Integrating Enterprise Risk Management (ERM) with Organizational Strategy



This article was published in the Risk Management Association (RMA) Journal (May 2009).


The RMA Journal, May 2009, Enterprise Risk, page 32

By Henry Killackey

Once regarded as unsinkable, the RMS Titanic nonetheless collided with an iceberg on April 14, 1912, and sank to the bottom of the frigid Atlantic in less than three hours. More than 1,500 passengers died.

An ERM program must align with corporate strategy to give the organization a complete and comprehensive approach to managing risk.


The builders and crew of the vessel had praised its advanced technology and numerous safety features, believing it could withstand any threat from nature. Their overconfidence became evident when the ship’s poor design hastened its demise and a shortage of lifeboats led to many unnecessary deaths. Had the crew and builders properly accounted for all potential risks, the ship and its passengers might have avoided disaster.

In recent years, many financial executives developed the same kind of unwarranted confidence in their enterprise risk management (ERM) programs. Institutions such as Lehman Brothers and AIG implemented ERM programs to protect their assets and prevent their organizations from collapsing. Yet changing business conditions and misguided moves by internal players created risks that neither organization anticipated. Their ERM programs failed to protect them from risks that led to disaster.

Despite the experiences of Lehman Brothers and AIG, enterprise risk management can be a valuable tool in protecting your organization. The key is to align your ERM program and your corporate strategy to give your organization a complete and comprehensive approach to managing all types of risk.

Defining ERM

The current financial crisis and global economic recession offer a vivid reminder to the risk management community that changes in business conditions can happen quickly. Driving these changes are globalization, technology advances, compliance with new regulations, emerging markets, competition, geopolitical threats, and natural hazards, among other risk events. Rapid and significant change increases an organization’s exposure to loss, making a comprehensive ERM program necessary.

For many publicly traded companies, ERM has emerged as a value-added contribution to Sarbanes-Oxley (SOX) compliance and audit efforts.[1] According to a survey reported in Business Finance Magazine, 76% of respondents indicated they either intended to expand SOX compliance into ERM, or were already in the process of doing so.[2]

Widely accepted definitions of ERM emphasize that it needs to be a part of the organization’s DNA. For instance, as defined by COSO in 2004, ERM is “effected by an entity’s board of directors, management and other personnel.” It is “applied in strategy setting across the enterprise” and “designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives.”

The COSO definition describes ERM as guiding the achievement of organizational goals and objectives. According to Barton, Shenkir, and Walker, the purpose of ERM initiatives is to “create, protect, and enhance shareholder value by managing the uncertainties that could influence achieving the organization’s objectives.”[3] By this stated purpose, ERM initiatives are not intended to eliminate risk, but to manage risk for the sake of achieving organizational objectives.

But while many traditional or outdated definitions of enterprise risk describe risk in a negative light, Thomas Stewart says risk should not be eliminated: “Risk—let’s get this straight up front—is good. The point of risk management isn’t to eliminate it; that would eliminate reward. The point is to manage it—that is, choose where to place bets, and where to avoid betting altogether.”[4]

In short, risk has to be managed for the organization to seize new opportunities, avoid potential losses, and execute strategy.

Clarifying Strategy and Organizational Objectives

Organizational strategy is the intended course of action required to achieve goals or objectives, and it must be executed to achieve the desired end result. The COSO definition of ERM gives it a strategic purpose. But in order to make ERM a part of the strategy, that strategy must be clarified and understood by the organization.

Unfortunately, strategy rarely gets the attention it deserves, despite the important role it plays in an organization’s performance. This has resulted in the failure to execute strategy by nine out of 10 organizations, according to the Balanced Scorecard Collaborative. The firm has identified four barriers to executing strategy, as shown in Figure 1.

If ERM can be understood as a process that guides the achievement of objectives, it can be integrated into the strategic actions of the organization. Accordingly, it is important that a broad strategy be broken down to operational terms that employees, managers, and other internal stakeholders can understand. An understanding of strategy can help foster buy-in and inspire action.

The integration of ERM and strategy begins with the Balanced Scorecard (BSC). Developed by Robert Kaplan and David Norton, the BSC is a management and communication tool that articulates strategy and the organization’s progress in executing it across four perspectives:

1. Financial: How do shareholders view the organization?
2. Customer: How do customers view the organization’s product, brand, and image?
3. Internal Process: At which processes must the organization excel in order to satisfy customers and shareholders?
4. Learning and Growth: Which human capital assets must the organization develop or draw from in order to execute value-creating processes?

A complete BSC contains measures, targets, and initiatives within each of the four perspectives that link to strategy. All of these elements are derived from a strategy map, a diagram reflecting the cause-and-effect relationships among the strategic objectives of the four perspectives. Learning/growth and internal process are regarded as input perspectives because they drive results within the customer and financial perspectives (also known as outcome perspectives).

