom-up risk management. The risk council consists of director- and vice president–level resources.

At Best Practice Study Partner FirstEnergy (FE), a decision was made to create a specific department solely focused on risk management. ERM and its risk control group focused on developing control processes and risk management systems at the new unregulated subsidiary. FE understands that risk is both a threat and an opportunity, Enterprisewide Risk Manager Tom Marshall said. For example, when deregulation was taking place, the organization sought to mitigate risk by identifying other lines of business. In 2001, a chief risk officer (CRO) role was established and staffed. Also in 2001, Bob Paladino, then vice president for Drs. Kaplan and Norton's consulting division, partnered with FE's Richard J. Horak, director of performance

Exhibit 5: FirstEnergy's Risk Identification Process and Results
Exhibit 11: ERM Technology
Exhibit 12: Risk Aggregation

(horizontal or cross-functional view), as shown in Exhibit 7. The process view of the organization reflects what they do as a business, their core processes, and the enabling and governing processes necessary to be successful. As an indicator of the value they place on ERM, "manage risk" is one of their enabling processes. Looking at risk from a process perspective offers advantages over a strict functional view. For instance, in addressing a risk with a functional boundary, the risk may be transferred to another part of the organization, with an overall negative impact on the process. The end-to-end perspective of a process is more holistic and allows more effective ERM.

Historically, UI managed risk on a case-by-case or project-by-project basis. They did a reasonable job, given their strong project management discipline based upon the Project Management Institute's (PMI) Project Management Body of Knowledge (PMBOK). PMBOK includes several key risk-management components to enhance the success of projects.

In 2002, the audit committee of the UI board of directors sponsored an effort to assess risk concerns with several UI subsidiaries. The centerpiece of the program was an enterprisewide risk assessment (ERA) survey that resulted in several risk response strategies. UI's internal audit took over management of the ERA in 2003, and by the end of that year, two recurrent findings highlighted the need for change:

• Risk identification and risk management across all operations was still not occurring.
• ERM was not being driven by the strategy-setting process; therefore, risks were not always addressed in alignment with objectives and strategies of the business.

The solution was to assign ERM responsibilities to strategic business services (SBS), the organizational unit responsible for the strategic planning process at UI. This allowed UI to integrate ERM with strategic planning, process improvement, and project management—core practice areas of SBS—and to leverage process improvement and project management as risk management tools. This effort resulted in an integrated strategic planning and risk management process (see Exhibit 8). Senior leaders meet monthly to go through this process, evaluating strategic projects to ensure that risks are understood, priorities are established, and budgets and resources are in place.

Exhibit 13: FirstEnergy's Decision Tree Analysis Litigation Support Tool

Through each cycle in this process, the SBS organization makes improvements, including timeliness of deliverables, depth of information, measures of effectiveness, and better integration. This is continuous improvement in action. SBS also receives and utilizes the independent review provided by UI's internal audit, as well as the input and feedback of UI's audit committee, to ensure the integrity and thoroughness of the effort.

SBS also prepares two major reports each year: one in October to evaluate yearly results and set the goals for the next year, and one in May as a major status checkpoint. These reports contain qualitative data about identified risks and their associated strategies. They also include consideration of regulatory (both state and federal), tax, legal, and industry changes that impact the business.

In 2004, the ERA was integrated into UI's "establish strategic direction" process. While this incorporated key risk activities into planning, it did not address a comprehensive approach to risk management. To resolve this, "manage risk" was made one of UI's nine Level 1 processes in 2005.

Defining risk as one of UI's nine business processes allowed the organization to focus on how risk is integrated with each of its other processes. It also ensured that UI evaluates how risk affects stakeholder value, rather than just as an internal measure. Bob Paladino notes, "UI is one of the few organizations to effectively define, roll out, and implement a process-based organization that incorporates the best of CPM practices throughout."

Using a blend of COSO and PMBOK principles, UI established their "manage risk" process as shown in Exhibit 9. This process has become the foundation for all UI's risk activities, from strategic planning down to individual projects. The objective of this process is not to eliminate all risks, but rather to manage them effectively. Risks can be either negative or positive, threats or opportunities. An opportunity not pursued can be a risk.

Exhibit 14: FirstEnergy's ERM Intranet Site Screen Shot

Central to this process is the concept that every manager is a risk manager. The expectation is that each manager within UI will:

• be an expert regarding the risk events, likelihoods, impacts, and preparations required;
• align the resources of the organization to continuously monitor and protect; and
• apply the discipline of a well-defined "manage risk" process structure to provide reasonable assurance that UI can meet its objectives in his particular sphere of responsibility.

