
Assurance and Advisory

Enterprise Risk Management: An emerging model for building shareholder value

7874Mkt ERM Cover 22/09/2003 11:44 AM Page 2

Contents

Introduction (page 2)
The current environment: How risk management is evolving (page 4)
How organisations are deploying ERM: Tools and techniques in use today (page 6)
An emerging model for deriving value from risk management (page 10)
Implications and opportunities (page 17)
Conclusion (page 18)
Appendix I: Interviews with leading risk management specialists (page 19)
Endnotes (page 27)
Contacts (page 28)

6314Mkt ERM Whitepaper 22/09/2003 11:39 AM Page 1

Introduction

As business leaders seek new ways to build shareholder value, they have begun to think in new ways about how risk management is tied to value creation. Across industries and organisations, many are recognising that risks are no longer merely hazards to be avoided but, in many cases, opportunities to be embraced. “Risk in itself is not bad,” asserts Suzanne Labarge, chief risk officer at Royal Bank of Canada. “What is bad is risk that is mismanaged, misunderstood, mispriced, or unintended.”[1] Indeed, many are realising that risk creates opportunity, that opportunity creates value, and that value ultimately creates shareholder wealth. How best to manage risks to derive that value has become the critical question.

In this context, enterprise risk management (ERM) has emerged as an important new business trend. ERM is a structured and disciplined approach aligning strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. “Enterprise-wide” means the removal of traditional functional, divisional, departmental, or cultural barriers. A truly holistic, integrated, future-focused, and process-oriented approach helps an organisation manage all key business risks and opportunities with the intent of maximising shareholder value for the enterprise as a whole.

Leaders face a variety of new challenges in their drive to maximise value. Globalisation, e-business, new organisational partnerships, and the increasing speed of business activity are rapidly changing and expanding the risks organisations face. One significant result is that risk management must now extend well beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputation, regulatory, and information risks. As a means of identifying, prioritising, and managing such risks across an enterprise or division—and linking them to value creation—ERM has the potential to provide organisations with a new competitive advantage.

Most organisations, however, are uncertain about how, exactly, to translate the concept of ERM into concrete action steps that will help them enhance shareholder value. Leaders agree that as important as ERM might be in theory, it will never be valuable in practice unless it enables organisations to use risk information to drive business value in a way they could not do otherwise.

This white paper describes ERM as it has begun to evolve today, emphasising that organisations may be able to benefit more fully from their ERM efforts than they may have done thus far. It addresses how leaders should seek to analyse their critical risks—balancing them with their objectives for improved returns—and then use that information to drive business value. To that end, this document outlines a new ERM model, one that can provide organisations with new action steps they may use to enhance business decision-making and, potentially, shareholder value.

The current environment: How risk management is evolving

As risks change and proliferate, managers in a variety of industries are seeking to ensure that they are taking both the right risks as well as the right amount of risk—compared with their own organisations’ risk tolerance or “appetite” and benchmarked against others in their markets and industries. An organisation determines its risk appetite, and its capacity for taking on additional risks, in much the same way individual investors balance their own tolerance for various risks against their desire for greater returns and use that knowledge to diversify the portfolio of stocks, bonds, and other financial instruments they hold (see box below).

Defining Risk Appetite

An organisation’s “appetite” or tolerance for risk will vary with its strategy as well as evolving conditions in its industry and markets. Each organisation’s risk tolerance is unique, and it will vary according to organisational culture as well as external factors. A critical aspect of management’s responsibility is to determine which risks, and how much of each of them, the organisation should take and then to re-evaluate those choices as circumstances change. Unlike Total Quality Management (TQM), which tolerates no failures, ERM maintains that a defined number of failures can be tolerated if the cost of guarding against them is more expensive than the risks they impose.

Consider the perspectives of a government buying computer chips for use in cruise missiles and a computer manufacturer buying the same chips for use in personal computers. Both entities have high standards for the quality and integrity of the computer chips, but widely differing tolerances for failures in them. The cruise missile manufacturer can tolerate no chip failures. The likelihood of such failures may be low, but the magnitude of the consequences is too high for all organisational stakeholders. That manufacturer must thus test every chip to ensure that it fully meets the high standards the organisation has established.

The PC manufacturer, on the other hand, need not test all its chips because it can, in fact, tolerate a few failures. It can bank on the limited likelihood of such failures, because the magnitude of the consequences is considerably lower than with chip failures in cruise missiles. This difference in risk appetite will drive differences in resource allocations and other management choices.

“Globalisation has completely changed both the risks organisations face and their management of those risks. When you’re no longer making things in Lancaster, Pennsylvania, for example, but in Bangladesh, or Marissa, or Hong Kong, you’ve got risks, along with opportunities, along the entire value chain. A large portion of our product is sourced overseas, so as with all retailers, we have to work hard to be sure that working conditions are what they should be. What do the plants look like, and do we own them? How do we ensure that they are safe and humane and that workers are appropriately compensated? Failing to pay close attention to the risks related to those issues can result in tremendous liabilities, not the least of which is degradation of the brand.”[2]

Vice President, Financial Operations, Specialty Retailer

Thus, risk management is moving well beyond the tradition of risk mitigation (using controls to limit exposure to problems) toward risk portfolio optimisation (determining the organisation’s risk appetite and capacity among a group of risks across the enterprise, seizing opportunities within those defined parameters, and capitalising on the rewards that result). As a consequence, risk management is beginning to be perceived as a new means of strategic business management, linking business strategy to day-to-day risks.

Enterprise risk management is evolving in this context. It is an important means of identifying the critical risks the organisation faces—for example, reputation, ethics, e-business, or health, safety, and environmental risks (not just financial or insurable hazards). It is also important for managing and optimising that portfolio of risks in a way that realises financial rewards. Interpretations of ERM vary widely by industry and among organisations. Consequently, definitions of ERM also vary widely—but many agree that it is a top-down approach, based on and supportive of organisational strategy, that is focused on new ways to manage and optimise the risks of highest importance to the board and management.

Depending on how they perceive ERM, organisations are using it in a variety of ways, with varying results, as described in the next section.

How organisations are deploying ERM: Tools and techniques in use today

Intrigued by ERM, organisations are using risk management concepts to consider a number of questions:

■ What risks am I facing, and how do they compare to those of my peers or competitors?
■ How are these risks changing based on changes in my business environment?
■ What level of risk should I take?
■ How should I manage those risks?

To help answer these questions, many organisations are collecting and analysing risk information using a variety of basic tools such as one or more of those described below:

■ Identification/Assessment tools enable a management team to collectively identify and assess the risks facing the organisation. These tools also enable the team to evaluate each risk according to its “likelihood” (that is, the probability that the risk will occur) and its “magnitude” (the impact the risk would have if it did occur). (See Figure 1.)

Figure 1: Business Risk Matrix

[Figure: a matrix with Likelihood on the vertical axis (5%, 25%, 50%, 75%, 95%) and Impact on the horizontal axis (Low, Moderate, High, Extreme, with the dollar ranges given only as <$X to $X). The response zones marked on the matrix are Accept, Reduce Risk, Reduce Control, Pass On, and Terminate.]

Management can derive considerable power from augmenting its knowledge about risk likelihood and impact. Through this process they will make judgments on the likelihood and impact of various risks, creating an analysis such as that depicted above. Once such an analysis is done, some risks will require no action, but when a risk has a potentially high likelihood and substantial impact (such as those in the upper right quadrant), management should take action to move that risk into an acceptable range or even eliminate it altogether, based on a risk/return analysis of the effects of such action on the entire organisation. Risks in the lower left quadrant may be candidates for reduced controls.

Identifying and Assessing Risk from an ERM Perspective

The CEO and the board of directors should consider a number of questions during risk identification and assessment. In the original box the questions are grouped under seven risk categories: Strategic Risk, Operational Risk, Reputation Risk, Regulatory or Contractual Risk, Financial Risk, Information Risk, and New Risks. Such questions include:

■ Are the critical strategies appropriate to enable the organisation to meet its business objectives?
■ What are the risks inherent in those strategies, and how might the organisation identify, quantify and manage these risks?
■ How much risk is the organisation willing to take?
■ What risks result from e-business developments?
■ What are the risks inherent in the processes that have been chosen to implement the strategies?
■ How does the organisation identify, quantify, and manage these risks given its appetite for risk? How does it adapt its activities as strategies and processes change?
■ What are the risks to brand and reputation inherent in how the organisation executes its strategies?
■ What risks are related to compliance with regulations or contractual arrangements—not just those that are financially based?
■ Have operating processes put financial resources at undue risk?
■ Has the organisation incurred unreasonable liabilities to support operating processes?
■ Has the organisation succeeded in meeting measurable business objectives?
■ Is our data/information/knowledge reliable, relevant and timely?
■ Are our information systems reliable?
■ Do our security systems reflect our e-business strategy?
■ What risks have yet to develop? (These might include risks from new competitors or emerging business models, recession risks, relationship risks, outsourcing risks, political or criminal risks, financial risk disasters (rogue traders) and other crisis and disaster risks.)

Typically, users plot risks in a matrix that depicts risks in categories, thus determining how particular risks compare to the organisation’s defined risk appetite. Multiple tools provide a structured framework for identifying and assessing risks. They may also assist in identifying risk “owners” (those to whom organisations assign responsibility and authority for the management of specific risks).

■ Categorisation tools help organisations group and prioritise their risks, by industry or within an entity. Such tools help management to ensure that they have captured all categories of organisational risks, not just traditional, financial hazards (see Figure 2 below).

■ Financial quantification tools help organisations understand the potential impact of risks. A number of sophisticated models are available to evaluate risk in financial areas. These models—encompassing, for example, value-at-risk and options theory—have been most commonly applied in financial services organisations, in which credit and market risks, among others, are highly quantifiable. In addition, risk-adjusted returns on assets or equity have been quantified by many organisations to better manage and balance the inherent differences in their divisions or product lines. How to model other categories of risks is less well understood, although some organisations have attempted to do so.

Having systematically assessed and categorised their risks—and perhaps having tried to understand their impact—many organisations try to determine which risks should be managed at the corporate level and which risks should also be pushed down into the structure of the organisation.

Figure 2: Risk categories

[Figure: Organisational Risks broken into the categories Compliance, Governance, Integrity, Information, Financial, Human Resources, and Operational.]

Organisational approaches to risk management may be centralised at the corporate level or decentralised among divisions or processes, depending on the nature of the risks in question and the organisational preferences of management. While there is no right or wrong way to organise, organisational principles are emerging as follows:

■ Centralised risk management tends to focus on risks that affect the achievement of key corporate objectives and strategies and significantly affect most if not all functions and processes (e.g., reputation). These risks may be referred to as enterprise-wide risks. Accountability for enterprise-wide risks may reside with the CEO and the board of directors (although responsibility for these risks may be dispersed throughout the organisation). Other risks that may be managed centrally include those that require specialised skill sets that cannot be duplicated at the division level or those that require partnering or contracting at the corporate level.

■ Decentralised risk management pushes the responsibility of risk management to those who live with it day to day. Risks that may best be managed in this way are division or process-level (PL) risks, which are those that are significant only within a particular process but nonetheless affect the organisation’s ability to successfully implement its strategies overall.

Regardless of whether risks are managed in a centralised manner, in a decentralised manner, or with a hybrid of these structures, a new organisational trend is to create ERM “program offices” and appoint chief risk officers (CROs), who are responsible for developing and managing risk management strategy. Notes Pamela G. Rogers, assistant treasurer, risk management with Sears, Roebuck & Co., “Just as companies have revenue and profit strategies, there’s got to be a risk strategy, and the CRO needs to set it.”[3]

In summary, experience shows that many leaders believe ERM is important—and potentially a competitive differentiator—but many of them remain largely unable to translate risk information into the action steps that can drive business value. They may have learned a great deal from the information they have collected, but they are seeking new ways to use and derive value from it. The next section describes a new ERM implementation model designed to further the value enhancement process.

An emerging model for deriving value from risk management

Organisations are engaged in a wide variety of risk assessment and monitoring efforts, but many of them remain largely unable to point to the specific value they derive from these activities. The emerging models for risk management are integrating how leaders think about risk with how they manage their businesses and are designed to monitor how risk management provides value. Leaders can participate in this ERM evolution by broadening and expanding the tools and concepts used today, as shown in Figure 3.

Figure 3: Risk Management is evolving…

From: Risk as individual hazards → To: Risk in the context of business strategy
From: Risk identification and assessment → To: Risk “portfolio” development
From: Focus on all risks → To: Focus on critical risks
From: Risk mitigation → To: Risk optimisation
From: Risk limits → To: Risk strategy
From: Risks with no owners → To: Defined risk responsibilities
From: Haphazard risk quantification → To: Monitoring and measurement
From: Risk is not my responsibility → To: Risk is everyone’s responsibility

Tying ERM to Business Strategy

Early models of risk management viewed risk as a market imperative—something to be understood and analysed for its own sake. The new models maintain that ERM should be intrinsically linked to the entity’s business strategy—which encompasses an organisation’s established vision, mission, and objectives; its process for defining operational imperatives; and its philosophies, policies, plans, and initiatives for growth and development (see Figure 4).

Aligning ERM resources and actions with the business strategy is necessary to maximise organisational effectiveness. What’s more, by linking ERM to the strategy, risk processes can be carried out in the context of where a business is headed, not solely based on where it is today. This differentiator is critical in an environment in which many organisations are changing their business models and strategies with increasing speed, driven by influences such as the rise of e- and m-commerce, the globalisation of business, and changing consumer expectations.

In the course of this process, an organisation may find that it is unsure of its actual risk appetite. By developing measurements to evaluate levels of risk, an organisation may determine how it may need to adjust its risk appetite, based on business outcomes and assessments. Linking the business strategy to ERM can also provide a context for setting risk appetite and risk measures so that they are linked to a long-term view of the entity. Otherwise, if appetite and related measures are established inappropriately, leaders may make decisions that tolerate more or less risk than the strategy establishes as ideal. Newer models of ERM establish a link with business strategy, which can increase ERM’s relevance to the organisation as a whole.

Figure 4: A new ERM model

[Figure: the elements of the model are Business Strategy, Risk Strategy, Risk Portfolio, Risk Optimisation, Risk Structure, and Measuring and Monitoring.]

Risk strategy is built around and supports the business strategy. Risk portfolio development, optimisation, and measuring and monitoring take place in the context of these strategies, based on an established structure for ERM that provides the means of embedding it in organisational culture.

Deriving Action Steps from Risk Assessment

Risk assessment has proved to be a highly useful process for identifying, categorising, and assessing critical risks based on their likelihood of occurrence and magnitude of impact. The key issue that has arisen, however, is what to do with the information when the risk assessment is finished. In some instances, entities find that the process has identified so many risks that they cannot possibly track them all. In others, they find they have not been able to translate the risk assessment into specific action steps—in the context of management’s risk appetite—that drive value for the organisation.

To address these issues, the new models of ERM are taking the concept of risk assessment several steps further to encompass a risk portfolio. The concept of a risk portfolio assumes that various risks share certain characteristics and/or interdependencies. Risks are considered in groups, based on how they relate to each other, and within these groups one or more risks may rise or fall when other risks rise or fall. In addition, when one risk is transferred, another may arise. For example, by outsourcing a non-core function to mitigate performance risk, an organisation assumes credit and supply-chain risks. By understanding and mapping such interdependencies, leaders can begin to parcel risks into broad categories that will influence how these risks are managed and optimised.

Figure 5: Benchmarking performance indicators to understand risk management

[Figure: a chart of Return (vertical axis, -4 to 16) against Risk Appetite (horizontal axis, 1 to 8, expressed as % variation of return: SD/Mean), showing Observed Risk, a Risk-free Return of +/- 4.5%, a Value "Curve", and the Risk Capacity.]

Measuring risk based on the performance of an organisation and comparing it to industry-based returns may point out opportunities to optimise risk.

Another key concept of the risk portfolio is that it acknowledges organisational limitations. Management has time and resources to focus on a limited number of risks. Evaluating risks in a portfolio enables leaders to perceive impacts and interdependencies, allowing management to proceed through the ERM process with a better understanding of which risks are critical and thus may require their increased focus—driving a better return on management’s time and resource investment.

Optimising Risks

At this point in the ERM process, organisations understand their strategy, have identified their risks, have defined the interrelationships of those risks within a risk portfolio, and have made preliminary decisions as to which risks require the most management attention. The next step is to optimise the risk portfolio.

Risk optimisation embodies the concept of choice. Just as an investor adjusts the mix of investments based on defined targets for risk and return, a risk portfolio manager chooses among tactics to manage risk based on the entity’s appetite for risk and its ability to absorb it. These choices can include adding controls or limits for risks that may exceed the entity’s risk appetite. Such choices also may include reducing costs related to excessive controls or taking action to expand risks in areas where existing controls provide additional risk capacity. Thus the manager must continually balance the cost/benefit of taking such action with the need to optimise risk in the organisation. By applying a variety of tactics, risk managers can begin to affect corporate performance and thereby affect shareholder value.

A key part of the optimisation process is to make sure that the risk “limits” are understood and that the risk appetite is apportioned appropriately, so that the limits managed separately do not exceed the entity’s risk appetite as a whole. This is a key step in the process, as a risk manager’s point of view may affect what he or she deems an acceptable level of risk. For example, a corporate CFO may understand that the total dollar amount of risk acceptable in futures trading could be $20 million. Within a division, however, that has $2 million in total sales and the only futures trading in the entity, the division manager may believe that only $1 million in risk is acceptable. The organisation’s overall performance could be enhanced if the division manager understood that he or she could take more risk. Conversely, if the division undertook a position of risk for $30 million, it is putting itself and the entire corporation in an unacceptable risk position.

Risk optimisation is an iterative and ongoing process: as one tactic is implemented, others should be reassessed. While reassessment is typically not possible for every action, entities are beginning to track actions related to the organisation’s most important and material risks.

Measuring and Monitoring to Enhance Value

At this point in the process, all of the actions related to ERM should be having an impact on the organisation. Measuring and monitoring these actions now becomes necessary, as an ongoing means of understanding and reporting on the status and impact of risks. Many organisations are devising ways to perform these activities on both an enterprise-wide and a process level.

Monitoring at its most basic level can be embedded in an organisation’s systems. By defining risk limits in terms of specific attributes or measurements, real-time monitoring can occur and, if limits are exceeded, actions can be taken. Achieving this result requires thoughtful definition of performance measures (both quantitative and qualitative) that can embody risk characteristics. Other monitoring methods include the use of internal and external auditors, benchmarking against market or other data, and retroactive review of risk results. Companies should define the monitoring and measurement systems that best serve their management styles and characteristics.
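As an added illustration of three points from this section (the likelihood/impact matrix of Figure 1, the apportioning of risk limits in the futures-trading example, and limit monitoring embedded in a system), the following Python is example code written for this edited copy, not from the white paper or its authors; the band thresholds, zone rules, owner names and sample dollar figures are constructed assumptions.

```python
"""Risk-matrix classification (Figure 1) plus risk-limit apportioning and
embedded monitoring (the futures-trading example and the paragraph above).
Example code added to this edited copy, not from the white paper. Thresholds,
zone rules, owner names and dollar figures are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Figure 1 likelihood axis (5%, 25%, 50%, 75%, 95%) as ordinal bands 1..5:
# a probability falls into the first band whose upper bound it does not exceed.
LIKELIHOOD_BANDS = [(0.05, 1), (0.25, 2), (0.50, 3), (0.75, 4), (1.00, 5)]
# Figure 1 impact axis; the paper gives the dollar ranges only as <$X to $X.
IMPACT_LEVELS = {"Low": 1, "Moderate": 2, "High": 3, "Extreme": 4}


def likelihood_band(probability: float) -> int:
    """Map a probability of occurrence to a Figure 1 likelihood band (1..5)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for upper, band in LIKELIHOOD_BANDS:
        if probability <= upper:
            return band
    return 5  # not reached: 1.00 is the last upper bound


def matrix_zone(probability: float, impact: str) -> str:
    """Classify a risk by its place in the matrix (quadrant cut-offs constructed).
    Upper right (likely and severe): act to move the risk into an acceptable
    range or eliminate it. Lower left: candidate for reduced controls."""
    band, level = likelihood_band(probability), IMPACT_LEVELS[impact]
    if band >= 4 and level >= 3:
        return "act"
    if band <= 2 and level <= 2:
        return "reduce-controls"
    return "accept-and-monitor"


@dataclass
class RiskLimit:
    owner: str       # the risk owner: a division, desk or process
    limit: float     # share of the enterprise appetite apportioned to the owner
    exposure: float  # current measured position, in the same units as limit


def apportionment_report(enterprise_appetite: float,
                         limits: list[RiskLimit]) -> dict:
    """Check that separately managed limits fit inside the enterprise appetite.
    Reports the total apportioned, the appetite not yet apportioned to anyone
    (the paper's "could take more risk" case), each owner's unused headroom,
    and breaches: limits summing past the appetite, or an exposure above its
    owner's limit or above the appetite itself."""
    total = sum(r.limit for r in limits)
    report = {"apportioned": total,
              "unapportioned": enterprise_appetite - total,
              "breaches": [], "headroom": {}}
    if total > enterprise_appetite:
        report["breaches"].append(
            f"limits total {total:,.0f} exceed enterprise appetite "
            f"{enterprise_appetite:,.0f}")
    for r in limits:
        if r.exposure > r.limit:
            report["breaches"].append(
                f"{r.owner}: exposure {r.exposure:,.0f} exceeds limit {r.limit:,.0f}")
        if r.exposure > enterprise_appetite:
            report["breaches"].append(
                f"{r.owner}: exposure {r.exposure:,.0f} exceeds the enterprise appetite")
        report["headroom"][r.owner] = max(r.limit - r.exposure, 0.0)
    return report


def monitor(limits: list[RiskLimit],
            observations: list[tuple[str, float]]) -> list[str]:
    """Embedded monitoring: apply a stream of (owner, exposure) measurements to
    the limits and return one alert per measurement that crosses its limit.
    A measurement for an owner with no defined limit is alerted too, because a
    risk without an owner and a limit cannot be optimised."""
    by_owner = {r.owner: r for r in limits}
    alerts = []
    for owner, exposure in observations:
        r = by_owner.get(owner)
        if r is None:
            alerts.append(f"{owner}: no risk limit defined for this owner")
            continue
        r.exposure = exposure
        if exposure > r.limit:
            alerts.append(
                f"{owner}: exposure {exposure:,.0f} exceeds limit {r.limit:,.0f}")
    return alerts


if __name__ == "__main__":
    # Constructed sample using the paper's futures-trading figures: the CFO accepts
    # $20 million enterprise-wide while the division manager works to $1 million.
    division = RiskLimit("division-a", limit=1_000_000, exposure=900_000)
    print(apportionment_report(20_000_000, [division]))
    # A $30 million position breaches both the division limit and the appetite.
    print(monitor([division], [("division-a", 30_000_000), ("desk-x", 5_000)]))
```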

Risk Strategy and Structure Complete the Model

Rounding out this ERM construct are two additional concepts. The first is that of a risk strategy. Just as a business strategy indicates the direction of the business, a risk strategy provides guidance for the risk activities within a company. It can set the tone for aggressive or conservative risk management activities, dictate how measuring and monitoring activities can be carried out, and provide the “bird’s-eye” view needed by management and the board. Indeed, it is the risk strategy that provides the backbone for embedding ERM within the culture of the business.

The risk strategy should be executed by the risk structure. Many organisations today are designing integrated structures that define how ERM is embedded into the organisation. This endeavor will not require a bureaucratic reinvention of the business structures already in place, but rather an enhancement of such structures that will embed and align risk management within existing strategies and business planning efforts.

The structures will encompass the roles and responsibilities for managing risk. They will also define accountability as well as clear reporting lines, which will empower managers to act within defined boundaries linked to risk appetite. The effective integration of these structures calls for the board to develop ownership of the effort and demonstrate its strong commitment to it. To achieve this commitment, the board will need both education and ongoing assurance that ERM is providing value.

Communication of the risk strategy and structure is essential. Such communication should be designed—using appropriate technology and common language and concepts—to ensure that all employees and stakeholders understand the board’s vision and objectives. Leaders must clearly demonstrate the relevance of the ERM strategy, providing success stories to maximise the value of the communication process.

Having defined responsibility and accountability, leaders should also take careful steps to ensure that individuals have the skills necessary to execute effectively. The level and type of skills required will vary considerably; consequently, all relevant business and personal training should encompass ERM principles.

In many cases, the CRO is at the center of this structure and is responsible for driving it as well as fine-tuning it based on organisational performance. Implementing such an ERM model within an organisation can produce a business risk management process that results in a systematic workflow for addressing risk within the organisation.

16

Key Actions to Help Embed a Risk Structure in an Organisation

Board activities
■ Provide ERM education at board level
■ Establish buy-in at board level for risk appetite and risk strategy
■ Develop “ownership” of risk management oversight by the board
■ Review a risk report of the enterprise

Management activities
■ Create a high-level risk strategy (policy) aligned with strategic business objectives
■ Create a risk management organisational structure and ensure clear reporting lines
■ Develop and assign responsibilities for risk management
■ Communicate board vision, strategy, policy, responsibilities and reporting lines to all employees across the organisation

Establish a common risk culture
■ Use common risk language and concepts
■ Communicate about risk using appropriate channels and technology
■ Develop training programs for risk management
■ Identify and train “risk champions”
■ Provide success stories and identify quick wins
■ Align risk management techniques with company culture
■ Develop a knowledge-sharing system

Create risk accountability/responsibility
■ Include risk management activities/responsibilities in job descriptions
■ Incorporate ERM concepts into personal goals
■ Empower managers with defined risk boundaries

Embed risk activities into ongoing business processes
■ Align and integrate risk management activities within business processes
■ Embed real-time controls related to risk into digital systems as appropriate
■ Develop continuous improvement processes related to risk

Measure and monitor risk
■ Identify key performance indicators and critical success factors related to risk
■ Establish success measures for risk strategy and activities
■ Provide a periodic process for measuring risk/return
■ Identify and implement monitoring processes and methods of feedback


Implications and opportunities

Whether ERM can drive change in an organisation ultimately depends on whether management implements ERM in an integrated way. When risk is used as an organising principle, in the context of a risk strategy, management can take action in a coordinated and synergistic manner. Using ERM to optimise its risks can help the organisation perceive potential structural and/or strategic adjustments that can help enhance organisational effectiveness in building shareholder value.

Ultimately, ERM requires the support of the CEO and the board, who drive it through the organisation. For any leader, however, undertaking all of the ERM process at one time can be daunting. The key is to start somewhere. The checklist below can provide a place to begin.

A strategic checklist for business leaders

Organisational leaders should ask themselves a number of questions to help determine whether they are effectively using ERM to optimise their risks:

1. Do I know what our risks are?
2. Have I evaluated non-traditional risk exposures?
3. Do we understand the interrelationships of our risks?
4. Do I know what our risk appetite is?
5. Do I know who our risk owners are? Do they have systems in place for measuring and monitoring risk?
6. What is the perspective of the person(s)/department(s) overseeing risk?
7. Do we have systems in place that promote risk optimisation?
8. Do we regularly look for new markets, partnering opportunities, and other risk optimisation strategies?
9. How do our incentive systems affect risk management?
10. Does our understanding of risk permeate our organisation and culture?
11. Does each individual understand his or her role and responsibility for managing risk?
12. Is risk a priority consideration whenever business processes are improved?


Conclusion

Enterprise risk management can become a strategic competitive advantage if it is used to identify specific action steps that enhance performance and optimise risk. It can also influence business strategy by identifying potential adjustments related to previously unidentified opportunities and risks. Used appropriately, ERM thus becomes a means of helping the organisation shift its focus from crisis response and compliance to evaluating risks in business strategies proactively, to enhancing investment decision-making and to improving shareholder value. Organisations that develop an ERM framework for linking critical risks with business strategies can become highly formidable competitors in the quest to add value for shareholders.

Appendix I: Interviews with leading risk management specialists

In order to further explore ERM and how it is impacting on some leading organisations, we interviewed the senior risk executives of a selection of multinational companies. We selected our interviewees using our knowledge of organisations that are particularly advanced in risk management, and who are considered by their peer organisations to be leading exponents of risk management.

Fiona Bennett, formerly Vice President, Risk Management & Audit, BHP Billiton

1. How do you see risk management developing in the future?

In the light of recent high-profile corporate collapses and the economic downturn, there is likely to be more explicit direction from regulatory bodies. Good Corporate Governance should include a holistic, structured enterprise-wide risk management program. Whilst the ASX Listing Rules suggest that this should exist, it is not yet mandatory for publicly-listed companies.

As insurance costs increase because of the recent events in the US, there is also likely to be a drive by companies to mitigate their risks by implementing effective risk management programs.

2. How do you ensure a company takes a holistic approach to risk management?

In order to develop an effective holistic approach to risk management, it is vital that there is demonstrated commitment and support from the Board, the CEO and senior management. The extent and consistency of the communication that comes from the Board and senior management is vital to ensure that the holistic risk management framework is understood and readily applied across the company.

Time needs to be taken to ensure that business leaders within the company understand firstly, the benefits that the program can bring to their individual part of the business and secondly, how to use the results to achieve their strategic goals and planned business outcomes. To effectively “embed” the approach in the organisation, the management incentive and reward structure needs to support such an approach.

3. What impact has risk management had at BHP Billiton?

The greatest and most sustaining impact that risk management has had at BHP Billiton is in the area of Capital Projects decision making. This does not mean that capital project decision making is risk averse, rather that there is full awareness and understanding of the risks that are associated with a particular project. A structured risk management process is undertaken as part of the Capital Projects review procedures, whereby different specialists covering project management, HS&E, technical, financial, tax and so on, are involved in the process, thereby leading to better decision making. In turn, this leads to effective allocation of resources and better use of management time and effort.

4. How do you measure the benefits of your risk management program?

Benefits to date have been measured qualitatively, rather than quantitatively. Businesses may identify new risks, reprioritise existing risks and get the whole team focused on issues that are important to the business rather than issues in their individual areas. By getting the management team to appreciate the context of the broader spectrum of business risk, the team can then allocate resources (time and money) more effectively to achieve their business outcomes.

5. What drives the success of a risk management program?

The success of a formal risk management program is driven by leadership and enthusiasm from the Board and executive management. This is critical to ensuring that risk management becomes embedded as part of the culture of an organisation. The program also needs to be a valuable experience to the individual businesses. If it is seen purely as “another Head Office initiative” it will surely fail.

The other important factor is that the framework and language used needs to be readily understood and transferable across the company using concepts that can be applied to all facets of an organisation, from projects to functions to full risk assessments across individual businesses/sectors/units.

Ernestine Rozario, Group Manager, Risk Management & Assurance, Telstra

1. How do you see risk management developing in the future?

Enterprise risk management will be a seamless process integrated within all elements of a company’s activities such as strategic direction, corporate planning and merger and acquisition activities. In fact, risk management capabilities will be across all levels of management, so much so that an organisation’s need for a Chief Risk Officer could be debatable. Evolution of risk management is likely to lead to it becoming part of management’s accountability.

Once risk management has reached this level of integration in an organisation, it will result in more conscious risk taking. What I mean by this is, as knowledge of risks increases, management will be in a better position to make informed decisions and will be able to capitalise on opportunities.

2. How does Telstra ensure it is taking a holistic approach to risk management?

Telstra began the introduction of a holistic approach to risk management in 1995/96 with a focus on strategic and operational risks. The initial investment in education, training and the development of a common language across all levels of the organisation was quite substantial but very worthwhile.

The introduction of our approach also coincided with a number of changes at Telstra and came at a time when management were receptive to change, and we were able to demonstrate the benefits to the organisation in taking a holistic approach to risk management.

On an on-going basis, we have been able to remain focused on our approach by continual reinforcement of the framework through effective communication and demonstrable benefits of risk management.

3. What impact has risk management had at Telstra?

Risk management has had an impact across the whole of Telstra. The investment made in establishing a common language and the focus on a simple and easy-to-understand control model has meant that the framework is applied in a consistent manner across all businesses and down to project level.

Although this is happening on a consistent basis, the bigger challenge for Telstra is to bring new employees and management up to the same level of knowledge as those that have been with the organisation since the introduction of the framework.

4. How do you measure the benefits of your risk management program?

The most effective way to measure the benefits of our program is the fact that the Board is satisfied with the information it receives in relation to the risks faced by Telstra. Risk is a consistent item on the Board agenda and most steering committees have a regular focus on risk management. The degree of questioning and analysis on risk issues has increased as the awareness and risk culture at the top of the organisation increases.

5. What drives the success of your risk management program?

A holistic risk management program will not be successful without the direction setting and support of the Board and senior management, which clearly we have had.

In addition to support from the top, the other factor which has contributed to the success of our approach has been the fact that the framework is easy to understand. We use simple language, which has resulted in all levels of the organisation being able to relate to the concepts and to apply the framework across all aspects of the business.

The other major aspect that has driven the success of the program has been the consistent and constant communication of the framework throughout the company.

Mike Merrifield, formerly Head of Risk Management, Rolls-Royce

1. How do you see ERM developing as a business trend?

I would like to see it emerge as a fundamental building block in the way businesses are managed, but not all companies embrace the idea enthusiastically. There always will be a heavy focus on financial and operational issues—and too much effort expended on reporting statistical and financial data, very little of which is grounded in an understanding of risk issues.

Rolls-Royce is addressing this issue. I have recently agreed with our financial controller that we should amend our finance manual, which explains our financial policies and authorisation requirements for obtaining project funding. (At Rolls-Royce, a project could be anything from launching a new aero-engine or installing an industrial engine in a power project to relocating a business from one country to another.) The finance manual explains how to compile a business case for a project; it tells you which forms to submit for authorisation, and it asks for extensive information about financial variables. But nowhere does it ask for a qualitative or quantitative assessment of potential risks and what effect they might have on outcomes. I’ve now provided our controller with language to insert in the manual, so that when someone proposes a project, they must attach a “risk register” that analyses the key risks and their potential consequences.

That is a major step forward, and I would like to see that kind of risk orientation become more widespread, because an inadequate risk focus has two significant impacts. First, resources are not allocated to those areas of the business where the best returns can be achieved, because decisions are based on marketing data and similar analyses, not on risk data. And second, an inordinate amount of time and money is wasted on non-added-value activities—for example, the wording of a contract affecting an issue that is not significant when analysed from a risk perspective.

Therefore, I see ERM evolving, but it has to be thoroughly integrated in the business, particularly in financial and operational control reporting. It should be a key aspect of management control and information.

2. Is ERM a worldwide movement, or is it embraced only in particular countries?

It’s not worldwide. In my experience, ERM is largely an Anglo-Saxon phenomenon. It’s American, it’s British, and to a degree, it’s Australasian. I believe the Europeans have a lot to do to catch up, which will largely happen through the influence of subsidiaries of American and U.K. companies that operate in Europe.

3. How has risk management developed at Rolls-Royce?

Manufacturing aircraft engines is our primary business, which means we are heavily focused on safety and regulatory compliance. We began to expand our risk focus, however, beginning in the mid-1980s—prompted by a new chairman, a new insurance broker, and, later, the acquisition of a troubled business. We started to touch on ERM in the late 1990s, in part because our financial director served on the committee of the Institute of Chartered Accountants that supported the development of the Turnbull recommendations on corporate governance. (Those recommendations were developed for the London Stock Exchange, but their risk focus has made them widely influential.)

One result has been the appointment of a director of operational risk, to whom my old job as head of risk management now reports, and he’s just one level below the main board. (I reported to the director of treasury, which is a traditional risk management reporting arrangement, and focused largely on risk financing and insurance issues.) The new director has commercial and operations manufacturing experience, in addition to finance skills, which gives him a wider perspective on the business. It’s perceived as a different job, at a higher level, with a wider risk management approach. It’s a great development, but I’d like to see the director of operational risk become a main board job—not just the conscience of the other directors. That person should encourage the other directors to manage risk in their own businesses, while he ties the whole thing together at the corporate level.

5. Are all organisational risk management activities centralised at Rolls-Royce?

We do have a centralised risk management activity, but our business risk management process applies across the organisation—at the task level within our projects, and across our five business sectors—Civil Airlines, Defence, Energy, Marine, and Finance.

Each business compiles risk registers, which they submit periodically for review and consolidation at the corporate level, by the director of operational risk. He weeds out what’s irrelevant and identifies aggregate or similar risks in different businesses. The risk registers are reviewed as part of the normal quarterly review of business performance.

The director of operational risk also performs a corporate review of risk, which is entirely independent, and may pick up on additional risks. The central risk operations group also helps each business compile and update the registers, advises on specific risk issues, and supports risk management education and training.

So it’s not yes or no, centralised or decentralised. It’s both. That’s particularly important in a business like Rolls-Royce that is very widespread, both in its activities and geographically. If you manage risk only at the centre you miss too much, and you’d soon have a problem that you didn’t see coming. In any business that is diverse—in terms of activity, product, or geography—you have to get the businesses managing risk themselves as well as the organisation doing it at a higher level.

6. What impact has risk management had at Rolls-Royce?

Over the past 10 years, it has helped management understand which businesses weren’t performing, and Rolls-Royce has derived many benefits from that approach. In addition, we make it clear to the businesses that risk is not solely a cost—but like most companies, we’re a long way from measuring risk in terms of opportunities or in comparison to our competitors. To do those things, you have to change the culture of management, which will require new skills and retraining. When that broadened perspective does develop, however, it will greatly enhance the benefits of risk management.

7. How does Rolls-Royce measure the organisational benefits of ERM?

If we achieve our business objectives, we’ll be very successful. If we don’t, poor risk management will be one of the reasons. That message is starting to filter through, but the actual technical ability, knowledge, and capability of management to perceive and realise all the potential benefits of ERM will take time.

8. What drives the success of an ERM effort?

First, Turnbull’s efforts here in the United Kingdom are certainly welcome, but people must not take a regulatory compliance approach to ERM. I have observed that approach, particularly in the utilities and some of the banks and building societies here, and it won’t make a difference, ultimately.

Second, the key to ERM’s success is in the people doing it, whether they are at the central level or in the business units. They’ve got to step up to the plate, educate others and demonstrate the benefits when they’ve got the models to do so. And, they’ve got to get the buy-in of senior management. In the final analysis, senior leadership’s commitment is really the key.


Contacts

Australia

National Partner in Charge, Management Assurance Services: JoAnne Stephenson, Phone: +61 3 9288 5458

National Leader, Enterprise Risk Management: Maurice Pagnozzi, Phone: +61 2 9455 9129

Adelaide: Laurie Kozlovic, Phone: +61 8 8236 3167

Brisbane: Joanne Baldwin, Phone: +61 7 3233 3163

Melbourne: Mike Ritchie, Phone: +61 3 9288 5082

Perth: Jeff Powell, Phone: +61 8 9263 7339

Sydney: Maurice Pagnozzi, Phone: +61 2 9455 9129

New Zealand

National Partner in Charge, Management Assurance Services: Jeremy Bendall, Phone: +64 9 367 5800

Wellington: Graeme Falloon, Phone: +64 4 381 8078

Visit our website at www.kpmg.com.au or www.kpmg.co.nz

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

November 2001

© 2001 KPMG, the Australian member firm of KPMG International,

a Swiss association. All rights reserved. Printed in Australia.