At the core of the strategy map is learning and growth. Employee growth and development is a catalyst for organizational performance and has a direct influence on the success of internal processes. An educated and well-trained workforce can execute more sophisticated processes, which in turn improves organizational efficiency and directly influences the customer’s perspective. Improved efficiency from better processes can increase customer satisfaction and loyalty. Finally, improved customer satisfaction and loyalty can result in larger sustainable revenue streams for the organization, which translates into greater financial performance, directly impacting shareholder satisfaction.

Identifying and Measuring Risk

When a strategy is broken down to operational or understandable terms, the organization can begin work on identifying specific risks that threaten organizational performance. The following are some typical ways to identify risks.

Internal investigation: An organization can examine itself to find risks and their impacts. Methods for investigation include brainstorming sessions among business unit managers, SWOT analysis, surveys, and interviews. Looking internally enables the organization to gather information from the employees and managers who work to prevent risks from adversely affecting business units.

External sources: An organization can gain valuable information about its risks by relying on external sources. This effort can include conversations with risk consultants and discussions with subject matter experts outside of the organization. Benchmarking is another external source. Benchmarking involves researching best practices in the industry and comparing the organization’s risk management efforts to those practices.[5] The information gathered from these sources can help an organization refine its course of action for managing risk.

Tools: Risks can be identified by dissecting business processes. Tools such as Six Sigma, Pareto analysis, and Ishikawa diagrams can provide insight into the controls and gaps within business processes.[6]

Once a risk has been identified, it can be classified. Is it a hazard risk, a strategic risk, a legal risk, or some other type of risk? Classification also includes determining the likelihood of a risk event occurring.[7]

The following qualitative methods are often used for classifying risks:
• Risk “heat maps” that depict the impact and likelihood of risk events.
• Risk rankings.
• Identification of risk correlations.

Figure 1. Four Barriers to Executing Strategy
(Source: Balanced Scorecard Collaborative newsletter.)

• Vision Barrier: Only 5% of the workforce understands the strategy.
• People Barrier: Only 25% of managers have incentives linked to the strategy.
• Management Barrier: 85% of executive teams spend less than one hour per month discussing long-term strategy.
• Resources Barrier: 60% of organizations do not link strategy to budgets.
Result: Nine out of 10 organizations fail to execute their strategy.

Figure 2. Risk “Heat Map” Template for Classifying Risk
(Rows: Probability of Occurrence, from High at the top to Low at the bottom. Columns: Magnitude of Risk, from Low at the left to High at the right.)

High probability: Yellow: Emerging Risk | Red: High Impact Risk | Red: High Impact Risk
                  Green: Controlled Risk / Poses Limited Threat | Yellow: Deserves Monitoring | Red: Requires Attention
Low probability:  Green: Controlled Risk / Poses Limited Threat | Green: Controlled Risk / Poses Limited Threat | Yellow: Has Potential to Become Severe

*Some companies will use more or fewer cells in a heat map, depending upon their risk portfolio or their desired level of detail.

Figure 3. Strategic Linkage of the Four Perspectives of the Balanced Scorecard
Organizational Vision / Mission. Strategic objectives are placed within the four perspectives of the BSC.

• Financial: To succeed financially, how must we appear to shareholders?
• Customer: To achieve our vision, how should we appear to our customers?
• Internal Business Processes: To satisfy our shareholders and customers, what business processes must we excel at?
• Learning and Growth (strategic enablers): Which key assets must we draw on to execute our value-creating process?

Once a risk has been classified, it can be measured for severity. Indeed, quantifying risk is necessary in order to understand the size of its impact. Many organizations need this information to perform tasks such as purchasing insurance or determining economic capital.

The following quantitative methods are often used for measuring risks:
• Tornado chart (a bar chart that compares multiple sets of risk data).
• Gain/loss chart (a chart that determines the valuation of an asset).
• Cash flow at risk (a method that determines how changes in risk factors affect an organization’s cash flow).

Monitoring

Effective ERM requires monitoring and reporting on the performance of risk management processes. It is a continuous and collaborative effort that should involve the input and cooperation of stakeholders such as the C-level executives, the audit committee, and the board of directors. This collaboration is essential to ensure that ERM enhances organizational confidence in making decisions and executing strategy.

It is vitally important, however, to remember the COSO definition of ERM and its clear link with strategy: a process “applied in strategy setting across the enterprise.”