Although risk management was not new to UI, it had not been standardized or applied at all levels. These were activities that were already being managed, albeit somewhat independently and without common language or process. The first-phase rollout of "manage risk" was targeted to these special risk areas.

Best Practice Finding Statement #2

Mature ERM practices leverage technology to automate data capture and report risk measures. Partner organizations leveraged a variety and number of enabling technologies for ERM.

Supporting Point

Partners and sponsors differ significantly in the use of automated data capture and reporting of risk measures (see Exhibit 10).

• 100 percent of sponsors neither automate data capture nor automate reporting.
• 80 percent of partners automate capture, and 60 percent automate reporting of risk measures.

Exhibit 15: FirstEnergy's Capital Allocation—Risk Measurement Tool

Supporting Point

Partners are more likely to deploy a variety of software applications to perform ERM; sponsors almost universally use Microsoft Office only (Exhibit 11). Sponsors are more likely to use multiple MS Office and non-MS Office tools.

Supporting Point

One hundred percent of partners aggregate risk metric data across the organization, and 38 percent of sponsors do (Exhibit 12).

At FE, the ERM group leverages an Excel add-on tool, @Risk. The tool enables statistical analysis of data. Monte Carlo simulations and decision trees are done with @Risk. Midas enables modeling of statistical variability and Monte Carlo simulations. Zai*Net is used by FE's unregulated subsidiary as a modeling tool. SAP "houses" the organization's financial/budget system and enables the development of budgets and forecasted earnings.

Below is a list of the tools that FE uses to measure and report risk:

• ERM's intranet site,
• workforce development tool,
• capital allocation: risk measurement tool,
• decision tree analysis (see Exhibit 13 for an example),
• Monte Carlo simulation, and
• quarterly risk report.

Exhibit 14 shows a snapshot of ERM's intranet site. The site is general in nature, providing a definition of enterprise risk. The ERM intranet consists of secure and public sites; the public site is open to all 13,300 FE employees. Access to the secure site requires login authentication. The top 30 executives of the organization have access to strategic information and reports on the secure site.

Exhibit 17: ERM Formal Training

were eligible to retire in 2006, and 75 percent will be eligible in the next 10 years.

The capital allocation tool enables FE to analyze projects and opportunities to ensure that valuable opportunities have not been missed. This tool provides stakeholders with information to make better decisions and enables better prioritization. The group creates a risk matrix plotting the opportunity or project ratings. Exhibit 15 shows a sample matrix with potential projects plotted. Values, whether tangible (dollar values) or intangible (e.g., increased customer satisfaction), are estimated and assigned to these potential projects. The tool enables better decision making, such as deciding to spend $20,000 to prevent a million-dollar exposure.

One possible use of the tool that may be developed in the future is reviewing a specific project where a value of six may exist on both the X and Y axes; multiplying the two values of six gives 36. If the capital budget for the project were $36 million, the group would be able to assign a million-dollar cost per point. This could be analyzed against other projects that perhaps had lower or higher cost per point and would provide another method to rank projects to allocate capital. Exhibit 16 lists other reports and tools FE employs in its ERM efforts.

Best Practice Finding Statement #3

ERM formal training is conducted with more rigor at partner organizations, enabling the understanding of risk management at the individual level.

Supporting Point

Partners more heavily penetrate the employee base with ERM formal training than do sponsors.

• 100 percent of sponsors train 0 to 25 percent of the employee base, and partners train 60 percent.
• 40 percent of partners exceed this threshold and train between 26 and 75 percent of the employee base (see Exhibit 17).

SUMMARY

In closing, this consortia research has revealed that best practice enterprises view ERM as a strategic and highly regarded process, not an event. Best practice organizations incorporate ERM into their overall strategic and business planning processes, thus raising its importance and visibility in the organization. This formalization underscores their commitment to ERM and recognition of its value in not only minimizing risk, but also maximizing inputs and visibility of ERM elements enterprisewide. Best practice management teams regularly use the ERM processes in the normal course of their business operations.

Best practice organizations invest more heavily in a range of tools and infrastructure than do sponsors to capture information, conduct risk analyses, and communicate results to their organizations. The ERM process tools also provide for increased transparency and enable broad and deep employee usage.
Sebastian Francis is a knowledge management adviser and the financial management program manager
for APQC in Houston. Bob Paladino, founder of Bob Paladino & Associates, LLC, in Pittsburgh, advises
boards of directors and executives and offers corporate performance management/balanced scorecard
services for rapidly implementing and integrating proven methodologies to drive breakthrough results.