ERM and the BSC can be integrated because of the organization-wide view that each requires from users. To be effective, the BSC has to provide a balanced view of the organization to drive strategy execution and business performance across the enterprise. The BSC requires input and feedback from entities inside and outside the organization. It does not rely solely on the viewpoints of shareholders or the financial returns of the enterprise, but on the perspectives of customers, employees, and other internal stakeholders. Meanwhile, ERM is not just about mitigating operational risks or the risks that affect a specific business unit. ERM requires the assessment and management of the entire portfolio of risks that can impact any internal process, employee, customer perspective, or financial result.[8]

Strategic objectives for risk management can be built into the internal process perspective of the organizational strategy map, in which processes are segregated into four categories: operations management, customer management, innovation, and regulatory/social. Risks can be managed within each of these categories. In operations management, risks can affect supplies, logistics, and production (traditionally for nonfinancial industries). In managing customers, there are risks involved in selecting and acquiring customers. There are innovation risks in developing new products and introducing them to the marketplace. Also, damage can be done to an organization’s reputation when there is a failure to comply with regulations. Strategic objectives related to ERM can be linked into each of these process categories to ensure alignment across the perspective and achieve broad impact.

There are also risks in the learning and growth perspective on which ERM-related strategic objectives can be built. There are risks behind selecting potential new employees. There is the risk of improperly training and supervising new employees. Also, there are risks in not having an effective succession plan for the future health of the organization. ERM-related strategic objectives can be built into this perspective to mitigate the chance and impact of these risks. Objectives created for such risks can communicate the importance of ERM to human resources and organizational development professionals who work within the enterprise.

By applying ERM to the input perspectives, positive results can emerge in the customer and financial perspectives. Driving ERM in the learning/growth and internal process perspectives can lead to greater cost controls and, as a result, reasonable prices for customers. ERM applied in the internal process perspective can ensure product quality that strengthens the organizational brand image to the customer. In every benefit that comes to customers through integrating ERM in the input perspectives, there is the greater opportunity that can come by ensuring customer loyalty and acquiring new customers, which can drive financial results for shareholders.

Figure 4. Example of a Strategy Map
Strategy Map for a Fictitious Bank: Main Street Financial Corporation
Purpose: Maximize the long term total return to our shareholders

Financial: Become a Top Performing Sales Organization
• F1–Long Term Growth with Top Tier Earnings
• F2–Increase Revenues
• F3–Maintain a High Level of Risk Management
• F4–Manage Expenses
• F5–Strategically Invest/Divest

Customers: Acquire and Retain Customers
• C1–Provide Financial Solutions for Life
• C2–Deliver Quality Service

Internal Processes: Optimize Business Effectiveness
• I1–Expand and Enhance Offerings
• I2–Use the Preferred Way of Selling
• I3–Profitably Deliver Consistent Service
• I4–Proactively Manage Resource Allocation
• I5–Continually Improve our Business Processes

Learning: Employees are our #1 Asset
• E1–We Will Be the Preferred Employer
• E2–We Will Develop the Leadership Expertise to Succeed
• E3–We Will Have Employees Who Volunteer in our Communities
• E4–We Will Recognize and Reward Outstanding Results

The BSC can effectively align ERM efforts with strategy while communicating the relevance of risk management to individuals and business units. By including in the organizational strategy map nine- or 10-word strategic objectives that communicate the mitigation of specific risks, individuals can understand how risk management aligns with their jobs.

Conclusion

Once it is integrated into strategy, ERM can spread throughout the entire organization. This integration requires cooperation among executives, managers, and employees. It also requires an organizational commitment to identify risk across business units and to thoroughly assess and measure risk. With the help of the Balanced Scorecard, an organization can articulate its strategy and ERM programs while alleviating the challenges of executing the strategy.

Notes

1. Killackey, Henry. “The Balanced Approach to Managing Risk—Integrating the Balanced Scorecard with Enterprise Risk Management.” Information Management Magazine, February 1, 2008. Available at http://www.information-management.com/issues/2007_44/10000635-1.html.

2. “How Compliance Became an ERM Trigger.” Business Finance Magazine, September 11, 2007. Available at http://businessfinancemag.com/article/how-compliance-became-erm-trigger-0911.

3. Barton, Thomas, William Shenkir, and Paul Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Upper Saddle River: Financial Times/Prentice Hall, 2003, p. 5.

4. Op. cit., p. 1.

5. Pyzdek, Thomas. The Six Sigma Handbook: A Complete Guide for Green Belts, Black Belts, and Managers at All Levels. New York: McGraw-Hill, 2003, p. 91.

6. Schaefer, John. “Practical Approaches to ERM.” Presented at the Enterprise Risk World conference, Houston, November 28, 2006.

7. Killackey, Henry. “Building the Quality-Centered Enterprise Risk Program.” The RMA Journal, May 1, 2007.

8. Killackey, Henry. “The Balanced Approach to Managing Risk—Integrating the Balanced Scorecard with Enterprise Risk Management.”

Write to [email protected].

Henry Killackey, a certified Six Sigma Green Belt, is the educational services manager and a founding member of the Global Institute for Management (www.gimanagement.com), an educational services provider that facilitates workshops and training sessions covering issues in performance management and risk management. Contact him by e-mail at [email protected].